Skip to content

Commit

Permalink
[CWS] add flag to disable anomaly detection (#21070)
Browse files Browse the repository at this point in the history
  • Loading branch information
Gui774ume authored Nov 24, 2023
1 parent a4dda34 commit e6bef49
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 11 deletions.
21 changes: 11 additions & 10 deletions pkg/config/system_probe_cws.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,10 +39,10 @@ func initCWSSystemProbeConfig(cfg Config) {
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.load_controller_period", "60s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.min_timeout", "10m")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.max_dump_size", 1750)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.traced_cgroups_count", 5)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.traced_cgroups_count", 10)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.traced_event_types", []string{"exec", "open", "dns"})
cfg.BindEnv("runtime_security_config.activity_dump.cgroup_dump_timeout") // deprecated in favor of dump_duration
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.dump_duration", "1800s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.dump_duration", "900s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.rate_limiter", 500)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.cgroup_wait_list_timeout", "4500s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.cgroup_differentiate_args", false)
Expand All @@ -69,21 +69,22 @@ func initCWSSystemProbeConfig(cfg Config) {
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.max_count", 400)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.remote_configuration.enabled", false)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.dns_match_max_depth", 3)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.auto_suppression.enabled", true)

// CWS - Anomaly detection
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.event_types", []string{"exec", "dns"})
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.default_minimum_stable_period", "48h")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.exec", "48h")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.dns", "96h")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.event_types", []string{"exec", "dns", "open"})
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.default_minimum_stable_period", "900s")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.exec", "900s")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.dns", "900s")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.workload_warmup_period", "180s")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.unstable_profile_time_threshold", "120h")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.unstable_profile_size_threshold", 5000000)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.period", "1s")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_keys", 400)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_events_allowed", 100)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.period", "5m")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_keys", 1000)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_events_allowed", 20)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.tag_rules.enabled", true)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.silent_rule_events.enabled", false)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.auto_suppression.enabled", false)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.enabled", false)

// CWS - Hash algorithms
cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.enabled", true)
Expand Down
2 changes: 2 additions & 0 deletions pkg/security/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,8 @@ type RuntimeSecurityConfig struct {
AnomalyDetectionTagRulesEnabled bool
// AnomalyDetectionSilentRuleEventsEnabled do not send rule event if also part of an anomaly event
AnomalyDetectionSilentRuleEventsEnabled bool
// AnomalyDetectionEnabled defines if we should send anomaly detection events
AnomalyDetectionEnabled bool

// SBOMResolverEnabled defines if the SBOM resolver should be enabled
SBOMResolverEnabled bool
Expand Down
4 changes: 3 additions & 1 deletion pkg/security/probe/probe_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -395,7 +395,9 @@ func (p *Probe) DispatchEvent(event *model.Event) {
if event.IsKernelSpaceAnomalyDetectionEvent() {
p.profileManagers.securityProfileManager.FillProfileContextFromContainerID(event.FieldHandlers.ResolveContainerID(event, event.ContainerContext), &event.SecurityProfileContext)
}
p.sendAnomalyDetection(event)
if p.Config.RuntimeSecurity.AnomalyDetectionEnabled {
p.sendAnomalyDetection(event)
}
} else if event.Error == nil {
// Process event after evaluation because some monitors need the DentryResolver to have been called first.
if p.profileManagers.activityDumpManager != nil {
Expand Down

0 comments on commit e6bef49

Please sign in to comment.