datadog-agent icon indicating copy to clipboard operation
datadog-agent copied to clipboard
verified publisher icon DataDog

TLS Classification

Open usamasaqib opened this issue 3 years ago • 0 comments

What does this PR do?

This PR adds a mechanism to tag TLS connections.

Motivation

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

  1. Start system-probe with the following configuration:
system_probe_config:
  log_level: debug
  enable_runtime_compiler: true
network_config:
  enabled: true
  enable_http_monitoring: true
  enable_https_monitoring: true
  1. Do the following requests: wget https://httpbin.org/anything/foo
  2. Verify you see the tag "tls.encrypted:true" in the tags list and his index in the connection:
sudo curl -s --unix-socket /opt/datadog-agent/run/sysprobe.sock http://unix/network_tracer/connections | tee cnx | jq 'conns[].tags , .tags'

(please note your unix-socket path may be different)

jq output should be

[]
[
  0
]
[]
...
[
  "tls.encrypted:true"
]

[ 0 ] is conns.Tags array index (0 pointing to .tags[0] = "tls.encrypted:true") The last json array contains all aggregated tags from all connections ["tls.encrypted:true"]

You can look at the full connections (pid, addresses, ports) via cat cnx | jq '[ .conns[] | select( .tags | length > 0 ) ]'

Packets inscpection can be disabled via

system_probe_config:

 disable_packets_inspection: true

or by setting environment variable export DD_DISABLE_PACKETS_INSPECTION=true

Reviewer's Checklist

  • [ ] If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • [ ] Use the major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be use during QA to make sure each team pay extra attention to the changed behavior. For any customer facing change use a releasenote.
  • [ ] A release note has been added or the changelog/no-changelog label has been applied.
  • [ ] Changed code has automated tests for its functionality.
  • [ ] Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • [ ] At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • [ ] If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • [ ] If applicable, the need-change/operator and need-change/helm labels have been applied.
  • [ ] If applicable, the k8s/<min-version> label, indicating the lowest Kubernetes version compatible with this feature.
  • [ ] If applicable, the config template has been updated.

usamasaqib avatar Jul 28 '22 15:07 usamasaqib