update(pkg/runner/helper): SpawnAsWithSymlink and SpawnAs to copy the…

… binary

This can be used to trigger rules that are based on proc.exepath rather than proc.name
for better detection purposes.

Signed-off-by: Lorenzo Susini <[email protected]>

events/interfaces.go

@@ -48,8 +48,14 @@ type Helper interface {
 
 	// SpawnAs starts a child process and waits for it to complete.
 	// The child runs the given action as a different program name.
+	// The current event-generator binary is copied with a differen name
+	// prior to be run.
 	SpawnAs(name string, action string, args ...string) error
 
+	// SpawnAsWithSymlink works like SpawnAs, except that it does not make a
+	// copy of the the current event-generator binary, but creates a symlink instead.
+	SpawnAsWithSymlink(name string, action string, args ...string) error
+
 	// Spawned returns true if the action is running in a child process.
 	Spawned() bool
 

events/syscall/db_program_spawned_process.go

@@ -25,5 +25,5 @@ var _ = events.Register(
 )
 
 func DbProgramSpawnedProcess(h events.Helper) error {
-	return h.SpawnAs("mysqld", "helper.ExecLs")
+	return h.SpawnAsWithSymlink("mysqld", "helper.ExecLs")
 }

events/syscall/non_sudo_setuid.go

@@ -36,6 +36,6 @@ func NonSudoSetuid(h events.Helper) error {
 		h.Log().WithError(err).Debug("ignore root setuid error")
 		return nil
 	} else {
-		return h.SpawnAs("child", "syscall.NonSudoSetuid")
+		return h.SpawnAsWithSymlink("child", "syscall.NonSudoSetuid")
 	}
 }

events/syscall/read_sensitive_file_trusted_after_startup.go

@@ -21,5 +21,5 @@ import (
 var _ = events.Register(ReadSensitiveFileTrustedAfterStartup)
 
 func ReadSensitiveFileTrustedAfterStartup(h events.Helper) error {
-	return h.SpawnAs("httpd", "syscall.ReadSensitiveFileUntrusted", "--sleep", "6s")
+	return h.SpawnAsWithSymlink("httpd", "syscall.ReadSensitiveFileUntrusted", "--sleep", "6s")
 }

events/syscall/run_shell_untrusted.go

@@ -22,5 +22,5 @@ import (
 var _ = events.Register(RunShellUntrusted)
 
 func RunShellUntrusted(h events.Helper) error {
-	return h.SpawnAs("httpd", "helper.RunShell")
+	return h.SpawnAsWithSymlink("httpd", "helper.RunShell")
 }

events/syscall/system_procs_network_activity.go

@@ -25,5 +25,5 @@ var _ = events.Register(
 )
 
 func SystemProcsNetworkActivity(h events.Helper) error {
-	return h.SpawnAs("sha1sum", "helper.NetworkActivity")
+	return h.SpawnAsWithSymlink("sha1sum", "helper.NetworkActivity")
 }

events/syscall/user_mgmt_binaries.go

@@ -32,5 +32,5 @@ func UserMgmtBinaries(h events.Helper) error {
 			Reason: "'User mgmt binaries' is excluded in containers",
 		}
 	}
-	return h.SpawnAs("vipw", "helper.ExecLs")
+	return h.SpawnAsWithSymlink("vipw", "helper.ExecLs")
 }

pkg/runner/helper.go

@@ -80,6 +80,14 @@ func (h *helper) Cleanup(f func(), args ...interface{}) {
 }
 
 func (h *helper) SpawnAs(name string, action string, args ...string) error {
+	return h.spawnAs(name, action, true, args...)
+}
+
+func (h *helper) SpawnAsWithSymlink(name string, action string, args ...string) error {
+	return h.spawnAs(name, action, false, args...)
+}
+
+func (h *helper) spawnAs(name string, action string, copy bool, args ...string) error {
 	fullArgs := append([]string{fmt.Sprintf("^%s$", action)}, args...)
 	h.Log().WithField("args", strings.Join(fullArgs, " ")).Infof(`spawn as "%s"`, name)
 	if h.Spawned() {
@@ -92,8 +100,18 @@ func (h *helper) SpawnAs(name string, action string, args ...string) error {
 	defer os.RemoveAll(tmpDir)
 
 	name = filepath.Join(tmpDir, name)
-	if err := os.Symlink(h.runner.exePath, name); err != nil {
-		return err
+	if copy {
+		var data []byte
+		if data, err = os.ReadFile(h.runner.exePath); err != nil {
+			return err
+		}
+		if err = os.WriteFile(name, data, 0755); err != nil {
+			return err
+		}
+	} else {
+		if err := os.Symlink(h.runner.exePath, name); err != nil {
+			return err
+		}
 	}
 
 	cmd := exec.Command(name, append(h.runner.exeArgs, fullArgs...)...)