fix duplicate alerts issue

Signed-off-by: rksharma95 <ramakant@accuknox.com>
kubearmor · Jan 31, 2025 · 0edf151 · 0edf151
1 parent 9656a7f
commit 0edf151
Show file tree

Hide file tree

Showing 14 changed files with 231 additions and 37 deletions.
diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go
@@ -625,3 +625,12 @@ func GetLabelsFromString(labelString string) (map[string]string, []string) {
 func GetCurrentTimeStamp() uint64 {
 	return uint64(time.Now().UnixNano())
 }
+
+// ============
+// == Feeder ==
+// ============
+
+// IsPresetEnforcer returns true if log is generated by any of preset enforcer
+func IsPresetEnforcer(enforcer string) bool {
+	return strings.Contains(enforcer, "PRESET")
+}
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go
diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go
@@ -534,20 +534,21 @@ func (fd *Feeder) PushLog(log tp.Log) {
 	   in case of enforcer = AppArmor only Default Posture logs will be converted to
 	   container/host log depending upon the defaultPostureLogs flag
 	*/
-
-	if (cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer == "eBPF Monitor") || (fd.Enforcer != "BPFLSM" && !cfg.GlobalCfg.DefaultPostureLogs) {
-		log = fd.UpdateMatchedPolicy(log)
-		if (log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy") && ((fd.Enforcer == "BPFLSM" && (strings.Contains(log.PolicyName, "DefaultPosture") || !strings.Contains(log.Action, "Audit"))) || (fd.Enforcer != "BPFLSM" && strings.Contains(log.PolicyName, "DefaultPosture"))) {
-			if log.Type == "MatchedPolicy" {
-				log.Type = "ContainerLog"
-			} else if log.Type == "MatchedHostPolicy" {
-				log.Type = "HostLog"
+	if !common.IsPresetEnforcer(log.Enforcer) {
+		if (cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer == "") || (fd.Enforcer != "BPFLSM" && !cfg.GlobalCfg.DefaultPostureLogs) {
+			log = fd.UpdateMatchedPolicy(log)
+			if (log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy") && ((fd.Enforcer == "BPFLSM" && (strings.Contains(log.PolicyName, "DefaultPosture") || !strings.Contains(log.Action, "Audit"))) || (fd.Enforcer != "BPFLSM" && strings.Contains(log.PolicyName, "DefaultPosture"))) {
+				if log.Type == "MatchedPolicy" {
+					log.Type = "ContainerLog"
+				} else if log.Type == "MatchedHostPolicy" {
+					log.Type = "HostLog"
+				}
+			}
+		} else {
+			log = fd.UpdateMatchedPolicy(log)
+			if fd.Enforcer == "BPFLSM" {
+				log.Enforcer = "BPFLSM"
 			}
-		}
-	} else {
-		log = fd.UpdateMatchedPolicy(log)
-		if fd.Enforcer == "BPFLSM" && !strings.Contains(log.Enforcer, "PRESET") {
-			log.Enforcer = "BPFLSM"
 		}
 	}
 

diff --git a/KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.go b/KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.go
diff --git a/KubeArmor/presets/anonmapexec/anonmapexec_bpfel.go b/KubeArmor/presets/anonmapexec/anonmapexec_bpfel.go