Merge pull request #133 from step-security/int

Monitor source code modification
step-security · Dec 29, 2021 · 5331c3b · 5331c3b
2 parents 2ef89a8 + 2183042
commit 5331c3b
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 13 deletions.
diff --git a/eventhandler.go b/eventhandler.go
@@ -25,6 +25,7 @@ type EventHandler struct {
 	ProcessConnectionMap map[string]bool
 	ProcessFileMap       map[string]bool
 	ProcessMap           map[string]*Process
+	SourceCodeMap        map[string][]*Event
 	netMutex             sync.RWMutex
 	fileMutex            sync.RWMutex
 	procMutex            sync.RWMutex
@@ -49,7 +50,7 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 	_, found := eventHandler.ProcessFileMap[event.Pid]
 	fileType := ""
 	if !found {
-
+		// TODO: Improve this logic to monitor dependencies across languages
 		if strings.Contains(event.FileName, "/node_modules/") && strings.HasSuffix(event.FileName, ".js") {
 			fileType = "Dependencies"
 
@@ -64,9 +65,42 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 		}
 	}
 
+	if isSourceCodeFile(event.FileName) && event.Syscall != "chmod" {
+		_, found = eventHandler.SourceCodeMap[event.FileName]
+		if !found {
+			eventHandler.SourceCodeMap[event.FileName] = append(eventHandler.SourceCodeMap[event.FileName], event)
+		}
+		if found {
+			isFromDifferentProcess := false
+			for _, writeEvent := range eventHandler.SourceCodeMap[event.FileName] {
+				if writeEvent.Pid != event.Pid {
+					isFromDifferentProcess = true
+				}
+			}
+
+			if isFromDifferentProcess {
+				eventHandler.SourceCodeMap[event.FileName] = append(eventHandler.SourceCodeMap[event.FileName], event)
+				WriteAnnotation(fmt.Sprintf("Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
+			}
+		}
+	}
+
 	eventHandler.fileMutex.Unlock()
 }
 
+func isSourceCodeFile(fileName string) bool {
+	ext := path.Ext(fileName)
+	// https://docs.github.com/en/get-started/learning-about-github/github-language-support
+	sourceCodeExtensions := []string{".c", "cpp", "cs", ".go", ".java", ".js", ".php", "py", ".rb", ".rs", ".scala", ".sc", ".sh", ".ts"}
+	for _, extension := range sourceCodeExtensions {
+		if ext == extension {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (eventHandler *EventHandler) handleProcessEvent(event *Event) {
 	eventHandler.procMutex.Lock()
 

diff --git a/eventhandler_test.go b/eventhandler_test.go
@@ -42,6 +42,8 @@ func TestEventHandler_HandleEvent(t *testing.T) {
 			args: args{event: &Event{IPAddress: "127.0.0.53", Port: "53", EventType: netMonitorTag, Exe: "/path/to/exe"}}},
 		{name: "fileMonitorEvent", fields: fields{CorrelationId: "123", Repo: "owner/repo", ApiClient: apiclient, ProcessFileMap: make(map[string]bool)},
 			args: args{event: &Event{EventType: fileMonitorTag, Exe: "/path/to/exe", FileName: ".git/objects"}}},
+		{name: "fileMonitorEventSourceCode", fields: fields{CorrelationId: "123", Repo: "owner/repo", ApiClient: apiclient, ProcessFileMap: make(map[string]bool)},
+			args: args{event: &Event{EventType: fileMonitorTag, Exe: "/path/to/exe", FileName: "/path/to/code/code.go"}}},
 	}
 	for _, tt := range tests {
 		cache := InitCache(EgressPolicyAudit)
@@ -59,6 +61,7 @@ func TestEventHandler_HandleEvent(t *testing.T) {
 				ProcessConnectionMap: tt.fields.ProcessConnectionMap,
 				ProcessFileMap:       tt.fields.ProcessFileMap,
 				ProcessMap:           tt.fields.ProcessMap,
+				SourceCodeMap:        make(map[string][]*Event),
 				DNSProxy:             proxy,
 			}
 			eventHandler.HandleEvent(tt.args.event)

diff --git a/procmon.go b/procmon.go
@@ -34,18 +34,19 @@ type Process struct {
 }
 
 type Event struct {
-	FileName         string
-	Path             string
-	Syscall          string
-	Exe              string
-	IPAddress        string
-	Port             string
-	Pid              string
-	ProcessArguments []string
-	PPid             string
-	Timestamp        time.Time
-	EventType        string
-	Status           string
+	FileName          string
+	Path              string
+	Syscall           string
+	Exe               string
+	IPAddress         string
+	Port              string
+	Pid               string
+	ProcessArguments  []string
+	PPid              string
+	Timestamp         time.Time
+	EventType         string
+	Status            string
+	SentForProcessing bool
 }
 
 func (p *ProcessMonitor) PrepareEvent(sequence int, eventMap map[string]interface{}) {
@@ -124,7 +125,17 @@ func getValue(key string, eventMap map[string]interface{}) string {
 	return ""
 }
 
+func (p *ProcessMonitor) markEventSent(event *Event) {
+	p.mutex.Lock()
+	event.SentForProcessing = true
+	p.mutex.Unlock()
+}
+
 func isEventReady(event *Event) bool {
+	if event.SentForProcessing {
+		return false
+	}
+
 	switch event.EventType {
 	case netMonitorTag:
 		if event.IPAddress != "" && event.Port != "" {

diff --git a/procmon_linux.go b/procmon_linux.go
@@ -114,6 +114,7 @@ func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error {
 	eventHandler := EventHandler{CorrelationId: p.CorrelationId, Repo: p.Repo, ApiClient: p.ApiClient, DNSProxy: p.DNSProxy}
 	eventHandler.ProcessConnectionMap = make(map[string]bool)
 	eventHandler.ProcessFileMap = make(map[string]bool)
+	eventHandler.SourceCodeMap = make(map[string][]*Event)
 	eventHandler.ProcessMap = make(map[string]*Process)
 
 	for {
@@ -136,6 +137,7 @@ func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error {
 
 		p.PrepareEvent(int(message.Sequence), eventMap)
 		if isEventReady(p.Events[int(message.Sequence)]) {
+			p.markEventSent(p.Events[int(message.Sequence)])
 			go eventHandler.HandleEvent(p.Events[int(message.Sequence)])
 		}