This repository has been archived by the owner on Mar 24, 2024. It is now read-only.
Docker sysdig pip install heuristics monitoring #20587
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker sysdig pip install heuristics monitoring | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '*/20 * * * *' | |
| jobs: | |
| install_new_pypi_pkgs: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: ensure apt pkgs are installed | |
| run: sudo apt-get install sysdig ripgrep golang-go tcpdump -y | |
| - name: get new packages names | |
| run: python3 get_packages.py | tee new.txt | |
| - name: build extractor | |
| run: cd sysdig_ioc_extractor; go build ioc_extractor.go; cd .. | |
| - name: for each package, start sysdig, run pip install on each container | |
| run: | | |
| for i in $(cat new.txt) | |
| do | |
| sudo sysdig -p "*%evt.num %evt.outputtime %container.name %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info %evt.arg.flags %fd.name %fd.cip %fd.sip %fd.sport %proc.exeline" -j "(container.name contains pip-install) and not (fd.sip.name=pypi.org or fd.cip.name=pypi.org) and not (fd.sip.name=files.pythonhosted.org or fd.cip.name=files.pythonhosted.org)" > "$i".sysdig.json & | |
| sudo docker run --rm --name pip-install-$(echo $i | tr '=' '_') python:3.10-buster pip install "$i" || echo error docker run $? | |
| sudo pkill -c sysdig | |
| sysdig_ioc_extractor/ioc_extractor "$i".sysdig.json > "$i".iocs.json | |
| sudo rm "$i".sysdig.json | |
| done | |
| - name: Upload IOCs | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: extracted-iocs | |
| path: ./*.iocs.json | |
| # - name: Upload pcaps | |
| # uses: actions/upload-artifact@v3 | |
| # with: | |
| # name: pcaps | |
| # path: ./*.pcap | |
| - name: raise alerts | |
| run: python3 raise_sus_heuristics.py *iocs.json | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |