Report rule actions in events
lebauce committed Nov 20, 2023
1 parent aaecb26 commit 2064280
Showing 5 changed files with 117 additions and 7 deletions.
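--- a/pkg/security/events/event.go
+++ b/pkg/security/events/event.go
@@ -13,13 +13,14 @@ import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 // AgentContext serializes the agent context to JSON
 // easyjson:json
 type AgentContext struct {
-RuleID string `json:"rule_id"`
-RuleVersion string `json:"rule_version,omitempty"`
-PolicyName string `json:"policy_name,omitempty"`
-PolicyVersion string `json:"policy_version,omitempty"`
-Version string `json:"version,omitempty"`
-OS string `json:"os,omitempty"`
-Arch string `json:"arch,omitempty"`
+RuleID string `json:"rule_id"`
+RuleVersion string `json:"rule_version,omitempty"`
+RuleActions []map[string]interface{} `json:"rule_actions,omitempty"`
+PolicyName string `json:"policy_name,omitempty"`
+PolicyVersion string `json:"policy_version,omitempty"`
+Version string `json:"version,omitempty"`
+OS string `json:"os,omitempty"`
+Arch string `json:"arch,omitempty"`
 }
 
 // Signal - Rule event wrapper used to send an event to the backend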
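Review bot: `RuleActions []map[string]interface{}` on `AgentContext` leaves the wire format of `rule_actions` undocumented in the one place the backend-facing schema is declared: nothing here says which keys may appear (in this commit SendEvent writes `name`, `signal`, `field`, `value`, `append`, `scope`) or that `value` is emitted as whatever Go type the rule's `Set.Value` holds. A small typed `RuleAction` struct with `omitempty` tags would let easyjson generate a fixed encoder instead of going through the generic map/`interface{}` path, and would document the schema in code. At minimum add a field comment such as `// RuleActions lists the actions declared on the matched rule: "name" plus kind-specific keys; the value of a "set" action is emitted as-is.` The struct is visible in full within this hunk.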
83 changes: 83 additions & 0 deletions pkg/security/events/event_easyjson.go


24 changes: 24 additions & 0 deletions pkg/security/module/server.go
Expand Up @@ -259,9 +259,33 @@ func (a *APIServer) GetConfig(ctx context.Context, params *api.GetConfigParams)

// SendEvent forwards events sent by the runtime security module to Datadog
func (a *APIServer) SendEvent(rule *rules.Rule, e events.Event, extTagsCb func() []string, service string) {
ruleActions := make([]map[string]interface{}, 0, len(rule.Definition.Actions))
for _, action := range rule.Definition.Actions {
switch {
case action.Kill != nil:
ruleActions = append(ruleActions, map[string]interface{}{"name": "kill", "signal": action.Kill.Signal})
case action.Set != nil:
ruleAction := map[string]interface{}{"name": "set"}
if action.Set.Value != nil {
ruleAction["value"] = action.Set.Value
}
if action.Set.Field != "" {
ruleAction["field"] = action.Set.Field
}
if action.Set.Append {
ruleAction["append"] = action.Set.Append
}
if action.Set.Scope != "" {
ruleAction["scope"] = string(action.Set.Scope)
}
ruleActions = append(ruleActions, ruleAction)
}
}

agentContext := events.AgentContext{
RuleID: rule.Definition.ID,
RuleVersion: rule.Definition.Version,
RuleActions: ruleActions,
Version: version.AgentVersion,
OS: runtime.GOOS,
Arch: utils.RuntimeArch(),
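Review bot: The `switch` over `action` at the top of the hunk has no `default`, so an action that is neither `Kill` nor `Set` is dropped from `rule_actions` without any trace; if `rules` has or later gains another action kind, the backend will see such a rule as action-less. A `default: ruleActions = append(ruleActions, map[string]interface{}{"name": "unknown"})` (or a log line) keeps the omission visible. The slice is also rebuilt from `rule.Definition.Actions` on every SendEvent call although it depends only on the rule definition; computing it once per rule (at policy load, or lazily on the `*rules.Rule`) would keep this per-event path free of the allocations. Note that `action.Set.Value` is stored by reference, so if it is a slice or map the emitted event aliases the rule definition's value and relies on easyjson's `interface{}` fallback to encode whatever type it holds — worth a comment like `// Set.Value is passed through unchanged; it must be JSON-encodable`. SendEvent's body continues past the end of the hunk.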
1 change: 1 addition & 0 deletions pkg/security/secl/model/model.go
Expand Up @@ -375,6 +375,7 @@ type MatchedRule struct {
RuleID string
RuleVersion string
RuleTags map[string]string
RuleActions []map[string]interface{}
PolicyName string
PolicyVersion string
}
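Review bot: `RuleActions` is added to `MatchedRule`, but as far as the hunks in this commit show nothing populates it and `newMatchedRulesSerializer` in serializers_base.go is not changed to emit it, so the field appears to be dead in this change. Either wire it into `MatchedRuleSerializer` next to the `RuleTags` loop, or leave the field out until the serializer side lands; at minimum document the intent, e.g. `// RuleActions mirrors AgentContext.RuleActions; not serialized yet — TODO`. The start of the `MatchedRule` struct is outside the hunk.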
1 change: 1 addition & 0 deletions pkg/security/serializers/serializers_base.go
Expand Up @@ -166,6 +166,7 @@ func newMatchedRulesSerializer(r *model.MatchedRule) MatchedRuleSerializer {
for tagName, tagValue := range r.RuleTags {
mrs.Tags = append(mrs.Tags, tagName+":"+tagValue)
}

return mrs
}

