feat: adding _OP_CLOUD_SYS_VENDOR key (#418)

should be helpful in debugging IMDS errors
crashappsec · Sep 5, 2024 · 7330736 · 7330736
1 parent da45ae0
commit 7330736
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@
 - `_OP_EXIT_CODE` key which reports external commands
   exit code such as for `chalk docker build`.
   ([#417](https://github.com/crashappsec/chalk/pull/417))
+- `_OP_CLOUD_SYS_VENDOR` key for reporting sys vendor
+  file content used to identity cloud provider.
+  ([#418](https://github.com/crashappsec/chalk/pull/418))
 
 ## 0.4.12
 

diff --git a/src/configs/base_keyspecs.c4m b/src/configs/base_keyspecs.c4m
@@ -4477,6 +4477,18 @@ metadata.
 """
 }
 
+keyspec _OP_CLOUD_SYS_VENDOR {
+  kind:     RunTimeHost
+  type:     string
+  standard: true
+  since:    "0.4.13"
+  shortdoc: "Content of the system DMI vendor file"
+  doc:      """
+Content of the system hardware DMI vendor file as configured by
+`cloud_provider.cloud_instance_hw_identifiers.sys_vendor_path`.
+"""
+}
+
 keyspec _OP_ERRORS {
     kind:             RunTimeHost
     type:             list[string]

diff --git a/src/configs/base_plugins.c4m b/src/configs/base_plugins.c4m
@@ -199,7 +199,7 @@ plugin cloud_metadata {
     enabled:         true
     priority:        1000
     post_run_keys:   ["_GCP_INSTANCE_METADATA", "_GCP_PROJECT_METADATA",
-    "_AZURE_INSTANCE_METADATA",
+    "_AZURE_INSTANCE_METADATA", "_OP_CLOUD_SYS_VENDOR",
     "_OP_CLOUD_PROVIDER", "_OP_CLOUD_PROVIDER_SERVICE_TYPE",
     "_OP_CLOUD_PROVIDER_ACCOUNT_INFO", "_OP_CLOUD_PROVIDER_REGION",
     "_OP_CLOUD_PROVIDER_REGION", "_OP_CLOUD_PROVIDER_IP",

diff --git a/src/configs/base_report_templates.c4m b/src/configs/base_report_templates.c4m
@@ -335,6 +335,7 @@ report and subtract from it.
   key._ENV.use                                = true
   key._TENANT_ID.use                          = true
   key._OPERATION.use                          = true
+  key._OP_EXIT_CODE.use                       = true
   key._TIMESTAMP.use                          = true
   key._DATE.use                               = true
   key._TIME.use                               = true
@@ -372,6 +373,7 @@ report and subtract from it.
   key._OP_ARP_TABLE.use                       = true
   key._OP_CPU_INFO.use                        = true
   key._OP_ALL_PS_INFO.use                     = true
+  key._OP_CLOUD_SYS_VENDOR.use                = true
   key._OP_CLOUD_PROVIDER.use                  = true
   key._OP_CLOUD_PROVIDER_SERVICE_TYPE.use     = true
   key._OP_CLOUD_PROVIDER_ACCOUNT_INFO.use     = true
@@ -484,6 +486,7 @@ doc: """
   key._ENV.use                                = true
   key._TENANT_ID.use                          = true
   key._OPERATION.use                          = true
+  key._OP_EXIT_CODE.use                       = true
   key._TIMESTAMP.use                          = true
   key._DATE.use                               = true
   key._TIME.use                               = true
@@ -522,6 +525,7 @@ doc: """
   key._OP_CPU_INFO.use                        = true
   key._OP_ALL_PS_INFO.use                     = true
   key._CHALK_EXTERNAL_ACTION_AUDIT.use        = true
+  key._OP_CLOUD_SYS_VENDOR.use                = true
   key._OP_CLOUD_PROVIDER.use                  = true
   key._OP_CLOUD_PROVIDER_SERVICE_TYPE.use     = true
   key._OP_CLOUD_PROVIDER_ACCOUNT_INFO.use     = true
@@ -996,6 +1000,7 @@ container.
   key._OP_CLOUD_METADATA.use                  = true
   key._CHALK_EXTERNAL_ACTION_AUDIT.use        = true
   key._OP_ERRORS.use                          = true
+  key._OP_CLOUD_SYS_VENDOR.use                = true
   key._OP_CLOUD_PROVIDER.use                  = true
   key._OP_CLOUD_PROVIDER_SERVICE_TYPE.use     = true
   key._OP_CLOUD_PROVIDER_ACCOUNT_INFO.use     = true
@@ -1456,6 +1461,7 @@ and keep the run-time key.
   key._OP_CLOUD_METADATA.use                  = true
   key._CHALK_EXTERNAL_ACTION_AUDIT.use        = true
   key._OP_ERRORS.use                          = true
+  key._OP_CLOUD_SYS_VENDOR.use                = true
   key._OP_CLOUD_PROVIDER.use                  = true
   key._OP_CLOUD_PROVIDER_SERVICE_TYPE.use     = true
   key._OP_CLOUD_PROVIDER_ACCOUNT_INFO.use     = true

diff --git a/src/configs/crashoverride.c4m b/src/configs/crashoverride.c4m
@@ -77,6 +77,7 @@ This is mostly a copy of insert template however all keys are immutable.
   ~key._OP_CLOUD_METADATA.use                         = true
   ~key._CHALK_EXTERNAL_ACTION_AUDIT.use               = true
   ~key._OP_ERRORS.use                                 = true
+  ~key._OP_CLOUD_SYS_VENDOR.use                       = true
   ~key._OP_CLOUD_PROVIDER.use                         = true
   ~key._OP_CLOUD_PROVIDER_SERVICE_TYPE.use            = true
   ~key._OP_CLOUD_PROVIDER_ACCOUNT_INFO.use            = true

diff --git a/src/plugins/cloudMetadata.nim b/src/plugins/cloudMetadata.nim
@@ -486,5 +486,7 @@ proc cloudMetadataGetrunTimeHostInfo*(self: Plugin,
     of hkGcp:
       getGcpMetadata()
 
+  result.setIfNeeded("_OP_CLOUD_SYS_VENDOR", vendor)
+
 proc loadCloudMetadata*() =
   newPlugin("cloud_metadata", rtHostCallback = RunTimeHostCb(cloudMetadataGetrunTimeHostInfo))
diff --git a/tests/functional/test_plugins.py b/tests/functional/test_plugins.py
@@ -150,7 +150,7 @@ def test_aws_no_imds(
 ):
     with make_tmp_file() as vendor, make_tmp_file() as instance:
         # make imds plugin think we are running in EC2
-        vendor.write_text("Amazon")
+        vendor.write_text("Amazon EC2")
         instance.write_text("i-abc123xyz789")
         bin_path = copy_files[0]
         insert = chalk.insert(
@@ -164,6 +164,7 @@ def test_aws_no_imds(
         )
         assert insert.report.contains(
             {
+                "_OP_CLOUD_SYS_VENDOR": "Amazon EC2",
                 "_OP_CLOUD_PROVIDER": "aws",
                 "_OP_CLOUD_PROVIDER_SERVICE_TYPE": "aws_ec2",
                 "_AWS_INSTANCE_ID": "i-abc123xyz789",