[CWS] review changes
Gui774ume committed Mar 3, 2025
1 parent 2528a71 commit 95d38d8
Showing 22 changed files with 344 additions and 224 deletions.
40 changes: 20 additions & 20 deletions docs/cloud-workload-security/backend_linux.md
Expand Up @@ -1638,21 +1638,21 @@ CSM Threats event for Linux systems have the following JSON schema:
"type": "boolean",
"description": "name_truncated indicates if the name field is truncated"
},
"current_value": {
"value": {
"type": "string",
"description": "current_value is the value of the system control parameter before the event"
"description": "value is the new and/or current value for the system control parameter depending on the action type"
},
"current_value_truncated": {
"value_truncated": {
"type": "boolean",
"description": "current_value_truncated indicates if the current_value field is truncated"
"description": "value_truncated indicates if the value field is truncated"
},
"new_value": {
"old_value": {
"type": "string",
"description": "new_value is the newly set value of the system control"
"description": "old_value is the old value of the system control parameter"
},
"new_value_truncated": {
"old_value_truncated": {
"type": "boolean",
"description": "new_value_truncated indicates if the new_value field is truncated"
"description": "old_value_truncated indicates if the old_value field is truncated"
}
},
"additionalProperties": false,
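Review bot: the new `value` description ("new and/or current value ... depending on the action type") is ambiguous for the rule author who has to pick a field, whereas the replaced `current_value`/`new_value` pair stated the read/write semantics explicitly. Spell it out per action, e.g. "for read actions the current value; for write actions the value being written", and say whether `old_value` is populated on reads or only on writes.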
Expand Down Expand Up @@ -4415,21 +4415,21 @@ CSM Threats event for Linux systems have the following JSON schema:
"type": "boolean",
"description": "name_truncated indicates if the name field is truncated"
},
"current_value": {
"value": {
"type": "string",
"description": "current_value is the value of the system control parameter before the event"
"description": "value is the new and/or current value for the system control parameter depending on the action type"
},
"current_value_truncated": {
"value_truncated": {
"type": "boolean",
"description": "current_value_truncated indicates if the current_value field is truncated"
"description": "value_truncated indicates if the value field is truncated"
},
"new_value": {
"old_value": {
"type": "string",
"description": "new_value is the newly set value of the system control"
"description": "old_value is the old value of the system control parameter"
},
"new_value_truncated": {
"old_value_truncated": {
"type": "boolean",
"description": "new_value_truncated indicates if the new_value field is truncated"
"description": "old_value_truncated indicates if the old_value field is truncated"
}
},
"additionalProperties": false,
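Review bot: this block is a verbatim repeat of the earlier `value`/`old_value` hunk in this file, so whatever wording fix is applied there has to be applied here as well; if both copies come from `backend_linux.schema.json` via the docs generator, regenerate rather than hand-edit so the two cannot drift.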
Expand All @@ -4445,10 +4445,10 @@ CSM Threats event for Linux systems have the following JSON schema:
| `file_position` | file_position is the position in the sysctl control parameter file at which the action occurred |
| `name` | name is the name of the system control parameter |
| `name_truncated` | name_truncated indicates if the name field is truncated |
| `current_value` | current_value is the value of the system control parameter before the event |
| `current_value_truncated` | current_value_truncated indicates if the current_value field is truncated |
| `new_value` | new_value is the newly set value of the system control |
| `new_value_truncated` | new_value_truncated indicates if the new_value field is truncated |
| `value` | value is the new and/or current value for the system control parameter depending on the action type |
| `value_truncated` | value_truncated indicates if the value field is truncated |
| `old_value` | old_value is the old value of the system control parameter |
| `old_value_truncated` | old_value_truncated indicates if the old_value field is truncated |


## `Syscall`
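Review bot: the `value` row in this table repeats the same "new and/or current" wording, so a reader of the field list still cannot tell which actions fill `value` and which fill `old_value`; put the per-action definition in the event description once and keep the rows short. The row order (`value`, `value_truncated`, `old_value`, `old_value_truncated`) follows the schema rather than the alphabetical order used in `linux_expressions.md`, which is acceptable for a generated table but worth a consistency check.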
16 changes: 8 additions & 8 deletions docs/cloud-workload-security/backend_linux.schema.json
Expand Up @@ -1627,21 +1627,21 @@
"type": "boolean",
"description": "name_truncated indicates if the name field is truncated"
},
"current_value": {
"value": {
"type": "string",
"description": "current_value is the value of the system control parameter before the event"
"description": "value is the new and/or current value for the system control parameter depending on the action type"
},
"current_value_truncated": {
"value_truncated": {
"type": "boolean",
"description": "current_value_truncated indicates if the current_value field is truncated"
"description": "value_truncated indicates if the value field is truncated"
},
"new_value": {
"old_value": {
"type": "string",
"description": "new_value is the newly set value of the system control"
"description": "old_value is the old value of the system control parameter"
},
"new_value_truncated": {
"old_value_truncated": {
"type": "boolean",
"description": "new_value_truncated indicates if the new_value field is truncated"
"description": "old_value_truncated indicates if the old_value field is truncated"
}
},
"additionalProperties": false,
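Review bot: this rename is a breaking change for consumers of the serialized event: with `additionalProperties: false` kept, any pipeline or SIEM parser that still validates or extracts `current_value`/`new_value` will reject or drop the field, so it should be called out as such in the release notes. Since this schema is the source the markdown docs are generated from, the per-action meaning of `value` (read: current value, write: value being written) belongs in the description here.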
42 changes: 21 additions & 21 deletions docs/cloud-workload-security/linux_expressions.md
Expand Up @@ -1750,13 +1750,13 @@ A sysctl parameter was read or modified
| Property | Definition |
| -------- | ------------- |
| [`sysctl.action`](#sysctl-action-doc) | Action performed on the system control parameter |
| [`sysctl.current_value`](#sysctl-current_value-doc) | Current value of the system control parameter |
| [`sysctl.current_value_truncated`](#sysctl-current_value_truncated-doc) | Indicates that the current value field is truncated |
| [`sysctl.file_position`](#sysctl-file_position-doc) | Position in the sysctl control parameter file at which the action occurred |
| [`sysctl.name`](#sysctl-name-doc) | Name of the system control parameter |
| [`sysctl.name_truncated`](#sysctl-name_truncated-doc) | Indicates that the name field is truncated |
| [`sysctl.new_value`](#sysctl-new_value-doc) | In case of Write accesses, new value for the system control parameter |
| [`sysctl.new_value_truncated`](#sysctl-new_value_truncated-doc) | Indicates that the new_value field is truncated |
| [`sysctl.old_value`](#sysctl-old_value-doc) | Old value of the system control parameter |
| [`sysctl.old_value_truncated`](#sysctl-old_value_truncated-doc) | Indicates that the old value field is truncated |
| [`sysctl.value`](#sysctl-value-doc) | New and/or current value for the system control parameter depending on the action type |
| [`sysctl.value_truncated`](#sysctl-value_truncated-doc) | Indicates that the value field is truncated |

### Event `unlink`

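Review bot: existing rules that reference `sysctl.current_value` or `sysctl.new_value` will stop compiling against this property table, so the rename needs a migration note; as the old and new definitions read, a read-action rule moves from `current_value` to `value`, and a write-action rule moves from `current_value` to `old_value` and from `new_value` to `value`. The `sysctl.value` definition itself should name the actions instead of "new and/or current".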
Expand Up @@ -3431,52 +3431,52 @@ Constants: [SysCtl Actions](#sysctl-actions)



### `sysctl.current_value` {#sysctl-current_value-doc}
Type: string
### `sysctl.file_position` {#sysctl-file_position-doc}
Type: int

Definition: Current value of the system control parameter
Definition: Position in the sysctl control parameter file at which the action occurred



### `sysctl.current_value_truncated` {#sysctl-current_value_truncated-doc}
Type: bool
### `sysctl.name` {#sysctl-name-doc}
Type: string

Definition: Indicates that the current value field is truncated
Definition: Name of the system control parameter



### `sysctl.file_position` {#sysctl-file_position-doc}
Type: int
### `sysctl.name_truncated` {#sysctl-name_truncated-doc}
Type: bool

Definition: Position in the sysctl control parameter file at which the action occurred
Definition: Indicates that the name field is truncated



### `sysctl.name` {#sysctl-name-doc}
### `sysctl.old_value` {#sysctl-old_value-doc}
Type: string

Definition: Name of the system control parameter
Definition: Old value of the system control parameter



### `sysctl.name_truncated` {#sysctl-name_truncated-doc}
### `sysctl.old_value_truncated` {#sysctl-old_value_truncated-doc}
Type: bool

Definition: Indicates that the name field is truncated
Definition: Indicates that the old value field is truncated



### `sysctl.new_value` {#sysctl-new_value-doc}
### `sysctl.value` {#sysctl-value-doc}
Type: string

Definition: In case of Write accesses, new value for the system control parameter
Definition: New and/or current value for the system control parameter depending on the action type



### `sysctl.new_value_truncated` {#sysctl-new_value_truncated-doc}
### `sysctl.value_truncated` {#sysctl-value_truncated-doc}
Type: bool

Definition: Indicates that the new_value field is truncated
Definition: Indicates that the value field is truncated



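Review bot: the `sysctl.value` definition ("New and/or current value for the system control parameter depending on the action type") should reference the `SysCtl Actions` constants listed above and state which value is returned for each action; likewise `sysctl.old_value` should say whether it is set for read actions at all. Without that, `sysctl.value_truncated` and `sysctl.old_value_truncated` are hard to reason about in a rule because it is unclear which buffer was truncated.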
80 changes: 40 additions & 40 deletions docs/cloud-workload-security/secl_linux.json
Expand Up @@ -7295,16 +7295,6 @@
"definition": "Action performed on the system control parameter",
"property_doc_link": "sysctl-action-doc"
},
{
"name": "sysctl.current_value",
"definition": "Current value of the system control parameter",
"property_doc_link": "sysctl-current_value-doc"
},
{
"name": "sysctl.current_value_truncated",
"definition": "Indicates that the current value field is truncated",
"property_doc_link": "sysctl-current_value_truncated-doc"
},
{
"name": "sysctl.file_position",
"definition": "Position in the sysctl control parameter file at which the action occurred",
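Review bot: removing these two entries also removes the `sysctl-current_value-doc` and `sysctl-current_value_truncated-doc` anchors; check that no other property-doc link in this file or in the markdown still points at them, otherwise the generated docs will carry dead links.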
Expand All @@ -7321,14 +7311,24 @@
"property_doc_link": "sysctl-name_truncated-doc"
},
{
"name": "sysctl.new_value",
"definition": "In case of Write accesses, new value for the system control parameter",
"property_doc_link": "sysctl-new_value-doc"
"name": "sysctl.old_value",
"definition": "Old value of the system control parameter",
"property_doc_link": "sysctl-old_value-doc"
},
{
"name": "sysctl.old_value_truncated",
"definition": "Indicates that the old value field is truncated",
"property_doc_link": "sysctl-old_value_truncated-doc"
},
{
"name": "sysctl.value",
"definition": "New and/or current value for the system control parameter depending on the action type",
"property_doc_link": "sysctl-value-doc"
},
{
"name": "sysctl.new_value_truncated",
"definition": "Indicates that the new_value field is truncated",
"property_doc_link": "sysctl-new_value_truncated-doc"
"name": "sysctl.value_truncated",
"definition": "Indicates that the value field is truncated",
"property_doc_link": "sysctl-value_truncated-doc"
}
]
},
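Review bot: the `sysctl.value` definition here carries the same "New and/or current value ... depending on the action type" wording as `linux_expressions.md`; whichever per-action phrasing is chosen there must be mirrored in this JSON, since this file appears to be the source the markdown table is rendered from.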
Expand Down Expand Up @@ -11084,10 +11084,10 @@
"examples": []
},
{
"name": "sysctl.current_value",
"link": "sysctl-current_value-doc",
"type": "string",
"definition": "Current value of the system control parameter",
"name": "sysctl.file_position",
"link": "sysctl-file_position-doc",
"type": "int",
"definition": "Position in the sysctl control parameter file at which the action occurred",
"prefixes": [
"sysctl"
],
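Review bot: this and the following hunks in this file are a reordering to keep the property array sorted (`file_position`, `name`, `name_truncated`, `old_value`, `old_value_truncated`, `value`, `value_truncated`), which makes the diff look like a rename of every entry; if the file is produced by the docs generator, regenerating it rather than hand-editing avoids both the noisy diff and the risk of a missed entry.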
Expand All @@ -11096,10 +11096,10 @@
"examples": []
},
{
"name": "sysctl.current_value_truncated",
"link": "sysctl-current_value_truncated-doc",
"type": "bool",
"definition": "Indicates that the current value field is truncated",
"name": "sysctl.name",
"link": "sysctl-name-doc",
"type": "string",
"definition": "Name of the system control parameter",
"prefixes": [
"sysctl"
],
Expand All @@ -11108,10 +11108,10 @@
"examples": []
},
{
"name": "sysctl.file_position",
"link": "sysctl-file_position-doc",
"type": "int",
"definition": "Position in the sysctl control parameter file at which the action occurred",
"name": "sysctl.name_truncated",
"link": "sysctl-name_truncated-doc",
"type": "bool",
"definition": "Indicates that the name field is truncated",
"prefixes": [
"sysctl"
],
Expand All @@ -11120,10 +11120,10 @@
"examples": []
},
{
"name": "sysctl.name",
"link": "sysctl-name-doc",
"name": "sysctl.old_value",
"link": "sysctl-old_value-doc",
"type": "string",
"definition": "Name of the system control parameter",
"definition": "Old value of the system control parameter",
"prefixes": [
"sysctl"
],
Expand All @@ -11132,10 +11132,10 @@
"examples": []
},
{
"name": "sysctl.name_truncated",
"link": "sysctl-name_truncated-doc",
"name": "sysctl.old_value_truncated",
"link": "sysctl-old_value_truncated-doc",
"type": "bool",
"definition": "Indicates that the name field is truncated",
"definition": "Indicates that the old value field is truncated",
"prefixes": [
"sysctl"
],
Expand All @@ -11144,10 +11144,10 @@
"examples": []
},
{
"name": "sysctl.new_value",
"link": "sysctl-new_value-doc",
"name": "sysctl.value",
"link": "sysctl-value-doc",
"type": "string",
"definition": "In case of Write accesses, new value for the system control parameter",
"definition": "New and/or current value for the system control parameter depending on the action type",
"prefixes": [
"sysctl"
],
Expand All @@ -11156,10 +11156,10 @@
"examples": []
},
{
"name": "sysctl.new_value_truncated",
"link": "sysctl-new_value_truncated-doc",
"name": "sysctl.value_truncated",
"link": "sysctl-value_truncated-doc",
"type": "bool",
"definition": "Indicates that the new_value field is truncated",
"definition": "Indicates that the value field is truncated",
"prefixes": [
"sysctl"
],
3 changes: 1 addition & 2 deletions pkg/security/ebpf/c/include/constants/custom.h
Expand Up @@ -234,15 +234,14 @@ static __attribute__((always_inline)) u64 is_network_flow_monitor_enabled() {
return is_network_flow_monitor_enabled;
}

#define SYSCTL_SHOT 0
#define SYSCTL_OK 1

#define MAX_SYSCTL_BUFFER_LEN 1024
#define MAX_SYSCTL_OBJ_LEN 256
#define SYSCTL_EVENT_GEN_KEY 0

#define SYSCTL_NAME_TRUNCATED (1 << 0)
#define SYSCTL_CURRENT_VALUE_TRUNCATED (1 << 1)
#define SYSCTL_OLD_VALUE_TRUNCATED (1 << 1)
#define SYSCTL_NEW_VALUE_TRUNCATED (1 << 2)

static __attribute__((always_inline)) u64 has_tracing_helpers_in_cgroup_sysctl() {
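Review bot: `SYSCTL_CURRENT_VALUE_TRUNCATED` becomes `SYSCTL_OLD_VALUE_TRUNCATED` but the companion flag keeps the name `SYSCTL_NEW_VALUE_TRUNCATED (1 << 2)`, while the serialized field it maps to is now `value_truncated`; either rename it to match (`SYSCTL_VALUE_TRUNCATED`) or add a comment stating the mapping so the kernel-side bit and the user-facing field are not confused. The bit positions are unchanged, so the eBPF/userspace flag contract itself is unaffected.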
2 changes: 1 addition & 1 deletion pkg/security/ebpf/c/include/events_definition.h
Expand Up @@ -487,7 +487,7 @@ struct sysctl_event_t {
u32 action;
u32 file_position;
u16 name_len;
u16 current_value_len;
u16 old_value_len;
u16 new_value_len;
u16 flags;
char sysctl_buffer[MAX_SYSCTL_BUFFER_LEN];
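Review bot: same naming drift in `struct sysctl_event_t`: `current_value_len` becomes `old_value_len` but `new_value_len` keeps its name even though the schema now calls that field `value`. The field stays `u16` in the same position, so the event layout shared with the userspace decoder is unchanged and this is a source-level rename only; make sure every reader of the old member name is updated in the same commit so the build does not break.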