events

package

v0.0.0-...-1dd94e2 Latest Latest Go to latest Published: Apr 26, 2024 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/DataDog/datadog-agent

Documentation ¶

Overview ¶

Package events holds events related files

Package events holds events related files ¶

Package events holds events related files

Index ¶

Constants
func AllCustomRuleIDs() []string
func NewCustomRule(id eval.RuleID, description string) *rules.Rule
type AgentContext
- func (v AgentContext) MarshalEasyJSON(w *jwriter.Writer)
- func (v *AgentContext) UnmarshalEasyJSON(l *jlexer.Lexer)
type AnomalyDetectionLimiter
- func NewAnomalyDetectionLimiter(numWorkloads int, numEventsAllowedPerPeriod int, period time.Duration) (*AnomalyDetectionLimiter, error)
- func (al *AnomalyDetectionLimiter) Allow(event Event) bool
- func (al *AnomalyDetectionLimiter) SwapStats() []utils.LimiterStat
type BackendEvent
- func (v BackendEvent) MarshalEasyJSON(w *jwriter.Writer)
- func (v *BackendEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
type CustomEvent
- func NewCustomEvent(eventType model.EventType, marshaler EventMarshaler, tags ...string) *CustomEvent
- func NewCustomEventLazy(eventType model.EventType, marshalerCtor func() EventMarshaler, tags ...string) *CustomEvent
- func (ce *CustomEvent) Clone() CustomEvent
- func (ce *CustomEvent) GetActionReports() []model.ActionReport
- func (ce *CustomEvent) GetEventType() model.EventType
- func (ce *CustomEvent) GetTags() []string
- func (ce *CustomEvent) GetType() string
- func (ce *CustomEvent) GetWorkloadID() string
- func (ce *CustomEvent) MarshalJSON() ([]byte, error)
type CustomEventCommonFields
- func (commonFields *CustomEventCommonFields) FillCustomEventCommonFields()
type Event
type EventMarshaler
type EventSender
type Limiter
type RateLimiter
- func NewRateLimiter(config *config.RuntimeSecurityConfig, client statsd.ClientInterface) *RateLimiter
- func (rl *RateLimiter) Allow(ruleID string, event Event) bool
- func (rl *RateLimiter) Apply(ruleSet *rules.RuleSet, customRuleIDs []eval.RuleID)
- func (rl *RateLimiter) GetStats() map[string][]utils.LimiterStat
- func (rl *RateLimiter) SendStats() error
type StdLimiter
- func NewStdLimiter(limit rate.Limit, burst int) *StdLimiter
- func (l *StdLimiter) Allow(_ Event) bool
- func (l *StdLimiter) SwapStats() []utils.LimiterStat

Constants ¶

View Source

const (
	// ServiceName is the service tag of the custom event types defined in this package
	ServiceName = "runtime-security-agent"

	// LostEventsRuleID is the rule ID for the lost_events_* events
	LostEventsRuleID = "lost_events"
	//LostEventsRuleDesc is the rule description for the lost_events_* events
	LostEventsRuleDesc = "Lost events"

	// RulesetLoadedRuleID is the rule ID for the ruleset_loaded events
	RulesetLoadedRuleID = "ruleset_loaded"
	// RulesetLoadedRuleDesc is the rule description for the ruleset_loaded events
	RulesetLoadedRuleDesc = "New ruleset loaded"

	// HeartbeatRuleID is the rule ID for the heartbeat events
	HeartbeatRuleID = "heartbeat"
	// HeartbeatRuleDesc is the rule description for the heartbeat events
	HeartbeatRuleDesc = "Heartbeat"

	// AbnormalPathRuleID is the rule ID for the abnormal_path events
	AbnormalPathRuleID = "abnormal_path"
	// AbnormalPathRuleDesc is the rule description for the abnormal_path events
	AbnormalPathRuleDesc = "Abnormal path detected"

	// SelfTestRuleID is the rule ID for the self_test events
	SelfTestRuleID = "self_test"
	// SelfTestRuleDesc is the rule description for the self_test events
	SelfTestRuleDesc = "Self tests result"

	// AnomalyDetectionRuleID is the rule ID for anomaly_detection events
	AnomalyDetectionRuleID = "anomaly_detection"
	// AnomalyDetectionRuleDesc is the rule description for anomaly_detection events
	AnomalyDetectionRuleDesc = "Anomaly detection"

	// NoProcessContextErrorRuleID is the rule ID for events without process context
	NoProcessContextErrorRuleID = "no_process_context"
	// NoProcessContextErrorRuleDesc is the rule description for events without process context
	NoProcessContextErrorRuleDesc = "No process context detected"

	// BrokenProcessLineageErrorRuleID is the rule ID for events with a broken process lineage
	BrokenProcessLineageErrorRuleID = "broken_process_lineage"
	// BrokenProcessLineageErrorRuleDesc is the rule description for events with a broken process lineage
	BrokenProcessLineageErrorRuleDesc = "Broken process lineage detected"

	// RefreshUserCacheRuleID is the rule ID used to refresh users and groups cache
	RefreshUserCacheRuleID = "refresh_user_cache"

	// EBPFLessHelloMessageRuleID is the rule ID used when a hello message is received
	EBPFLessHelloMessageRuleID = "ebpfless_hello_msg"
	// EBPFLessHelloMessageRuleDesc is the rule description for the hello msg event
	EBPFLessHelloMessageRuleDesc = "Hello message received"
)

Variables ¶

This section is empty.

Functions ¶

func AllCustomRuleIDs ¶

func AllCustomRuleIDs() []string

AllCustomRuleIDs returns the list of custom rule IDs

func NewCustomRule ¶

func NewCustomRule(id eval.RuleID, description string) *rules.Rule

NewCustomRule returns a new custom rule

Types ¶

type AgentContext ¶

type AgentContext struct {
	RuleID        string            `json:"rule_id"`
	RuleVersion   string            `json:"rule_version,omitempty"`
	RuleActions   []json.RawMessage `json:"rule_actions,omitempty"`
	PolicyName    string            `json:"policy_name,omitempty"`
	PolicyVersion string            `json:"policy_version,omitempty"`
	Version       string            `json:"version,omitempty"`
	OS            string            `json:"os,omitempty"`
	Arch          string            `json:"arch,omitempty"`
	Origin        string            `json:"origin,omitempty"`
}

AgentContext serializes the agent context to JSON easyjson:json

func (AgentContext) MarshalEasyJSON ¶

func (v AgentContext) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*AgentContext) UnmarshalEasyJSON ¶

func (v *AgentContext) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type AnomalyDetectionLimiter ¶

type AnomalyDetectionLimiter struct {
	// contains filtered or unexported fields
}

AnomalyDetectionLimiter limiter specific to anomaly detection

func NewAnomalyDetectionLimiter ¶

func NewAnomalyDetectionLimiter(numWorkloads int, numEventsAllowedPerPeriod int, period time.Duration) (*AnomalyDetectionLimiter, error)

NewAnomalyDetectionLimiter returns a new rate limiter which is bucketed by workload ID

func (*AnomalyDetectionLimiter) Allow ¶

func (al *AnomalyDetectionLimiter) Allow(event Event) bool

Allow returns whether the event is allowed

func (*AnomalyDetectionLimiter) SwapStats ¶

func (al *AnomalyDetectionLimiter) SwapStats() []utils.LimiterStat

SwapStats return dropped and allowed stats

type BackendEvent ¶

type BackendEvent struct {
	AgentContext `json:"agent"`
	Title        string `json:"title"`
}

BackendEvent - Rule event wrapper used to send an event to the backend easyjson:json

func (BackendEvent) MarshalEasyJSON ¶

func (v BackendEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*BackendEvent) UnmarshalEasyJSON ¶

func (v *BackendEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type CustomEvent ¶

type CustomEvent struct {
	// contains filtered or unexported fields
}

CustomEvent is used to send custom security events to Datadog

func NewCustomEvent ¶

func NewCustomEvent(eventType model.EventType, marshaler EventMarshaler, tags ...string) *CustomEvent

NewCustomEvent returns a new custom event

func NewCustomEventLazy ¶

func NewCustomEventLazy(eventType model.EventType, marshalerCtor func() EventMarshaler, tags ...string) *CustomEvent

NewCustomEventLazy returns a new custom event

func (*CustomEvent) Clone ¶

func (ce *CustomEvent) Clone() CustomEvent

Clone returns a copy of the current CustomEvent

func (*CustomEvent) GetActionReports ¶

func (ce *CustomEvent) GetActionReports() []model.ActionReport

GetActionReports returns reports of the action triggered

func (*CustomEvent) GetEventType ¶

func (ce *CustomEvent) GetEventType() model.EventType

GetEventType returns the event type

func (*CustomEvent) GetTags ¶

func (ce *CustomEvent) GetTags() []string

GetTags returns the tags of the custom event

func (*CustomEvent) GetType ¶

func (ce *CustomEvent) GetType() string

GetType returns the type of the custom event as a string

func (*CustomEvent) GetWorkloadID ¶

func (ce *CustomEvent) GetWorkloadID() string

GetWorkloadID returns the workload id

func (*CustomEvent) MarshalJSON ¶

func (ce *CustomEvent) MarshalJSON() ([]byte, error)

MarshalJSON marshals the custom event to JSON using easyJSON

type CustomEventCommonFields ¶

type CustomEventCommonFields struct {
	Timestamp time.Time `json:"date"`
	Service   string    `json:"service"`
}

CustomEventCommonFields represents the fields common to all custom events

func (*CustomEventCommonFields) FillCustomEventCommonFields ¶

func (commonFields *CustomEventCommonFields) FillCustomEventCommonFields()

FillCustomEventCommonFields fills the common fields with default values

type Event ¶

type Event interface {
	GetWorkloadID() string
	GetTags() []string
	GetType() string
	GetActionReports() []model.ActionReport
}

Event is the interface that an event must implement to be sent to the backend

type EventMarshaler ¶

type EventMarshaler interface {
	ToJSON() ([]byte, error)
}

EventMarshaler defines an abstract json marshaller

type EventSender ¶

type EventSender interface {
	SendEvent(rule *rules.Rule, event Event, extTagsCb func() []string, service string)
}

EventSender defines an event sender

type Limiter ¶

type Limiter interface {
	Allow(event Event) bool
	SwapStats() []utils.LimiterStat
}

Limiter defines a limiter interface

type RateLimiter ¶

type RateLimiter struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

RateLimiter describes a set of rule rate limiters

func NewRateLimiter ¶

func NewRateLimiter(config *config.RuntimeSecurityConfig, client statsd.ClientInterface) *RateLimiter

NewRateLimiter initializes an empty rate limiter

func (*RateLimiter) Allow ¶

func (rl *RateLimiter) Allow(ruleID string, event Event) bool

Allow returns true if a specific rule shall be allowed to sent a new event

func (*RateLimiter) Apply ¶

func (rl *RateLimiter) Apply(ruleSet *rules.RuleSet, customRuleIDs []eval.RuleID)

Apply a set of rules

func (*RateLimiter) GetStats ¶

func (rl *RateLimiter) GetStats() map[string][]utils.LimiterStat

GetStats returns a map indexed by ids that describes the amount of events that were dropped because of the rate limiter

func (*RateLimiter) SendStats ¶

func (rl *RateLimiter) SendStats() error

SendStats sends statistics about the number of sent and drops events for the set of rules

type StdLimiter ¶

type StdLimiter struct {
	// contains filtered or unexported fields
}

StdLimiter describes an object that applies limits on the rate of triggering of a rule to ensure we don't overflow with too permissive rules

func NewStdLimiter ¶

func NewStdLimiter(limit rate.Limit, burst int) *StdLimiter

NewStdLimiter returns a new rule limiter

func (*StdLimiter) Allow ¶

func (l *StdLimiter) Allow(_ Event) bool

Allow returns whether the event is allowed

func (*StdLimiter) SwapStats ¶

func (l *StdLimiter) SwapStats() []utils.LimiterStat

SwapStats returns the dropped and allowed stats, and zeros the stats

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL