Documentation ¶
Overview ¶
Package config holds config related files
Package config holds config related files ¶
Package config holds config related files
Index ¶
- Constants
- func ActivityDumpRemoteStorageEndpoints(endpointPrefix string, intakeTrackType logsconfig.IntakeTrackType, ...) (*logsconfig.Endpoints, error)
- func GetFamilyAddress(path string) (string, string)
- func IsEBPFLessModeEnabled() bool
- func ParseEvalEventType(eventType eval.EventType) model.EventType
- type Config
- type Policy
- type RuntimeSecurityConfig
- type StorageFormat
- type StorageRequest
- type StorageType
Constants ¶
const (
// ADMinMaxDumSize represents the minimum value for runtime_security_config.activity_dump.max_dump_size
ADMinMaxDumSize = 100
)
Variables ¶
This section is empty.
Functions ¶
func ActivityDumpRemoteStorageEndpoints ¶
func ActivityDumpRemoteStorageEndpoints(endpointPrefix string, intakeTrackType logsconfig.IntakeTrackType, intakeProtocol logsconfig.IntakeProtocol, intakeOrigin logsconfig.IntakeOrigin) (*logsconfig.Endpoints, error)
ActivityDumpRemoteStorageEndpoints returns the list of activity dump remote storage endpoints parsed from the agent config
func GetFamilyAddress ¶
GetFamilyAddress returns the address famility to use for system-probe <-> security-agent communication
func IsEBPFLessModeEnabled ¶
func IsEBPFLessModeEnabled() bool
IsEBPFLessModeEnabled returns true if the ebpfless mode is enabled it's based on the configuration itself, but will default on true if running on fargate
Types ¶
type Config ¶
type Config struct { // Probe Config Probe *pconfig.Config // CWS specific parameters RuntimeSecurity *RuntimeSecurityConfig }
Config defines a security config
type Policy ¶
type Policy struct { Name string `mapstructure:"name"` Files []string `mapstructure:"files"` Tags []string `mapstructure:"tags"` }
Policy represents a policy file in the configuration file
type RuntimeSecurityConfig ¶
type RuntimeSecurityConfig struct { // RuntimeEnabled defines if the runtime security module should be enabled RuntimeEnabled bool // PoliciesDir defines the folder in which the policy files are located PoliciesDir string // PolicyMonitorEnabled enable policy monitoring PolicyMonitorEnabled bool // PolicyMonitorPerRuleEnabled enabled per-rule policy monitoring PolicyMonitorPerRuleEnabled bool // PolicyMonitorReportInternalPolicies enable internal policies monitoring PolicyMonitorReportInternalPolicies bool // SocketPath is the path to the socket that is used to communicate with the security agent SocketPath string // EventServerBurst defines the maximum burst of events that can be sent over the grpc server EventServerBurst int // EventServerRate defines the grpc server rate at which events can be sent EventServerRate int // EventServerRetention defines an event retention period so that some fields can be resolved EventServerRetention time.Duration // FIMEnabled determines whether fim rules will be loaded FIMEnabled bool // SelfTestEnabled defines if the self tests should be executed at startup or not SelfTestEnabled bool // SelfTestSendReport defines if a self test event will be emitted SelfTestSendReport bool // RemoteConfigurationEnabled defines whether to use remote monitoring RemoteConfigurationEnabled bool // RemoteConfigurationDumpPolicies defines whether to dump remote config policy RemoteConfigurationDumpPolicies bool // LogPatterns pattern to be used by the logger for trace level LogPatterns []string // LogTags tags to be used by the logger for trace level LogTags []string // HostServiceName string HostServiceName string // OnDemandEnabled defines whether the on-demand probes should be enabled OnDemandEnabled bool // OnDemandRateLimiterEnabled defines whether the on-demand probes rate limit getting hit disabled the on demand probes OnDemandRateLimiterEnabled bool // ReducedProcPidCacheSize defines whether the `proc_cache` and `pid_cache` map should use reduced size ReducedProcPidCacheSize bool // InternalMonitoringEnabled determines if the monitoring events of the agent should be sent to Datadog InternalMonitoringEnabled bool // ActivityDumpEnabled defines if the activity dump manager should be enabled ActivityDumpEnabled bool // ActivityDumpCleanupPeriod defines the period at which the activity dump manager should perform its cleanup // operation. ActivityDumpCleanupPeriod time.Duration // ActivityDumpTagsResolutionPeriod defines the period at which the activity dump manager should try to resolve // missing container tags. ActivityDumpTagsResolutionPeriod time.Duration // ActivityDumpLoadControlPeriod defines the period at which the activity dump manager should trigger the load controller ActivityDumpLoadControlPeriod time.Duration // ActivityDumpLoadControlMinDumpTimeout defines minimal duration of a activity dump recording ActivityDumpLoadControlMinDumpTimeout time.Duration // ActivityDumpTracedCgroupsCount defines the maximum count of cgroups that should be monitored concurrently. Leave this parameter to 0 to prevent the generation // of activity dumps based on cgroups. ActivityDumpTracedCgroupsCount int // ActivityDumpCgroupsManagers defines the cgroup managers we generate dumps for. ActivityDumpCgroupsManagers []string // ActivityDumpTracedEventTypes defines the list of events that should be captured in an activity dump. Leave this // parameter empty to monitor all event types. If not already present, the `exec` event will automatically be added // to this list. ActivityDumpTracedEventTypes []model.EventType // ActivityDumpCgroupDumpTimeout defines the cgroup activity dumps timeout. ActivityDumpCgroupDumpTimeout time.Duration // ActivityDumpRateLimiter defines the kernel rate of max events per sec for activity dumps. ActivityDumpRateLimiter int // ActivityDumpCgroupWaitListTimeout defines the time to wait before a cgroup can be dumped again. ActivityDumpCgroupWaitListTimeout time.Duration // ActivityDumpCgroupDifferentiateArgs defines if system-probe should differentiate process nodes using process // arguments for dumps. ActivityDumpCgroupDifferentiateArgs bool // ActivityDumpLocalStorageDirectory defines the output directory for the activity dumps and graphs. Leave // this field empty to prevent writing any output to disk. ActivityDumpLocalStorageDirectory string // ActivityDumpLocalStorageFormats defines the formats that should be used to persist the activity dumps locally. ActivityDumpLocalStorageFormats []StorageFormat // ActivityDumpLocalStorageCompression defines if the local storage should compress the persisted data. ActivityDumpLocalStorageCompression bool // ActivityDumpLocalStorageMaxDumpsCount defines the maximum count of activity dumps that should be kept locally. // When the limit is reached, the oldest dumps will be deleted first. ActivityDumpLocalStorageMaxDumpsCount int // ActivityDumpSyscallMonitorPeriod defines the minimum amount of time to wait between 2 syscalls event for the same // process. ActivityDumpSyscallMonitorPeriod time.Duration // ActivityDumpMaxDumpCountPerWorkload defines the maximum amount of dumps that the agent should send for a workload ActivityDumpMaxDumpCountPerWorkload int // ActivityDumpWorkloadDenyList defines the list of workloads for which we shouldn't generate dumps. Workloads should // be provided as strings in the following format "{image_name}:[{image_tag}|*]". If "*" is provided instead of a // specific image tag, then the entry will match any workload with the input {image_name} regardless of their tag. ActivityDumpWorkloadDenyList []string // ActivityDumpTagRulesEnabled enable the tagging of nodes with matched rules ActivityDumpTagRulesEnabled bool // ActivityDumpSilentWorkloadsDelay defines the minimum amount of time to wait before the activity dump manager will start tracing silent workloads ActivityDumpSilentWorkloadsDelay time.Duration // ActivityDumpSilentWorkloadsTicker configures ticker that will check if a workload is silent and should be traced ActivityDumpSilentWorkloadsTicker time.Duration // ActivityDumpAutoSuppressionEnabled bool do not send event if part of a dump ActivityDumpAutoSuppressionEnabled bool // # Dynamic configuration fields: // ActivityDumpMaxDumpSize defines the maximum size of a dump ActivityDumpMaxDumpSize func() int // SecurityProfileEnabled defines if the Security Profile manager should be enabled SecurityProfileEnabled bool // SecurityProfileMaxImageTags defines the maximum number of profile versions to maintain SecurityProfileMaxImageTags int // SecurityProfileDir defines the directory in which Security Profiles are stored SecurityProfileDir string // SecurityProfileWatchDir defines if the Security Profiles directory should be monitored SecurityProfileWatchDir bool // SecurityProfileCacheSize defines the count of Security Profiles held in cache SecurityProfileCacheSize int // SecurityProfileMaxCount defines the maximum number of Security Profiles that may be evaluated concurrently SecurityProfileMaxCount int // SecurityProfileDNSMatchMaxDepth defines the max depth of subdomain to be matched for DNS anomaly detection (0 to match everything) SecurityProfileDNSMatchMaxDepth int // SecurityProfileAutoSuppressionEnabled do not send event if part of a profile SecurityProfileAutoSuppressionEnabled bool // SecurityProfileAutoSuppressionEventTypes defines the list of event types the can be auto suppressed using security profiles SecurityProfileAutoSuppressionEventTypes []model.EventType // AnomalyDetectionEventTypes defines the list of events that should be allowed to generate anomaly detections AnomalyDetectionEventTypes []model.EventType // AnomalyDetectionDefaultMinimumStablePeriod defines the default minimum amount of time during which the events // that diverge from their profiles are automatically added in their profiles without triggering an anomaly detection // event. AnomalyDetectionDefaultMinimumStablePeriod time.Duration // AnomalyDetectionMinimumStablePeriods defines the minimum amount of time per event type during which the events // that diverge from their profiles are automatically added in their profiles without triggering an anomaly detection // event. AnomalyDetectionMinimumStablePeriods map[model.EventType]time.Duration // AnomalyDetectionUnstableProfileTimeThreshold defines the maximum amount of time to wait until a profile that // hasn't reached a stable state is considered as unstable. AnomalyDetectionUnstableProfileTimeThreshold time.Duration // AnomalyDetectionUnstableProfileSizeThreshold defines the maximum size a profile can reach past which it is // considered unstable AnomalyDetectionUnstableProfileSizeThreshold int64 // AnomalyDetectionWorkloadWarmupPeriod defines the duration we ignore the anomaly detections for // because of workload warm up AnomalyDetectionWorkloadWarmupPeriod time.Duration // AnomalyDetectionRateLimiterPeriod is the duration during which a limited number of anomaly detection events are allowed AnomalyDetectionRateLimiterPeriod time.Duration // AnomalyDetectionRateLimiterNumEventsAllowed is the number of anomaly detection events allowed per duration by the rate limiter AnomalyDetectionRateLimiterNumEventsAllowed int // AnomalyDetectionRateLimiterNumKeys is the number of keys in the rate limiter AnomalyDetectionRateLimiterNumKeys int // AnomalyDetectionTagRulesEnabled defines if the events that triggered anomaly detections should be tagged with the // rules they might have matched. AnomalyDetectionTagRulesEnabled bool // AnomalyDetectionSilentRuleEventsEnabled do not send rule event if also part of an anomaly event AnomalyDetectionSilentRuleEventsEnabled bool // AnomalyDetectionEnabled defines if we should send anomaly detection events AnomalyDetectionEnabled bool // SBOMResolverEnabled defines if the SBOM resolver should be enabled SBOMResolverEnabled bool // SBOMResolverWorkloadsCacheSize defines the count of SBOMs to keep in memory in order to prevent re-computing // the SBOMs of short-lived and periodical workloads SBOMResolverWorkloadsCacheSize int // SBOMResolverHostEnabled defines if the SBOM resolver should compute the host's SBOM SBOMResolverHostEnabled bool // HashResolverEnabled defines if the hash resolver should be enabled HashResolverEnabled bool // HashResolverMaxFileSize defines the maximum size of the files that the hash resolver is allowed to hash HashResolverMaxFileSize int64 // HashResolverMaxHashRate defines the rate at which the hash resolver may compute hashes HashResolverMaxHashRate int // HashResolverHashAlgorithms defines the hashes that hash resolver needs to compute HashResolverHashAlgorithms []model.HashAlgorithm // HashResolverEventTypes defines the list of event which files may be hashed HashResolverEventTypes []model.EventType // HashResolverCacheSize defines the number of hashes to keep in cache HashResolverCacheSize int // HashResolverReplace is used to apply specific hash to specific file path HashResolverReplace map[string]string // UserSessionsCacheSize defines the size of the User Sessions cache size UserSessionsCacheSize int // EBPFLessEnabled enables the ebpfless probe EBPFLessEnabled bool // EBPFLessSocket defines the socket used for the communication between system-probe and the ebpfless source EBPFLessSocket string // Enforcement capabilities // EnforcementEnabled defines if the enforcement capability should be enabled EnforcementEnabled bool // EnforcementRawSyscallEnabled defines if the enforcement should be performed using the sys_enter tracepoint EnforcementRawSyscallEnabled bool EnforcementBinaryExcluded []string EnforcementRuleSourceAllowed []string // EnforcementDisarmerContainerEnabled defines if an enforcement rule should be disarmed when hitting too many different containers EnforcementDisarmerContainerEnabled bool // EnforcementDisarmerContainerMaxAllowed defines the maximum number of different containers that can trigger an enforcement rule // within a period before the enforcement is disarmed for this rule EnforcementDisarmerContainerMaxAllowed int // EnforcementDisarmerContainerPeriod defines the period during which EnforcementDisarmerContainerMaxAllowed is checked EnforcementDisarmerContainerPeriod time.Duration // EnforcementDisarmerExecutableEnabled defines if an enforcement rule should be disarmed when hitting too many different executables EnforcementDisarmerExecutableEnabled bool // EnforcementDisarmerExecutableMaxAllowed defines the maximum number of different executables that can trigger an enforcement rule // within a period before the enforcement is disarmed for this rule EnforcementDisarmerExecutableMaxAllowed int // EnforcementDisarmerExecutablePeriod defines the period during which EnforcementDisarmerExecutableMaxAllowed is checked EnforcementDisarmerExecutablePeriod time.Duration //WindowsFilenameCacheSize is the max number of filenames to cache WindowsFilenameCacheSize int //WindowsRegistryCacheSize is the max number of registry paths to cache WindowsRegistryCacheSize int // ETWEventsChannelSize windows specific ETW channel buffer size ETWEventsChannelSize int //ETWEventsMaxBuffers sets the maximumbuffers argument to ETW ETWEventsMaxBuffers int // WindowsProbeChannelUnbuffered defines if the windows probe channel should be unbuffered WindowsProbeBlockOnChannelSend bool WindowsWriteEventRateLimiterMaxAllowed int WindowsWriteEventRateLimiterPeriod time.Duration // IMDSIPv4 is used to provide a custom IP address for the IMDS endpoint IMDSIPv4 uint32 }
RuntimeSecurityConfig holds the configuration for the runtime security agent
func NewRuntimeSecurityConfig ¶
func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error)
NewRuntimeSecurityConfig returns the runtime security (CWS) config, build from the system probe one
func (*RuntimeSecurityConfig) GetAnomalyDetectionMinimumStablePeriod ¶
func (c *RuntimeSecurityConfig) GetAnomalyDetectionMinimumStablePeriod(eventType model.EventType) time.Duration
GetAnomalyDetectionMinimumStablePeriod returns the minimum stable period for a given event type
func (*RuntimeSecurityConfig) IsRuntimeEnabled ¶
func (c *RuntimeSecurityConfig) IsRuntimeEnabled() bool
IsRuntimeEnabled returns true if any feature is enabled. Has to be applied in config package too
type StorageFormat ¶
type StorageFormat int
StorageFormat is used to define the format of a dump
const ( // JSON is used to request the JSON format JSON StorageFormat = iota // json // Protobuf is used to request the protobuf format Protobuf // protobuf // Dot is used to request the dot format Dot // dot // Profile is used to request the generation of a profile Profile // profile )
func AllStorageFormats ¶
func AllStorageFormats() []StorageFormat
AllStorageFormats returns the list of supported formats
func ParseStorageFormat ¶
func ParseStorageFormat(input string) (StorageFormat, error)
ParseStorageFormat returns a storage format from a string input
func ParseStorageFormats ¶
func ParseStorageFormats(input []string) ([]StorageFormat, error)
ParseStorageFormats returns a list of storage formats from a list of strings
func (StorageFormat) String ¶
func (i StorageFormat) String() string
type StorageRequest ¶
type StorageRequest struct { Type StorageType Format StorageFormat Compression bool // LocalStorage specific parameters OutputDirectory string }
StorageRequest is used to request a type of storage for a dump
func NewStorageRequest ¶
func NewStorageRequest(storageType StorageType, format StorageFormat, compression bool, outputDirectory string) StorageRequest
NewStorageRequest returns a new StorageRequest instance
func ParseStorageRequests ¶
func ParseStorageRequests(requests *api.StorageRequestParams) ([]StorageRequest, error)
ParseStorageRequests parses storage requests from a gRPC call
func (*StorageRequest) GetOutputPath ¶
func (sr *StorageRequest) GetOutputPath(filename string) string
GetOutputPath returns the output path to the file in the storage
func (*StorageRequest) ToStorageRequestMessage ¶
func (sr *StorageRequest) ToStorageRequestMessage(filename string) *api.StorageRequestMessage
ToStorageRequestMessage returns an api.StorageRequestMessage from the StorageRequest
type StorageType ¶
type StorageType int
StorageType is used to define the type of storage
const ( // LocalStorage is used to request a local storage LocalStorage StorageType = iota // local_storage // RemoteStorage is used to request a remote storage RemoteStorage // remote_storage )
func AllStorageTypes ¶
func AllStorageTypes() []StorageType
AllStorageTypes returns the list of supported storage types
func ParseStorageType ¶
func ParseStorageType(input string) (StorageType, error)
ParseStorageType returns a storage type from its string representation
func (StorageType) String ¶
func (i StorageType) String() string