feat: add kernel_rootkit field to finding's list of attributes

Google APIs · copybara-github · commit 6aff6786b511 · 2022-12-05T14:52:10.000-08:00
docs: miscellaneous style improvements

PiperOrigin-RevId: 493119809
diff --git a/google/cloud/securitycenter/v1/BUILD.bazel b/google/cloud/securitycenter/v1/BUILD.bazel
@@ -67,6 +67,7 @@ proto_library(
         "folder.proto",
         "iam_binding.proto",
         "indicator.proto",
+        "kernel_rootkit.proto",
         "kubernetes.proto",
         "label.proto",
         "mitre_attack.proto",
diff --git a/google/cloud/securitycenter/v1/external_system.proto b/google/cloud/securitycenter/v1/external_system.proto
@@ -36,11 +36,10 @@ message ExternalSystem {
     pattern: "projects/{project}/sources/{source}/findings/{finding}/externalSystems/{externalsystem}"
   };
 
-  // External System Name e.g. jira, demisto, etc.
-  //  e.g.:
-  //  `organizations/1234/sources/5678/findings/123456/externalSystems/jira`
-  // `folders/1234/sources/5678/findings/123456/externalSystems/jira`
-  // `projects/1234/sources/5678/findings/123456/externalSystems/jira`
+  // Full resource name of the external system, for example:
+  // "organizations/1234/sources/5678/findings/123456/externalSystems/jira",
+  // "folders/1234/sources/5678/findings/123456/externalSystems/jira",
+  // "projects/1234/sources/5678/findings/123456/externalSystems/jira"
   string name = 1;
 
   // References primary/secondary etc assignees in the external system.
diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto
@@ -29,6 +29,7 @@ import "google/cloud/securitycenter/v1/external_system.proto";
 import "google/cloud/securitycenter/v1/file.proto";
 import "google/cloud/securitycenter/v1/iam_binding.proto";
 import "google/cloud/securitycenter/v1/indicator.proto";
+import "google/cloud/securitycenter/v1/kernel_rootkit.proto";
 import "google/cloud/securitycenter/v1/kubernetes.proto";
 import "google/cloud/securitycenter/v1/mitre_attack.proto";
 import "google/cloud/securitycenter/v1/process.proto";
@@ -253,7 +254,7 @@ message Finding {
   // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
   Indicator indicator = 18;
 
-  // Represents vulnerability specific fields like cve, cvss scores etc.
+  // Represents vulnerability-specific fields like CVE and CVS scores.
   // CVE stands for Common Vulnerabilities and Exposures
   // (https://cve.mitre.org/about/)
   Vulnerability vulnerability = 20;
@@ -336,4 +337,7 @@ message Finding {
 
   // File associated with the finding.
   repeated File files = 46;
+
+  // Kernel Rootkit signature.
+  KernelRootkit kernel_rootkit = 50;
 }
diff --git a/google/cloud/securitycenter/v1/kernel_rootkit.proto b/google/cloud/securitycenter/v1/kernel_rootkit.proto
@@ -0,0 +1,62 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "KernelRootkitProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Kernel mode rootkit signatures.
+message KernelRootkit {
+  // Rootkit name when available.
+  string name = 1;
+
+  // True if unexpected modifications of kernel code memory are present.
+  bool unexpected_code_modification = 2;
+
+  // True if unexpected modifications of kernel read-only data memory are
+  // present.
+  bool unexpected_read_only_data_modification = 3;
+
+  // True if `ftrace` points are present with callbacks pointing to regions
+  // that are not in the expected kernel or module code range.
+  bool unexpected_ftrace_handler = 4;
+
+  // True if `kprobe` points are present with callbacks pointing to regions
+  // that are not in the expected kernel or module code range.
+  bool unexpected_kprobe_handler = 5;
+
+  // True if kernel code pages that are not in the expected kernel or module
+  // code regions are present.
+  bool unexpected_kernel_code_pages = 6;
+
+  // True if system call handlers that are are not in the expected kernel or
+  // module code regions are present.
+  bool unexpected_system_call_handler = 7;
+
+  // True if interrupt handlers that are are not in the expected kernel or
+  // module code regions are present.
+  bool unexpected_interrupt_handler = 8;
+
+  // True if unexpected processes in the scheduler run queue are present. Such
+  // processes are in the run queue, but not in the process task list.
+  bool unexpected_processes_in_runqueue = 9;
+}
diff --git a/google/cloud/securitycenter/v1/notification_config.proto b/google/cloud/securitycenter/v1/notification_config.proto
@@ -73,7 +73,9 @@ message NotificationConfig {
   // The relative resource name of this notification config. See:
   // https://cloud.google.com/apis/design/resource_names#relative_resource_name
   // Example:
-  // "organizations/{organization_id}/notificationConfigs/notify_public_bucket".
+  // "organizations/{organization_id}/notificationConfigs/notify_public_bucket",
+  // "folders/{folder_id}/notificationConfigs/notify_public_bucket",
+  // or "projects/{project_id}/notificationConfigs/notify_public_bucket".
   string name = 1;
 
   // The description of the notification config (max of 1024 characters).
diff --git a/google/cloud/securitycenter/v1/securitycenter_service.proto b/google/cloud/securitycenter/v1/securitycenter_service.proto
@@ -161,7 +161,7 @@ service SecurityCenter {
     option (google.api.method_signature) = "name";
   }
 
-  // Gets a big query export.
+  // Gets a BigQuery export.
   rpc GetBigQueryExport(GetBigQueryExportRequest) returns (BigQueryExport) {
     option (google.api.http) = {
       get: "/v1/{name=organizations/*/bigQueryExports/*}"
@@ -507,7 +507,7 @@ service SecurityCenter {
     option (google.api.method_signature) = "security_marks";
   }
 
-  // Creates a big query export.
+  // Creates a BigQuery export.
   rpc CreateBigQueryExport(CreateBigQueryExportRequest)
       returns (BigQueryExport) {
     option (google.api.http) = {
@@ -526,7 +526,7 @@ service SecurityCenter {
         "parent,big_query_export,big_query_export_id";
   }
 
-  // Deletes an existing big query export.
+  // Deletes an existing BigQuery export.
   rpc DeleteBigQueryExport(DeleteBigQueryExportRequest)
       returns (google.protobuf.Empty) {
     option (google.api.http) = {
@@ -673,8 +673,8 @@ message CreateNotificationConfigRequest {
 
   // Required.
   // Unique identifier provided by the client within the parent scope.
-  // It must be between 1 and 128 characters, and contains alphanumeric
-  // characters, underscores or hyphens only.
+  // It must be between 1 and 128 characters and contain alphanumeric
+  // characters, underscores, or hyphens only.
   string config_id = 2 [(google.api.field_behavior) = REQUIRED];
 
   // Required. The notification config being created. The name and the service
@@ -717,7 +717,9 @@ message DeleteMuteConfigRequest {
 // Request message for deleting a notification config.
 message DeleteNotificationConfigRequest {
   // Required. Name of the notification config to delete. Its format is
-  // "organizations/[organization_id]/notificationConfigs/[config_id]".
+  // "organizations/[organization_id]/notificationConfigs/[config_id]",
+  // "folders/[folder_id]/notificationConfigs/[config_id]",
+  // or "projects/[project_id]/notificationConfigs/[config_id]".
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -726,9 +728,9 @@ message DeleteNotificationConfigRequest {
   ];
 }
 
-// Request message for retrieving a big query export.
+// Request message for retrieving a BigQuery export.
 message GetBigQueryExportRequest {
-  // Required. Name of the big query export to retrieve. Its format is
+  // Required. Name of the BigQuery export to retrieve. Its format is
   // organizations/{organization}/bigQueryExports/{export_id},
   // folders/{folder}/bigQueryExports/{export_id}, or
   // projects/{project}/bigQueryExports/{export_id}
@@ -757,7 +759,9 @@ message GetMuteConfigRequest {
 // Request message for getting a notification config.
 message GetNotificationConfigRequest {
   // Required. Name of the notification config to get. Its format is
-  // "organizations/[organization_id]/notificationConfigs/[config_id]".
+  // "organizations/[organization_id]/notificationConfigs/[config_id]",
+  // "folders/[folder_id]/notificationConfigs/[config_id]",
+  // or "projects/[project_id]/notificationConfigs/[config_id]".
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -792,7 +796,7 @@ message GetSourceRequest {
 
 // Request message for grouping by assets.
 message GroupAssetsRequest {
-  // Required. Name of the organization to groupBy. Its format is
+  // Required. The name of the parent to group the assets by. Its format is
   // "organizations/[organization_id], folders/[folder_id], or
   // projects/[project_id]".
   string parent = 1 [
@@ -1159,9 +1163,9 @@ message ListMuteConfigsResponse {
 
 // Request message for listing notification configs.
 message ListNotificationConfigsRequest {
-  // Required. Name of the organization to list notification configs. Its format
-  // is "organizations/[organization_id]", "folders/[folder_id]", or
-  // "projects/[project_id]".
+  // Required. The name of the parent in which to list the notification
+  // configurations. Its format is "organizations/[organization_id]",
+  // "folders/[folder_id]", or "projects/[project_id]".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -1223,8 +1227,8 @@ message ListSourcesResponse {
 
 // Request message for listing assets.
 message ListAssetsRequest {
-  // Required. Name of the organization assets should belong to. Its format is
-  // "organizations/[organization_id], folders/[folder_id], or
+  // Required. The name of the parent that the listed assets belong to. Its
+  // format is "organizations/[organization_id], folders/[folder_id], or
   // projects/[project_id]".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
@@ -1652,10 +1656,12 @@ message ListFindingsResponse {
 
 // Request message for updating a finding's state.
 message SetFindingStateRequest {
-  // Required. The relative resource name of the finding. See:
-  // https://cloud.google.com/apis/design/resource_names#relative_resource_name
-  // Example:
-  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}".
+  // Required. The [relative resource
+  // name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
+  // of the finding. Example:
+  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
+  // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}",
+  // "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -1673,9 +1679,9 @@ message SetFindingStateRequest {
 
 // Request message for updating a finding's mute status.
 message SetMuteRequest {
-  // Required. The relative resource name of the finding. See:
-  // https://cloud.google.com/apis/design/resource_names#relative_resource_name
-  // Example:
+  // Required. The [relative resource
+  // name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
+  // of the finding. Example:
   // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
   // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}",
   // "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
@@ -1797,10 +1803,10 @@ message UpdateSecurityMarksRequest {
   google.protobuf.Timestamp start_time = 3;
 }
 
-// Request message for creating a big query export.
+// Request message for creating a BigQuery export.
 message CreateBigQueryExportRequest {
-  // Required. Resource name of the new big query export's parent. Its format is
-  // "organizations/[organization_id]", "folders/[folder_id]", or
+  // Required. The name of the parent resource of the new BigQuery export. Its
+  // format is "organizations/[organization_id]", "folders/[folder_id]", or
   // "projects/[project_id]".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
@@ -1809,7 +1815,7 @@ message CreateBigQueryExportRequest {
     }
   ];
 
-  // Required. The big query export being created.
+  // Required. The BigQuery export being created.
   BigQueryExport big_query_export = 2 [(google.api.field_behavior) = REQUIRED];
 
   // Required. Unique identifier provided by the client within the parent scope.
@@ -1865,9 +1871,9 @@ message ListBigQueryExportsResponse {
   string next_page_token = 2;
 }
 
-// Request message for deleting a big query export.
+// Request message for deleting a BigQuery export.
 message DeleteBigQueryExportRequest {
-  // Required. Name of the big query export to delete. Its format is
+  // Required. The name of the BigQuery export to delete. Its format is
   // organizations/{organization}/bigQueryExports/{export_id},
   // folders/{folder}/bigQueryExports/{export_id}, or
   // projects/{project}/bigQueryExports/{export_id}
