procmon

package
Published: Dec 18, 2020 License: GPL-3.0 Imports: 16 Imported by: 0

Documentation


Constants

const (
	MethodFtrace = "ftrace"
	MethodProc   = "proc"
	MethodAudit  = "audit"
)

Supported monitor method types.

Variables

This section is empty.

Functions

func End

func End()

End stops parsing new connections.

func GetPIDFromINode

func GetPIDFromINode(inode int, inodeKey string) int

GetPIDFromINode tries to get the PID from a socket inode following these steps:

1. Get the PID from the cache of inodes.
2. Get the PID from the cache of PIDs.
3. Look for the PID using one of these methods:

  • ftrace: listening for process execs/exits from /sys/kernel/debug/tracing/
  • audit: listening for socket creation from auditd.
  • proc: searching /proc

If the PID is not found by one of the first two methods, it'll try to find it using /proc.
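The cache-then-/proc lookup described above, written out as an added example in Go; this is not the package's own code. It assumes the /proc layout the proc method relies on (each entry under /proc/<pid>/fd is a symlink whose target reads socket:[inode] for a socket) and takes the /proc root as a parameter so the walk can be exercised against a constructed directory tree. The names findPIDByInodeInProc, socketInodeFromLink, inodeKey and resolvePID are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// socketInodeFromLink extracts the inode from a /proc/<pid>/fd symlink
// target of the form "socket:[12345]". It returns 0 when the descriptor
// is not a socket (pipes, files and anon inodes use other prefixes).
func socketInodeFromLink(target string) int {
	const prefix = "socket:["
	if !strings.HasPrefix(target, prefix) || !strings.HasSuffix(target, "]") {
		return 0
	}
	n, err := strconv.Atoi(target[len(prefix) : len(target)-1])
	if err != nil || n <= 0 {
		return 0
	}
	return n
}

// findPIDByInodeInProc walks <procRoot>/<pid>/fd/* and returns the first PID
// owning a descriptor whose link target names the given socket inode, together
// with the path of that descriptor. procRoot is "/proc" on a live system; it is
// a parameter (assumption for this example) so a constructed tree can be used.
// It returns -1 and "" when no process owns the inode.
func findPIDByInodeInProc(procRoot string, inode int) (int, string) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return -1, ""
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // not a <pid> directory (e.g. "self", "sys", "net")
		}
		fdDir := filepath.Join(procRoot, e.Name(), "fd")
		fds, err := os.ReadDir(fdDir)
		if err != nil {
			continue // process already exited, or fd dir not readable without privileges
		}
		for _, fd := range fds {
			fdPath := filepath.Join(fdDir, fd.Name())
			target, err := os.Readlink(fdPath)
			if err != nil {
				continue // descriptor closed between ReadDir and Readlink
			}
			if socketInodeFromLink(target) == inode {
				return pid, fdPath
			}
		}
	}
	return -1, ""
}

// inodeKey builds a cache key in the form the package documents for the
// InodesCache: inode+srcip+srcport+dstip+dstport.
func inodeKey(inode int, srcIP string, srcPort int, dstIP string, dstPort int) string {
	return fmt.Sprintf("%d%s%d%s%d", inode, srcIP, srcPort, dstIP, dstPort)
}

// resolvePID follows the documented order: consult the inode cache first and
// fall back to scanning /proc, caching a hit so the next lookup for the same
// connection does not touch the filesystem. Returns -1 when nothing matches.
func resolvePID(cache map[string]int, key string, inode int, procRoot string) int {
	if pid, ok := cache[key]; ok {
		return pid
	}
	pid, _ := findPIDByInodeInProc(procRoot, inode)
	if pid != -1 {
		cache[key] = pid
	}
	return pid
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: procmon-example <socket-inode>")
		os.Exit(2)
	}
	inode, err := strconv.Atoi(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "inode must be a number")
		os.Exit(2)
	}
	pid, fdPath := findPIDByInodeInProc("/proc", inode)
	if pid == -1 {
		fmt.Printf("no process owns socket inode %d (already closed, or run as root)\n", inode)
		return
	}
	fmt.Printf("socket inode %d belongs to pid %d via %s\n", inode, pid, fdPath)
}
```

On a live system the inode for a connection comes from /proc/net/tcp or /proc/net/udp; reading other users' fd directories requires root. The /proc walk is inherently racy for short-lived processes, which is why the package prefers the ftrace and audit methods and keeps /proc as the fallback.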

func Init

func Init()

Init starts parsing connections using the method specified.

func IsWatcherAvailable

func IsWatcherAvailable() bool

IsWatcherAvailable checks if ftrace (debugfs) is

func SetMonitorMethod

func SetMonitorMethod(newMonitorMethod string)

SetMonitorMethod configures a new method for parsing connections.

func Start

func Start() (err error)

Start enables the ftrace monitor method. This method configures a kprobe to intercept execve() syscalls. The kernel must have configured and enabled debugfs.

func Stop

func Stop() error

Stop disables the ftrace monitor method, removing the configured kprobe.

Types

type Inode

type Inode struct {
	Pid    int
	FdPath string
}

Inode represents an item of the InodesCache. The key is formed as follows: inode+srcip+srcport+dstip+dstport

type ProcEntry

type ProcEntry struct {
	Pid         int
	FdPath      string
	Descriptors []string
	Time        time.Time
}

ProcEntry represents an item of the pidsCache.

type Process

type Process struct {
	ID          int
	Path        string
	Args        []string
	Env         map[string]string
	CWD         string
	Descriptors []*procDescriptors
	IOStats     *procIOstats
	Status      string
	Stat        string
	Statm       *procStatm
	Stack       string
	Maps        string
}

Process holds the details of a process.

func FindProcess

func FindProcess(pid int, interceptUnknown bool) *Process

FindProcess checks if a process exists given a PID. If it exists in /proc, a new Process{} object is returned with the details needed to identify the process (cmdline, name, environment variables, etc.).

func NewProcess

func NewProcess(pid int, path string) *Process

NewProcess returns a new Process structure.

func (*Process) GetInfo

func (p *Process) GetInfo() error

GetInfo collects information of a process.

Directories

Path Synopsis
Package audit reads auditd events from the builtin af_unix plugin, and parses the messages in order to proactively monitor pids which make connections.
