
Process' environment variables array can be simplified #1272

Open
antchan2 opened this issue Dec 6, 2024 · 5 comments · May be fixed by antchan2/ocsf-schema#9
Labels
enhancement New feature or request system_activity Issues related to System Activity Category v1.4.0 or later Changes marked for versions beyond v1.3.0 of OCSF

Comments

@antchan2
Copy link
Contributor

antchan2 commented Dec 6, 2024

The 1.4.0-dev draft added the ability to store a Process' environment variables as an array. To accommodate situations where the variable's name and/or value are very long and must be truncated, the long_string object was used as it provides built-in truncation indicators. However, when long_string is used in an array, as it is appropriate for storing multiple environment variables, the output data can be overly complex. @zschmerber shared in the system-activity Slack channel the following example:

"environment_variables": [{
    "variable_name": {
        "value": "UPDATE_IS_MACHINE"
    },
    "variable_value": {
        "value": "0"
    }
}, {
    "variable_name": {
        "value": "PATH"
    },
    "variable_value": {
        "value": "/usr/bin:/bin:/usr/sbin:/sbin"
    }
}],

We should revisit the environment_variable object definition and seek ways to simplify the data representation.

@antchan2
Copy link
Contributor Author

antchan2 commented Dec 6, 2024

During the course of the conversation I proposed considering labels, an array of strings already defined in the dictionary, to optionally indicate truncation. That simplifies the output for the more common non-truncation case. I recall this general approach was also discussed when environment_variables was first added. This is an example output:

"environment_variables": [{
    "name": "NAME",
    "value": "VALUE"
}, {
    "name": "VERY_LONG_NAM",
    "value": "VALUE",
    "labels": ["name_truncated"]
}, {
    "name": "NAME3",
    "value": "VERY_LONG_VALU",
    "labels": ["value_truncated"]
}, {
    "name": "VERY_LONG_NAM4",
    "value": "VERY_LONG_VALU",
    "labels": ["name_truncated", "value_truncated"]
}],
...
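As an added illustration of the labels-based proposal above (example code written for this page, not code from the OCSF project or from the issue author), the following serializer takes a process environment, cuts any name or value that exceeds a length limit, and attaches the "name_truncated" / "value_truncated" label strings used in the comment. The length limit, the helper names and the sample environment are constructed for the example; the label strings are the ones proposed in the comment. The is_exact helper shows why a consumer should care: a detection rule that exact-matches a variable value must first check that the value was not truncated.

```python
# Added example, not OCSF project code. Builds the simplified
# environment_variables representation proposed in the comment above:
# plain name/value pairs, with a "labels" array only when truncation occurred.
from typing import Dict, List, Tuple

# Label strings proposed in the comment above.
NAME_TRUNCATED = "name_truncated"
VALUE_TRUNCATED = "value_truncated"


def _truncate(text: str, max_len: int) -> Tuple[str, bool]:
    """Return text cut to max_len characters and whether it was cut."""
    if len(text) <= max_len:
        return text, False
    return text[:max_len], True


def serialize_environment(env: Dict[str, str], max_len: int = 32) -> List[dict]:
    """Produce one entry per variable; add "labels" only for the truncated case.

    max_len is a constructed limit for this example; a real producer would
    pick it from its own storage or transport constraints.
    """
    entries = []
    for name, value in env.items():
        short_name, name_cut = _truncate(name, max_len)
        short_value, value_cut = _truncate(value, max_len)
        entry = {"name": short_name, "value": short_value}
        labels = []
        if name_cut:
            labels.append(NAME_TRUNCATED)
        if value_cut:
            labels.append(VALUE_TRUNCATED)
        if labels:  # the common, untruncated case carries no extra field
            entry["labels"] = labels
        entries.append(entry)
    return entries


def is_exact(entry: dict) -> bool:
    """True when neither field was truncated.

    Only such entries are safe for exact-match detection logic; a truncated
    value can at best be prefix-matched.
    """
    return not entry.get("labels")


# Constructed sample environment (not captured from a real host).
SAMPLE_ENV = {
    "UPDATE_IS_MACHINE": "0",
    "PATH": "/usr/bin:/bin:/usr/sbin:/sbin:/opt/very/long/path/segment",
    "A_VERY_LONG_VARIABLE_NAME_THAT_EXCEEDS_THE_LIMIT": "x",
}

if __name__ == "__main__":
    import json
    print(json.dumps(serialize_environment(SAMPLE_ENV, max_len=20), indent=2))
```

Running the module prints the three entries: the first with no labels, the PATH entry with "value_truncated", and the third with "name_truncated".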

@zschmerber
Copy link
Contributor

I think this is much cleaner, thanks @antchan2!

@mikeradka mikeradka added the system_activity Issues related to System Activity Category label Dec 9, 2024
@mikeradka
Copy link
Contributor

@antchan2 @zschmerber I like the thought process here. Could we dig into this one a little bit during the 12/13/24 System Call?

@mikeradka mikeradka added enhancement New feature or request v1.4.0 or later Changes marked for versions beyond v1.3.0 of OCSF labels Dec 9, 2024
@antchan2
Copy link
Contributor Author

antchan2 commented Dec 9, 2024

@mikeradka Sure. I can join that call.

@mikeradka
Copy link
Contributor

Note: name and value are of String data type rather than Long String data type.
