Published: Jan 3, 2025 License: Apache-2.0 Imports: 20 Imported by: 0


Package config holds config related files



Constants

const (
	// ADMinMaxDumSize represents the minimum value for runtime_security_config.activity_dump.max_dump_size,
	// i.e. the lower bound of the dynamic ActivityDumpMaxDumpSize setting.
	ADMinMaxDumSize = 100
)

Variables

This section is empty.

Functions

func ActivityDumpRemoteStorageEndpoints

func ActivityDumpRemoteStorageEndpoints(endpointPrefix string, intakeTrackType logsconfig.IntakeTrackType, intakeProtocol logsconfig.IntakeProtocol, intakeOrigin logsconfig.IntakeOrigin) (*logsconfig.Endpoints, error)

ActivityDumpRemoteStorageEndpoints returns the list of activity dump remote storage endpoints parsed from the agent config

func GetFamilyAddress

func GetFamilyAddress(path string) (string, string)

GetFamilyAddress returns the address family to use for system-probe <-> security-agent communication

func IsEBPFLessModeEnabled

func IsEBPFLessModeEnabled() bool

IsEBPFLessModeEnabled returns true if the ebpfless mode is enabled. It is based on the configuration itself, but will default to true if running on Fargate.

func ParseEvalEventType

func ParseEvalEventType(eventType eval.EventType) model.EventType

ParseEvalEventType converts an eval.EventType (string) to its uint64 representation. The current algorithm is not efficient, but it allows us to reduce the number of conversion functions.

Types

type Config

type Config struct {
	// Probe holds the probe configuration (pconfig.Config)
	Probe *pconfig.Config

	// RuntimeSecurity holds the CWS (runtime security) specific parameters
	RuntimeSecurity *RuntimeSecurityConfig
}

Config defines a security config

func NewConfig

func NewConfig() (*Config, error)

NewConfig returns a new Config object

type Policy

type Policy struct {
	// Name is the policy name, decoded from the `name` key of the policy entry
	Name  string   `mapstructure:"name"`
	// Files is the list of files of the policy, decoded from the `files` key
	Files []string `mapstructure:"files"`
	// Tags is the list of tags of the policy, decoded from the `tags` key
	Tags  []string `mapstructure:"tags"`
}

Policy represents a policy file in the configuration file

type RuntimeSecurityConfig

type RuntimeSecurityConfig struct {
	// RuntimeEnabled defines if the runtime security module should be enabled
	RuntimeEnabled bool
	// PoliciesDir defines the folder in which the policy files are located
	PoliciesDir string
	// PolicyMonitorEnabled enables policy monitoring
	PolicyMonitorEnabled bool
	// PolicyMonitorPerRuleEnabled enables per-rule policy monitoring
	PolicyMonitorPerRuleEnabled bool
	// PolicyMonitorReportInternalPolicies enables the monitoring of internal policies
	PolicyMonitorReportInternalPolicies bool
	// SocketPath is the path to the socket that is used to communicate with the security agent
	SocketPath string
	// EventServerBurst defines the maximum burst of events that can be sent over the grpc server
	EventServerBurst int
	// EventServerRate defines the grpc server rate at which events can be sent
	EventServerRate int
	// EventServerRetention defines an event retention period so that some fields can be resolved
	EventServerRetention time.Duration
	// FIMEnabled determines whether fim rules will be loaded
	FIMEnabled bool
	// SelfTestEnabled defines if the self tests should be executed at startup or not
	SelfTestEnabled bool
	// SelfTestSendReport defines if a self test event will be emitted
	SelfTestSendReport bool
	// RemoteConfigurationEnabled defines whether to use remote configuration
	RemoteConfigurationEnabled bool
	// RemoteConfigurationDumpPolicies defines whether to dump the policies received from remote configuration
	RemoteConfigurationDumpPolicies bool
	// LogPatterns defines the patterns to be used by the logger for the trace level
	LogPatterns []string
	// LogTags defines the tags to be used by the logger for the trace level
	LogTags []string
	// HostServiceName defines the service name associated with the host
	HostServiceName string
	// OnDemandEnabled defines whether the on-demand probes should be enabled
	OnDemandEnabled bool
	// OnDemandRateLimiterEnabled defines whether hitting the on-demand probes rate limit disables the on-demand probes
	OnDemandRateLimiterEnabled bool
	// ReducedProcPidCacheSize defines whether the `proc_cache` and `pid_cache` maps should use a reduced size
	ReducedProcPidCacheSize bool

	// InternalMonitoringEnabled determines if the monitoring events of the agent should be sent to Datadog
	InternalMonitoringEnabled bool

	// ActivityDumpEnabled defines if the activity dump manager should be enabled
	ActivityDumpEnabled bool
	// ActivityDumpCleanupPeriod defines the period at which the activity dump manager should perform its cleanup
	// operation.
	ActivityDumpCleanupPeriod time.Duration
	// ActivityDumpTagsResolutionPeriod defines the period at which the activity dump manager should try to resolve
	// missing container tags.
	ActivityDumpTagsResolutionPeriod time.Duration
	// ActivityDumpLoadControlPeriod defines the period at which the activity dump manager should trigger the load controller
	ActivityDumpLoadControlPeriod time.Duration
	// ActivityDumpLoadControlMinDumpTimeout defines the minimum duration of an activity dump recording
	ActivityDumpLoadControlMinDumpTimeout time.Duration

	// ActivityDumpTracedCgroupsCount defines the maximum count of cgroups that should be monitored concurrently. Leave this parameter to 0 to prevent the generation
	// of activity dumps based on cgroups.
	ActivityDumpTracedCgroupsCount int
	// ActivityDumpCgroupsManagers defines the cgroup managers we generate dumps for.
	ActivityDumpCgroupsManagers []string

	// ActivityDumpTracedEventTypes defines the list of events that should be captured in an activity dump. Leave this
	// parameter empty to monitor all event types. If not already present, the `exec` event will automatically be added
	// to this list.
	ActivityDumpTracedEventTypes []model.EventType
	// ActivityDumpCgroupDumpTimeout defines the cgroup activity dumps timeout.
	ActivityDumpCgroupDumpTimeout time.Duration
	// ActivityDumpRateLimiter defines the kernel rate of max events per sec for activity dumps.
	ActivityDumpRateLimiter int
	// ActivityDumpCgroupWaitListTimeout defines the time to wait before a cgroup can be dumped again.
	ActivityDumpCgroupWaitListTimeout time.Duration
	// ActivityDumpCgroupDifferentiateArgs defines if system-probe should differentiate process nodes using process
	// arguments for dumps.
	ActivityDumpCgroupDifferentiateArgs bool
	// ActivityDumpLocalStorageDirectory defines the output directory for the activity dumps and graphs. Leave
	// this field empty to prevent writing any output to disk.
	ActivityDumpLocalStorageDirectory string
	// ActivityDumpLocalStorageFormats defines the formats that should be used to persist the activity dumps locally.
	ActivityDumpLocalStorageFormats []StorageFormat
	// ActivityDumpLocalStorageCompression defines if the local storage should compress the persisted data.
	ActivityDumpLocalStorageCompression bool
	// ActivityDumpLocalStorageMaxDumpsCount defines the maximum count of activity dumps that should be kept locally.
	// When the limit is reached, the oldest dumps will be deleted first.
	ActivityDumpLocalStorageMaxDumpsCount int
	// ActivityDumpSyscallMonitorPeriod defines the minimum amount of time to wait between 2 syscalls event for the same
	// process.
	ActivityDumpSyscallMonitorPeriod time.Duration
	// ActivityDumpMaxDumpCountPerWorkload defines the maximum amount of dumps that the agent should send for a workload
	ActivityDumpMaxDumpCountPerWorkload int
	// ActivityDumpWorkloadDenyList defines the list of workloads for which we shouldn't generate dumps. Workloads should
	// be provided as strings in the following format "{image_name}:[{image_tag}|*]". If "*" is provided instead of a
	// specific image tag, then the entry will match any workload with the input {image_name} regardless of their tag.
	ActivityDumpWorkloadDenyList []string
	// ActivityDumpTagRulesEnabled enables the tagging of nodes with the rules they matched
	ActivityDumpTagRulesEnabled bool
	// ActivityDumpSilentWorkloadsDelay defines the minimum amount of time to wait before the activity dump manager will start tracing silent workloads
	ActivityDumpSilentWorkloadsDelay time.Duration
	// ActivityDumpSilentWorkloadsTicker configures the ticker that will check if a workload is silent and should be traced
	ActivityDumpSilentWorkloadsTicker time.Duration
	// ActivityDumpAutoSuppressionEnabled defines whether an event that is already part of an activity dump should be
	// suppressed (not sent)
	ActivityDumpAutoSuppressionEnabled bool

	// # Dynamic configuration fields:
	// ActivityDumpMaxDumpSize defines the maximum size of a dump. It is a function so that the value can be
	// re-read at call time; see ADMinMaxDumSize for the lower bound of the underlying setting.
	ActivityDumpMaxDumpSize func() int

	// SecurityProfileEnabled defines if the Security Profile manager should be enabled
	SecurityProfileEnabled bool
	// SecurityProfileMaxImageTags defines the maximum number of profile versions to maintain
	SecurityProfileMaxImageTags int
	// SecurityProfileDir defines the directory in which Security Profiles are stored
	SecurityProfileDir string
	// SecurityProfileWatchDir defines if the Security Profiles directory should be monitored
	SecurityProfileWatchDir bool
	// SecurityProfileCacheSize defines the count of Security Profiles held in cache
	SecurityProfileCacheSize int
	// SecurityProfileMaxCount defines the maximum number of Security Profiles that may be evaluated concurrently
	SecurityProfileMaxCount int
	// SecurityProfileDNSMatchMaxDepth defines the max depth of subdomain to be matched for DNS anomaly detection (0 to match everything)
	SecurityProfileDNSMatchMaxDepth int

	// SecurityProfileAutoSuppressionEnabled defines whether an event that is already part of a profile should be
	// suppressed (not sent)
	SecurityProfileAutoSuppressionEnabled bool
	// SecurityProfileAutoSuppressionEventTypes defines the list of event types that can be auto suppressed using security profiles
	SecurityProfileAutoSuppressionEventTypes []model.EventType

	// AnomalyDetectionEventTypes defines the list of events that should be allowed to generate anomaly detections
	AnomalyDetectionEventTypes []model.EventType
	// AnomalyDetectionDefaultMinimumStablePeriod defines the default minimum amount of time during which the events
	// that diverge from their profiles are automatically added in their profiles without triggering an anomaly detection
	// event.
	AnomalyDetectionDefaultMinimumStablePeriod time.Duration
	// AnomalyDetectionMinimumStablePeriods defines the minimum amount of time per event type during which the events
	// that diverge from their profiles are automatically added in their profiles without triggering an anomaly detection
	// event. Event types absent from this map fall back to AnomalyDetectionDefaultMinimumStablePeriod (see
	// GetAnomalyDetectionMinimumStablePeriod).
	AnomalyDetectionMinimumStablePeriods map[model.EventType]time.Duration
	// AnomalyDetectionUnstableProfileTimeThreshold defines the maximum amount of time to wait until a profile that
	// hasn't reached a stable state is considered as unstable.
	AnomalyDetectionUnstableProfileTimeThreshold time.Duration
	// AnomalyDetectionUnstableProfileSizeThreshold defines the maximum size a profile can reach past which it is
	// considered unstable
	AnomalyDetectionUnstableProfileSizeThreshold int64
	// AnomalyDetectionWorkloadWarmupPeriod defines the duration during which anomaly detections are ignored
	// because of workload warm up
	AnomalyDetectionWorkloadWarmupPeriod time.Duration
	// AnomalyDetectionRateLimiterPeriod is the duration during which a limited number of anomaly detection events are allowed
	AnomalyDetectionRateLimiterPeriod time.Duration
	// AnomalyDetectionRateLimiterNumEventsAllowed is the number of anomaly detection events allowed per period by the rate limiter
	AnomalyDetectionRateLimiterNumEventsAllowed int
	// AnomalyDetectionRateLimiterNumKeys is the number of keys in the rate limiter
	AnomalyDetectionRateLimiterNumKeys int
	// AnomalyDetectionTagRulesEnabled defines if the events that triggered anomaly detections should be tagged with the
	// rules they might have matched.
	AnomalyDetectionTagRulesEnabled bool
	// AnomalyDetectionSilentRuleEventsEnabled defines whether a rule event should be dropped when it is also part of an
	// anomaly event
	AnomalyDetectionSilentRuleEventsEnabled bool
	// AnomalyDetectionEnabled defines if we should send anomaly detection events
	AnomalyDetectionEnabled bool

	// SBOMResolverEnabled defines if the SBOM resolver should be enabled
	SBOMResolverEnabled bool
	// SBOMResolverWorkloadsCacheSize defines the count of SBOMs to keep in memory in order to prevent re-computing
	// the SBOMs of short-lived and periodical workloads
	SBOMResolverWorkloadsCacheSize int
	// SBOMResolverHostEnabled defines if the SBOM resolver should compute the host's SBOM
	SBOMResolverHostEnabled bool

	// HashResolverEnabled defines if the hash resolver should be enabled
	HashResolverEnabled bool
	// HashResolverMaxFileSize defines the maximum size of the files that the hash resolver is allowed to hash
	HashResolverMaxFileSize int64
	// HashResolverMaxHashRate defines the rate at which the hash resolver may compute hashes
	HashResolverMaxHashRate int
	// HashResolverHashAlgorithms defines the hashes that the hash resolver needs to compute
	HashResolverHashAlgorithms []model.HashAlgorithm
	// HashResolverEventTypes defines the list of event types whose files may be hashed
	HashResolverEventTypes []model.EventType
	// HashResolverCacheSize defines the number of hashes to keep in cache
	HashResolverCacheSize int
	// HashResolverReplace is used to apply a specific hash to a specific file path (keyed by path)
	HashResolverReplace map[string]string

	// UserSessionsCacheSize defines the size of the User Sessions cache
	UserSessionsCacheSize int

	// EBPFLessEnabled enables the ebpfless probe
	EBPFLessEnabled bool
	// EBPFLessSocket defines the socket used for the communication between system-probe and the ebpfless source
	EBPFLessSocket string

	// Enforcement capabilities
	// EnforcementEnabled defines if the enforcement capability should be enabled
	EnforcementEnabled bool
	// EnforcementRawSyscallEnabled defines if the enforcement should be performed using the sys_enter tracepoint
	EnforcementRawSyscallEnabled bool
	// EnforcementBinaryExcluded presumably lists the binaries excluded from enforcement — inferred from the name, confirm with its consumer
	EnforcementBinaryExcluded    []string
	// EnforcementRuleSourceAllowed presumably lists the rule sources allowed to carry enforcement actions — inferred from the name, confirm with its consumer
	EnforcementRuleSourceAllowed []string
	// EnforcementDisarmerContainerEnabled defines if an enforcement rule should be disarmed when hitting too many different containers
	EnforcementDisarmerContainerEnabled bool
	// EnforcementDisarmerContainerMaxAllowed defines the maximum number of different containers that can trigger an enforcement rule
	// within a period before the enforcement is disarmed for this rule
	EnforcementDisarmerContainerMaxAllowed int
	// EnforcementDisarmerContainerPeriod defines the period during which EnforcementDisarmerContainerMaxAllowed is checked
	EnforcementDisarmerContainerPeriod time.Duration
	// EnforcementDisarmerExecutableEnabled defines if an enforcement rule should be disarmed when hitting too many different executables
	EnforcementDisarmerExecutableEnabled bool
	// EnforcementDisarmerExecutableMaxAllowed defines the maximum number of different executables that can trigger an enforcement rule
	// within a period before the enforcement is disarmed for this rule
	EnforcementDisarmerExecutableMaxAllowed int
	// EnforcementDisarmerExecutablePeriod defines the period during which EnforcementDisarmerExecutableMaxAllowed is checked
	EnforcementDisarmerExecutablePeriod time.Duration

	// WindowsFilenameCacheSize is the max number of filenames to cache
	WindowsFilenameCacheSize int
	// WindowsRegistryCacheSize is the max number of registry paths to cache
	WindowsRegistryCacheSize int

	// ETWEventsChannelSize is the windows specific ETW channel buffer size
	ETWEventsChannelSize int

	// ETWEventsMaxBuffers sets the `maximumbuffers` argument passed to ETW
	ETWEventsMaxBuffers int

	// WindowsProbeBlockOnChannelSend defines if the windows probe should block when sending on its channel
	// (the field was previously documented as WindowsProbeChannelUnbuffered)
	WindowsProbeBlockOnChannelSend bool

	// WindowsWriteEventRateLimiterMaxAllowed presumably is the number of write events allowed per
	// WindowsWriteEventRateLimiterPeriod — inferred from the names, confirm with the rate limiter
	WindowsWriteEventRateLimiterMaxAllowed int
	// WindowsWriteEventRateLimiterPeriod presumably is the period of the write event rate limiter — confirm with its consumer
	WindowsWriteEventRateLimiterPeriod     time.Duration

	// IMDSIPv4 is used to provide a custom IP address for the IMDS endpoint (stored as a uint32)
	IMDSIPv4 uint32
}

RuntimeSecurityConfig holds the configuration for the runtime security agent

func NewRuntimeSecurityConfig

func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error)

NewRuntimeSecurityConfig returns the runtime security (CWS) config, built from the system-probe one

func (*RuntimeSecurityConfig) GetAnomalyDetectionMinimumStablePeriod

func (c *RuntimeSecurityConfig) GetAnomalyDetectionMinimumStablePeriod(eventType model.EventType) time.Duration

GetAnomalyDetectionMinimumStablePeriod returns the minimum stable period for a given event type

func (*RuntimeSecurityConfig) IsRuntimeEnabled

func (c *RuntimeSecurityConfig) IsRuntimeEnabled() bool

IsRuntimeEnabled returns true if any feature is enabled. The same check has to be applied in the config package too.

type StorageFormat

// StorageFormat enumerates the formats a dump can be persisted in; see the JSON/Protobuf/Dot/Profile constants.
type StorageFormat int

StorageFormat is used to define the format of a dump

// The trailing line comments look like stringer `-linecomment` values, i.e. the output of
// StorageFormat.String and the inputs accepted by ParseStorageFormat — keep them unchanged (confirm against the generated String method).
const (
	// JSON is used to request the JSON format
	JSON StorageFormat = iota // json
	// Protobuf is used to request the protobuf format
	Protobuf // protobuf
	// Dot is used to request the dot (graph) format
	Dot // dot
	// Profile is used to request the generation of a profile
	Profile // profile
)

func AllStorageFormats

func AllStorageFormats() []StorageFormat

AllStorageFormats returns the list of supported formats

func ParseStorageFormat

func ParseStorageFormat(input string) (StorageFormat, error)

ParseStorageFormat returns a storage format from a string input

func ParseStorageFormats

func ParseStorageFormats(input []string) ([]StorageFormat, error)

ParseStorageFormats returns a list of storage formats from a list of strings

func (StorageFormat) String

func (i StorageFormat) String() string

type StorageRequest

type StorageRequest struct {
	// Type selects the storage (local or remote), see StorageType
	Type        StorageType
	// Format selects the persistence format of the dump, see StorageFormat
	Format      StorageFormat
	// Compression defines if the persisted data should be compressed
	Compression bool

	// LocalStorage specific parameters
	// OutputDirectory is the directory used by the local storage; see GetOutputPath
	OutputDirectory string
}

StorageRequest is used to request a type of storage for a dump

func NewStorageRequest

func NewStorageRequest(storageType StorageType, format StorageFormat, compression bool, outputDirectory string) StorageRequest

NewStorageRequest returns a new StorageRequest instance

func ParseStorageRequests

func ParseStorageRequests(requests *api.StorageRequestParams) ([]StorageRequest, error)

ParseStorageRequests parses storage requests from a gRPC call

func (*StorageRequest) GetOutputPath

func (sr *StorageRequest) GetOutputPath(filename string) string

GetOutputPath returns the output path to the file in the storage

func (*StorageRequest) ToStorageRequestMessage

func (sr *StorageRequest) ToStorageRequestMessage(filename string) *api.StorageRequestMessage

ToStorageRequestMessage returns an api.StorageRequestMessage from the StorageRequest

type StorageType

// StorageType enumerates where a dump is stored; see the LocalStorage/RemoteStorage constants.
type StorageType int

StorageType is used to define the type of storage

// The trailing line comments look like stringer `-linecomment` values, i.e. the output of
// StorageType.String and the inputs accepted by ParseStorageType — keep them unchanged (confirm against the generated String method).
const (
	// LocalStorage is used to request a local storage
	LocalStorage StorageType = iota // local_storage
	// RemoteStorage is used to request a remote storage
	RemoteStorage // remote_storage
)

func AllStorageTypes

func AllStorageTypes() []StorageType

AllStorageTypes returns the list of supported storage types

func ParseStorageType

func ParseStorageType(input string) (StorageType, error)

ParseStorageType returns a storage type from its string representation

func (StorageType) String

func (i StorageType) String() string
