events

package
v0.0.0-...-a6860d5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 23, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package events holds events related files

Package events holds events related files

Index

Constants

View Source
const (
	// ServiceName is the service tag of the custom event types defined in this package
	ServiceName = "runtime-security-agent"

	// RulesetLoadedRuleID is the rule ID for the ruleset_loaded events
	RulesetLoadedRuleID = "ruleset_loaded"
	// RulesetLoadedRuleDesc is the rule description for the ruleset_loaded events
	RulesetLoadedRuleDesc = "New ruleset loaded"

	// HeartbeatRuleID is the rule ID for the heartbeat events
	HeartbeatRuleID = "heartbeat"
	// HeartbeatRuleDesc is the rule description for the heartbeat events
	HeartbeatRuleDesc = "Heartbeat"

	// AbnormalPathRuleID is the rule ID for the abnormal_path events
	AbnormalPathRuleID = "abnormal_path"
	// AbnormalPathRuleDesc is the rule description for the abnormal_path events
	AbnormalPathRuleDesc = "Abnormal path detected"

	// SelfTestRuleID is the rule ID for the self_test events
	SelfTestRuleID = "self_test"
	// SelfTestRuleDesc is the rule description for the self_test events
	SelfTestRuleDesc = "Self tests result"

	// AnomalyDetectionRuleID is the rule ID for anomaly_detection events
	AnomalyDetectionRuleID = "anomaly_detection"
	// AnomalyDetectionRuleDesc is the rule description for anomaly_detection events
	AnomalyDetectionRuleDesc = "Anomaly detection"

	// NoProcessContextErrorRuleID is the rule ID for events without process context
	NoProcessContextErrorRuleID = "no_process_context"
	// NoProcessContextErrorRuleDesc is the rule description for events without process context
	NoProcessContextErrorRuleDesc = "No process context detected"

	// BrokenProcessLineageErrorRuleID is the rule ID for events with a broken process lineage
	BrokenProcessLineageErrorRuleID = "broken_process_lineage"
	// BrokenProcessLineageErrorRuleDesc is the rule description for events with a broken process lineage
	BrokenProcessLineageErrorRuleDesc = "Broken process lineage detected"

	// EBPFLessHelloMessageRuleID is the rule ID used when a hello message is received
	EBPFLessHelloMessageRuleID = "ebpfless_hello_msg"
	// EBPFLessHelloMessageRuleDesc is the rule description for the hello msg event
	EBPFLessHelloMessageRuleDesc = "Hello message received"

	// InternalCoreDumpRuleID internal core dump
	InternalCoreDumpRuleID = "internal_core_dump"
	// InternalCoreDumpRuleDesc internal core dump
	InternalCoreDumpRuleDesc = "Internal Core Dump"
)

Variables

This section is empty.

Functions

func AllCustomRuleIDs

func AllCustomRuleIDs() []string

AllCustomRuleIDs returns the list of custom rule IDs

func NewCustomRule

func NewCustomRule(id eval.RuleID, description string) *rules.Rule

NewCustomRule returns a new custom rule

Types

type AgentContainerContext

type AgentContainerContext struct {
	ContainerID containerutils.ContainerID `json:"id,omitempty"`
	CreatedAt   uint64                     `json:"created_at"`
}

AgentContainerContext is like model.ContainerContext, but without event based resolvers

type AgentContext

type AgentContext struct {
	RuleID        string            `json:"rule_id"`
	RuleVersion   string            `json:"rule_version,omitempty"`
	RuleActions   []json.RawMessage `json:"rule_actions,omitempty"`
	PolicyName    string            `json:"policy_name,omitempty"`
	PolicyVersion string            `json:"policy_version,omitempty"`
	Version       string            `json:"version,omitempty"`
	OS            string            `json:"os,omitempty"`
	Arch          string            `json:"arch,omitempty"`
	Origin        string            `json:"origin,omitempty"`
	KernelVersion string            `json:"kernel_version,omitempty"`
	Distribution  string            `json:"distribution,omitempty"`
}

AgentContext serializes the agent context to JSON easyjson:json

func (AgentContext) MarshalEasyJSON

func (v AgentContext) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*AgentContext) UnmarshalEasyJSON

func (v *AgentContext) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type AnomalyDetectionLimiter

type AnomalyDetectionLimiter struct {
	// contains filtered or unexported fields
}

AnomalyDetectionLimiter limiter specific to anomaly detection

func NewAnomalyDetectionLimiter

func NewAnomalyDetectionLimiter(numWorkloads int, numEventsAllowedPerPeriod int, period time.Duration) (*AnomalyDetectionLimiter, error)

NewAnomalyDetectionLimiter returns a new rate limiter which is bucketed by workload ID

func (*AnomalyDetectionLimiter) Allow

func (al *AnomalyDetectionLimiter) Allow(event Event) bool

Allow returns whether the event is allowed

func (*AnomalyDetectionLimiter) SwapStats

func (al *AnomalyDetectionLimiter) SwapStats() []utils.LimiterStat

SwapStats return dropped and allowed stats

type BackendEvent

type BackendEvent struct {
	AgentContext `json:"agent"`
	Title        string `json:"title"`
}

BackendEvent - Rule event wrapper used to send an event to the backend easyjson:json

func (BackendEvent) MarshalEasyJSON

func (v BackendEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*BackendEvent) UnmarshalEasyJSON

func (v *BackendEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type CustomEvent

type CustomEvent struct {
	// contains filtered or unexported fields
}

CustomEvent is used to send custom security events to Datadog

func NewCustomEvent

func NewCustomEvent(eventType model.EventType, marshaler EventMarshaler, tags ...string) *CustomEvent

NewCustomEvent returns a new custom event

func NewCustomEventLazy

func NewCustomEventLazy(eventType model.EventType, marshalerCtor func() EventMarshaler, tags ...string) *CustomEvent

NewCustomEventLazy returns a new custom event

func (*CustomEvent) Clone

func (ce *CustomEvent) Clone() CustomEvent

Clone returns a copy of the current CustomEvent

func (*CustomEvent) GetActionReports

func (ce *CustomEvent) GetActionReports() []model.ActionReport

GetActionReports returns reports of the action triggered

func (*CustomEvent) GetEventType

func (ce *CustomEvent) GetEventType() model.EventType

GetEventType returns the event type

func (*CustomEvent) GetFieldValue

func (ce *CustomEvent) GetFieldValue(_ eval.Field) (interface{}, error)

GetFieldValue returns the field value

func (*CustomEvent) GetTags

func (ce *CustomEvent) GetTags() []string

GetTags returns the tags of the custom event

func (*CustomEvent) GetType

func (ce *CustomEvent) GetType() string

GetType returns the type of the custom event as a string

func (*CustomEvent) GetWorkloadID

func (ce *CustomEvent) GetWorkloadID() string

GetWorkloadID returns the workload id

func (*CustomEvent) MarshalJSON

func (ce *CustomEvent) MarshalJSON() ([]byte, error)

MarshalJSON marshals the custom event to JSON using easyJSON

type CustomEventCommonFields

type CustomEventCommonFields struct {
	Timestamp             time.Time              `json:"date"`
	Service               string                 `json:"service"`
	AgentContainerContext *AgentContainerContext `json:"container"`
}

CustomEventCommonFields represents the fields common to all custom events

func (*CustomEventCommonFields) FillCustomEventCommonFields

func (commonFields *CustomEventCommonFields) FillCustomEventCommonFields(acc *AgentContainerContext)

FillCustomEventCommonFields fills the common fields with default values

type Event

type Event interface {
	GetWorkloadID() string
	GetTags() []string
	GetType() string
	GetActionReports() []model.ActionReport
	GetFieldValue(eval.Field) (interface{}, error)
}

Event is the interface that an event must implement to be sent to the backend

type EventMarshaler

type EventMarshaler interface {
	ToJSON() ([]byte, error)
}

EventMarshaler defines an abstract json marshaller

type EventSender

type EventSender interface {
	SendEvent(rule *rules.Rule, event Event, extTagsCb func() []string, service string)
}

EventSender defines an event sender

type Limiter

type Limiter interface {
	Allow(event Event) bool
	SwapStats() []utils.LimiterStat
}

Limiter defines a limiter interface

type RateLimiter

type RateLimiter struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

RateLimiter describes a set of rule rate limiters

func NewRateLimiter

func NewRateLimiter(config *config.RuntimeSecurityConfig, client statsd.ClientInterface) *RateLimiter

NewRateLimiter initializes an empty rate limiter

func (*RateLimiter) Allow

func (rl *RateLimiter) Allow(ruleID string, event Event) bool

Allow returns true if a specific rule shall be allowed to sent a new event

func (*RateLimiter) Apply

func (rl *RateLimiter) Apply(ruleSet *rules.RuleSet, customRuleIDs []eval.RuleID)

Apply a set of rules

func (*RateLimiter) GetStats

func (rl *RateLimiter) GetStats() map[string][]utils.LimiterStat

GetStats returns a map indexed by ids that describes the amount of events that were dropped because of the rate limiter

func (*RateLimiter) SendStats

func (rl *RateLimiter) SendStats() error

SendStats sends statistics about the number of sent and drops events for the set of rules

type StdLimiter

type StdLimiter struct {
	// contains filtered or unexported fields
}

StdLimiter describes an object that applies limits on the rate of triggering of a rule to ensure we don't overflow with too permissive rules

func NewStdLimiter

func NewStdLimiter(limit rate.Limit, burst int) *StdLimiter

NewStdLimiter returns a new rule limiter

func (*StdLimiter) Allow

func (l *StdLimiter) Allow(_ Event) bool

Allow returns whether the event is allowed

func (*StdLimiter) SwapStats

func (l *StdLimiter) SwapStats() []utils.LimiterStat

SwapStats returns the dropped and allowed stats, and zeros the stats

type TokenLimiter

type TokenLimiter struct {
	// contains filtered or unexported fields
}

TokenLimiter limiter specific to anomaly detection

func NewTokenLimiter

func NewTokenLimiter(maxUniqueToken int, numEventsAllowedPerPeriod int, period time.Duration, fields []eval.Field) (*TokenLimiter, error)

NewTokenLimiter returns a new rate limiter which is bucketed by fields

func (*TokenLimiter) Allow

func (tkl *TokenLimiter) Allow(event Event) bool

Allow returns whether the event is allowed

func (*TokenLimiter) SwapStats

func (tkl *TokenLimiter) SwapStats() []utils.LimiterStat

SwapStats return dropped and allowed stats

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL