[CWS] add os/kernel data to events

docs/cloud-workload-security/backend_linux.md

@@ -94,6 +94,12 @@ CSM Threats event for Linux systems have the following JSON schema:
                 },
                 "origin": {
                     "type": "string"
+                },
+                "kernel_version": {
+                    "type": "string"
+                },
+                "distribution": {
+                    "type": "string"
                 }
             },
             "additionalProperties": false,
@@ -1941,6 +1947,12 @@ CSM Threats event for Linux systems have the following JSON schema:
         },
         "origin": {
             "type": "string"
+        },
+        "kernel_version": {
+            "type": "string"
+        },
+        "distribution": {
+            "type": "string"
         }
     },
     "additionalProperties": false,

docs/cloud-workload-security/backend_linux.schema.json

@@ -83,6 +83,12 @@
         },
         "origin": {
           "type": "string"
+        },
+        "kernel_version": {
+          "type": "string"
+        },
+        "distribution": {
+          "type": "string"
         }
       },
       "additionalProperties": false,

pkg/security/events/event.go

@@ -28,6 +28,8 @@ type AgentContext struct {
 	OS            string            `json:"os,omitempty"`
 	Arch          string            `json:"arch,omitempty"`
 	Origin        string            `json:"origin,omitempty"`
+	KernelVersion string            `json:"kernel_version,omitempty"`
+	Distribution  string            `json:"distribution,omitempty"`
 }
 
 // BackendEvent - Rule event wrapper used to send an event to the backend

pkg/security/module/server.go

@@ -128,6 +128,10 @@ type APIServer struct {
 	policiesStatus     []*api.PolicyStatus
 	msgSender          MsgSender
 
+	// os release data
+	kernelVersion string
+	distribution  string
+
 	stopChan chan struct{}
 	stopper  startstop.Stopper
 }
@@ -314,12 +318,14 @@ func (a *APIServer) SendEvent(rule *rules.Rule, event events.Event, extTagsCb fu
 	backendEvent := events.BackendEvent{
 		Title: rule.Def.Description,
 		AgentContext: events.AgentContext{
-			RuleID:      rule.Def.ID,
-			RuleVersion: rule.Def.Version,
-			Version:     version.AgentVersion,
-			OS:          runtime.GOOS,
-			Arch:        utils.RuntimeArch(),
-			Origin:      a.probe.Origin(),
+			RuleID:        rule.Def.ID,
+			RuleVersion:   rule.Def.Version,
+			Version:       version.AgentVersion,
+			OS:            runtime.GOOS,
+			Arch:          utils.RuntimeArch(),
+			Origin:        a.probe.Origin(),
+			KernelVersion: a.kernelVersion,
+			Distribution:  a.distribution,
 		},
 	}
 
@@ -576,6 +582,8 @@ func NewAPIServer(cfg *config.RuntimeSecurityConfig, probe *sprobe.Probe, msgSen
 		msgSender:     msgSender,
 	}
 
+	as.collectOSReleaseData()
+
 	if as.msgSender == nil {
 		if pkgconfigsetup.SystemProbe().GetBool("runtime_security_config.direct_send_from_system_probe") {
 			msgSender, err := NewDirectMsgSender(stopper)

pkg/security/module/server_linux.go

@@ -267,3 +267,15 @@ func (a *APIServer) RunSelfTest(_ context.Context, _ *api.RunSelfTestParams) (*a
 		Error: "",
 	}, nil
 }
+
+func (a *APIServer) collectOSReleaseData() {
+	p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+	if !ok {
+		return
+	}
+
+	kv := p.GetKernelVersion()
+
+	a.kernelVersion = kv.Code.String()
+	a.distribution = fmt.Sprintf("%s - %s", kv.OsRelease["ID"], kv.OsRelease["VERSION_ID"])
+}

pkg/security/module/server_windows.go

@@ -88,3 +88,5 @@ func (a *APIServer) RunSelfTest(_ context.Context, _ *api.RunSelfTestParams) (*a
 		Error: "",
 	}, nil
 }
+
+func (a *APIServer) collectOSReleaseData() {}

pkg/security/secl/schemas/agent_context.schema.json

@@ -27,6 +27,12 @@
         "origin": {
             "type": "string"
         },
+        "kernel_version": {
+            "type": "string"
+        },
+        "distribution": {
+            "type": "string"
+        },
         "rule_actions": {
             "type": "array",
             "items": {
@@ -50,4 +56,4 @@
         "arch",
         "origin"
     ]
-}
+}