Xmr mining all options

alertbindings.yaml

@@ -0,0 +1,67 @@
+apiVersion: kubescape.io/v1
+kind: RuntimeRuleAlertBinding
+metadata:
+  annotations:
+    meta.helm.sh/release-name: kubescape
+    meta.helm.sh/release-namespace: kubescape
+  creationTimestamp: "2024-11-26T11:07:08Z"
+  generation: 1
+  labels:
+    app: node-agent
+    app.kubernetes.io/component: node-agent
+    app.kubernetes.io/instance: kubescape
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kubescape-operator
+    app.kubernetes.io/version: 1.23.2
+    helm.sh/chart: kubescape-operator-1.23.2
+    kubescape.io/ignore: "true"
+    tier: ks-control-plane
+  name: all-rules-all-pods
+  resourceVersion: "516"
+  uid: 78bc578c-6374-4641-adc3-a5f067d5a748
+spec:
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubescape
+      - kube-system
+      - kube-public
+      - kube-node-lease
+      - kubeconfig
+      - gmp-system
+      - gmp-public
+  rules:
+  - ruleName: Unexpected process launched
+  - parameters:
+      ignoreMounts: true
+      ignorePrefixes:
+      - /proc
+      - /run/secrets/kubernetes.io/serviceaccount
+      - /var/run/secrets/kubernetes.io/serviceaccount
+      - /tmp
+    ruleName: Unexpected file access
+  - ruleName: Unexpected system call
+  - ruleName: Unexpected capability used
+  - ruleName: Unexpected domain request
+  - ruleName: Unexpected Service Account Token Access
+  - ruleName: Kubernetes Client Executed
+  - ruleName: Exec from malicious source
+  - ruleName: Kernel Module Load
+  - ruleName: Exec Binary Not In Base Image
+  - ruleName: Malicious SSH Connection
+  - ruleName: Fileless Execution
+  - ruleName: Exec from mount
+  - ruleName: Crypto Mining Related Port Communication
+  - ruleName: Crypto Mining Domain Communication
+  - ruleName: Read Environment Variables from procfs
+  - ruleName: eBPF Program Load
+  - ruleName: Symlink Created Over Sensitive File
+  - ruleName: Unexpected Sensitive File Access
+  - ruleName: Hardlink Created Over Sensitive File
+  - ruleName: Exec to pod
+  - ruleName: Port forward
+  - ruleName: Unexpected Egress Network Traffic
+  - ruleName: Malicious Ptrace Usage
+  - ruleName: Crypto Miner detected

go.sum

@@ -594,8 +594,6 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby v27.0.2+incompatible h1:iYtGEjFi9lkX2m/Bop2H/peXzx3VtzmPlE9r0JHyH0s=
-github.com/moby/moby v27.0.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/moby v27.1.2+incompatible h1:vqOs4c7YktTdEBnPQNm0Q+M+IOuxxTCkrYJLBAVsEHQ=
 github.com/moby/moby v27.1.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=

pkg/ruleengine/v1/factory.go

@@ -34,6 +34,8 @@ func NewRuleCreator() *RuleCreatorImpl {
 			R1010SymlinkCreatedOverSensitiveFileRuleDescriptor,
 			R1011LdPreloadHookRuleDescriptor,
 			R1012HardlinkCreatedOverSensitiveFileRuleDescriptor,
+			R1013CryptoMiningFilesAccessRuleDescriptor,
+			R1014CryptoMinerDetectedRuleDescriptor,
 		},
 	}
 }

pkg/ruleengine/v1/r0001_unexpected_process_launched.go

@@ -76,6 +76,7 @@ func (rule *R0001UnexpectedProcessLaunched) generatePatchCommand(event *tracerex
 }
 
 func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure {
+
 	if eventType != utils.ExecveEventType {
 		return nil
 	}

pkg/ruleengine/v1/r1008_crypto_mining_domain.go → pkg/ruleengine/v1/r1008_crypto_mining_domains.go

@@ -17,114 +17,6 @@ const (
 	R1008Name = "Crypto Mining Domain Communication"
 )
 
-var commonlyUsedCryptoMinersDomains = []string{
-	"2cryptocalc.com.",
-	"2miners.com.",
-	"antpool.com.",
-	"asia1.ethpool.org.",
-	"bohemianpool.com.",
-	"botbox.dev.",
-	"btm.antpool.com.",
-	"c3pool.com.",
-	"c4pool.org.",
-	"ca.minexmr.com.",
-	"cn.stratum.slushpool.com.",
-	"dash.antpool.com.",
-	"data.miningpoolstats.stream.",
-	"de.minexmr.com.",
-	"eth-ar.dwarfpool.com.",
-	"eth-asia.dwarfpool.com.",
-	"eth-asia1.nanopool.org.",
-	"eth-au.dwarfpool.com.",
-	"eth-au1.nanopool.org.",
-	"eth-br.dwarfpool.com.",
-	"eth-cn.dwarfpool.com.",
-	"eth-cn2.dwarfpool.com.",
-	"eth-eu.dwarfpool.com.",
-	"eth-eu1.nanopool.org.",
-	"eth-eu2.nanopool.org.",
-	"eth-hk.dwarfpool.com.",
-	"eth-jp1.nanopool.org.",
-	"eth-ru.dwarfpool.com.",
-	"eth-ru2.dwarfpool.com.",
-	"eth-sg.dwarfpool.com.",
-	"eth-us-east1.nanopool.org.",
-	"eth-us-west1.nanopool.org.",
-	"eth-us.dwarfpool.com.",
-	"eth-us2.dwarfpool.com.",
-	"eth.antpool.com.",
-	"eu.stratum.slushpool.com.",
-	"eu1.ethermine.org.",
-	"eu1.ethpool.org.",
-	"fastpool.xyz.",
-	"fr.minexmr.com.",
-	"kriptokyng.com.",
-	"mine.moneropool.com.",
-	"mine.xmrpool.net.",
-	"miningmadness.com.",
-	"monero.cedric-crispin.com.",
-	"monero.crypto-pool.fr.",
-	"monero.fairhash.org.",
-	"monero.hashvault.pro.",
-	"monero.herominers.com.",
-	"monerod.org.",
-	"monerohash.com.",
-	"moneroocean.stream.",
-	"monerop.com.",
-	"multi-pools.com.",
-	"p2pool.io.",
-	"pool.kryptex.com.",
-	"pool.minexmr.com.",
-	"pool.monero.hashvault.pro.",
-	"pool.rplant.xyz.",
-	"pool.supportxmr.com.",
-	"pool.xmr.pt.",
-	"prohashing.com.",
-	"rx.unmineable.com.",
-	"sg.minexmr.com.",
-	"sg.stratum.slushpool.com.",
-	"skypool.org.",
-	"solo-xmr.2miners.com.",
-	"ss.antpool.com.",
-	"stratum-btm.antpool.com.",
-	"stratum-dash.antpool.com.",
-	"stratum-eth.antpool.com.",
-	"stratum-ltc.antpool.com.",
-	"stratum-xmc.antpool.com.",
-	"stratum-zec.antpool.com.",
-	"stratum.antpool.com.",
-	"supportxmr.com.",
-	"trustpool.cc.",
-	"us-east.stratum.slushpool.com.",
-	"us1.ethermine.org.",
-	"us1.ethpool.org.",
-	"us2.ethermine.org.",
-	"us2.ethpool.org.",
-	"web.xmrpool.eu.",
-	"www.domajorpool.com.",
-	"www.dxpool.com.",
-	"www.mining-dutch.nl.",
-	"xmc.antpool.com.",
-	"xmr-asia1.nanopool.org.",
-	"xmr-au1.nanopool.org.",
-	"xmr-eu1.nanopool.org.",
-	"xmr-eu2.nanopool.org.",
-	"xmr-jp1.nanopool.org.",
-	"xmr-us-east1.nanopool.org.",
-	"xmr-us-west1.nanopool.org.",
-	"xmr.2miners.com.",
-	"xmr.crypto-pool.fr.",
-	"xmr.gntl.uk.",
-	"xmr.nanopool.org.",
-	"xmr.pool-pay.com.",
-	"xmr.pool.minergate.com.",
-	"xmr.solopool.org.",
-	"xmr.volt-mine.com.",
-	"xmr.zeropool.io.",
-	"zec.antpool.com.",
-	"zergpool.com.",
-}
-
 var R1008CryptoMiningDomainCommunicationRuleDescriptor = RuleDescriptor{
 	ID:          R1008ID,
 	Name:        R1008Name,
@@ -163,12 +55,14 @@ func (rule *R1008CryptoMiningDomainCommunication) DeleteRule() {
 }
 
 func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure {
+
 	if eventType != utils.DnsEventType {
 		return nil
 	}
 
 	if dnsEvent, ok := event.(*tracerdnstype.Event); ok {
-		if slices.Contains(commonlyUsedCryptoMinersDomains, dnsEvent.DNSName) {
+
+		if slices.Contains(utils.CommonlyUsedCryptoMinersDomains, dnsEvent.DNSName) {
 			ruleFailure := GenericRuleFailure{
 				BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
 					AlertName:      rule.Name(),

pkg/ruleengine/v1/r1013_crypto_mining_files.go

@@ -0,0 +1,103 @@
+package ruleengine
+
+import (
+	"fmt"
+	"strings"
+	"slices"
+
+	traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
+	"github.com/kubescape/node-agent/pkg/objectcache"
+	"github.com/kubescape/node-agent/pkg/ruleengine"
+	"github.com/kubescape/node-agent/pkg/utils"
+
+	apitypes "github.com/armosec/armoapi-go/armotypes"
+)
+
+const (
+	R1013ID   = "R1013"
+	R1013Name = "Crypto Mining files access"
+)
+
+var R1013CryptoMiningFilesAccessRuleDescriptor = RuleDescriptor{
+	ID:          R1013ID,
+	Name:        R1013Name,
+	Description: "Detecting Crypto miners communication by files access",
+	Tags:        []string{"crypto", "miners", "malicious", "whitelisted"},
+	Priority:    RulePriorityHigh,
+	Requirements: &RuleRequirements{
+		EventTypes: []utils.EventType{
+			utils.OpenEventType,
+		},
+	},
+	RuleCreationFunc: func() ruleengine.RuleEvaluator {
+		return CreateRuleR1013CryptoMiningFilesAccess()
+	},
+}
+var _ ruleengine.RuleEvaluator = (*R1013CryptoMiningFilesAccess)(nil)
+
+type R1013CryptoMiningFilesAccess struct {
+	BaseRule
+}
+
+func CreateRuleR1013CryptoMiningFilesAccess() *R1013CryptoMiningFilesAccess {
+	return &R1013CryptoMiningFilesAccess{}
+}
+func (rule *R1013CryptoMiningFilesAccess) Name() string {
+	return R1013Name
+}
+
+func (rule *R1013CryptoMiningFilesAccess) ID() string {
+	return R1013ID
+}
+
+func (rule *R1013CryptoMiningFilesAccess) DeleteRule() {
+}
+
+func (rule *R1013CryptoMiningFilesAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
+	if eventType != utils.OpenEventType {
+		return nil
+	}
+
+	openEvent, ok := event.(*traceropentype.Event)
+	if !ok {
+		return nil
+	}
+
+	if slices.Contains(utils.CryptoMiningFilesAccessPathsPrefix, openEvent.FullPath) {
+
+	ruleFailure := GenericRuleFailure{
+		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
+			AlertName:      rule.Name(),
+			InfectedPID:    openEvent.Pid,
+			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
+			Severity:       R1013CryptoMiningFilesAccessRuleDescriptor.Priority,
+		},
+		RuntimeProcessDetails: apitypes.ProcessTree{
+			ProcessTree: apitypes.Process{
+				Comm: openEvent.Comm,
+				Gid:  &openEvent.Gid,
+				PID:  openEvent.Pid,
+				Uid:  &openEvent.Uid,
+			},
+			ContainerID: openEvent.Runtime.ContainerID,
+		},
+		TriggerEvent: openEvent.Event,
+		RuleAlert: apitypes.RuleAlert{
+			RuleDescription: fmt.Sprintf("Unexpected access to crypto mining-related file: %s with flags: %s in: %s", openEvent.FullPath, strings.Join(openEvent.Flags, ","), openEvent.GetContainer()),
+		},
+		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
+			PodName: openEvent.GetPod(),
+		},
+		RuleID: rule.ID(),
+	}
+
+	return &ruleFailure
+}
+return nil
+}
+
+func (rule *R1013CryptoMiningFilesAccess) Requirements() ruleengine.RuleSpec {
+	return &RuleRequirements{
+		EventTypes: R1013CryptoMiningFilesAccessRuleDescriptor.Requirements.RequiredEventTypes(),
+	}
+}

pkg/ruleengine/v1/r1013_crypto_mining_files_test.go

@@ -0,0 +1,68 @@
+package ruleengine
+
+import (
+	"testing"
+
+	"github.com/kubescape/node-agent/pkg/utils"
+
+	traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
+	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
+
+	eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
+)
+
+func TestR1013UnexpectedServiceAccountTokenMount(t *testing.T) {
+	// Create a new rule
+	r := CreateRuleR1013CryptoMiningFilesAccess()
+	// Assert r is not nil
+	if r == nil {
+		t.Errorf("Expected r to not be nil")
+	}
+
+	// Create a file access event
+	e := &traceropentype.Event{
+		Event: eventtypes.Event{
+			CommonData: eventtypes.CommonData{
+				K8s: eventtypes.K8sMetadata{
+					BasicK8sMetadata: eventtypes.BasicK8sMetadata{
+						ContainerName: "test",
+					},
+				},
+			},
+		},
+		Path:     "/test",
+		FullPath: "/test",
+		Flags:    []string{"O_RDONLY"},
+	}
+
+	// Test with nil appProfileAccess
+	ruleResult := r.ProcessEvent(utils.OpenEventType, e, &RuleObjectCacheMock{})
+	if ruleResult != nil {
+		t.Errorf("Expected ruleResult to not be nil since no appProfile")
+		return
+	}
+
+	// Test with whitelisted file
+	e.FullPath = "/proc/meminfo/asdasd"
+	objCache := RuleObjectCacheMock{}
+	profile := objCache.ApplicationProfileCache().GetApplicationProfile("test")
+	if profile == nil {
+		profile = &v1beta1.ApplicationProfile{}
+		profile.Spec.Containers = append(profile.Spec.Containers, v1beta1.ApplicationProfileContainer{
+			Name: "test",
+			Opens: []v1beta1.OpenCalls{
+				{
+					Path:  "/proc/meminfo",
+					Flags: []string{"O_RDONLY"},
+				},
+			},
+		})
+
+		objCache.SetApplicationProfile(profile)
+	}
+
+	ruleResult = r.ProcessEvent(utils.OpenEventType, e, &objCache)
+	if ruleResult != nil {
+		t.Errorf("Expected ruleResult to be nil since file is whitelisted")
+	}
+}