Add envp to access from SECL to key value of envs (#10700)

DataDog · Feb 18, 2022 · 682d2e9 · 682d2e9
1 parent 6a9ba1f
commit 682d2e9
Show file tree

Hide file tree

Showing 11 changed files with 635 additions and 47 deletions.
diff --git a/docs/cloud-workload-security/agent_expressions.md b/docs/cloud-workload-security/agent_expressions.md
@@ -159,7 +159,8 @@ The *file.rights* attribute can now be used in addition to *file.mode*. *file.mo
 | `process.ancestors.created_at` | int | Timestamp of the creation of the process |
 | `process.ancestors.egid` | int | Effective GID of the process |
 | `process.ancestors.egroup` | string | Effective group of the process |
-| `process.ancestors.envs` | string | Environment variables of the process |
+| `process.ancestors.envp` | string | Environment variables of the process |
+| `process.ancestors.envs` | string | Environment variable names of the process |
 | `process.ancestors.envs_truncated` | bool | Indicator of environment variables truncation |
 | `process.ancestors.euid` | int | Effective UID of the process |
 | `process.ancestors.euser` | string | Effective user of the process |
@@ -203,7 +204,8 @@ The *file.rights* attribute can now be used in addition to *file.mode*. *file.mo
 | `process.created_at` | int | Timestamp of the creation of the process |
 | `process.egid` | int | Effective GID of the process |
 | `process.egroup` | string | Effective group of the process |
-| `process.envs` | string | Environment variables of the process |
+| `process.envp` | string | Environment variables of the process |
+| `process.envs` | string | Environment variable names of the process |
 | `process.envs_truncated` | bool | Indicator of environment variables truncation |
 | `process.euid` | int | Effective UID of the process |
 | `process.euser` | string | Effective user of the process |
@@ -329,7 +331,8 @@ A process was executed or forked
 | `exec.created_at` | int | Timestamp of the creation of the process |
 | `exec.egid` | int | Effective GID of the process |
 | `exec.egroup` | string | Effective group of the process |
-| `exec.envs` | string | Environment variables of the process |
+| `exec.envp` | string | Environment variables of the process |
+| `exec.envs` | string | Environment variable names of the process |
 | `exec.envs_truncated` | bool | Indicator of environment variables truncation |
 | `exec.euid` | int | Effective UID of the process |
 | `exec.euser` | string | Effective user of the process |
@@ -500,7 +503,8 @@ A ptrace command was executed
 | `ptrace.tracee.ancestors.created_at` | int | Timestamp of the creation of the process |
 | `ptrace.tracee.ancestors.egid` | int | Effective GID of the process |
 | `ptrace.tracee.ancestors.egroup` | string | Effective group of the process |
-| `ptrace.tracee.ancestors.envs` | string | Environment variables of the process |
+| `ptrace.tracee.ancestors.envp` | string | Environment variables of the process |
+| `ptrace.tracee.ancestors.envs` | string | Environment variable names of the process |
 | `ptrace.tracee.ancestors.envs_truncated` | bool | Indicator of environment variables truncation |
 | `ptrace.tracee.ancestors.euid` | int | Effective UID of the process |
 | `ptrace.tracee.ancestors.euser` | string | Effective user of the process |
@@ -544,7 +548,8 @@ A ptrace command was executed
 | `ptrace.tracee.created_at` | int | Timestamp of the creation of the process |
 | `ptrace.tracee.egid` | int | Effective GID of the process |
 | `ptrace.tracee.egroup` | string | Effective group of the process |
-| `ptrace.tracee.envs` | string | Environment variables of the process |
+| `ptrace.tracee.envp` | string | Environment variables of the process |
+| `ptrace.tracee.envs` | string | Environment variable names of the process |
 | `ptrace.tracee.envs_truncated` | bool | Indicator of environment variables truncation |
 | `ptrace.tracee.euid` | int | Effective UID of the process |
 | `ptrace.tracee.euser` | string | Effective user of the process |

diff --git a/docs/cloud-workload-security/secl.json b/docs/cloud-workload-security/secl.json
@@ -88,10 +88,15 @@
           "definition": "Effective group of the process"
         },
         {
-          "name": "process.ancestors.envs",
+          "name": "process.ancestors.envp",
           "type": "string",
           "definition": "Environment variables of the process"
         },
+        {
+          "name": "process.ancestors.envs",
+          "type": "string",
+          "definition": "Environment variable names of the process"
+        },
         {
           "name": "process.ancestors.envs_truncated",
           "type": "bool",
@@ -308,10 +313,15 @@
           "definition": "Effective group of the process"
         },
         {
-          "name": "process.envs",
+          "name": "process.envp",
           "type": "string",
           "definition": "Environment variables of the process"
         },
+        {
+          "name": "process.envs",
+          "type": "string",
+          "definition": "Environment variable names of the process"
+        },
         {
           "name": "process.envs_truncated",
           "type": "bool",
@@ -808,10 +818,15 @@
           "definition": "Effective group of the process"
         },
         {
-          "name": "exec.envs",
+          "name": "exec.envp",
           "type": "string",
           "definition": "Environment variables of the process"
         },
+        {
+          "name": "exec.envs",
+          "type": "string",
+          "definition": "Environment variable names of the process"
+        },
         {
           "name": "exec.envs_truncated",
           "type": "bool",
@@ -1507,10 +1522,15 @@
           "definition": "Effective group of the process"
         },
         {
-          "name": "ptrace.tracee.ancestors.envs",
+          "name": "ptrace.tracee.ancestors.envp",
           "type": "string",
           "definition": "Environment variables of the process"
         },
+        {
+          "name": "ptrace.tracee.ancestors.envs",
+          "type": "string",
+          "definition": "Environment variable names of the process"
+        },
         {
           "name": "ptrace.tracee.ancestors.envs_truncated",
           "type": "bool",
@@ -1727,10 +1747,15 @@
           "definition": "Effective group of the process"
         },
         {
-          "name": "ptrace.tracee.envs",
+          "name": "ptrace.tracee.envp",
           "type": "string",
           "definition": "Environment variables of the process"
         },
+        {
+          "name": "ptrace.tracee.envs",
+          "type": "string",
+          "definition": "Environment variable names of the process"
+        },
         {
           "name": "ptrace.tracee.envs_truncated",
           "type": "bool",