Add label based filter mechanism

threathunters-io · Sep 6, 2022 · 3ef7c45 · 3ef7c45
1 parent bb9f8ab
commit 3ef7c45
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 1 deletion.
diff --git a/etc/laurel/config.toml b/etc/laurel/config.toml
@@ -88,4 +88,9 @@ propagate-labels = [ "software_mgmt", "amazon-ssm-agent" ]
 # When audit records with attached keys are being generated,
 # LAUREL will discard these.
 
-#filter-keys = ["filter-this"]
+# filter-keys = ["filter-this"]
+
+# In addition to key based filtering it is also possible to configure label based 
+# filtering. This alows the possibility to filter based on parent processes.
+
+# filter-labels = ["software_mgmt"]
diff --git a/src/coalesce.rs b/src/coalesce.rs
@@ -101,6 +101,7 @@ pub struct Settings<'a> {
     pub label_exe: Option<&'a LabelMatcher>,
 
     pub filter_keys: HashSet<Vec<u8>>,
+    pub filter_labels: HashSet<Vec<u8>>,
 }
 
 impl Default for Settings<'_> {
@@ -116,6 +117,7 @@ impl Default for Settings<'_> {
             translate_userdb: false,
             label_exe: None,
             filter_keys: HashSet::new(),
+            filter_labels: HashSet::new(),
         }
     }
 }
@@ -642,6 +644,12 @@ impl<'a> Coalesce<'a> {
         if let (Some(pid), Some(EventValues::Single(sc))) = (pid, ev.body.get_mut(&SYSCALL)) {
             if let Some(p) = self.processes.get_process(pid) {
                 if !p.labels.is_empty() {
+                    if p.labels
+                        .iter()
+                        .any(|x| self.settings.filter_labels.contains(x))
+                    {
+                        ev.filter = true;
+                    }
                     let labels = p
                         .labels
                         .iter()
@@ -1046,4 +1054,41 @@ mod test {
 
         Ok(())
     }
+
+    #[test]
+    fn filter_label() -> Result<(), Box<dyn Error>> {
+        let ec: Rc<RefCell<Option<Event>>> = Rc::new(RefCell::new(None));
+
+        let mut c = Coalesce::new(|e| {
+            *ec.borrow_mut() = Some(e.clone());
+        });
+        c.settings
+            .proc_label_keys
+            .insert(Vec::from(&b"software_mgmt"[..]));
+        c.settings
+            .filter_labels
+            .insert(Vec::from(&b"software_mgmt"[..]));
+        c.settings
+            .proc_propagate_labels
+            .insert(Vec::from(&b"software_mgmt"[..]));
+
+        process_record(&mut c, include_bytes!("testdata/tree/00.txt"))?;
+        {
+            assert!(ec.borrow().as_ref().is_none());
+        }
+
+        process_record(&mut c, include_bytes!("testdata/tree/01.txt"))?;
+        {
+            assert!(ec.borrow().as_ref().is_none());
+        }
+
+        process_record(&mut c, include_bytes!("testdata/record-login.txt"))?;
+        {
+            assert!(event_to_json(ec.borrow().as_ref().unwrap()).contains(r#"/usr/sbin/cron"#));
+        }
+
+        drop(c);
+
+        Ok(())
+    }
 }
diff --git a/src/config.rs b/src/config.rs
@@ -86,6 +86,8 @@ pub struct LabelProcess {
 pub struct Filter {
     #[serde(default, rename = "filter-keys")]
     pub filter_keys: HashSet<String>,
+    #[serde(default, rename = "filter-labels")]
+    pub filter_labels: HashSet<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -188,6 +190,12 @@ impl Config {
                 .iter()
                 .map(|s| s.as_bytes().to_vec())
                 .collect(),
+            filter_labels: self
+                .filter
+                .filter_labels
+                .iter()
+                .map(|s| s.as_bytes().to_vec())
+                .collect(),
         }
     }
 }