module package v0.9.0
Published: Oct 20, 2021 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var SelfTestFunctions = []func(*SelfTester) error{
	selfTestOpen,
	selfTestChmod,
	selfTestChown,
}

SelfTestFunctions is the slice of self-test functions, one per individual file test

Functions

func NewModule

func NewModule(cfg *sconfig.Config) (module.Module, error)

NewModule instantiates a runtime security system-probe module

Types

type APIServer

type APIServer struct {
	// contains filtered or unexported fields
}

APIServer represents a gRPC server in charge of receiving events sent by the runtime security system-probe module and forwarding them to Datadog

func NewAPIServer

func NewAPIServer(cfg *config.Config, probe *sprobe.Probe, client *statsd.Client) *APIServer

NewAPIServer returns a new gRPC event server

func (*APIServer) Apply

func (a *APIServer) Apply(ruleIDs []rules.RuleID)

Apply a rule set

func (*APIServer) DumpProcessCache

DumpProcessCache handles process cache dump requests

func (*APIServer) GetConfig

func (a *APIServer) GetConfig(ctx context.Context, params *api.GetConfigParams) (*api.SecurityConfigMessage, error)

GetConfig returns config of the runtime security module required by the security agent

func (*APIServer) GetEvents

func (a *APIServer) GetEvents(params *api.GetEventParams, stream api.SecurityModule_GetEventsServer) error

GetEvents waits for security events

func (*APIServer) GetStats

func (a *APIServer) GetStats() map[string]int64

GetStats returns a map indexed by rule ID that describes the number of events that were expired or rate limited before reaching

func (*APIServer) RunSelfTest

RunSelfTest runs the self test and then reloads the current policies

func (*APIServer) SendEvent

func (a *APIServer) SendEvent(rule *rules.Rule, event Event, extTagsCb func() []string, service string)

SendEvent forwards events sent by the runtime security module to Datadog

func (*APIServer) SendStats

func (a *APIServer) SendStats() error

SendStats sends statistics about the number of dropped events

func (*APIServer) Start

func (a *APIServer) Start(ctx context.Context)

Start starts the API server and begins consuming the message queue

type AgentContext

type AgentContext struct {
	RuleID        string `json:"rule_id"`
	RuleVersion   string `json:"rule_version,omitempty"`
	PolicyName    string `json:"policy_name,omitempty"`
	PolicyVersion string `json:"policy_version,omitempty"`
	Version       string `json:"version,omitempty"`
}

AgentContext serializes the agent context to JSON (easyjson:json)

func (AgentContext) MarshalEasyJSON

func (v AgentContext) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (AgentContext) MarshalJSON

func (v AgentContext) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*AgentContext) UnmarshalEasyJSON

func (v *AgentContext) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*AgentContext) UnmarshalJSON

func (v *AgentContext) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type Event

type Event interface {
	GetTags() []string
	GetType() string
}

Event is the interface that an event must implement to be sent to the backend

type Limit

type Limit struct {
	Limit int
	Burst int
}

Limit defines the rate and burst of a rule's rate limiter

type Limiter

type Limiter struct {
	// contains filtered or unexported fields
}

Limiter describes an object that limits the rate at which a rule can trigger, so that an overly permissive rule cannot flood the backend with events

func NewLimiter

func NewLimiter(limit rate.Limit, burst int) *Limiter

NewLimiter returns a new rule limiter

type LimiterOpts

type LimiterOpts struct {
	Limits map[rules.RuleID]Limit
}

LimiterOpts holds the per-rule rate limiter options

type Module

type Module struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Module represents the system-probe module for the runtime security agent

func (*Module) Close

func (m *Module) Close()

Close the module

func (*Module) EventDiscarderFound

func (m *Module) EventDiscarderFound(rs *rules.RuleSet, event eval.Event, field eval.Field, eventType eval.EventType)

EventDiscarderFound is called by the ruleset when a new discarder is discovered

func (*Module) GetProbe

func (m *Module) GetProbe() *sprobe.Probe

GetProbe returns the module's probe

func (*Module) GetRuleSet

func (m *Module) GetRuleSet() (rs *rules.RuleSet)

GetRuleSet returns the set of loaded rules

func (*Module) GetStats

func (m *Module) GetStats() map[string]interface{}

GetStats returns statistics about the module

func (*Module) HandleCustomEvent

func (m *Module) HandleCustomEvent(rule *rules.Rule, event *sprobe.CustomEvent)

HandleCustomEvent is called by the probe when an event should be sent to Datadog but doesn't need evaluation

func (*Module) HandleEvent

func (m *Module) HandleEvent(event *sprobe.Event)

HandleEvent is called by the probe when an event arrives from the kernel

func (*Module) Init

func (m *Module) Init() error

Init initializes the module

func (*Module) Register

func (m *Module) Register(_ *module.Router) error

Register the runtime security agent module

func (*Module) Reload

func (m *Module) Reload() error

Reload the rule set

func (*Module) RuleMatch

func (m *Module) RuleMatch(rule *rules.Rule, event eval.Event)

RuleMatch is called by the ruleset when a rule matches

func (*Module) SendEvent

func (m *Module) SendEvent(rule *rules.Rule, event Event, extTagsCb func() []string, service string)

SendEvent sends an event to the backend after checking that the rate limiter allows it for the provided rule

func (*Module) SetRulesetLoadedCallback

func (m *Module) SetRulesetLoadedCallback(cb func(rs *rules.RuleSet))

SetRulesetLoadedCallback allows setting a callback called when a rule set is loaded

func (*Module) Start

func (m *Module) Start() error

Start the module

type RateLimiter

type RateLimiter struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

RateLimiter describes a set of rule rate limiters

func NewRateLimiter

func NewRateLimiter(client *statsd.Client, opts LimiterOpts) *RateLimiter

NewRateLimiter initializes an empty rate limiter

func (*RateLimiter) Allow

func (rl *RateLimiter) Allow(ruleID string) bool

Allow returns true if the given rule is allowed to send a new event

func (*RateLimiter) Apply

func (rl *RateLimiter) Apply(rules []rules.RuleID)

Apply a set of rules

func (*RateLimiter) GetStats

func (rl *RateLimiter) GetStats() map[rules.RuleID]RateLimiterStat

GetStats returns a map indexed by rule ID that describes the number of events that were dropped because of the rate limiter

func (*RateLimiter) SendStats

func (rl *RateLimiter) SendStats() error

SendStats sends statistics about the number of sent and dropped events for the set of rules

type RateLimiterStat

type RateLimiterStat struct {
	// contains filtered or unexported fields
}

RateLimiterStat represents the rate limiting statistics
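The Limit, Limiter and RateLimiter types above describe a per-rule token bucket that drops events from rules that fire too often and counts what was dropped. The following is an added illustration of that design, not code from this package: it reimplements the per-rule limiter with only the standard library (assuming the real package wraps golang.org/x/time/rate), uses an injectable clock, and assumes that a rule with no configured limit is never throttled.

```go
package main

import (
	"math"
	"time"
)

// Limit mirrors the page's Limit type: sustained rate (events per second) plus a burst.
type Limit struct {
	Rate  float64
	Burst int
}
// bucket is a stdlib-only token bucket standing in for the x/time/rate limiter the real package wraps (assumption).
type bucket struct {
	Limit
	tokens float64
	last   time.Time
}
// RateLimiter holds one bucket per rule ID plus the per-rule drop counts; no mutex here, unlike the page's type.
type RateLimiter struct {
	now     func() time.Time // injectable clock so tests are deterministic
	rules   map[string]*bucket
	Dropped map[string]int64 // what the page's GetStats reports: events suppressed per rule
}

// NewRateLimiter starts every configured rule with a full bucket (Burst tokens).
func NewRateLimiter(limits map[string]Limit, now func() time.Time) *RateLimiter {
	rl := &RateLimiter{now: now, rules: map[string]*bucket{}, Dropped: map[string]int64{}}
	for id, l := range limits {
		rl.rules[id] = &bucket{Limit: l, tokens: float64(l.Burst), last: now()}
	}
	return rl
}

// Allow reports whether ruleID may emit another event; unconfigured rules are never throttled (assumption).
func (rl *RateLimiter) Allow(ruleID string) bool {
	b, ok := rl.rules[ruleID]
	if !ok {
		return true
	}
	now := rl.now()
	b.tokens = math.Min(float64(b.Burst), b.tokens+now.Sub(b.last).Seconds()*b.Rate)
	b.last = now // bucket refilled for the elapsed time, capped at Burst
	if b.tokens < 1 {
		rl.Dropped[ruleID]++ // suppressed, not sent to the backend
		return false
	}
	b.tokens--
	return true
}
```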

type RuleEvent

type RuleEvent struct {
	RuleID string `json:"rule_id"`
	Event  Event  `json:"event"`
}

RuleEvent is a wrapper used to send an event to the backend

type SelfTester

type SelfTester struct {
	// contains filtered or unexported fields
}

SelfTester represents all the state needed to conduct the rule injection test at startup

func NewSelfTester

func NewSelfTester() *SelfTester

NewSelfTester returns a new SelfTester, enabled or not

func (*SelfTester) AddSelfTestRulesToRuleSets

func (t *SelfTester) AddSelfTestRulesToRuleSets(ruleSet, approverRuleSet *rules.RuleSet)

AddSelfTestRulesToRuleSets adds self test rules to the rulesets

func (*SelfTester) BeginWaitingForEvent

func (t *SelfTester) BeginWaitingForEvent() error

BeginWaitingForEvent puts the tester into the waiting-for-event state

func (*SelfTester) Cleanup

func (t *SelfTester) Cleanup() error

Cleanup removes temp directories and files used by the self tester

func (*SelfTester) CreateTargetFileIfNeeded

func (t *SelfTester) CreateTargetFileIfNeeded() error

CreateTargetFileIfNeeded creates the needed target file for self test operations

func (*SelfTester) EndWaitingForEvent

func (t *SelfTester) EndWaitingForEvent()

EndWaitingForEvent exits the waiting for event state

func (*SelfTester) GetSelfTestPolicy

func (t *SelfTester) GetSelfTestPolicy() *rules.Policy

GetSelfTestPolicy returns the additional policy containing self test rules

func (*SelfTester) RunSelfTest

func (t *SelfTester) RunSelfTest() error

RunSelfTest runs the self test

func (*SelfTester) SendEventIfExpecting

func (t *SelfTester) SendEventIfExpecting(rule *rules.Rule, event eval.Event)

SendEventIfExpecting sends an event to the tester

type Signal

type Signal struct {
	*AgentContext `json:"agent"`
	Title         string `json:"title"`
}

Signal is the rule event wrapper used to send an event to the backend (easyjson:json)

func (Signal) MarshalEasyJSON

func (v Signal) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (Signal) MarshalJSON

func (v Signal) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*Signal) UnmarshalEasyJSON

func (v *Signal) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*Signal) UnmarshalJSON

func (v *Signal) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface
