Refactor: use return.ErrSkipped to skip actions due to non supported …

…context or prerequisite Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
falcosecurity · Apr 11, 2024 · 692bafe · 692bafe
1 parent 939b3e0
commit 692bafe
Show file tree

Hide file tree

Showing 15 changed files with 161 additions and 134 deletions.
diff --git a/events/syscall/change_namespace_privileges_via_unshare.go b/events/syscall/change_namespace_privileges_via_unshare.go
@@ -18,25 +18,27 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
+	"os/exec"
 
-    "github.com/falcosecurity/event-generator/events"
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(
 	ChangeNamespacePrivilegesViaUnshare,
-        events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+	events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
 )
 
 func ChangeNamespacePrivilegesViaUnshare(h events.Helper) error {
-    if h.InContainer() {
-        cmd := exec.Command("unshare")
-
-        h.Log().Infof("Change namespace privileges via unshare")
-
-        if err := cmd.Run(); err != nil {
-            return err
-        }
+	if h.InContainer() {
+		cmd := exec.Command("unshare")
+
+		h.Log().Infof("Change namespace privileges via unshare")
+
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+	}
+	return &events.ErrSkipped{
+		Reason: "'Change Namespace Privileges Via Unshare' is applicable only to containers.",
 	}
-    return nil
 }
diff --git a/events/syscall/contact_cloud_metadata_service_from_container.go b/events/syscall/contact_cloud_metadata_service_from_container.go
@@ -18,29 +18,32 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
-    "github.com/falcosecurity/event-generator/events"
+	"os/exec"
+
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(
-    ContactCloudMetadataServiceFromContainer,
-    events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+	ContactCloudMetadataServiceFromContainer,
+	events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
 )
 
 func ContactCloudMetadataServiceFromContainer(h events.Helper) error {
-    if h.InContainer() {
-        // The IP address 169.254.169.254 is reserved for the Cloud Instance Metadata Service,
-        // a common endpoint used by cloud instances (GCP, AWS and Azure) to access
-        // metadata about the instance itself. Detecting attempts to communicate with this
-        // IP address from a container can indicate potential unauthorized access to
-        // sensitive cloud infrastructure metadata.
-        cmd := exec.Command("timeout", "1s", "nc", "169.254.169.254", "80")
-
-        if err := cmd.Run(); err != nil {
-            return err
-        }
-
-        h.Log().Infof("Outbound connection to cloud instance metadata service")
-    }
-    return nil
+	if h.InContainer() {
+		// The IP address 169.254.169.254 is reserved for the Cloud Instance Metadata Service,
+		// a common endpoint used by cloud instances (GCP, AWS and Azure) to access
+		// metadata about the instance itself. Detecting attempts to communicate with this
+		// IP address from a container can indicate potential unauthorized access to
+		// sensitive cloud infrastructure metadata.
+		cmd := exec.Command("timeout", "1s", "nc", "169.254.169.254", "80")
+
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+
+		h.Log().Infof("Outbound connection to cloud instance metadata service")
+	}
+	return &events.ErrSkipped{
+		Reason: "'Contact Cloud Metadata Service From Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/container_drift_detected_chmod.go b/events/syscall/container_drift_detected_chmod.go
@@ -40,5 +40,7 @@ func ContainerDriftDetcted(h events.Helper) error {
 			return err
 		}
 	}
-	return nil
+	return &events.ErrSkipped{
+		Reason: "'Container Drift Detected (chmod)' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/container_drift_detected_open_create.go b/events/syscall/container_drift_detected_open_create.go
@@ -37,5 +37,7 @@ func ContainerDriftDetectedOpenCreate(h events.Helper) error {
 		h.Log().Infof("writing to %s", file.Name())
 		return os.WriteFile(file.Name(), nil, os.FileMode(0755)) // Also set execute permission
 	}
-	return nil
+	return &events.ErrSkipped{
+		Reason: "'Container Drift Detected (open+create)' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/debugfs_launched_in_privilleged_container.go b/events/syscall/debugfs_launched_in_privilleged_container.go
@@ -15,28 +15,29 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
-    "syscall"
+	"os/exec"
+	"syscall"
 
-    "github.com/falcosecurity/event-generator/events"
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(DebugfsLaunchedInPrivilegedContainer)
 
 func DebugfsLaunchedInPrivilegedContainer(h events.Helper) error {
-    if h.InContainer() {
-        cmd := exec.Command("debugfs")
-        cmd.SysProcAttr = &syscall.SysProcAttr{
-            Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWUSER,
-        }
+	if h.InContainer() {
+		cmd := exec.Command("debugfs")
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWUSER,
+		}
 
-        h.Log().Info("Debugfs launched started in a privileged container")
-        err := cmd.Run()
-        if err != nil {
-            h.Log().WithError(err).Error("Failed to launch debugfs")
-            return err
-        }
-    }
-
-    return nil
+		h.Log().Info("Debugfs launched started in a privileged container")
+		err := cmd.Run()
+		if err != nil {
+			h.Log().WithError(err).Error("Failed to launch debugfs")
+			return err
+		}
+	}
+	return &events.ErrSkipped{
+		Reason: "'Debugfs Launched in Privileged Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/decoding_payload_in_container.go b/events/syscall/decoding_payload_in_container.go
@@ -15,25 +15,27 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
-    "github.com/falcosecurity/event-generator/events"
+	"os/exec"
+
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(
-    DecodingPayloadInContainer,
-    events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+	DecodingPayloadInContainer,
+	events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
 )
 
 func DecodingPayloadInContainer(h events.Helper) error {
-    if h.InContainer() {
-        encodedPayload := "ZGVjb2RlZF9ieV9ldmVudC1nZW5lcmF0b3I="
-        cmd := exec.Command("echo", encodedPayload, "|", "base64", "-d")
-
-        err := cmd.Run()
-        if err != nil {
-            return err
-        }
-    }
+	if h.InContainer() {
+		encodedPayload := "ZGVjb2RlZF9ieV9ldmVudC1nZW5lcmF0b3I="
+		cmd := exec.Command("echo", encodedPayload, "|", "base64", "-d")
 
-    return nil
+		err := cmd.Run()
+		if err != nil {
+			return err
+		}
+	}
+	return &events.ErrSkipped{
+		Reason: "'Decoding Payload In Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/drop_and_execute_new_binary_in_container.go b/events/syscall/drop_and_execute_new_binary_in_container.go
@@ -28,8 +28,9 @@ func DropAndExecuteNewBinaryInContainer(h events.Helper) error {
 		// Find the path of the ls binary
 		lsPath, err := exec.LookPath("ls")
 		if err != nil {
-			h.Log().WithError(err).Error("ls binary not found")
-			return err
+			return &events.ErrSkipped{
+				Reason: "ls utility not found in path",
+			}
 		}
 
 		// Read the ls binary content
@@ -52,5 +53,7 @@ func DropAndExecuteNewBinaryInContainer(h events.Helper) error {
 		h.Log().Info("Executed a binary not part of base image")
 		executeCmd.Run() // Rule triggers even the command is not successful
 	}
-	return nil
+	return &events.ErrSkipped{
+		Reason: "'Drop And Execute New Binary In Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/kubernetes_client_tool_launched_in_container.go b/events/syscall/kubernetes_client_tool_launched_in_container.go
@@ -32,13 +32,16 @@ func kubernetesClientToolLaunchedInContainer(h events.Helper) error {
 	if h.InContainer() {
 		kubectl, err := exec.LookPath("kubectl")
 		if err != nil {
-			h.Log().Warnf("kubectl is needed to launch this action")
-			return err
+			return &events.ErrSkipped{
+				Reason: "kubectl is needed to launch this action",
+			}
 		}
 
 		cmd := exec.Command(kubectl)
 		h.Log().Infof("Kubernetes Client Tool Launched In Container")
 		return cmd.Run()
 	}
-	return nil
+	return &events.ErrSkipped{
+		Reason: "'Kubernetes Client Tool Launched In Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/launch_package_management_process_in_container.go b/events/syscall/launch_package_management_process_in_container.go
@@ -46,5 +46,7 @@ func LaunchPackageManagementProcessInContainer(h events.Helper) error {
 		cmd := exec.Command("apt-get")
 		return cmd.Run()
 	}
-	return nil
+	return &events.ErrSkipped{
+		Reason: "'Launch Package Management Process In Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/launch_remote_file_copy_tools_in_container.go b/events/syscall/launch_remote_file_copy_tools_in_container.go
@@ -15,28 +15,29 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
+	"os/exec"
 
-    "github.com/falcosecurity/event-generator/events"
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(
-    LaunchRemoteFileCopyToolsInContainer,
-    events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+	LaunchRemoteFileCopyToolsInContainer,
+	events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
 )
 
 func LaunchRemoteFileCopyToolsInContainer(h events.Helper) error {
-    if h.InContainer() {
-        // Launch a remote file copy tool (e.g., scp) within the container
-        cmd := exec.Command("scp")
+	if h.InContainer() {
+		// Launch a remote file copy tool (e.g., scp) within the container
+		cmd := exec.Command("scp")
 
-        h.Log().Info("Remote file copy tool launched in container")
-        err := cmd.Run()
-        if err != nil {
-            h.Log().WithError(err).Error("Failed to launch remote file copy tool")
-            return err
-        }
-    }
-
-    return nil
+		h.Log().Info("Remote file copy tool launched in container")
+		err := cmd.Run()
+		if err != nil {
+			h.Log().WithError(err).Error("Failed to launch remote file copy tool")
+			return err
+		}
+	}
+	return &events.ErrSkipped{
+		Reason: "'Launch Remote File Copy Tools In Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/launch_remote_file_copy_tools_inside_container.go b/events/syscall/launch_remote_file_copy_tools_inside_container.go
@@ -33,5 +33,7 @@ func LaunchIngressRemoteFileCopyToolsInsideContainer(h events.Helper) error {
 		cmd := exec.Command("wget")
 		return cmd.Run()
 	}
-	return nil
+	return &events.ErrSkipped{
+		Reason: "'Launch Ingress Remote File Copy Tools Inside Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/launch_suspicious_network_tool_in_container.go b/events/syscall/launch_suspicious_network_tool_in_container.go
@@ -15,26 +15,27 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
+	"os/exec"
 
-    "github.com/falcosecurity/event-generator/events"
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(
-    LaunchSuspiciousNetworkToolInContainer,
-    events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+	LaunchSuspiciousNetworkToolInContainer,
+	events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
 )
 
 func LaunchSuspiciousNetworkToolInContainer(h events.Helper) error {
-    if h.InContainer() {
-        cmd := exec.Command("nmap", "-sn", "192.168.1.0/24")
-
-        h.Log().Infof("Network tool launched in container")
-
-        if err := cmd.Run(); err != nil {
-            return err
-        }
-    }
-
-    return nil
+	if h.InContainer() {
+		cmd := exec.Command("nmap", "-sn", "192.168.1.0/24")
+
+		h.Log().Infof("Network tool launched in container")
+
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+	}
+	return &events.ErrSkipped{
+		Reason: "'Launch Suspicious Network Tool In Container' is applicable only to containers.",
+	}
 }
diff --git a/events/syscall/launch_suspicious_network_tool_on_host.go b/events/syscall/launch_suspicious_network_tool_on_host.go
@@ -15,26 +15,27 @@ limitations under the License.
 package syscall
 
 import (
-    "os/exec"
+	"os/exec"
 
-    "github.com/falcosecurity/event-generator/events"
+	"github.com/falcosecurity/event-generator/events"
 )
 
 var _ = events.Register(LaunchSuspiciousNetworkToolOnHost)
 
 func LaunchSuspiciousNetworkToolOnHost(h events.Helper) error {
-    nmap, err := exec.LookPath("nmap")
-    if err != nil {
-      h.Log().Warnf("nmap is needed to launch this action")
-      return err
-    }
-
-    cmd := exec.Command(nmap, "-sn", "192.168.1.0/24")
-    h.Log().Infof("Network tool launched in host")
-
-    if err := cmd.Run(); err != nil {
-        return err
-    }
-
-    return nil
+	nmap, err := exec.LookPath("nmap")
+	if err != nil {
+		return &events.ErrSkipped{
+			Reason: "nmap utility is needed to launch this action ",
+		}
+	}
+
+	cmd := exec.Command(nmap, "-sn", "192.168.1.0/24")
+	h.Log().Infof("Network tool launched in host")
+
+	if err := cmd.Run(); err != nil {
+		return err
+	}
+
+	return nil
 }