
tetragon: Support IMA hash collection for LSM sensor
Adding support for IMA hash collection in Post Action.
Adding IMA hashes in LSM events. Hash is represented by
a string algorithm:value. Support loading the lsm.s/ima_* program
for one of the LSM hooks (file_open, mmap_file, bprm_check_security).

Signed-off-by: Andrei Fedotov <[email protected]>
anfedotoff committed Aug 29, 2024
1 parent e38e738 commit 20a3c09
Showing 26 changed files with 901 additions and 428 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md


13 changes: 13 additions & 0 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go


283 changes: 147 additions & 136 deletions api/v1/tetragon/tetragon.pb.go


2 changes: 2 additions & 0 deletions api/v1/tetragon/tetragon.proto
Expand Up @@ -546,6 +546,8 @@ message ProcessLsm {
KprobeAction action = 8;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 9;
// IMA file hash. Format algorithm:value.
string ima_hash = 11;
}

message KernelModule {
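Review bot: The comment on the new `ima_hash` field (line 38) does not say what a consumer sees when no hash was collected; in this commit's GetProcessLsm (pkg/grpc/tracing/tracing.go) the string stays empty both when the sensor reports no hash and when the helper returns an unhandled code, so an empty value is ambiguous between "not requested", "file not measured / IMA unavailable" and "unsupported algorithm". Suggest `// IMA file hash. Format algorithm:value, e.g. sha256:<hex>; empty when no hash was collected.` The field number also jumps from 9 to 11; if 10 is being held for a pending change, a `reserved 10;` line or a comment prevents it from being reused by accident — I cannot tell from this hunk whether 10 is already taken elsewhere in the message.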



1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md


Expand Up @@ -357,6 +357,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -676,6 +681,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -968,6 +978,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1287,6 +1302,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1610,6 +1630,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1929,6 +1954,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2189,6 +2219,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2508,6 +2543,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Up @@ -357,6 +357,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -676,6 +681,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -968,6 +978,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1287,6 +1302,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1610,6 +1630,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1929,6 +1954,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2189,6 +2219,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2508,6 +2543,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
1 change: 1 addition & 0 deletions pkg/api/processapi/processapi.go
Expand Up @@ -43,6 +43,7 @@ const (
MSG_COMMON_FLAG_RETURN = 0x1
MSG_COMMON_FLAG_KERNEL_STACKTRACE = 0x2
MSG_COMMON_FLAG_USER_STACKTRACE = 0x4
MSG_COMMON_FLAG_IMA_HASH = 0x8

BINARY_PATH_MAX_LEN = 256

26 changes: 26 additions & 0 deletions pkg/grpc/tracing/tracing.go
Expand Up @@ -4,6 +4,7 @@
package tracing

import (
"encoding/hex"
"fmt"

"github.com/cilium/tetragon/pkg/metrics/eventcachemetrics"
Expand Down Expand Up @@ -815,13 +816,19 @@ func (msg *MsgGenericUprobeUnix) Cast(o interface{}) notify.Message {
return &t
}

type MsgImaHash struct {
Algo int32 `align:"algo"`
Hash [64]uint8 `align:"hash"`
}

type MsgGenericLsmUnix struct {
Msg *tracingapi.MsgGenericKprobe
Hook string
Args []tracingapi.MsgGenericKprobeArg
PolicyName string
Message string
Tags []string
ImaHash MsgImaHash
}

func (msg *MsgGenericLsmUnix) Notify() bool {
Expand Down Expand Up @@ -896,6 +903,25 @@ func GetProcessLsm(event *MsgGenericLsmUnix) *tetragon.ProcessLsm {
Tags: event.Tags,
}

switch event.ImaHash.Algo {
case 1: // MD5
tetragonEvent.ImaHash = fmt.Sprintf("md5:%s", hex.EncodeToString(event.ImaHash.Hash[:16]))
case 2: // SHA1
tetragonEvent.ImaHash = fmt.Sprintf("sha1:%s", hex.EncodeToString(event.ImaHash.Hash[:20]))
case 4: // SHA256
tetragonEvent.ImaHash = fmt.Sprintf("sha256:%s", hex.EncodeToString(event.ImaHash.Hash[:32]))
case 5: // SHA384
tetragonEvent.ImaHash = fmt.Sprintf("sha384:%s", hex.EncodeToString(event.ImaHash.Hash[:48]))
case 6: // SHA512
tetragonEvent.ImaHash = fmt.Sprintf("sha512:%s", hex.EncodeToString(event.ImaHash.Hash[:]))
case 7: // SHA224
tetragonEvent.ImaHash = fmt.Sprintf("sha224:%s", hex.EncodeToString(event.ImaHash.Hash[:28]))
case -1: // No hash in the map
break
default:
logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", event.ImaHash.Algo)
}

if tetragonProcess.Pid == nil {
eventcachemetrics.EventCacheError(eventcachemetrics.NilProcessPid, notify.EventType(tetragonEvent)).Inc()
return nil
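Review bot: In the switch on `event.ImaHash.Algo` (lines 294-311) every value outside {-1, 1, 2, 4, 5, 6, 7} falls into the default branch and is logged as a helper return code, which is misleading for a non-negative id the kernel can legitimately report (include/uapi/linux/hash_info.h defines further HASH_ALGO_* ids, e.g. 3 for RIPE-MD-160), and the zero value 0 — what the struct holds if the reader never fills it, which I cannot verify from this hunk — would also land there on every event. The ids and digest lengths are repeated as bare literals across six cases; a package-level table keyed by the kernel id keeps them in one place and lets negative codes (errors) be told apart from unknown ids, as sketched below. `MsgImaHash` and its fields (lines 274-277) are exported without a doc comment; suggest `// MsgImaHash is the IMA digest collected for the file an LSM hook acted on: Algo is the kernel HASH_ALGO_* id, or -1 when no hash was collected, and Hash holds the digest in its leading bytes (64 bytes fits SHA-512).` GetProcessLsm starts and ends outside the hunk.
```go
// imaAlgos maps kernel HASH_ALGO_* ids (include/uapi/linux/hash_info.h)
// to the name and digest length rendered into ProcessLsm.ImaHash.
var imaAlgos = map[int32]struct {
	name string
	size int
}{
	1: {"md5", 16},
	2: {"sha1", 20},
	4: {"sha256", 32},
	5: {"sha384", 48},
	6: {"sha512", 64},
	7: {"sha224", 28},
}

// … unchanged: GetProcessLsm up to and including the tetragonEvent literal …
	algo := event.ImaHash.Algo
	switch {
	case algo == -1:
		// no hash in the map
	case algo < 0:
		logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", algo)
	default:
		if d, ok := imaAlgos[algo]; ok {
			tetragonEvent.ImaHash = d.name + ":" + hex.EncodeToString(event.ImaHash.Hash[:d.size])
		} else {
			logger.GetLogger().Debugf("unhandled IMA hash algorithm id: %d", algo)
		}
	}
	// … unchanged: nil-Pid check and return …
```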
