Overview ¶
Package config holds config related files
Constants ¶
const (
	// ADMinMaxDumSize represents the minimum value accepted for
	// runtime_security_config.activity_dump.max_dump_size; the dynamic
	// RuntimeSecurityConfig.ActivityDumpMaxDumpSize callback is expected to
	// honour this lower bound (the unit is not shown here — confirm against the caller).
	ADMinMaxDumSize = 100
)
Variables ¶
This section is empty.
Functions ¶
func IsEBPFLessModeEnabled ¶
func IsEBPFLessModeEnabled() bool
IsEBPFLessModeEnabled returns true if the ebpfless mode is enabled. It is based on the configuration itself, but defaults to true when running in sidecar mode.
Types ¶
type Config ¶
// Config defines a security config: it groups the probe configuration with the
// CWS (runtime security) specific parameters.
type Config struct {
	// Probe holds the probe configuration (pconfig.Config, declared outside this package)
	Probe *pconfig.Config
	// RuntimeSecurity holds the CWS specific parameters
	RuntimeSecurity *RuntimeSecurityConfig
}
Config defines a security config
type Policy ¶
// Policy represents a policy file entry in the configuration file.
// Field names map to the configuration keys given in the mapstructure tags.
type Policy struct {
	// Name is the policy name (configuration key "name")
	Name string `mapstructure:"name"`
	// Files lists the policy files (configuration key "files")
	Files []string `mapstructure:"files"`
	// Tags lists the tags attached to the policy (configuration key "tags")
	Tags []string `mapstructure:"tags"`
}
Policy represents a policy file in the configuration file
type RuntimeSecurityConfig ¶
// RuntimeSecurityConfig holds the configuration for the runtime security agent (CWS).
// Values are populated by NewRuntimeSecurityConfig from the system-probe configuration.
type RuntimeSecurityConfig struct {
	// RuntimeEnabled defines if the runtime security module should be enabled
	RuntimeEnabled bool
	// PoliciesDir defines the folder in which the policy files are located
	PoliciesDir string
	// PolicyMonitorEnabled enables policy monitoring
	PolicyMonitorEnabled bool
	// PolicyMonitorPerRuleEnabled enables per-rule policy monitoring
	PolicyMonitorPerRuleEnabled bool
	// PolicyMonitorReportInternalPolicies enables internal policies monitoring
	PolicyMonitorReportInternalPolicies bool
	// SocketPath is the path to the socket that is used to communicate with the security agent
	SocketPath string
	// CmdSocketPath is the path to the socket that is used to communicate with system-probe
	CmdSocketPath string
	// EventServerBurst defines the maximum burst of events that can be sent over the grpc server
	EventServerBurst int
	// EventServerRate defines the grpc server rate at which events can be sent
	EventServerRate int
	// EventServerRetention defines an event retention period so that some fields can be resolved
	EventServerRetention time.Duration
	// FIMEnabled determines whether fim rules will be loaded
	FIMEnabled bool
	// SelfTestEnabled defines if the self tests should be executed at startup or not
	SelfTestEnabled bool
	// SelfTestSendReport defines if a self test event will be emitted
	SelfTestSendReport bool
	// RemoteConfigurationEnabled defines whether to use remote monitoring
	RemoteConfigurationEnabled bool
	// RemoteConfigurationDumpPolicies defines whether to dump remote config policy
	RemoteConfigurationDumpPolicies bool
	// LogPatterns are the patterns to be used by the logger for trace level
	LogPatterns []string
	// LogTags are the tags to be used by the logger for trace level
	LogTags []string
	// EnvAsTags lists the environment variables to convert to tags
	EnvAsTags []string
	// HostServiceName is the service name attached to host events (inferred from the name — confirm)
	HostServiceName string
	// OnDemandEnabled defines whether the on-demand probes should be enabled
	OnDemandEnabled bool
	// OnDemandRateLimiterEnabled defines whether hitting the on-demand probes rate limit disables the on-demand probes
	OnDemandRateLimiterEnabled bool
	// ReducedProcPidCacheSize defines whether the `proc_cache` and `pid_cache` map should use reduced size
	ReducedProcPidCacheSize bool
	// InternalMonitoringEnabled determines if the monitoring events of the agent should be sent to Datadog
	InternalMonitoringEnabled bool
	// ActivityDumpEnabled defines if the activity dump manager should be enabled
	ActivityDumpEnabled bool
	// ActivityDumpCleanupPeriod defines the period at which the activity dump manager should perform its cleanup
	// operation.
	ActivityDumpCleanupPeriod time.Duration
	// ActivityDumpTagsResolutionPeriod defines the period at which the activity dump manager should try to resolve
	// missing container tags.
	ActivityDumpTagsResolutionPeriod time.Duration
	// ActivityDumpLoadControlPeriod defines the period at which the activity dump manager should trigger the load controller
	ActivityDumpLoadControlPeriod time.Duration
	// ActivityDumpLoadControlMinDumpTimeout defines the minimal duration of an activity dump recording
	ActivityDumpLoadControlMinDumpTimeout time.Duration
	// ActivityDumpTracedCgroupsCount defines the maximum count of cgroups that should be monitored concurrently. Leave this parameter to 0 to prevent the generation
	// of activity dumps based on cgroups.
	ActivityDumpTracedCgroupsCount int
	// ActivityDumpTraceSystemdCgroups defines if you want to trace systemd cgroups
	ActivityDumpTraceSystemdCgroups bool
	// ActivityDumpTracedEventTypes defines the list of events that should be captured in an activity dump. Leave this
	// parameter empty to monitor all event types. If not already present, the `exec` event will automatically be added
	// to this list.
	ActivityDumpTracedEventTypes []model.EventType
	// ActivityDumpCgroupDumpTimeout defines the cgroup activity dumps timeout.
	ActivityDumpCgroupDumpTimeout time.Duration
	// ActivityDumpRateLimiter defines the kernel rate of max events per sec for activity dumps.
	ActivityDumpRateLimiter uint16
	// ActivityDumpCgroupWaitListTimeout defines the time to wait before a cgroup can be dumped again.
	ActivityDumpCgroupWaitListTimeout time.Duration
	// ActivityDumpCgroupDifferentiateArgs defines if system-probe should differentiate process nodes using process
	// arguments for dumps.
	ActivityDumpCgroupDifferentiateArgs bool
	// ActivityDumpLocalStorageDirectory defines the output directory for the activity dumps and graphs. Leave
	// this field empty to prevent writing any output to disk.
	ActivityDumpLocalStorageDirectory string
	// ActivityDumpLocalStorageFormats defines the formats that should be used to persist the activity dumps locally.
	ActivityDumpLocalStorageFormats []StorageFormat
	// ActivityDumpLocalStorageCompression defines if the local storage should compress the persisted data.
	ActivityDumpLocalStorageCompression bool
	// ActivityDumpLocalStorageMaxDumpsCount defines the maximum count of activity dumps that should be kept locally.
	// When the limit is reached, the oldest dumps will be deleted first.
	ActivityDumpLocalStorageMaxDumpsCount int
	// ActivityDumpSyscallMonitorPeriod defines the minimum amount of time to wait between 2 syscalls event for the same
	// process.
	ActivityDumpSyscallMonitorPeriod time.Duration
	// ActivityDumpMaxDumpCountPerWorkload defines the maximum amount of dumps that the agent should send for a workload
	ActivityDumpMaxDumpCountPerWorkload int
	// ActivityDumpWorkloadDenyList defines the list of workloads for which we shouldn't generate dumps. Workloads should
	// be provided as strings in the following format "{image_name}:[{image_tag}|*]". If "*" is provided instead of a
	// specific image tag, then the entry will match any workload with the input {image_name} regardless of their tag.
	ActivityDumpWorkloadDenyList []string
	// ActivityDumpTagRulesEnabled enables the tagging of nodes with matched rules
	ActivityDumpTagRulesEnabled bool
	// ActivityDumpSilentWorkloadsDelay defines the minimum amount of time to wait before the activity dump manager will start tracing silent workloads
	ActivityDumpSilentWorkloadsDelay time.Duration
	// ActivityDumpSilentWorkloadsTicker configures the ticker that will check if a workload is silent and should be traced
	ActivityDumpSilentWorkloadsTicker time.Duration
	// ActivityDumpAutoSuppressionEnabled defines if events that are part of an activity dump should not be sent
	ActivityDumpAutoSuppressionEnabled bool
	// # Dynamic configuration fields:
	// ActivityDumpMaxDumpSize defines the maximum size of a dump. It is a callback rather than a value so that
	// it can be re-evaluated at runtime; the lower bound is ADMinMaxDumSize.
	ActivityDumpMaxDumpSize func() int
	// SecurityProfileEnabled defines if the Security Profile manager should be enabled
	SecurityProfileEnabled bool
	// SecurityProfileMaxImageTags defines the maximum number of profile versions to maintain
	SecurityProfileMaxImageTags int
	// SecurityProfileDir defines the directory in which Security Profiles are stored
	SecurityProfileDir string
	// SecurityProfileWatchDir defines if the Security Profiles directory should be monitored
	SecurityProfileWatchDir bool
	// SecurityProfileCacheSize defines the count of Security Profiles held in cache
	SecurityProfileCacheSize int
	// SecurityProfileMaxCount defines the maximum number of Security Profiles that may be evaluated concurrently
	SecurityProfileMaxCount int
	// SecurityProfileDNSMatchMaxDepth defines the max depth of subdomain to be matched for DNS anomaly detection (0 to match everything)
	SecurityProfileDNSMatchMaxDepth int
	// SecurityProfileNodeEvictionTimeout defines the timeout after which non-touched nodes are evicted from profiles
	SecurityProfileNodeEvictionTimeout time.Duration
	// SecurityProfileAutoSuppressionEnabled defines if events that are part of a profile should not be sent
	SecurityProfileAutoSuppressionEnabled bool
	// SecurityProfileAutoSuppressionEventTypes defines the list of event types that can be auto suppressed using security profiles
	SecurityProfileAutoSuppressionEventTypes []model.EventType
	// AnomalyDetectionEventTypes defines the list of events that should be allowed to generate anomaly detections
	AnomalyDetectionEventTypes []model.EventType
	// AnomalyDetectionDefaultMinimumStablePeriod defines the default minimum amount of time during which the events
	// that diverge from their profiles are automatically added in their profiles without triggering an anomaly detection
	// event.
	AnomalyDetectionDefaultMinimumStablePeriod time.Duration
	// AnomalyDetectionMinimumStablePeriods defines the minimum amount of time per event type during which the events
	// that diverge from their profiles are automatically added in their profiles without triggering an anomaly detection
	// event. Per-type lookups with a fallback to the default go through GetAnomalyDetectionMinimumStablePeriod.
	AnomalyDetectionMinimumStablePeriods map[model.EventType]time.Duration
	// AnomalyDetectionUnstableProfileTimeThreshold defines the maximum amount of time to wait until a profile that
	// hasn't reached a stable state is considered as unstable.
	AnomalyDetectionUnstableProfileTimeThreshold time.Duration
	// AnomalyDetectionUnstableProfileSizeThreshold defines the maximum size a profile can reach past which it is
	// considered unstable
	AnomalyDetectionUnstableProfileSizeThreshold int64
	// AnomalyDetectionWorkloadWarmupPeriod defines the duration during which anomaly detections are ignored
	// because of workload warm up
	AnomalyDetectionWorkloadWarmupPeriod time.Duration
	// AnomalyDetectionRateLimiterPeriod is the duration during which a limited number of anomaly detection events are allowed
	AnomalyDetectionRateLimiterPeriod time.Duration
	// AnomalyDetectionRateLimiterNumEventsAllowed is the number of anomaly detection events allowed per duration by the rate limiter
	AnomalyDetectionRateLimiterNumEventsAllowed int
	// AnomalyDetectionRateLimiterNumKeys is the number of keys in the rate limiter
	AnomalyDetectionRateLimiterNumKeys int
	// AnomalyDetectionTagRulesEnabled defines if the events that triggered anomaly detections should be tagged with the
	// rules they might have matched.
	AnomalyDetectionTagRulesEnabled bool
	// AnomalyDetectionSilentRuleEventsEnabled defines if rule events should be dropped when they are also part of an anomaly event
	AnomalyDetectionSilentRuleEventsEnabled bool
	// AnomalyDetectionEnabled defines if we should send anomaly detection events
	AnomalyDetectionEnabled bool
	// SBOMResolverEnabled defines if the SBOM resolver should be enabled
	SBOMResolverEnabled bool
	// SBOMResolverWorkloadsCacheSize defines the count of SBOMs to keep in memory in order to prevent re-computing
	// the SBOMs of short-lived and periodical workloads
	SBOMResolverWorkloadsCacheSize int
	// SBOMResolverHostEnabled defines if the SBOM resolver should compute the host's SBOM
	SBOMResolverHostEnabled bool
	// HashResolverEnabled defines if the hash resolver should be enabled
	HashResolverEnabled bool
	// HashResolverMaxFileSize defines the maximum size of the files that the hash resolver is allowed to hash;
	// this bounds the I/O and CPU spent hashing a single file
	HashResolverMaxFileSize int64
	// HashResolverMaxHashRate defines the rate at which the hash resolver may compute hashes
	HashResolverMaxHashRate int
	// HashResolverHashAlgorithms defines the hashes that the hash resolver needs to compute
	HashResolverHashAlgorithms []model.HashAlgorithm
	// HashResolverEventTypes defines the list of event types for which files may be hashed
	HashResolverEventTypes []model.EventType
	// HashResolverCacheSize defines the number of hashes to keep in cache
	HashResolverCacheSize int
	// HashResolverReplace is used to apply a specific hash to a specific file path (map key: path, value: hash —
	// inferred from the description, confirm)
	HashResolverReplace map[string]string
	// SysCtlEnabled defines if the sysctl event should be enabled
	SysCtlEnabled bool
	// SysCtlEBPFEnabled defines if the sysctl eBPF collection should be enabled
	SysCtlEBPFEnabled bool
	// SysCtlSnapshotEnabled defines if the sysctl snapshot feature should be enabled
	SysCtlSnapshotEnabled bool
	// SysCtlSnapshotPeriod defines at which time interval a new snapshot of sysctl parameters should be sent
	SysCtlSnapshotPeriod time.Duration
	// SysCtlSnapshotIgnoredBaseNames defines the list of basenames that should be ignored from the snapshot
	SysCtlSnapshotIgnoredBaseNames []string
	// SysCtlSnapshotKernelCompilationFlags defines the list of kernel compilation flags that should be collected by the agent
	SysCtlSnapshotKernelCompilationFlags map[string]uint8
	// UserSessionsCacheSize defines the size of the User Sessions cache
	UserSessionsCacheSize int
	// EBPFLessEnabled enables the ebpfless probe
	EBPFLessEnabled bool
	// EBPFLessSocket defines the socket used for the communication between system-probe and the ebpfless source
	EBPFLessSocket string
	// Enforcement capabilities
	// EnforcementEnabled defines if the enforcement capability should be enabled
	EnforcementEnabled bool
	// EnforcementRawSyscallEnabled defines if the enforcement should be performed using the sys_enter tracepoint
	EnforcementRawSyscallEnabled bool
	// EnforcementBinaryExcluded lists binaries that enforcement must never act on (inferred from the name — confirm)
	EnforcementBinaryExcluded []string
	// EnforcementRuleSourceAllowed lists the rule sources whose rules are allowed to carry enforcement actions
	// (inferred from the name — confirm)
	EnforcementRuleSourceAllowed []string
	// EnforcementDisarmerContainerEnabled defines if an enforcement rule should be disarmed when hitting too many different containers
	EnforcementDisarmerContainerEnabled bool
	// EnforcementDisarmerContainerMaxAllowed defines the maximum number of different containers that can trigger an enforcement rule
	// within a period before the enforcement is disarmed for this rule
	EnforcementDisarmerContainerMaxAllowed int
	// EnforcementDisarmerContainerPeriod defines the period during which EnforcementDisarmerContainerMaxAllowed is checked
	EnforcementDisarmerContainerPeriod time.Duration
	// EnforcementDisarmerExecutableEnabled defines if an enforcement rule should be disarmed when hitting too many different executables
	EnforcementDisarmerExecutableEnabled bool
	// EnforcementDisarmerExecutableMaxAllowed defines the maximum number of different executables that can trigger an enforcement rule
	// within a period before the enforcement is disarmed for this rule
	EnforcementDisarmerExecutableMaxAllowed int
	// EnforcementDisarmerExecutablePeriod defines the period during which EnforcementDisarmerExecutableMaxAllowed is checked
	EnforcementDisarmerExecutablePeriod time.Duration
	// WindowsFilenameCacheSize is the max number of filenames to cache
	WindowsFilenameCacheSize int
	// WindowsRegistryCacheSize is the max number of registry paths to cache
	WindowsRegistryCacheSize int
	// ETWEventsChannelSize is the windows specific ETW channel buffer size
	ETWEventsChannelSize int
	// ETWEventsMaxBuffers sets the maximum buffers argument passed to ETW
	ETWEventsMaxBuffers int
	// WindowsProbeBlockOnChannelSend defines if the windows probe should block when sending on its event channel
	// (the previous comment named this field WindowsProbeChannelUnbuffered — confirm the intended semantics)
	WindowsProbeBlockOnChannelSend bool
	// WindowsWriteEventRateLimiterMaxAllowed is the maximum number of write events allowed per
	// WindowsWriteEventRateLimiterPeriod (inferred from the name — confirm)
	WindowsWriteEventRateLimiterMaxAllowed int
	// WindowsWriteEventRateLimiterPeriod is the period over which WindowsWriteEventRateLimiterMaxAllowed is applied
	// (inferred from the name — confirm)
	WindowsWriteEventRateLimiterPeriod time.Duration
	// IMDSIPv4 is used to provide a custom IP address for the IMDS endpoint, stored as a uint32
	// (byte order not shown here — confirm against the code that sets and reads it)
	IMDSIPv4 uint32
	// EventGRPCServer defines which process should be used to send events and activity dumps
	EventGRPCServer string
	// SendPayloadsFromSystemProbe defines whether the events and activity dumps are sent directly from system-probe
	SendPayloadsFromSystemProbe bool
	// FileMetadataResolverEnabled defines if the file metadata resolver is enabled
	FileMetadataResolverEnabled bool
}
RuntimeSecurityConfig holds the configuration for the runtime security agent
func NewRuntimeSecurityConfig ¶
func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error)
NewRuntimeSecurityConfig returns the runtime security (CWS) config, built from the system-probe one
func (*RuntimeSecurityConfig) GetAnomalyDetectionMinimumStablePeriod ¶
func (c *RuntimeSecurityConfig) GetAnomalyDetectionMinimumStablePeriod(eventType model.EventType) time.Duration
GetAnomalyDetectionMinimumStablePeriod returns the minimum stable period for a given event type
func (*RuntimeSecurityConfig) IsRuntimeEnabled ¶
func (c *RuntimeSecurityConfig) IsRuntimeEnabled() bool
IsRuntimeEnabled returns true if any feature is enabled. The same check has to be applied in the config package too.
func (*RuntimeSecurityConfig) IsSysctlEventEnabled ¶
func (c *RuntimeSecurityConfig) IsSysctlEventEnabled() bool
IsSysctlEventEnabled returns whether the sysctl event is enabled
func (*RuntimeSecurityConfig) IsSysctlSnapshotEnabled ¶
func (c *RuntimeSecurityConfig) IsSysctlSnapshotEnabled() bool
IsSysctlSnapshotEnabled returns whether the sysctl snapshot feature is enabled
type StorageFormat ¶
// StorageFormat is used to define the format of a dump; see the JSON, Protobuf, Dot and Profile constants.
type StorageFormat int
StorageFormat is used to define the format of a dump
const (
	// JSON is used to request the JSON format
	JSON StorageFormat = iota // json
	// Protobuf is used to request the protobuf format
	Protobuf // protobuf
	// Dot is used to request the dot format
	Dot // dot
	// Profile is used to request the generation of a profile
	Profile // profile
)
func AllStorageFormats ¶
func AllStorageFormats() []StorageFormat
AllStorageFormats returns the list of supported formats
func ParseStorageFormat ¶
func ParseStorageFormat(input string) (StorageFormat, error)
ParseStorageFormat returns a storage format from a string input
func ParseStorageFormats ¶
func ParseStorageFormats(input []string) ([]StorageFormat, error)
ParseStorageFormats returns a list of storage formats from a list of strings
func (StorageFormat) String ¶
func (i StorageFormat) String() string
type StorageRequest ¶
// StorageRequest is used to request a type of storage for a dump.
type StorageRequest struct {
	// Type selects the storage type (LocalStorage or RemoteStorage)
	Type StorageType
	// Format selects the dump format (see StorageFormat)
	Format StorageFormat
	// Compression defines if the persisted data should be compressed
	Compression bool
	// LocalStorage specific parameters
	// OutputDirectory is the directory in which the dump is written when Type is LocalStorage
	OutputDirectory string
}
StorageRequest is used to request a type of storage for a dump
func NewStorageRequest ¶
func NewStorageRequest(storageType StorageType, format StorageFormat, compression bool, outputDirectory string) StorageRequest
NewStorageRequest returns a new StorageRequest instance
func ParseStorageRequests ¶
func ParseStorageRequests(requests *api.StorageRequestParams) ([]StorageRequest, error)
ParseStorageRequests parses storage requests from a gRPC call
func (*StorageRequest) GetOutputPath ¶
func (sr *StorageRequest) GetOutputPath(filename string) string
GetOutputPath returns the output path to the file in the storage
func (*StorageRequest) ToStorageRequestMessage ¶
func (sr *StorageRequest) ToStorageRequestMessage(filename string) *api.StorageRequestMessage
ToStorageRequestMessage returns an api.StorageRequestMessage from the StorageRequest
type StorageType ¶
// StorageType is used to define the type of storage; see the LocalStorage and RemoteStorage constants.
type StorageType int
StorageType is used to define the type of storage
const (
	// LocalStorage is used to request a local storage
	LocalStorage StorageType = iota // local_storage
	// RemoteStorage is used to request a remote storage
	RemoteStorage // remote_storage
)
func AllStorageTypes ¶
func AllStorageTypes() []StorageType
AllStorageTypes returns the list of supported storage types
func ParseStorageType ¶
func ParseStorageType(input string) (StorageType, error)
ParseStorageType returns a storage type from its string representation
func (StorageType) String ¶
func (i StorageType) String() string