adding tarian-detection event to dgraph store

kube-tarian · Mar 18, 2024 · b60acd4 · b60acd4
1 parent 304d1f8
commit b60acd4
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 14 deletions.
diff --git a/.gitmodules b/.gitmodules
diff --git a/cmd/tarianctl/cmd/get/events.go b/cmd/tarianctl/cmd/get/events.go
@@ -161,6 +161,12 @@ func eventsTableOutput(events []*tarianpb.Event, logger *logrus.Logger) {
 				evt.WriteString("pod deleted")
 			}
 
+			if e.GetType() == tarianpb.EventTypeDetection {
+				detectionEventStr := fmt.Sprintf("detection: %s: %s", t.DetectionDataType, t.DetectionData)
+				evt.WriteString("tarian detection event\n")
+				evt.WriteString(detectionEventStr)
+			}
+
 			evt.WriteString("\n")
 
 			table.Append(

diff --git a/pkg/nodeagent/nodeagent.go b/pkg/nodeagent/nodeagent.go
@@ -466,7 +466,7 @@ func (n *NodeAgent) loopTarianDetectorReadEvents(ctx context.Context) error {
 			}
 
 			n.SendDetectionEventToClusterAgent(detectionDataType, string(byteData))
-			n.logger.Info("tarian-detector: ", detectionDataType, "binary_file_path", event["directory"], "hostProcessId", event["hostProcessId"],
+			n.logger.Info("tarian-detector: ", detectionDataType, "binary_file_path", event["directory"].(string)+"/"+event["processName"].(string), "hostProcessId", event["hostProcessId"],
 				"processId", event["processId"], "comm", event["processName"])
 		}
 	}()

diff --git a/pkg/server/dgraphstore/dgraph_event_store.go b/pkg/server/dgraphstore/dgraph_event_store.go
@@ -24,7 +24,8 @@ func newDgraphEventStore(dgraphClient *dgo.Dgraph) store.EventStore {
 	return &dgraphEventStore{dgraphClient: dgraphClient}
 }
 
-// GetAll retrieves all events from the Dgraph store.
+// GetAll retrieves all events from the Dgraph store, ignoring events
+// with target_detection_data_type and target_detection_data.
 //
 // Parameters:
 // - limit: The maximum number of events to retrieve.
@@ -33,12 +34,13 @@ func newDgraphEventStore(dgraphClient *dgo.Dgraph) store.EventStore {
 // - An array of protobuf Event messages representing the retrieved events.
 // - An error if there was an issue with the database query.
 func (d *dgraphEventStore) GetAll(limit uint) ([]*tarianpb.Event, error) {
-	// Dgraph query to retrieve all events.
+	// Dgraph query to retrieve all events, ignoring events with
+	// target_detection_data_type and target_detection_data.
 	q := fmt.Sprintf(`
 		{
-			events(func: type(Event)) {
+			 events(func: type(Event)) @filter(not has(target_detection_data_type) and not has(target_detection_data)) {
 				%s
-			}
+			 } 
 		}
 	`, eventFields)
 
@@ -127,6 +129,9 @@ func (d *dgraphEventList) toPbEvents() []*tarianpb.Event {
 				}
 			}
 
+			t.DetectionDataType = evtTarget.DetectionDataType
+			t.DetectionData = evtTarget.DetectionData
+
 			event.Targets = append(event.Targets, t)
 		}
 
@@ -159,6 +164,8 @@ const eventFields = `
 			pod_name
 			pod_labels
 		}
+		target_detection_data_type
+		target_detection_data
 	}
 `
 
@@ -290,6 +297,9 @@ func dgraphEventFromPb(pbEvent *tarianpb.Event) (*Event, error) {
 			}
 		}
 
+		t.DetectionDataType = pbTarget.GetDetectionDataType()
+		t.DetectionData = pbTarget.GetDetectionData()
+
 		dgraphEvent.Targets = append(dgraphEvent.Targets, t)
 	}
 

diff --git a/pkg/server/dgraphstore/schema.go b/pkg/server/dgraphstore/schema.go
@@ -80,13 +80,17 @@ var schema = `
 	target_violated_processes: string . # JSON
 	target_violated_files: string . # JSON
 	target_falco_alert: string .
+	target_detection_data_type: string .
+	target_detection_data: string .
 
 	type Target {
 		pod: Pod
 
 		target_violated_processes
 		target_violated_files
 		target_falco_alert
+		tarian_detection_data_type
+		tarian_detection_data
 	}
 `
 

diff --git a/pkg/server/dgraphstore/types.go b/pkg/server/dgraphstore/types.go
@@ -56,12 +56,14 @@ type Event struct {
 
 // Target represents a target in the Dgraph database.
 type Target struct {
-	UID               string   `json:"uid,omitempty"`                       // Unique identifier of the target.
-	DType             []string `json:"dgraph.type,omitempty"`               // Type information for Dgraph.
-	ViolatedProcesses string   `json:"target_violated_processes,omitempty"` // Violated processes associated with the target (in JSON format).
-	ViolatedFiles     string   `json:"target_violated_files,omitempty"`     // Violated files associated with the target (in JSON format).
-	FalcoAlert        string   `json:"target_falco_alert,omitempty"`        // Falco alert associated with the target (in JSON format).
-	Pod               *Pod     `json:"pod,omitempty"`                       // Pod associated with the target.
+	UID               string   `json:"uid,omitempty"`                        // Unique identifier of the target.
+	DType             []string `json:"dgraph.type,omitempty"`                // Type information for Dgraph.
+	ViolatedProcesses string   `json:"target_violated_processes,omitempty"`  // Violated processes associated with the target (in JSON format).
+	ViolatedFiles     string   `json:"target_violated_files,omitempty"`      // Violated files associated with the target (in JSON format).
+	FalcoAlert        string   `json:"target_falco_alert,omitempty"`         // Falco alert associated with the target (in JSON format).
+	Pod               *Pod     `json:"pod,omitempty"`                        // Pod associated with the target.
+	DetectionDataType string   `json:"tarian_detection_data_type,omitempty"` // Type of the tarian detection data.
+	DetectionData     string   `json:"tarian_detection_data,omitempty"`      // The tarian detection data in JSON format.
 }
 
 // Client is an interface for creating Dgraph clients.