Refactor: Remove Rego signature support

This commit removes support for Rego-based signatures in Tracee.

Rego signatures, while easier to write than compiled Go signatures,
introduced performance overhead. This removal simplifies the Tracee codebase
and prepares for the future introduction of Wasm-based signatures,
which will offer both improved performance and extended capabilities.

In the meantime, users can leverage the following:

- **Go-based signatures:** For optimal performance and custom event handling.
- **Tracee policies:** For basic event filtering needs, providing a convenient
way to define filters directly within the policy.

Tracee policies currently address the most common use case for signatures.
Future development will focus on expanding Tracee's capabilities to accommodate
more advanced scenarios.

.github/actions/build-dependencies/action.yaml

@@ -64,11 +64,6 @@ runs:
         sudo ln -s /usr/local/clang/bin/llvm-readelf /usr/bin/llvm-readelf
         sudo ln -s /usr/local/clang/bin/opt /usr/bin/opt
       shell: bash
-    - name: Install OPA
-      run: |
-        sudo curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_amd64_static
-        sudo chmod 755 /usr/bin/opa
-      shell: bash
     - name: Install staticchecker
       run: |
         GOROOT=/usr/local/go GOPATH=$HOME/go go install honnef.co/go/tools/cmd/[email protected]

.github/labeler.yml

@@ -56,12 +56,10 @@ area/signatures:
   - pkg/signatures/**/*
   - signatures/*
   - signatures/**/*
-  - "**/*.rego"
 area/testing:
   - tests/*
   - tests/**/*
   - "**/*_test.go"
-  - "**/*_test.rego"
 # area/uprobe:
 area/UX:
   - pkg/cmd/*

Makefile

@@ -37,7 +37,6 @@ CMD_INSTALL ?= install
 CMD_LLC ?= llc
 CMD_MD5 ?= md5sum
 CMD_MKDIR ?= mkdir
-CMD_OPA ?= opa
 CMD_PKGCONFIG ?= pkg-config
 CMD_RM ?= rm
 CMD_SED ?= sed
@@ -205,7 +204,6 @@ env:
 	@echo "CMD_LLC                  $(CMD_LLC)"
 	@echo "CMD_MD5                  $(CMD_MD5)"
 	@echo "CMD_MKDIR                $(CMD_MKDIR)"
-	@echo "CMD_OPA                  $(CMD_OPA)"
 	@echo "CMD_PKGCONFIG            $(CMD_PKGCONFIG)"
 	@echo "CMD_RM                   $(CMD_RM)"
 	@echo "CMD_SED                  $(CMD_SED)"
@@ -266,9 +264,6 @@ env:
 	@echo "GOSIGNATURES_DIR         $(GOSIGNATURES_DIR)"
 	@echo "GOSIGNATURES_SRC         $(GOSIGNATURES_SRC)"
 	@echo ---------------------------------------
-	@echo "REGO_SIGNATURES_DIR      $(REGO_SIGNATURES_DIR)"
-	@echo "REGO_SIGNATURES_SRC      $(REGO_SIGNATURES_SRC)"
-	@echo ---------------------------------------
 	@echo "E2E_NET_DIR              $(E2E_NET_DIR)"
 	@echo "E2E_NET_SRC              $(E2E_NET_SRC)"
 	@echo "E2E_INST_DIR             $(E2E_INST_DIR)"
@@ -318,7 +313,6 @@ help:
 	@echo "    $$ make test-unit                # run unit tests"
 	@echo "    $$ make test-types               # run unit tests for types module"
 	@echo "    $$ make test-integration         # run integration tests"
-	@echo "    $$ make test-signatures          # opa test (tracee-rules)"
 	@echo ""
 	@echo "# flags"
 	@echo ""
@@ -591,20 +585,11 @@ GOSIGNATURES_SRC :=	$(shell find $(GOSIGNATURES_DIR) \
 			! -path '$(GOSIGNATURES_DIR)/examples/*' \
 			)
 
-REGO_SIGNATURES_DIR ?= signatures/rego
-REGO_SIGNATURES_SRC :=	$(shell find $(REGO_SIGNATURES_DIR) \
-			-type f \
-			-name '*.rego' \
-			! -name '*_test.rego' \
-			! -path '$(REGO_SIGNATURES_DIR)/examples/*' \
-			)
-
 .PHONY: signatures
 signatures: $(OUTPUT_DIR)/signatures
 
 $(OUTPUT_DIR)/signatures: \
 	$(GOSIGNATURES_SRC) \
-	$(REGO_SIGNATURES_SRC) \
 	| .eval_goenv \
 	.checkver_$(CMD_GO) \
 	.check_$(CMD_INSTALL) \
@@ -615,8 +600,6 @@ $(OUTPUT_DIR)/signatures: \
 		--buildmode=plugin \
 		-o $@/builtin.so \
 		$(GOSIGNATURES_SRC)
-	# disable rego signatures by default (keep golang signatures only)
-	# $(CMD_INSTALL) -m 0644 $(REGO_SIGNATURES_SRC) $@
 
 .PHONY: clean-signatures
 clean-signatures:
@@ -823,12 +806,6 @@ test-integration: \
 		-count=1 \
 		./tests/integration/... \
 
-.PHONY: test-signatures
-test-signatures: \
-	| .check_$(CMD_OPA)
-#
-	$(CMD_OPA) test $(REGO_SIGNATURES_DIR) --verbose
-
 .PHONY: test-upstream-libbpfgo
 test-upstream-libbpfgo: \
 	| .eval_goenv \

Vagrantfile

@@ -131,7 +131,6 @@ Vagrant.configure("2") do |config|
       HOME="/home/#{vm_user}"
       LLVM_VERSION="14"
       GO_VERSION="1.22.3"
-      OPA_VERSION="v0.63.0"
       KUBECTL_VERSION="v1.29"
       VM_TYPE="#{vm_type}"
 
@@ -224,13 +223,6 @@ Vagrant.configure("2") do |config|
       apt-get install --yes docker.io
       usermod -aG docker ${USER}
 
-      #
-      # opa
-      #
-
-      echo ">>> Installing opa"
-      curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${ARCH}_static
-      chmod 755 /usr/bin/opa
     SHELL
 
     vm_config.vm.provision "shell", privileged: true, reboot: true, inline: <<-SHELL

builder/Dockerfile.alpine-tracee-container

@@ -10,15 +10,8 @@ ARG FLAVOR=tracee-ebpf-core
 #
 
 ARG GO_VERSION=1.22.0
-ARG OPA_VERSION=v0.63.0
 
 
-# This workaround is required since OPA 0.65.0 (latest published release) has cve-2024-24790.
-# After solved we can rollback to the commented installation lines below.
-#
-# Stage 1: Set the base image to get the OPA binary
-FROM openpolicyagent/opa:0.66.0-dev-static AS opa-extractor
-
 #
 # tracee-base
 #
@@ -35,15 +28,6 @@ RUN apk --no-cache update && \
     apk --no-cache add libelf zlib zstd && \
     apk --no-cache add libc6-compat
 
-# install OPA
-
-# ARG OPA_VERSION
-# RUN curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${TARGETARCH}_static && \
-# chmod 755 /usr/bin/opa
-
-# Stage 2: Copy the OPA binary from the OPA extractor
-COPY --from=opa-extractor /opa /usr/bin/opa
-
 #
 # tracee-make-base
 #

builder/Dockerfile.alpine-tracee-make

@@ -40,11 +40,6 @@ RUN cd /tmp && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
-# install OPA
-RUN TARGETARCH=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${TARGETARCH}_static && \
-    chmod 755 /usr/bin/opa
-
 # install extra tools for testing things
 RUN apk --no-cache add man-pages man-pages-posix bash-completion vim iproute2 vlan bridge-utils net-tools \
     netcat-openbsd iputils wget lynx w3m stress-ng

builder/Dockerfile.ubuntu-tracee-make

@@ -12,7 +12,6 @@ ARG gid=1000
 #
 
 ARG GO_VERSION=1.22.0
-ARG OPA_VERSION=v0.63.0
 
 # install needed environment
 
@@ -36,11 +35,6 @@ RUN cd /tmp && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
-# install OPA
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
-    chmod 755 /usr/bin/opa
-
 # extra tools for testing things
 
 RUN export DEBIAN_FRONTEND=noninteractive && \

cmd/tracee-rules/main.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/open-policy-agent/opa/compile"
 	"github.com/urfave/cli/v2"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 
@@ -44,27 +43,14 @@ func main() {
 				return errors.New("no flags specified")
 			}
 
-			var target string
-			switch strings.ToLower(c.String("rego-runtime-target")) {
-			case "wasm":
-				return errors.New("target unsupported: wasm")
-			case "rego":
-				target = compile.TargetRego
-			default:
-				return fmt.Errorf("invalid target specified: %s", strings.ToLower(c.String("rego-runtime-target")))
-			}
-
 			var rulesDir []string
 			if c.String("rules-dir") != "" {
 				rulesDir = []string{c.String("rules-dir")}
 			}
 
 			sigs, _, err := signature.Find(
-				target,
-				c.Bool("rego-partial-eval"),
 				rulesDir,
 				c.StringSlice("rules"),
-				c.Bool("rego-aio"),
 			)
 			if err != nil {
 				return err
@@ -187,11 +173,7 @@ func main() {
 			},
 			&cli.StringFlag{
 				Name:  "rules-dir",
-				Usage: "directory where to search for rules in OPA (.rego) and Go plugin (.so) formats",
-			},
-			&cli.BoolFlag{
-				Name:  "rego-partial-eval",
-				Usage: "enable partial evaluation of rego rules",
+				Usage: "directory where to search for rules in Go plugin (.so) format",
 			},
 			&cli.BoolFlag{
 				Name:  "list",
@@ -227,15 +209,6 @@ func main() {
 				Usage: "enable pyroscope agent",
 				Value: false,
 			},
-			&cli.BoolFlag{
-				Name:  "rego-aio",
-				Usage: "compile rego signatures altogether as an aggregate policy. By default each signature is compiled separately.",
-			},
-			&cli.StringFlag{
-				Name:  "rego-runtime-target",
-				Usage: "select which runtime target to use for evaluation of rego rules: rego, wasm",
-				Value: "rego",
-			},
 			&cli.BoolFlag{
 				Name:  "list-events",
 				Usage: "print a list of events that currently loaded signatures require",

cmd/tracee/cmd/analyze.go

@@ -45,14 +45,7 @@ func init() {
 	analyzeCmd.Flags().StringArray(
 		"signatures-dir",
 		[]string{},
-		"Directory where to search for signatures in OPA (.rego) and Go plugin (.so) formats",
-	)
-
-	// rego
-	analyzeCmd.Flags().StringArray(
-		"rego",
-		[]string{},
-		"Control event rego settings",
+		"Directory where to search for signatures in Go plugin (.so) format",
 	)
 
 	analyzeCmd.Flags().StringArrayP(
@@ -79,7 +72,6 @@ tracee analyze --events anti_debugging --source events.json`,
 		bindViperFlag(cmd, "source")
 		bindViperFlag(cmd, "output")
 		bindViperFlag(cmd, "log")
-		bindViperFlag(cmd, "rego")
 		bindViperFlag(cmd, "signatures-dir")
 	},
 	Run:                   command,
@@ -150,13 +142,6 @@ func command(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	// Rego command line flags
-
-	rego, err := flags.PrepareRego(viper.GetStringSlice("rego"))
-	if err != nil {
-		logger.Fatalw("Failed to parse rego flags", "err", err)
-	}
-
 	// Signature directory command line flags
 
 	signatureEvents := viper.GetStringSlice("events")
@@ -168,7 +153,6 @@ func command(cmd *cobra.Command, args []string) {
 	signatureDirs := viper.GetStringSlice("signatures-dir")
 
 	analyze.Analyze(analyze.Config{
-		Rego:            rego,
 		Source:          sourceFile,
 		Printer:         p,
 		Legacy:          isLegacy,

cmd/tracee/cmd/list.go

@@ -3,7 +3,6 @@ package cmd
 import (
 	"os"
 
-	"github.com/open-policy-agent/opa/compile"
 	"github.com/spf13/cobra"
 
 	"github.com/aquasecurity/tracee/pkg/cmd"
@@ -24,7 +23,7 @@ func init() {
 	listCmd.Flags().StringArray(
 		"signatures-dir",
 		[]string{},
-		"Directories where to search for signatures in OPA (.rego) and Go plugin (.so) formats",
+		"Directories where to search for signatures in Go plugin (.so) format",
 	)
 }
 
@@ -41,13 +40,7 @@ var listCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		signatures, _, err := signature.Find(
-			compile.TargetRego,
-			false,
-			sigsDir,
-			nil,
-			false,
-		)
+		signatures, _, err := signature.Find(sigsDir, nil)
 		if err != nil {
 			logger.Fatalw("Failed to find signatures", "err", err)
 			os.Exit(1)

cmd/tracee/cmd/man.go

@@ -24,7 +24,6 @@ func init() {
 		eventsCmd,
 		logCmd,
 		outputCmd,
-		regoCmd,
 		scopeCmd,
 	)
 }
@@ -115,15 +114,6 @@ var outputCmd = &cobra.Command{
 	},
 }
 
-var regoCmd = &cobra.Command{
-	Use:     "rego",
-	Aliases: []string{},
-	Short:   "rego flag help",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		return runManForFlag("rego")
-	},
-}
-
 var scopeCmd = &cobra.Command{
 	Use:     "scope",
 	Aliases: []string{"s"},

cmd/tracee/cmd/root.go

@@ -172,23 +172,13 @@ func initCmd() error {
 	rootCmd.Flags().StringArray(
 		"signatures-dir",
 		[]string{},
-		"<dir>\t\t\t\tDirectories where to search for signatures in OPA (.rego) and Go plugin (.so) formats",
+		"<dir>\t\t\t\tDirectories where to search for signatures in Go plugin (.so) format",
 	)
 	err = viper.BindPFlag("signatures-dir", rootCmd.Flags().Lookup("signatures-dir"))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}
 
-	rootCmd.Flags().StringArray(
-		"rego",
-		[]string{},
-		"[partial-eval|aio]\t\t\tControl event rego settings",
-	)
-	err = viper.BindPFlag("rego", rootCmd.Flags().Lookup("rego"))
-	if err != nil {
-		return errfmt.WrapError(err)
-	}
-
 	// Buffer/Cache flags
 
 	rootCmd.Flags().IntP(

docs/contributing/building/building.md

@@ -84,7 +84,6 @@
         $ make test-unit                # run unit tests
         $ make test-types               # run unit tests for types module
         $ make test-integration         # run integration tests
-        $ make test-signatures          # opa test (tracee-rules)
 
     # flags
 

docs/docs/events/builtin/network/index.md

@@ -56,7 +56,7 @@ tracee --output json --events net_packet_dns.data.src=8.8.8.8
 
 ## Network Based Signatures
 
-It is possible to create Golang (or Rego) signatures for the network events. If you haven't read about how to create signatures, do it [HERE](../../custom/golang.md).
+It is possible to create Golang signatures for the network events. If you haven't read about how to create signatures, do it [HERE](../../custom/golang.md).
 
 !!! Examples Note
     Below is an example of how to create a signature for the `net_packet_dns` event. This same example is used by Tracee CI/CD tests and can be found at the [GitHub repository](https://github.com/aquasecurity/tracee/tree/main/tests/e2e-net-signatures), together with some other signatures for the network events.