Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CWS] add security profile sliding window #20506

Merged
merged 15 commits into from
Mar 22, 2024
Merged

[CWS] add security profile sliding window #20506

merged 15 commits into from
Mar 22, 2024

Conversation

spikat
Copy link
Contributor

@spikat spikat commented Oct 30, 2023
edited
Loading

What does this PR do?

This PR adds a life-cycle for security profiles. The selector is no longer focused on image_name + image_tag: now the selector is only image_name and each profiles could now contains several image_tag versions.

The maximum number of versions for a profile can be configured via runtime_security_config.security_profile.max_image_tags (10 by default).
Once the limit is reached, the last seen version is evicted.

The first version would come from a security dump, then further versions will be directly added by the profile manager.

New set of tests has been added to validate the changes:

TestSecurityProfileLifeCycleExecs/life-cycle-v1-learning-new-process
TestSecurityProfileLifeCycleExecs/life-cycle-v1-stable-process-anomaly
TestSecurityProfileLifeCycleExecs/life-cycle-v2-learning-new-process-anomaly
TestSecurityProfileLifeCycleExecs/life-cycle-v2-learning-v1-process
TestSecurityProfileLifeCycleExecs/life-cycle-v1-unstable-new-process
TestSecurityProfileLifeCycleDNS/life-cycle-v1-learning-new-dns
TestSecurityProfileLifeCycleDNS/life-cycle-v1-stable-dns-anomaly
TestSecurityProfileLifeCycleDNS/life-cycle-v2-learning-new-dns-anomaly
TestSecurityProfileLifeCycleDNS/life-cycle-v2-learning-v1-dns
TestSecurityProfileLifeCycleDNS/life-cycle-v1-unstable-new-dns
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v1-learning-new-process
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v1-stable-process-anomaly
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v2-learning-new-process-anomaly
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-check-v1-evicted
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v1-process-anomaly
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v1-learning-new-process
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v1-stable-process-anomaly
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v2-learning-new-process-anomaly
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-check-v1-evicted
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v1-process-anomaly
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v1-learning-new-process
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v1-unstable
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v2-learning
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v3-learning
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v3-process-anomaly

There is also new metrics to follow the new sec profile behaviors:
.security_profile.evicted_versions will be send each time a profile version has been evicted (when reaching the max number of concurrent versions).
.security_profile.versions will reflect the number of version for each profile

Motivation

This will allow to raise coverage on short lived containers, allowing to learn from a previous version instead of starting from blank each time.

Additional Notes

We'll have to pay attention on how it behaves on some workloads where the image_tag is not used to version the image (we know that some uses the same image with multiple purposes, specifying it through image_tag).

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

Run the tests is a first way. Play with images and change image tag each time, have a look on profile states, try to generate anomalies.

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • Use the major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be use during QA to make sure each team pay extra attention to the changed behavior. For any customer facing change use a releasenote.
  • A release note has been added or the changelog/no-changelog label has been applied.
  • Changed code has automated tests for its functionality.
  • Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • If applicable, the need-change/operator and need-change/helm labels have been applied.
  • If applicable, the k8s/<min-version> label, indicating the lowest Kubernetes version compatible with this feature.
  • If applicable, the config template has been updated.

@spikat spikat added this to the Triage milestone Oct 30, 2023
@cit-pr-commenter cit-pr-commenter
Copy link

cit-pr-commenter bot commented Nov 8, 2023
edited
Loading

Go Package Import Differences

Baseline: 8ac53d3
Comparison: 0b09e90

binaryosarchchange
cluster-agentlinuxamd64
+0, -1 
-github.com/DataDog/datadog-agent/pkg/security/security_profile
cluster-agentlinuxarm64
+0, -1 
-github.com/DataDog/datadog-agent/pkg/security/security_profile
security-agentlinuxamd64
+0, -1 
-github.com/DataDog/datadog-agent/pkg/security/security_profile
security-agentlinuxarm64
+0, -1 
-github.com/DataDog/datadog-agent/pkg/security/security_profile
system-probelinuxamd64
+0, -1 
-github.com/DataDog/datadog-agent/pkg/security/security_profile
system-probelinuxarm64
+0, -1 
-github.com/DataDog/datadog-agent/pkg/security/security_profile

@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from b1d3006 to bdfe288 Compare November 10, 2023 16:09
@pr-commenter
Copy link

pr-commenter bot commented Nov 13, 2023
edited
Loading

Bloop Bleep... Dogbot Here

Regression Detector Results

Run ID: 64464f39-e758-4179-8758-c68149388ade
Baseline: e8334ca
Comparison: b4e75e7
Total CPUs: 7

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

Experiments with missing or malformed data

  • basic_py_check

Usually, this warning means that there is no usable optimization goal data for that experiment, which could be a result of misconfiguration.

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI
file_to_blackhole % cpu utilization -0.71 [-7.25, +5.83]

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI
process_agent_standard_check_with_stats memory utilization +0.13 [+0.10, +0.17]
trace_agent_msgpack ingress throughput +0.00 [-0.01, +0.01]
uds_dogstatsd_to_api ingress throughput +0.00 [-0.00, +0.00]
tcp_dd_logs_filter_exclude ingress throughput +0.00 [-0.00, +0.00]
trace_agent_json ingress throughput -0.03 [-0.06, +0.00]
process_agent_standard_check memory utilization -0.03 [-0.08, +0.01]
process_agent_real_time_mode memory utilization -0.21 [-0.24, -0.18]
tcp_syslog_to_blackhole ingress throughput -0.49 [-0.55, -0.43]
otel_to_otel_logs ingress throughput -0.49 [-1.08, +0.09]
idle memory utilization -0.61 [-0.64, -0.57]
file_tree memory utilization -0.64 [-0.72, -0.55]
file_to_blackhole % cpu utilization -0.71 [-7.25, +5.83]
uds_dogstatsd_to_api_cpu % cpu utilization -1.36 [-2.76, +0.05]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

@spikat spikat closed this Nov 14, 2023
@spikat spikat reopened this Feb 14, 2024
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch 5 times, most recently from 47376b8 to b4e75e7 Compare February 21, 2024 15:45
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch 3 times, most recently from 3f62ad0 to 149792b Compare March 12, 2024 15:59
YoannGh
YoannGh reviewed Mar 12, 2024
View reviewed changes
Copy link
Contributor

@YoannGh YoannGh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the manager.OnCGroupDeletedEvent function should use the profile selector ("*") instead of the one from the cgroup model parameter. Otherwise the manager fails to lookup the corresponding profile.

@spikat
Copy link
Contributor Author

spikat commented Mar 13, 2024

I think the manager.OnCGroupDeletedEvent function should use the profile selector ("*") instead of the one from the cgroup model parameter. Otherwise the manager fails to lookup the corresponding profile.

Thanks, good catch! Fixed in the last commit :)

@spikat spikat mentioned this pull request Mar 13, 2024
Merged
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from 34345c7 to 8e628c6 Compare March 14, 2024 16:08
@spikat spikat marked this pull request as ready for review March 19, 2024 09:09
@spikat spikat requested a review from a team as a code owner March 19, 2024 09:09
@spikat spikat modified the milestones: Triage, 7.53.0 Mar 19, 2024
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from 0ba3ec4 to 00d5ff9 Compare March 19, 2024 09:55
@pr-commenter
Copy link

pr-commenter bot commented Mar 19, 2024
edited
Loading

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv create-vm --pipeline-id=30615551 --os-family=ubuntu

@pr-commenter
Copy link

pr-commenter bot commented Mar 19, 2024
edited
Loading

Regression Detector

Regression Detector Results

Run ID: 0976b26-6bbd-4e0b-bb34-8a8b9b6f15d1
Baseline: 8ac53d3
Comparison: 0b09e90

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI
file_to_blackhole % cpu utilization +0.58 [-5.76, +6.93]

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI
pycheck_1000_100byte_tags % cpu utilization +1.24 [-3.68, +6.15]
file_to_blackhole % cpu utilization +0.58 [-5.76, +6.93]
uds_dogstatsd_to_api_cpu % cpu utilization +0.44 [-2.27, +3.15]
process_agent_standard_check_with_stats memory utilization +0.19 [+0.15, +0.22]
tcp_dd_logs_filter_exclude ingress throughput +0.05 [+0.02, +0.08]
trace_agent_json ingress throughput +0.00 [-0.04, +0.04]
uds_dogstatsd_to_api ingress throughput +0.00 [-0.20, +0.20]
process_agent_standard_check memory utilization -0.03 [-0.06, +0.00]
trace_agent_msgpack ingress throughput -0.03 [-0.05, -0.02]
idle memory utilization -0.22 [-0.25, -0.18]
basic_py_check % cpu utilization -0.26 [-2.78, +2.26]
otel_to_otel_logs ingress throughput -0.26 [-0.69, +0.16]
tcp_syslog_to_blackhole ingress throughput -0.41 [-0.50, -0.33]
process_agent_real_time_mode memory utilization -0.45 [-0.48, -0.41]
file_tree memory utilization -1.03 [-1.11, -0.94]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

@YoannGh YoannGh mentioned this pull request Mar 20, 2024
Merged
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from 77aac6e to ca413c2 Compare March 20, 2024 10:12
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from f0faff6 to 6273b21 Compare March 21, 2024 08:41
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from c73100c to d222567 Compare March 21, 2024 16:23
@spikat
First iteration of sliding window with functional tests and new metrics
1aaac62
@spikat
fix OnCGroupDeletedEvent selector
e4b2910
@spikat
switch metric from cout to gauge and fix first lastano timestamp
3bcb5ee
@spikat
Manage errors coming from profile encoding func
b5dcf6b
@spikat
remove status from proto
2b39f80
@spikat
Add secagent cmd to dump secprofile details
d957cb9
@spikat
Add a fast exit when lookup unloaded profile
20b664d
@spikat
Apply review suggestions
d032110
@spikat
Apply another review suggestion
34c675e
@spikat
apply review suggestion by simplifying a slice contains/append pattern
517b92c
@spikat
avoid logging error when dump have unresolved tags (could be for paus…
3523f5a 
…ed or excluded workloads)
@spikat
simplify AppendIfNotPresent to a single func
95649ff
@spikat
add two new tests to validate a corner case
2865991
@spikat
update go.mod to target new agent payload release
c560a92
@spikat spikat force-pushed the jrs/add-profile-sliding-window branch from 6e1c4f2 to c560a92 Compare March 22, 2024 09:09
@spikat
Copy link
Contributor Author

spikat commented Mar 22, 2024

/merge

@dd-devflow
Copy link

dd-devflow bot commented Mar 22, 2024

🚂 MergeQueue

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

Use /merge -c to cancel this operation!

@dd-devflow
Copy link

dd-devflow bot commented Mar 22, 2024

🚂 MergeQueue

Added to the queue.

This build is next! (estimated merge in less than 28m)

Use /merge -c to cancel this operation!

@dd-mergequeue dd-mergequeue bot merged commit dfad48e into main Mar 22, 2024
197 checks passed
@dd-mergequeue dd-mergequeue bot deleted the jrs/add-profile-sliding-window branch March 22, 2024 11:12
alexgallotta pushed a commit that referenced this pull request May 9, 2024
@spikat @alexgallotta
[CWS] add security profile sliding window (#20506)
fe48f21 
* First iteration of sliding window with functional tests and new metrics

* fix OnCGroupDeletedEvent selector

* switch metric from cout to gauge and fix first lastano timestamp

* Manage errors coming from profile encoding func

* remove status from proto

* Add secagent cmd to dump secprofile details

* Add a fast exit when lookup unloaded profile

* Apply review suggestions

* Apply another review suggestion

* apply review suggestion by simplifying a slice contains/append pattern

* avoid logging error when dump have unresolved tags (could be for paused or excluded workloads)

* simplify AppendIfNotPresent to a single func

* add two new tests to validate a corner case

* update go.mod to target new agent payload release

* Add the missing encoding/decoding of activity-tree node image tags
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YoannGh YoannGh YoannGh approved these changes

@safchain safchain safchain approved these changes

Assignees
No one assigned
Labels
changelog/no-changelog component/system-probe team/agent-security
Projects
None yet
Milestone
7.53.0
Development

Successfully merging this pull request may close these issues.
3 participants
@spikat @safchain @YoannGh