[CWS] Report rule actions in events #20960
Conversation
force-pushed from 7fcd3cb to 7cf2a38
force-pushed from 66bfdc7 to 2064280
No docs review needed.
pkg/security/events/event.go (Outdated)

```go
	Arch        string                   `json:"arch,omitempty"`
	RuleID      string                   `json:"rule_id"`
	RuleVersion string                   `json:"rule_version,omitempty"`
	RuleActions []map[string]interface{} `json:"rule_actions,omitempty"`
```
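Review bot: `rule_actions` carries `omitempty`, so an event for a rule with no actions is serialised without the key at all, while `rule_id` is always present; document that backend consumers must treat a missing `rule_actions` as "no actions" rather than as a malformed event. Typing the field as `[]map[string]interface{}` also means nothing checks the shape of each action at compile time or on decode; a small struct per action (even one with a single string field, as the reply below proposes) would give the backend a stable contract.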
I'm not a fan of `map[string]interface{}`; why not use a real struct type? This would simplify the SendEvent later down.
LGTM!
I think we can simply use a string instead of an interface, unless you have something in mind. But overall it doesn't change anything for the backend and more specifically the kill action, so we can always revisit later if need be.
force-pushed from 2064280 to 71e8847
What does this PR do?
Report the actions associated with the triggered rule in the event sent to the backend.
Motivation
Actions are not part of the sent event, which makes it necessary to correlate with remote config to match the event with the rule actions.
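The following is an added example, not code from this PR or from the datadog-agent repository. It reproduces the four fields visible in the review snippet of `pkg/security/events/event.go` and shows what the description above means in practice: once the actions travel inside the event, a consumer can read them from the payload alone, without a round trip to remote config. It also illustrates the type discussion from the review thread by giving `RuleActions` a typed element instead of `map[string]interface{}`. The `RuleAction` struct, its `kind`/`signal` fields, the sample rule IDs and the malformed payload are all assumptions constructed for this example; they are not the project's schema.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// RuleAction is an assumed typed form of one rule action. The PR itself uses
// []map[string]interface{}; the field names here are illustrative only.
type RuleAction struct {
	Kind   string `json:"kind"`             // e.g. "kill" (assumed)
	Signal string `json:"signal,omitempty"` // e.g. "SIGKILL" (assumed)
}

// Event mirrors the fields shown in the review snippet, with RuleActions typed.
type Event struct {
	Arch        string       `json:"arch,omitempty"`
	RuleID      string       `json:"rule_id"`
	RuleVersion string       `json:"rule_version,omitempty"`
	RuleActions []RuleAction `json:"rule_actions,omitempty"`
}

// EncodeEvent serialises an event into the JSON payload carried to the backend.
func EncodeEvent(ev Event) ([]byte, error) {
	return json.Marshal(ev)
}

// HasRuleActions reports whether a payload carries the rule_actions key at all.
// Because of omitempty, a rule with no actions produces no key, so a consumer
// must treat absence as "no actions", not as a malformed event.
func HasRuleActions(payload []byte) (bool, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(payload, &raw); err != nil {
		return false, err
	}
	_, ok := raw["rule_actions"]
	return ok, nil
}

// DecodeEventStrict parses a payload into the typed Event and rejects any
// field the schema does not declare. A map[string]interface{} would accept a
// misspelled action key silently; the typed struct surfaces it at decode time.
func DecodeEventStrict(payload []byte) (Event, error) {
	var ev Event
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&ev); err != nil {
		return Event{}, err
	}
	return ev, nil
}

func main() {
	// Constructed samples: one rule carrying a kill action, one carrying none.
	withKill := Event{
		Arch: "amd64", RuleID: "kill_on_exec", RuleVersion: "1",
		RuleActions: []RuleAction{{Kind: "kill", Signal: "SIGKILL"}},
	}
	noAction := Event{RuleID: "audit_only"}

	for _, ev := range []Event{withKill, noAction} {
		b, err := EncodeEvent(ev)
		if err != nil {
			panic(err)
		}
		has, _ := HasRuleActions(b)
		fmt.Printf("%s  (rule_actions present: %v)\n", b, has)
	}

	// Constructed malformed payload: "signl" is a typo for "signal".
	bad := []byte(`{"rule_id":"kill_on_exec","rule_actions":[{"kind":"kill","signl":"SIGKILL"}]}`)
	if _, err := DecodeEventStrict(bad); err != nil {
		fmt.Println("strict decode rejected payload:", err)
	}
}
```

The consumer-side checks (`HasRuleActions`, `DecodeEventStrict`) are the part worth keeping in mind when reviewing the PR: the producer decides the shape of `rule_actions`, but whatever the backend does with a kill action, it has to cope with the key being absent and with action objects it does not recognise.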
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes
Reviewer's Checklist
- Triage milestone is set.
- The major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer facing change use a releasenote.
- The changelog/no-changelog label has been applied.
- The qa/skip-qa label is not applied.
- The team/.. label has been applied, indicating the team(s) that should QA this change.
- The need-change/operator and need-change/helm labels have been applied.
- The k8s/<min-version> label, indicating the lowest Kubernetes version compatible with this feature.