model

package
v0.0.0-...-551a65d Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 11, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	LowerLayer = 1 << iota
	UpperLayer
)

File flags

View Source 
const MaxPathDepth = 1500

MaxPathDepth defines the maximum depth of a path

View Source 
const MaxSegmentLength = 255

MaxSegmentLength defines the maximum length of each segment of a path

Variables

View Source 
var (

	// KernelCapabilityConstants list of kernel capabilities
	KernelCapabilityConstants = map[string]int{
		"CAP_AUDIT_CONTROL":      1 << unix.CAP_AUDIT_CONTROL,
		"CAP_AUDIT_READ":         1 << unix.CAP_AUDIT_READ,
		"CAP_AUDIT_WRITE":        1 << unix.CAP_AUDIT_WRITE,
		"CAP_BLOCK_SUSPEND":      1 << unix.CAP_BLOCK_SUSPEND,
		"CAP_BPF":                1 << unix.CAP_BPF,
		"CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE,
		"CAP_CHOWN":              1 << unix.CAP_CHOWN,
		"CAP_DAC_OVERRIDE":       1 << unix.CAP_DAC_OVERRIDE,
		"CAP_DAC_READ_SEARCH":    1 << unix.CAP_DAC_READ_SEARCH,
		"CAP_FOWNER":             1 << unix.CAP_FOWNER,
		"CAP_FSETID":             1 << unix.CAP_FSETID,
		"CAP_IPC_LOCK":           1 << unix.CAP_IPC_LOCK,
		"CAP_IPC_OWNER":          1 << unix.CAP_IPC_OWNER,
		"CAP_KILL":               1 << unix.CAP_KILL,
		"CAP_LAST_CAP":           1 << unix.CAP_LAST_CAP,
		"CAP_LEASE":              1 << unix.CAP_LEASE,
		"CAP_LINUX_IMMUTABLE":    1 << unix.CAP_LINUX_IMMUTABLE,
		"CAP_MAC_ADMIN":          1 << unix.CAP_MAC_ADMIN,
		"CAP_MAC_OVERRIDE":       1 << unix.CAP_MAC_OVERRIDE,
		"CAP_MKNOD":              1 << unix.CAP_MKNOD,
		"CAP_NET_ADMIN":          1 << unix.CAP_NET_ADMIN,
		"CAP_NET_BIND_SERVICE":   1 << unix.CAP_NET_BIND_SERVICE,
		"CAP_NET_BROADCAST":      1 << unix.CAP_NET_BROADCAST,
		"CAP_NET_RAW":            1 << unix.CAP_NET_RAW,
		"CAP_PERFMON":            1 << unix.CAP_PERFMON,
		"CAP_SETFCAP":            1 << unix.CAP_SETFCAP,
		"CAP_SETGID":             1 << unix.CAP_SETGID,
		"CAP_SETPCAP":            1 << unix.CAP_SETPCAP,
		"CAP_SETUID":             1 << unix.CAP_SETUID,
		"CAP_SYSLOG":             1 << unix.CAP_SYSLOG,
		"CAP_SYS_ADMIN":          1 << unix.CAP_SYS_ADMIN,
		"CAP_SYS_BOOT":           1 << unix.CAP_SYS_BOOT,
		"CAP_SYS_CHROOT":         1 << unix.CAP_SYS_CHROOT,
		"CAP_SYS_MODULE":         1 << unix.CAP_SYS_MODULE,
		"CAP_SYS_NICE":           1 << unix.CAP_SYS_NICE,
		"CAP_SYS_PACCT":          1 << unix.CAP_SYS_PACCT,
		"CAP_SYS_PTRACE":         1 << unix.CAP_SYS_PTRACE,
		"CAP_SYS_RAWIO":          1 << unix.CAP_SYS_RAWIO,
		"CAP_SYS_RESOURCE":       1 << unix.CAP_SYS_RESOURCE,
		"CAP_SYS_TIME":           1 << unix.CAP_SYS_TIME,
		"CAP_SYS_TTY_CONFIG":     1 << unix.CAP_SYS_TTY_CONFIG,
		"CAP_WAKE_ALARM":         1 << unix.CAP_WAKE_ALARM,
	}

	// SECLConstants are constants available in runtime security agent rules
	SECLConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}
)
View Source 
var (
	// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
	ErrNotEnoughData = errors.New("not enough data")

	// ErrStringArrayOverflow returned when there is a string array overflow
	ErrStringArrayOverflow = errors.New("string array overflow")

	// ErrNonPrintable returned when a string contains non printable char
	ErrNonPrintable = errors.New("non printable")
)
View Source 
var ByteOrder binary.ByteOrder

ByteOrder holds the hosts byte order

View Source 
var SECLLegacyAttributes = map[eval.Field]eval.Field{

	"chmod.filename":       "chmod.file.path",
	"chmod.container_path": "chmod.file.container_path",
	"chmod.basename":       "chmod.file.name",
	"chmod.mode":           "chmod.file.destination.mode",

	"chown.filename":       "chown.file.path",
	"chown.container_path": "chown.file.container_path",
	"chown.basename":       "chown.file.name",
	"chown.uid":            "chown.file.destination.uid",
	"chown.user":           "chown.file.destination.user",
	"chown.gid":            "chown.file.destination.gid",
	"chown.group":          "chown.file.destination.group",

	"open.filename":       "open.file.path",
	"open.container_path": "open.file.container_path",
	"open.basename":       "open.file.name",
	"open.mode":           "open.file.destination.mode",

	"mkdir.filename":       "mkdir.file.path",
	"mkdir.container_path": "mkdir.file.container_path",
	"mkdir.basename":       "mkdir.file.name",
	"mkdir.mode":           "mkdir.file.destination.mode",

	"rmdir.filename":       "rmdir.file.path",
	"rmdir.container_path": "rmdir.file.container_path",
	"rmdir.basename":       "rmdir.file.name",

	"rename.old.filename":       "rename.file.path",
	"rename.old.container_path": "rename.file.container_path",
	"rename.old.basename":       "rename.file.name",
	"rename.new.filename":       "rename.file.destination.path",
	"rename.new.container_path": "rename.file.destination.container_path",
	"rename.new.basename":       "rename.file.destination.name",

	"unlink.filename":       "unlink.file.path",
	"unlink.container_path": "unlink.file.container_path",
	"unlink.basename":       "unlink.file.name",

	"utimes.filename":       "utimes.file.path",
	"utimes.container_path": "utimes.file.container_path",
	"utimes.basename":       "utimes.file.name",

	"link.source.filename":       "link.file.path",
	"link.source.container_path": "link.file.container_path",
	"link.source.basename":       "link.file.name",
	"link.target.filename":       "link.file.destination.path",
	"link.target.container_path": "link.file.destination.container_path",
	"link.target.basename":       "link.file.destination.name",

	"setxattr.filename":       "setxattr.file.path",
	"setxattr.container_path": "setxattr.file.container_path",
	"setxattr.basename":       "setxattr.file.name",
	"setxattr.namespace":      "setxattr.file.destination.namespace",
	"setxattr.name":           "setxattr.file.destination.name",

	"removexattr.filename":       "removexattr.file.path",
	"removexattr.container_path": "removexattr.file.container_path",
	"removexattr.basename":       "removexattr.file.name",
	"removexattr.namespace":      "removexattr.file.destination.namespace",
	"removexattr.name":           "removexattr.file.destination.name",

	"exec.filename":         "exec.file.path",
	"exec.container_path":   "exec.file.container_path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":                 "process.file.path",
	"process.container_path":           "process.file.container_path",
	"process.basename":                 "process.file.name",
	"process.name":                     "process.comm",
	"process.ancestors.filename":       "process.ancestors.file.path",
	"process.ancestors.container_path": "process.ancestors.file.container_path",
	"process.ancestors.basename":       "process.ancestors.file.name",
	"process.ancestors.name":           "process.ancestors.comm",
}

SECLLegacyAttributes contains the list of the legacy attributes we need to support

Functions

func GetEventTypePerCategory 

func GetEventTypePerCategory() map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func GetHostByteOrder 

func GetHostByteOrder() binary.ByteOrder

GetHostByteOrder guesses the hosts byte order

func IsAlphaNumeric 

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable 

func IsPrintable(s string) bool

IsPrintable returns whether the string does contain only unicode printable

func IsPrintableASCII 

func IsPrintableASCII(s string) bool

IsPrintableASCII returns whether the string does contain only ASCII char

func SliceToArray 

func SliceToArray(src []byte, dst unsafe.Pointer)

SliceToArray copy src bytes to dst. Destination should have enough space

func UnmarshalBinary 

func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)

UnmarshalBinary calls a series of BinaryUnmarshaler

func UnmarshalString 

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshal string

func UnmarshalStringArray 

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extract array of string for array of byte

Types

type ArgsEntry 

type ArgsEntry struct {
	*ArgsEnvsCacheEntry

	Values    []string
	Truncated bool
	// contains filtered or unexported fields
}

ArgsEntry defines a args cache entry

func (*ArgsEntry) ToArray 

func (p *ArgsEntry) ToArray() ([]string, bool)

ToArray returns args as array

type ArgsEnvs 

type ArgsEnvs struct {
	ID        uint32
	Size      uint32
	ValuesRaw [256]byte
}

ArgsEnvs raw value for args and envs

type ArgsEnvsCacheEntry 

type ArgsEnvsCacheEntry struct {
	ArgsEnvs
	// contains filtered or unexported fields
}

ArgsEnvsCacheEntry defines a args/envs base entry

func NewArgsEnvsCacheEntry 

func NewArgsEnvsCacheEntry(onRelease func(_ *ArgsEnvsCacheEntry)) *ArgsEnvsCacheEntry

NewArgsEnvsCacheEntry returns a new args/env cache entry

func (*ArgsEnvsCacheEntry) Append 

func (p *ArgsEnvsCacheEntry) Append(entry *ArgsEnvsCacheEntry)

Append an entry to the list

func (*ArgsEnvsCacheEntry) Release 

func (p *ArgsEnvsCacheEntry) Release()

Release decrement and eventually release the entry

func (*ArgsEnvsCacheEntry) Retain 

func (p *ArgsEnvsCacheEntry) Retain()

Retain increment ref counter

type ArgsEnvsEvent 

type ArgsEnvsEvent struct {
	ArgsEnvs
}

ArgsEnvsEvent defines a args/envs event

func (*ArgsEnvsEvent) UnmarshalBinary 

func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type BinaryUnmarshaler 

type BinaryUnmarshaler interface {
	UnmarshalBinary(data []byte) (int, error)
}

BinaryUnmarshaler interface implemented by every event type

type CapsetEvent 

type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"`
	CapPermitted uint64 `field:"cap_permitted"`
}

CapsetEvent represents a capset event

func (*CapsetEvent) UnmarshalBinary 

func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ChmodEvent 

type ChmodEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode" field:"file.destination.rights"`
}

ChmodEvent represents a chmod event

func (*ChmodEvent) UnmarshalBinary 

func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ChmodMode 

type ChmodMode int

ChmodMode represent a chmod mode bitmask value

func (ChmodMode) String 

func (m ChmodMode) String() string

type ChownEvent 

type ChownEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	UID   uint32    `field:"file.destination.uid"`
	User  string    `field:"file.destination.user,ResolveChownUID"`
	GID   uint32    `field:"file.destination.gid"`
	Group string    `field:"file.destination.group,ResolveChownGID"`
}

ChownEvent represents a chown event

func (*ChownEvent) UnmarshalBinary 

func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ContainerContext 

type ContainerContext struct {
	ID   string   `field:"id,ResolveContainerID"`
	Tags []string `field:"tags,ResolveContainerTags:9999"`
}

ContainerContext holds the container context of an event

func (*ContainerContext) UnmarshalBinary 

func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type Credentials 

type Credentials struct {
	UID   uint32 `field:"uid"`
	GID   uint32 `field:"gid"`
	User  string `field:"user"`
	Group string `field:"group"`

	EUID   uint32 `field:"euid"`
	EGID   uint32 `field:"egid"`
	EUser  string `field:"euser"`
	EGroup string `field:"egroup"`

	FSUID   uint32 `field:"fsuid"`
	FSGID   uint32 `field:"fsgid"`
	FSUser  string `field:"fsuser"`
	FSGroup string `field:"fsgroup"`

	CapEffective uint64 `field:"cap_effective"`
	CapPermitted uint64 `field:"cap_permitted"`
}

Credentials represents the kernel credentials of a process

func (*Credentials) UnmarshalBinary 

func (e *Credentials) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type EnvsEntry 

type EnvsEntry struct {
	*ArgsEnvsCacheEntry

	Values    map[string]string
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines a args cache entry

func (*EnvsEntry) Get 

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

func (*EnvsEntry) ToMap 

func (p *EnvsEntry) ToMap() (map[string]string, bool)

ToMap returns envs as map

type Event 

type Event struct {
	ID           string    `field:"-"`
	Type         uint64    `field:"-"`
	TimestampRaw uint64    `field:"-"`
	Timestamp    time.Time `field:"timestamp"`

	ProcessContext   ProcessContext   `field:"process" event:"*"`
	ContainerContext ContainerContext `field:"container"`

	Chmod       ChmodEvent    `field:"chmod" event:"chmod"`
	Chown       ChownEvent    `field:"chown" event:"chown"`
	Open        OpenEvent     `field:"open" event:"open"`
	Mkdir       MkdirEvent    `field:"mkdir" event:"mkdir"`
	Rmdir       RmdirEvent    `field:"rmdir" event:"rmdir"`
	Rename      RenameEvent   `field:"rename" event:"rename"`
	Unlink      UnlinkEvent   `field:"unlink" event:"unlink"`
	Utimes      UtimesEvent   `field:"utimes" event:"utimes"`
	Link        LinkEvent     `field:"link" event:"link"`
	SetXAttr    SetXAttrEvent `field:"setxattr" event:"setxattr"`
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"`
	Exec        ExecEvent     `field:"exec" event:"exec"`

	SetUID SetuidEvent `field:"setuid" event:"setuid"`
	SetGID SetgidEvent `field:"setgid" event:"setgid"`
	Capset CapsetEvent `field:"capset" event:"capset"`

	Mount            MountEvent            `field:"-"`
	Umount           UmountEvent           `field:"-"`
	InvalidateDentry InvalidateDentryEvent `field:"-"`
	ArgsEnvs         ArgsEnvsEvent         `field:"-"`
	MountReleased    MountReleasedEvent    `field:"-"`
}

Event represents an event sent from the kernel genaccessors

func (*Event) GetEventType 

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetFieldEventType 

func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)

func (*Event) GetFieldType 

func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)

func (*Event) GetFieldValue 

func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields 

func (e *Event) GetFields() []eval.Field

func (*Event) GetPointer 

func (e *Event) GetPointer() unsafe.Pointer

GetPointer return an unsafe.Pointer of the Event

func (*Event) GetTags 

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetType 

func (e *Event) GetType() string

GetType returns the event type

func (*Event) SetFieldValue 

func (e *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) UnmarshalBinary 

func (e *Event) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type EventCategory 

type EventCategory = string

EventCategory category type 

const (
	// FIMCategory FIM events
	FIMCategory EventCategory = "fim"
	// RuntimeCategory Process events
	RuntimeCategory EventCategory = "runtime"
)

Event categories

func GetEventTypeCategory 

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

type EventType 

type EventType uint64

EventType describes the type of an event sent from the kernel 

const (
	// UnknownEventType unknow event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimeEventType Utime event
	FileUtimeEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// MaxEventType is used internally to get the maximum number of kernel events.
	MaxEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileRemoveXAttrEventType

	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	CustomLostReadEventType EventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process
	CustomNoisyProcessEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
)

func ParseEvalEventType 

func ParseEvalEventType(eventType eval.EventType) EventType

ParseEvalEventType convert a eval.EventType (string) to its uint64 representation the current algorithm is not efficient but allows us to reduce the number of conversion functions

func (EventType) String 

func (t EventType) String() string

type ExecEvent 

type ExecEvent struct {
	Process

	// defined to generate accessors
	Args          string   `field:"args,ResolveExecArgs"`
	Argv          []string `field:"argv,ResolveExecArgv" field:"args_flags,ResolveExecArgsFlags" field:"args_options,ResolveExecArgsOptions"`
	ArgsTruncated bool     `field:"args_truncated,ResolveExecArgsTruncated"`
	Envs          []string `field:"envs,ResolveExecEnvs"`
	EnvsTruncated bool     `field:"envs_truncated,ResolveExecEnvsTruncated"`
}

ExecEvent represents a exec event

func (*ExecEvent) UnmarshalBinary 

func (e *ExecEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type FileEvent 

type FileEvent struct {
	FileFields
	PathnameStr   string `field:"path,ResolveFilePath"`
	ContainerPath string `field:"container_path,ResolveFileContainerPath"`
	BasenameStr   string `field:"name,ResolveFileBasename"`
	Filesytem     string `field:"filesystem,ResolveFileFilesystem"`

	PathResolutionError error `field:"-"`
}

FileEvent is the common file event type

func (*FileEvent) GetPathResolutionError 

func (e *FileEvent) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*FileEvent) UnmarshalBinary 

func (e *FileEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type FileFields 

type FileFields struct {
	UID   uint32    `field:"uid"`
	User  string    `field:"user,ResolveFileFieldsUser"`
	GID   uint32    `field:"gid"`
	Group string    `field:"group,ResolveFileFieldsGroup"`
	Mode  uint16    `field:"mode" field:"rights,ResolveRights"`
	CTime time.Time `field:"-"`
	MTime time.Time `field:"-"`

	MountID      uint32 `field:"mount_id"`
	Inode        uint64 `field:"inode"`
	PathID       uint32 `field:"-"`
	Flags        int32  `field:"-"`
	InUpperLayer bool   `field:"in_upper_layer,ResolveFileFieldsInUpperLayer"`
}

FileFields holds the information required to identify a file

func (*FileFields) GetInLowerLayer 

func (f *FileFields) GetInLowerLayer() bool

GetInLowerLayer returns whether a file is in a lower layer

func (*FileFields) GetInUpperLayer 

func (f *FileFields) GetInUpperLayer() bool

GetInUpperLayer returns whether a file is in the upper layer

func (*FileFields) UnmarshalBinary 

func (e *FileFields) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type InvalidateDentryEvent 

type InvalidateDentryEvent struct {
	Inode             uint64
	MountID           uint32
	DiscarderRevision uint32
}

InvalidateDentryEvent defines a invalidate dentry event

func (*InvalidateDentryEvent) UnmarshalBinary 

func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type KernelCapability 

type KernelCapability uint64

KernelCapability represents a kernel capability bitmask value

func (KernelCapability) String 

func (kc KernelCapability) String() string

func (KernelCapability) StringArray 

func (kc KernelCapability) StringArray() []string

StringArray returns the kernel capabilities as an array of strings

type LinkEvent 

type LinkEvent struct {
	SyscallEvent
	Source FileEvent `field:"file"`
	Target FileEvent `field:"file.destination"`
}

LinkEvent represents a link event

func (*LinkEvent) UnmarshalBinary 

func (e *LinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MkdirEvent 

type MkdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode" field:"file.destination.rights"`
}

MkdirEvent represents a mkdir event

func (*MkdirEvent) UnmarshalBinary 

func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type Model 

type Model struct{}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator 

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes 

func (m *Model) GetEventTypes() []eval.EventType

func (*Model) GetIterator 

func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)

func (*Model) NewEvent 

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) ValidateField 

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type MountEvent 

type MountEvent struct {
	SyscallEvent
	MountID                       uint32
	GroupID                       uint32
	Device                        uint32
	ParentMountID                 uint32
	ParentInode                   uint64
	FSType                        string
	MountPointStr                 string
	MountPointPathResolutionError error
	RootMountID                   uint32
	RootInode                     uint64
	RootStr                       string
	RootPathResolutionError       error

	FSTypeRaw [16]byte
}

MountEvent represents a mount event

func (*MountEvent) GetFSType 

func (m *MountEvent) GetFSType() string

GetFSType returns the filesystem type of the mountpoint

func (*MountEvent) GetMountPointPathResolutionError 

func (m *MountEvent) GetMountPointPathResolutionError() string

GetMountPointPathResolutionError returns the mount point path resolution error as a string if there is one

func (*MountEvent) GetRootPathResolutionError 

func (m *MountEvent) GetRootPathResolutionError() string

GetRootPathResolutionError returns the root path resolution error as a string if there is one

func (*MountEvent) IsOverlayFS 

func (m *MountEvent) IsOverlayFS() bool

IsOverlayFS returns whether it is an overlay fs

func (*MountEvent) UnmarshalBinary 

func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MountReleasedEvent 

type MountReleasedEvent struct {
	MountID           uint32
	DiscarderRevision uint32
}

MountReleasedEvent defines a mount released event

func (*MountReleasedEvent) UnmarshalBinary 

func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type OpenEvent 

type OpenEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"`
	Mode  uint32    `field:"file.destination.mode"`
}

OpenEvent represents an open event

func (*OpenEvent) UnmarshalBinary 

func (e *OpenEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type OpenFlags 

type OpenFlags int

OpenFlags represents an open flags bitmask value

func (OpenFlags) String 

func (f OpenFlags) String() string

func (OpenFlags) StringArray 

func (f OpenFlags) StringArray() []string

StringArray returns the open flags as an array of strings

type Process 

type Process struct {
	// proc_cache_t
	FileFields FileFields `field:"file"`

	Pid uint32 `field:"pid"`
	Tid uint32 `field:"tid"`

	PathnameStr         string `field:"file.path"`
	ContainerPath       string `field:"file.container_path"`
	BasenameStr         string `field:"file.name"`
	Filesystem          string `field:"file.filesystem"`
	PathResolutionError error  `field:"-"`

	ContainerID string `field:"container.id"`

	TTYName string `field:"tty_name"`
	Comm    string `field:"comm"`

	// pid_cache_t
	ForkTime time.Time `field:"-"`
	ExitTime time.Time `field:"-"`
	ExecTime time.Time `field:"-"`

	CreatedAt uint64 `field:"created_at,ResolveProcessCreatedAt"`

	Cookie uint32 `field:"cookie"`
	PPid   uint32 `field:"ppid"`

	// credentials_t section of pid_cache_t
	Credentials

	ArgsID uint32 `field:"-"`
	EnvsID uint32 `field:"-"`

	ArgsEntry     *ArgsEntry `field:"-"`
	EnvsEntry     *EnvsEntry `field:"-"`
	EnvsTruncated bool       `field:"-"`
	ArgsTruncated bool       `field:"-"`
}

Process represents a process

func (*Process) GetPathResolutionError 

func (e *Process) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*Process) UnmarshalBinary 

func (e *Process) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ProcessAncestorsIterator 

type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) Front 

func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) unsafe.Pointer

Front returns the first element

func (*ProcessAncestorsIterator) Next 

func (it *ProcessAncestorsIterator) Next() unsafe.Pointer

Next returns the next element

type ProcessCacheEntry 

type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry this struct holds process context kept in the process tree

func NewProcessCacheEntry 

func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) Exec 

func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)

Exec replace a process

func (*ProcessCacheEntry) Exit 

func (pc *ProcessCacheEntry) Exit(exitTime time.Time)

Exit a process

func (*ProcessCacheEntry) Fork 

func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)

Fork returns a copy of the current ProcessCacheEntry

func (*ProcessCacheEntry) Release 

func (e *ProcessCacheEntry) Release()

Release decrement and eventually release the entry

func (*ProcessCacheEntry) Reset 

func (e *ProcessCacheEntry) Reset()

Reset the entry

func (*ProcessCacheEntry) Retain 

func (e *ProcessCacheEntry) Retain()

Retain increment ref counter

func (*ProcessCacheEntry) SetAncestor 

func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)

SetAncestor set the ancestor

type ProcessContext 

type ProcessContext struct {
	Process

	Ancestor *ProcessCacheEntry `field:"ancestors,,ProcessAncestorsIterator"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) UnmarshalBinary 

func (p *ProcessContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type RenameEvent 

type RenameEvent struct {
	SyscallEvent
	Old               FileEvent `field:"file"`
	New               FileEvent `field:"file.destination"`
	DiscarderRevision uint32    `field:"-"`
}

RenameEvent represents a rename event

func (*RenameEvent) UnmarshalBinary 

func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type RetValError 

type RetValError int

RetValError represents a syscall return error value

func (RetValError) String 

func (f RetValError) String() string

type RmdirEvent 

type RmdirEvent struct {
	SyscallEvent
	File              FileEvent `field:"file"`
	DiscarderRevision uint32    `field:"-"`
}

RmdirEvent represents a rmdir event

func (*RmdirEvent) UnmarshalBinary 

func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SetXAttrEvent 

type SetXAttrEvent struct {
	SyscallEvent
	File      FileEvent `field:"file"`
	Namespace string    `field:"file.destination.namespace,ResolveXAttrNamespace"`
	Name      string    `field:"file.destination.name,ResolveXAttrName"`

	NameRaw [200]byte
}

SetXAttrEvent represents an extended attributes event

func (*SetXAttrEvent) UnmarshalBinary 

func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SetgidEvent 

type SetgidEvent struct {
	GID     uint32 `field:"gid"`
	Group   string `field:"group,ResolveSetgidGroup"`
	EGID    uint32 `field:"egid"`
	EGroup  string `field:"egroup,ResolveSetgidEGroup"`
	FSGID   uint32 `field:"fsgid"`
	FSGroup string `field:"fsgroup,ResolveSetgidFSGroup"`
}

SetgidEvent represents a setgid event

func (*SetgidEvent) UnmarshalBinary 

func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SetuidEvent 

type SetuidEvent struct {
	UID    uint32 `field:"uid"`
	User   string `field:"user,ResolveSetuidUser"`
	EUID   uint32 `field:"euid"`
	EUser  string `field:"euser,ResolveSetuidEUser"`
	FSUID  uint32 `field:"fsuid"`
	FSUser string `field:"fsuser,ResolveSetuidFSUser"`
}

SetuidEvent represents a setuid event

func (*SetuidEvent) UnmarshalBinary 

func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SyscallEvent 

type SyscallEvent struct {
	Retval int64 `field:"retval"`
}

SyscallEvent contains common fields for all the event

func (*SyscallEvent) UnmarshalBinary 

func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UmountEvent 

type UmountEvent struct {
	SyscallEvent
	MountID uint32
}

UmountEvent represents an umount event

func (*UmountEvent) UnmarshalBinary 

func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UnlinkEvent 

type UnlinkEvent struct {
	SyscallEvent
	File              FileEvent `field:"file"`
	Flags             uint32    `field:"-"`
	DiscarderRevision uint32    `field:"-"`
}

UnlinkEvent represents an unlink event

func (*UnlinkEvent) UnmarshalBinary 

func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UnlinkFlags 

type UnlinkFlags int

UnlinkFlags represents an unlink flags bitmask value

func (UnlinkFlags) String 

func (f UnlinkFlags) String() string

func (UnlinkFlags) StringArray 

func (f UnlinkFlags) StringArray() []string

StringArray returns the unlink flags as an array of strings

type UtimesEvent 

type UtimesEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Atime time.Time `field:"-"`
	Mtime time.Time `field:"-"`
}

UtimesEvent represents a utime event

func (*UtimesEvent) UnmarshalBinary 

func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.