chore: add events triggers (scripts)

Author: geyslan

Diff for: cmd/evt/cmd/trigger/triggers/arch_prctl.sh

@@ -0,0 +1 @@
+common/true.sh

Diff for: cmd/evt/cmd/trigger/triggers/bpf_attach.sh

@@ -0,0 +1 @@
+common/bpftrace.sh

Diff for: cmd/evt/cmd/trigger/triggers/commit_creds.sh

@@ -0,0 +1 @@
+common/sudo.sh

Diff for: cmd/evt/cmd/trigger/triggers/common/bpftrace.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# common
+
+# security_file_open   60
+# shared_object_loaded 44
+# sched_process_exec    2
+# arch_prctl            2
+# security_bpf_prog     4
+# kallsyms_lookup_name  2
+# kprobe_attach         1
+# bpf_attach            1
+# sched_process_exit    2
+
+bpftrace -e 'kprobe:__do_sys_vfork { }' &
+bpftrace_pid=$!
+sleep 3
+kill -KILL $bpftrace_pid

Diff for: cmd/evt/cmd/trigger/triggers/common/docker.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# common
+
+sh -c 'docker run --rm -it ubuntu /bin/bash'

Diff for: cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec      5
+# security_file_open     17
+# shared_object_loaded    5
+# arch_prctl              5
+# security_inode_unlink   3
+# security_inode_symlink  1
+# sched_process_exit      5
+
+file=$(mktemp /tmp/fileXXXXXX)
+link1=$(mktemp /tmp/link1XXXXXX)
+
+rm -f "$link1"
+
+ln -s "$file" "$link1"
+rm "$file" "$link1"

Diff for: cmd/evt/cmd/trigger/triggers/common/ping.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec      1
+# security_file_open      8
+# shared_object_loaded    4
+# arch_prctl              1
+# security_socket_create  3
+# security_socket_connect 1
+# sched_process_exit      1
+
+ping 0.0.0.0 -c 1

Diff for: cmd/evt/cmd/trigger/triggers/common/self-comm.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# common
+
+# magic_write        2
+# security_file_open 1
+# do_truncate        1
+# sched_process_exit 1
+
+echo "fake-comm" > /proc/self/comm # trigger magic-write by fake-comm
+echo "fake-comm" > /proc/self/comm # trigger do_truncate by fake-comm

Diff for: cmd/evt/cmd/trigger/triggers/common/sudo.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec       3
+# security_file_open     113
+# shared_object_loaded    40
+# arch_prctl               3
+# security_socket_create  19
+# commit_creds             4
+# sched_process_fork       3
+# sched_process_exit       3
+# socket_dup               2
+
+sudo echo sudo >/dev/null

Diff for: cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# sched_process_exec      2
+# security_file_open     11
+# shared_object_loaded    2
+# arch_prctl              2
+# security_file_open     12
+# sched_process_fork      1
+# process_execute_failed  5 (the amount of wrong PATH entries)
+# security_socket_create  1
+# security_socket_bind    1
+# sched_process_exit      2
+
+basename=$(basename "$0")
+socket_path=$(mktemp -u /tmp/"$basename"_XXXXXX)
+timeout 0.1 nc -l -U "$socket_path"
+rm -f "$socket_path"

Diff for: cmd/evt/cmd/trigger/triggers/common/true.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec   1
+# security_file_open   2
+# shared_object_loaded 1
+# arch_prctl           1
+# sched_process_exit   1
+
+/bin/true # full path to avoid shell built-in

Diff for: cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec      2
+# security_file_open     13
+# shared_object_loaded    2
+# arch_prctl              2
+# debugfs_create_dir      1
+# debugfs_create_file     2
+# security_socket_create 15
+# device_add              1
+# switch_task_ns          1
+# sched_process_fork      1
+# magic_write             3
+# security_sb_mount       1
+# process_execute_failed  4
+# sched_process_exit      2
+
+unshare --mount --pid --net --ipc --uts --user --fork --map-root-user sh &
+sleep 1 # wait for the unshare to complete and exit
+exit 0

Diff for: cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh

@@ -0,0 +1 @@
+common/unshare-mkdir.sh

Diff for: cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh

@@ -0,0 +1 @@
+common/unshare-mkdir.sh

Diff for: cmd/evt/cmd/trigger/triggers/device_add.sh

@@ -0,0 +1 @@
+common/unshare-mkdir.sh

Diff for: cmd/evt/cmd/trigger/triggers/do_truncate.sh

@@ -0,0 +1 @@
+common/self-comm.sh

Diff for: cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh

@@ -0,0 +1 @@
+common/bpftrace.sh

Diff for: cmd/evt/cmd/trigger/triggers/kprobe_attach.sh

@@ -0,0 +1 @@
+common/bpftrace.sh

Diff for: cmd/evt/cmd/trigger/triggers/magic_write.sh

@@ -0,0 +1 @@
+common/self-comm.sh

Diff for: cmd/evt/cmd/trigger/triggers/process_execute_failed.sh

@@ -0,0 +1 @@
+common/timeout-nc.sh

Diff for: cmd/evt/cmd/trigger/triggers/ptrace.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# ptrace
+
+# sched_process_exec    2
+# security_file_open   14
+# shared_object_loaded  6
+# arch_prctl            2
+# sched_process_fork    2
+# ptrace              287
+# sched_process_exit    4
+
+strace /bin/true # full path to avoid shell built-in

Diff for: cmd/evt/cmd/trigger/triggers/sched_process_exec.sh

@@ -0,0 +1 @@
+common/true.sh

Diff for: cmd/evt/cmd/trigger/triggers/sched_process_exit.sh

@@ -0,0 +1 @@
+common/true.sh

Diff for: cmd/evt/cmd/trigger/triggers/sched_process_fork.sh

@@ -0,0 +1 @@
+common/timeout-nc.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# security_bpf_prog
+
+# sched_process_exec   1
+# arch_prctl           2
+# security_bpf_prog  487
+# security_file_open   3
+# sched_process_exit   1
+
+bpftool prog dump xlated name trace_execute_finished

Diff for: cmd/evt/cmd/trigger/triggers/security_file_open.sh

@@ -0,0 +1 @@
+common/true.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh

@@ -0,0 +1 @@
+common/mktemp-ln-rm.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh

@@ -0,0 +1 @@
+common/mktemp-ln-rm.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_path_notify.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# sched_process_exec    1
+# security_file_open    6
+# shared_object_loaded  5
+# arch_prctl            1
+# security_path_notify  1
+# sched_process_exit    1
+
+inotifywait -m /tmp -t 1

Diff for: cmd/evt/cmd/trigger/triggers/security_sb_mount.sh

@@ -0,0 +1 @@
+common/unshare-mkdir.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_socket_bind.sh

@@ -0,0 +1 @@
+common/timeout-nc.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_socket_connect.sh

@@ -0,0 +1 @@
+common/ping.sh

Diff for: cmd/evt/cmd/trigger/triggers/security_socket_create.sh

@@ -0,0 +1 @@
+common/ping.sh

Diff for: cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh

@@ -0,0 +1 @@
+common/true.sh

Diff for: cmd/evt/cmd/trigger/triggers/socked_dup.sh

@@ -0,0 +1 @@
+common/sudo.sh

Diff for: cmd/evt/cmd/trigger/triggers/switch_task_ns.sh

@@ -0,0 +1 @@
+common/unshare-mkdir.sh