model

package
Version: v0.0.0-...-b79bd1f Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 24, 2021 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	LowerLayer = 1 << iota
	UpperLayer
)

File flags

View Source
const MaxPathDepth = 1500

MaxPathDepth defines the maximum depth of a path

View Source
const MaxSegmentLength = 255

MaxSegmentLength defines the maximum length of each segment of a path

Variables

View Source
var (

	// KernelCapabilityConstants list of kernel capabilities
	KernelCapabilityConstants = map[string]uint64{
		"CAP_AUDIT_CONTROL":      1 << unix.CAP_AUDIT_CONTROL,
		"CAP_AUDIT_READ":         1 << unix.CAP_AUDIT_READ,
		"CAP_AUDIT_WRITE":        1 << unix.CAP_AUDIT_WRITE,
		"CAP_BLOCK_SUSPEND":      1 << unix.CAP_BLOCK_SUSPEND,
		"CAP_BPF":                1 << unix.CAP_BPF,
		"CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE,
		"CAP_CHOWN":              1 << unix.CAP_CHOWN,
		"CAP_DAC_OVERRIDE":       1 << unix.CAP_DAC_OVERRIDE,
		"CAP_DAC_READ_SEARCH":    1 << unix.CAP_DAC_READ_SEARCH,
		"CAP_FOWNER":             1 << unix.CAP_FOWNER,
		"CAP_FSETID":             1 << unix.CAP_FSETID,
		"CAP_IPC_LOCK":           1 << unix.CAP_IPC_LOCK,
		"CAP_IPC_OWNER":          1 << unix.CAP_IPC_OWNER,
		"CAP_KILL":               1 << unix.CAP_KILL,
		"CAP_LAST_CAP":           1 << unix.CAP_LAST_CAP,
		"CAP_LEASE":              1 << unix.CAP_LEASE,
		"CAP_LINUX_IMMUTABLE":    1 << unix.CAP_LINUX_IMMUTABLE,
		"CAP_MAC_ADMIN":          1 << unix.CAP_MAC_ADMIN,
		"CAP_MAC_OVERRIDE":       1 << unix.CAP_MAC_OVERRIDE,
		"CAP_MKNOD":              1 << unix.CAP_MKNOD,
		"CAP_NET_ADMIN":          1 << unix.CAP_NET_ADMIN,
		"CAP_NET_BIND_SERVICE":   1 << unix.CAP_NET_BIND_SERVICE,
		"CAP_NET_BROADCAST":      1 << unix.CAP_NET_BROADCAST,
		"CAP_NET_RAW":            1 << unix.CAP_NET_RAW,
		"CAP_PERFMON":            1 << unix.CAP_PERFMON,
		"CAP_SETFCAP":            1 << unix.CAP_SETFCAP,
		"CAP_SETGID":             1 << unix.CAP_SETGID,
		"CAP_SETPCAP":            1 << unix.CAP_SETPCAP,
		"CAP_SETUID":             1 << unix.CAP_SETUID,
		"CAP_SYSLOG":             1 << unix.CAP_SYSLOG,
		"CAP_SYS_ADMIN":          1 << unix.CAP_SYS_ADMIN,
		"CAP_SYS_BOOT":           1 << unix.CAP_SYS_BOOT,
		"CAP_SYS_CHROOT":         1 << unix.CAP_SYS_CHROOT,
		"CAP_SYS_MODULE":         1 << unix.CAP_SYS_MODULE,
		"CAP_SYS_NICE":           1 << unix.CAP_SYS_NICE,
		"CAP_SYS_PACCT":          1 << unix.CAP_SYS_PACCT,
		"CAP_SYS_PTRACE":         1 << unix.CAP_SYS_PTRACE,
		"CAP_SYS_RAWIO":          1 << unix.CAP_SYS_RAWIO,
		"CAP_SYS_RESOURCE":       1 << unix.CAP_SYS_RESOURCE,
		"CAP_SYS_TIME":           1 << unix.CAP_SYS_TIME,
		"CAP_SYS_TTY_CONFIG":     1 << unix.CAP_SYS_TTY_CONFIG,
		"CAP_WAKE_ALARM":         1 << unix.CAP_WAKE_ALARM,
	}

	// SECLConstants are constants available in runtime security agent rules
	SECLConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}
)
View Source
var (
	// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
	ErrNotEnoughData = errors.New("not enough data")

	// ErrStringArrayOverflow returned when there is a string array overflow
	ErrStringArrayOverflow = errors.New("string array overflow")

	// ErrNonPrintable returned when a string contains non printable char
	ErrNonPrintable = errors.New("non printable")
)
View Source
var ByteOrder binary.ByteOrder

ByteOrder holds the hosts byte order

View Source
var SECLLegacyAttributes = map[eval.Field]eval.Field{

	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",

	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",
}

SECLLegacyAttributes contains the list of the legacy attributes we need to support

Functions

func FindContainerID

func FindContainerID(s string) string

FindContainerID extracts the first sub string that matches the pattern of a container ID

func GetEventTypePerCategory

func GetEventTypePerCategory() map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func GetHostByteOrder

func GetHostByteOrder() binary.ByteOrder

GetHostByteOrder guesses the hosts byte order

func IsAlphaNumeric

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable

func IsPrintable(s string) bool

IsPrintable returns whether the string does contain only unicode printable

func IsPrintableASCII

func IsPrintableASCII(s string) bool

IsPrintableASCII returns whether the string does contain only ASCII char

func SliceToArray

func SliceToArray(src []byte, dst unsafe.Pointer)

SliceToArray copy src bytes to dst. Destination should have enough space

func UnmarshalBinary

func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)

UnmarshalBinary calls a series of BinaryUnmarshaler

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshal string

func UnmarshalStringArray

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extract array of string for array of byte

Types

type ArgsEntry

type ArgsEntry struct {
	*ArgsEnvsCacheEntry

	Values    []string
	Truncated bool
	// contains filtered or unexported fields
}

ArgsEntry defines a args cache entry

func (*ArgsEntry) ToArray

func (p *ArgsEntry) ToArray() ([]string, bool)

ToArray returns args as array

type ArgsEnvs

type ArgsEnvs struct {
	ID        uint32
	Size      uint32
	ValuesRaw [256]byte
}

ArgsEnvs raw value for args and envs

type ArgsEnvsCacheEntry

type ArgsEnvsCacheEntry struct {
	ArgsEnvs
	// contains filtered or unexported fields
}

ArgsEnvsCacheEntry defines a args/envs base entry

func NewArgsEnvsCacheEntry

func NewArgsEnvsCacheEntry(onRelease func(_ *ArgsEnvsCacheEntry)) *ArgsEnvsCacheEntry

NewArgsEnvsCacheEntry returns a new args/env cache entry

func (*ArgsEnvsCacheEntry) Append

func (p *ArgsEnvsCacheEntry) Append(entry *ArgsEnvsCacheEntry)

Append an entry to the list

func (*ArgsEnvsCacheEntry) Release

func (p *ArgsEnvsCacheEntry) Release()

Release decrement and eventually release the entry

func (*ArgsEnvsCacheEntry) Retain

func (p *ArgsEnvsCacheEntry) Retain()

Retain increment ref counter

type ArgsEnvsEvent

type ArgsEnvsEvent struct {
	ArgsEnvs
}

ArgsEnvsEvent defines a args/envs event

func (*ArgsEnvsEvent) UnmarshalBinary

func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type BinaryUnmarshaler

type BinaryUnmarshaler interface {
	UnmarshalBinary(data []byte) (int, error)
}

BinaryUnmarshaler interface implemented by every event type

type CapsetEvent

type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"`
	CapPermitted uint64 `field:"cap_permitted"`
}

CapsetEvent represents a capset event

func (*CapsetEvent) UnmarshalBinary

func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ChmodEvent

type ChmodEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode" field:"file.destination.rights"`
}

ChmodEvent represents a chmod event

func (*ChmodEvent) UnmarshalBinary

func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ChmodMode

type ChmodMode int

ChmodMode represent a chmod mode bitmask value

func (ChmodMode) String

func (m ChmodMode) String() string

type ChownEvent

type ChownEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	UID   uint32    `field:"file.destination.uid"`
	User  string    `field:"file.destination.user,ResolveChownUID"`
	GID   uint32    `field:"file.destination.gid"`
	Group string    `field:"file.destination.group,ResolveChownGID"`
}

ChownEvent represents a chown event

func (*ChownEvent) UnmarshalBinary

func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ContainerContext

type ContainerContext struct {
	ID   string   `field:"id,ResolveContainerID"`
	Tags []string `field:"tags,ResolveContainerTags:9999"`
}

ContainerContext holds the container context of an event

func (*ContainerContext) UnmarshalBinary

func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type Credentials

type Credentials struct {
	UID   uint32 `field:"uid"`
	GID   uint32 `field:"gid"`
	User  string `field:"user"`
	Group string `field:"group"`

	EUID   uint32 `field:"euid"`
	EGID   uint32 `field:"egid"`
	EUser  string `field:"euser"`
	EGroup string `field:"egroup"`

	FSUID   uint32 `field:"fsuid"`
	FSGID   uint32 `field:"fsgid"`
	FSUser  string `field:"fsuser"`
	FSGroup string `field:"fsgroup"`

	CapEffective uint64 `field:"cap_effective"`
	CapPermitted uint64 `field:"cap_permitted"`
}

Credentials represents the kernel credentials of a process

func (*Credentials) UnmarshalBinary

func (e *Credentials) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type EnvsEntry

type EnvsEntry struct {
	*ArgsEnvsCacheEntry

	Values    map[string]string
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines a args cache entry

func (*EnvsEntry) Get

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

func (*EnvsEntry) ToMap

func (p *EnvsEntry) ToMap() (map[string]string, bool)

ToMap returns envs as map

type Event

type Event struct {
	ID           string    `field:"-"`
	Type         uint64    `field:"-"`
	TimestampRaw uint64    `field:"-"`
	Timestamp    time.Time `field:"timestamp"`

	ProcessContext   ProcessContext   `field:"process" event:"*"`
	ContainerContext ContainerContext `field:"container"`

	Chmod       ChmodEvent    `field:"chmod" event:"chmod"`
	Chown       ChownEvent    `field:"chown" event:"chown"`
	Open        OpenEvent     `field:"open" event:"open"`
	Mkdir       MkdirEvent    `field:"mkdir" event:"mkdir"`
	Rmdir       RmdirEvent    `field:"rmdir" event:"rmdir"`
	Rename      RenameEvent   `field:"rename" event:"rename"`
	Unlink      UnlinkEvent   `field:"unlink" event:"unlink"`
	Utimes      UtimesEvent   `field:"utimes" event:"utimes"`
	Link        LinkEvent     `field:"link" event:"link"`
	SetXAttr    SetXAttrEvent `field:"setxattr" event:"setxattr"`
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"`
	Exec        ExecEvent     `field:"exec" event:"exec"`

	SetUID SetuidEvent `field:"setuid" event:"setuid"`
	SetGID SetgidEvent `field:"setgid" event:"setgid"`
	Capset CapsetEvent `field:"capset" event:"capset"`

	SELinux SELinuxEvent `field:"selinux" event:"selinux"`

	Mount            MountEvent            `field:"-"`
	Umount           UmountEvent           `field:"-"`
	InvalidateDentry InvalidateDentryEvent `field:"-"`
	ArgsEnvs         ArgsEnvsEvent         `field:"-"`
	MountReleased    MountReleasedEvent    `field:"-"`
}

Event represents an event sent from the kernel genaccessors

func (*Event) GetEventType

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetFieldEventType

func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)

func (*Event) GetFieldType

func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)

func (*Event) GetFieldValue

func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields

func (e *Event) GetFields() []eval.Field

func (*Event) GetPointer

func (e *Event) GetPointer() unsafe.Pointer

GetPointer return an unsafe.Pointer of the Event

func (*Event) GetTags

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetType

func (e *Event) GetType() string

GetType returns the event type

func (*Event) SetFieldValue

func (e *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) UnmarshalBinary

func (e *Event) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type EventCategory

type EventCategory = string

EventCategory category type

const (
	// FIMCategory FIM events
	FIMCategory EventCategory = "fim"
	// RuntimeCategory Process events
	RuntimeCategory EventCategory = "runtime"
)

Event categories

func GetEventTypeCategory

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

type EventType

type EventType uint64

EventType describes the type of an event sent from the kernel

const (
	// UnknownEventType unknow event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// MaxEventType is used internally to get the maximum number of kernel events.
	MaxEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileRemoveXAttrEventType

	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	CustomLostReadEventType EventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process
	CustomNoisyProcessEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
)

func ParseEvalEventType

func ParseEvalEventType(eventType eval.EventType) EventType

ParseEvalEventType convert a eval.EventType (string) to its uint64 representation the current algorithm is not efficient but allows us to reduce the number of conversion functions

func (EventType) String

func (t EventType) String() string

type ExecEvent

type ExecEvent struct {
	Process

	// defined to generate accessors
	Args          string   `field:"args,ResolveExecArgs"`
	Argv          []string `field:"argv,ResolveExecArgv" field:"args_flags,ResolveExecArgsFlags" field:"args_options,ResolveExecArgsOptions"`
	ArgsTruncated bool     `field:"args_truncated,ResolveExecArgsTruncated"`
	Envs          []string `field:"envs,ResolveExecEnvs"`
	EnvsTruncated bool     `field:"envs_truncated,ResolveExecEnvsTruncated"`
}

ExecEvent represents a exec event

func (*ExecEvent) UnmarshalBinary

func (e *ExecEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type FileEvent

type FileEvent struct {
	FileFields
	PathnameStr string `field:"path,ResolveFilePath"`
	BasenameStr string `field:"name,ResolveFileBasename"`
	Filesytem   string `field:"filesystem,ResolveFileFilesystem"`

	PathResolutionError error `field:"-"`
}

FileEvent is the common file event type

func (*FileEvent) GetPathResolutionError

func (e *FileEvent) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*FileEvent) UnmarshalBinary

func (e *FileEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type FileFields

type FileFields struct {
	UID   uint32 `field:"uid"`
	User  string `field:"user,ResolveFileFieldsUser"`
	GID   uint32 `field:"gid"`
	Group string `field:"group,ResolveFileFieldsGroup"`
	Mode  uint16 `field:"mode" field:"rights,ResolveRights"`
	CTime uint64 `field:"change_time"`
	MTime uint64 `field:"modification_time"`

	MountID      uint32 `field:"mount_id"`
	Inode        uint64 `field:"inode"`
	PathID       uint32 `field:"-"`
	Flags        int32  `field:"-"`
	InUpperLayer bool   `field:"in_upper_layer,ResolveFileFieldsInUpperLayer"`
}

FileFields holds the information required to identify a file

func (*FileFields) GetInLowerLayer

func (f *FileFields) GetInLowerLayer() bool

GetInLowerLayer returns whether a file is in a lower layer

func (*FileFields) GetInUpperLayer

func (f *FileFields) GetInUpperLayer() bool

GetInUpperLayer returns whether a file is in the upper layer

func (*FileFields) UnmarshalBinary

func (e *FileFields) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type InvalidateDentryEvent

type InvalidateDentryEvent struct {
	Inode             uint64
	MountID           uint32
	DiscarderRevision uint32
}

InvalidateDentryEvent defines a invalidate dentry event

func (*InvalidateDentryEvent) UnmarshalBinary

func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type KernelCapability

type KernelCapability uint64

KernelCapability represents a kernel capability bitmask value

func (KernelCapability) String

func (kc KernelCapability) String() string

func (KernelCapability) StringArray

func (kc KernelCapability) StringArray() []string

StringArray returns the kernel capabilities as an array of strings

type LinkEvent

type LinkEvent struct {
	SyscallEvent
	Source FileEvent `field:"file"`
	Target FileEvent `field:"file.destination"`
}

LinkEvent represents a link event

func (*LinkEvent) UnmarshalBinary

func (e *LinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MkdirEvent

type MkdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode" field:"file.destination.rights"`
}

MkdirEvent represents a mkdir event

func (*MkdirEvent) UnmarshalBinary

func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type Model

type Model struct{}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes

func (m *Model) GetEventTypes() []eval.EventType

func (*Model) GetIterator

func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)

func (*Model) NewEvent

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) ValidateField

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type MountEvent

type MountEvent struct {
	SyscallEvent
	MountID                       uint32
	GroupID                       uint32
	Device                        uint32
	ParentMountID                 uint32
	ParentInode                   uint64
	FSType                        string
	MountPointStr                 string
	MountPointPathResolutionError error
	RootMountID                   uint32
	RootInode                     uint64
	RootStr                       string
	RootPathResolutionError       error

	FSTypeRaw [16]byte
}

MountEvent represents a mount event

func (*MountEvent) GetFSType

func (m *MountEvent) GetFSType() string

GetFSType returns the filesystem type of the mountpoint

func (*MountEvent) GetMountPointPathResolutionError

func (m *MountEvent) GetMountPointPathResolutionError() string

GetMountPointPathResolutionError returns the mount point path resolution error as a string if there is one

func (*MountEvent) GetRootPathResolutionError

func (m *MountEvent) GetRootPathResolutionError() string

GetRootPathResolutionError returns the root path resolution error as a string if there is one

func (*MountEvent) IsOverlayFS

func (m *MountEvent) IsOverlayFS() bool

IsOverlayFS returns whether it is an overlay fs

func (*MountEvent) UnmarshalBinary

func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MountReleasedEvent

type MountReleasedEvent struct {
	MountID           uint32
	DiscarderRevision uint32
}

MountReleasedEvent defines a mount released event

func (*MountReleasedEvent) UnmarshalBinary

func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type OpenEvent

type OpenEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"`
	Mode  uint32    `field:"file.destination.mode"`
}

OpenEvent represents an open event

func (*OpenEvent) UnmarshalBinary

func (e *OpenEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type OpenFlags

type OpenFlags int

OpenFlags represents an open flags bitmask value

func (OpenFlags) String

func (f OpenFlags) String() string

func (OpenFlags) StringArray

func (f OpenFlags) StringArray() []string

StringArray returns the open flags as an array of strings

type Process

type Process struct {
	// proc_cache_t
	FileFields FileFields `field:"file"`

	Pid uint32 `field:"pid"`
	Tid uint32 `field:"tid"`

	PathnameStr         string `field:"file.path"`
	BasenameStr         string `field:"file.name"`
	Filesystem          string `field:"file.filesystem"`
	PathResolutionError error  `field:"-"`

	ContainerID string `field:"container.id"`

	TTYName string `field:"tty_name"`
	Comm    string `field:"comm"`

	// pid_cache_t
	ForkTime time.Time `field:"-"`
	ExitTime time.Time `field:"-"`
	ExecTime time.Time `field:"-"`

	CreatedAt uint64 `field:"created_at,ResolveProcessCreatedAt"`

	Cookie uint32 `field:"cookie"`
	PPid   uint32 `field:"ppid"`

	// credentials_t section of pid_cache_t
	Credentials

	ArgsID uint32 `field:"-"`
	EnvsID uint32 `field:"-"`

	ArgsEntry     *ArgsEntry `field:"-"`
	EnvsEntry     *EnvsEntry `field:"-"`
	EnvsTruncated bool       `field:"-"`
	ArgsTruncated bool       `field:"-"`
}

Process represents a process

func (*Process) GetPathResolutionError

func (e *Process) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*Process) UnmarshalBinary

func (e *Process) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ProcessAncestorsIterator

type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) Front

Front returns the first element

func (*ProcessAncestorsIterator) Next

Next returns the next element

type ProcessCacheEntry

type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry this struct holds process context kept in the process tree

func NewProcessCacheEntry

func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) Exec

func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)

Exec replace a process

func (*ProcessCacheEntry) Exit

func (pc *ProcessCacheEntry) Exit(exitTime time.Time)

Exit a process

func (*ProcessCacheEntry) Fork

func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)

Fork returns a copy of the current ProcessCacheEntry

func (*ProcessCacheEntry) Release

func (e *ProcessCacheEntry) Release()

Release decrement and eventually release the entry

func (*ProcessCacheEntry) Reset

func (e *ProcessCacheEntry) Reset()

Reset the entry

func (*ProcessCacheEntry) Retain

func (e *ProcessCacheEntry) Retain()

Retain increment ref counter

func (*ProcessCacheEntry) SetAncestor

func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)

SetAncestor set the ancestor

type ProcessContext

type ProcessContext struct {
	Process

	Ancestor *ProcessCacheEntry `field:"ancestors,,ProcessAncestorsIterator"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) UnmarshalBinary

func (p *ProcessContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type RenameEvent

type RenameEvent struct {
	SyscallEvent
	Old               FileEvent `field:"file"`
	New               FileEvent `field:"file.destination"`
	DiscarderRevision uint32    `field:"-"`
}

RenameEvent represents a rename event

func (*RenameEvent) UnmarshalBinary

func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type RetValError

type RetValError int

RetValError represents a syscall return error value

func (RetValError) String

func (f RetValError) String() string

type RmdirEvent

type RmdirEvent struct {
	SyscallEvent
	File              FileEvent `field:"file"`
	DiscarderRevision uint32    `field:"-"`
}

RmdirEvent represents a rmdir event

func (*RmdirEvent) UnmarshalBinary

func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SELinuxEvent

type SELinuxEvent struct {
	File            FileEvent        `field:"-"`
	EventKind       SELinuxEventKind `field:"-"`
	BoolName        string           `field:"bool.name,ResolveSELinuxBoolName"`
	BoolChangeValue string           `field:"bool.state"`
	BoolCommitValue bool             `field:"bool_commit.state"`
	EnforceStatus   string           `field:"enforce.status"`
}

SELinuxEvent represents a selinux event

func (*SELinuxEvent) UnmarshalBinary

func (e *SELinuxEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SELinuxEventKind

type SELinuxEventKind uint32

SELinuxEventKind represents the event kind for SELinux events

const (
	// SELinuxBoolChangeEventKind represents SELinux boolean change events
	SELinuxBoolChangeEventKind SELinuxEventKind = iota
	// SELinuxStatusChangeEventKind represents SELinux status change events
	SELinuxStatusChangeEventKind
	// SELinuxBoolCommitEventKind represents SELinux boolean commit events
	SELinuxBoolCommitEventKind
)

type SetXAttrEvent

type SetXAttrEvent struct {
	SyscallEvent
	File      FileEvent `field:"file"`
	Namespace string    `field:"file.destination.namespace,ResolveXAttrNamespace"`
	Name      string    `field:"file.destination.name,ResolveXAttrName"`

	NameRaw [200]byte
}

SetXAttrEvent represents an extended attributes event

func (*SetXAttrEvent) UnmarshalBinary

func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SetgidEvent

type SetgidEvent struct {
	GID     uint32 `field:"gid"`
	Group   string `field:"group,ResolveSetgidGroup"`
	EGID    uint32 `field:"egid"`
	EGroup  string `field:"egroup,ResolveSetgidEGroup"`
	FSGID   uint32 `field:"fsgid"`
	FSGroup string `field:"fsgroup,ResolveSetgidFSGroup"`
}

SetgidEvent represents a setgid event

func (*SetgidEvent) UnmarshalBinary

func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SetuidEvent

type SetuidEvent struct {
	UID    uint32 `field:"uid"`
	User   string `field:"user,ResolveSetuidUser"`
	EUID   uint32 `field:"euid"`
	EUser  string `field:"euser,ResolveSetuidEUser"`
	FSUID  uint32 `field:"fsuid"`
	FSUser string `field:"fsuser,ResolveSetuidFSUser"`
}

SetuidEvent represents a setuid event

func (*SetuidEvent) UnmarshalBinary

func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SyscallEvent

type SyscallEvent struct {
	Retval int64 `field:"retval"`
}

SyscallEvent contains common fields for all the event

func (*SyscallEvent) UnmarshalBinary

func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UmountEvent

type UmountEvent struct {
	SyscallEvent
	MountID uint32
}

UmountEvent represents an umount event

func (*UmountEvent) UnmarshalBinary

func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UnlinkEvent

type UnlinkEvent struct {
	SyscallEvent
	File              FileEvent `field:"file"`
	Flags             uint32    `field:"-"`
	DiscarderRevision uint32    `field:"-"`
}

UnlinkEvent represents an unlink event

func (*UnlinkEvent) UnmarshalBinary

func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UnlinkFlags

type UnlinkFlags int

UnlinkFlags represents an unlink flags bitmask value

func (UnlinkFlags) String

func (f UnlinkFlags) String() string

func (UnlinkFlags) StringArray

func (f UnlinkFlags) StringArray() []string

StringArray returns the unlink flags as an array of strings

type UtimesEvent

type UtimesEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Atime time.Time `field:"-"`
	Mtime time.Time `field:"-"`
}

UtimesEvent represents a utime event

func (*UtimesEvent) UnmarshalBinary

func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL