feat: Add IDs to Signature Metadata. (#567)

Author: simar7

Readme.md

@@ -51,7 +51,7 @@ Name | Description | Tags
 Standard Input/Output Over Socket | Redirection of process's standard input/output to socket | "linux", "container"
 Anti-Debugging | Process uses anti-debugging technique to block debugger | "linux", "container"
 Code injection | Possible code injection into another process | "linux", "container"
-Dynamic Code Loading | writing to executable allocated memory region | "linux", "container"
+Dynamic Code Loading | Writing to executable allocated memory region | "linux", "container"
 Fileless Execution | Executing a precess from memory, without a file in the disk | "linux", "container"
 kernel module loading | Attempt to load a kernel module detection | "linux", "container"
 LD_PRELOAD | Usage of LD_PRELOAD to allow hooks on process | "linux", "container"

tracee-rules/main.go

@@ -28,13 +28,13 @@ func main() {
 				return err
 			}
 			if c.Bool("list") {
-				fmt.Printf("%-30s %s\n", "RULE NAME", "DESCRIPTION")
+				fmt.Printf("%-10s %-35s %s\n", "ID", "NAME", "DESCRIPTION")
 				for _, sig := range sigs {
 					meta, err := sig.GetMetadata()
 					if err != nil {
 						continue
 					}
-					fmt.Printf("%-30s %s\n", meta.Name, meta.Description)
+					fmt.Printf("%-10s %-35s %s\n", meta.ID, meta.Name, meta.Description)
 				}
 				return nil
 			}

tracee-rules/signature.go

@@ -35,7 +35,7 @@ func getSignatures(rulesDir string, rules []string) ([]types.Signature, error) {
 	} else {
 		for _, s := range sigs {
 			for _, r := range rules {
-				if m, err := s.GetMetadata(); err == nil && m.Name == r {
+				if m, err := s.GetMetadata(); err == nil && m.ID == r {
 					res = append(res, s)
 				}
 			}

tracee-rules/signature_test.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/aquasecurity/tracee/tracee-rules/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_getSignatures(t *testing.T) {
+	sigs, err := getSignatures("signatures/rego", []string{"TRC-2"})
+	require.NoError(t, err)
+	require.Equal(t, 1, len(sigs))
+
+	gotMetadata, err := sigs[0].GetMetadata()
+	assert.Equal(t, types.SignatureMetadata{
+		ID:          "TRC-2",
+		Name:        "Anti-Debugging",
+		Description: "Process uses anti-debugging technique to block debugger",
+		Tags:        []string{"linux", "container"},
+		Properties: map[string]interface{}{
+			"MITRE ATT&CK": "Defense Evasion: Execution Guardrails",
+			"Severity":     json.Number("3"),
+		},
+	}, gotMetadata)
+}

tracee-rules/signatures/golang/stdio_over_socket.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+
 	tracee "github.com/aquasecurity/tracee/tracee-ebpf/tracee/external"
 	"github.com/aquasecurity/tracee/tracee-rules/types"
 )
@@ -20,6 +21,7 @@ func (sig *stdioOverSocket) Init(cb types.SignatureHandler) error {
 
 func (sig *stdioOverSocket) GetMetadata() (types.SignatureMetadata, error) {
 	return types.SignatureMetadata{
+		ID:          "TRC-1",
 		Name:        "Standard Input/Output Over Socket",
 		Description: "Redirection of process's standard input/output to socket",
 		Tags:        []string{"linux", "container"},

tracee-rules/signatures/rego/anti_debugging_ptraceme.rego

@@ -1,6 +1,7 @@
-package main
+package tracee.TRC_2
 
 __rego_metadoc__ := {
+    "id": "TRC-2",
     "name": "Anti-Debugging",
     "description": "Process uses anti-debugging technique to block debugger",
     "tags": ["linux", "container"],

tracee-rules/signatures/rego/anti_debugging_ptraceme_test.rego

@@ -1,4 +1,4 @@
-package main
+package tracee.TRC_2
 
 test_match_1 {
     tracee_match with input as {

tracee-rules/signatures/rego/code_injection.rego

@@ -1,8 +1,9 @@
-package main
+package tracee.TRC_3
 
 import data.tracee.helpers
 
 __rego_metadoc__ := {
+    "id": "TRC-3",
     "name": "Code injection",
     "description": "Possible code injection into another process",
     "tags": ["linux", "container"],

tracee-rules/signatures/rego/code_injection_test.rego

@@ -1,4 +1,4 @@
-package main
+package tracee.TRC_3
 
 test_match_1 {
     tracee_match with input as {

tracee-rules/signatures/rego/dynamic_code_loading.rego

@@ -1,10 +1,11 @@
-package main
+package tracee.TRC_4
 
 import data.tracee.helpers
 
 __rego_metadoc__ := {
+    "id": "TRC-4",
     "name": "Dynamic Code Loading",
-    "description": "writing to executable allocated memory region",
+    "description": "Writing to executable allocated memory region",
     "tags": ["linux", "container"],
     "properties": {
         "Severity": 2,