github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/rules/opts.go (about)

     1  // Unless explicitly stated otherwise all files in this repository are licensed
     2  // under the Apache License Version 2.0.
     3  // This product includes software developed at Datadog (https://www.datadoghq.com/).
     4  // Copyright 2016-present Datadog, Inc.
     5  
     6  // Package rules holds rules related files
     7  package rules
     8  
     9  import (
    10  	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
    11  	"github.com/DataDog/datadog-agent/pkg/security/secl/log"
    12  	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
    13  )
    14  
    15  // VariableProvider is the interface implemented by SECL variable providers
    16  type VariableProvider interface {
    17  	GetVariable(name string, value interface{}) (eval.VariableValue, error)
    18  }
    19  
    20  // VariableProviderFactory describes a function called to instantiate a variable provider
    21  type VariableProviderFactory func() VariableProvider
    22  
    23  // Opts defines rules set options
    24  type Opts struct {
    25  	RuleSetTag               map[string]eval.RuleSetTagValue
    26  	SupportedDiscarders      map[eval.Field]bool
    27  	SupportedMultiDiscarders []*MultiDiscarder
    28  	ReservedRuleIDs          []RuleID
    29  	EventTypeEnabled         map[eval.EventType]bool
    30  	StateScopes              map[Scope]VariableProviderFactory
    31  	Logger                   log.Logger
    32  }
    33  
    34  // WithRuleSetTag sets the rule set tag with the value of the tag of the rules that belong in this rule set
    35  func (o *Opts) WithRuleSetTag(tagValue eval.RuleSetTagValue) *Opts {
    36  	if o.RuleSetTag == nil {
    37  		o.RuleSetTag = make(map[string]eval.RuleSetTagValue)
    38  	}
    39  	o.RuleSetTag[RuleSetTagKey] = tagValue
    40  	return o
    41  }
    42  
    43  // WithSupportedDiscarders set supported discarders
    44  func (o *Opts) WithSupportedDiscarders(discarders map[eval.Field]bool) *Opts {
    45  	o.SupportedDiscarders = discarders
    46  	return o
    47  }
    48  
    49  // WithSupportedMultiDiscarder set supported multi discarders
    50  func (o *Opts) WithSupportedMultiDiscarder(discarders []*MultiDiscarder) *Opts {
    51  	o.SupportedMultiDiscarders = discarders
    52  	return o
    53  }
    54  
    55  // WithEventTypeEnabled set event types enabled
    56  func (o *Opts) WithEventTypeEnabled(eventTypes map[eval.EventType]bool) *Opts {
    57  	o.EventTypeEnabled = eventTypes
    58  	return o
    59  }
    60  
    61  // WithReservedRuleIDs set reserved rule ids
    62  func (o *Opts) WithReservedRuleIDs(ruleIds []RuleID) *Opts {
    63  	o.ReservedRuleIDs = ruleIds
    64  	return o
    65  }
    66  
    67  // WithLogger set logger
    68  func (o *Opts) WithLogger(logger log.Logger) *Opts {
    69  	o.Logger = logger
    70  	return o
    71  }
    72  
    73  // WithStateScopes set state scopes
    74  func (o *Opts) WithStateScopes(stateScopes map[Scope]VariableProviderFactory) *Opts {
    75  	o.StateScopes = stateScopes
    76  	return o
    77  }
    78  
    79  // NewRuleOpts returns rule options
    80  func NewRuleOpts(eventTypeEnabled map[eval.EventType]bool) *Opts {
    81  	var ruleOpts Opts
    82  	ruleOpts.
    83  		WithEventTypeEnabled(eventTypeEnabled).
    84  		WithStateScopes(map[Scope]VariableProviderFactory{
    85  			"process": func() VariableProvider {
    86  				return eval.NewScopedVariables(func(ctx *eval.Context) eval.ScopedVariable {
    87  					return ctx.Event.(*model.Event).ProcessCacheEntry
    88  				})
    89  			},
    90  			"container": func() VariableProvider {
    91  				return eval.NewScopedVariables(func(ctx *eval.Context) eval.ScopedVariable {
    92  					return ctx.Event.(*model.Event).ContainerContext
    93  				})
    94  			},
    95  		}).WithRuleSetTag(DefaultRuleSetTagValue)
    96  
    97  	return &ruleOpts
    98  }
    99  
   100  // NewEvalOpts returns eval options
   101  func NewEvalOpts() *eval.Opts {
   102  	var evalOpts eval.Opts
   103  	evalOpts.
   104  		WithConstants(model.SECLConstants()).
   105  		WithLegacyFields(model.SECLLegacyFields).
   106  		WithVariables(model.SECLVariables)
   107  
   108  	return &evalOpts
   109  }
   110  
   111  // NewBothOpts returns rule and eval options
   112  func NewBothOpts(eventTypeEnabled map[eval.EventType]bool) (*Opts, *eval.Opts) {
   113  	return NewRuleOpts(eventTypeEnabled), NewEvalOpts()
   114  }
   115  
   116  // MultiDiscarder represents a multi discarder, i.e. a discarder across multiple rule buckets
   117  type MultiDiscarder struct {
   118  	Entries        []MultiDiscarderEntry
   119  	FinalField     string
   120  	FinalEventType model.EventType
   121  }
   122  
   123  // MultiDiscarderEntry represents a multi discarder entry (a field, and associated event type)
   124  type MultiDiscarderEntry struct {
   125  	Field     string
   126  	EventType model.EventType
   127  }