
     1  // Unless explicitly stated otherwise all files in this repository are licensed
     2  // under the Apache License Version 2.0.
     3  // This product includes software developed at Datadog (https://www.datadoghq.com/).
     4  // Copyright 2016-present Datadog, Inc.
     5  
     6  //go:generate accessors -tags windows -types-file model.go -output accessors_windows.go -field-handlers field_handlers_windows.go -field-accessors-output field_accessors_windows.go
     7  
     8  // Package model holds model related files
     9  package model
    10  
    11  import (
    12  	"time"
    13  
    14  	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
    15  )
    16  
// ValidateField validates the value of a field.
//
// Validation is delegated entirely to the model's ExtraValidateFieldFnc hook
// when one is installed. When the hook is nil every (field, value) pair is
// accepted and nil is returned — this layer performs no validation of its own,
// so a deployment that relies on rejecting malformed rule values must make sure
// the hook is set.
func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error {
	validate := m.ExtraValidateFieldFnc
	if validate == nil {
		// No extra validation configured: accept the value as-is.
		return nil
	}
	return validate(field, fieldValue)
}
    25  
// Event represents an event sent from the kernel.
//
// Each exported field is one SECL event type available on Windows: the `event`
// tag is the name rule authors use (`exec`, `create_key`, ...) and the `field`
// tag is the prefix under which the event's sub-fields are addressed. A
// `;`-separated second name in `field` (e.g. `create_key;create`) is an extra
// prefix; presumably it lets the registry fields be reached as `create.registry.*`
// next to the FIM `create.file.*` fields — confirm against the accessors
// generator. The trailing `[version] [Category] ...` comments appear to be
// consumed by the SECL documentation tooling; keep their shape.
// genaccessors
type Event struct {
	BaseEvent

	// process events
	Exec ExecEvent `field:"exec" event:"exec"` // [7.27] [Process] A process was executed or forked
	Exit ExitEvent `field:"exit" event:"exit"` // [7.38] [Process] A process was terminated

	// FIM (file integrity monitoring). Paths on these events are NT device paths, see FimFileEvent.
	CreateNewFile CreateNewFileEvent `field:"create" event:"create"` // [7.52] [File] A file was created
	RenameFile    RenameFileEvent    `field:"rename" event:"rename"` // [7.54] [File] A file was renamed
	DeleteFile    DeleteFileEvent    `field:"delete" event:"delete"` // [7.54] [File] A file was deleted
	WriteFile     WriteFileEvent     `field:"write" event:"write"`   // [7.54] [File] A file was written

	// Registries. Each also exposes a short alias prefix (create/open/set/delete).
	CreateRegistryKey   CreateRegistryKeyEvent   `field:"create_key;create" event:"create_key" `   // [7.52] [Registry] A registry key was created
	OpenRegistryKey     OpenRegistryKeyEvent     `field:"open_key;open" event:"open_key"`          // [7.52] [Registry] A registry key was opened
	SetRegistryKeyValue SetRegistryKeyValueEvent `field:"set_key_value;set" event:"set_key_value"` // [7.52] [Registry] A registry key value was set
	DeleteRegistryKey   DeleteRegistryKeyEvent   `field:"delete_key;delete" event:"delete_key"`    // [7.52] [Registry] A registry key was deleted
}
    47  
// FileEvent is the common file event type used by process events (e.g. the
// image file of an exec).
//
// Rule comparisons on `path` go through eval.WindowsPathCmp and on `name`
// through eval.CaseInsensitiveCmp, so a match does not depend on the letter
// case an attacker chose for the path. The exact normalisation WindowsPathCmp
// performs (separator handling, prefixes) lives in the eval package — verify
// there before relying on it in a detection.
type FileEvent struct {
	FileObject  uint64 `field:"-"`                                                                                  // kernel file object / handle numeric value; not exposed to SECL
	PathnameStr string `field:"path,handler:ResolveFilePath,opts:length" op_override:"eval.WindowsPathCmp"`         // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "c:\cmd.bat"` Description:`Matches the execution of the file located at c:\cmd.bat`
	BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "cmd.bat"` Description:`Matches the execution of any file named cmd.bat.`
}
    54  
// FimFileEvent is the common file event type for FIM events (create, rename,
// delete, write).
//
// Unlike FileEvent, the SECL field is `device_path` and the example shows the
// NT device form (`\device\harddisk1\...`) rather than a drive letter; rule
// authors must write paths in that form. Comparisons use eval.WindowsPathCmp
// for the path and eval.CaseInsensitiveCmp for the basename.
type FimFileEvent struct {
	FileObject  uint64 `field:"-"`                                                                                     // kernel file object / handle numeric value; not exposed to SECL
	PathnameStr string `field:"device_path,handler:ResolveFimFilePath,opts:length" op_override:"eval.WindowsPathCmp"`  // SECLDoc[device_path] Definition:`File's path` Example:`create.file.device_path == "\device\harddisk1\cmd.bat"` Description:`Matches the creation of the file located at \device\harddisk1\cmd.bat (the path is expressed in NT device form rather than with a drive letter)`
	BasenameStr string `field:"name,handler:ResolveFimFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`File's basename` Example:`create.file.name == "cmd.bat"` Description:`Matches the creation of any file named cmd.bat.`
}
    61  
// RegistryEvent is the common registry event type.
//
// NOTE(review): KeyPath carries op_override:"eval.CaseInsensitiveCmp" but
// KeyName does not. Registry key names are case-insensitive on Windows, so
// unless the default string comparator is already case-insensitive a rule such
// as `key_name == "Run"` can be sidestepped by creating `run` — confirm the
// default comparator, or give key_name the same override as key_path.
type RegistryEvent struct {
	KeyName string `field:"key_name,opts:length"`                                       // SECLDoc[key_name] Definition:`Registry's name`
	KeyPath string `field:"key_path,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[key_path] Definition:`Registry's path`
}
    67  
// Process represents a process.
//
// Notes for rule authors and reviewers (Windows model):
//   - `cmdline` is the raw command line and is the field rules evaluate;
//     `cmdline_scrubbed` is opts:getters_only (presumably accessor-only, not a
//     rule field). NOTE(review): any secret passed on the command line is
//     therefore visible to rule evaluation and to anything reading CmdLine
//     directly — confirm that only the scrubbed getter feeds serialized or
//     forwarded output.
//   - `user` is resolved through ResolveUser, presumably from OwnerSidString.
//     NOTE(review): built-in account names are locale-dependent on Windows, so
//     rules targeting well-known accounts are more robust on `user_sid`.
//   - `weight:` values on the tags are presumably evaluation-cost hints for the
//     rule compiler — verify in the eval package.
type Process struct {
	PIDContext

	FileEvent FileEvent `field:"file"` // image file of the process (exec.file.path / exec.file.name)

	// NOTE(review): no resolver handler is attached on Windows; confirm this is
	// populated for Windows containers or document it as always empty here.
	ContainerID string `field:"container.id"` // SECLDoc[container.id] Definition:`Container ID`

	// opts:getters_only — presumably exposed through accessors but not addressable from rules.
	ExitTime time.Time `field:"exit_time,opts:getters_only"`
	ExecTime time.Time `field:"exec_time,opts:getters_only"`

	CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`

	// NOTE(review): Windows reuses PIDs; ppid alone does not pin a specific parent
	// once that parent has exited — pair with created_at when lineage matters.
	PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`

	ArgsEntry *ArgsEntry `field:"-"` // presumably backing storage for the resolved arguments; not a SECL field
	EnvsEntry *EnvsEntry `field:"-"` // presumably backing storage for the resolved environment; not a SECL field

	CmdLine         string `field:"cmdline,handler:ResolveProcessCmdLine,weight:200" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[cmdline] Definition:`Command line of the process` Example:`exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.cmdline =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
	CmdLineScrubbed string `field:"cmdline_scrubbed,handler:ResolveProcessCmdLineScrubbed,weight:500,opts:getters_only"` // scrubbed form of CmdLine; getters only

	OwnerSidString string `field:"user_sid"`                 // SECLDoc[user_sid] Definition:`Sid of the user of the process`
	User           string `field:"user,handler:ResolveUser"` // SECLDoc[user] Definition:`User name`

	Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
	Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process`

	// cache version
	Variables               eval.Variables `field:"-"` // SECL variables scoped to this process; not a rule field
	ScrubbedCmdLineResolved bool           `field:"-"` // presumably set once CmdLineScrubbed has been computed, so scrubbing runs only once
}
    99  
// ExecEvent represents a exec event.
//
// It embeds *Process by pointer, so the exec event's `exec.*` fields are the
// embedded process's fields. NOTE(review): with a nil Process, promoted field
// access dereferences nil; presumably the generated accessors guard this —
// confirm in accessors_windows.go.
type ExecEvent struct {
	*Process
}
   104  
// PIDContext holds the process context of an kernel event.
//
// The "thread group ID" wording in the SECLDoc below is inherited from the
// Linux model; on Windows this is simply the process ID.
type PIDContext struct {
	Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
}
   109  
// NetworkDeviceContext defines a network device context.
//
// It carries no fields on Windows; the type exists so platform-independent
// code that references it still compiles.
type NetworkDeviceContext struct{}
   112  
// ExtraFieldHandlers handlers not hold by any field.
//
// On Windows it adds nothing beyond BaseExtraFieldHandlers.
type ExtraFieldHandlers interface {
	BaseExtraFieldHandlers
}
   117  
   118  // FIM
   119  
// CreateNewFileEvent defines file creation.
//
// Fields are addressed as `create.file.*`; the path is an NT device path
// (`create.file.device_path`), see FimFileEvent.
type CreateNewFileEvent struct {
	File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}
   124  
// RenameFileEvent defines file renaming.
//
// Old is the source (`rename.file.*`) and New the destination
// (`rename.file.destination.*`); both are NT device paths, see FimFileEvent.
type RenameFileEvent struct {
	Old FimFileEvent `field:"file"`             // SECLDoc[file] Definition:`File Event`
	New FimFileEvent `field:"file.destination"` // SECLDoc[file] Definition:`File Event`
}
   130  
// DeleteFileEvent represents an unlink event.
//
// Fields are addressed as `delete.file.*`; the path is an NT device path, see FimFileEvent.
type DeleteFileEvent struct {
	File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}
   135  
// WriteFileEvent represents a write event.
//
// Fields are addressed as `write.file.*`; the path is an NT device path, see
// FimFileEvent. Only the written file is modeled — the written content is not.
type WriteFileEvent struct {
	File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}
   140  
   141  // Registries
   142  
// CreateRegistryKeyEvent defines registry key creation.
//
// Fields are addressed as `create_key.registry.*` (alias prefix `create`).
type CreateRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}
   147  
// OpenRegistryKeyEvent defines registry key opening.
//
// Fields are addressed as `open_key.registry.*` (alias prefix `open`). Note
// that only the key is modeled, not the access rights requested on open.
type OpenRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}
   152  
// SetRegistryKeyValueEvent defines the event of setting up a value of a registry key.
//
// Fields are addressed as `set_key_value.registry.*` and `set_key_value.value_name`
// (alias prefix `set`). Only the value's name is modeled — its data and type
// are not, so rules can match on which value was set but not on what it was
// set to.
//
// NOTE(review): value_name has no op_override, unlike key_path. Registry value
// names are case-insensitive on Windows, so unless the default comparator is
// case-insensitive a rule on an exact value name can be evaded by changing its
// case — confirm, or add eval.CaseInsensitiveCmp here too.
type SetRegistryKeyValueEvent struct {
	Registry  RegistryEvent `field:"registry"`                                   // SECLDoc[registry] Definition:`Registry Event`
	ValueName string        `field:"value_name;registry.value_name,opts:length"` // SECLDoc[value_name] Definition:`Registry's value name`

}
   159  
// DeleteRegistryKeyEvent defines registry key deletion.
//
// Fields are addressed as `delete_key.registry.*` (alias prefix `delete`).
type DeleteRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}