diff --git a/pkg/security/probe/discarders_windows.go b/pkg/security/probe/discarders_windows.go
index b62e53a61f5918..0bfe9eae23afb6 100644
--- a/pkg/security/probe/discarders_windows.go
+++ b/pkg/security/probe/discarders_windows.go
@@ -5,7 +5,10 @@
 
 package probe
 
-import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+import (
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+)
 
 func init() {
 	SupportedMultiDiscarder = []*rules.MultiDiscarder{
@@ -13,45 +16,45 @@ func init() {
 			Entries: []rules.MultiDiscarderEntry{
 				{
 					Field: "create.file.path",
-					EventType: "create",
+					EventType: model.CreateNewFileEventType,
 				},
 				{
 					Field: "rename.file.path",
-					EventType: "rename",
+					EventType: model.FileRenameEventType,
 				},
 				{
 					Field: "delete.file.path",
-					EventType: "delete",
+					EventType: model.DeleteFileEventType,
 				},
 				{
 					Field: "write.file.path",
-					EventType: "write",
+					EventType: model.WriteFileEventType,
 				},
 			},
 			FinalField: "create.file.path",
-			FinalEventType: "create",
+			FinalEventType: model.CreateNewFileEventType,
 		},
 		{
 			Entries: []rules.MultiDiscarderEntry{
 				{
 					Field: "create.file.name",
-					EventType: "create",
+					EventType: model.CreateNewFileEventType,
 				},
 				{
 					Field: "rename.file.name",
-					EventType: "rename",
+					EventType: model.FileRenameEventType,
 				},
 				{
 					Field: "delete.file.name",
-					EventType: "delete",
+					EventType: model.DeleteFileEventType,
 				},
 				{
 					Field: "write.file.name",
-					EventType: "write",
+					EventType: model.WriteFileEventType,
 				},
 			},
 			FinalField: "create.file.name",
-			FinalEventType: "create",
+			FinalEventType: model.CreateNewFileEventType,
 		},
 	}
 }
diff --git a/pkg/security/secl/rules/opts.go b/pkg/security/secl/rules/opts.go
index e5eca0513d2592..4b18328ccce1e4 100644
--- a/pkg/security/secl/rules/opts.go
+++ b/pkg/security/secl/rules/opts.go
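Review bot: Nothing in this file says that the four entries of each MultiDiscarder must track every Windows file event type a path or name rule can be written on, yet the EvaluateDiscarders loop in this same patch reports a discarder for the final event type as soon as every listed entry passes, so an event type missing from this list is simply never consulted and its rules are blind to the discarded value. I would put a comment above `SupportedMultiDiscarder = []*rules.MultiDiscarder{`: `// Every Windows file event type whose rules can match the discarded path or name must be listed here: a value is reported as a discarder for the final event type only once no rule on any listed type can match it.` Moving from bare strings to the `model.*EventType` constants is the right call, since a misspelled event-type string would previously have surfaced only as a missing rule bucket and been skipped silently. The opening line of init is in the previous hunk.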
@@ -108,11 +108,11 @@ func NewEvalOpts(eventTypeEnabled map[eval.EventType]bool) (*Opts, *eval.Opts) {
 type MultiDiscarder struct {
 	Entries []MultiDiscarderEntry
 	FinalField string
-	FinalEventType string
+	FinalEventType model.EventType
 }
 
 // MultiDiscarderEntry represents a multi discarder entry (a field, and associated event type)
 type MultiDiscarderEntry struct {
 	Field string
-	EventType string
+	EventType model.EventType
 }
diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go
index 274cf74ebc8b98..93b8b2ca449158 100644
--- a/pkg/security/secl/rules/ruleset.go
+++ b/pkg/security/secl/rules/ruleset.go
@@ -765,12 +765,12 @@ func (rs *RuleSet) EvaluateDiscarders(event eval.Event) {
 	for _, check := range mdiscsToCheck {
 		isMultiDiscarder := true
 		for _, entry := range check.mdisc.Entries {
-			bucket := rs.eventRuleBuckets[entry.EventType]
-			if bucket == nil {
+			bucket := rs.eventRuleBuckets[entry.EventType.String()]
+			if bucket == nil || len(bucket.rules) == 0 {
 				continue
 			}
 
-			dctx, err := buildDiscarderCtx(entry.Field, check.value)
+			dctx, err := buildDiscarderCtx(entry.EventType, entry.Field, check.value)
 			if err != nil {
 				rs.logger.Errorf("failed to build discarder context: %v", err)
 				isMultiDiscarder = false
@@ -784,7 +784,7 @@ func (rs *RuleSet) EvaluateDiscarders(event eval.Event) {
 		}
 
 		if isMultiDiscarder {
-			rs.NotifyDiscarderFound(event, check.mdisc.FinalField, check.mdisc.FinalEventType)
+			rs.NotifyDiscarderFound(event, check.mdisc.FinalField, check.mdisc.FinalEventType.String())
 		}
 	}
 }
@@ -808,8 +808,9 @@ type multiDiscarderCheck struct {
 	value string
 }
 
-func buildDiscarderCtx(field string, value interface{}) (*eval.Context, error) {
+func buildDiscarderCtx(eventType model.EventType, field string, value interface{}) (*eval.Context, error) {
 	ev := model.NewFakeEvent()
+	ev.BaseEvent.Type = uint32(eventType)
 	if err := ev.SetFieldValue(field, value); err != nil {
 		return nil, err
 	}
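Review bot: The `FinalEventType` and `EventType` fields change type here but still carry no comment on how the entries relate to the final field, and the MultiDiscarderEntry type comment only restates the field names. I would annotate the two changed lines: `FinalEventType model.EventType // event type the discarder is reported under once every entry has been checked` and `EventType model.EventType // event type whose rule bucket Field is evaluated against`. The doc comment for the MultiDiscarder type itself, if there is one, sits above line 108 and is outside the hunk.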
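Review bot: The widened guard `if bucket == nil || len(bucket.rules) == 0 { continue }` leaves `isMultiDiscarder` true for an event type that has no rules, which makes it the fail-open branch of this loop: the final event type gets a discarder without that entry ever being evaluated. That is sound only because a type with no loaded rules cannot match anything, and the reasoning deserves to be written next to the `continue`, since any later change to how `eventRuleBuckets` is keyed or populated would silently turn this skip into suppressed events rather than a visible error. I would add: `// no rule targets this event type, so no value can match it and the entry is trivially a discarder`. EvaluateDiscarders starts and ends outside the hunk.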
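Review bot: `ev.BaseEvent.Type = uint32(eventType)` is the behavioural change of the last hunk, but buildDiscarderCtx has no doc comment saying why the fake event now needs its type set before `SetFieldValue`; presumably the accessors or evaluators consulted during discarder evaluation dispatch on the event type, and a zero (unknown) type made them see the wrong kind of event, which I cannot confirm from the hunk alone. I would add above the signature: `// buildDiscarderCtx builds an eval context for a fake event of eventType with field set to value; the type is set first because the evaluators used for discarder checks appear to depend on it (verify against SetFieldValue).` The function body continues past the end of the hunk.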