Documentation
¶
Overview ¶
Package monitor represents a wrapper to netlink, which gives us the ability to monitor process events like Exec and Exit, and activate the registered callbacks for the relevant events
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FindDeletedProcesses ¶
FindDeletedProcesses returns the terminated PIDs from the given map.
Types ¶
type ProcessCallback ¶
type ProcessCallback func(pid uint32)
ProcessCallback is a callback function that is called on a given pid that represents a new process.
type ProcessMonitor ¶
type ProcessMonitor struct {
// contains filtered or unexported fields
}
ProcessMonitor uses netlink process events like Exec and Exit and activate the registered callbacks for the relevant events. ProcessMonitor require root or CAP_NET_ADMIN capabilities
func GetProcessMonitor ¶
func GetProcessMonitor() *ProcessMonitor
GetProcessMonitor create a monitor (only once) that register to netlink process events.
This monitor can monitor.Subscribe(callback, filter) callback on particular event like process EXEC, EXIT. The callback will be called when the filter will match. Filter can be applied on :
process name (NAME) by default ANY is applied
Typical initialization:
mon := GetProcessMonitor() mon.Subscribe(callback) mon.Initialize()
note: o GetProcessMonitor() will always return the same instance
as we can only register once with netlink process event
o mon.Subscribe() will subscribe callback before or after the Initialization
o mon.Initialize() will scan current processes and call subscribed callback
o callback{Event: EXIT, Metadata: ANY} callback is called for all exit events (system-wide)
o callback{Event: EXIT, Metadata: NAME} callback will be called if we have seen the process Exec event,
the metadata will be saved between Exec and Exit event per pid
then the Exit callback will evaluate the same metadata on Exit.
We need to save the metadata here as /proc/pid doesn't exist anymore.
func (*ProcessMonitor) Initialize ¶
func (pm *ProcessMonitor) Initialize() error
Initialize setting up the process monitor only once, no matter how many times it was called. The initialization order:
- Initializes callback workers.
- Initializes the netlink process monitor.
- Run the main event loop in a goroutine.
- Scans already running processes and call the Exec callbacks on them.
func (*ProcessMonitor) Stop ¶
func (pm *ProcessMonitor) Stop()
Stop decreasing the refcount, and if we reach 0 we terminate the main event loop.
func (*ProcessMonitor) SubscribeExec ¶
func (pm *ProcessMonitor) SubscribeExec(callback ProcessCallback) func()
SubscribeExec register an exec callback and returns unsubscribe function callback that removes the callback.
A callback can be registered only once, callback with a filter type (not ANY) must be registered before the matching Exit callback.
func (*ProcessMonitor) SubscribeExit ¶
func (pm *ProcessMonitor) SubscribeExit(callback ProcessCallback) func()
SubscribeExit register an exit callback and returns unsubscribe function callback that removes the callback.
Source Files