fix: sig not triggering due to filtered base event

aquasecurity · Jun 27, 2023 · 047d2f5 · 047d2f5
1 parent 8d5237a
commit 047d2f5
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -253,7 +253,10 @@ func (t *Tracee) decodeEvents(outerCtx context.Context, sourceChan chan []byte)
 			// events (for derivative ones) might not have set related policy bit, thus the need
 			// to continue with those within the pipeline.
 			if t.matchPolicies(&evt) == 0 {
-				if _, ok := t.eventDerivations[eventId]; !ok {
+				_, hasDerivation := t.eventDerivations[eventId]
+				_, hasSignature := t.eventSignatures[eventId]
+
+				if !hasDerivation && !hasSignature {
 					_ = t.stats.EventsFiltered.Increase()
 					continue
 				}

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -15,6 +15,7 @@ import (
 	"unsafe"
 
 	lru "github.com/hashicorp/golang-lru/v2"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 
@@ -77,6 +78,7 @@ type Tracee struct {
 	eventsSorter     *sorting.EventsChronologicalSorter
 	eventProcessor   map[events.ID][]func(evt *trace.Event) error
 	eventDerivations derive.Table
+	eventSignatures  map[events.ID]bool
 	// Artifacts
 	fileHashes     *lru.Cache[string, fileExecInfo]
 	capturedFiles  map[string]int64
@@ -181,6 +183,9 @@ func GetCaptureEventsList(cfg config.Config) map[events.ID]eventConfig {
 
 func (t *Tracee) handleEventsDependencies(eventId events.ID, submitMap uint64) {
 	definition := events.Definitions.Get(eventId)
+
+	isSignatureEvent := slices.Contains(definition.Sets, "signatures")
+
 	eDependencies := definition.Dependencies
 	for _, dependentEvent := range eDependencies.Events {
 		ec, ok := t.events[dependentEvent.EventID]
@@ -190,6 +195,10 @@ func (t *Tracee) handleEventsDependencies(eventId events.ID, submitMap uint64) {
 		}
 		ec.submit |= submitMap
 		t.events[dependentEvent.EventID] = ec
+
+		if isSignatureEvent {
+			t.eventSignatures[dependentEvent.EventID] = true
+		}
 	}
 }
 
@@ -205,12 +214,13 @@ func New(cfg config.Config) (*Tracee, error) {
 	// Create Tracee
 
 	t := &Tracee{
-		config:        cfg,
-		done:          make(chan struct{}),
-		writtenFiles:  make(map[string]string),
-		readFiles:     make(map[string]string),
-		capturedFiles: make(map[string]int64),
-		events:        GetEssentialEventsList(),
+		config:          cfg,
+		done:            make(chan struct{}),
+		writtenFiles:    make(map[string]string),
+		readFiles:       make(map[string]string),
+		capturedFiles:   make(map[string]int64),
+		events:          GetEssentialEventsList(),
+		eventSignatures: make(map[events.ID]bool),
 	}
 
 	// Initialize capabilities rings soon