From 61280ab4bd6e76fc0ce5bd3fb6c453bece28ab78 Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Sat, 12 Feb 2022 11:29:34 +0530 Subject: [PATCH] redirect logs to alerts based on default posture When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture. Ref #595 Signed-off-by: daemon1024 --- KubeArmor/feeder/policyMatcher.go | 47 +++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 12 deletions(-) diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go index ffdf8d40e8..e4958ec76f 100644 --- a/KubeArmor/feeder/policyMatcher.go +++ b/KubeArmor/feeder/policyMatcher.go @@ -673,6 +673,25 @@ func lastString(ss []string) string { return ss[len(ss)-1] } +// Update Log Fields based on default posture and visibility configuration and return false if no updates +func setLogFields(action string, visibility bool, log *tp.Log) bool { + if action == "block" { + (*log).Type = "MatchedPolicy" + (*log).PolicyName = "DefaultPosture" + (*log).Action = "Block" + return true + } else if action == "audit" { + (*log).Type = "MatchedPolicy" + (*log).PolicyName = "DefaultPosture" + (*log).Action = "Audit" + return true + } else if visibility { + (*log).Type = "ContainerLog" + return true + } + return false +} + // UpdateMatchedPolicy Function func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { allowProcPolicy := "" 
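Review bot: The explicit `(*log).Type`, `(*log).PolicyName` and `(*log).Action` dereferences in setLogFields are unidiomatic Go; field selection works through a pointer, so `log.Type = "MatchedPolicy"` is equivalent, and the three-way if/else-if chain reads more cleanly as a bare switch with a `default: return false`. The comparisons against "block" and "audit" are exact-case; the hunk does not show whether the posture strings in cfg.GlobalCfg are normalized when loaded, so if they come straight from user configuration, either a `strings.ToLower(action)` here or a comment stating the invariant would be worth adding. The doc comment could also say that a posture alert only overwrites Type, PolicyName and Action and leaves every other field as the caller set it. UpdateMatchedPolicy, whose first lines close this hunk, continues beyond it.
```go
func setLogFields(action string, visibility bool, log *tp.Log) bool {
	switch {
	case action == "block":
		log.Type, log.PolicyName, log.Action = "MatchedPolicy", "DefaultPosture", "Block"
	case action == "audit":
		log.Type, log.PolicyName, log.Action = "MatchedPolicy", "DefaultPosture", "Audit"
	case visibility:
		log.Type = "ContainerLog"
	default:
		return false
	}
	return true
}
```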
@@ -1008,18 +1027,22 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { } } - if log.ProcessVisibilityEnabled && log.Operation == "Process" { - log.Type = "ContainerLog" - return log - } else if log.FileVisibilityEnabled && log.Operation == "File" { - log.Type = "ContainerLog" - return log - } else if log.NetworkVisibilityEnabled && log.Operation == "Network" { - log.Type = "ContainerLog" - return log - } else if log.CapabilitiesVisibilityEnabled && log.Operation == "Capabilities" { - log.Type = "ContainerLog" - return log + if log.Operation == "Process" { + if setLogFields(cfg.GlobalCfg.DefaultFilePosture, log.ProcessVisibilityEnabled, &log) { + return log + } + } else if log.Operation == "File" { + if setLogFields(cfg.GlobalCfg.DefaultFilePosture, log.FileVisibilityEnabled, &log) { + return log + } + } else if log.Operation == "Network" { + if setLogFields(cfg.GlobalCfg.DefaultNetworkPosture, log.NetworkVisibilityEnabled, &log) { + return log + } + } else if log.Operation == "Capabilities" { + if setLogFields(cfg.GlobalCfg.DefaultCapabilitiesPosture, log.CapabilitiesVisibilityEnabled, &log) { + return log + } } } else if log.Type == "MatchedPolicy" { if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
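Review bot: The Process branch passes `cfg.GlobalCfg.DefaultFilePosture` to setLogFields, the same value the File branch uses, while Network and Capabilities each get their own posture; if process events are intentionally governed by the file posture, a one-line comment such as `// process events fall under the file posture` on that call would keep it from being read as a copy-paste slip, and if not, the wrong posture is being applied to process telemetry. Separately, the Action written into the alert is derived from the configured posture alone; nothing in this hunk checks that the operation was actually denied or audited, so if an event that was permitted can still reach this point it would be reported as a "Block" alert — worth confirming against the allow-policy matching earlier in UpdateMatchedPolicy. The enclosing function begins before and continues after this hunk.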