From e7182fdb2265312beb62118c1fbdafd344bfd1b3 Mon Sep 17 00:00:00 2001
From: Diamon Wiggins
Date: Fri, 12 Apr 2024 16:56:35 -0400
Subject: [PATCH 1/4] add collector and analyzer to detect security tools
---
 host/default.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/host/default.yaml b/host/default.yaml
index c149705..ec57261 100644
--- a/host/default.yaml
+++ b/host/default.yaml
@@ -384,6 +384,10 @@ spec:
 collectorName: "ps-high-load"
 command: "sh"
 args: ["-c", "ps -eo s,user,cmd | grep ^[RD] | sort | uniq -c | sort -nbr | head -20"]
+ - run:
+ collectName: "ps-detect-antivirus-and-security-tools"
+ command: "sh"
+ args: [-c, "ps aux | grep -E 'clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio' | grep -v grep"]
 - filesystemPerformance:
 collectorName: filesystem-latency-two-minute-benchmark
 timeout: 2m
@@ -761,3 +765,15 @@ spec:
 - pass:
 when: "false"
 message: "SELinux is disabled as expected"
+ - textAnalyze:
+ checkName: Detect Threat Management and Network Security Tools
+ filename: host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt
+ regex: '\b(clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio)\b'
+ ignoreIfNoFiles: true
+ outcomes:
+ - warn:
+ when: "true"
+ message: "Antivirus or Network Security tools detected. These tools can interfere with kubernetes operation."
+ - pass:
+ when: "false"
+ message: "No Antivirus or Network Security tools detected."
From c08738719540b081602019bd59a9959093f45f29 Mon Sep 17 00:00:00 2001
From: Diamon Wiggins
Date: Fri, 12 Apr 2024 16:58:33 -0400
Subject: [PATCH 2/4] change flags for ps
---
 host/default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host/default.yaml b/host/default.yaml
index ec57261..686346d 100644
--- a/host/default.yaml
+++ b/host/default.yaml
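Review bot: The trailing `grep -v grep` on the new `args` line is the only thing keeping the collector's own `sh -c` process (whose argument string contains every pattern) out of the output, and it also discards any genuine match whose command line happens to contain `grep`. Bracketing the first character of each alternative, `grep -E '[c]lamav|[s]ophos|[e]sets_daemon|[f]sav|[s]ymantec|[m]fend|[d]s_agent|[k]av|[b]dagent|[s]1agent|[f]alcon|[i]llumio'`, makes the grep stop matching itself so the second filter can go. The `-c` element is unquoted while the sibling collector two lines up writes `"-c"`; both parse as the same string, but quoting keeps the two entries consistent. On a clean host the pipeline exits 1 because the final grep finds nothing; if the run collector treats a non-zero exit as a failure and withholds the output file, the `ignoreIfNoFiles: true` analyzer added in the second hunk would skip silently instead of passing, so confirm that behaviour or append `|| true` to the command.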
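Review bot: The two messages in the new `textAnalyze` outcomes tell the operator that something matched but not what or where; since the regex is evaluated over full `ps` lines, the evidence lives in the collected file, so the warn message should at least point there, e.g. `message: "Antivirus or Network Security tools detected (see host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt). These tools can interfere with kubernetes operation."`. The `\b` boundaries in `regex` are tighter than the collector's plain substring grep, which is fine, but a whole word such as `falcon` or `kav` appearing in any argument or path of an unrelated process still produces the same warn as the agent itself; a comment above `regex:` stating that this is a name-based heuristic rather than a positive identification would save the next reader a question. Keeping `regex` single-quoted is right, since the `\b` escapes must reach the engine literally.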
@@ -387,7 +387,7 @@ spec:
 - run:
 collectName: "ps-detect-antivirus-and-security-tools"
 command: "sh"
- args: [-c, "ps aux | grep -E 'clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio' | grep -v grep"]
+ args: [-c, "ps -ef | grep -E 'clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio' | grep -v grep"]
 - filesystemPerformance:
 collectorName: filesystem-latency-two-minute-benchmark
 timeout: 2m
From 26c92489a74cc8c23076413f6db2005a3505909b Mon Sep 17 00:00:00 2001
From: Diamon Wiggins
Date: Fri, 12 Apr 2024 17:13:11 -0400
Subject: [PATCH 3/4] fix antivirus textanalyzer
---
 host/default.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/host/default.yaml b/host/default.yaml
index 686346d..ff35e15 100644
--- a/host/default.yaml
+++ b/host/default.yaml
@@ -385,7 +385,7 @@ spec:
 command: "sh"
 args: ["-c", "ps -eo s,user,cmd | grep ^[RD] | sort | uniq -c | sort -nbr | head -20"]
 - run:
- collectName: "ps-detect-antivirus-and-security-tools"
+ collectorName: "ps-detect-antivirus-and-security-tools"
 command: "sh"
 args: [-c, "ps -ef | grep -E 'clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio' | grep -v grep"]
 - filesystemPerformance:
@@ -767,11 +767,11 @@ spec:
 message: "SELinux is disabled as expected"
 - textAnalyze:
 checkName: Detect Threat Management and Network Security Tools
- filename: host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt
+ fileName: host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt
 regex: '\b(clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio)\b'
 ignoreIfNoFiles: true
 outcomes:
- - warn:
+ - fail:
 when: "true"
 message: "Antivirus or Network Security tools detected. These tools can interfere with kubernetes operation."
 - pass:
From 684d4f6ff9da2069648e26ccba5c8cec16be68c9 Mon Sep 17 00:00:00 2001
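Review bot: The switch from `ps aux` to `ps -ef` on the `args` line carries no comment saying why, and the sibling collector just above uses a third form, `ps -eo s,user,cmd`, so the next maintainer cannot tell whether the POSIX flags were chosen for portability to a non-procps `ps` or for the output format. If the reason is portability, a one-line comment above the collector such as `# ps -ef: POSIX flags, accepted by more ps implementations than BSD-style aux` would record it. On procps both forms print the full command line, so the `grep -E` and `grep -v grep` that follow behave the same; only the column layout of the captured file changes.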
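Review bot: Changing the `"true"` outcome from `warn` to `fail` in the second hunk turns a process-name heuristic into a hard stop, but the message still only says the tools 'can interfere' and gives no remediation, so the preflight now blocks without telling the operator what the project expects them to do. If the expected action is to reconfigure the agent rather than remove it, say so in the message, e.g. `message: "Antivirus or Network Security tools detected. These tools can interfere with kubernetes operation; see <PROJECT-DOCS-LINK> for the required configuration before proceeding."` with the link taken from the project's documentation. The `filename` → `fileName` fix is what lets the analyzer find the collector output at all, which suggests the check had not been exercised end-to-end before this commit; a run against a host with one of the listed agents present would confirm that the `fail` path now fires.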
From: Diamon Wiggins
Date: Tue, 16 Apr 2024 14:00:14 -0400
Subject: [PATCH 4/4] remove trailing space
---
 host/default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host/default.yaml b/host/default.yaml
index ff35e15..3bfd1df 100644
--- a/host/default.yaml
+++ b/host/default.yaml
@@ -766,7 +766,7 @@ spec:
 when: "false"
 message: "SELinux is disabled as expected"
 - textAnalyze:
- checkName: Detect Threat Management and Network Security Tools
+ checkName: "Detect Threat Management and Network Security Tools"
 fileName: host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt
 regex: '\b(clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio)\b'
 ignoreIfNoFiles: true