Report rule actions in events

DataDog · Nov 20, 2023 · 7cf2a38 · 7cf2a38
1 parent aaecb26
commit 7cf2a38
Show file tree

Hide file tree

Showing 5 changed files with 164 additions and 11 deletions.
diff --git a/docs/cloud-workload-security/backend.schema.json b/docs/cloud-workload-security/backend.schema.json
@@ -2,6 +2,10 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://github.com/DataDog/datadog-agent/pkg/security/serializers/event",
   "$defs": {
+    "ActionRule": {
+      "type": "object",
+      "description": "ActionRuleSerializer serializes a rule action context to JSON"
+    },
     "AnomalyDetectionSyscallEvent": {
       "properties": {
         "syscall": {
@@ -592,6 +596,13 @@
         "policy_version": {
           "type": "string",
           "description": "Version of the policy that introduced the rule"
+        },
+        "actions": {
+          "items": {
+            "$ref": "#/$defs/ActionRule"
+          },
+          "type": "array",
+          "description": "Actions triggered"
         }
       },
       "additionalProperties": false,

diff --git a/pkg/security/rules/engine.go b/pkg/security/rules/engine.go
@@ -379,7 +379,31 @@ func (e *RuleEngine) RuleMatch(rule *rules.Rule, event eval.Event) bool {
 	ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.ContainerContext)
 
 	if ev.ContainerContext.ID != "" && (e.config.ActivityDumpTagRulesEnabled || e.config.AnomalyDetectionTagRulesEnabled) {
-		ev.Rules = append(ev.Rules, model.NewMatchedRule(rule.Definition.ID, rule.Definition.Version, rule.Definition.Tags, rule.Definition.Policy.Name, rule.Definition.Policy.Version))
+		ruleActions := make([]map[string]interface{}, 0, len(rule.Definition.Actions))
+
+		for _, action := range rule.Definition.Actions {
+			switch {
+			case action.Kill != nil:
+				ruleActions = append(ruleActions, map[string]interface{}{"name": "kill", "signal": action.Kill.Signal})
+			case action.Set != nil:
+				ruleAction := map[string]interface{}{"name": "set"}
+				if action.Set.Value != nil {
+					ruleAction["value"] = action.Set.Value
+				}
+				if action.Set.Field != "" {
+					ruleAction["field"] = action.Set.Field
+				}
+				if action.Set.Append {
+					ruleAction["append"] = action.Set.Append
+				}
+				if action.Set.Scope != "" {
+					ruleAction["scope"] = string(action.Set.Scope)
+				}
+				ruleActions = append(ruleActions, ruleAction)
+
+			}
+		}
+		ev.Rules = append(ev.Rules, model.NewMatchedRule(rule.Definition.ID, rule.Definition.Version, rule.Definition.Tags, ruleActions, rule.Definition.Policy.Name, rule.Definition.Policy.Version))
 	}
 
 	// do not send event if a anomaly detection event will be sent

diff --git a/pkg/security/secl/model/model.go b/pkg/security/secl/model/model.go
@@ -375,16 +375,18 @@ type MatchedRule struct {
 	RuleID        string
 	RuleVersion   string
 	RuleTags      map[string]string
+	RuleActions   []map[string]interface{}
 	PolicyName    string
 	PolicyVersion string
 }
 
 // NewMatchedRule return a new MatchedRule instance
-func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule {
+func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, ruleActions []map[string]interface{}, policyName, policyVersion string) *MatchedRule {
 	return &MatchedRule{
 		RuleID:        ruleID,
 		RuleVersion:   ruleVersion,
 		RuleTags:      ruleTags,
+		RuleActions:   ruleActions,
 		PolicyName:    policyName,
 		PolicyVersion: policyVersion,
 	}

diff --git a/pkg/security/serializers/serializers_base.go b/pkg/security/serializers/serializers_base.go
@@ -35,8 +35,14 @@ type MatchedRuleSerializer struct {
 	PolicyName string `json:"policy_name,omitempty"`
 	// Version of the policy that introduced the rule
 	PolicyVersion string `json:"policy_version,omitempty"`
+	// Actions triggered
+	Actions []ActionRuleSerializer `json:"actions,omitempty"`
 }
 
+// ActionRuleSerializer serializes a rule action context to JSON
+// easyjson:json
+type ActionRuleSerializer map[string]interface{}
+
 // EventContextSerializer serializes an event context to JSON
 // easyjson:json
 type EventContextSerializer struct {
@@ -161,11 +167,17 @@ func newMatchedRulesSerializer(r *model.MatchedRule) MatchedRuleSerializer {
 		PolicyName:    r.PolicyName,
 		PolicyVersion: r.PolicyVersion,
 		Tags:          make([]string, 0, len(r.RuleTags)),
+		Actions:       make([]ActionRuleSerializer, 0, len(r.RuleActions)),
 	}
 
 	for tagName, tagValue := range r.RuleTags {
 		mrs.Tags = append(mrs.Tags, tagName+":"+tagValue)
 	}
+
+	for _, ruleAction := range r.RuleActions {
+		mrs.Actions = append(mrs.Actions, ruleAction)
+	}
+
 	return mrs
 }
 

diff --git a/pkg/security/serializers/serializers_base_linux_easyjson.go b/pkg/security/serializers/serializers_base_linux_easyjson.go