we lost files during rebase and cherry pick

tests/chart/crds/rules.crd.yaml

@@ -91,6 +91,19 @@ spec:
                         type: object
                         additionalProperties: true
                         description: "State information for the rule"
+                      agentVersionRequirement:
+                        type: string
+                        description: "Agent version requirement to evaluate this rule (supports semver ranges like ~1.0, >=1.2.0, etc.)"
+                      isTriggerAlert:
+                        type: boolean
+                        description: "Whether the rule is a trigger alert"
+                        default: true
+                      mitreTechnique:
+                        type: string
+                        description: "MITRE technique associated with the rule"
+                      mitreTactic:
+                        type: string
+                        description: "MITRE tactic associated with the rule"
                     required:
                       - enabled
                       - id
@@ -100,7 +113,9 @@ spec:
                       - profileDependency
                       - severity
                       - supportPolicy
-                      - tags
+                      - isTriggerAlert
+                      - mitreTechnique
+                      - mitreTactic
               required:
                 - rules
       subresources:

tests/chart/crds/runtime-rule-binding.crd.yaml

@@ -95,4 +95,4 @@ spec:
                       items:
                         type: string
                     severity:
-                      type: string
+                      type: string

tests/chart/templates/node-agent/default-rules.yaml

@@ -1,7 +1,7 @@
 apiVersion: kubescape.io/v1
 kind: Rules
 metadata:
-  name: kubescape-rules
+  name: default-rules
   namespace: kubescape
   annotations:
     kubescape.io/namespace: kubescape
@@ -30,6 +30,7 @@ spec:
           - "process"
           - "exec"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Files Access Anomalies in container"
         enabled: true
         id: "R0002"
@@ -69,6 +70,7 @@ spec:
           - "file"
           - "open"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Syscalls Anomalies in container"
         enabled: true
         id: "R0003"
@@ -89,6 +91,7 @@ spec:
           - "anomaly"
           - "syscall"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Linux Capabilities Anomalies in container"
         enabled: true
         id: "R0004"
@@ -109,6 +112,7 @@ spec:
           - "anomaly"
           - "capabilities"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "DNS Anomalies in container"
         enabled: true
         id: "R0005"
@@ -129,6 +133,7 @@ spec:
           - "dns"
           - "anomaly"
           - "networkprofile"
+          - "context:kubernetes"
       - name: "Unexpected service account token access"
         enabled: true
         id: "R0006"
@@ -139,15 +144,12 @@ spec:
           ruleExpression:
             - eventType: "open"
               expression: >
-                ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || 
+                ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
                  (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
                  (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) ||
                  (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) &&
-                !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') &&
-                !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') &&
-                !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') &&
-                !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount')
-        profileDependency: 1
+                !ap.was_path_opened_with_suffix(event.containerId, '/token')
+        profileDependency: 0
         severity: 5
         supportPolicy: false
         isTriggerAlert: true
@@ -157,6 +159,7 @@ spec:
           - "anomaly"
           - "serviceaccount"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Workload uses Kubernetes API unexpectedly"
         enabled: true
         id: "R0007"
@@ -172,14 +175,15 @@ spec:
         profileDependency: 0
         severity: 5 # Medium
         supportPolicy: false
-        isTriggerAlert: true
+        isTriggerAlert: false
         mitreTactic: "TA0008"
         mitreTechnique: "T1210"
         tags:
           - "exec"
           - "network"
           - "anomaly"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Read Environment Variables from procfs"
         enabled: true
         id: "R0008"
@@ -190,7 +194,7 @@ spec:
           ruleExpression:
             - eventType: "open"
               expression: >
-                event.path.startsWith('/proc/') && 
+                event.path.startsWith('/proc/') &&
                 event.path.endsWith('/environ') &&
                 !ap.was_path_opened_with_suffix(event.containerId, '/environ')
         profileDependency: 0 # Required
@@ -204,6 +208,7 @@ spec:
           - "procfs"
           - "environment"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "eBPF Program Load"
         enabled: true
         id: "R0009"
@@ -224,6 +229,7 @@ spec:
           - "bpf"
           - "ebpf"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Unexpected Sensitive File Access"
         enabled: true
         id: "R0010"
@@ -244,6 +250,7 @@ spec:
           - "files"
           - "anomaly"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Unexpected Egress Network Traffic"
         enabled: true
         id: "R0011"
@@ -265,6 +272,7 @@ spec:
           - "network"
           - "anomaly"
           - "networkprofile"
+          - "context:kubernetes"
       - name: "Process executed from malicious source"
         enabled: true
         id: "R1000"
@@ -276,7 +284,7 @@ spec:
             - eventType: "exec"
               expression: >
                 (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) ||
-                (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') || 
+                (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') ||
                 (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/')))
         profileDependency: 2
         severity: 8
@@ -288,6 +296,7 @@ spec:
           - "exec"
           - "signature"
           - "malicious"
+          - "context:kubernetes"
       - name: "Drifted process executed"
         enabled: true
         id: "R1001"
@@ -313,6 +322,7 @@ spec:
           - "binary"
           - "base image"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Process tries to load a kernel module"
         enabled: true
         id: "R1002"
@@ -334,6 +344,7 @@ spec:
           - "kernel"
           - "module"
           - "load"
+          - "context:kubernetes"
       - name: "Disallowed ssh connection"
         enabled: false
         id: "R1003"
@@ -356,13 +367,14 @@ spec:
           - "port"
           - "malicious"
           - "networkprofile"
+          - "context:kubernetes"
       - name: "Process executed from mount"
         enabled: true
         id: "R1004"
         description: "Detecting exec calls from mounted paths."
         expressions:
           message: "'Process (' + event.comm + ') was executed from a mounted path'"
-          uniqueId: "event.comm + '_' + event.exepath + '_'"
+          uniqueId: "event.comm"
           ruleExpression:
             - eventType: "exec"
               expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
@@ -376,6 +388,7 @@ spec:
           - "exec"
           - "mount"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Fileless execution detected"
         enabled: true
         id: "R1005"
@@ -396,6 +409,7 @@ spec:
           - "fileless"
           - "execution"
           - "malicious"
+          - "context:kubernetes"
       - name: "Process tries to escape container"
         enabled: true
         id: "R1006"
@@ -405,7 +419,7 @@ spec:
           uniqueId: "event.comm + '_' + 'unshare'"
           ruleExpression:
             - eventType: "unshare"
-              expression: "!ap.was_syscall_used(event.containerId, 'unshare')"
+              expression: "event.pcomm != 'runc' && !ap.was_syscall_used(event.containerId, 'unshare')"
         profileDependency: 2
         severity: 5
         supportPolicy: false
@@ -418,6 +432,7 @@ spec:
           - "unshare"
           - "anomaly"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Crypto miner launched"
         enabled: true
         id: "R1007"
@@ -438,6 +453,7 @@ spec:
           - "crypto"
           - "miners"
           - "malicious"
+          - "context:kubernetes"
       - name: "Crypto Mining Domain Communication"
         enabled: true
         id: "R1008"
@@ -447,7 +463,7 @@ spec:
           uniqueId: "event.name + '_' + event.comm"
           ruleExpression:
             - eventType: "dns"
-              expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']"
+              expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.', 'xmr.kryptex.network.']"
         profileDependency: 2
         severity: 10
         supportPolicy: false
@@ -460,6 +476,7 @@ spec:
           - "miners"
           - "malicious"
           - "dns"
+          - "context:kubernetes"
       - name: "Crypto Mining Related Port Communication"
         enabled: true
         id: "R1009"
@@ -482,6 +499,7 @@ spec:
           - "miners"
           - "malicious"
           - "networkprofile"
+          - "context:kubernetes"
       - name: "Soft link created over sensitive file"
         enabled: true
         id: "R1010"
@@ -502,6 +520,7 @@ spec:
           - "anomaly"
           - "symlink"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "ld_preload hooks technique detected"
         enabled: false
         id: "R1011"
@@ -524,6 +543,7 @@ spec:
           - "exec"
           - "malicious"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Hard link created over sensitive file"
         enabled: true
         id: "R1012"
@@ -544,6 +564,7 @@ spec:
           - "files"
           - "malicious"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Malicious Ptrace Usage"
         enabled: true
         id: "R1015"
@@ -563,6 +584,7 @@ spec:
         tags:
           - "process"
           - "malicious"
+          - "context:kubernetes"
       - name: "Unexpected io_uring Operation Detected"
         enabled: true
         id: "R1030"
@@ -583,6 +605,7 @@ spec:
           - "syscalls"
           - "io_uring"
           - "applicationprofile"
+          - "context:kubernetes"
       - name: "Signed profile tampered"
         enabled: true
         id: "R1016"

tests/chart/values.yaml

@@ -32,7 +32,7 @@ global:
 storage:
   name: "storage"
   image:
-    repository: quay.io/kubescape/storage
+    repository: ghcr.io/k8sstormcenter/storage
     tag: v0.0.156
     pullPolicy: Always
   cleanupInterval: "6h"
@@ -50,7 +50,7 @@ storage:
 nodeAgent:
   name: node-agent
   image:
-    repository: quay.io/kubescape/node-agent
+    repository: ghcr.io/k8sstormcenter/node-agent
     tag: v0.2.21
     pullPolicy: IfNotPresent
 

tests/scripts/storage-tag.sh

@@ -1,4 +1,2 @@
-#/bin/bash
-curl -s https://raw.githubusercontent.com/kubescape/helm-charts/main/charts/kubescape-operator/values.yaml -o values.yaml
-yq '.storage.image.tag' < values.yaml
-rm -rf values.yaml
+#!/bin/bash
+curl -s https://api.github.com/repos/k8sstormcenter/storage/tags | jq -r '.[0].name'