From 16defd061fe156c19df8f5bda8bb7cb3c734603a Mon Sep 17 00:00:00 2001 From: gui774ume Date: Wed, 26 Feb 2025 17:32:41 +0100 Subject: [PATCH] [CWS] Introducing sysctl event --- docs/cloud-workload-security/backend_linux.md | 101 ++++++ .../backend_linux.schema.json | 42 +++ .../linux_expressions.md | 83 +++++ docs/cloud-workload-security/secl_linux.json | 160 ++++++++++ .../ebpf/c/include/constants/custom.h | 11 + pkg/security/ebpf/c/include/constants/enums.h | 8 + .../ebpf/c/include/events_definition.h | 15 + pkg/security/ebpf/c/include/helpers/all.h | 1 + .../ebpf/c/include/helpers/container.h | 4 +- pkg/security/ebpf/c/include/helpers/process.h | 6 +- pkg/security/ebpf/c/include/helpers/span.h | 2 +- pkg/security/ebpf/c/include/helpers/sysctl.h | 103 +++++++ pkg/security/ebpf/c/include/hooks/all.h | 1 + pkg/security/ebpf/c/include/hooks/sysctl.h | 14 + pkg/security/ebpf/c/include/maps.h | 1 + pkg/security/ebpf/probes/all.go | 1 + pkg/security/ebpf/probes/event_types.go | 13 + pkg/security/ebpf/probes/sysctl.go | 23 ++ pkg/security/probe/probe_ebpf.go | 5 + pkg/security/secl/model/accessors_unix.go | 161 ++++++++++ pkg/security/secl/model/category.go | 3 +- pkg/security/secl/model/consts_common.go | 1 + pkg/security/secl/model/consts_darwin.go | 1 + pkg/security/secl/model/consts_linux.go | 31 ++ pkg/security/secl/model/consts_windows.go | 1 + pkg/security/secl/model/events.go | 4 + .../secl/model/field_handlers_unix.go | 1 + pkg/security/secl/model/model_unix.go | 13 + .../secl/model/unmarshallers_linux.go | 57 ++++ pkg/security/seclwin/model/consts_common.go | 1 + pkg/security/seclwin/model/consts_win.go | 1 + pkg/security/seclwin/model/events.go | 4 + pkg/security/serializers/serializers_base.go | 21 ++ .../serializers_base_linux_easyjson.go | 289 +++++++++++++----- pkg/security/serializers/serializers_linux.go | 16 + .../serializers/serializers_linux_easyjson.go | 236 +++++++++++--- 36 files changed, 1309 insertions(+), 126 deletions(-) create mode 100644 pkg/security/ebpf/c/include/helpers/sysctl.h create mode 100644 pkg/security/ebpf/c/include/hooks/sysctl.h create mode 100644 pkg/security/ebpf/probes/sysctl.go diff --git a/docs/cloud-workload-security/backend_linux.md b/docs/cloud-workload-security/backend_linux.md index 8d4a78ad43576a..6983ddeffd5315 100644 --- a/docs/cloud-workload-security/backend_linux.md +++ b/docs/cloud-workload-security/backend_linux.md @@ -1620,6 +1620,45 @@ CSM Threats event for Linux systems have the following JSON schema: ], "description": "SpliceEventSerializer serializes a splice event to JSON" }, + "SysCtlEvent": { + "properties": { + "action": { + "type": "string", + "description": "action performed on the system control parameter" + }, + "file_position": { + "type": "integer", + "description": "file_position is the position in the sysctl control parameter file at which the action occurred" + }, + "name": { + "type": "string", + "description": "name is the name of the system control parameter" + }, + "name_truncated": { + "type": "boolean", + "description": "name_truncated indicates if the name field is truncated" + }, + "current_value": { + "type": "string", + "description": "current_value is the value of the system control parameter before the event" + }, + "current_value_truncated": { + "type": "boolean", + "description": "current_value_truncated indicates if the current_value field is truncated" + }, + "new_value": { + "type": "string", + "description": "new_value is the newly set value of the system control" + }, + "new_value_truncated": { + "type": "boolean", + "description": "new_value_truncated indicates if the new_value field is truncated" + } + }, + "additionalProperties": false, + "type": "object", + "description": "SysCtlEventSerializer defines a sysctl event serializer" + }, "Syscall": { "properties": { "name": { @@ -1892,6 +1931,9 @@ CSM Threats event for Linux systems have the following JSON schema: }, "network_flow_monitor": { "$ref": "#/$defs/NetworkFlowMonitor" + }, + "sysctl": { + "$ref": "#/$defs/SysCtlEvent" } }, "additionalProperties": false, @@ -1937,6 +1979,7 @@ CSM Threats event for Linux systems have the following JSON schema: | `syscall` | $ref | Please see [SyscallContext](#syscallcontext) | | `packet` | $ref | Please see [RawPacket](#rawpacket) | | `network_flow_monitor` | $ref | Please see [NetworkFlowMonitor](#networkflowmonitor) | +| `sysctl` | $ref | Please see [SysCtlEvent](#sysctlevent) | ## `AWSIMDSEvent` @@ -4350,6 +4393,64 @@ CSM Threats event for Linux systems have the following JSON schema: | `pipe_exit_flag` | Exit flag of the fd_out pipe passed to the splice syscall | +## `SysCtlEvent` + + +{{< code-block lang="json" collapsible="true" >}} +{ + "properties": { + "action": { + "type": "string", + "description": "action performed on the system control parameter" + }, + "file_position": { + "type": "integer", + "description": "file_position is the position in the sysctl control parameter file at which the action occurred" + }, + "name": { + "type": "string", + "description": "name is the name of the system control parameter" + }, + "name_truncated": { + "type": "boolean", + "description": "name_truncated indicates if the name field is truncated" + }, + "current_value": { + "type": "string", + "description": "current_value is the value of the system control parameter before the event" + }, + "current_value_truncated": { + "type": "boolean", + "description": "current_value_truncated indicates if the current_value field is truncated" + }, + "new_value": { + "type": "string", + "description": "new_value is the newly set value of the system control" + }, + "new_value_truncated": { + "type": "boolean", + "description": "new_value_truncated indicates if the new_value field is truncated" + } + }, + "additionalProperties": false, + "type": "object", + "description": "SysCtlEventSerializer defines a sysctl event serializer" +} + +{{< /code-block >}} + +| Field | Description | +| ----- | ----------- | +| `action` | action performed on the system control parameter | +| `file_position` | file_position is the position in the sysctl control parameter file at which the action occurred | +| `name` | name is the name of the system control parameter | +| `name_truncated` | name_truncated indicates if the name field is truncated | +| `current_value` | current_value is the value of the system control parameter before the event | +| `current_value_truncated` | current_value_truncated indicates if the current_value field is truncated | +| `new_value` | new_value is the newly set value of the system control | +| `new_value_truncated` | new_value_truncated indicates if the new_value field is truncated | + + ## `Syscall` diff --git a/docs/cloud-workload-security/backend_linux.schema.json b/docs/cloud-workload-security/backend_linux.schema.json index b4e6fed9659142..2785a9aed3256c 100644 --- a/docs/cloud-workload-security/backend_linux.schema.json +++ b/docs/cloud-workload-security/backend_linux.schema.json @@ -1609,6 +1609,45 @@ ], "description": "SpliceEventSerializer serializes a splice event to JSON" }, + "SysCtlEvent": { + "properties": { + "action": { + "type": "string", + "description": "action performed on the system control parameter" + }, + "file_position": { + "type": "integer", + "description": "file_position is the position in the sysctl control parameter file at which the action occurred" + }, + "name": { + "type": "string", + "description": "name is the name of the system control parameter" + }, + "name_truncated": { + "type": "boolean", + "description": "name_truncated indicates if the name field is truncated" + }, + "current_value": { + "type": "string", + "description": "current_value is the value of the system control parameter before the event" + }, + "current_value_truncated": { + "type": "boolean", + "description": "current_value_truncated indicates if the current_value field is truncated" + }, + "new_value": { + "type": "string", + "description": "new_value is the newly set value of the system control" + }, + "new_value_truncated": { + "type": "boolean", + "description": "new_value_truncated indicates if the new_value field is truncated" + } + }, + "additionalProperties": false, + "type": "object", + "description": "SysCtlEventSerializer defines a sysctl event serializer" + }, "Syscall": { "properties": { "name": { @@ -1881,6 +1920,9 @@ }, "network_flow_monitor": { "$ref": "#/$defs/NetworkFlowMonitor" + }, + "sysctl": { + "$ref": "#/$defs/SysCtlEvent" } }, "additionalProperties": false, diff --git a/docs/cloud-workload-security/linux_expressions.md b/docs/cloud-workload-security/linux_expressions.md index 5fd42e04b1a72b..4c231daf2140e5 100644 --- a/docs/cloud-workload-security/linux_expressions.md +++ b/docs/cloud-workload-security/linux_expressions.md @@ -60,6 +60,7 @@ Triggers are events that correspond to types of activity seen by the system. The | `setxattr` | File | Set exteneded attributes | 7.27 | | `signal` | Process | A signal was sent | 7.35 | | `splice` | File | A splice command was executed | 7.36 | +| `sysctl` | Kernel | A sysctl parameter was read or modified | 7.65 | | `unlink` | File | A file was deleted | 7.27 | | `unload_module` | Kernel | A kernel module was deleted | 7.35 | | `utimes` | File | Change file access/modification times | 7.27 | @@ -1742,6 +1743,21 @@ A splice command was executed | [`splice.pipe_exit_flag`](#splice-pipe_exit_flag-doc) | Exit flag of the "fd_out" pipe passed to the splice syscall | | [`splice.retval`](#common-syscallevent-retval-doc) | Return value of the syscall | +### Event `sysctl` + +A sysctl parameter was read or modified + +| Property | Definition | +| -------- | ------------- | +| [`sysctl.action`](#sysctl-action-doc) | Action performed on the system control parameter | +| [`sysctl.current_value`](#sysctl-current_value-doc) | Current value of the system control parameter | +| [`sysctl.current_value_truncated`](#sysctl-current_value_truncated-doc) | Indicates that the current value field is truncated | +| [`sysctl.file_position`](#sysctl-file_position-doc) | Position in the sysctl control parameter file at which the action occurred | +| [`sysctl.name`](#sysctl-name-doc) | Name of the system control parameter | +| [`sysctl.name_truncated`](#sysctl-name_truncated-doc) | Indicates that the name field is truncated | +| [`sysctl.new_value`](#sysctl-new_value-doc) | In case of Write accesses, new value for the system control parameter | +| [`sysctl.new_value_truncated`](#sysctl-new_value_truncated-doc) | Indicates that the new_value field is truncated | + ### Event `unlink` A file was deleted @@ -3405,6 +3421,65 @@ Constants: [Pipe buffer flags](#pipe-buffer-flags) +### `sysctl.action` {#sysctl-action-doc} +Type: int + +Definition: Action performed on the system control parameter + + +Constants: [SysCtl Actions](#sysctl-actions) + + + +### `sysctl.current_value` {#sysctl-current_value-doc} +Type: string + +Definition: Current value of the system control parameter + + + +### `sysctl.current_value_truncated` {#sysctl-current_value_truncated-doc} +Type: bool + +Definition: Indicates that the current value field is truncated + + + +### `sysctl.file_position` {#sysctl-file_position-doc} +Type: int + +Definition: Position in the sysctl control parameter file at which the action occurred + + + +### `sysctl.name` {#sysctl-name-doc} +Type: string + +Definition: Name of the system control parameter + + + +### `sysctl.name_truncated` {#sysctl-name_truncated-doc} +Type: bool + +Definition: Indicates that the name field is truncated + + + +### `sysctl.new_value` {#sysctl-new_value-doc} +Type: string + +Definition: In case of Write accesses, new value for the system control parameter + + + +### `sysctl.new_value_truncated` {#sysctl-new_value_truncated-doc} +Type: bool + +Definition: Indicates that the new_value field is truncated + + + ### `unlink.flags` {#unlink-flags-doc} Type: int @@ -4513,6 +4588,14 @@ Signal constants are the supported signals for the kill syscall. | `SIGPWR` | all | | `SIGSYS` | all | +### `SysCtl Actions` {#sysctl-actions} +SysCtl Actions are the supported actions for the sysctl event. + +| Name | Architectures | +| ---- |---------------| +| `READ` | all | +| `WRITE` | all | + ### `Unlink flags` {#unlink-flags} Unlink flags are the supported flags for the unlink syscall. diff --git a/docs/cloud-workload-security/secl_linux.json b/docs/cloud-workload-security/secl_linux.json index 26db453c02425c..85b3d88f09f9da 100644 --- a/docs/cloud-workload-security/secl_linux.json +++ b/docs/cloud-workload-security/secl_linux.json @@ -7283,6 +7283,55 @@ } ] }, + { + "name": "sysctl", + "definition": "A sysctl parameter was read or modified", + "type": "Kernel", + "from_agent_version": "7.65", + "experimental": false, + "properties": [ + { + "name": "sysctl.action", + "definition": "Action performed on the system control parameter", + "property_doc_link": "sysctl-action-doc" + }, + { + "name": "sysctl.current_value", + "definition": "Current value of the system control parameter", + "property_doc_link": "sysctl-current_value-doc" + }, + { + "name": "sysctl.current_value_truncated", + "definition": "Indicates that the current value field is truncated", + "property_doc_link": "sysctl-current_value_truncated-doc" + }, + { + "name": "sysctl.file_position", + "definition": "Position in the sysctl control parameter file at which the action occurred", + "property_doc_link": "sysctl-file_position-doc" + }, + { + "name": "sysctl.name", + "definition": "Name of the system control parameter", + "property_doc_link": "sysctl-name-doc" + }, + { + "name": "sysctl.name_truncated", + "definition": "Indicates that the name field is truncated", + "property_doc_link": "sysctl-name_truncated-doc" + }, + { + "name": "sysctl.new_value", + "definition": "In case of Write accesses, new value for the system control parameter", + "property_doc_link": "sysctl-new_value-doc" + }, + { + "name": "sysctl.new_value_truncated", + "definition": "Indicates that the new_value field is truncated", + "property_doc_link": "sysctl-new_value_truncated-doc" + } + ] + }, { "name": "unlink", "definition": "A file was deleted", @@ -11022,6 +11071,102 @@ "constants_link": "pipe-buffer-flags", "examples": [] }, + { + "name": "sysctl.action", + "link": "sysctl-action-doc", + "type": "int", + "definition": "Action performed on the system control parameter", + "prefixes": [ + "sysctl" + ], + "constants": "SysCtl Actions", + "constants_link": "sysctl-actions", + "examples": [] + }, + { + "name": "sysctl.current_value", + "link": "sysctl-current_value-doc", + "type": "string", + "definition": "Current value of the system control parameter", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, + { + "name": "sysctl.current_value_truncated", + "link": "sysctl-current_value_truncated-doc", + "type": "bool", + "definition": "Indicates that the current value field is truncated", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, + { + "name": "sysctl.file_position", + "link": "sysctl-file_position-doc", + "type": "int", + "definition": "Position in the sysctl control parameter file at which the action occurred", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, + { + "name": "sysctl.name", + "link": "sysctl-name-doc", + "type": "string", + "definition": "Name of the system control parameter", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, + { + "name": "sysctl.name_truncated", + "link": "sysctl-name_truncated-doc", + "type": "bool", + "definition": "Indicates that the name field is truncated", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, + { + "name": "sysctl.new_value", + "link": "sysctl-new_value-doc", + "type": "string", + "definition": "In case of Write accesses, new value for the system control parameter", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, + { + "name": "sysctl.new_value_truncated", + "link": "sysctl-new_value_truncated-doc", + "type": "bool", + "definition": "Indicates that the new_value field is truncated", + "prefixes": [ + "sysctl" + ], + "constants": "", + "constants_link": "", + "examples": [] + }, { "name": "unlink.flags", "link": "unlink-flags-doc", @@ -14958,6 +15103,21 @@ } ] }, + { + "name": "SysCtl Actions", + "link": "sysctl-actions", + "description": "SysCtl Actions are the supported actions for the sysctl event.", + "all": [ + { + "name": "READ", + "architecture": "all" + }, + { + "name": "WRITE", + "architecture": "all" + } + ] + }, { "name": "Unlink flags", "link": "unlink-flags", diff --git a/pkg/security/ebpf/c/include/constants/custom.h b/pkg/security/ebpf/c/include/constants/custom.h index ac470714a2c64f..662f97ac09c7c4 100644 --- a/pkg/security/ebpf/c/include/constants/custom.h +++ b/pkg/security/ebpf/c/include/constants/custom.h @@ -234,4 +234,15 @@ static __attribute__((always_inline)) u64 is_network_flow_monitor_enabled() { return is_network_flow_monitor_enabled; } +#define SYSCTL_SHOT 0 +#define SYSCTL_OK 1 + +#define MAX_SYSCTL_BUFFER_LEN 1024 +#define MAX_SYSCTL_OBJ_LEN 256 +#define SYSCTL_EVENT_GEN_KEY 0 + +#define SYSCTL_NAME_TRUNCATED (1 << 0) +#define SYSCTL_CURRENT_VALUE_TRUNCATED (1 << 1) +#define SYSCTL_NEW_VALUE_TRUNCATED (1 << 2) + #endif diff --git a/pkg/security/ebpf/c/include/constants/enums.h b/pkg/security/ebpf/c/include/constants/enums.h index a2475849001ab9..a3b5149fc16235 100644 --- a/pkg/security/ebpf/c/include/constants/enums.h +++ b/pkg/security/ebpf/c/include/constants/enums.h @@ -55,6 +55,7 @@ enum event_type EVENT_RAW_PACKET, EVENT_NETWORK_FLOW_MONITOR, EVENT_STAT, + EVENT_SYSCTL, EVENT_MAX, // has to be the last one EVENT_ALL = 0xffffffff // used as a mask for all the events @@ -223,4 +224,11 @@ enum selinux_event_kind_t SELINUX_BOOL_COMMIT_EVENT_KIND, }; +enum sysctl_action_t +{ + SYSCTL_UNKNOWN, + SYSCTL_READ, + SYSCTL_WRITE, +}; + #endif diff --git a/pkg/security/ebpf/c/include/events_definition.h b/pkg/security/ebpf/c/include/events_definition.h index ab5e135724b2ec..d7a9abb907c2e4 100644 --- a/pkg/security/ebpf/c/include/events_definition.h +++ b/pkg/security/ebpf/c/include/events_definition.h @@ -478,4 +478,19 @@ struct network_flow_monitor_event_t { struct flow_stats_t flows[ACTIVE_FLOWS_MAX_SIZE]; }; +struct sysctl_event_t { + struct kevent_t event; + struct process_context_t process; + struct span_context_t span; + struct container_context_t container; + + u32 action; + u32 file_position; + u16 name_len; + u16 current_value_len; + u16 new_value_len; + u16 flags; + char sysctl_buffer[MAX_SYSCTL_BUFFER_LEN]; +}; + #endif diff --git a/pkg/security/ebpf/c/include/helpers/all.h b/pkg/security/ebpf/c/include/helpers/all.h index 824d34c4f7c937..920d11d9d4fa7e 100644 --- a/pkg/security/ebpf/c/include/helpers/all.h +++ b/pkg/security/ebpf/c/include/helpers/all.h @@ -19,6 +19,7 @@ #include "span.h" #include "syscall_macro.h" #include "syscalls.h" +#include "sysctl.h" #include "user_sessions.h" #include "utils.h" diff --git a/pkg/security/ebpf/c/include/helpers/container.h b/pkg/security/ebpf/c/include/helpers/container.h index c75de85ba6a347..c79c9098932a1e 100644 --- a/pkg/security/ebpf/c/include/helpers/container.h +++ b/pkg/security/ebpf/c/include/helpers/container.h @@ -5,7 +5,7 @@ #include "utils.h" static __attribute__((always_inline)) void copy_container_id(const container_id_t src, container_id_t dst) { - bpf_probe_read(dst, CONTAINER_ID_LEN, (void *)src); + bpf_probe_read_kernel(dst, CONTAINER_ID_LEN, (void *)src); } #define copy_container_id_no_tracing(src, dst) __builtin_memmove(dst, src, CONTAINER_ID_LEN) @@ -14,6 +14,8 @@ static void __attribute__((always_inline)) fill_container_context(struct proc_ca if (entry) { copy_container_id(entry->container.container_id, context->container_id); context->cgroup_context = entry->container.cgroup_context; + } else { + context->container_id[0] = 0; } } diff --git a/pkg/security/ebpf/c/include/helpers/process.h b/pkg/security/ebpf/c/include/helpers/process.h index 83f5774753d840..e3ed6d0d9d4d9e 100644 --- a/pkg/security/ebpf/c/include/helpers/process.h +++ b/pkg/security/ebpf/c/include/helpers/process.h @@ -129,15 +129,15 @@ u32 __attribute__((always_inline)) get_root_nr_from_task_struct(struct task_stru u32 __attribute__((always_inline)) get_namespace_nr_from_task_struct(struct task_struct *task) { struct pid *pid = NULL; - bpf_probe_read(&pid, sizeof(pid), (void *)task + get_task_struct_pid_offset()); + bpf_probe_read_kernel(&pid, sizeof(pid), (void *)task + get_task_struct_pid_offset()); u32 pid_level = 0; - bpf_probe_read(&pid_level, sizeof(pid_level), (void *)pid + get_pid_level_offset()); + bpf_probe_read_kernel(&pid_level, sizeof(pid_level), (void *)pid + get_pid_level_offset()); // read the namespace nr from &pid->numbers[pid_level].nr u32 namespace_nr = 0; u64 namespace_numbers_offset = pid_level * get_sizeof_upid(); - bpf_probe_read(&namespace_nr, sizeof(namespace_nr), (void *)pid + get_pid_numbers_offset() + namespace_numbers_offset); + bpf_probe_read_kernel(&namespace_nr, sizeof(namespace_nr), (void *)pid + get_pid_numbers_offset() + namespace_numbers_offset); return namespace_nr; } diff --git a/pkg/security/ebpf/c/include/helpers/span.h b/pkg/security/ebpf/c/include/helpers/span.h index c77567fdb54721..1fd9c78a63e8eb 100644 --- a/pkg/security/ebpf/c/include/helpers/span.h +++ b/pkg/security/ebpf/c/include/helpers/span.h @@ -41,7 +41,7 @@ void __attribute__((always_inline)) fill_span_context(struct span_context_t *spa } int offset = (tid % tls->max_threads) * sizeof(struct span_context_t); - int ret = bpf_probe_read(span, sizeof(struct span_context_t), tls->base + offset); + int ret = bpf_probe_read_kernel(span, sizeof(struct span_context_t), tls->base + offset); if (ret < 0) { span->span_id = 0; span->trace_id[0] = span->trace_id[1] = 0; diff --git a/pkg/security/ebpf/c/include/helpers/sysctl.h b/pkg/security/ebpf/c/include/helpers/sysctl.h new file mode 100644 index 00000000000000..1716deee11b63d --- /dev/null +++ b/pkg/security/ebpf/c/include/helpers/sysctl.h @@ -0,0 +1,103 @@ +#ifndef _HELPERS_SYSCTL_H_ +#define _HELPERS_SYSCTL_H_ + +#include "constants/custom.h" +#include "helpers/container.h" +#include "helpers/process.h" + +#include "maps.h" + +__attribute__((always_inline)) struct sysctl_event_t *reset_sysctl_event() { + u32 key = SYSCTL_EVENT_GEN_KEY; + struct sysctl_event_t *evt = bpf_map_lookup_elem(&sysctl_event_gen, &key); + if (evt == NULL) { + // should never happen + return NULL; + } + + // reset event + evt->action = SYSCTL_UNKNOWN; + evt->file_position = 0; + evt->name_len = 0; + evt->current_value_len = 0; + evt->new_value_len = 0; + evt->flags = 0; + evt->sysctl_buffer[0] = 0; + + // process, container, span contexts + struct proc_cache_t *entry = fill_process_context(&evt->process); + fill_container_context(entry, &evt->container); + fill_span_context(&evt->span); + + return evt; +} + +__attribute__((always_inline)) void handle_cgroup_sysctl(struct bpf_sysctl *ctx) { + struct sysctl_event_t *evt = reset_sysctl_event(); + if (evt == NULL) { + return; + } + + // copy sysctl action and operation file position + if (ctx->write) { + evt->action = SYSCTL_WRITE; + } else { + evt->action = SYSCTL_READ; + } + evt->file_position = ctx->file_pos; + + // copy the name of the control parameter + u32 cursor = 0; + u32 ret = bpf_sysctl_get_name(ctx, &evt->sysctl_buffer[0], MAX_SYSCTL_OBJ_LEN - 2, 0); + if ((int)ret == -E2BIG) { + evt->flags |= SYSCTL_NAME_TRUNCATED; + evt->name_len = MAX_SYSCTL_OBJ_LEN - 1; + } else { + evt->name_len = ret + 1; + } + + // advance cursor in sysctl_buffer + cursor += evt->name_len; + + // copy the current value of the control parameter + ret = bpf_sysctl_get_current_value(ctx, &evt->sysctl_buffer[cursor & (MAX_SYSCTL_OBJ_LEN-1)], MAX_SYSCTL_OBJ_LEN - 1); + switch ((int)ret) { + case -E2BIG: + evt->flags |= SYSCTL_CURRENT_VALUE_TRUNCATED; + evt->current_value_len = MAX_SYSCTL_OBJ_LEN; + break; + case -EINVAL: + evt->current_value_len = 1; + evt->sysctl_buffer[cursor & (MAX_SYSCTL_BUFFER_LEN - 1)] = 0; + break; + default: + evt->current_value_len = ret + 1; + break; + } + + // advance cursor in sysctl_buffer + cursor += evt->current_value_len; + + // copy the new value for the control parameter + ret = bpf_sysctl_get_new_value(ctx, &evt->sysctl_buffer[cursor & (2*MAX_SYSCTL_OBJ_LEN - 1)], MAX_SYSCTL_OBJ_LEN - 1); + switch ((int)ret) { + case -E2BIG: + evt->flags |= SYSCTL_NEW_VALUE_TRUNCATED; + evt->new_value_len = MAX_SYSCTL_OBJ_LEN; + break; + case -EINVAL: + evt->new_value_len = 1; + evt->sysctl_buffer[cursor & (MAX_SYSCTL_BUFFER_LEN - 1)] = 0; + break; + default: + evt->new_value_len = ret + 1; + break; + } + + // advance cursor in sysctl_buffer + cursor += evt->new_value_len; + + send_event_with_size_ptr(ctx, EVENT_SYSCTL, evt, offsetof(struct sysctl_event_t, sysctl_buffer) + (cursor & (MAX_SYSCTL_BUFFER_LEN - 1))); +} + +#endif diff --git a/pkg/security/ebpf/c/include/hooks/all.h b/pkg/security/ebpf/c/include/hooks/all.h index 8f1370edf651c3..44af20d584d8c7 100644 --- a/pkg/security/ebpf/c/include/hooks/all.h +++ b/pkg/security/ebpf/c/include/hooks/all.h @@ -30,6 +30,7 @@ #include "setxattr.h" #include "signal.h" #include "splice.h" +#include "sysctl.h" #include "umount.h" #include "unlink.h" #include "utimes.h" diff --git a/pkg/security/ebpf/c/include/hooks/sysctl.h b/pkg/security/ebpf/c/include/hooks/sysctl.h new file mode 100644 index 00000000000000..041da74f23965e --- /dev/null +++ b/pkg/security/ebpf/c/include/hooks/sysctl.h @@ -0,0 +1,14 @@ +#ifndef _HOOKS_SYSCTL_H_ +#define _HOOKS_SYSCTL_H_ + +#include "helpers/sysctl.h" +#include "helpers/sysctl.h" + +SEC("cgroup/sysctl") +int cgroup_sysctl(struct bpf_sysctl *ctx) { + handle_cgroup_sysctl(ctx); + // make sure we don't disrupt the sysctl command + return SYSCTL_OK; +} + +#endif diff --git a/pkg/security/ebpf/c/include/maps.h b/pkg/security/ebpf/c/include/maps.h index 41f6852a47cb30..3ced3b7416171b 100644 --- a/pkg/security/ebpf/c/include/maps.h +++ b/pkg/security/ebpf/c/include/maps.h @@ -109,6 +109,7 @@ BPF_PERCPU_ARRAY_MAP(raw_packet_event, struct raw_packet_event_t, 1) BPF_PERCPU_ARRAY_MAP(network_flow_monitor_event_gen, struct network_flow_monitor_event_t, 1) BPF_PERCPU_ARRAY_MAP(active_flows_gen, struct active_flows_t, 1) BPF_PERCPU_ARRAY_MAP(raw_packet_enabled, u32, 1) +BPF_PERCPU_ARRAY_MAP(sysctl_event_gen, struct sysctl_event_t, 1) BPF_PROG_ARRAY(args_envs_progs, 3) BPF_PROG_ARRAY(dentry_resolver_kprobe_or_fentry_callbacks, EVENT_MAX) diff --git a/pkg/security/ebpf/probes/all.go b/pkg/security/ebpf/probes/all.go index cf4290fbb9276e..b256c10fcbfd49 100644 --- a/pkg/security/ebpf/probes/all.go +++ b/pkg/security/ebpf/probes/all.go @@ -99,6 +99,7 @@ func AllProbes(fentry bool) []*manager.Probe { allProbes = append(allProbes, getChdirProbes(fentry)...) allProbes = append(allProbes, GetOnDemandProbes()...) allProbes = append(allProbes, GetPerfEventProbes()...) + allProbes = append(allProbes, getSysCtlProbes()...) allProbes = append(allProbes, &manager.Probe{ diff --git a/pkg/security/ebpf/probes/event_types.go b/pkg/security/ebpf/probes/event_types.go index 0528e2fa1f6eb5..149938b2117aa5 100644 --- a/pkg/security/ebpf/probes/event_types.go +++ b/pkg/security/ebpf/probes/event_types.go @@ -487,6 +487,7 @@ func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSe &manager.OneOf{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "fchdir", fentry, EntryAndExit)}, }, + // List of probes required to capture network_flow_monitor events "network_flow_monitor": { // perf_event probes &manager.AllOf{Selectors: []manager.ProbesSelector{ @@ -498,6 +499,18 @@ func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSe }, }}, }, + + // List of probes required to capture sysctl events + "sysctl": { + &manager.AllOf{Selectors: []manager.ProbesSelector{ + &manager.ProbeSelector{ + ProbeIdentificationPair: manager.ProbeIdentificationPair{ + UID: SecurityAgentUID, + EBPFFuncName: "cgroup_sysctl", + }, + }, + }}, + }, } // Add probes required to track network interfaces and map network flows to processes diff --git a/pkg/security/ebpf/probes/sysctl.go b/pkg/security/ebpf/probes/sysctl.go new file mode 100644 index 00000000000000..e1714f73ba19b0 --- /dev/null +++ b/pkg/security/ebpf/probes/sysctl.go @@ -0,0 +1,23 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +//go:build linux + +// Package probes holds probes related files +package probes + +import manager "github.com/DataDog/ebpf-manager" + +func getSysCtlProbes() []*manager.Probe { + return []*manager.Probe{ + { + ProbeIdentificationPair: manager.ProbeIdentificationPair{ + UID: SecurityAgentUID, + EBPFFuncName: "cgroup_sysctl", + }, + CGroupPath: "/sys/fs/cgroup", + }, + } +} diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go index 4655d7a0c5078f..5619a0c2e3d929 100644 --- a/pkg/security/probe/probe_ebpf.go +++ b/pkg/security/probe/probe_ebpf.go @@ -1318,6 +1318,11 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) { seclog.Errorf("failed to decode on-demand event for syscall event: %s (offset %d, len %d)", err, offset, len(data)) return } + case model.SysCtlEventType: + if _, err = event.SysCtl.UnmarshalBinary(data[offset:]); err != nil { + seclog.Errorf("failed to decode sysctl event: %s (offset %d, len %d)", err, offset, len(data)) + return + } } // resolve the container context diff --git a/pkg/security/secl/model/accessors_unix.go b/pkg/security/secl/model/accessors_unix.go index 9a6cbaeb41ee51..b133674482642c 100644 --- a/pkg/security/secl/model/accessors_unix.go +++ b/pkg/security/secl/model/accessors_unix.go @@ -54,6 +54,7 @@ func (_ *Model) GetEventTypes() []eval.EventType { eval.EventType("setxattr"), eval.EventType("signal"), eval.EventType("splice"), + eval.EventType("sysctl"), eval.EventType("unlink"), eval.EventType("unload_module"), eval.EventType("utimes"), @@ -20309,6 +20310,86 @@ func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval Field: field, Weight: eval.FunctionWeight, }, nil + case "sysctl.action": + return &eval.IntEvaluator{ + EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return int(ev.SysCtl.Action) + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.current_value": + return &eval.StringEvaluator{ + EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return ev.SysCtl.CurrentValue + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.current_value_truncated": + return &eval.BoolEvaluator{ + EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return ev.SysCtl.CurrentValueTruncated + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.file_position": + return &eval.IntEvaluator{ + EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return int(ev.SysCtl.FilePosition) + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.name": + return &eval.StringEvaluator{ + EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return ev.SysCtl.Name + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.name_truncated": + return &eval.BoolEvaluator{ + EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return ev.SysCtl.NameTruncated + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.new_value": + return &eval.StringEvaluator{ + EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return ev.SysCtl.NewValue + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil + case "sysctl.new_value_truncated": + return &eval.BoolEvaluator{ + EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) + ev := ctx.Event.(*Event) + return ev.SysCtl.NewValueTruncated + }, + Field: field, + Weight: eval.FunctionWeight, + }, nil case "unlink.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { @@ -22209,6 +22290,14 @@ func (ev *Event) GetFields() []eval.Field { "splice.pipe_entry_flag", "splice.pipe_exit_flag", "splice.retval", + "sysctl.action", + "sysctl.current_value", + "sysctl.current_value_truncated", + "sysctl.file_position", + "sysctl.name", + "sysctl.name_truncated", + "sysctl.new_value", + "sysctl.new_value_truncated", "unlink.file.change_time", "unlink.file.filesystem", "unlink.file.gid", @@ -25066,6 +25155,22 @@ func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kin return "splice", reflect.Int, nil case "splice.retval": return "splice", reflect.Int, nil + case "sysctl.action": + return "sysctl", reflect.Int, nil + case "sysctl.current_value": + return "sysctl", reflect.String, nil + case "sysctl.current_value_truncated": + return "sysctl", reflect.Bool, nil + case "sysctl.file_position": + return "sysctl", reflect.Int, nil + case "sysctl.name": + return "sysctl", reflect.String, nil + case "sysctl.name_truncated": + return "sysctl", reflect.Bool, nil + case "sysctl.new_value": + return "sysctl", reflect.String, nil + case "sysctl.new_value_truncated": + return "sysctl", reflect.Bool, nil case "unlink.file.change_time": return "unlink", reflect.Int, nil case "unlink.file.filesystem": @@ -40216,6 +40321,62 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error { } ev.Splice.SyscallEvent.Retval = int64(rv) return nil + case "sysctl.action": + rv, ok := value.(int) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.action"} + } + ev.SysCtl.Action = uint32(rv) + return nil + case "sysctl.current_value": + rv, ok := value.(string) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.current_value"} + } + ev.SysCtl.CurrentValue = rv + return nil + case "sysctl.current_value_truncated": + rv, ok := value.(bool) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.current_value_truncated"} + } + ev.SysCtl.CurrentValueTruncated = rv + return nil + case "sysctl.file_position": + rv, ok := value.(int) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.file_position"} + } + ev.SysCtl.FilePosition = uint32(rv) + return nil + case "sysctl.name": + rv, ok := value.(string) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.name"} + } + ev.SysCtl.Name = rv + return nil + case "sysctl.name_truncated": + rv, ok := value.(bool) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.name_truncated"} + } + ev.SysCtl.NameTruncated = rv + return nil + case "sysctl.new_value": + rv, ok := value.(string) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.new_value"} + } + ev.SysCtl.NewValue = rv + return nil + case "sysctl.new_value_truncated": + rv, ok := value.(bool) + if !ok { + return &eval.ErrValueTypeMismatch{Field: "sysctl.new_value_truncated"} + } + ev.SysCtl.NewValueTruncated = rv + return nil case "unlink.file.change_time": rv, ok := value.(int) if !ok { diff --git a/pkg/security/secl/model/category.go b/pkg/security/secl/model/category.go index 9a1a5107c033dc..8ea2eed788af3e 100644 --- a/pkg/security/secl/model/category.go +++ b/pkg/security/secl/model/category.go @@ -59,7 +59,8 @@ func GetEventTypeCategory(eventType eval.EventType) EventCategory { UnloadModuleEventType.String(), AcceptEventType.String(), BindEventType.String(), - ConnectEventType.String(): + ConnectEventType.String(), + SyscallsEventType.String(): return KernelCategory // Network diff --git a/pkg/security/secl/model/consts_common.go b/pkg/security/secl/model/consts_common.go index 1b3f9f9309bb2f..f1d06d2ad4327e 100644 --- a/pkg/security/secl/model/consts_common.go +++ b/pkg/security/secl/model/consts_common.go @@ -484,6 +484,7 @@ func initConstants() { initAUIDConstants() usersession.InitUserSessionTypes() initSSLVersionConstants() + initSysCtlActionConstants() } // RetValError represents a syscall return error value diff --git a/pkg/security/secl/model/consts_darwin.go b/pkg/security/secl/model/consts_darwin.go index 9fd253d0ebadf2..615da73f91813b 100644 --- a/pkg/security/secl/model/consts_darwin.go +++ b/pkg/security/secl/model/consts_darwin.go @@ -55,3 +55,4 @@ func initMMapFlagsConstants() {} func initSignalConstants() {} func initBPFMapNamesConstants() {} func initAUIDConstants() {} +func initSysCtlActionConstants() {} diff --git a/pkg/security/secl/model/consts_linux.go b/pkg/security/secl/model/consts_linux.go index 01981583ecfad7..a81dc9c1b594d4 100644 --- a/pkg/security/secl/model/consts_linux.go +++ b/pkg/security/secl/model/consts_linux.go @@ -838,6 +838,13 @@ var ( "PIPE_BUF_FLAG_WHOLE": PipeBufFlagWhole, "PIPE_BUF_FLAG_LOSS": PipeBufFlagLoss, } + + // SysCtlActionConstants is the list of available actions for sysctl events + // generate_constants:SysCtl Actions,SysCtl Actions are the supported actions for the sysctl event. + SysCtlActionConstants = map[string]SysCtlAction{ + "SYSCTL_READ": SysCtlReadAction, + "SYSCTL_WRITE": SysCtlWriteAction, + } ) func initVMConstants() { @@ -980,6 +987,13 @@ func initSignalConstants() { } } +func initSysCtlActionConstants() { + for k, v := range SysCtlActionConstants { + seclConstants[k] = &eval.IntEvaluator{Value: int(v)} + sysctlActionStrings[uint32(v)] = k + } +} + func initBPFMapNamesConstants() { seclConstants["CWS_MAP_NAMES"] = &eval.StringArrayEvaluator{Values: bpfMapNames} } @@ -1869,4 +1883,21 @@ var ( mmapFlagStrings = map[uint64]string{} signalStrings = map[int]string{} pipeBufFlagStrings = map[int]string{} + sysctlActionStrings = map[uint32]string{} +) + +// SysCtlAction is used to define the action of a sysctl event +type SysCtlAction uint32 + +func (t SysCtlAction) String() string { + return sysctlActionStrings[uint32(t)] +} + +const ( + // SysCtlUnknownAction sysctl action type + SysCtlUnknownAction SysCtlAction = iota + // SysCtlReadAction sysctl action type + SysCtlReadAction + // SysCtlWriteAction sysctl action type + SysCtlWriteAction ) diff --git a/pkg/security/secl/model/consts_windows.go b/pkg/security/secl/model/consts_windows.go index 396c05a668fa44..bcee9c19cf151b 100644 --- a/pkg/security/secl/model/consts_windows.go +++ b/pkg/security/secl/model/consts_windows.go @@ -39,3 +39,4 @@ func initMMapFlagsConstants() {} func initSignalConstants() {} func initBPFMapNamesConstants() {} func initAUIDConstants() {} +func initSysCtlActionConstants() {} diff --git a/pkg/security/secl/model/events.go b/pkg/security/secl/model/events.go index 77afd53f202e2a..801a017aaf40d5 100644 --- a/pkg/security/secl/model/events.go +++ b/pkg/security/secl/model/events.go @@ -107,6 +107,8 @@ const ( NetworkFlowMonitorEventType // StatEventType stat event (used kernel side only) StatEventType + // SysCtlEventType sysctl event + SysCtlEventType // MaxKernelEventType is used internally to get the maximum number of kernel events. MaxKernelEventType @@ -265,6 +267,8 @@ func (t EventType) String() string { return "login_uid_write" case CgroupWriteEventType: return "cgroup_write" + case SysCtlEventType: + return "sysctl" default: return "unknown" } diff --git a/pkg/security/secl/model/field_handlers_unix.go b/pkg/security/secl/model/field_handlers_unix.go index 418e4bc8750f4e..bea44aeb06cbb7 100644 --- a/pkg/security/secl/model/field_handlers_unix.go +++ b/pkg/security/secl/model/field_handlers_unix.go @@ -1101,6 +1101,7 @@ func (ev *Event) resolveFields(forADs bool) { if !forADs { _ = ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File) } + case "sysctl": case "unlink": _ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Unlink.File.FileFields) _ = ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Unlink.File.FileFields) diff --git a/pkg/security/secl/model/model_unix.go b/pkg/security/secl/model/model_unix.go index da3c0307a5b572..69cce52094fd89 100644 --- a/pkg/security/secl/model/model_unix.go +++ b/pkg/security/secl/model/model_unix.go @@ -99,6 +99,7 @@ type Event struct { MProtect MProtectEvent `field:"mprotect" event:"mprotect"` // [7.35] [Kernel] A mprotect command was executed LoadModule LoadModuleEvent `field:"load_module" event:"load_module"` // [7.35] [Kernel] A new kernel module was loaded UnloadModule UnloadModuleEvent `field:"unload_module" event:"unload_module"` // [7.35] [Kernel] A kernel module was deleted + SysCtl SysCtlEvent `field:"sysctl" event:"sysctl"` // [7.65] [Kernel] A sysctl parameter was read or modified // network events DNS DNSEvent `field:"dns" event:"dns"` // [7.36] [Network] A DNS request was sent @@ -901,3 +902,15 @@ func (it *FlowsIterator) At(ctx *eval.Context, regID eval.RegisterID, pos int) * func (it *FlowsIterator) Len(ctx *eval.Context) int { return len(ctx.Event.(*Event).NetworkFlowMonitor.Flows) } + +// SysCtlEvent is used to represent a system control parameter event +type SysCtlEvent struct { + Action uint32 `field:"action"` // SECLDoc[action] Definition:`Action performed on the system control parameter` Constants:`SysCtl Actions` + FilePosition uint32 `field:"file_position"` // SECLDoc[file_position] Definition:`Position in the sysctl control parameter file at which the action occurred` + Name string `field:"name"` // SECLDoc[name] Definition:`Name of the system control parameter` + NameTruncated bool `field:"name_truncated"` // SECLDoc[name_truncated] Definition:`Indicates that the name field is truncated` + CurrentValue string `field:"current_value"` // SECLDoc[current_value] Definition:`Current value of the system control parameter` + CurrentValueTruncated bool `field:"current_value_truncated"` // SECLDoc[current_value_truncated] Definition:`Indicates that the current value field is truncated` + NewValue string `field:"new_value"` // SECLDoc[new_value] Definition:`In case of Write accesses, new value for the system control parameter` + NewValueTruncated bool `field:"new_value_truncated"` // SECLDoc[new_value_truncated] Definition:`Indicates that the new_value field is truncated` +} diff --git a/pkg/security/secl/model/unmarshallers_linux.go b/pkg/security/secl/model/unmarshallers_linux.go index 8eae204d52652d..c9430b83ed421f 100644 --- a/pkg/security/secl/model/unmarshallers_linux.go +++ b/pkg/security/secl/model/unmarshallers_linux.go @@ -1505,3 +1505,60 @@ func (e *NetworkFlowMonitorEvent) UnmarshalBinary(data []byte) (int, error) { return total, nil } + +// UnmarshalBinary unmarshals a binary representation of itself +func (e *SysCtlEvent) UnmarshalBinary(data []byte) (int, error) { + if len(data) < 16 { + return 0, ErrNotEnoughData + } + var cursor int + + e.Action = binary.NativeEndian.Uint32(data[0:4]) + e.FilePosition = binary.NativeEndian.Uint32(data[4:8]) + + nameLen := int(binary.NativeEndian.Uint16(data[8:10])) + currentValueLen := int(binary.NativeEndian.Uint16(data[10:12])) + newValueLen := int(binary.NativeEndian.Uint16(data[12:14])) + flags := binary.NativeEndian.Uint16(data[14:16]) + + // handle truncated fields + switch { + case flags&(1<<0) > 0: + e.NameTruncated = true + fallthrough + case flags&(1<<1) > 0: + e.CurrentValueTruncated = true + fallthrough + case flags&(1<<2) > 0: + e.NewValueTruncated = true + } + cursor += 16 + + // parse name and values + if nameLen+currentValueLen+newValueLen > len(data[cursor:]) { + return 0, ErrNotEnoughData + } + + var err error + e.Name, err = UnmarshalString(data[cursor:cursor+nameLen], nameLen) + if err != nil { + return 0, err + } + e.Name = strings.TrimSpace(e.Name) + cursor += nameLen + + e.CurrentValue, err = UnmarshalString(data[cursor:cursor+currentValueLen], currentValueLen) + if err != nil { + return 0, err + } + e.CurrentValue = strings.TrimSpace(e.CurrentValue) + cursor += currentValueLen + + e.NewValue, err = UnmarshalString(data[cursor:cursor+newValueLen], newValueLen) + if err != nil { + return 0, err + } + e.NewValue = strings.TrimSpace(e.NewValue) + cursor += newValueLen + return cursor, nil +} diff --git a/pkg/security/seclwin/model/consts_common.go b/pkg/security/seclwin/model/consts_common.go index 1b3f9f9309bb2f..f1d06d2ad4327e 100644 --- a/pkg/security/seclwin/model/consts_common.go +++ b/pkg/security/seclwin/model/consts_common.go @@ -484,6 +484,7 @@ func initConstants() { initAUIDConstants() usersession.InitUserSessionTypes() initSSLVersionConstants() + initSysCtlActionConstants() } // RetValError represents a syscall return error value diff --git a/pkg/security/seclwin/model/consts_win.go b/pkg/security/seclwin/model/consts_win.go index 396c05a668fa44..bcee9c19cf151b 100644 --- a/pkg/security/seclwin/model/consts_win.go +++ b/pkg/security/seclwin/model/consts_win.go @@ -39,3 +39,4 @@ func initMMapFlagsConstants() {} func initSignalConstants() {} func initBPFMapNamesConstants() {} func initAUIDConstants() {} +func initSysCtlActionConstants() {} diff --git a/pkg/security/seclwin/model/events.go b/pkg/security/seclwin/model/events.go index 77afd53f202e2a..801a017aaf40d5 100644 --- a/pkg/security/seclwin/model/events.go +++ b/pkg/security/seclwin/model/events.go @@ -107,6 +107,8 @@ const ( NetworkFlowMonitorEventType // StatEventType stat event (used kernel side only) StatEventType + // SysCtlEventType sysctl event + SysCtlEventType // MaxKernelEventType is used internally to get the maximum number of kernel events. MaxKernelEventType @@ -265,6 +267,8 @@ func (t EventType) String() string { return "login_uid_write" case CgroupWriteEventType: return "cgroup_write" + case SysCtlEventType: + return "sysctl" default: return "unknown" } diff --git a/pkg/security/serializers/serializers_base.go b/pkg/security/serializers/serializers_base.go index 17e2d1c713a823..35b29f61afeb5e 100644 --- a/pkg/security/serializers/serializers_base.go +++ b/pkg/security/serializers/serializers_base.go @@ -261,6 +261,27 @@ type NetworkFlowMonitorSerializer struct { Flows []*FlowSerializer `json:"flows,omitempty"` } +// SysCtlEventSerializer defines a sysctl event serializer +// easyjson:json +type SysCtlEventSerializer struct { + // action performed on the system control parameter + Action string `json:"action,omitempty"` + // file_position is the position in the sysctl control parameter file at which the action occurred + FilePosition uint32 `json:"file_position,omitempty"` + // name is the name of the system control parameter + Name string `json:"name,omitempty"` + // name_truncated indicates if the name field is truncated + NameTruncated bool `json:"name_truncated,omitempty"` + // current_value is the value of the system control parameter before the event + CurrentValue string `json:"current_value,omitempty"` + // current_value_truncated indicates if the current_value field is truncated + CurrentValueTruncated bool `json:"current_value_truncated,omitempty"` + // new_value is the newly set value of the system control + NewValue string `json:"new_value,omitempty"` + // new_value_truncated indicates if the new_value field is truncated + NewValueTruncated bool `json:"new_value_truncated,omitempty"` +} + func newMatchedRulesSerializer(r *model.MatchedRule) MatchedRuleSerializer { mrs := MatchedRuleSerializer{ ID: r.RuleID, diff --git a/pkg/security/serializers/serializers_base_linux_easyjson.go b/pkg/security/serializers/serializers_base_linux_easyjson.go index 33140f9ad960c2..4865742738c045 100644 --- a/pkg/security/serializers/serializers_base_linux_easyjson.go +++ b/pkg/security/serializers/serializers_base_linux_easyjson.go @@ -136,7 +136,144 @@ func (v TLSContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { func (v *TLSContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers1(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(in *jlexer.Lexer, out *RawPacketSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(in *jlexer.Lexer, out *SysCtlEventSerializer) { + isTopLevel := in.IsStart() + if in.IsNull() { + if isTopLevel { + in.Consumed() + } + in.Skip() + return + } + in.Delim('{') + for !in.IsDelim('}') { + key := in.UnsafeFieldName(false) + in.WantColon() + if in.IsNull() { + in.Skip() + in.WantComma() + continue + } + switch key { + case "action": + out.Action = string(in.String()) + case "file_position": + out.FilePosition = uint32(in.Uint32()) + case "name": + out.Name = string(in.String()) + case "name_truncated": + out.NameTruncated = bool(in.Bool()) + case "current_value": + out.CurrentValue = string(in.String()) + case "current_value_truncated": + out.CurrentValueTruncated = bool(in.Bool()) + case "new_value": + out.NewValue = string(in.String()) + case "new_value_truncated": + out.NewValueTruncated = bool(in.Bool()) + default: + in.SkipRecursive() + } + in.WantComma() + } + in.Delim('}') + if isTopLevel { + in.Consumed() + } +} +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(out *jwriter.Writer, in SysCtlEventSerializer) { + out.RawByte('{') + first := true + _ = first + if in.Action != "" { + const prefix string = ",\"action\":" + first = false + out.RawString(prefix[1:]) + out.String(string(in.Action)) + } + if in.FilePosition != 0 { + const prefix string = ",\"file_position\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Uint32(uint32(in.FilePosition)) + } + if in.Name != "" { + const prefix string = ",\"name\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.String(string(in.Name)) + } + if in.NameTruncated { + const prefix string = ",\"name_truncated\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Bool(bool(in.NameTruncated)) + } + if in.CurrentValue != "" { + const prefix string = ",\"current_value\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.String(string(in.CurrentValue)) + } + if in.CurrentValueTruncated { + const prefix string = ",\"current_value_truncated\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Bool(bool(in.CurrentValueTruncated)) + } + if in.NewValue != "" { + const prefix string = ",\"new_value\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.String(string(in.NewValue)) + } + if in.NewValueTruncated { + const prefix string = ",\"new_value_truncated\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Bool(bool(in.NewValueTruncated)) + } + out.RawByte('}') +} + +// MarshalEasyJSON supports easyjson.Marshaler interface +func (v SysCtlEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(w, v) +} + +// UnmarshalEasyJSON supports easyjson.Unmarshaler interface +func (v *SysCtlEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(l, v) +} +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(in *jlexer.Lexer, out *RawPacketSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -198,7 +335,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(out *jwriter.Writer, in RawPacketSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(out *jwriter.Writer, in RawPacketSerializer) { out.RawByte('{') first := true _ = first @@ -258,14 +395,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v RawPacketSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *RawPacketSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(in *jlexer.Lexer, out *ProcessContextSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(in *jlexer.Lexer, out *ProcessContextSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -528,7 +665,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(i } for !in.IsDelim(']') { var v6 SyscallSerializer - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(in, &v6) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(in, &v6) *out.Syscalls = append(*out.Syscalls, v6) in.WantComma() } @@ -576,7 +713,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(out *jwriter.Writer, in ProcessContextSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(out *jwriter.Writer, in ProcessContextSerializer) { out.RawByte('{') first := true _ = first @@ -813,7 +950,7 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(o if v14 > 0 { out.RawByte(',') } - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(out, v15) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(out, v15) } out.RawByte(']') } @@ -841,14 +978,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v ProcessContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *ProcessContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers3(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(in *jlexer.Lexer, out *SyscallSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(in *jlexer.Lexer, out *SyscallSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -881,7 +1018,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(out *jwriter.Writer, in SyscallSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(out *jwriter.Writer, in SyscallSerializer) { out.RawByte('{') first := true _ = first @@ -897,7 +1034,7 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(o } out.RawByte('}') } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(in *jlexer.Lexer, out *NetworkStatsSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(in *jlexer.Lexer, out *NetworkStatsSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -930,7 +1067,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(out *jwriter.Writer, in NetworkStatsSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(out *jwriter.Writer, in NetworkStatsSerializer) { out.RawByte('{') first := true _ = first @@ -955,14 +1092,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v NetworkStatsSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *NetworkStatsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(in *jlexer.Lexer, out *NetworkFlowMonitorSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(in *jlexer.Lexer, out *NetworkFlowMonitorSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1032,7 +1169,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(out *jwriter.Writer, in NetworkFlowMonitorSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(out *jwriter.Writer, in NetworkFlowMonitorSerializer) { out.RawByte('{') first := true _ = first @@ -1070,14 +1207,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v NetworkFlowMonitorSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *NetworkFlowMonitorSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(in *jlexer.Lexer, out *NetworkContextSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(in *jlexer.Lexer, out *NetworkContextSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1128,7 +1265,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(out *jwriter.Writer, in NetworkContextSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(out *jwriter.Writer, in NetworkContextSerializer) { out.RawByte('{') first := true _ = first @@ -1178,14 +1315,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v NetworkContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *NetworkContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(in *jlexer.Lexer, out *MatchedRuleSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(in *jlexer.Lexer, out *MatchedRuleSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1245,7 +1382,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(out *jwriter.Writer, in MatchedRuleSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(out *jwriter.Writer, in MatchedRuleSerializer) { out.RawByte('{') first := true _ = first @@ -1309,14 +1446,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v MatchedRuleSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *MatchedRuleSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(in *jlexer.Lexer, out *IPPortSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(in *jlexer.Lexer, out *IPPortSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1349,7 +1486,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(i in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(out *jwriter.Writer, in IPPortSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(out *jwriter.Writer, in IPPortSerializer) { out.RawByte('{') first := true _ = first @@ -1368,14 +1505,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(o // MarshalEasyJSON supports easyjson.Marshaler interface func (v IPPortSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *IPPortSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(in *jlexer.Lexer, out *IPPortFamilySerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(in *jlexer.Lexer, out *IPPortFamilySerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1410,7 +1547,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(out *jwriter.Writer, in IPPortFamilySerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(out *jwriter.Writer, in IPPortFamilySerializer) { out.RawByte('{') first := true _ = first @@ -1434,14 +1571,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10( // MarshalEasyJSON supports easyjson.Marshaler interface func (v IPPortFamilySerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *IPPortFamilySerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(in *jlexer.Lexer, out *IMDSEventSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(in *jlexer.Lexer, out *IMDSEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1492,7 +1629,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(out *jwriter.Writer, in IMDSEventSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(out *jwriter.Writer, in IMDSEventSerializer) { out.RawByte('{') first := true _ = first @@ -1536,14 +1673,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11( // MarshalEasyJSON supports easyjson.Marshaler interface func (v IMDSEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *IMDSEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(in *jlexer.Lexer, out *FlowSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(in *jlexer.Lexer, out *FlowSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1600,7 +1737,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(out *jwriter.Writer, in FlowSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(out *jwriter.Writer, in FlowSerializer) { out.RawByte('{') first := true _ = first @@ -1639,14 +1776,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12( // MarshalEasyJSON supports easyjson.Marshaler interface func (v FlowSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *FlowSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(in *jlexer.Lexer, out *ExitEventSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(in *jlexer.Lexer, out *ExitEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1679,7 +1816,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(out *jwriter.Writer, in ExitEventSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(out *jwriter.Writer, in ExitEventSerializer) { out.RawByte('{') first := true _ = first @@ -1698,14 +1835,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13( // MarshalEasyJSON supports easyjson.Marshaler interface func (v ExitEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *ExitEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(in *jlexer.Lexer, out *EventContextSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(in *jlexer.Lexer, out *EventContextSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1767,7 +1904,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(out *jwriter.Writer, in EventContextSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(out *jwriter.Writer, in EventContextSerializer) { out.RawByte('{') first := true _ = first @@ -1841,14 +1978,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14( // MarshalEasyJSON supports easyjson.Marshaler interface func (v EventContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *EventContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(in *jlexer.Lexer, out *DNSQuestionSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(in *jlexer.Lexer, out *DNSQuestionSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1887,7 +2024,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(out *jwriter.Writer, in DNSQuestionSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(out *jwriter.Writer, in DNSQuestionSerializer) { out.RawByte('{') first := true _ = first @@ -1921,14 +2058,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15( // MarshalEasyJSON supports easyjson.Marshaler interface func (v DNSQuestionSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *DNSQuestionSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(in *jlexer.Lexer, out *DNSEventSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(in *jlexer.Lexer, out *DNSEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -1961,7 +2098,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(out *jwriter.Writer, in DNSEventSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(out *jwriter.Writer, in DNSEventSerializer) { out.RawByte('{') first := true _ = first @@ -1980,14 +2117,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16( // MarshalEasyJSON supports easyjson.Marshaler interface func (v DNSEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *DNSEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(in *jlexer.Lexer, out *ContainerContextSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(in *jlexer.Lexer, out *ContainerContextSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -2032,7 +2169,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(out *jwriter.Writer, in ContainerContextSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(out *jwriter.Writer, in ContainerContextSerializer) { out.RawByte('{') first := true _ = first @@ -2067,14 +2204,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17( // MarshalEasyJSON supports easyjson.Marshaler interface func (v ContainerContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *ContainerContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(in *jlexer.Lexer, out *BaseEventSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(in *jlexer.Lexer, out *BaseEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -2153,7 +2290,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(out *jwriter.Writer, in BaseEventSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(out *jwriter.Writer, in BaseEventSerializer) { out.RawByte('{') first := true _ = first @@ -2218,14 +2355,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18( // MarshalEasyJSON supports easyjson.Marshaler interface func (v BaseEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *BaseEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(in *jlexer.Lexer, out *AWSSecurityCredentialsSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(in *jlexer.Lexer, out *AWSSecurityCredentialsSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -2264,7 +2401,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(out *jwriter.Writer, in AWSSecurityCredentialsSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(out *jwriter.Writer, in AWSSecurityCredentialsSerializer) { out.RawByte('{') first := true _ = first @@ -2298,14 +2435,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19( // MarshalEasyJSON supports easyjson.Marshaler interface func (v AWSSecurityCredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *AWSSecurityCredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(l, v) } -func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(in *jlexer.Lexer, out *AWSIMDSEventSerializer) { +func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(in *jlexer.Lexer, out *AWSIMDSEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -2346,7 +2483,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20( in.Consumed() } } -func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(out *jwriter.Writer, in AWSIMDSEventSerializer) { +func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(out *jwriter.Writer, in AWSIMDSEventSerializer) { out.RawByte('{') first := true _ = first @@ -2365,10 +2502,10 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20( // MarshalEasyJSON supports easyjson.Marshaler interface func (v AWSIMDSEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(w, v) + easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *AWSIMDSEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(l, v) + easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(l, v) } diff --git a/pkg/security/serializers/serializers_linux.go b/pkg/security/serializers/serializers_linux.go index 08186f1d473a63..c8e2593f049a53 100644 --- a/pkg/security/serializers/serializers_linux.go +++ b/pkg/security/serializers/serializers_linux.go @@ -673,6 +673,7 @@ type EventSerializer struct { *SyscallContextSerializer `json:"syscall,omitempty"` *RawPacketSerializer `json:"packet,omitempty"` *NetworkFlowMonitorSerializer `json:"network_flow_monitor,omitempty"` + *SysCtlEventSerializer `json:"sysctl,omitempty"` } func newSyscallsEventSerializer(e *model.SyscallsEvent) *SyscallsEventSerializer { @@ -1095,6 +1096,19 @@ func newNetworkFlowMonitorSerializer(nm *model.NetworkFlowMonitorEvent, e *model return s } +func newSysCtlEventSerializer(sce *model.SysCtlEvent, e *model.Event) *SysCtlEventSerializer { + return &SysCtlEventSerializer{ + Action: model.SysCtlAction(sce.Action).String(), + FilePosition: sce.FilePosition, + Name: sce.Name, + NameTruncated: sce.NameTruncated, + CurrentValue: sce.CurrentValue, + CurrentValueTruncated: sce.CurrentValueTruncated, + NewValue: sce.NewValue, + NewValueTruncated: sce.NewValueTruncated, + } +} + func serializeOutcome(retval int64) string { switch { case retval < 0: @@ -1523,6 +1537,8 @@ func NewEventSerializer(event *model.Event, opts *eval.Opts) *EventSerializer { s.RawPacketSerializer = newRawPacketEventSerializer(&event.RawPacket, event) case model.NetworkFlowMonitorEventType: s.NetworkFlowMonitorSerializer = newNetworkFlowMonitorSerializer(&event.NetworkFlowMonitor, event) + case model.SysCtlEventType: + s.SysCtlEventSerializer = newSysCtlEventSerializer(&event.SysCtl, event) } return s diff --git a/pkg/security/serializers/serializers_linux_easyjson.go b/pkg/security/serializers/serializers_linux_easyjson.go index 0a079aaae163b8..8eba1648bb87c1 100644 --- a/pkg/security/serializers/serializers_linux_easyjson.go +++ b/pkg/security/serializers/serializers_linux_easyjson.go @@ -3655,6 +3655,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers24( out.SyscallContextSerializer = new(SyscallContextSerializer) out.RawPacketSerializer = new(RawPacketSerializer) out.NetworkFlowMonitorSerializer = new(NetworkFlowMonitorSerializer) + out.SysCtlEventSerializer = new(SysCtlEventSerializer) in.Delim('{') for !in.IsDelim('}') { key := in.UnsafeFieldName(false) @@ -3916,6 +3917,16 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers24( } (*out.NetworkFlowMonitorSerializer).UnmarshalEasyJSON(in) } + case "sysctl": + if in.IsNull() { + in.Skip() + out.SysCtlEventSerializer = nil + } else { + if out.SysCtlEventSerializer == nil { + out.SysCtlEventSerializer = new(SysCtlEventSerializer) + } + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(in, out.SysCtlEventSerializer) + } case "evt": (out.EventContextSerializer).UnmarshalEasyJSON(in) case "date": @@ -4213,6 +4224,16 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers24( } (*in.NetworkFlowMonitorSerializer).MarshalEasyJSON(out) } + if in.SysCtlEventSerializer != nil { + const prefix string = ",\"sysctl\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(out, *in.SysCtlEventSerializer) + } if true { const prefix string = ",\"evt\":" if first { @@ -4285,7 +4306,134 @@ func (v EventSerializer) MarshalEasyJSON(w *jwriter.Writer) { func (v *EventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers24(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(in *jlexer.Lexer, out *DDContextSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(in *jlexer.Lexer, out *SysCtlEventSerializer) { + isTopLevel := in.IsStart() + if in.IsNull() { + if isTopLevel { + in.Consumed() + } + in.Skip() + return + } + in.Delim('{') + for !in.IsDelim('}') { + key := in.UnsafeFieldName(false) + in.WantColon() + if in.IsNull() { + in.Skip() + in.WantComma() + continue + } + switch key { + case "action": + out.Action = string(in.String()) + case "file_position": + out.FilePosition = uint32(in.Uint32()) + case "name": + out.Name = string(in.String()) + case "name_truncated": + out.NameTruncated = bool(in.Bool()) + case "current_value": + out.CurrentValue = string(in.String()) + case "current_value_truncated": + out.CurrentValueTruncated = bool(in.Bool()) + case "new_value": + out.NewValue = string(in.String()) + case "new_value_truncated": + out.NewValueTruncated = bool(in.Bool()) + default: + in.SkipRecursive() + } + in.WantComma() + } + in.Delim('}') + if isTopLevel { + in.Consumed() + } +} +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(out *jwriter.Writer, in SysCtlEventSerializer) { + out.RawByte('{') + first := true + _ = first + if in.Action != "" { + const prefix string = ",\"action\":" + first = false + out.RawString(prefix[1:]) + out.String(string(in.Action)) + } + if in.FilePosition != 0 { + const prefix string = ",\"file_position\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Uint32(uint32(in.FilePosition)) + } + if in.Name != "" { + const prefix string = ",\"name\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.String(string(in.Name)) + } + if in.NameTruncated { + const prefix string = ",\"name_truncated\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Bool(bool(in.NameTruncated)) + } + if in.CurrentValue != "" { + const prefix string = ",\"current_value\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.String(string(in.CurrentValue)) + } + if in.CurrentValueTruncated { + const prefix string = ",\"current_value_truncated\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Bool(bool(in.CurrentValueTruncated)) + } + if in.NewValue != "" { + const prefix string = ",\"new_value\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.String(string(in.NewValue)) + } + if in.NewValueTruncated { + const prefix string = ",\"new_value_truncated\":" + if first { + first = false + out.RawString(prefix[1:]) + } else { + out.RawString(prefix) + } + out.Bool(bool(in.NewValueTruncated)) + } + out.RawByte('}') +} +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(in *jlexer.Lexer, out *DDContextSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4318,7 +4466,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers25( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(out *jwriter.Writer, in DDContextSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(out *jwriter.Writer, in DDContextSerializer) { out.RawByte('{') first := true _ = first @@ -4343,14 +4491,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers25( // MarshalEasyJSON supports easyjson.Marshaler interface func (v DDContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *DDContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers25(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(in *jlexer.Lexer, out *CredentialsSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(in *jlexer.Lexer, out *CredentialsSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4451,7 +4599,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers26( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(out *jwriter.Writer, in CredentialsSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(out *jwriter.Writer, in CredentialsSerializer) { out.RawByte('{') first := true _ = first @@ -4557,14 +4705,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers26( // MarshalEasyJSON supports easyjson.Marshaler interface func (v CredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *CredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers26(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(in *jlexer.Lexer, out *ConnectEventSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(in *jlexer.Lexer, out *ConnectEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4597,7 +4745,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers27( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(out *jwriter.Writer, in ConnectEventSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(out *jwriter.Writer, in ConnectEventSerializer) { out.RawByte('{') first := true _ = first @@ -4616,14 +4764,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers27( // MarshalEasyJSON supports easyjson.Marshaler interface func (v ConnectEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *ConnectEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers27(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(in *jlexer.Lexer, out *CapsetSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(in *jlexer.Lexer, out *CapsetSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4698,7 +4846,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers28( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(out *jwriter.Writer, in CapsetSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(out *jwriter.Writer, in CapsetSerializer) { out.RawByte('{') first := true _ = first @@ -4739,14 +4887,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers28( // MarshalEasyJSON supports easyjson.Marshaler interface func (v CapsetSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *CapsetSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers28(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(in *jlexer.Lexer, out *CGroupContextSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(in *jlexer.Lexer, out *CGroupContextSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4779,7 +4927,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers29( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(out *jwriter.Writer, in CGroupContextSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(out *jwriter.Writer, in CGroupContextSerializer) { out.RawByte('{') first := true _ = first @@ -4804,14 +4952,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers29( // MarshalEasyJSON supports easyjson.Marshaler interface func (v CGroupContextSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *CGroupContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers29(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(in *jlexer.Lexer, out *BindEventSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(in *jlexer.Lexer, out *BindEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4844,7 +4992,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers30( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(out *jwriter.Writer, in BindEventSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(out *jwriter.Writer, in BindEventSerializer) { out.RawByte('{') first := true _ = first @@ -4863,14 +5011,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers30( // MarshalEasyJSON supports easyjson.Marshaler interface func (v BindEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *BindEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers30(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(in *jlexer.Lexer, out *BPFProgramSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(in *jlexer.Lexer, out *BPFProgramSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -4930,7 +5078,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers31( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(out *jwriter.Writer, in BPFProgramSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(out *jwriter.Writer, in BPFProgramSerializer) { out.RawByte('{') first := true _ = first @@ -4994,14 +5142,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers31( // MarshalEasyJSON supports easyjson.Marshaler interface func (v BPFProgramSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *BPFProgramSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers31(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(in *jlexer.Lexer, out *BPFMapSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(in *jlexer.Lexer, out *BPFMapSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -5034,7 +5182,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers32( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(out *jwriter.Writer, in BPFMapSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(out *jwriter.Writer, in BPFMapSerializer) { out.RawByte('{') first := true _ = first @@ -5059,14 +5207,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers32( // MarshalEasyJSON supports easyjson.Marshaler interface func (v BPFMapSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *BPFMapSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers32(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(in *jlexer.Lexer, out *BPFEventSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(in *jlexer.Lexer, out *BPFEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -5117,7 +5265,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers33( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(out *jwriter.Writer, in BPFEventSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(out *jwriter.Writer, in BPFEventSerializer) { out.RawByte('{') first := true _ = first @@ -5141,14 +5289,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers33( // MarshalEasyJSON supports easyjson.Marshaler interface func (v BPFEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *BPFEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers33(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(in *jlexer.Lexer, out *AnomalyDetectionSyscallEventSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(in *jlexer.Lexer, out *AnomalyDetectionSyscallEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -5179,7 +5327,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers34( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(out *jwriter.Writer, in AnomalyDetectionSyscallEventSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(out *jwriter.Writer, in AnomalyDetectionSyscallEventSerializer) { out.RawByte('{') first := true _ = first @@ -5193,14 +5341,14 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers34( // MarshalEasyJSON supports easyjson.Marshaler interface func (v AnomalyDetectionSyscallEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *AnomalyDetectionSyscallEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers34(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(l, v) } -func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(in *jlexer.Lexer, out *AcceptEventSerializer) { +func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers36(in *jlexer.Lexer, out *AcceptEventSerializer) { isTopLevel := in.IsStart() if in.IsNull() { if isTopLevel { @@ -5231,7 +5379,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers35( in.Consumed() } } -func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(out *jwriter.Writer, in AcceptEventSerializer) { +func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers36(out *jwriter.Writer, in AcceptEventSerializer) { out.RawByte('{') first := true _ = first @@ -5245,10 +5393,10 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers35( // MarshalEasyJSON supports easyjson.Marshaler interface func (v AcceptEventSerializer) MarshalEasyJSON(w *jwriter.Writer) { - easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(w, v) + easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers36(w, v) } // UnmarshalEasyJSON supports easyjson.Unmarshaler interface func (v *AcceptEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) { - easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers35(l, v) + easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers36(l, v) }