Description
The OpenEvents are capturing paths that are missing their root nodes; examples are:

```json
"path":"/46/task/46/fd"
```

(`/proc` is missing)

or

```json
{"alertName":"Files Access Anomalies in container","arguments":{"apChecksum":"72b6f0c31555285bc48f30fab4e55093d40ce0f58951dcd07b097b521bca30fa","flags":["O_RDONLY","O_CLOEXEC"],"message":"Unexpected file access detected: runc:[2:INIT] with PID 304615 to ","path":"","identifiers":{"process":{"name":"runc:[2:INIT]"},"file":{"name":".","directory":"."}}}
```

(not sure what path runc is reporting here)
In the applicationProfile we now find a `.` or sometimes `/.` path with all flags:

```yaml
opens:
  - flags:
      - O_APPEND
      - O_CLOEXEC
      - O_CREAT
      - O_DIRECTORY
      - O_EXCL
      - O_NONBLOCK
      - O_RDONLY
      - O_RDWR
      - O_WRONLY
    path: .
```

I can provide similar instances of "headless" paths; the easiest is to look in an applicationProfile, e.g. the webapp example.
Environment

- OS: Ubuntu 24 LTS (but I don't think it matters)
- Version: 1.30.2
Steps To Reproduce

`helm install` kubescape-operator version 1.30.2 on k3s v1.35.0+k3s3 with this `default-rules.yaml`:

```yaml
- description: Detects unexpected file access that is not in the baseline
  enabled: true
  expressions:
    message: >-
      'Unexpected file access detected: ' + event.comm + ' with PID ' +
      string(event.pid) + ' to ' + event.path
    ruleExpression:
      - eventType: open
        expression: >-
          !ap.was_path_opened(event.containerId, event.path)
    uniqueId: event.comm + '_' + event.path
  id: R0002
  isTriggerAlert: true
  mitreTactic: TA0009
  mitreTechnique: T1005
  name: Files Access Anomalies in container
  profileDependency: 0
  severity: 1
  supportPolicy: false
  tags:
    - anomaly
    - file
    - open
    - applicationprofile
```
Expected behavior

The old behavior, e.g. for `/proc`, was:

```json
"path":"/proc/46/task/46/fd"
```

Actual Behavior

```json
"path":"/46/task/46/fd"
```
Additional context

This was not present in kubescape-operator 1.29.9; there we had absolute paths everywhere.
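The report above says the quickest way to spot the regression is to scan an applicationProfile for "headless" paths. The following triage script does that over a constructed profile shaped like the excerpts quoted in this issue (`spec.containers[].opens[]` entries with `path` and `flags`); it is an added example, not code from the reporter or from the kubescape project, and the heuristic that a path whose first component is a bare PID followed by a `/proc`-style subtree is probably `/proc/<pid>/...` with its root dropped is an assumption made here for triage, not a rule the project defines.

```python
import json
import re

# Constructed sample, shaped like the applicationProfile excerpts quoted in
# this issue (spec.containers[].opens[] with path + flags). Not real output.
SAMPLE_PROFILE = json.loads("""
{
  "metadata": {"name": "replicaset-webapp-abc123"},
  "spec": {
    "containers": [
      {
        "name": "webapp",
        "opens": [
          {"path": "/proc/46/task/46/fd", "flags": ["O_RDONLY", "O_CLOEXEC"]},
          {"path": "/46/task/46/fd",      "flags": ["O_RDONLY", "O_CLOEXEC"]},
          {"path": ".",                   "flags": ["O_RDONLY", "O_RDWR", "O_WRONLY"]},
          {"path": "/.",                  "flags": ["O_RDONLY"]},
          {"path": "",                    "flags": ["O_RDONLY"]},
          {"path": "etc/passwd",          "flags": ["O_RDONLY"]},
          {"path": "/etc/hosts",          "flags": ["O_RDONLY"]}
        ]
      }
    ]
  }
}
""")

# Assumption (triage heuristic, not a project rule): a path that starts with a
# bare PID followed by a /proc-style subtree is most likely /proc/<pid>/...
# with the leading /proc component stripped, as in the report's "/46/task/46/fd".
PROC_TAIL = re.compile(
    r"^/\d+/(task|fd|fdinfo|status|stat|maps|cmdline|environ|exe|cwd|root)(/|$)"
)


def classify_path(path):
    """Return a reason string if `path` looks headless, otherwise None."""
    if path in ("", ".", "/."):
        return "empty or dot path"
    if not path.startswith("/"):
        return "relative path"
    if PROC_TAIL.match(path):
        return "possible /proc path missing its root"
    return None


def headless_opens(profile):
    """List (container, path, reason) for every suspicious `opens` entry."""
    findings = []
    for container in profile.get("spec", {}).get("containers", []):
        for entry in container.get("opens", []):
            path = entry.get("path", "")
            reason = classify_path(path)
            if reason is not None:
                findings.append((container.get("name", "?"), path, reason))
    return findings


if __name__ == "__main__":
    for name, path, reason in headless_opens(SAMPLE_PROFILE):
        print(f"{name}: {path!r}: {reason}")
```

To run this against a live cluster, feed it the JSON of a real profile (for example the output of `kubectl get applicationprofile <name> -n <namespace> -o json`) in place of `SAMPLE_PROFILE`; a healthy profile from 1.29.9, where the reporter saw absolute paths everywhere, should produce no findings, while one from 1.30.2 should list the `.`/`/.` entries and the PID-rooted paths.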