WIP try creating terraform objects instead

Author: Arnas Navašinskas

examples/gke/gke_cluster_with_security_runtime_rules/castai.tf

@@ -8,31 +8,6 @@ module "castai-gke-iam" {
   service_accounts_unique_ids = length(var.service_accounts_unique_ids) == 0 ? [] : var.service_accounts_unique_ids
 }
 
-# Import rules file
-locals {
-  rules = yamldecode(file(var.runtime_security_rules_file)).rules
-}
-
-resource "castai_runtime_rule" "rules" {
-  for_each = {
-    for rule in local.rules : rule.name => rule
-  }
-
-  name              = each.value.name
-  type              = each.value.type
-  category          = each.value.category
-  enabled           = each.value.enabled
-  severity          = each.value.severity
-  rule_text         = each.value.ruleText
-  rule_engine_type  = each.value.ruleEngineType
-  is_builtin        = each.value.isBuiltIn
-  resource_selector = each.value.resourceSelector
-  labels            = each.value.labels
-  used_custom_lists = each.value.usedCustomLists
-
-  depends_on = [module.castai-gke-cluster]
-}
-
 # Configure GKE cluster connection to CAST AI with enabled Kvisor security agent.
 module "castai-gke-cluster" {
   source = "castai/gke-cluster/castai"

examples/gke/gke_cluster_with_security_runtime_rules/castai_runtime_rules.tf

@@ -0,0 +1,354 @@
+# This file is autogenerated by fetch_castai_runtime_rules.sh
+
+resource "castai_runtime_rule" "test_create_" {
+  name              = "test create"
+  type              = "test_create"
+  severity          = "SEVERITY_CRITICAL"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_exec && event.exec.is_upper_layer
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = false
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "connection_to_non_standard_ports__not_80_or_443__" {
+  name              = "Connection to non-standard ports (not 80 or 443)"
+  type              = "network:tcp_public_non_standard_port"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_tcp_connect &&
+event.tcp.destination.ip.public() &&
+!(event.tcp.destination.port in [80, 443])
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "crypto_mining_command_line_arguments_" {
+  name              = "Crypto mining command line arguments"
+  type              = "crypto_mining:binary_executed"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(bad_args, ["stratum+tcp://", "stratum+udp://", "stratum+tls://"],
+cel.bind(known_miners, ["xmrig", "minerd", "cpuminer", "minergate", "ccminer", "cgminer", "ethminer", "claymore", "bfgminer", "sgminer"],
+event.type == event_exec &&
+(
+	event.exec.file_details.category == category_crypto ||
+	known_miners.exists_one(v, event.exec.path.contains(v)) ||
+	bad_args.exists_one(bad_arg,
+		event.exec.args.exists_one(arg, arg.lowerAscii().contains(bad_arg))
+	)
+)
+))
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "dns_to_crypto_mining_" {
+  name              = "DNS to crypto mining"
+  type              = "crypto_mining:dns_lookup"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_dns && event.dns.network_details.category == category_crypto
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "dropped_and_executed_binary__container_drift__" {
+  name              = "Dropped and executed binary (container drift)"
+  type              = "general:dropped_and_executed_binary"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_exec && event.exec.is_upper_layer
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "dropped_new_binary__container_drift__" {
+  name              = "Dropped new binary (container drift)"
+  type              = "general:dropped_binary"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_magic_write
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "fileless_binary_executed_" {
+  name              = "Fileless binary executed"
+  type              = "general:fileless_execution"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_exec && event.exec.is_memfd
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "hacking_tool_executed_" {
+  name              = "Hacking tool executed"
+  type              = "suspicious_binary:hacking_tool_executed"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(known_tools,
+["amicontained", "botb-linux", "deepce", "harpoon", "kdigger", "kubeletmein", "linpeas", "peirates", "crackmapexec", "pmapper", "lazagne", "wapiti", "mitmproxy", "commix", "cadaver", "kali-tweaks", "ettercap", "ffuf", "wfuzz", "rkhunter", "dirsearch", "legion", "chkrootkit"],
+event.type == event_exec && (
+	event.exec.file_details.category == category_hacking ||
+	known_tools.exists_one(v, event.exec.path.contains(v) || event.process.name.contains(v))
+))
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "ingress_nightmare_exploit_attempt_detected_" {
+  name              = "Ingress Nightmare Exploit Attempt detected"
+  type              = "general:ingress_nginx_nightmare_exploit_attempt_detected"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_ingress_nightmare_exploit_attempt
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "potential_attempt_to_establish_a_reverse_shell_" {
+  name              = "Potential attempt to establish a reverse shell"
+  type              = "network:potential_reverse_shell"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(shell_pattern, "/bin/.*sh",
+		event.type == event_exec &&
+(event.process.name == "socat" &&
+	   	event.exec.args.exists_one(arg, arg.lowerAscii().startsWith("tcp-connect")) &&
+	   	event.exec.args.exists_one(arg,
+	   		arg.lowerAscii().startsWith("exec") && arg.lowerAscii().matches(shell_pattern))
+) || (
+ ["ncat", "nc"].exists_one(name, name == event.process.name) &&
+	event.exec.args.exists_one(arg, arg.lowerAscii().startsWith("-e")) &&
+	event.exec.args.exists_one(arg, arg.lowerAscii().matches(shell_pattern))
+))
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "potential_proxy_started_" {
+  name              = "Potential proxy started"
+  type              = "suspicious_binary:proxy_executed"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(known_proxies,
+["caddy", "frp", "glider", "hysteria", "lucky", "proxychain", "mieru", "ngrok", "pgrok", "piko", "rathole", "sshuttle", "sslh", "tinyproxy", "v2ray", "xray", "zaproxy"],
+	event.type == event_exec && (
+		event.exec.file_details.category == category_proxy ||
+		known_proxies.exists_one(v, event.exec.path.contains(v)) ||
+		event.process.name == "tor"
+	)
+)
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "potential_tunnel_started_" {
+  name              = "Potential tunnel started"
+  type              = "suspicious_binary:tunnel_executed"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(known_tunnel,
+["bore", "chisel", "dns2tcp", "gost", "jprq", "iodine", "ptunnel", "tunnelto", "turbo-tunnel", "wiretap", "stunnel", "wstunnel", "zrok"],
+	event.type == event_exec && (
+		event.exec.file_details.category == category_tunnel ||
+		known_tunnel.exists_one(v, event.exec.path.contains(v))
+	)
+)
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "process_oom_killed_" {
+  name              = "Process OOM killed"
+  type              = "general:oom_killed"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_process_oom_killed
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "scanner_to_discover_internal_services_detected_" {
+  name              = "Scanner to discover internal services detected"
+  type              = "suspicious_binary:network_scanner_detected"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(known_scanners,
+["nmap", "fierce", "kportscan", "ladon", "masscan", "p0f", "fscan", "unicornscan", "zmap", "zgrab"],
+	event.type == event_exec && (
+		event.exec.file_details.category == category_discovery ||
+		known_scanners.exists_one(v, event.process.name.contains(v) || event.exec.path.lowerAscii().contains(v)
+		)
+	)
+)
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "socks5_protocol_detected_" {
+  name              = "Socks5 protocol detected"
+  type              = "network:socks5"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_socks5_detected
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "standard_i_o_via_socket_" {
+  name              = "Standard I/O via socket"
+  type              = "network:stdio_via_socket"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_stdio_via_socket && event.stdio_via_socket.destination.port != 0 && event.stdio_via_socket.destination.ip.public()
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "suspicious_destination_ip_" {
+  name              = "Suspicious Destination IP"
+  type              = "network:suspicious_destination_ip"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_tcp_connect &&
+event.tcp.destination.ip.public() &&
+event.tcp.ip_details.abuse_confidence_score >= 75
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "suspicious_tool_executed_" {
+  name              = "Suspicious tool executed"
+  type              = "suspicious_binary:executed"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_exec && event.exec.file_details.category in [category_other, category_suspicious]
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "tcp_connection_to_crypto_mining_" {
+  name              = "TCP connection to crypto mining"
+  type              = "crypto_mining:tcp_connect"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+event.type == event_tcp_connect && event.tcp.network_details.category == category_crypto
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}
+
+resource "castai_runtime_rule" "vnc_server_related_command_line_arguments_" {
+  name              = "VNC server related command line arguments"
+  type              = "suspicious_binary:vnc_server"
+  severity          = "SEVERITY_LOW"
+  enabled           = true
+  rule_text         = <<-EOT
+cel.bind(bad_args, ["tigervnc", "novnc", "--vnc", "rfbport"],
+event.type == event_exec &&
+bad_args.exists_one(bad_arg,
+	event.exec.args.exists_one(arg, arg.lowerAscii().contains(bad_arg))
+))
+EOT
+  rule_engine_type  = "RULE_ENGINE_TYPE_CEL"
+  is_builtin        = true
+  resource_selector = ""
+
+  depends_on = [module.castai-gke-cluster]
+}