Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v0.22.2] Revert static sig metadata #4323

Merged
merged 4 commits into from
Sep 24, 2024
Merged

[v0.22.2] Revert static sig metadata #4323

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
adab3e3
Revert "perf: benchmark improve sig GetMetadata"
rscampos Sep 23, 2024
02b5afb
Revert "core(test): static sig metadata declaration"
rscampos Sep 23, 2024
54e7823
Revert "chore: static sig metadata declaration"
rscampos Sep 23, 2024
ce64366
chore(k8s): prepare v0.22.2 release
rscampos Sep 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions deploy/helm/tracee/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v2
name: tracee
description: Linux Runtime Security and Forensics using eBPF
home: https://aquasecurity.github.io/tracee/v0.22.1/
home: https://aquasecurity.github.io/tracee/v0.22.2/
sources:
- https://github.com/aquasecurity/tracee

Expand All @@ -18,10 +18,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: "0.22.1"
version: "0.22.2"

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.22.1"
appVersion: "0.22.2"
24 changes: 12 additions & 12 deletions deploy/kubernetes/tracee/tracee.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,10 @@ kind: ServiceAccount
metadata:
name: tracee
labels:
helm.sh/chart: tracee-0.22.1
helm.sh/chart: tracee-0.22.2
app.kubernetes.io/name: tracee
app.kubernetes.io/instance: tracee
app.kubernetes.io/version: "0.22.1"
app.kubernetes.io/version: "0.22.2"
app.kubernetes.io/managed-by: Helm
---
# Source: tracee/templates/serviceaccount.yaml
Expand All @@ -17,10 +17,10 @@ kind: ServiceAccount
metadata:
name: tracee-operator
labels:
helm.sh/chart: tracee-0.22.1
helm.sh/chart: tracee-0.22.2
app.kubernetes.io/name: tracee
app.kubernetes.io/instance: tracee
app.kubernetes.io/version: "0.22.1"
app.kubernetes.io/version: "0.22.2"
app.kubernetes.io/managed-by: Helm
---
# Source: tracee/templates/tracee-config.yaml
Expand All @@ -29,10 +29,10 @@ kind: ConfigMap
metadata:
name: tracee-config
labels:
helm.sh/chart: tracee-0.22.1
helm.sh/chart: tracee-0.22.2
app.kubernetes.io/name: tracee
app.kubernetes.io/instance: tracee
app.kubernetes.io/version: "0.22.1"
app.kubernetes.io/version: "0.22.2"
app.kubernetes.io/managed-by: Helm
data:
config.yaml: |-
Expand Down Expand Up @@ -118,10 +118,10 @@ kind: DaemonSet
metadata:
name: tracee
labels:
helm.sh/chart: tracee-0.22.1
helm.sh/chart: tracee-0.22.2
app.kubernetes.io/name: tracee
app.kubernetes.io/instance: tracee
app.kubernetes.io/version: "0.22.1"
app.kubernetes.io/version: "0.22.2"
app.kubernetes.io/managed-by: Helm
spec:
selector:
Expand All @@ -140,7 +140,7 @@ spec:
{}
containers:
- name: tracee
image: "docker.io/aquasec/tracee:0.22.1"
image: "docker.io/aquasec/tracee:0.22.2"
imagePullPolicy: IfNotPresent
command:
- /tracee/tracee
Expand Down Expand Up @@ -218,10 +218,10 @@ kind: Deployment
metadata:
name: tracee-operator
labels:
helm.sh/chart: tracee-0.22.1
helm.sh/chart: tracee-0.22.2
app.kubernetes.io/name: tracee
app.kubernetes.io/instance: tracee
app.kubernetes.io/version: "0.22.1"
app.kubernetes.io/version: "0.22.2"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
Expand All @@ -238,7 +238,7 @@ spec:
{}
containers:
- name: tracee-operator
image: "docker.io/aquasec/tracee:0.22.1"
image: "docker.io/aquasec/tracee:0.22.2"
imagePullPolicy: IfNotPresent
command:
- /tracee/tracee-operator
Expand Down
53 changes: 0 additions & 53 deletions pkg/signatures/benchmark/benchmark_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (

"github.com/stretchr/testify/require"

"github.com/aquasecurity/tracee/pkg/events"
"github.com/aquasecurity/tracee/pkg/signatures/benchmark/signature/golang"
"github.com/aquasecurity/tracee/pkg/signatures/benchmark/signature/rego"
"github.com/aquasecurity/tracee/pkg/signatures/engine"
Expand Down Expand Up @@ -231,58 +230,6 @@ func BenchmarkEngineWithNSignatures(b *testing.B) {
}
}

func BenchmarkEngineMultipleMethodsGetMetadata(b *testing.B) {
benches := []struct {
name string
sigFuncs []func() (detect.Signature, error)
Enabled bool
}{
{
name: "Performance sig GetMetadata() - static",
sigFuncs: []func() (detect.Signature, error){golang.NewPerformanceStatic},
},
}

for _, bc := range benches {
b.Run(bc.name, func(b *testing.B) {
var sigs []detect.Signature
for _, sig := range bc.sigFuncs {
s, _ := sig()
sigs = append(sigs, s)
}

for i := 0; i < b.N; i++ {
// Produce events without timing it
b.StopTimer()
inputs := ProduceEventsInMemory(inputEventsCount)
output := make(chan *detect.Finding, inputEventsCount*len(sigs))

config := engine.Config{
Signatures: sigs,
Enabled: true,
SigNameToEventID: allocateEventIdsForSigs(events.StartSignatureID, sigs),
ShouldDispatchEvent: func(int32) bool { return true },
}

e, err := engine.NewEngine(config, inputs, output)
require.NoError(b, err, "constructing engine")

err = e.Init()
require.NoError(b, err, "initializing engine")
b.StartTimer()

// Start signatures engine and wait until all events are processed
e.Start(waitForEventsProcessed(inputs.Tracee))

b.StopTimer()

// Set engine to nil to help with garbage collection
e = nil
runtime.GC()
}
})
}
}
func waitForEventsProcessed(eventsCh chan protocol.Event) context.Context {
ctx, cancel := context.WithCancel(context.Background())
go func() {
Expand Down
20 changes: 0 additions & 20 deletions pkg/signatures/benchmark/helpers_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,7 @@ import (
_ "embed"
"math/rand"

"github.com/aquasecurity/tracee/pkg/events"
"github.com/aquasecurity/tracee/pkg/logger"
"github.com/aquasecurity/tracee/pkg/signatures/engine"
"github.com/aquasecurity/tracee/types/detect"
"github.com/aquasecurity/tracee/types/protocol"
"github.com/aquasecurity/tracee/types/trace"
)
Expand Down Expand Up @@ -174,20 +171,3 @@ func ProduceEventsInMemoryRandom(n int, seed ...trace.Event) engine.EventSources
Tracee: eventsCh,
}
}

func allocateEventIdsForSigs(startId events.ID, sigs []detect.Signature) map[string]int32 {
namesToIds := make(map[string]int32)
newEventDefID := startId
// First allocate event IDs to all signatures
for _, s := range sigs {
m, err := s.GetMetadata()
if err != nil {
logger.Warnw("Failed to allocate id for signature", "error", err)
continue
}

namesToIds[m.EventName] = int32(newEventDefID)
newEventDefID++
}
return namesToIds
}
123 changes: 0 additions & 123 deletions pkg/signatures/benchmark/signature/golang/performance_static.go
View file
Open in desktop

This file was deleted.

32 changes: 15 additions & 17 deletions signatures/golang/anti_debugging_ptraceme.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,30 +14,28 @@ type AntiDebuggingPtraceme struct {
ptraceTraceMe string
}

var antiDebuggingPtracemeMetada = detect.SignatureMetadata{
ID: "TRC-102",
Version: "1",
Name: "Anti-Debugging detected",
EventName: "anti_debugging",
Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
Properties: map[string]interface{}{
"Severity": 1,
"Category": "defense-evasion",
"Technique": "Debugger Evasion",
"Kubernetes_Technique": "",
"id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"external_id": "T1622",
},
}

func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
sig.cb = ctx.Callback
sig.ptraceTraceMe = "PTRACE_TRACEME"
return nil
}

func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
return antiDebuggingPtracemeMetada, nil
return detect.SignatureMetadata{
ID: "TRC-102",
Version: "1",
Name: "Anti-Debugging detected",
EventName: "anti_debugging",
Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
Properties: map[string]interface{}{
"Severity": 1,
"Category": "defense-evasion",
"Technique": "Debugger Evasion",
"Kubernetes_Technique": "",
"id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"external_id": "T1622",
},
}, nil
}

func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
Expand Down
Loading
Loading