17 changes: 13 additions & 4 deletions sysdig/data_source_sysdig_secure_policy.go
Expand Up @@ -80,6 +80,11 @@ func createPolicyDataSourceSchema() map[string]*schema.Schema {
Optional: true,
Computed: true,
},
"kill_process": {
Type: schema.TypeString,
Optional: true,
Computed: true,
},
"capture": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -137,11 +142,9 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) {
_ = d.Set("runbook", policy.Runbook)

actions := []map[string]interface{}{{}}

for _, action := range policy.Actions {
if action.Type != "POLICY_ACTION_CAPTURE" {
action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
actions[0]["container"] = strings.ToLower(action)
} else {
if action.Type == "POLICY_ACTION_CAPTURE" {
actions[0]["capture"] = []map[string]interface{}{{
"seconds_after_event": action.AfterEventNs / 1000000000,
"seconds_before_event": action.BeforeEventNs / 1000000000,
Expand All @@ -150,6 +153,12 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) {
"bucket_name": action.BucketName,
"folder": action.Folder,
}}

} else if action.Type == "POLICY_ACTION_KILL_PROCESS" {
actions[0]["kill_process"] = "true"
} else {
action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
actions[0]["container"] = strings.ToLower(action)
}
}

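Review bot: The data-source schema declares `kill_process` as `schema.TypeString` and policyDataSourceToResourceData stores the literal string `"true"`, while the resource side of this same PR (commonPolicyToResourceData and ContainerKillProcessActionSchema) models the action as a bool, so a user who reads `actions.0.kill_process` from the data source and passes it into the resource hits a type mismatch. Suggest `Type: schema.TypeBool,` in the data-source schema and `actions[0]["kill_process"] = true` here so both sides agree, which also matches the "Whether to…" wording in the docs. Separately, the final `else` still maps every action type that is not capture or kill-process into `container` by stripping the prefix, so any other action the API echoes back (addActionsToPolicy in this PR sends `POLICY_ACTION_PREVENT_MALWARE`, for instance) would surface as a bogus container action and likely a perpetual diff; the same fall-through exists in commonPolicyToResourceData in resource_sysdig_secure_policy.go. Restricting that branch to the documented container actions, e.g. `} else if action.Type == "POLICY_ACTION_STOP" || action.Type == "POLICY_ACTION_PAUSE" || action.Type == "POLICY_ACTION_KILL" {`, keeps unexpected types out of state. Both hunks sit inside policyDataSourceToResourceData, whose start and end are outside the view.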
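--- a/sysdig/resource_sysdig_secure_custom_policy_test.go
+++ b/sysdig/resource_sysdig_secure_custom_policy_test.go
@@ -48,6 +48,9 @@ func TestAccCustomPolicy(t *testing.T) {
 {
 Config: customPoliciesWithDisabledRules(rText()),
 },
+{
+Config: customPoliciesWithKillProcessAction(rText()),
+},
 }
 
 if !buildinfo.OnpremSecure {
@@ -222,8 +225,8 @@ resource "sysdig_secure_custom_policy" "sample_%d" {
 
 func customPoliciesWithKillAction(name string) (res string) {
 return fmt.Sprintf(`
-resource "sysdig_secure_custom_policy" "sample" {
-name = "TERRAFORM TEST 1 %s"
+resource "sysdig_secure_custom_policy" "sample10" {
+name = "TERRAFORM TEST 10 %s"
 description = "TERRAFORM TEST %s"
 enabled = true
 severity = 4
@@ -241,6 +244,27 @@ resource "sysdig_secure_custom_policy" "sample" {
 `, name, name)
 }
 
+func customPoliciesWithKillProcessAction(name string) (res string) {
+return fmt.Sprintf(`
+resource "sysdig_secure_custom_policy" "sample10" {
+name = "TERRAFORM TEST 1 %s"
+description = "TERRAFORM TEST %s"
+enabled = true
+severity = 4
+scope = "container.id != \"\""
+
+rules {
+name = "Terminal shell in container"
+enabled = true
+}
+
+actions {
+kill_process = "true"
+}
+}
+`, name, name)
+}
+
 func customPoliciesForAWSCloudtrail(name string) string {
 return fmt.Sprintf(`
 resource "sysdig_secure_custom_policy" "sample4" {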
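Review bot: The new customPoliciesWithKillProcessAction step in TestAccCustomPolicy applies the config but carries no `Check`, so nothing verifies that `actions.0.kill_process` round-trips as true through create and read — precisely the path the resource and data-source changes touch. If the file already uses the SDK's helper/resource package, a check such as `Check: resource.TestCheckResourceAttr("sysdig_secure_custom_policy.sample10", "actions.0.kill_process", "true"),` on that step would catch a regression in commonPolicyToResourceData. Minor: the named result `(res string)` is never assigned or referenced in either helper, so a plain `string` return, as customPoliciesForAWSCloudtrail already uses, reads cleaner. Note also that this helper reuses the `sample10` address introduced by the rename of customPoliciesWithKillAction in the same PR; if both configs run as consecutive steps of one TestCase the second becomes an in-place update of the first rather than a fresh create, which may or may not be intended.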
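--- a/sysdig/resource_sysdig_secure_policy.go
+++ b/sysdig/resource_sysdig_secure_policy.go
@@ -121,11 +121,7 @@ func commonPolicyToResourceData(policy *v2.Policy, d *schema.ResourceData) {
 
 actions := []map[string]interface{}{{}}
 for _, action := range policy.Actions {
-if action.Type != "POLICY_ACTION_CAPTURE" {
-action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
-actions[0]["container"] = strings.ToLower(action)
-// d.Set("actions.0.container", strings.ToLower(action))
-} else {
+if action.Type == "POLICY_ACTION_CAPTURE" {
 actions[0]["capture"] = []map[string]interface{}{{
 "seconds_after_event": action.AfterEventNs / 1000000000,
 "seconds_before_event": action.BeforeEventNs / 1000000000,
@@ -134,6 +130,12 @@ func commonPolicyToResourceData(policy *v2.Policy, d *schema.ResourceData) {
 "bucket_name": action.BucketName,
 "folder": action.Folder,
 }}
+
+} else if action.Type == "POLICY_ACTION_KILL_PROCESS" {
+actions[0]["kill_process"] = true
+} else {
+action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
+actions[0]["container"] = strings.ToLower(action)
 }
 }
 
@@ -214,6 +216,11 @@ func addActionsToPolicy(d *schema.ResourceData, policy *v2.Policy) {
 policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_PREVENT_MALWARE"})
 }
 
+killProcessAction, ok := d.GetOk("actions.0.kill_process")
+if ok && killProcessAction.(bool) {
+policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_KILL_PROCESS"})
+}
+
 containerAction := d.Get("actions.0.container").(string)
 if containerAction != "" {
 containerAction = strings.ToUpper("POLICY_ACTION_" + containerAction)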
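Review bot: In addActionsToPolicy the new `killProcessAction, ok := d.GetOk(...)` followed by `ok && killProcessAction.(bool)` is redundant for a TypeBool with `Default: false`: GetOk is documented to report ok=false whenever the value is the zero value, so the `ok` guard can never change the outcome, and the mixed style differs from the `containerAction := d.Get("actions.0.container").(string)` line immediately below. `if d.Get("actions.0.kill_process").(bool) {` expresses the same condition in the file's existing idiom. In commonPolicyToResourceData, a policy without a kill-process action leaves the `kill_process` key absent from `actions[0]`, relying on `d.Set` to write the bool back as false; that is fine but deserves a one-line comment such as `// no kill-process action: d.Set writes the absent key back as false`. Both functions extend beyond the hunks shown.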
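--- a/sysdig/schema.go
+++ b/sysdig/schema.go
@@ -205,6 +205,14 @@ func ContainerActionSchema() *schema.Schema {
 }
 }
 
+func ContainerKillProcessActionSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeBool,
+Optional: true,
+Default: false,
+}
+}
+
 func ContainerActionComputedSchema() *schema.Schema {
 return &schema.Schema{
 Type: schema.TypeString,
@@ -448,8 +456,9 @@ func createPolicySchema(original map[string]*schema.Schema) map[string]*schema.S
 Optional: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
-"container": ContainerActionSchema(),
-"capture": CaptureActionSchema(),
+"container": ContainerActionSchema(),
+"kill_process": ContainerKillProcessActionSchema(),
+"capture": CaptureActionSchema(),
 },
 },
 },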
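Review bot: `ContainerKillProcessActionSchema` is exported but has no doc comment; suggest `// ContainerKillProcessActionSchema returns the schema for the optional kill_process action flag, a bool that defaults to false.` The `Container` prefix is also slightly misleading, since the PR's docs describe this as a process-level action distinct from the container-level stop/pause/kill, and `KillProcessActionSchema` would read better if the exported name is not yet relied on elsewhere. The data source in this PR hand-writes its own `kill_process` entry as TypeString instead of sharing a computed variant of this helper the way ContainerActionComputedSchema pairs with ContainerActionSchema; a `ContainerKillProcessActionComputedSchema` returning `Type: schema.TypeBool, Optional: true, Computed: true` would keep the resource and data-source schemas from drifting. `Default: false` is the zero value and could be dropped without changing behavior, though keeping it explicit is harmless.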
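--- a/website/docs/d/secure_custom_policy.md
+++ b/website/docs/d/secure_custom_policy.md
@@ -58,6 +58,10 @@ The actions block is optional and supports:
 triggered. Can be *stop*, *pause* or *kill*. If this is not specified,
 no action will be applied at the container level.
 
+* `kill_process` - (Optional) Whether to kill the process that triggered the rule.
+If this is not specified,
+no action will be applied at the process level.
+
 * `capture` - (Optional) Captures with Sysdig the stream of system calls:
 * `seconds_before_event` - (Required) Captures the system calls during the
 amount of seconds before the policy was triggered.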
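--- a/website/docs/r/secure_custom_policy.md
+++ b/website/docs/r/secure_custom_policy.md
@@ -81,6 +81,9 @@ The actions block is optional and supports:
 triggered. Can be *stop*, *pause* or *kill*. If this is not specified,
 no action will be applied at the container level.
 
+* `kill_process` - (Optional) Whether to kill the process that triggered the rule.
+If this is not specified,
+no action will be applied at the process level.
 * `capture` - (Optional) Captures with Sysdig the stream of system calls:
 * `seconds_before_event` - (Required) Captures the system calls during the
 amount of seconds before the policy was triggered.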