Documentation ¶
Index ¶
- Constants
- Variables
- func GetEventTypePerCategory() map[EventCategory][]eval.EventType
- func GetHostByteOrder() binary.ByteOrder
- func IsAlphaNumeric(r rune) bool
- func IsPrintable(s string) bool
- func SliceToArray(src []byte, dst unsafe.Pointer)
- func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)
- func UnmarshalStringArray(data []byte) ([]string, error)
- type ArgsEnvsEvent
- type BinaryUnmarshaler
- type CapsetEvent
- type ChmodEvent
- type ChmodMode
- type ChownEvent
- type ContainerContext
- type Credentials
- type Event
- func (e *Event) GetEventType() EventType
- func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
- func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
- func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)
- func (e *Event) GetFields() []eval.Field
- func (e *Event) GetPointer() unsafe.Pointer
- func (e *Event) GetTags() []string
- func (e *Event) GetType() string
- func (e *Event) SetFieldValue(field eval.Field, value interface{}) error
- func (e *Event) UnmarshalBinary(data []byte) (int, error)
- type EventCategory
- type EventType
- type ExecEvent
- type FileEvent
- type FileFields
- type InvalidateDentryEvent
- type KernelCapability
- type LinkEvent
- type MkdirEvent
- type Model
- func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)
- func (m *Model) GetEventTypes() []eval.EventType
- func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)
- func (m *Model) NewEvent() eval.Event
- func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error
- type MountEvent
- type MountReleasedEvent
- type OpenEvent
- type OpenFlags
- type Process
- type ProcessAncestorsIterator
- type ProcessCacheEntry
- func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)
- func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
- func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)
- func (pc *ProcessCacheEntry) String() string
- func (pc *ProcessCacheEntry) UnmarshalBinary(data []byte, unmarshalContext bool) (int, error)
- type ProcessContext
- type RenameEvent
- type RetValError
- type RmdirEvent
- type SetXAttrEvent
- type SetgidEvent
- type SetuidEvent
- type SyscallEvent
- type UmountEvent
- type UnlinkEvent
- type UnlinkFlags
- type UtimesEvent
Constants ¶
const ( LowerLayer = 1 << iota UpperLayer )
File flags
const MaxPathDepth = 15
MaxPathDepth defines the maximum depth of a path
const MaxSegmentLength = 127
MaxSegmentLength defines the maximum length of each segment of a path
Variables ¶
var ( // KernelCapabilityConstants list of kernel capabilities KernelCapabilityConstants = map[string]int{ "CAP_AUDIT_CONTROL": 1 << unix.CAP_AUDIT_CONTROL, "CAP_AUDIT_READ": 1 << unix.CAP_AUDIT_READ, "CAP_AUDIT_WRITE": 1 << unix.CAP_AUDIT_WRITE, "CAP_BLOCK_SUSPEND": 1 << unix.CAP_BLOCK_SUSPEND, "CAP_BPF": 1 << unix.CAP_BPF, "CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE, "CAP_CHOWN": 1 << unix.CAP_CHOWN, "CAP_DAC_OVERRIDE": 1 << unix.CAP_DAC_OVERRIDE, "CAP_DAC_READ_SEARCH": 1 << unix.CAP_DAC_READ_SEARCH, "CAP_FOWNER": 1 << unix.CAP_FOWNER, "CAP_FSETID": 1 << unix.CAP_FSETID, "CAP_IPC_LOCK": 1 << unix.CAP_IPC_LOCK, "CAP_IPC_OWNER": 1 << unix.CAP_IPC_OWNER, "CAP_KILL": 1 << unix.CAP_KILL, "CAP_LAST_CAP": 1 << unix.CAP_LAST_CAP, "CAP_LEASE": 1 << unix.CAP_LEASE, "CAP_LINUX_IMMUTABLE": 1 << unix.CAP_LINUX_IMMUTABLE, "CAP_MAC_ADMIN": 1 << unix.CAP_MAC_ADMIN, "CAP_MAC_OVERRIDE": 1 << unix.CAP_MAC_OVERRIDE, "CAP_MKNOD": 1 << unix.CAP_MKNOD, "CAP_NET_ADMIN": 1 << unix.CAP_NET_ADMIN, "CAP_NET_BIND_SERVICE": 1 << unix.CAP_NET_BIND_SERVICE, "CAP_NET_BROADCAST": 1 << unix.CAP_NET_BROADCAST, "CAP_NET_RAW": 1 << unix.CAP_NET_RAW, "CAP_PERFMON": 1 << unix.CAP_PERFMON, "CAP_SETFCAP": 1 << unix.CAP_SETFCAP, "CAP_SETGID": 1 << unix.CAP_SETGID, "CAP_SETPCAP": 1 << unix.CAP_SETPCAP, "CAP_SETUID": 1 << unix.CAP_SETUID, "CAP_SYSLOG": 1 << unix.CAP_SYSLOG, "CAP_SYS_ADMIN": 1 << unix.CAP_SYS_ADMIN, "CAP_SYS_BOOT": 1 << unix.CAP_SYS_BOOT, "CAP_SYS_CHROOT": 1 << unix.CAP_SYS_CHROOT, "CAP_SYS_MODULE": 1 << unix.CAP_SYS_MODULE, "CAP_SYS_NICE": 1 << unix.CAP_SYS_NICE, "CAP_SYS_PACCT": 1 << unix.CAP_SYS_PACCT, "CAP_SYS_PTRACE": 1 << unix.CAP_SYS_PTRACE, "CAP_SYS_RAWIO": 1 << unix.CAP_SYS_RAWIO, "CAP_SYS_RESOURCE": 1 << unix.CAP_SYS_RESOURCE, "CAP_SYS_TIME": 1 << unix.CAP_SYS_TIME, "CAP_SYS_TTY_CONFIG": 1 << unix.CAP_SYS_TTY_CONFIG, "CAP_WAKE_ALARM": 1 << unix.CAP_WAKE_ALARM, } // SECLConstants are constants available in runtime security agent rules SECLConstants = map[string]interface{}{ "true": &eval.BoolEvaluator{Value: true}, "false": &eval.BoolEvaluator{Value: false}, } )
var ByteOrder binary.ByteOrder
ByteOrder holds the hosts byte order
var ErrNotEnoughData = errors.New("not enough data")
ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
var ( // ErrStringArrayOverflow returned when there is a string array overflow ErrStringArrayOverflow = errors.New("string array overflow") )
var SECLLegacyAttributes = map[eval.Field]eval.Field{
"chmod.filename": "chmod.file.path",
"chmod.container_path": "chmod.file.container_path",
"chmod.basename": "chmod.file.name",
"chmod.mode": "chmod.file.destination.mode",
"chown.filename": "chown.file.path",
"chown.container_path": "chown.file.container_path",
"chown.basename": "chown.file.name",
"chown.uid": "chown.file.destination.uid",
"chown.user": "chown.file.destination.user",
"chown.gid": "chown.file.destination.gid",
"chown.group": "chown.file.destination.group",
"open.filename": "open.file.path",
"open.container_path": "open.file.container_path",
"open.basename": "open.file.name",
"open.mode": "open.file.destination.mode",
"mkdir.filename": "mkdir.file.path",
"mkdir.container_path": "mkdir.file.container_path",
"mkdir.basename": "mkdir.file.name",
"mkdir.mode": "mkdir.file.destination.mode",
"rmdir.filename": "rmdir.file.path",
"rmdir.container_path": "rmdir.file.container_path",
"rmdir.basename": "rmdir.file.name",
"rename.old.filename": "rename.file.path",
"rename.old.container_path": "rename.file.container_path",
"rename.old.basename": "rename.file.name",
"rename.new.filename": "rename.file.destination.path",
"rename.new.container_path": "rename.file.destination.container_path",
"rename.new.basename": "rename.file.destination.name",
"unlink.filename": "unlink.file.path",
"unlink.container_path": "unlink.file.container_path",
"unlink.basename": "unlink.file.name",
"utimes.filename": "utimes.file.path",
"utimes.container_path": "utimes.file.container_path",
"utimes.basename": "utimes.file.name",
"link.source.filename": "link.file.path",
"link.source.container_path": "link.file.container_path",
"link.source.basename": "link.file.name",
"link.target.filename": "link.file.destination.path",
"link.target.container_path": "link.file.destination.container_path",
"link.target.basename": "link.file.destination.name",
"setxattr.filename": "setxattr.file.path",
"setxattr.container_path": "setxattr.file.container_path",
"setxattr.basename": "setxattr.file.name",
"setxattr.namespace": "setxattr.file.destination.namespace",
"setxattr.name": "setxattr.file.destination.name",
"removexattr.filename": "removexattr.file.path",
"removexattr.container_path": "removexattr.file.container_path",
"removexattr.basename": "removexattr.file.name",
"removexattr.namespace": "removexattr.file.destination.namespace",
"removexattr.name": "removexattr.file.destination.name",
"exec.filename": "exec.file.path",
"exec.container_path": "exec.file.container_path",
"exec.overlay_numlower": "exec.file.overlay_numlower",
"exec.basename": "exec.file.name",
"exec.name": "exec.comm",
"process.filename": "process.file.path",
"process.container_path": "process.file.container_path",
"process.basename": "process.file.name",
"process.name": "process.comm",
"process.ancestors.filename": "process.ancestors.file.path",
"process.ancestors.container_path": "process.ancestors.file.container_path",
"process.ancestors.basename": "process.ancestors.file.name",
"process.ancestors.name": "process.ancestors.comm",
}
SECLLegacyAttributes contains the list of the legacy attributes we need to support
Functions ¶
func GetEventTypePerCategory ¶
func GetEventTypePerCategory() map[EventCategory][]eval.EventType
GetEventTypePerCategory returns the event types per category
func GetHostByteOrder ¶
GetHostByteOrder guesses the hosts byte order
func IsAlphaNumeric ¶
IsAlphaNumeric returns whether a character is either a digit or a letter
func IsPrintable ¶
IsPrintable returns whether the string does contain only ascii
func SliceToArray ¶
SliceToArray copy src bytes to dst. Destination should have enough space
func UnmarshalBinary ¶
func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)
UnmarshalBinary calls a series of BinaryUnmarshaler
func UnmarshalStringArray ¶
UnmarshalStringArray extract array of string for array of byte
Types ¶
type ArgsEnvsEvent ¶
type ArgsEnvsEvent struct { ID uint32 Size uint32 Values []string ValuesRaw [128]byte IsTruncated bool }
ArgsEnvsEvent defines a args/envs event
func (*ArgsEnvsEvent) UnmarshalBinary ¶
func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type BinaryUnmarshaler ¶
BinaryUnmarshaler interface implemented by every event type
type CapsetEvent ¶
type CapsetEvent struct { CapEffective uint64 `field:"cap_effective"` CapPermitted uint64 `field:"cap_permitted"` }
CapsetEvent represents a capset event
func (*CapsetEvent) UnmarshalBinary ¶
func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type ChmodEvent ¶
type ChmodEvent struct { SyscallEvent File FileEvent `field:"file"` Mode uint32 `field:"file.destination.mode" field:"file.destination.rights"` }
ChmodEvent represents a chmod event
func (*ChmodEvent) UnmarshalBinary ¶
func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type ChownEvent ¶
type ChownEvent struct { SyscallEvent File FileEvent `field:"file"` UID uint32 `field:"file.destination.uid"` User string `field:"file.destination.user,ResolveChownUID"` GID uint32 `field:"file.destination.gid"` Group string `field:"file.destination.group,ResolveChownGID"` }
ChownEvent represents a chown event
func (*ChownEvent) UnmarshalBinary ¶
func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type ContainerContext ¶
type ContainerContext struct {
ID string `field:"id,ResolveContainerID"`
}
ContainerContext holds the container context of an event
func (*ContainerContext) UnmarshalBinary ¶
func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type Credentials ¶
type Credentials struct { UID uint32 `field:"uid,ResolveCredentialsUID"` GID uint32 `field:"gid,ResolveCredentialsGID"` User string `field:"user,ResolveCredentialsUser"` Group string `field:"group,ResolveCredentialsGroup"` EUID uint32 `field:"euid,ResolveCredentialsEUID"` EGID uint32 `field:"egid,ResolveCredentialsEGID"` EUser string `field:"euser,ResolveCredentialsEUser"` EGroup string `field:"egroup,ResolveCredentialsEGroup"` FSUID uint32 `field:"fsuid,ResolveCredentialsFSUID"` FSGID uint32 `field:"fsgid,ResolveCredentialsFSGID"` FSUser string `field:"fsuser,ResolveCredentialsFSUser"` FSGroup string `field:"fsgroup,ResolveCredentialsFSGroup"` CapEffective uint64 `field:"cap_effective,ResolveCredentialsCapEffective"` CapPermitted uint64 `field:"cap_permitted,ResolveCredentialsCapPermitted"` }
Credentials represents the kernel credentials of a process
func (*Credentials) UnmarshalBinary ¶
func (e *Credentials) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type Event ¶
type Event struct { ID string `field:"-"` Type uint64 `field:"-"` TimestampRaw uint64 `field:"-"` Timestamp time.Time `field:"timestamp"` ProcessContext ProcessContext `field:"process" event:"*"` ContainerContext ContainerContext `field:"container"` Chmod ChmodEvent `field:"chmod" event:"chmod"` Chown ChownEvent `field:"chown" event:"chown"` Open OpenEvent `field:"open" event:"open"` Mkdir MkdirEvent `field:"mkdir" event:"mkdir"` Rmdir RmdirEvent `field:"rmdir" event:"rmdir"` Rename RenameEvent `field:"rename" event:"rename"` Unlink UnlinkEvent `field:"unlink" event:"unlink"` Utimes UtimesEvent `field:"utimes" event:"utimes"` Link LinkEvent `field:"link" event:"link"` SetXAttr SetXAttrEvent `field:"setxattr" event:"setxattr"` RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"` Exec ExecEvent `field:"exec" event:"exec"` SetUID SetuidEvent `field:"setuid" event:"setuid"` SetGID SetgidEvent `field:"setgid" event:"setgid"` Capset CapsetEvent `field:"capset" event:"capset"` Mount MountEvent `field:"-"` Umount UmountEvent `field:"-"` InvalidateDentry InvalidateDentryEvent `field:"-"` ArgsEnvs ArgsEnvsEvent `field:"-"` MountReleased MountReleasedEvent `field:"-"` }
Event represents an event sent from the kernel genaccessors
func (*Event) GetEventType ¶
GetEventType returns the event type of the event
func (*Event) GetFieldEventType ¶
func (*Event) GetPointer ¶
GetPointer return an unsafe.Pointer of the Event
func (*Event) SetFieldValue ¶
type EventCategory ¶
type EventCategory = string
EventCategory category type
const ( // FIMCategory FIM events FIMCategory EventCategory = "fim" // RuntimeCategory Process events RuntimeCategory EventCategory = "runtime" )
Event categories
func GetEventTypeCategory ¶
func GetEventTypeCategory(eventType eval.EventType) EventCategory
GetEventTypeCategory returns the category for the given event type
type EventType ¶
type EventType uint64
EventType describes the type of an event sent from the kernel
const ( // UnknownEventType unknow event UnknownEventType EventType = iota // FileOpenEventType File open event FileOpenEventType // FileMkdirEventType Folder creation event FileMkdirEventType // FileLinkEventType Hard link creation event FileLinkEventType // FileRenameEventType File or folder rename event FileRenameEventType // FileUnlinkEventType Unlink event FileUnlinkEventType // FileRmdirEventType Rmdir event FileRmdirEventType // FileChmodEventType Chmod event FileChmodEventType // FileChownEventType Chown event FileChownEventType // FileUtimeEventType Utime event FileUtimeEventType // FileSetXAttrEventType Setxattr event FileSetXAttrEventType // FileRemoveXAttrEventType Removexattr event FileRemoveXAttrEventType // FileMountEventType Mount event FileMountEventType // FileUmountEventType Umount event FileUmountEventType // ForkEventType Fork event ForkEventType // ExecEventType Exec event ExecEventType // ExitEventType Exit event ExitEventType // InvalidateDentryEventType Dentry invalidated event InvalidateDentryEventType // SetuidEventType setuid event SetuidEventType // SetgidEventType setgid event SetgidEventType // CapsetEventType capset event CapsetEventType // ArgsEnvsEventType args and envs event ArgsEnvsEventType // MountReleasedEventType sent when a mount point is released MountReleasedEventType // MaxEventType is used internally to get the maximum number of kernel events. MaxEventType // FirstDiscarderEventType first event that accepts discarders FirstDiscarderEventType = FileOpenEventType // LastDiscarderEventType last event that accepts discarders LastDiscarderEventType = FileRemoveXAttrEventType // CustomLostReadEventType is the custom event used to report lost events detected in user space CustomLostReadEventType EventType = iota // CustomLostWriteEventType is the custom event used to report lost events detected in kernel space CustomLostWriteEventType // CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded CustomRulesetLoadedEventType // CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process CustomNoisyProcessEventType // CustomForkBombEventType is the custom event used to report the detection of a fork bomb CustomForkBombEventType // CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated CustomTruncatedParentsEventType // CustomTruncatedSegmentEventType is the custom event used to report that a segment of a path was truncated CustomTruncatedSegmentEventType )
func ParseEvalEventType ¶
ParseEvalEventType convert a eval.EventType (string) to its uint64 representation the current algorithm is not efficient but allows us to reduce the number of conversion functions
type ExecEvent ¶
type ExecEvent struct { Process Args string `field:"args,ResolveExecArgs"` Argv []string `field:"argv,ResolveExecArgv" field:"args_flags,ResolveExecArgsFlags" field:"args_options,ResolveExecArgsOptions"` ArgsTruncated bool `field:"args_truncated"` Envs []string `field:"envs,ResolveExecEnvs"` EnvsTruncated bool `field:"envs_truncated"` }
ExecEvent represents a exec event
type FileEvent ¶
type FileEvent struct { FileFields PathnameStr string `field:"path,ResolveFileInode"` ContainerPath string `field:"container_path,ResolveFileContainerPath"` BasenameStr string `field:"name,ResolveFileBasename"` Filesytem string `field:"filesystem,ResolveFileFilesystem"` InUpperLayer bool `field:"in_upper_layer,ResolveFileInUpperLayer"` PathResolutionError error `field:"-"` }
FileEvent is the common file event type
func (*FileEvent) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
type FileFields ¶
type FileFields struct { UID uint32 `field:"uid"` User string `field:"user,ResolveUser"` GID uint32 `field:"gid"` Group string `field:"group,ResolveGroup"` Mode uint16 `field:"mode" field:"rights,ResolveRights"` CTime time.Time `field:"-"` MTime time.Time `field:"-"` MountID uint32 `field:"mount_id"` Inode uint64 `field:"inode"` PathID uint32 `field:"-"` Flags int32 `field:"-"` }
FileFields holds the information required to identify a file
func (*FileFields) GetInLowerLayer ¶
func (f *FileFields) GetInLowerLayer() bool
GetInLowerLayer returns whether a file is in a lower layer
func (*FileFields) GetInUpperLayer ¶
func (f *FileFields) GetInUpperLayer() bool
GetInUpperLayer returns whether a file is in the upper layer
func (*FileFields) UnmarshalBinary ¶
func (e *FileFields) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type InvalidateDentryEvent ¶
InvalidateDentryEvent defines a invalidate dentry event
func (*InvalidateDentryEvent) UnmarshalBinary ¶
func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type KernelCapability ¶
type KernelCapability uint64
KernelCapability represents a kernel capability bitmask value
func (KernelCapability) String ¶
func (kc KernelCapability) String() string
func (KernelCapability) StringArray ¶
func (kc KernelCapability) StringArray() []string
StringArray returns the kernel capabilities as an array of strings
type LinkEvent ¶
type LinkEvent struct { SyscallEvent Source FileEvent `field:"file"` Target FileEvent `field:"file.destination"` }
LinkEvent represents a link event
type MkdirEvent ¶
type MkdirEvent struct { SyscallEvent File FileEvent `field:"file"` Mode uint32 `field:"file.destination.mode" field:"file.destination.rights"` }
MkdirEvent represents a mkdir event
func (*MkdirEvent) UnmarshalBinary ¶
func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type Model ¶
type Model struct{}
Model describes the data model for the runtime security agent events
func (*Model) GetEvaluator ¶
func (*Model) GetEventTypes ¶
func (*Model) ValidateField ¶
ValidateField validates the value of a field
type MountEvent ¶
type MountEvent struct { SyscallEvent MountID uint32 GroupID uint32 Device uint32 ParentMountID uint32 ParentInode uint64 FSType string MountPointStr string MountPointPathResolutionError error RootMountID uint32 RootInode uint64 RootStr string RootPathResolutionError error FSTypeRaw [16]byte }
MountEvent represents a mount event
func (*MountEvent) GetFSType ¶
func (m *MountEvent) GetFSType() string
GetFSType returns the filesystem type of the mountpoint
func (*MountEvent) GetMountPointPathResolutionError ¶
func (m *MountEvent) GetMountPointPathResolutionError() string
GetMountPointPathResolutionError returns the mount point path resolution error as a string if there is one
func (*MountEvent) GetRootPathResolutionError ¶
func (m *MountEvent) GetRootPathResolutionError() string
GetRootPathResolutionError returns the root path resolution error as a string if there is one
func (*MountEvent) IsOverlayFS ¶
func (m *MountEvent) IsOverlayFS() bool
IsOverlayFS returns whether it is an overlay fs
func (*MountEvent) UnmarshalBinary ¶
func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type MountReleasedEvent ¶
MountReleasedEvent defines a mount released event
func (*MountReleasedEvent) UnmarshalBinary ¶
func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type OpenEvent ¶
type OpenEvent struct { SyscallEvent File FileEvent `field:"file"` Flags uint32 `field:"flags"` Mode uint32 `field:"file.destination.mode"` }
OpenEvent represents an open event
type OpenFlags ¶
type OpenFlags int
OpenFlags represents an open flags bitmask value
func (OpenFlags) StringArray ¶
StringArray returns the open flags as an array of strings
type Process ¶
type Process struct { // proc_cache_t // (container context is parsed in Event.Container) FileFields FileFields `field:"file"` PathnameStr string `field:"file.path,ResolveProcessInode"` ContainerPath string `field:"file.container_path,ResolveProcessContainerPath"` BasenameStr string `field:"file.name,ResolveProcessBasename"` Filesystem string `field:"file.filesystem,ResolveProcessFilesystem"` PathResolutionError error `field:"-"` ExecTimestamp uint64 `field:"-"` ExecTime time.Time `field:"-"` TTYName string `field:"tty_name,ResolveProcessTTY"` Comm string `field:"comm,ResolveProcessComm"` // pid_cache_t ForkTimestamp uint64 `field:"-"` ForkTime time.Time `field:"-"` ExitTimestamp uint64 `field:"-"` ExitTime time.Time `field:"-"` Cookie uint32 `field:"cookie,ResolveProcessCookie"` PPid uint32 `field:"ppid,ResolveProcessPPID"` // credentials_t section of pid_cache_t Credentials ArgsArray []string `field:"-"` ArgsTruncated bool `field:"-"` EnvsArray []string `field:"-"` EnvsTruncated bool `field:"-"` ArgsID uint32 `field:"-"` EnvsID uint32 `field:"-"` }
Process represents a process
func (*Process) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
type ProcessAncestorsIterator ¶
type ProcessAncestorsIterator struct {
// contains filtered or unexported fields
}
ProcessAncestorsIterator defines an iterator of ancestors
func (*ProcessAncestorsIterator) Front ¶
func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) unsafe.Pointer
Front returns the first element
func (*ProcessAncestorsIterator) Next ¶
func (it *ProcessAncestorsIterator) Next() unsafe.Pointer
Next returns the next element
type ProcessCacheEntry ¶
type ProcessCacheEntry struct { ContainerContext ProcessContext }
ProcessCacheEntry this structure holds the container context that we keep in kernel for each process
func (*ProcessCacheEntry) Exec ¶
func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)
Exec replace a process
func (*ProcessCacheEntry) Exit ¶
func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
Exit a process
func (*ProcessCacheEntry) Fork ¶
func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)
Fork returns a copy of the current ProcessCacheEntry
func (*ProcessCacheEntry) String ¶
func (pc *ProcessCacheEntry) String() string
func (*ProcessCacheEntry) UnmarshalBinary ¶
func (pc *ProcessCacheEntry) UnmarshalBinary(data []byte, unmarshalContext bool) (int, error)
UnmarshalBinary reads the binary representation of itself
type ProcessContext ¶
type ProcessContext struct { Process Pid uint32 `field:"pid"` Tid uint32 `field:"tid"` Ancestor *ProcessCacheEntry `field:"ancestors,,ProcessAncestorsIterator"` }
ProcessContext holds the process context of an event
func (*ProcessContext) UnmarshalBinary ¶
func (p *ProcessContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type RenameEvent ¶
type RenameEvent struct { SyscallEvent Old FileEvent `field:"file"` New FileEvent `field:"file.destination"` DiscarderRevision uint32 `field:"-"` }
RenameEvent represents a rename event
func (*RenameEvent) UnmarshalBinary ¶
func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type RetValError ¶
type RetValError int
RetValError represents a syscall return error value
func (RetValError) String ¶
func (f RetValError) String() string
type RmdirEvent ¶
type RmdirEvent struct { SyscallEvent File FileEvent `field:"file"` DiscarderRevision uint32 `field:"-"` }
RmdirEvent represents a rmdir event
func (*RmdirEvent) UnmarshalBinary ¶
func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SetXAttrEvent ¶
type SetXAttrEvent struct { SyscallEvent File FileEvent `field:"file"` Namespace string `field:"file.destination.namespace,GetXAttrNamespace"` Name string `field:"file.destination.name,GetXAttrName"` NameRaw [200]byte }
SetXAttrEvent represents an extended attributes event
func (*SetXAttrEvent) UnmarshalBinary ¶
func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SetgidEvent ¶
type SetgidEvent struct { GID uint32 `field:"gid"` Group string `field:"group,ResolveSetgidGroup"` EGID uint32 `field:"egid"` EGroup string `field:"egroup,ResolveSetgidEGroup"` FSGID uint32 `field:"fsgid"` FSGroup string `field:"fsgroup,ResolveSetgidFSGroup"` }
SetgidEvent represents a setgid event
func (*SetgidEvent) UnmarshalBinary ¶
func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SetuidEvent ¶
type SetuidEvent struct { UID uint32 `field:"uid"` User string `field:"user,ResolveSetuidUser"` EUID uint32 `field:"euid"` EUser string `field:"euser,ResolveSetuidEUser"` FSUID uint32 `field:"fsuid"` FSUser string `field:"fsuser,ResolveSetuidFSUser"` }
SetuidEvent represents a setuid event
func (*SetuidEvent) UnmarshalBinary ¶
func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SyscallEvent ¶
type SyscallEvent struct {
Retval int64 `field:"retval"`
}
SyscallEvent contains common fields for all the event
func (*SyscallEvent) UnmarshalBinary ¶
func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UmountEvent ¶
type UmountEvent struct { SyscallEvent MountID uint32 }
UmountEvent represents an umount event
func (*UmountEvent) UnmarshalBinary ¶
func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UnlinkEvent ¶
type UnlinkEvent struct { SyscallEvent File FileEvent `field:"file"` Flags uint32 `field:"-"` DiscarderRevision uint32 `field:"-"` }
UnlinkEvent represents an unlink event
func (*UnlinkEvent) UnmarshalBinary ¶
func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UnlinkFlags ¶
type UnlinkFlags int
UnlinkFlags represents an unlink flags bitmask value
func (UnlinkFlags) String ¶
func (f UnlinkFlags) String() string
func (UnlinkFlags) StringArray ¶
func (f UnlinkFlags) StringArray() []string
StringArray returns the unlink flags as an array of strings
type UtimesEvent ¶
type UtimesEvent struct { SyscallEvent File FileEvent `field:"file"` Atime time.Time `field:"-"` Mtime time.Time `field:"-"` }
UtimesEvent represents a utime event
func (*UtimesEvent) UnmarshalBinary ¶
func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself