redirect logs to alerts based on default posture

When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture. Ref #595 Signed-off-by: daemon1024 <[email protected]>
kubearmor · Feb 14, 2022 · 61280ab · 61280ab
1 parent f6115a4
commit 61280ab
Showing 1 changed file with 35 additions and 12 deletions.
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
@@ -673,6 +673,25 @@ func lastString(ss []string) string {
 	return ss[len(ss)-1]
 }
 
+// Update Log Fields based on default posture and visibility configuration and return false if no updates
+func setLogFields(action string, visibility bool, log *tp.Log) bool {
+	if action == "block" {
+		(*log).Type = "MatchedPolicy"
+		(*log).PolicyName = "DefaultPosture"
+		(*log).Action = "Block"
+		return true
+	} else if action == "audit" {
+		(*log).Type = "MatchedPolicy"
+		(*log).PolicyName = "DefaultPosture"
+		(*log).Action = "Audit"
+		return true
+	} else if visibility {
+		(*log).Type = "ContainerLog"
+		return true
+	}
+	return false
+}
+
 // UpdateMatchedPolicy Function
 func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 	allowProcPolicy := ""
@@ -1008,18 +1027,22 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 				}
 			}
 
-			if log.ProcessVisibilityEnabled && log.Operation == "Process" {
-				log.Type = "ContainerLog"
-				return log
-			} else if log.FileVisibilityEnabled && log.Operation == "File" {
-				log.Type = "ContainerLog"
-				return log
-			} else if log.NetworkVisibilityEnabled && log.Operation == "Network" {
-				log.Type = "ContainerLog"
-				return log
-			} else if log.CapabilitiesVisibilityEnabled && log.Operation == "Capabilities" {
-				log.Type = "ContainerLog"
-				return log
+			if log.Operation == "Process" {
+				if setLogFields(cfg.GlobalCfg.DefaultFilePosture, log.ProcessVisibilityEnabled, &log) {
+					return log
+				}
+			} else if log.Operation == "File" {
+				if setLogFields(cfg.GlobalCfg.DefaultFilePosture, log.FileVisibilityEnabled, &log) {
+					return log
+				}
+			} else if log.Operation == "Network" {
+				if setLogFields(cfg.GlobalCfg.DefaultNetworkPosture, log.NetworkVisibilityEnabled, &log) {
+					return log
+				}
+			} else if log.Operation == "Capabilities" {
+				if setLogFields(cfg.GlobalCfg.DefaultCapabilitiesPosture, log.CapabilitiesVisibilityEnabled, &log) {
+					return log
+				}
 			}
 		} else if log.Type == "MatchedPolicy" {
 			if log.PolicyEnabled == tp.KubeArmorPolicyAudited {