[CWS] Introducing sysctl event

DataDog · Feb 26, 2025 · b03cf85 · b03cf85
1 parent 7c2c93d
commit b03cf85
Show file tree

Hide file tree

Showing 36 changed files with 1,309 additions and 126 deletions.
diff --git a/docs/cloud-workload-security/backend_linux.md b/docs/cloud-workload-security/backend_linux.md
@@ -1620,6 +1620,45 @@ CSM Threats event for Linux systems have the following JSON schema:
             ],
             "description": "SpliceEventSerializer serializes a splice event to JSON"
         },
+        "SysCtlEvent": {
+            "properties": {
+                "action": {
+                    "type": "string",
+                    "description": "action performed on the system control parameter"
+                },
+                "file_position": {
+                    "type": "integer",
+                    "description": "file_position is the position in the sysctl control parameter file at which the action occurred"
+                },
+                "name": {
+                    "type": "string",
+                    "description": "name is the name of the system control parameter"
+                },
+                "name_truncated": {
+                    "type": "boolean",
+                    "description": "name_truncated indicates if the name field is truncated"
+                },
+                "current_value": {
+                    "type": "string",
+                    "description": "current_value is the value of the system control parameter before the event"
+                },
+                "current_value_truncated": {
+                    "type": "boolean",
+                    "description": "current_value_truncated indicates if the current_value field is truncated"
+                },
+                "new_value": {
+                    "type": "string",
+                    "description": "new_value is the newly set value of the system control"
+                },
+                "new_value_truncated": {
+                    "type": "boolean",
+                    "description": "new_value_truncated indicates if the new_value field is truncated"
+                }
+            },
+            "additionalProperties": false,
+            "type": "object",
+            "description": "SysCtlEventSerializer defines a sysctl event serializer"
+        },
         "Syscall": {
             "properties": {
                 "name": {
@@ -1892,6 +1931,9 @@ CSM Threats event for Linux systems have the following JSON schema:
         },
         "network_flow_monitor": {
             "$ref": "#/$defs/NetworkFlowMonitor"
+        },
+        "sysctl": {
+            "$ref": "#/$defs/SysCtlEvent"
         }
     },
     "additionalProperties": false,
@@ -1937,6 +1979,7 @@ CSM Threats event for Linux systems have the following JSON schema:
 | `syscall` | $ref | Please see [SyscallContext](#syscallcontext) |
 | `packet` | $ref | Please see [RawPacket](#rawpacket) |
 | `network_flow_monitor` | $ref | Please see [NetworkFlowMonitor](#networkflowmonitor) |
+| `sysctl` | $ref | Please see [SysCtlEvent](#sysctlevent) |
 
 ## `AWSIMDSEvent`
 
@@ -4350,6 +4393,64 @@ CSM Threats event for Linux systems have the following JSON schema:
 | `pipe_exit_flag` | Exit flag of the fd_out pipe passed to the splice syscall |
 
 
+## `SysCtlEvent`
+
+
+{{< code-block lang="json" collapsible="true" >}}
+{
+    "properties": {
+        "action": {
+            "type": "string",
+            "description": "action performed on the system control parameter"
+        },
+        "file_position": {
+            "type": "integer",
+            "description": "file_position is the position in the sysctl control parameter file at which the action occurred"
+        },
+        "name": {
+            "type": "string",
+            "description": "name is the name of the system control parameter"
+        },
+        "name_truncated": {
+            "type": "boolean",
+            "description": "name_truncated indicates if the name field is truncated"
+        },
+        "current_value": {
+            "type": "string",
+            "description": "current_value is the value of the system control parameter before the event"
+        },
+        "current_value_truncated": {
+            "type": "boolean",
+            "description": "current_value_truncated indicates if the current_value field is truncated"
+        },
+        "new_value": {
+            "type": "string",
+            "description": "new_value is the newly set value of the system control"
+        },
+        "new_value_truncated": {
+            "type": "boolean",
+            "description": "new_value_truncated indicates if the new_value field is truncated"
+        }
+    },
+    "additionalProperties": false,
+    "type": "object",
+    "description": "SysCtlEventSerializer defines a sysctl event serializer"
+}
+
+{{< /code-block >}}
+
+| Field | Description |
+| ----- | ----------- |
+| `action` | action performed on the system control parameter |
+| `file_position` | file_position is the position in the sysctl control parameter file at which the action occurred |
+| `name` | name is the name of the system control parameter |
+| `name_truncated` | name_truncated indicates if the name field is truncated |
+| `current_value` | current_value is the value of the system control parameter before the event |
+| `current_value_truncated` | current_value_truncated indicates if the current_value field is truncated |
+| `new_value` | new_value is the newly set value of the system control |
+| `new_value_truncated` | new_value_truncated indicates if the new_value field is truncated |
+
+
 ## `Syscall`
 
 

diff --git a/docs/cloud-workload-security/backend_linux.schema.json b/docs/cloud-workload-security/backend_linux.schema.json
@@ -1609,6 +1609,45 @@
       ],
       "description": "SpliceEventSerializer serializes a splice event to JSON"
     },
+    "SysCtlEvent": {
+      "properties": {
+        "action": {
+          "type": "string",
+          "description": "action performed on the system control parameter"
+        },
+        "file_position": {
+          "type": "integer",
+          "description": "file_position is the position in the sysctl control parameter file at which the action occurred"
+        },
+        "name": {
+          "type": "string",
+          "description": "name is the name of the system control parameter"
+        },
+        "name_truncated": {
+          "type": "boolean",
+          "description": "name_truncated indicates if the name field is truncated"
+        },
+        "current_value": {
+          "type": "string",
+          "description": "current_value is the value of the system control parameter before the event"
+        },
+        "current_value_truncated": {
+          "type": "boolean",
+          "description": "current_value_truncated indicates if the current_value field is truncated"
+        },
+        "new_value": {
+          "type": "string",
+          "description": "new_value is the newly set value of the system control"
+        },
+        "new_value_truncated": {
+          "type": "boolean",
+          "description": "new_value_truncated indicates if the new_value field is truncated"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "description": "SysCtlEventSerializer defines a sysctl event serializer"
+    },
     "Syscall": {
       "properties": {
         "name": {
@@ -1881,6 +1920,9 @@
     },
     "network_flow_monitor": {
       "$ref": "#/$defs/NetworkFlowMonitor"
+    },
+    "sysctl": {
+      "$ref": "#/$defs/SysCtlEvent"
     }
   },
   "additionalProperties": false,

diff --git a/docs/cloud-workload-security/linux_expressions.md b/docs/cloud-workload-security/linux_expressions.md
@@ -60,6 +60,7 @@ Triggers are events that correspond to types of activity seen by the system. The
 | `setxattr` | File | Set exteneded attributes | 7.27 |
 | `signal` | Process | A signal was sent | 7.35 |
 | `splice` | File | A splice command was executed | 7.36 |
+| `sysctl` | Kernel | A sysctl parameter was read or modified | 7.65 |
 | `unlink` | File | A file was deleted | 7.27 |
 | `unload_module` | Kernel | A kernel module was deleted | 7.35 |
 | `utimes` | File | Change file access/modification times | 7.27 |
@@ -1742,6 +1743,21 @@ A splice command was executed
 | [`splice.pipe_exit_flag`](#splice-pipe_exit_flag-doc) | Exit flag of the "fd_out" pipe passed to the splice syscall |
 | [`splice.retval`](#common-syscallevent-retval-doc) | Return value of the syscall |
 
+### Event `sysctl`
+
+A sysctl parameter was read or modified
+
+| Property | Definition |
+| -------- | ------------- |
+| [`sysctl.action`](#sysctl-action-doc) | Action performed on the system control parameter |
+| [`sysctl.current_value`](#sysctl-current_value-doc) | Current value of the system control parameter |
+| [`sysctl.current_value_truncated`](#sysctl-current_value_truncated-doc) | Indicates that the current value field is truncated |
+| [`sysctl.file_position`](#sysctl-file_position-doc) | Position in the sysctl control parameter file at which the action occurred |
+| [`sysctl.name`](#sysctl-name-doc) | Name of the system control parameter |
+| [`sysctl.name_truncated`](#sysctl-name_truncated-doc) | Indicates that the name field is truncated |
+| [`sysctl.new_value`](#sysctl-new_value-doc) | In case of Write accesses, new value for the system control parameter |
+| [`sysctl.new_value_truncated`](#sysctl-new_value_truncated-doc) | Indicates that the new_value field is truncated |
+
 ### Event `unlink`
 
 A file was deleted
@@ -3405,6 +3421,65 @@ Constants: [Pipe buffer flags](#pipe-buffer-flags)
 
 
 
+### `sysctl.action` {#sysctl-action-doc}
+Type: int
+
+Definition: Action performed on the system control parameter
+
+
+Constants: [SysCtl Actions](#sysctl-actions)
+
+
+
+### `sysctl.current_value` {#sysctl-current_value-doc}
+Type: string
+
+Definition: Current value of the system control parameter
+
+
+
+### `sysctl.current_value_truncated` {#sysctl-current_value_truncated-doc}
+Type: bool
+
+Definition: Indicates that the current value field is truncated
+
+
+
+### `sysctl.file_position` {#sysctl-file_position-doc}
+Type: int
+
+Definition: Position in the sysctl control parameter file at which the action occurred
+
+
+
+### `sysctl.name` {#sysctl-name-doc}
+Type: string
+
+Definition: Name of the system control parameter
+
+
+
+### `sysctl.name_truncated` {#sysctl-name_truncated-doc}
+Type: bool
+
+Definition: Indicates that the name field is truncated
+
+
+
+### `sysctl.new_value` {#sysctl-new_value-doc}
+Type: string
+
+Definition: In case of Write accesses, new value for the system control parameter
+
+
+
+### `sysctl.new_value_truncated` {#sysctl-new_value_truncated-doc}
+Type: bool
+
+Definition: Indicates that the new_value field is truncated
+
+
+
 ### `unlink.flags` {#unlink-flags-doc}
 Type: int
 
@@ -4513,6 +4588,14 @@ Signal constants are the supported signals for the kill syscall.
 | `SIGPWR` | all |
 | `SIGSYS` | all |
 
+### `SysCtl Actions` {#sysctl-actions}
+SysCtl Actions are the supported actions for the sysctl event.
+
+| Name | Architectures |
+| ---- |---------------|
+| `READ` | all |
+| `WRITE` | all |
+
 ### `Unlink flags` {#unlink-flags}
 Unlink flags are the supported flags for the unlink syscall.