aquasecurity · yanivagman · Dec 18, 2024 · Dec 12, 2024 · Dec 15, 2024
diff --git a/.github/actions/build-dependencies/action.yaml b/.github/actions/build-dependencies/action.yaml
@@ -64,11 +64,6 @@ runs:
         sudo ln -s /usr/local/clang/bin/llvm-readelf /usr/bin/llvm-readelf
         sudo ln -s /usr/local/clang/bin/opt /usr/bin/opt
       shell: bash
-    - name: Install OPA
-      run: |
-        sudo curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_amd64_static
-        sudo chmod 755 /usr/bin/opa
-      shell: bash
     - name: Install staticchecker
       run: |
         GOROOT=/usr/local/go GOPATH=$HOME/go go install honnef.co/go/tools/cmd/staticcheck@2023.1.7

diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -56,12 +56,10 @@ area/signatures:
   - pkg/signatures/**/*
   - signatures/*
   - signatures/**/*
-  - "**/*.rego"
 area/testing:
   - tests/*
   - tests/**/*
   - "**/*_test.go"
-  - "**/*_test.rego"
 # area/uprobe:
 area/UX:
   - pkg/cmd/*

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -161,27 +161,6 @@ jobs:
         run: |
           make check-err
   #
-  # SIGNATURES CODE VERIFICATION
-  #
-  verify-signatures:
-    name: Verify Signatures
-    needs:
-      - verify-analyze-code
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          submodules: true
-      - name: Install Dependencies
-        uses: ./.github/actions/build-dependencies
-      - name: Build Signatures
-        run: |
-          make signatures
-      - name: Test Signatures
-        run: |
-          make test-signatures
-  #
   # TOOLS BUILD VERIFICATION
   #
   verify-tools:

diff --git a/Makefile b/Makefile
@@ -37,7 +37,6 @@ CMD_INSTALL ?= install
 CMD_LLC ?= llc
 CMD_MD5 ?= md5sum
 CMD_MKDIR ?= mkdir
-CMD_OPA ?= opa
 CMD_PKGCONFIG ?= pkg-config
 CMD_RM ?= rm
 CMD_SED ?= sed
@@ -205,7 +204,6 @@ env:
 	@echo "CMD_LLC                  $(CMD_LLC)"
 	@echo "CMD_MD5                  $(CMD_MD5)"
 	@echo "CMD_MKDIR                $(CMD_MKDIR)"
-	@echo "CMD_OPA                  $(CMD_OPA)"
 	@echo "CMD_PKGCONFIG            $(CMD_PKGCONFIG)"
 	@echo "CMD_RM                   $(CMD_RM)"
 	@echo "CMD_SED                  $(CMD_SED)"
@@ -266,9 +264,6 @@ env:
 	@echo "GOSIGNATURES_DIR         $(GOSIGNATURES_DIR)"
 	@echo "GOSIGNATURES_SRC         $(GOSIGNATURES_SRC)"
 	@echo ---------------------------------------
-	@echo "REGO_SIGNATURES_DIR      $(REGO_SIGNATURES_DIR)"
-	@echo "REGO_SIGNATURES_SRC      $(REGO_SIGNATURES_SRC)"
-	@echo ---------------------------------------
 	@echo "E2E_NET_DIR              $(E2E_NET_DIR)"
 	@echo "E2E_NET_SRC              $(E2E_NET_SRC)"
 	@echo "E2E_INST_DIR             $(E2E_INST_DIR)"
@@ -318,7 +313,6 @@ help:
 	@echo "    $$ make test-unit                # run unit tests"
 	@echo "    $$ make test-types               # run unit tests for types module"
 	@echo "    $$ make test-integration         # run integration tests"
-	@echo "    $$ make test-signatures          # opa test (tracee-rules)"
 	@echo ""
 	@echo "# flags"
 	@echo ""
@@ -591,20 +585,11 @@ GOSIGNATURES_SRC :=	$(shell find $(GOSIGNATURES_DIR) \
 			! -path '$(GOSIGNATURES_DIR)/examples/*' \
 			)
 
-REGO_SIGNATURES_DIR ?= signatures/rego
-REGO_SIGNATURES_SRC :=	$(shell find $(REGO_SIGNATURES_DIR) \
-			-type f \
-			-name '*.rego' \
-			! -name '*_test.rego' \
-			! -path '$(REGO_SIGNATURES_DIR)/examples/*' \
-			)
-
 .PHONY: signatures
 signatures: $(OUTPUT_DIR)/signatures
 
 $(OUTPUT_DIR)/signatures: \
 	$(GOSIGNATURES_SRC) \
-	$(REGO_SIGNATURES_SRC) \
 	| .eval_goenv \
 	.checkver_$(CMD_GO) \
 	.check_$(CMD_INSTALL) \
@@ -615,8 +600,6 @@ $(OUTPUT_DIR)/signatures: \
 		--buildmode=plugin \
 		-o $@/builtin.so \
 		$(GOSIGNATURES_SRC)
-	# disable rego signatures by default (keep golang signatures only)
-	# $(CMD_INSTALL) -m 0644 $(REGO_SIGNATURES_SRC) $@
 
 .PHONY: clean-signatures
 clean-signatures:
@@ -823,12 +806,6 @@ test-integration: \
 		-count=1 \
 		./tests/integration/... \
 
-.PHONY: test-signatures
-test-signatures: \
-	| .check_$(CMD_OPA)
-#
-	$(CMD_OPA) test $(REGO_SIGNATURES_DIR) --verbose
-
 .PHONY: test-upstream-libbpfgo
 test-upstream-libbpfgo: \
 	| .eval_goenv \

diff --git a/Vagrantfile b/Vagrantfile
@@ -131,7 +131,6 @@ Vagrant.configure("2") do |config|
       HOME="/home/#{vm_user}"
       LLVM_VERSION="14"
       GO_VERSION="1.22.3"
-      OPA_VERSION="v0.63.0"
       KUBECTL_VERSION="v1.29"
       VM_TYPE="#{vm_type}"
 
@@ -224,13 +223,6 @@ Vagrant.configure("2") do |config|
       apt-get install --yes docker.io
       usermod -aG docker ${USER}
 
-      #
-      # opa
-      #
-
-      echo ">>> Installing opa"
-      curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${ARCH}_static
-      chmod 755 /usr/bin/opa
     SHELL
 
     vm_config.vm.provision "shell", privileged: true, reboot: true, inline: <<-SHELL

diff --git a/builder/Dockerfile.alpine-tracee-container b/builder/Dockerfile.alpine-tracee-container
@@ -10,15 +10,8 @@ ARG FLAVOR=tracee-ebpf-core
 #
 
 ARG GO_VERSION=1.22.0
-ARG OPA_VERSION=v0.63.0
 
 
-# This workaround is required since OPA 0.65.0 (latest published release) has cve-2024-24790.
-# After solved we can rollback to the commented installation lines below.
-#
-# Stage 1: Set the base image to get the OPA binary
-FROM openpolicyagent/opa:0.66.0-dev-static AS opa-extractor
-
 #
 # tracee-base
 #
@@ -35,15 +28,6 @@ RUN apk --no-cache update && \
     apk --no-cache add libelf zlib zstd && \
     apk --no-cache add libc6-compat
 
-# install OPA
-
-# ARG OPA_VERSION
-# RUN curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${TARGETARCH}_static && \
-# chmod 755 /usr/bin/opa
-
-# Stage 2: Copy the OPA binary from the OPA extractor
-COPY --from=opa-extractor /opa /usr/bin/opa
-
 #
 # tracee-make-base
 #

diff --git a/builder/Dockerfile.alpine-tracee-make b/builder/Dockerfile.alpine-tracee-make
@@ -40,11 +40,6 @@ RUN cd /tmp && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
-# install OPA
-RUN TARGETARCH=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${TARGETARCH}_static && \
-    chmod 755 /usr/bin/opa
-
 # install extra tools for testing things
 RUN apk --no-cache add man-pages man-pages-posix bash-completion vim iproute2 vlan bridge-utils net-tools \
     netcat-openbsd iputils wget lynx w3m stress-ng

diff --git a/builder/Dockerfile.ubuntu-tracee-make b/builder/Dockerfile.ubuntu-tracee-make
@@ -12,7 +12,6 @@ ARG gid=1000
 #
 
 ARG GO_VERSION=1.22.0
-ARG OPA_VERSION=v0.63.0
 
 # install needed environment
 
@@ -36,11 +35,6 @@ RUN cd /tmp && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
-# install OPA
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
-    chmod 755 /usr/bin/opa
-
 # extra tools for testing things
 
 RUN export DEBIAN_FRONTEND=noninteractive && \

diff --git a/cmd/tracee-rules/main.go b/cmd/tracee-rules/main.go
@@ -11,7 +11,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/open-policy-agent/opa/compile"
 	"github.com/urfave/cli/v2"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 
@@ -44,27 +43,14 @@ func main() {
 				return errors.New("no flags specified")
 			}
 
-			var target string
-			switch strings.ToLower(c.String("rego-runtime-target")) {
-			case "wasm":
-				return errors.New("target unsupported: wasm")
-			case "rego":
-				target = compile.TargetRego
-			default:
-				return fmt.Errorf("invalid target specified: %s", strings.ToLower(c.String("rego-runtime-target")))
-			}
-
 			var rulesDir []string
 			if c.String("rules-dir") != "" {
 				rulesDir = []string{c.String("rules-dir")}
 			}
 
 			sigs, _, err := signature.Find(
-				target,
-				c.Bool("rego-partial-eval"),
 				rulesDir,
 				c.StringSlice("rules"),
-				c.Bool("rego-aio"),
 			)
 			if err != nil {
 				return err
@@ -187,11 +173,7 @@ func main() {
 			},
 			&cli.StringFlag{
 				Name:  "rules-dir",
-				Usage: "directory where to search for rules in OPA (.rego) and Go plugin (.so) formats",
-			},
-			&cli.BoolFlag{
-				Name:  "rego-partial-eval",
-				Usage: "enable partial evaluation of rego rules",
+				Usage: "directory where to search for rules in Go plugin (.so) format",
 			},
 			&cli.BoolFlag{
 				Name:  "list",
@@ -227,15 +209,6 @@ func main() {
 				Usage: "enable pyroscope agent",
 				Value: false,
 			},
-			&cli.BoolFlag{
-				Name:  "rego-aio",
-				Usage: "compile rego signatures altogether as an aggregate policy. By default each signature is compiled separately.",
-			},
-			&cli.StringFlag{
-				Name:  "rego-runtime-target",
-				Usage: "select which runtime target to use for evaluation of rego rules: rego, wasm",
-				Value: "rego",
-			},
 			&cli.BoolFlag{
 				Name:  "list-events",
 				Usage: "print a list of events that currently loaded signatures require",

diff --git a/cmd/tracee/cmd/analyze.go b/cmd/tracee/cmd/analyze.go
@@ -45,14 +45,7 @@ func init() {
 	analyzeCmd.Flags().StringArray(
 		"signatures-dir",
 		[]string{},
-		"Directory where to search for signatures in OPA (.rego) and Go plugin (.so) formats",
-	)
-
-	// rego
-	analyzeCmd.Flags().StringArray(
-		"rego",
-		[]string{},
-		"Control event rego settings",
+		"Directory where to search for signatures in Go plugin (.so) format",
 	)
 
 	analyzeCmd.Flags().StringArrayP(
@@ -79,7 +72,6 @@ tracee analyze --events anti_debugging --source events.json`,
 		bindViperFlag(cmd, "source")
 		bindViperFlag(cmd, "output")
 		bindViperFlag(cmd, "log")
-		bindViperFlag(cmd, "rego")
 		bindViperFlag(cmd, "signatures-dir")
 	},
 	Run:                   command,
@@ -150,13 +142,6 @@ func command(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	// Rego command line flags
-
-	rego, err := flags.PrepareRego(viper.GetStringSlice("rego"))
-	if err != nil {
-		logger.Fatalw("Failed to parse rego flags", "err", err)
-	}
-
 	// Signature directory command line flags
 
 	signatureEvents := viper.GetStringSlice("events")
@@ -168,7 +153,6 @@ func command(cmd *cobra.Command, args []string) {
 	signatureDirs := viper.GetStringSlice("signatures-dir")
 
 	analyze.Analyze(analyze.Config{
-		Rego:            rego,
 		Source:          sourceFile,
 		Printer:         p,
 		Legacy:          isLegacy,

diff --git a/cmd/tracee/cmd/list.go b/cmd/tracee/cmd/list.go
@@ -3,7 +3,6 @@ package cmd
 import (
 	"os"
 
-	"github.com/open-policy-agent/opa/compile"
 	"github.com/spf13/cobra"
 
 	"github.com/aquasecurity/tracee/pkg/cmd"
@@ -24,7 +23,7 @@ func init() {
 	listCmd.Flags().StringArray(
 		"signatures-dir",
 		[]string{},
-		"Directories where to search for signatures in OPA (.rego) and Go plugin (.so) formats",
+		"Directories where to search for signatures in Go plugin (.so) format",
 	)
 }
 
@@ -41,13 +40,7 @@ var listCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		signatures, _, err := signature.Find(
-			compile.TargetRego,
-			false,
-			sigsDir,
-			nil,
-			false,
-		)
+		signatures, _, err := signature.Find(sigsDir, nil)
 		if err != nil {
 			logger.Fatalw("Failed to find signatures", "err", err)
 			os.Exit(1)

diff --git a/cmd/tracee/cmd/man.go b/cmd/tracee/cmd/man.go
@@ -24,7 +24,6 @@ func init() {
 		eventsCmd,
 		logCmd,
 		outputCmd,
-		regoCmd,
 		scopeCmd,
 	)
 }
@@ -115,15 +114,6 @@ var outputCmd = &cobra.Command{
 	},
 }
 
-var regoCmd = &cobra.Command{
-	Use:     "rego",
-	Aliases: []string{},
-	Short:   "rego flag help",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		return runManForFlag("rego")
-	},
-}
-
 var scopeCmd = &cobra.Command{
 	Use:     "scope",
 	Aliases: []string{"s"},