Package events holds the custom security events emitted by the runtime security agent itself (heartbeat, ruleset_loaded, self_test, ...), their JSON serialization, and the rate limiters that decide whether an event is sent to the backend or dropped.
Constants ¶
// Rule IDs and descriptions of the agent's own (non-policy) events. Each
// RuleID constant is the rule_id reported in the AgentContext of the
// corresponding custom event; AllCustomRuleIDs lists them and
// RateLimiter.Apply accepts them as customRuleIDs so that these events are
// rate limited like policy rules (presumably — confirm against Apply).
const (
	// ServiceName is the service tag of the custom event types defined in this package.
	ServiceName = "runtime-security-agent"

	// RulesetLoadedRuleID is the rule ID for the ruleset_loaded events.
	RulesetLoadedRuleID = "ruleset_loaded"
	// RulesetLoadedRuleDesc is the rule description for the ruleset_loaded events.
	RulesetLoadedRuleDesc = "New ruleset loaded"

	// HeartbeatRuleID is the rule ID for the heartbeat events.
	HeartbeatRuleID = "heartbeat"
	// HeartbeatRuleDesc is the rule description for the heartbeat events.
	HeartbeatRuleDesc = "Heartbeat"

	// AbnormalPathRuleID is the rule ID for the abnormal_path events.
	AbnormalPathRuleID = "abnormal_path"
	// AbnormalPathRuleDesc is the rule description for the abnormal_path events.
	AbnormalPathRuleDesc = "Abnormal path detected"

	// SelfTestRuleID is the rule ID for the self_test events.
	SelfTestRuleID = "self_test"
	// SelfTestRuleDesc is the rule description for the self_test events.
	SelfTestRuleDesc = "Self tests result"

	// AnomalyDetectionRuleID is the rule ID for anomaly_detection events.
	AnomalyDetectionRuleID = "anomaly_detection"
	// AnomalyDetectionRuleDesc is the rule description for anomaly_detection events.
	AnomalyDetectionRuleDesc = "Anomaly detection"

	// NoProcessContextErrorRuleID is the rule ID for events without process context.
	NoProcessContextErrorRuleID = "no_process_context"
	// NoProcessContextErrorRuleDesc is the rule description for events without process context.
	NoProcessContextErrorRuleDesc = "No process context detected"

	// BrokenProcessLineageErrorRuleID is the rule ID for events with a broken process lineage.
	BrokenProcessLineageErrorRuleID = "broken_process_lineage"
	// BrokenProcessLineageErrorRuleDesc is the rule description for events with a broken process lineage.
	BrokenProcessLineageErrorRuleDesc = "Broken process lineage detected"

	// EBPFLessHelloMessageRuleID is the rule ID used when a hello message is received (eBPF-less mode).
	EBPFLessHelloMessageRuleID = "ebpfless_hello_msg"
	// EBPFLessHelloMessageRuleDesc is the rule description for the hello message event.
	EBPFLessHelloMessageRuleDesc = "Hello message received"

	// InternalCoreDumpRuleID is the rule ID for the internal_core_dump events.
	InternalCoreDumpRuleID = "internal_core_dump"
	// InternalCoreDumpRuleDesc is the rule description for the internal_core_dump events.
	InternalCoreDumpRuleDesc = "Internal Core Dump"
)
Functions ¶
func AllCustomRuleIDs ¶
func AllCustomRuleIDs() []string
AllCustomRuleIDs returns the list of custom rule IDs defined by the constants of this package (the rule_id values of the agent's own events), suitable for passing to RateLimiter.Apply as customRuleIDs.
Types ¶
type AgentContainerContext ¶
// AgentContainerContext is the container context attached to custom events
// (see CustomEventCommonFields). Unlike model.ContainerContext it carries plain
// values and no event-based resolvers.
type AgentContainerContext struct {
	// ContainerID is omitted from the JSON when empty, so events that are not
	// tied to a container (presumably host-level events) carry no "id" key.
	ContainerID containerutils.ContainerID `json:"id,omitempty"`
	// CreatedAt is the container creation time. The unit (seconds vs
	// nanoseconds) is not visible here — NOTE(review): confirm against the
	// code that populates it before comparing with other timestamps.
	CreatedAt uint64 `json:"created_at"`
}
AgentContainerContext is like model.ContainerContext, but holds plain values only, without the event-based resolvers; it is the container context serialized under the "container" key of CustomEventCommonFields.
type AgentContext ¶
// AgentContext is the agent-side metadata serialized under the "agent" key of
// a BackendEvent: the rule and policy that produced the event plus the agent
// and host it was produced on.
//
// easyjson:json
type AgentContext struct {
	// RuleID has no omitempty: it is always emitted, so an unset rule ID shows
	// up in the backend as an empty string rather than silently disappearing.
	RuleID      string `json:"rule_id"`
	RuleVersion string `json:"rule_version,omitempty"`
	// RuleActions is forwarded as raw JSON: it is neither validated nor
	// re-encoded by this type, so whatever the producer put in is what the
	// backend receives.
	RuleActions   []json.RawMessage `json:"rule_actions,omitempty"`
	PolicyName    string            `json:"policy_name,omitempty"`
	PolicyVersion string            `json:"policy_version,omitempty"`
	// Version is presumably the agent version; Origin, OS, Arch, KernelVersion
	// and Distribution describe where the event was produced. All are optional
	// in the JSON.
	Version       string `json:"version,omitempty"`
	OS            string `json:"os,omitempty"`
	Arch          string `json:"arch,omitempty"`
	Origin        string `json:"origin,omitempty"`
	KernelVersion string `json:"kernel_version,omitempty"`
	Distribution  string `json:"distribution,omitempty"`
}
AgentContext carries the rule, policy and agent/host metadata serialized under the "agent" key of a BackendEvent. Only rule_id is always emitted; every other field is omitted when empty. The easyjson:json marker requests generated easyjson marshalers for the type.
func (AgentContext) MarshalEasyJSON ¶
func (v AgentContext) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*AgentContext) UnmarshalEasyJSON ¶
func (v *AgentContext) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type AnomalyDetectionLimiter ¶
type AnomalyDetectionLimiter struct {
// contains filtered or unexported fields
}
AnomalyDetectionLimiter is the Limiter used for anomaly detection events. Unlike StdLimiter, whose bucket is shared by every event of a rule, it keeps one bucket per workload ID, so a noisy workload consumes its own allowance rather than everybody's.
func NewAnomalyDetectionLimiter ¶
func NewAnomalyDetectionLimiter(numWorkloads int, numEventsAllowedPerPeriod int, period time.Duration) (*AnomalyDetectionLimiter, error)
NewAnomalyDetectionLimiter returns a new rate limiter bucketed by workload ID. numWorkloads bounds how many workloads are tracked at once and each tracked workload may emit numEventsAllowedPerPeriod events per period (presumably; see Allow). An error is returned when the parameters are invalid — what happens to workloads beyond numWorkloads is not visible here and should be checked before relying on this limiter for alerting coverage.
func (*AnomalyDetectionLimiter) Allow ¶
func (al *AnomalyDetectionLimiter) Allow(event Event) bool
Allow reports whether event may be sent under the allowance of its workload (event.GetWorkloadID() selects the bucket). A false return means the event is dropped, not deferred.
func (*AnomalyDetectionLimiter) SwapStats ¶
func (al *AnomalyDetectionLimiter) SwapStats() []utils.LimiterStat
SwapStats returns the dropped and allowed counters accumulated since the previous call; like StdLimiter.SwapStats it is expected to reset them, so call it once per reporting period.
type BackendEvent ¶
// BackendEvent wraps a rule-triggered event for transmission to the backend.
//
// easyjson:json
type BackendEvent struct {
	// AgentContext is embedded but, because of the tag, serialized as a nested
	// "agent" object rather than flattened into the top-level event.
	AgentContext `json:"agent"`
	// Title is the human-readable title of the event; it is always emitted.
	Title string `json:"title"`
}
BackendEvent is the wrapper used to send a rule event to the backend: the embedded AgentContext is serialized as a nested "agent" object and Title as "title". The easyjson:json marker requests generated easyjson marshalers for the type.
func (BackendEvent) MarshalEasyJSON ¶
func (v BackendEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*BackendEvent) UnmarshalEasyJSON ¶
func (v *BackendEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type CustomEvent ¶
type CustomEvent struct {
// contains filtered or unexported fields
}
CustomEvent is the Event implementation used to send the agent's own security events (heartbeat, ruleset_loaded, self_test, anomaly_detection, ...) to Datadog, as opposed to events produced by a user's policy rules.
func NewCustomEvent ¶
func NewCustomEvent(eventType model.EventType, marshaler EventMarshaler, tags ...string) *CustomEvent
NewCustomEvent returns a new custom event of type eventType whose JSON payload is produced by marshaler; tags are attached to the event and returned by GetTags.
func NewCustomEventLazy ¶
func NewCustomEventLazy(eventType model.EventType, marshalerCtor func() EventMarshaler, tags ...string) *CustomEvent
NewCustomEventLazy is like NewCustomEvent but defers building the EventMarshaler: marshalerCtor is presumably invoked only when the event is actually marshaled, so the payload is not computed for events that end up rate limited or never sent.
func (*CustomEvent) Clone ¶
func (ce *CustomEvent) Clone() CustomEvent
Clone returns a copy of the current CustomEvent by value. Whether the copy is deep (e.g. whether the tags slice and marshaler are shared with the original) is not visible here — check before mutating the clone.
func (*CustomEvent) GetActionReports ¶
func (ce *CustomEvent) GetActionReports() []model.ActionReport
GetActionReports returns reports of the action triggered
func (*CustomEvent) GetEventType ¶
func (ce *CustomEvent) GetEventType() model.EventType
GetEventType returns the event type
func (*CustomEvent) GetFieldValue ¶
func (ce *CustomEvent) GetFieldValue(_ eval.Field) (interface{}, error)
GetFieldValue implements Event, but the field parameter is ignored (it is blank in the signature), so a custom event cannot be resolved by field; limiters that bucket on fields (TokenLimiter) get no usable value from it. Check the returned value and error before relying on this method.
func (*CustomEvent) GetTags ¶
func (ce *CustomEvent) GetTags() []string
GetTags returns the tags given to NewCustomEvent / NewCustomEventLazy.
func (*CustomEvent) GetType ¶
func (ce *CustomEvent) GetType() string
GetType returns the type of the custom event as a string
func (*CustomEvent) GetWorkloadID ¶
func (ce *CustomEvent) GetWorkloadID() string
GetWorkloadID returns the workload id used for per-workload rate limiting (see AnomalyDetectionLimiter).
func (*CustomEvent) MarshalJSON ¶
func (ce *CustomEvent) MarshalJSON() ([]byte, error)
MarshalJSON marshals the custom event to JSON using easyjson, delegating the payload to the event's EventMarshaler (built on first use for events created with NewCustomEventLazy).
type CustomEventCommonFields ¶
// CustomEventCommonFields holds the fields shared by every custom event
// payload; embed it in a concrete event and call FillCustomEventCommonFields.
type CustomEventCommonFields struct {
	// Timestamp is serialized under "date".
	Timestamp time.Time `json:"date"`
	// Service is the service tag (presumably ServiceName for the events
	// defined in this package).
	Service string `json:"service"`
	// AgentContainerContext has no omitempty: a nil pointer is serialized as
	// "container": null rather than dropped, so consumers must accept null.
	AgentContainerContext *AgentContainerContext `json:"container"`
}
CustomEventCommonFields represents the fields common to all custom events: the timestamp ("date"), the service tag ("service") and the container context ("container", serialized as null when nil).
func (*CustomEventCommonFields) FillCustomEventCommonFields ¶
func (commonFields *CustomEventCommonFields) FillCustomEventCommonFields(acc *AgentContainerContext)
FillCustomEventCommonFields populates the common fields with their default values and attaches acc as the container context. If acc is nil the "container" key is serialized as null, since the field has no omitempty.
type Event ¶
// Event is the interface that an event must implement to be sent to the
// backend. Besides the payload accessors it exposes the two keys the
// limiters bucket on: the workload ID and arbitrary eval fields.
type Event interface {
	// GetWorkloadID returns the workload identifier; AnomalyDetectionLimiter
	// buckets events by it.
	GetWorkloadID() string
	// GetTags returns the tags attached to the event.
	GetTags() []string
	// GetType returns the event type as a string.
	GetType() string
	// GetActionReports returns the reports of the actions triggered by the event.
	GetActionReports() []model.ActionReport
	// GetFieldValue resolves an eval.Field on the event; TokenLimiter buckets
	// events by the values of the fields it is configured with.
	GetFieldValue(eval.Field) (interface{}, error)
}
Event is the interface that an event must implement to be sent to the backend
type EventMarshaler ¶
EventMarshaler defines an abstract JSON marshaller; a CustomEvent delegates its payload serialization to one.
type EventSender ¶
// EventSender defines an event sender.
type EventSender interface {
	// SendEvent sends event, matched by rule, to the backend. extTagsCb is a
	// callback supplying additional tags (presumably evaluated lazily so that
	// tag resolution is skipped for events that are never sent) and service is
	// the service tag to attach.
	SendEvent(rule *rules.Rule, event Event, extTagsCb func() []string, service string)
}
EventSender defines an event sender: SendEvent forwards event, matched by rule, to the backend, with extTagsCb supplying additional tags on demand and service the service tag to attach.
type Limiter ¶
// Limiter is the interface implemented by every per-rule rate limiter in this
// package (StdLimiter, AnomalyDetectionLimiter, TokenLimiter). A RateLimiter
// holds one Limiter per rule ID.
type Limiter interface {
	// Allow reports whether event may be sent now; a false return means the
	// event is dropped, not queued.
	Allow(event Event) bool
	// SwapStats returns the dropped and allowed counters; implementations are
	// expected to reset them on each call (see StdLimiter.SwapStats).
	SwapStats() []utils.LimiterStat
}
Limiter defines the interface implemented by every per-rule rate limiter in this package (StdLimiter, AnomalyDetectionLimiter, TokenLimiter): Allow decides whether an event is sent or dropped, SwapStats reports the counts.
type RateLimiter ¶
RateLimiter holds one Limiter per rule ID and decides, per rule, whether an event may be sent; it also reports how many events each rule sent or dropped.
func NewRateLimiter ¶
func NewRateLimiter(config *config.RuntimeSecurityConfig, client statsd.ClientInterface) *RateLimiter
NewRateLimiter initializes an empty rate limiter: no rule is known until Apply is called. config drives the per-rule limits and client receives the statistics emitted by SendStats.
func (*RateLimiter) Allow ¶
func (rl *RateLimiter) Allow(ruleID string, event Event) bool
Allow returns true if the rule identified by ruleID may send a new event. Events for which it returns false are dropped and counted in the limiter statistics (see GetStats); the behaviour for a ruleID that was never registered with Apply is not visible here and should be confirmed.
func (*RateLimiter) Apply ¶
func (rl *RateLimiter) Apply(ruleSet *rules.RuleSet, customRuleIDs []eval.RuleID)
Apply registers a limiter for every rule in ruleSet and for each of customRuleIDs (see AllCustomRuleIDs). Call it whenever a new ruleset is loaded so that newly loaded rules are rate limited as well; it presumably replaces the previously registered set.
func (*RateLimiter) GetStats ¶
func (rl *RateLimiter) GetStats() map[string][]utils.LimiterStat
GetStats returns a map indexed by rule ID describing how many events each rule was allowed to send and how many were dropped because of the rate limiter.
func (*RateLimiter) SendStats ¶
func (rl *RateLimiter) SendStats() error
SendStats sends statistics about the number of sent and dropped events for the set of rules to the statsd client given to NewRateLimiter.
type StdLimiter ¶
type StdLimiter struct {
// contains filtered or unexported fields
}
StdLimiter applies a limit on the rate at which a rule may trigger, so that an overly permissive rule cannot flood the backend with events. The bucket is shared by every event of the rule: it does not distinguish workloads or field values (see AnomalyDetectionLimiter and TokenLimiter for that).
func NewStdLimiter ¶
func NewStdLimiter(limit rate.Limit, burst int) *StdLimiter
NewStdLimiter returns a new rule limiter allowing on average limit events per second with bursts of up to burst events (presumably golang.org/x/time/rate token-bucket semantics, given the rate.Limit type).
func (*StdLimiter) Allow ¶
func (l *StdLimiter) Allow(_ Event) bool
Allow reports whether the next event is allowed. The event argument is ignored (it is blank in the signature): the limit is global to the rule, not per workload or per field.
func (*StdLimiter) SwapStats ¶
func (l *StdLimiter) SwapStats() []utils.LimiterStat
SwapStats returns the dropped and allowed stats and zeros them, so each call reports only the counts accumulated since the previous call.
type TokenLimiter ¶
type TokenLimiter struct {
// contains filtered or unexported fields
}
TokenLimiter is a Limiter bucketed by the values of a set of event fields (see NewTokenLimiter), rather than by workload ID as AnomalyDetectionLimiter is or globally as StdLimiter is.
func NewTokenLimiter ¶
func NewTokenLimiter(maxUniqueToken int, numEventsAllowedPerPeriod int, period time.Duration, fields []eval.Field) (*TokenLimiter, error)
NewTokenLimiter returns a new rate limiter bucketed by the values of fields: each distinct combination of field values (a token) gets its own allowance of numEventsAllowedPerPeriod events per period, and at most maxUniqueToken tokens are tracked at once (presumably; what happens beyond that bound is not visible here). An error is returned when the parameters are invalid.
func (*TokenLimiter) Allow ¶
func (tkl *TokenLimiter) Allow(event Event) bool
Allow reports whether event may be sent, selecting its bucket from the values of the configured fields obtained through event.GetFieldValue. A false return means the event is dropped.
func (*TokenLimiter) SwapStats ¶
func (tkl *TokenLimiter) SwapStats() []utils.LimiterStat
SwapStats returns the dropped and allowed counters accumulated since the previous call; like StdLimiter.SwapStats it is expected to reset them, so call it once per reporting period.