Signatures written in Go-Cel (POC)
Tracee has introduced, in its latest version, a new type of signature as a PROOF OF CONCEPT: signatures written in the Common Expression Language (Go-Cel).
Go-cel
The Common Expression Language (CEL) is a non-Turing complete language designed for simplicity, speed, safety, and portability. CEL's C-like syntax looks nearly identical to equivalent expressions in C++, Go, Java, and TypeScript.
Proof-of-concept
Go-Cel based signatures are experimental and part of an ongoing development proof-of-concept. The feature is not finished, and writing signatures in Go-Cel might require Tracee code updates, such as adding internal parser helpers and/or declaring event types in the internal protobuf wrapper structure.
This feature is enabled by placing CEL signature definition files (.cel, .yaml, .yml) in the --rules-dir directory. Sample definition files can be found in the pkg/signatures/celsig/testdata/rules/ directory.
Signature

```yaml
kind: SignaturesConfig
apiVersion: tracee.aquasecurity.github.io/v1alpha1
signatures:
  - metadata:
      id: "Mine-0.1.0"
      version: "0.1.0"
      name: "My Own Signature"
      description: "My Own Signature Detects Stuff"
      tags:
        - "linux"
    eventSelectors:
      - source: tracee
        name: openat
    expression: |-
      input.eventName == 'openat' &&
      input.stringArg('pathname').startsWith('/etc/passwd')
```
After placing your signature_example.yaml inside the dist/signatures directory, you may run tracee selecting only the event used by the signature you just created, if that is what you want:

```
$ sudo ./dist/tracee-ebpf \
    --output json \
    --filter comm=bash \
    --filter follow \
    --output option:parse-arguments \
    -trace event=$(./dist/tracee-rules --rules Mine-0.1.0 --list-events) \
    | ./dist/tracee-rules \
    --input-tracee format:json \
    --input-tracee file:stdin \
    --rules Mine-0.1.0
Loaded 1 signature(s): [Mine-0.1.0]

*** Detection ***
Time: 2022-07-10T05:49:48Z
Signature ID: Mine-0.1.0
Signature: My Own Signature
Data: map[]
Command: batcat
Hostname: fujitsu
```
Experimental
As noted above, Go-Cel signatures are experimental and considered proof-of-concept for now. If you decide to develop Go-Cel signatures, you may face some issues:
- Go-Cel depends on protobuf, and tracee.Event is not yet a protobuf object. Because of that, there is a wrapper in place converting tracee.Event into protobuf so the evaluations can happen (check the files inside the pkg/signatures/celsig/wrapper/ directory).
- When writing your signature, it might happen that the event you're filtering for does not have all of its argument types wrapped in the protobuf wrapper. You may face errors such as:

```
Unrecognized event arg: eventName: "openat" name: "mode" type: "mode_t" valueType: uint32 value: 0
```

  This means you have to add that type to Tracee's Go-Cel wrapper so it is able to evaluate it.
- Your signature might need helpers/macros that don't exist yet. A good source of examples is the pkg/signatures/celsig/library.go file and its functions: sockaddrArg, stringArg, argByName.
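The following Go program is an added illustration, not Tracee's code: it shows, for the signature above and for the wrapper and helper issues just listed, what the two pieces of machinery do. The Event and Arg structs, wrappedValue, wrapEvent and the argByName/stringArg helpers are hypothetical stand-ins for tracee.Event and for the helpers in library.go, and the error text is modelled on the message quoted above rather than copied from Tracee's source. matchesMineSignature hand-evaluates the page's CEL expression over constructed sample events, and wrapEvent shows how an event argument whose declared type the wrapper does not know surfaces before any expression runs.

```go
package main

import (
	"fmt"
	"strings"
)

// Arg mirrors the fields visible in the page's "Unrecognized event arg" message:
// an argument has a name, a declared C type, and a Go value of some type.
// (Constructed stand-in, not Tracee's argument struct.)
type Arg struct {
	Name  string
	Type  string
	Value interface{}
}

// Event is a constructed stand-in for tracee.Event.
type Event struct {
	EventName string
	Args      []Arg
}

// wrappedValue converts one argument into a value the (hypothetical) protobuf
// wrapper knows how to carry. Only a few declared C types are mapped here; any
// other type is rejected with an error shaped like the page's message.
func wrappedValue(eventName string, a Arg) (interface{}, error) {
	switch a.Type {
	case "const char*":
		if s, ok := a.Value.(string); ok {
			return s, nil
		}
	case "int":
		if n, ok := a.Value.(int32); ok {
			return n, nil
		}
	case "unsigned int":
		if n, ok := a.Value.(uint32); ok {
			return n, nil
		}
	}
	return nil, fmt.Errorf("Unrecognized event arg: eventName: %q name: %q type: %q valueType: %T value: %v",
		eventName, a.Name, a.Type, a.Value, a.Value)
}

// wrapEvent validates every argument up front, so a signature author sees an
// unsupported type before the expression is evaluated against the event.
func wrapEvent(ev Event) (map[string]interface{}, error) {
	out := make(map[string]interface{}, len(ev.Args))
	for _, a := range ev.Args {
		v, err := wrappedValue(ev.EventName, a)
		if err != nil {
			return nil, err
		}
		out[a.Name] = v
	}
	return out, nil
}

// argByName returns the named argument and whether it was present
// (same purpose as the argByName helper the page points to, simplified).
func argByName(ev Event, name string) (Arg, bool) {
	for _, a := range ev.Args {
		if a.Name == name {
			return a, true
		}
	}
	return Arg{}, false
}

// stringArg returns the argument as a string, or "" when it is missing or not
// a string, so a startsWith() check on it can never fail on a nil value.
func stringArg(ev Event, name string) string {
	a, ok := argByName(ev, name)
	if !ok {
		return ""
	}
	s, _ := a.Value.(string)
	return s
}

// matchesMineSignature hand-evaluates the page's CEL expression:
// input.eventName == 'openat' && input.stringArg('pathname').startsWith('/etc/passwd')
func matchesMineSignature(ev Event) bool {
	return ev.EventName == "openat" && strings.HasPrefix(stringArg(ev, "pathname"), "/etc/passwd")
}

func main() {
	// Constructed sample events (not captured Tracee output).
	hit := Event{EventName: "openat", Args: []Arg{
		{Name: "pathname", Type: "const char*", Value: "/etc/passwd"},
		{Name: "flags", Type: "int", Value: int32(0)},
	}}
	miss := Event{EventName: "openat", Args: []Arg{
		{Name: "pathname", Type: "const char*", Value: "/tmp/notes"},
	}}
	fmt.Println(matchesMineSignature(hit), matchesMineSignature(miss)) // true false

	// An argument whose declared type the wrapper does not map yet.
	odd := Event{EventName: "openat", Args: []Arg{
		{Name: "mode", Type: "mode_t", Value: uint32(0)},
	}}
	if _, err := wrapEvent(odd); err != nil {
		fmt.Println(err)
	}
}
```

The two checks are deliberately separate: wrapEvent fails closed on any argument type it cannot represent, which is the situation behind the "Unrecognized event arg" error, while the expression itself only ever sees already-wrapped values and falls through to a non-match when an argument is absent.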