tetragon: Support IMA hash collection for LSM sensor
Add support for IMA hash collection in the Post action.
Add IMA hashes to LSM events. The hash is represented as
a string of the form algorithm:value. Support loading the lsm.s/ima_* program
for one of the LSM hooks (file_open, mmap_file, bprm_check_security).

Signed-off-by: Andrei Fedotov <[email protected]>
anfedotoff committed Sep 16, 2024
1 parent 2e07334 commit 2c1a144
Showing 26 changed files with 909 additions and 428 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md


13 changes: 13 additions & 0 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go


283 changes: 147 additions & 136 deletions api/v1/tetragon/tetragon.pb.go


2 changes: 2 additions & 0 deletions api/v1/tetragon/tetragon.proto
Expand Up @@ -546,6 +546,8 @@ message ProcessLsm {
KprobeAction action = 8;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 9;
// IMA file hash. Format algorithm:value.
string ima_hash = 11;
}

message KernelModule {
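Review bot: The comment on `string ima_hash = 11;` gives the format but not what a consumer sees when no hash was collected, nor which algorithm names can appear; the producing code in pkg/grpc/tracing/tracing.go leaves the field empty in that case and otherwise emits `md5`, `sha1`, `sha224`, `sha256`, `sha384` or `sha512` followed by a lowercase hex digest. Suggest `// IMA file hash. Format algorithm:value, e.g. sha256:<hex digest>; empty when no hash was collected.` Field number 10 is skipped here; if it was ever assigned in an earlier revision, a `reserved 10;` line would keep it from being reused with a different type.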



1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md


Expand Up @@ -357,6 +357,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -676,6 +681,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -968,6 +978,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1287,6 +1302,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1610,6 +1630,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1929,6 +1954,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2189,6 +2219,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2508,6 +2543,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Up @@ -357,6 +357,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -676,6 +681,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -968,6 +978,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1287,6 +1302,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1610,6 +1630,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1929,6 +1954,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2189,6 +2219,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2508,6 +2543,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
1 change: 1 addition & 0 deletions pkg/api/processapi/processapi.go
Expand Up @@ -43,6 +43,7 @@ const (
MSG_COMMON_FLAG_RETURN = 0x1
MSG_COMMON_FLAG_KERNEL_STACKTRACE = 0x2
MSG_COMMON_FLAG_USER_STACKTRACE = 0x4
MSG_COMMON_FLAG_IMA_HASH = 0x8

BINARY_PATH_MAX_LEN = 256

26 changes: 26 additions & 0 deletions pkg/grpc/tracing/tracing.go
Expand Up @@ -4,6 +4,7 @@
package tracing

import (
"encoding/hex"
"fmt"

"github.com/cilium/tetragon/pkg/reader/kernel"
Expand Down Expand Up @@ -814,13 +815,19 @@ func (msg *MsgGenericUprobeUnix) Cast(o interface{}) notify.Message {
return &t
}

type MsgImaHash struct {
Algo int32 `align:"algo"`
Hash [64]uint8 `align:"hash"`
}

type MsgGenericLsmUnix struct {
Msg *tracingapi.MsgGenericKprobe
Hook string
Args []tracingapi.MsgGenericKprobeArg
PolicyName string
Message string
Tags []string
ImaHash MsgImaHash
}

func (msg *MsgGenericLsmUnix) Notify() bool {
Expand Down Expand Up @@ -895,6 +902,25 @@ func GetProcessLsm(event *MsgGenericLsmUnix) *tetragon.ProcessLsm {
Tags: event.Tags,
}

switch event.ImaHash.Algo {
case 1: // MD5
tetragonEvent.ImaHash = fmt.Sprintf("md5:%s", hex.EncodeToString(event.ImaHash.Hash[:16]))
case 2: // SHA1
tetragonEvent.ImaHash = fmt.Sprintf("sha1:%s", hex.EncodeToString(event.ImaHash.Hash[:20]))
case 4: // SHA256
tetragonEvent.ImaHash = fmt.Sprintf("sha256:%s", hex.EncodeToString(event.ImaHash.Hash[:32]))
case 5: // SHA384
tetragonEvent.ImaHash = fmt.Sprintf("sha384:%s", hex.EncodeToString(event.ImaHash.Hash[:48]))
case 6: // SHA512
tetragonEvent.ImaHash = fmt.Sprintf("sha512:%s", hex.EncodeToString(event.ImaHash.Hash[:]))
case 7: // SHA224
tetragonEvent.ImaHash = fmt.Sprintf("sha224:%s", hex.EncodeToString(event.ImaHash.Hash[:28]))
case -1: // No hash in the map or no need to collect hash
break
default:
logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", event.ImaHash.Algo)
}

if tetragonProcess.Pid == nil {
eventcache.CacheErrors(eventcache.NilProcessPid, notify.EventType(tetragonEvent)).Inc()
return nil
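Review bot: The switch on `event.ImaHash.Algo` (the `case 1: // MD5` … `case 7: // SHA224` block in GetProcessLsm) hard-codes a numbering that is not the kernel's own `enum hash_algo`, where MD5 is 0 and SHA224 is 6, so the values here appear to be that enum offset by one — presumably applied on the BPF side so that zero can stand for "unset" — and neither `MsgImaHash` nor the switch says so, which is the first thing a maintainer will stumble over when a digest is labelled with the wrong algorithm. Suggest a doc comment on the exported type along the lines of `// MsgImaHash carries the IMA digest collected by the LSM sensor. Algo is the kernel hash_algo id plus one (1 = md5 … 7 = sha224), or -1 when no hash was collected; Hash holds the digest in its leading bytes, the count depending on Algo.` with a "confirm against the ima_* BPF program" caveat until the producer side is checked. The `default` branch logs other codes at Debug only; if those are negative errno values from the helper (for example when IMA is not available on the host), operators get an empty field with no visible reason, so a Warn with rate limiting may be more appropriate — hedged, since the helper's failure modes are not visible here. As a point of style, each arm repeats `fmt.Sprintf("<name>:%s", hex.EncodeToString(...))`; resolving the code to a name/length pair and formatting once, with plain concatenation instead of `fmt`, keeps the algorithm table in one place. GetProcessLsm starts and ends outside this hunk.

```go
	// … unchanged: tetragonEvent construction …

	// Algo is the kernel enum hash_algo value plus one as stored by the BPF
	// side (NOTE(review): confirm against the ima_* program); -1 means no
	// hash was collected. Unknown codes are logged and leave ImaHash empty.
	var algo string
	var digestLen int
	switch event.ImaHash.Algo {
	case 1:
		algo, digestLen = "md5", 16
	case 2:
		algo, digestLen = "sha1", 20
	case 4:
		algo, digestLen = "sha256", 32
	case 5:
		algo, digestLen = "sha384", 48
	case 6:
		algo, digestLen = "sha512", 64
	case 7:
		algo, digestLen = "sha224", 28
	case -1:
		// No hash in the map or no need to collect hash.
	default:
		logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", event.ImaHash.Algo)
	}
	if algo != "" {
		tetragonEvent.ImaHash = algo + ":" + hex.EncodeToString(event.ImaHash.Hash[:digestLen])
	}

	// … unchanged: nil-Pid check and the rest of GetProcessLsm …
```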
