
ROX-33000: Support for process details in detection node #19586

Merged
JoukoVirtanen merged 5 commits into master from jv-ROX-33000-support-for-process-details-in-detection-node
Mar 26, 2026

Conversation

@JoukoVirtanen
Contributor

@JoukoVirtanen JoukoVirtanen commented Mar 24, 2026

Description

A previous PR made it possible to create deployment policies with Process fields and FileAccess fields. This PR makes it possible to create node policies with a combination of Process and FileAccess fields. Node policies with Process-only fields are still disallowed.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

A test was modified.

How I validated my change

Summary

A script was used to create various policies and tested in master and this branch.

  1. Process and FileAccess fields
    This branch: Success
    Master: Failure

  2. Process only
    This branch: Failure, but incorrect error message
    Master: Failure

  3. FileAccess only
    This branch: Success
    Master: Success

The first type of policy was also tested by triggering it in this branch.

Details

The following script was used to test the changes here.

#!/usr/bin/env bash

# Note: -x echoes every command to stderr, including the curl line with the
# Authorization header, so keep the output of this script private.
set -euox pipefail

# Configuration
ROX_ENDPOINT=${ROX_ENDPOINT:-https://localhost:8000}

# The policy JSON file is the single positional argument
if [ $# -ne 1 ] || [ ! -r "$1" ]; then
    echo "Usage: $0 <policy.json>"
    exit 1
fi
POLICY_FILE="$1"

# Check for required environment variable
if [ -z "${ROX_API_TOKEN:-}" ]; then
    echo "Error: ROX_API_TOKEN environment variable is not set"
    echo "Please set it with: export ROX_API_TOKEN=<your-token>"
    exit 1
fi

# Read policy from file
data=$(cat "$POLICY_FILE")

# Make the API call (-k skips TLS verification; fine for a local port-forward only)
response=$(curl --location --silent --request POST \
  "${ROX_ENDPOINT}/v1/policies" \
  -k \
  --header "Authorization: Bearer $ROX_API_TOKEN" \
  --header "Content-Type: application/json" \
  --data "$data")

echo "$response" | jq

The following policy was used as an input. This is a valid node policy with Process and FileAccess fields. The policy is successfully created in this branch.

{
  "id": "",
  "name": "Node with process",
  "description": "",
  "severity": "LOW_SEVERITY",
  "disabled": false,
  "lifecycleStages": [
    "RUNTIME"
  ],
  "notifiers": [],
  "lastUpdated": null,
  "eventSource": "NODE_EVENT",
  "isDefault": false,
  "rationale": "",
  "remediation": "",
  "categories": [
    "Anomalous Activity"
  ],
  "exclusions": [],
  "scope": [],
  "enforcementActions": [],
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "",
  "policySections": [
    {
      "sectionName": "Rule 1",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "values": [
            {
              "value": "bash"
            }
          ],
          "negate": false,
          "fieldKey": {
            "name": "Process Name",
            "shortName": "Process name",
            "longName": "Process name is",
            "negatedName": "Process name doesn’t match",
            "category": "Process activity",
            "type": "text",
            "placeholder": "apt-get",
            "canBooleanLogic": true,
            "lifecycleStages": [
              "RUNTIME"
            ]
          }
        },
        {
          "fieldName": "File Path",
          "booleanOperator": "OR",
          "values": [
            {
              "value": "/etc/sudoers"
            }
          ],
          "negate": false,
          "fieldKey": {
            "label": "File path",
            "name": "File Path",
            "shortName": "File path",
            "category": "File activity",
            "type": "text",
            "placeholder": "/home/**/.ssh/id_*",
            "helperText": "Enter an absolute file path. Supports glob patterns.",
            "canBooleanLogic": false,
            "lifecycleStages": [
              "RUNTIME"
            ]
          }
        }
      ]
    }
  ],
  "mitreAttackVectors": [],
  "criteriaLocked": false,
  "mitreVectorsLocked": false,
  "source": "IMPERATIVE"
}

In master it results in an error.

{
  "code": 3,
  "message": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments",
  "details": [],
  "error": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments"
}

The policy was triggered by doing the following actions.

cat SSH_ACCESS
gcloud compute config-ssh --project=acs-team-temp-dev
ssh ******
sudo visudo

Alerts were checked with the following script.

#!/usr/bin/env bash

# Note: -x echoes every command to stderr, including the curl line with the
# Authorization header, so keep the output of this script private.
set -euox pipefail

# Configuration
ROX_ENDPOINT=${ROX_ENDPOINT:-https://localhost:8000}

# Check for required environment variable
if [ -z "${ROX_API_TOKEN:-}" ]; then
    echo "Error: ROX_API_TOKEN environment variable is not set"
    echo "Please set it with: export ROX_API_TOKEN=<your-token>"
    exit 1
fi

# Make the API call (-k skips TLS verification; fine for a local port-forward only)
response=$(curl --location --silent --request GET \
  "${ROX_ENDPOINT}/v1/alerts" \
  -k \
  --header "Authorization: Bearer $ROX_API_TOKEN" \
  --header "Content-Type: application/json")

echo "$response" | jq

{
  "alerts": [
    {
      "id": "0b087242-b3a6-45e7-a1e6-e6313a9e0b62",
      "lifecycleStage": "RUNTIME",
      "time": "2026-03-25T21:09:59.119409214Z",
      "policy": {
        "id": "6af33bed-624f-45ad-b1aa-0209f662486a",
        "name": "Node with process",
        "severity": "LOW_SEVERITY",
        "description": "",
        "categories": [
          "Anomalous Activity"
        ],
        "developerInternalFields": null
      },
      "state": "ACTIVE",
      "enforcementCount": 0,
      "enforcementAction": "UNSET_ENFORCEMENT",
      "commonEntityInfo": {
        "clusterName": "remote",
        "namespace": "",
        "clusterId": "6ae794a4-aa60-44f5-958c-2802793afbd3",
        "namespaceId": "",
        "resourceType": "DEPLOYMENT"
      },
      "node": {
        "name": "gke-jv-0317-default-pool-76ef2ea2-3x9w"
      }
    },
 ]
}

The violation had been triggered.

An invalid policy with only a Process field was tested.

{
  "id": "",
  "name": "Node with process only",
  "description": "",
  "severity": "LOW_SEVERITY",
  "disabled": false,
  "lifecycleStages": [
    "RUNTIME"
  ],
  "notifiers": [],
  "lastUpdated": null,
  "eventSource": "NODE_EVENT",
  "isDefault": false,
  "rationale": "",
  "remediation": "",
  "categories": [
    "Anomalous Activity"
  ],
  "exclusions": [],
  "scope": [],
  "enforcementActions": [],
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "",
  "policySections": [
    {
      "sectionName": "Rule 1",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "values": [
            {
              "value": "bash"
            }
          ],
          "negate": false,
          "fieldKey": {
            "name": "Process Name",
            "shortName": "Process name",
            "longName": "Process name is",
            "negatedName": "Process name doesn’t match",
            "category": "Process activity",
            "type": "text",
            "placeholder": "apt-get",
            "canBooleanLogic": true,
            "lifecycleStages": [
              "RUNTIME"
            ]
          }
        }
      ]
    }
  ],
  "mitreAttackVectors": [],
  "criteriaLocked": false,
  "mitreVectorsLocked": false,
  "source": "IMPERATIVE"
}

This resulted in the following error.

{
  "code": 3,
  "message": "policy invalid errors: [error validating lifecycle stage error: Node event policies with process criteria must include file access criteria in the same section, Node event policies with process criteria must include file access criteria in the same section]: invalid arguments",
  "details": [],
  "error": "policy invalid errors: [error validating lifecycle stage error: Node event policies with process criteria must include file access criteria in the same section, Node event policies with process criteria must include file access criteria in the same section]: invalid arguments"
}

It failed in master with the following error:

{ 
  "code": 3,
  "message": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments",
  "details": [],
  "error": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments"
}

A policy with only a FileAccess field was tested and worked in this branch and in master.

{
  "id": "",
  "name": "Node with file access only",
  "description": "",
  "severity": "LOW_SEVERITY",
  "disabled": false,
  "lifecycleStages": [
    "RUNTIME"
  ],
  "notifiers": [],
  "lastUpdated": null,
  "eventSource": "NODE_EVENT",
  "isDefault": false,
  "rationale": "",
  "remediation": "",
  "categories": [
    "Anomalous Activity"
  ],
  "exclusions": [],
  "scope": [],
  "enforcementActions": [],
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "",
  "policySections": [
    {
      "sectionName": "Rule 1",
      "policyGroups": [
        {
          "fieldName": "File Path",
          "booleanOperator": "OR",
          "values": [
            {
              "value": "/etc/sudoers"
            }
          ],
          "negate": false,
          "fieldKey": {
            "label": "File path",
            "name": "File Path",
            "shortName": "File path",
            "category": "File activity",
            "type": "text",
            "placeholder": "/home/**/.ssh/id_*",
            "helperText": "Enter an absolute file path. Supports glob patterns.",
            "canBooleanLogic": false,
            "lifecycleStages": [
              "RUNTIME"
            ]
          }
        }
      ]
    }
  ],
  "mitreAttackVectors": [],
  "criteriaLocked": false,
  "mitreVectorsLocked": false,
  "source": "IMPERATIVE"
}
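The validation rule the description states, written out as an added Go example (not the project's own code): the policy struct is an assumed minimal shape of the JSON above, the field classification covers only the two field names that appear on this page, and the inputs are constructed to mirror the tested process+file and process-only policies plus a cross-section case that the "same section" wording rules out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// policy is the minimal subset of the JSON above that this check reads (assumed shape).
type policy struct {
	EventSource    string `json:"eventSource"`
	PolicySections []struct {
		SectionName  string                                      `json:"sectionName"`
		PolicyGroups []struct{ FieldName string `json:"fieldName"` } `json:"policyGroups"`
	} `json:"policySections"`
}

// Assumed classification (only the two field names on the page) and the branch's error text.
var (
	processFields         = map[string]bool{"Process Name": true}
	fileAccessFields      = map[string]bool{"File Path": true}
	ErrProcessWithoutFile = errors.New("Node event policies with process criteria must include file access criteria in the same section")
)
// ValidateNodePolicy applies the PR's rule: each NODE_EVENT section with process criteria needs a file access criterion too.
func ValidateNodePolicy(raw []byte) error {
	var p policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("decode policy: %w", err)
	}
	if p.EventSource != "NODE_EVENT" {
		return nil // deployment policies are not subject to this rule
	}
	for _, s := range p.PolicySections {
		hasProcess, hasFile := false, false
		for _, g := range s.PolicyGroups {
			hasProcess = hasProcess || processFields[g.FieldName]
			hasFile = hasFile || fileAccessFields[g.FieldName]
		}
		if hasProcess && !hasFile { // a file criterion in another section does not count
			return fmt.Errorf("section %q: %w", s.SectionName, ErrProcessWithoutFile)
		}
	}
	return nil
}
// Constructed inputs: the PR's process+file and process-only shapes plus a cross-section case.
const (
	ProcAndFile   = `{"eventSource":"NODE_EVENT","policySections":[{"sectionName":"Rule 1","policyGroups":[{"fieldName":"Process Name"},{"fieldName":"File Path"}]}]}`
	ProcOnly      = `{"eventSource":"NODE_EVENT","policySections":[{"sectionName":"Rule 1","policyGroups":[{"fieldName":"Process Name"}]}]}`
	SplitSections = `{"eventSource":"NODE_EVENT","policySections":[{"sectionName":"Rule 1","policyGroups":[{"fieldName":"Process Name"}]},{"sectionName":"Rule 2","policyGroups":[{"fieldName":"File Path"}]}]}`
)
```

The split-section input is rejected even though the policy as a whole contains a File Path criterion, which is the distinction the new error message makes versus master's "must contain only node fields".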

@openshift-ci

openshift-ci bot commented Mar 24, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhacs-bot
Contributor

rhacs-bot commented Mar 25, 2026

Images are ready for the commit at 148d3ba.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-438-g148d3ba939.

@codecov

codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.28%. Comparing base (5d84b54) to head (148d3ba).
⚠️ Report is 18 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19586      +/-   ##
==========================================
+ Coverage   49.26%   49.28%   +0.01%     
==========================================
  Files        2735     2735              
  Lines      206138   206220      +82     
==========================================
+ Hits       101550   101631      +81     
- Misses      97041    97046       +5     
+ Partials     7547     7543       -4     
Flag Coverage Δ
go-unit-tests 49.28% <100.00%> (+0.01%) ⬆️


Contributor

@Stringy Stringy left a comment


One minor non-blocking comment but overall LGTM

@JoukoVirtanen JoukoVirtanen marked this pull request as ready for review March 25, 2026 20:04
@JoukoVirtanen JoukoVirtanen requested a review from a team as a code owner March 25, 2026 20:04
@JoukoVirtanen
Contributor Author

/test gke-upgrade-tests

@JoukoVirtanen JoukoVirtanen requested a review from clickboo March 25, 2026 22:41
@JoukoVirtanen JoukoVirtanen merged commit 96335e9 into master Mar 26, 2026
98 checks passed
@JoukoVirtanen JoukoVirtanen deleted the jv-ROX-33000-support-for-process-details-in-detection-node branch March 26, 2026 14:21