From f064183eb5da3c060fff3843a1daa7892cc09273 Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Sat, 12 Feb 2022 11:29:34 +0530
Subject: [PATCH] redirect logs to alerts based on default posture

When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref #595

Signed-off-by: daemon1024
---
 KubeArmor/feeder/policyMatcher.go | 48 +++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 12 deletions(-)

diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index ffdf8d40e8..dbd43432ae 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -13,6 +13,7 @@ import (
 
 	kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
 	cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
+	"github.com/kubearmor/KubeArmor/KubeArmor/types"
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
 
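Review bot: The added import brings in `github.com/kubearmor/KubeArmor/KubeArmor/types` a second time, right above the existing `tp` alias of the same package, and its only user is the closure parameter `log *types.Log` in the second hunk. Declaring that parameter as `log *tp.Log` and dropping the new import keeps a single name for the package, consistent with the `UpdateMatchedPolicy(log tp.Log) tp.Log` signature the rest of the file already uses.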
@@ -1008,18 +1009,41 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 			}
 		}
 
-		if log.ProcessVisibilityEnabled && log.Operation == "Process" {
-			log.Type = "ContainerLog"
-			return log
-		} else if log.FileVisibilityEnabled && log.Operation == "File" {
-			log.Type = "ContainerLog"
-			return log
-		} else if log.NetworkVisibilityEnabled && log.Operation == "Network" {
-			log.Type = "ContainerLog"
-			return log
-		} else if log.CapabilitiesVisibilityEnabled && log.Operation == "Capabilities" {
-			log.Type = "ContainerLog"
-			return log
+		// Check if
+		setLogFields := func(action string, visibility bool, log *types.Log) bool {
+			if action == "block" {
+				(*log).Type = "MatchedPolicy"
+				(*log).PolicyName = "DefaultPosture"
+				(*log).Action = "Block"
+				return true
+			} else if action == "audit" {
+				(*log).Type = "MatchedPolicy"
+				(*log).PolicyName = "DefaultPosture"
+				(*log).Action = "Audit"
+				return true
+			} else if visibility {
+				(*log).Type = "ContainerLog"
+				return true
+			}
+			return false
+		}
+
+		if log.Operation == "Process" {
+			if setLogFields(cfg.GlobalCfg.DefaultFilePosture, log.ProcessVisibilityEnabled, &log) {
+				return log
+			}
+		} else if log.Operation == "File" {
+			if setLogFields(cfg.GlobalCfg.DefaultFilePosture, log.FileVisibilityEnabled, &log) {
+				return log
+			}
+		} else if log.Operation == "Network" {
+			if setLogFields(cfg.GlobalCfg.DefaultNetworkPosture, log.NetworkVisibilityEnabled, &log) {
+				return log
+			}
+		} else if log.Operation == "Capabilities" {
+			if setLogFields(cfg.GlobalCfg.DefaultCapabilitiesPosture, log.CapabilitiesVisibilityEnabled, &log) {
+				return log
+			}
 		}
 	} else if log.Type == "MatchedPolicy" {
 		if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
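Review bot: The `"Process"` branch passes `cfg.GlobalCfg.DefaultFilePosture` to setLogFields while the other three branches use the posture named after their operation; if process events are deliberately governed by the file posture, that line should say so, e.g. `// process (exec) events follow the file posture`, otherwise this looks like a copy-paste slip. The `// Check if` comment above the closure is unfinished and should state the contract, e.g. `// setLogFields marks an unmatched event as a DefaultPosture alert when the posture is block/audit, or as a visibility log when the operation is visible; returns false when neither applies`. Action is set to `"Block"` from the configured string alone, so if the posture is not actually being enforced on a given node the emitted alert would overstate what happened — worth confirming this path is only reached when enforcement is active. Minor style: `(*log).Type` can be written `log.Type`, and the closure's `log` parameter shadows the outer `log` it is called with. UpdateMatchedPolicy's body continues outside the hunk on both sides.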