From c87e469e48707c3e9ab4b8a6663734561056fe62 Mon Sep 17 00:00:00 2001 From: Noah Campbell Date: Mon, 6 Oct 2025 14:10:41 -0700 Subject: [PATCH 1/7] Update host-preflight.yaml --- pkg-new/preflights/host-preflight.yaml | 59 ++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index f3a349a138..07eb2f7d9e 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml @@ -220,6 +220,41 @@ spec: if [ ! "$bin_dir_type_label" = "bin_t" ]; then echo "bin_dir_type_label $bin_dir_type_label" fi + - run: + collectorName: "ps-detect-antivirus-and-security-tools" + command: "sh" + args: + - -c + - | + pat='(clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio|xagt|wdavdaemon|mdatp)' + + if command -v pgrep >/dev/null 2>&1; then + pgrep -afi "$pat" + else + ps -eo args= + fi \ + | awk -v pat="$pat" ' + BEGIN { IGNORECASE=1 } + /(awk|grep|pgrep|ps|sh -c)/ { next } + { + line=$0 + while (match(line, pat)) { + print tolower(substr(line, RSTART, RLENGTH)) + line=substr(line, RSTART+RLENGTH) + } + } + ' \ + | sort -u + - systemPackages: + collectorName: security-tools-packages + ubuntu: + - sdcss-kmod + - sdcss + - sdcss-scripts + rhel: + - sdcss-kmod + - sdcss + - sdcss-scripts analyzers: - cpu: checkName: CPU 
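Review bot: The exclusion rule `/(awk|grep|pgrep|ps|sh -c)/ { next }` in the new `ps-detect-antivirus-and-security-tools` script is an unanchored, case-insensitive substring test, so any full command line containing `ps` (a path such as `/opt/apps/...`, an `https://` argument) is discarded before the tool pattern is ever applied, which can hide a real agent as easily as it hides the pipeline's own processes. The tokens in `pat` are unanchored too, so short ones like `kav` or `falcon` will fire on unrelated command lines that merely contain those letters; matching against the process name (`comm`) or anchoring each token on non-word characters would make both the exclusion and the detection far less accidental. `BEGIN { IGNORECASE=1 }` is a gawk extension that mawk and busybox awk silently ignore, so on those hosts the awk-side `match` is case-sensitive even though `pgrep -i` matched case-insensitively — worth a comment such as `# IGNORECASE is gawk-only; other awks match case-sensitively here` until the pattern is lowercased on both sides.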
@@ -1307,3 +1342,27 @@ spec: The selinux type context label for the embedded cluster binary directory are incorrect. Try running: sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?" && sudo restorecon -RvF {{ .DataDir }} - pass: when: "false" + - textAnalyze: + checkName: "Detect Threat Management and Network Security Tools" + fileName: host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt + regexGroups: '(?ms)(?P.*)' + ignoreIfNoFiles: true + outcomes: + - pass: + when: "Detected == ''" + message: "No antivirus or network security tools detected." + - warn: + message: |- + The following antivirus or network security tools were detected: + {{ "{{" }} .Detected {{ "}}" }} + + These types of tools have been known to interfere with Kubernetes operation in various ways. If you experience an installation problem, you may need to disable these tools temporarily as part of the troubleshooting process to identify if any system administrator exceptions may be required to maintain necessary internal Kubernetes operations. + - systemPackages: + checkName: "Detected Security Packages" + collectorName: security-tools-packages + outcomes: + - warn: + when: '{{ "{{" }} .IsInstalled {{ "}}" }}' + message: Package {{ "{{" }} .Name {{ "}}" }} is installed. This tool can interfere with kubernetes operation. Ensure the tool is either disabled or configured to not interfere with kubernetes operation. + - pass: + message: Package {{ "{{" }} .Name {{ "}}" }} is not installed From 75cb5247b4d5b53d73dcaa9f12a1514ad9649334 Mon Sep 17 00:00:00 2001 From: Noah Campbell Date: Mon, 6 Oct 2025 14:24:26 -0700 Subject: [PATCH 2/7] Update host-preflight.yaml --- pkg-new/preflights/host-preflight.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index 07eb2f7d9e..7ae83c11e0 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml 
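Review bot: As rendered here the new analyzer reads `regexGroups: '(?ms)(?P.*)'`, which declares no named group, while the pass outcome `when: "Detected == ''"` and the warn message `.Detected` both depend on a group named `Detected`; if the `<Detected>` name was merely lost in rendering this is fine, otherwise the line must be `regexGroups: '(?ms)(?P<Detected>.*)'` or the check never resolves. Because `(?ms).*` captures the whole file including the trailing newline written by `sort -u`, `Detected` is only the empty string when the collector printed nothing at all, which is the intended pass condition, but any collector failure that leaves no file is skipped via `ignoreIfNoFiles: true` and therefore also reports nothing — presumably acceptable for a warn-only check, but worth stating in a comment above the analyzer. The enclosing `analyzers:` list starts outside this hunk.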
@@ -1362,7 +1362,7 @@ spec: collectorName: security-tools-packages outcomes: - warn: - when: '{{ "{{" }} .IsInstalled {{ "}}" }}' + when: "IsInstalled" message: Package {{ "{{" }} .Name {{ "}}" }} is installed. This tool can interfere with kubernetes operation. Ensure the tool is either disabled or configured to not interfere with kubernetes operation. - pass: message: Package {{ "{{" }} .Name {{ "}}" }} is not installed From fd027586291490f8bb5f4fb1cc981de2bc717107 Mon Sep 17 00:00:00 2001 From: Noah Campbell Date: Mon, 6 Oct 2025 14:33:06 -0700 Subject: [PATCH 3/7] addressed older bugbot concerns and reverted templating to standard --- pkg-new/preflights/host-preflight.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index 7ae83c11e0..b70513f5bc 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml @@ -227,15 +227,14 @@ spec: - -c - | pat='(clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio|xagt|wdavdaemon|mdatp)' - if command -v pgrep >/dev/null 2>&1; then - pgrep -afi "$pat" + pgrep -fli "$pat" | awk '{ $1=""; sub(/^ /,""); print }' else - ps -eo args= + # Fallback: list only command names (not full args) + ps -eo comm= fi \ | awk -v pat="$pat" ' BEGIN { IGNORECASE=1 } - /(awk|grep|pgrep|ps|sh -c)/ { next } { line=$0 while (match(line, pat)) { @@ -1362,7 +1361,7 @@ spec: collectorName: security-tools-packages outcomes: - warn: - when: "IsInstalled" + when: '{{ "{{" }} .IsInstalled {{ "}}" }}' message: Package {{ "{{" }} .Name {{ "}}" }} is installed. This tool can interfere with kubernetes operation. Ensure the tool is either disabled or configured to not interfere with kubernetes operation. - pass: message: Package {{ "{{" }} .Name {{ "}}" }} is not installed From c06a4a2551bc16b46c97e053b3388f2fa84ee1d6 Mon Sep 17 00:00:00 2001 
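Review bot: Dropping the `/(awk|grep|pgrep|ps|sh -c)/ { next }` line in the `@@ -227,15 +227,14 @@` hunk reintroduces self-detection: `pgrep -f` matches the pattern against full command lines, and both the `sh -c` process running this script and the sibling `awk -v pat="$pat"` carry the literal alternation `(clamav|sophos|...)` in their arguments, so on a procps-ng host where `-fl` prints the full command line the collector would report every tool in the list on every machine; where `-l` prints only the short name it instead discards the argument text that `-f` matched on, so the awk extraction sees just `sh` or `awk`. Excluding the current shell by pid and passing the pattern through the environment avoids both cases, e.g. `pgrep -fli "$pat" | awk -v self="$$" '$1 != self { $1=""; sub(/^ /,""); print }'` with `export pat` and `ENVIRON["pat"]` in the second awk. Note also that `-i` is a procps-ng option; a busybox `pgrep` is found by `command -v` but rejects it, so the fallback branch is never reached and the check passes with no output — if busybox hosts are in scope, `pgrep -i` needs a guard. The collector's `args` block begins before this hunk.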
From: Noah Campbell Date: Tue, 7 Oct 2025 09:54:14 -0700 Subject: [PATCH 4/7] Security tool detection prints as single message --- pkg-new/preflights/host-preflight.yaml | 36 +++++++++++++++++++++----- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index b70513f5bc..74db445cd0 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml @@ -254,6 +254,24 @@ spec: - sdcss-kmod - sdcss - sdcss-scripts + - run: + collectorName: security-tools-installed + command: sh + args: + - -c + - | + pkgs="sdcss-kmod sdcss sdcss-scripts" + installed="" + if command -v dpkg >/dev/null 2>&1; then + for p in $pkgs; do + dpkg -l "$p" >/dev/null 2>&1 && installed="$installed$p\n" + done + elif command -v rpm >/dev/null 2>&1; then + for p in $pkgs; do + rpm -q "$p" >/dev/null 2>&1 && installed="$installed$p\n" + done + fi + printf "%b" "$installed" | sed '/^$/d' analyzers: - cpu: checkName: CPU 
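Review bot: `dpkg -l "$p" >/dev/null 2>&1` in the new `security-tools-installed` collector exits 0 for any package known to the dpkg database, including ones in the removed-but-config-remains (`rc`) state, so a host that once had the `sdcss` packages and purged them incompletely is still reported as having them installed; the later rewrites of this loop in this series keep the same test. Query the status field instead, e.g. `dpkg-query -W -f='${Status}' "$p" 2>/dev/null | grep -q 'ok installed'`, which is also the check `rpm -q` already approximates on the RPM side. A one-line comment on the `pkgs=` assignment saying these are the Symantec Data Center Security package names would help the next reader, since nothing in the hunk explains the list.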
@@ -1356,12 +1374,18 @@ spec: {{ "{{" }} .Detected {{ "}}" }} These types of tools have been known to interfere with Kubernetes operation in various ways. If you experience an installation problem, you may need to disable these tools temporarily as part of the troubleshooting process to identify if any system administrator exceptions may be required to maintain necessary internal Kubernetes operations. - - systemPackages: + - textAnalyze: checkName: "Detected Security Packages" - collectorName: security-tools-packages + fileName: host-collectors/run-host/security-tools-installed.txt + regexGroups: '(?ms)(?P.*)' + ignoreIfNoFiles: true outcomes: - - warn: - when: '{{ "{{" }} .IsInstalled {{ "}}" }}' - message: Package {{ "{{" }} .Name {{ "}}" }} is installed. This tool can interfere with kubernetes operation. Ensure the tool is either disabled or configured to not interfere with kubernetes operation. - pass: - message: Package {{ "{{" }} .Name {{ "}}" }} is not installed + when: "Installed == ''" + message: "No security packages detected." + - warn: + message: |- + The following security packages were detected: + {{ "{{" }} .Installed {{ "}}" }} + + These packages can interfere with Kubernetes operation. Ensure they are disabled or configured to not interfere with required Kubernetes traffic and processes. From 140c365fa648f0d102b4e691e66ddc1c6e932a73 Mon Sep 17 00:00:00 2001 From: Noah Campbell Date: Tue, 7 Oct 2025 10:04:58 -0700 Subject: [PATCH 5/7] removed \n and %b combination for tool detection --- pkg-new/preflights/host-preflight.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index 74db445cd0..4f21e34278 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml 
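Review bot: Replacing the `systemPackages` analyzer with a `textAnalyze` over `security-tools-installed.txt` leaves the `systemPackages` collector named `security-tools-packages` (still visible as context in this patch's first hunk, `- sdcss-kmod` / `- sdcss` / `- sdcss-scripts`) with nothing that reads its output, so it is now dead configuration that still runs package queries on every host. Either remove that collector or keep the analyzer; if it is kept deliberately, a comment such as `# collected for bundle inspection only; analyzed via security-tools-installed` would stop the next reader from wiring it back up. The same rendering caveat as the earlier `regexGroups: '(?ms)(?P.*)'` applies here — the group must be named `Installed` for `when: "Installed == ''"` to resolve.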
@@ -261,17 +261,15 @@ spec: - -c - | pkgs="sdcss-kmod sdcss sdcss-scripts" - installed="" if command -v dpkg >/dev/null 2>&1; then for p in $pkgs; do - dpkg -l "$p" >/dev/null 2>&1 && installed="$installed$p\n" + dpkg -l "$p" >/dev/null 2>&1 && printf '%s\n' "$p" done elif command -v rpm >/dev/null 2>&1; then for p in $pkgs; do - rpm -q "$p" >/dev/null 2>&1 && installed="$installed$p\n" + rpm -q "$p" >/dev/null 2>&1 && printf '%s\n' "$p" done fi - printf "%b" "$installed" | sed '/^$/d' analyzers: - cpu: checkName: CPU From 02b772273e11a74172ffe1f97c11b5a3a19d3331 Mon Sep 17 00:00:00 2001 From: Noah Campbell Date: Thu, 9 Oct 2025 11:14:01 -0700 Subject: [PATCH 6/7] removed \n characters --- pkg-new/preflights/host-preflight.yaml | 27 ++++++++++---------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index 4f21e34278..b7e8347c90 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml @@ -243,7 +243,8 @@ spec: } } ' \ - | sort -u + | sort -u \ + | paste -sd ', ' - - systemPackages: collectorName: security-tools-packages ubuntu: @@ -262,13 +263,13 @@ spec: - | pkgs="sdcss-kmod sdcss sdcss-scripts" if command -v dpkg >/dev/null 2>&1; then - for p in $pkgs; do - dpkg -l "$p" >/dev/null 2>&1 && printf '%s\n' "$p" - done + { for p in $pkgs; do + dpkg -l "$p" >/dev/null 2>&1 && printf '%s\n' "$p"; + done; } | paste -sd ', ' - elif command -v rpm >/dev/null 2>&1; then - for p in $pkgs; do - rpm -q "$p" >/dev/null 2>&1 && printf '%s\n' "$p" - done + { for p in $pkgs; do + rpm -q "$p" >/dev/null 2>&1 && printf '%s\n' "$p"; + done; } | paste -sd ', ' - fi analyzers: - cpu: 
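Review bot: `paste -sd ', ' -` in the `@@ -243,7 +243,8 @@` hunk does not join with the two-character string ", ": `-d` takes a list of single-character delimiters used cyclically, so three detected names come out as `a,b c` rather than `a, b, c`. The same call appears in this patch's `@@ -262,13 +263,13 @@` hunk (twice) and is carried forward unchanged into both hunks of the following commit, so the rendered warn messages will show the odd alternating separators on any host with more than two hits. `paste -sd, - | sed 's/,/, /g'` produces the intended list on every line it is used, and the later `tr -d '\n'` can stay appended to it.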
@@ -1367,11 +1368,7 @@ spec: when: "Detected == ''" message: "No antivirus or network security tools detected." - warn: - message: |- - The following antivirus or network security tools were detected: - {{ "{{" }} .Detected {{ "}}" }} - - These types of tools have been known to interfere with Kubernetes operation in various ways. If you experience an installation problem, you may need to disable these tools temporarily as part of the troubleshooting process to identify if any system administrator exceptions may be required to maintain necessary internal Kubernetes operations. + message: "The following antivirus or network security tools were detected: {{ \"{{\" }} .Detected {{ \"}}\" }}. These types of tools have been known to interfere with Kubernetes operation in various ways. If you experience an installation problem, you may need to disable these tools temporarily as part of the troubleshooting process to identify if any system administrator exceptions may be required to maintain necessary internal Kubernetes operations." - textAnalyze: checkName: "Detected Security Packages" fileName: host-collectors/run-host/security-tools-installed.txt @@ -1382,8 +1379,4 @@ spec: when: "Installed == ''" message: "No security packages detected." - warn: - message: |- - The following security packages were detected: - {{ "{{" }} .Installed {{ "}}" }} - - These packages can interfere with Kubernetes operation. Ensure they are disabled or configured to not interfere with required Kubernetes traffic and processes. + message: "The following security packages were detected: {{ \"{{\" }} .Installed {{ \"}}\" }}. These packages can interfere with Kubernetes operation. Ensure they are disabled or configured to not interfere with required Kubernetes traffic and processes." From c81ee1c1e9e4c88de4c86bdd11089399f6083660 Mon Sep 17 00:00:00 2001 
From: Noah Campbell Date: Thu, 9 Oct 2025 12:00:30 -0700 Subject: [PATCH 7/7] Update host-preflight.yaml --- pkg-new/preflights/host-preflight.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml index b7e8347c90..0f3abdd5e0 100644 --- a/pkg-new/preflights/host-preflight.yaml +++ b/pkg-new/preflights/host-preflight.yaml @@ -244,7 +244,8 @@ spec: } ' \ | sort -u \ - | paste -sd ', ' - + | paste -sd ', ' - \ + | tr -d '\n' - systemPackages: collectorName: security-tools-packages ubuntu: @@ -265,11 +266,11 @@ spec: if command -v dpkg >/dev/null 2>&1; then { for p in $pkgs; do dpkg -l "$p" >/dev/null 2>&1 && printf '%s\n' "$p"; - done; } | paste -sd ', ' - + done; } | paste -sd ', ' - | tr -d '\n' elif command -v rpm >/dev/null 2>&1; then { for p in $pkgs; do rpm -q "$p" >/dev/null 2>&1 && printf '%s\n' "$p"; - done; } | paste -sd ', ' - + done; } | paste -sd ', ' - | tr -d '\n' fi analyzers: - cpu: 
@@ -1368,7 +1369,7 @@ spec: when: "Detected == ''" message: "No antivirus or network security tools detected." - warn: - message: "The following antivirus or network security tools were detected: {{ \"{{\" }} .Detected {{ \"}}\" }}. These types of tools have been known to interfere with Kubernetes operation in various ways. If you experience an installation problem, you may need to disable these tools temporarily as part of the troubleshooting process to identify if any system administrator exceptions may be required to maintain necessary internal Kubernetes operations." + message: "The following antivirus or network security tools were detected: {{ "{{" }} .Detected {{ "}}" }}. These types of tools have been known to interfere with Kubernetes operation in various ways. If you experience an installation problem, you may need to disable these tools temporarily as part of the troubleshooting process to identify if any system administrator exceptions may be required to maintain necessary internal Kubernetes operations." - textAnalyze: checkName: "Detected Security Packages" fileName: host-collectors/run-host/security-tools-installed.txt @@ -1379,4 +1380,4 @@ spec: when: "Installed == ''" message: "No security packages detected." - warn: - message: "The following security packages were detected: {{ \"{{\" }} .Installed {{ \"}}\" }}. These packages can interfere with Kubernetes operation. Ensure they are disabled or configured to not interfere with required Kubernetes traffic and processes." + message: "The following security packages were detected: {{ "{{" }} .Installed {{ "}}" }}. These packages can interfere with Kubernetes operation. Ensure they are disabled or configured to not interfere with required Kubernetes traffic and processes."
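Review bot: Both warn messages are now double-quoted YAML scalars that contain unescaped `"` characters from `{{ "{{" }}` and `{{ "}}" }}`, so the raw file is no longer parseable as YAML by yamllint, editors or any schema tooling; it only becomes valid after the first template pass turns those actions into `{{ .Detected }}` (the file is evidently rendered before loading, given the unescaped `{{ .DataDir }}` in the surrounding context, but that is an inference from this diff). The previous revision's `{{ \"{{\" }}` form avoided the YAML problem but put a backslash inside a Go template action, which the template lexer likely rejects, so neither spelling is lint-clean. A folded block scalar gives the single-line output this commit is after with no quoting at all: `message: >-` followed by the text on indented lines, where the `{{ "{{" }} .Detected {{ "}}" }}` placeholder needs no escaping and the paragraph is emitted as one line; the same applies to the `@@ -1379,4 +1380,4 @@` hunk.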