[CWS] Fix flaky tests and remove unneeded code (#45508)

### What does this PR do?

This PR:
* Fixes the TestActionKillContainerWithSignature flakyness
* Removes auto-suppression logic from dumps and profiles and related tests
* Removes load controller logic and tests (keeping only the size checks of dumps)

### Motivation

### Describe how you validated your changes

### Additional Notes


Co-authored-by: jonathan.ribas <jonathan.ribas@datadoghq.com>

Author: spikat

pkg/security/config/config.go

@@ -278,8 +278,6 @@ type RuntimeSecurityConfig struct {
 	ActivityDumpSilentWorkloadsDelay time.Duration
 	// ActivityDumpSilentWorkloadsTicker configures ticker that will check if a workload is silent and should be traced
 	ActivityDumpSilentWorkloadsTicker time.Duration
-	// ActivityDumpAutoSuppressionEnabled bool do not send event if part of a dump
-	ActivityDumpAutoSuppressionEnabled bool
 
 	// # Dynamic configuration fields:
 	// ActivityDumpMaxDumpSize defines the maximum size of a dump
@@ -302,11 +300,6 @@ type RuntimeSecurityConfig struct {
 	// SecurityProfileNodeEvictionTimeout defines the timeout after which non-touched nodes are evicted from profiles
 	SecurityProfileNodeEvictionTimeout time.Duration
 
-	// SecurityProfileAutoSuppressionEnabled do not send event if part of a profile
-	SecurityProfileAutoSuppressionEnabled bool
-	// SecurityProfileAutoSuppressionEventTypes defines the list of event types the can be auto suppressed using security profiles
-	SecurityProfileAutoSuppressionEventTypes []model.EventType
-
 	// AnomalyDetectionEventTypes defines the list of events that should be allowed to generate anomaly detections
 	AnomalyDetectionEventTypes []model.EventType
 	// AnomalyDetectionDefaultMinimumStablePeriod defines the default minimum amount of time during which the events
@@ -566,7 +559,6 @@ func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error) {
 		ActivityDumpSilentWorkloadsDelay:      pkgconfigsetup.SystemProbe().GetDuration("runtime_security_config.activity_dump.silent_workloads.delay"),
 		ActivityDumpSilentWorkloadsTicker:     pkgconfigsetup.SystemProbe().GetDuration("runtime_security_config.activity_dump.silent_workloads.ticker"),
 		ActivityDumpWorkloadDenyList:          pkgconfigsetup.SystemProbe().GetStringSlice("runtime_security_config.activity_dump.workload_deny_list"),
-		ActivityDumpAutoSuppressionEnabled:    pkgconfigsetup.SystemProbe().GetBool("runtime_security_config.activity_dump.auto_suppression.enabled"),
 		// activity dump dynamic fields
 		ActivityDumpMaxDumpSize: func() int {
 			mds := max(pkgconfigsetup.SystemProbe().GetInt("runtime_security_config.activity_dump.max_dump_size"), ADMinMaxDumSize)
@@ -605,10 +597,6 @@ func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error) {
 		SecurityProfileDNSMatchMaxDepth:    pkgconfigsetup.SystemProbe().GetInt("runtime_security_config.security_profile.dns_match_max_depth"),
 		SecurityProfileNodeEvictionTimeout: pkgconfigsetup.SystemProbe().GetDuration("runtime_security_config.security_profile.node_eviction_timeout"),
 
-		// auto suppression
-		SecurityProfileAutoSuppressionEnabled:    pkgconfigsetup.SystemProbe().GetBool("runtime_security_config.security_profile.auto_suppression.enabled"),
-		SecurityProfileAutoSuppressionEventTypes: parseEventTypeStringSlice(pkgconfigsetup.SystemProbe().GetStringSlice("runtime_security_config.security_profile.auto_suppression.event_types")),
-
 		// anomaly detection
 		AnomalyDetectionEventTypes:                   parseEventTypeStringSlice(pkgconfigsetup.SystemProbe().GetStringSlice("runtime_security_config.security_profile.anomaly_detection.event_types")),
 		AnomalyDetectionDefaultMinimumStablePeriod:   pkgconfigsetup.SystemProbe().GetDuration("runtime_security_config.security_profile.anomaly_detection.default_minimum_stable_period"),

pkg/security/metrics/metrics.go

@@ -33,12 +33,6 @@ var (
 	// Tags: rule_id
 	MetricRateLimiterAllow = newRuntimeMetric(".rules.rate_limiter.allow")
 
-	// Rule Suppression metrics
-
-	// MetricRulesSuppressed is the name of the metric used to count the number of auto suppressed events
-	// Tags: rule_id
-	MetricRulesSuppressed = newRuntimeMetric(".rules.suppressed")
-
 	// MetricRulesNoMatch is the number of events that reached userspace but didn't match any rule
 	// Tags: event_type, category
 	MetricRulesNoMatch = newRuntimeMetric(".rules.no_match")
@@ -242,9 +236,6 @@ var (
 	// MetricActivityDumpActiveDumps is the name of the metric used to report the number of active dumps
 	// Tags: -
 	MetricActivityDumpActiveDumps = newRuntimeMetric(".activity_dump.active_dumps")
-	// MetricActivityDumpLoadControllerTriggered is the name of the metric used to report that the ADM load controller reduced the config envelope
-	// Tags:reduction, event_type
-	MetricActivityDumpLoadControllerTriggered = newRuntimeMetric(".activity_dump.load_controller_triggered")
 	// MetricActivityDumpActiveDumpSizeInMemory is the size of an activity dump in memory
 	// Tags: dump_index
 	MetricActivityDumpActiveDumpSizeInMemory = newRuntimeMetric(".activity_dump.size_in_memory")
@@ -320,7 +311,7 @@ var (
 	// Security Profile metrics
 
 	// MetricSecurityProfileProfiles is the name of the metric used to report the count of Security Profiles per category
-	// Tags: in_kernel (true or false), anomaly_detection (true or false), auto_suppression (true or false), workload_hardening (true or false)
+	// Tags: in_kernel (true or false), anomaly_detection (true or false), workload_hardening (true or false)
 	MetricSecurityProfileProfiles = newRuntimeMetric(".security_profile.profiles")
 	// MetricSecurityProfileCacheLen is the name of the metric used to report the size of the Security Profile cache
 	// Tags: -

pkg/security/module/cws.go

@@ -389,16 +389,6 @@ func (c *CWSConsumer) sendStats() {
 	}
 
 	c.ruleEngine.SendStats()
-
-	for statsTags, counter := range c.ruleEngine.AutoSuppression.GetStats() {
-		if counter > 0 {
-			tags := []string{
-				"rule_id:" + statsTags.RuleID,
-				"suppression_type:" + statsTags.SuppressionType,
-			}
-			_ = c.statsdClient.Count(metrics.MetricRulesSuppressed, counter, tags, 1.0)
-		}
-	}
 }
 
 func (c *CWSConsumer) statsSender() {

pkg/security/probe/probe_ebpf.go

@@ -897,7 +897,6 @@ func (p *EBPFProbe) DispatchEvent(event *model.Event, notifyConsumers bool) {
 	p.profileManager.LookupEventInProfiles(event)
 
 	// mark the events that have an associated activity dump
-	// this is needed for auto suppressions performed by the CWS rule engine
 	if p.profileManager.HasActiveActivityDump(event) {
 		event.AddToFlags(model.EventFlagsHasActiveActivityDump)
 	}

pkg/security/rules/autosuppression/autosuppression.go

@@ -29,7 +29,6 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/security/probe"
 	"github.com/DataDog/datadog-agent/pkg/security/proto/api"
 	"github.com/DataDog/datadog-agent/pkg/security/rconfig"
-	"github.com/DataDog/datadog-agent/pkg/security/rules/autosuppression"
 	"github.com/DataDog/datadog-agent/pkg/security/rules/bundled"
 	"github.com/DataDog/datadog-agent/pkg/security/rules/filtermodel"
 	"github.com/DataDog/datadog-agent/pkg/security/rules/monitor"
@@ -65,7 +64,6 @@ type RuleEngine struct {
 	statsdClient     statsd.ClientInterface
 	eventSender      events.EventSender
 	rulesetListeners []rules.RuleSetListener
-	AutoSuppression  autosuppression.AutoSuppression
 	pid              uint32
 	wg               sync.WaitGroup
 	ipc              ipc.Component
@@ -103,14 +101,6 @@ func NewRuleEngine(evm *eventmonitor.EventMonitor, config *config.RuntimeSecurit
 
 	engine.noMatchCounters = make([]atomic.Uint64, model.MaxAllEventType)
 
-	engine.AutoSuppression.Init(autosuppression.Opts{
-		SecurityProfileEnabled:                config.SecurityProfileEnabled,
-		SecurityProfileAutoSuppressionEnabled: config.SecurityProfileAutoSuppressionEnabled,
-		ActivityDumpEnabled:                   config.ActivityDumpEnabled,
-		ActivityDumpAutoSuppressionEnabled:    config.ActivityDumpAutoSuppressionEnabled,
-		EventTypes:                            config.SecurityProfileAutoSuppressionEventTypes,
-	})
-
 	// register as event handler
 	if err := probe.AddEventHandler(engine); err != nil {
 		return nil, err
@@ -409,9 +399,6 @@ func (e *RuleEngine) LoadPolicies(providers []rules.PolicyProvider, sendLoadedRe
 	// set the rate limiters on sending events to the backend
 	e.rateLimiter.Apply(rs, events.AllCustomRuleIDs())
 
-	// update the stats of auto-suppression rules
-	e.AutoSuppression.Apply(rs)
-
 	if replayEvents {
 		e.probe.ReplayEvents()
 	}
@@ -544,15 +531,11 @@ func (e *RuleEngine) EventDiscarderFound(rs *rules.RuleSet, event eval.Event, fi
 func (e *RuleEngine) RuleMatch(ctx *eval.Context, rule *rules.Rule, event eval.Event) bool {
 	ev := event.(*model.Event)
 
-	// add matched rules before any auto suppression check to ensure that this information is available in activity dumps
+	// add matched rules to ensure that this information is available in activity dumps
 	if ev.ProcessContext.Process.ContainerContext.ContainerID != "" && (e.config.ActivityDumpTagRulesEnabled || e.config.AnomalyDetectionTagRulesEnabled) {
 		ev.Rules = append(ev.Rules, model.NewMatchedRule(rule.Def.ID, rule.Def.Version, rule.Def.Tags, rule.Policy.Name, rule.Policy.Version))
 	}
 
-	if e.AutoSuppression.Suppresses(rule, ev) {
-		return false
-	}
-
 	e.probe.HandleActions(rule, event)
 
 	if rule.Def.Silent {

pkg/security/rules/engine.go

@@ -51,71 +51,23 @@ func (m *Manager) getDefaultLoadConfig() *model.ActivityDumpLoadConfig {
 	return m.activityDumpLoadConfig
 }
 
-func (m *Manager) sendLoadControllerTriggeredMetric(tags []string) error {
-	if err := m.statsdClient.Count(metrics.MetricActivityDumpLoadControllerTriggered, 1, tags, 1.0); err != nil {
-		return fmt.Errorf("couldn't send %s metric: %v", metrics.MetricActivityDumpLoadControllerTriggered, err)
-	}
-	return nil
-}
-
 func (m *Manager) nextPartialDump(prev *dump.ActivityDump) *dump.ActivityDump {
 	previousLoadConfig := prev.LoadConfig.Load()
-	timeToThreshold := time.Since(prev.Profile.Metadata.Start)
-
-	newRate := previousLoadConfig.Rate
-	if timeToThreshold < m.minDumpTimeout {
-		newRate = previousLoadConfig.Rate * 3 / 4 // reduce by 25%
-		if err := m.sendLoadControllerTriggeredMetric([]string{"reduction:rate"}); err != nil {
-			seclog.Errorf("%v", err)
-		}
-	}
-
-	newTimeout := previousLoadConfig.Timeout
-	if timeToThreshold < m.minDumpTimeout/2 && previousLoadConfig.Timeout > m.minDumpTimeout {
-		newTimeout = previousLoadConfig.Timeout * 3 / 4 // reduce by 25%
-		if newTimeout < m.minDumpTimeout {
-			newTimeout = m.minDumpTimeout
-		}
-		if err := m.sendLoadControllerTriggeredMetric([]string{"reduction:dump_timeout"}); err != nil {
-			seclog.Errorf("%v", err)
-		}
-	}
-
-	newEvents := make([]model.EventType, len(previousLoadConfig.TracedEventTypes))
-	copy(newEvents, previousLoadConfig.TracedEventTypes)
-	if timeToThreshold < m.minDumpTimeout/4 {
-		var evtToRemove model.EventType
-		newEvents = newEvents[:0]
-	reductionOrder:
-		for _, evt := range TracedEventTypesReductionOrder {
-			for _, tracedEvt := range previousLoadConfig.TracedEventTypes {
-				if evt == tracedEvt {
-					evtToRemove = evt
-					break reductionOrder
-				}
-			}
-		}
-		for _, evt := range previousLoadConfig.TracedEventTypes {
-			if evt != evtToRemove {
-				newEvents = append(newEvents, evt)
-			}
-		}
-
-		if evtToRemove != model.UnknownEventType {
-			if err := m.sendLoadControllerTriggeredMetric([]string{"reduction:traced_event_types", "event_type:" + evtToRemove.String()}); err != nil {
-				seclog.Errorf("%v", err)
-			}
-		}
-	}
 
 	now := time.Now()
-	newLoadConfig := m.newActivityDumpLoadConfig(newEvents, newTimeout, m.config.RuntimeSecurity.ActivityDumpCgroupWaitListTimeout, newRate, now)
+	newLoadConfig := m.newActivityDumpLoadConfig(
+		previousLoadConfig.TracedEventTypes,
+		previousLoadConfig.Timeout,
+		m.config.RuntimeSecurity.ActivityDumpCgroupWaitListTimeout,
+		previousLoadConfig.Rate,
+		now,
+	)
 	newDump := dump.NewActivityDump(m.pathsReducer, prev.Profile.Metadata.DifferentiateArgs, 0, m.config.RuntimeSecurity.ActivityDumpTracedEventTypes, m.updateTracedPid, newLoadConfig, func(ad *dump.ActivityDump) {
 		ad.Profile.Header = prev.Profile.Header
 		ad.Profile.Metadata = prev.Profile.Metadata
 		ad.Profile.Metadata.Name = "activity-dump-" + utils.RandString(10)
 		ad.Profile.Metadata.Start = now
-		ad.Profile.Metadata.End = now.Add(newTimeout)
+		ad.Profile.Metadata.End = now.Add(previousLoadConfig.Timeout)
 		ad.Profile.AddTags(prev.Profile.GetTags())
 	})
 

pkg/security/security_profile/load_controller.go

@@ -270,9 +270,6 @@ func NewManager(cfg *config.Config, statsdClient statsd.ClientInterface, ebpf *e
 	}
 
 	var secProfEventTypes []model.EventType
-	if cfg.RuntimeSecurity.SecurityProfileAutoSuppressionEnabled {
-		secProfEventTypes = append(secProfEventTypes, cfg.RuntimeSecurity.SecurityProfileAutoSuppressionEventTypes...)
-	}
 	if cfg.RuntimeSecurity.AnomalyDetectionEnabled {
 		secProfEventTypes = append(secProfEventTypes, cfg.RuntimeSecurity.AnomalyDetectionEventTypes...)
 	}