feat(detectors): migrate system_request_key_config_modification signature to detector

Migrated from signatures/golang/system_request_key_config_modification.go
Detector ID: TRC-1031

Author: yanivagman

detectors/system_request_key_config_modification.go

@@ -0,0 +1,79 @@
+package detectors
+
+import (
+	"context"
+
+	"github.com/aquasecurity/tracee/api/v1beta1"
+	"github.com/aquasecurity/tracee/api/v1beta1/detection"
+	"github.com/aquasecurity/tracee/common/parsers"
+)
+
+func init() {
+	register(&SystemRequestKeyConfigModification{})
+}
+
+// SystemRequestKeyConfigModification detects modifications to sysrq configuration files.
+// Adversaries may use this to control system behavior or gather information for container escape.
+type SystemRequestKeyConfigModification struct {
+	logger detection.Logger
+}
+
+func (d *SystemRequestKeyConfigModification) GetDefinition() detection.DetectorDefinition {
+	return detection.DetectorDefinition{
+		ID: "TRC-1031",
+		Requirements: detection.DetectorRequirements{
+			Events: []detection.EventRequirement{
+				{
+					Name:         "security_file_open",
+					Dependency:   detection.DependencyRequired,
+					ScopeFilters: []string{"container=started"},
+					DataFilters: []string{
+						"pathname=/proc/sys/kernel/sysrq",
+						"pathname=/proc/sysrq-trigger",
+					},
+				},
+			},
+		},
+		ProducedEvent: v1beta1.EventDefinition{
+			Name:        "system_request_key_mod",
+			Description: "System request key configuration modification",
+			Version:     &v1beta1.Version{Major: 1, Minor: 0, Patch: 0},
+		},
+		ThreatMetadata: &v1beta1.Threat{
+			Name:        "System request key configuration modification",
+			Description: "An attempt to modify and activate the System Request Key configuration file was detected. The system request key allows immediate input to the kernel through simple key combinations. Adversaries may use this feature to immediately shut down or restart a system. With read access to kernel logs, host related information such as listing tasks and CPU registers may be disclosed and could be used for container escape.",
+			Severity:    v1beta1.Severity_HIGH,
+			Mitre: &v1beta1.Mitre{
+				Tactic:    &v1beta1.MitreTactic{Name: "Privilege Escalation"},
+				Technique: &v1beta1.MitreTechnique{Id: "T1611", Name: "Escape to Host"},
+			},
+			Properties: map[string]string{"Category": "privilege-escalation"},
+		},
+		AutoPopulate: detection.AutoPopulateFields{Threat: true, DetectedFrom: true},
+	}
+}
+
+func (d *SystemRequestKeyConfigModification) Init(params detection.DetectorParams) error {
+	d.logger = params.Logger
+	d.logger.Debugw("SystemRequestKeyConfigModification detector initialized")
+	return nil
+}
+
+func (d *SystemRequestKeyConfigModification) OnEvent(ctx context.Context, event *v1beta1.Event) ([]detection.DetectorOutput, error) {
+	flags, err := v1beta1.GetDataSafe[int32](event, "flags")
+	if err != nil {
+		return nil, nil
+	}
+
+	if !parsers.IsFileWrite(int(flags)) {
+		return nil, nil
+	}
+
+	d.logger.Debugw("sysrq modification detected", "container", v1beta1.GetContainerID(event))
+	return detection.Detected(), nil
+}
+
+func (d *SystemRequestKeyConfigModification) Close() error {
+	d.logger.Debugw("SystemRequestKeyConfigModification detector closed")
+	return nil
+}

detectors/system_request_key_config_modification_test.go

@@ -0,0 +1,81 @@
+package detectors
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/tracee/api/v1beta1"
+	"github.com/aquasecurity/tracee/api/v1beta1/detection"
+)
+
+func TestSystemRequestKeyConfigModification(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name           string
+		pathname       string
+		flags          int32
+		expectedOutput bool
+	}{
+		{
+			name:           "write to /proc/sys/kernel/sysrq",
+			pathname:       "/proc/sys/kernel/sysrq",
+			flags:          1, // O_WRONLY
+			expectedOutput: true,
+		},
+		{
+			name:           "write to /proc/sysrq-trigger",
+			pathname:       "/proc/sysrq-trigger",
+			flags:          1, // O_WRONLY
+			expectedOutput: true,
+		},
+		{
+			name:           "read from /proc/sys/kernel/sysrq - should not trigger",
+			pathname:       "/proc/sys/kernel/sysrq",
+			flags:          0, // O_RDONLY
+			expectedOutput: false,
+		},
+		// Note: different_file test removed - DataFilter would prevent this event from reaching OnEvent
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			detector := &SystemRequestKeyConfigModification{}
+			err := detector.Init(detection.DetectorParams{Logger: &mockLogger{}})
+			require.NoError(t, err)
+
+			event := &v1beta1.Event{
+				Id:   v1beta1.EventId_security_file_open,
+				Name: "security_file_open",
+				Workload: &v1beta1.Workload{
+					Process: &v1beta1.Process{
+						Executable: &v1beta1.Executable{Path: "/usr/bin/test"},
+					},
+					Container: &v1beta1.Container{
+						Id:      "test-container",
+						Started: true,
+					},
+				},
+				Data: []*v1beta1.EventValue{
+					v1beta1.NewStringValue("pathname", tc.pathname),
+					v1beta1.NewInt32Value("flags", tc.flags),
+				},
+			}
+
+			output, err := detector.OnEvent(context.Background(), event)
+			require.NoError(t, err)
+
+			if tc.expectedOutput {
+				assert.Len(t, output, 1, "Expected detection")
+			} else {
+				assert.Len(t, output, 0, "Expected no detection")
+			}
+		})
+	}
+}

signatures/golang/export.go

@@ -4,9 +4,7 @@ import "github.com/aquasecurity/tracee/types/detect"
 
 // ExportedSignatures fulfills the goplugins contract required by the rule-engine
 // this is a list of signatures that this plugin exports
-var ExportedSignatures = []detect.Signature{
-	&SystemRequestKeyConfigModification{},
-}
+var ExportedSignatures = []detect.Signature{}
 
 // ExportedDataSources fulfills the goplugins contract required by the rule-engine
 // this is a list of data-sources that this plugin exports