Documentation ¶
Index ¶
- Constants
- Variables
- func AllCustomRuleIDs() []string
- func ExtractEventInfo(data []byte) (uint64, uint64, error)
- func GetCapababilities() map[eval.EventType]rules.FieldCapabilities
- func NewProcessCacheEntry() *model.ProcessCacheEntry
- func TTYConstants(probe *Probe) []manager.ConstantEditor
- type AbnormalPathEvent
- type Capabilities
- type Capability
- type CapsetSerializer
- type ContainerContextSerializer
- type ContainerResolver
- type CredentialsSerializer
- type CustomEvent
- func NewAbnormalPathEvent(event *Event, pathResolutionError error) (*rules.Rule, *CustomEvent)
- func NewEventLostReadEvent(mapName string, lost int64) (*rules.Rule, *CustomEvent)
- func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *CustomEvent)
- func NewNoisyProcessEvent(eventType model.EventType, count uint64, threshold int64, ...) (*rules.Rule, *CustomEvent)
- func NewRuleSetLoadedEvent(rs *rules.RuleSet, err *multierror.Error) (*rules.Rule, *CustomEvent)
- type DentryResolver
- func (dr *DentryResolver) DelCacheEntries(mountID uint32)
- func (dr *DentryResolver) DelCacheEntry(mountID uint32, inode uint64)
- func (dr *DentryResolver) GetName(mountID uint32, inode uint64, pathID uint32) string
- func (dr *DentryResolver) GetParent(mountID uint32, inode uint64, pathID uint32) (uint32, uint64, error)
- func (dr *DentryResolver) Resolve(mountID uint32, inode uint64, pathID uint32) (string, error)
- func (dr *DentryResolver) ResolveFromCache(mountID uint32, inode uint64) (filename string, err error)
- func (dr *DentryResolver) ResolveFromMap(mountID uint32, inode uint64, pathID uint32) (string, error)
- func (dr *DentryResolver) Start() error
- type Discarder
- type ERPC
- type ERPCRequest
- type ErrDiscarderNotSupported
- type ErrInvalidKeyPath
- type ErrTruncatedParents
- type ErrTruncatedSegment
- type Event
- func (ev *Event) Clone() Event
- func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
- func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
- func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)
- func (e *Event) GetFields() []eval.Field
- func (ev *Event) GetPathResolutionError() error
- func (ev *Event) GetXAttrName(e *model.SetXAttrEvent) string
- func (ev *Event) GetXAttrNamespace(e *model.SetXAttrEvent) string
- func (ev *Event) MarshalJSON() ([]byte, error)
- func (ev *Event) ResolveChownGID(e *model.ChownEvent) string
- func (ev *Event) ResolveChownUID(e *model.ChownEvent) string
- func (ev *Event) ResolveContainerID(e *model.ContainerContext) string
- func (ev *Event) ResolveCredentialsCapEffective(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsCapPermitted(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsEGID(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsEGroup(e *model.Credentials) string
- func (ev *Event) ResolveCredentialsEUID(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsEUser(e *model.Credentials) string
- func (ev *Event) ResolveCredentialsFSGID(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsFSGroup(e *model.Credentials) string
- func (ev *Event) ResolveCredentialsFSUID(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsFSUser(e *model.Credentials) string
- func (ev *Event) ResolveCredentialsGID(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsGroup(e *model.Credentials) string
- func (ev *Event) ResolveCredentialsUID(e *model.Credentials) int
- func (ev *Event) ResolveCredentialsUser(e *model.Credentials) string
- func (ev *Event) ResolveEventTimestamp() time.Time
- func (ev *Event) ResolveExecArgs(e *model.ExecEvent) string
- func (ev *Event) ResolveExecArgsFlags(e *model.ExecEvent) (flags []string)
- func (ev *Event) ResolveExecArgsOptions(e *model.ExecEvent) (options []string)
- func (ev *Event) ResolveExecArgv(e *model.ExecEvent) []string
- func (ev *Event) ResolveExecEnvs(e *model.ExecEvent) []string
- func (ev *Event) ResolveFileBasename(f *model.FileEvent) string
- func (ev *Event) ResolveFileContainerPath(f *model.FileEvent) string
- func (ev *Event) ResolveFileFilesystem(f *model.FileEvent) string
- func (ev *Event) ResolveFileInUpperLayer(f *model.FileEvent) bool
- func (ev *Event) ResolveFileInode(f *model.FileEvent) string
- func (ev *Event) ResolveGroup(e *model.FileFields) string
- func (ev *Event) ResolveMountPoint(e *model.MountEvent) string
- func (ev *Event) ResolveMountRoot(e *model.MountEvent) string
- func (ev *Event) ResolveProcessBasename(e *model.Process) string
- func (ev *Event) ResolveProcessCacheEntry() *model.ProcessCacheEntry
- func (ev *Event) ResolveProcessComm(e *model.Process) string
- func (ev *Event) ResolveProcessContainerPath(e *model.Process) string
- func (ev *Event) ResolveProcessContextGroup(p *model.ProcessContext) string
- func (ev *Event) ResolveProcessContextUser(p *model.ProcessContext) string
- func (ev *Event) ResolveProcessCookie(e *model.Process) int
- func (ev *Event) ResolveProcessFilesystem(e *model.Process) string
- func (ev *Event) ResolveProcessInode(e *model.Process) string
- func (ev *Event) ResolveProcessPPID(e *model.Process) int
- func (ev *Event) ResolveProcessTTY(e *model.Process) string
- func (ev *Event) ResolveRights(e *model.FileFields) int
- func (ev *Event) ResolveSetgidEGroup(e *model.SetgidEvent) string
- func (ev *Event) ResolveSetgidFSGroup(e *model.SetgidEvent) string
- func (ev *Event) ResolveSetgidGroup(e *model.SetgidEvent) string
- func (ev *Event) ResolveSetuidEUser(e *model.SetuidEvent) string
- func (ev *Event) ResolveSetuidFSUser(e *model.SetuidEvent) string
- func (ev *Event) ResolveSetuidUser(e *model.SetuidEvent) string
- func (ev *Event) ResolveUser(e *model.FileFields) string
- func (e *Event) SetFieldValue(field eval.Field, value interface{}) error
- func (ev *Event) SetPathResolutionError(err error)
- func (ev *Event) String() string
- func (ev *Event) UnmarshalProcess(data []byte) (int, error)
- type EventContextSerializer
- type EventHandler
- type EventLostRead
- type EventLostWrite
- type EventSerializer
- type FileEventSerializer
- type FileSerializer
- type FilterPolicy
- type InodeInfo
- type KernelVersion
- type LoadController
- type Model
- type Monitor
- func (m *Monitor) GetPerfBufferMonitor() *PerfBufferMonitor
- func (m *Monitor) GetStats() (map[string]interface{}, error)
- func (m *Monitor) ProcessEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)
- func (m *Monitor) ProcessLostEvent(count uint64, cpu int, perfMap *manager.PerfMap)
- func (m *Monitor) ReportRuleSetLoaded(ruleSet *rules.RuleSet, err *multierror.Error)
- func (m *Monitor) SendStats() error
- func (m *Monitor) Start(ctx context.Context) error
- type MountResolver
- func (mr *MountResolver) Delete(mountID uint32) error
- func (mr *MountResolver) GetFilesystem(mountID uint32) string
- func (mr *MountResolver) GetMountPath(mountID uint32) (string, string, string, error)
- func (mr *MountResolver) Insert(e model.MountEvent)
- func (mr *MountResolver) IsOverlayFS(mountID uint32) bool
- func (mr *MountResolver) Start(ctx context.Context)
- func (mr *MountResolver) SyncCache(proc *process.Process) error
- type NoisyProcessEvent
- type PathKey
- type PathValue
- type PerfBufferMonitor
- func (pbm *PerfBufferMonitor) CountEvent(eventType model.EventType, timestamp uint64, count uint64, size uint64, ...)
- func (pbm *PerfBufferMonitor) CountLostEvent(count uint64, m *manager.PerfMap, cpu int)
- func (pbm *PerfBufferMonitor) GetAndResetKernelLostCount(perfMap string, cpu int, evtTypes ...model.EventType) uint64
- func (pbm *PerfBufferMonitor) GetAndResetLostCount(perfMap string, cpu int) uint64
- func (pbm *PerfBufferMonitor) GetEventStats(eventType model.EventType, perfMap string, cpu int) PerfMapStats
- func (pbm *PerfBufferMonitor) GetLostCount(perfMap string, cpu int) uint64
- func (pbm *PerfBufferMonitor) SendStats() error
- type PerfMapStats
- type PoliciesIgnored
- type PolicyFlag
- type PolicyLoaded
- type PolicyMode
- type PolicyReport
- type Probe
- func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
- func (p *Probe) Close() error
- func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *CustomEvent)
- func (p *Probe) DispatchEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)
- func (p *Probe) FlushDiscarders() error
- func (p *Probe) GetDebugStats() map[string]interface{}
- func (p *Probe) GetMonitor() *Monitor
- func (p *Probe) GetResolvers() *Resolvers
- func (p *Probe) Init(client *statsd.Client) error
- func (p *Probe) Map(name string) (*lib.Map, error)
- func (p *Probe) NewRuleSet(opts *rules.Opts) *rules.RuleSet
- func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, event *Event, field eval.Field, eventType eval.EventType) error
- func (p *Probe) SelectProbes(rs *rules.RuleSet) error
- func (p *Probe) SendStats() error
- func (p *Probe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error
- func (p *Probe) SetEventHandler(handler EventHandler)
- func (p *Probe) Snapshot() error
- func (p *Probe) Start() error
- type ProcessCacheEntrySerializer
- type ProcessContextSerializer
- type ProcessCredentialsSerializer
- type ProcessPath
- type ProcessResolver
- func (p *ProcessResolver) AddExecEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
- func (p *ProcessResolver) AddForkEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
- func (p *ProcessResolver) DeleteEntry(pid uint32, exitTime time.Time)
- func (p *ProcessResolver) Dump() (string, error)
- func (p *ProcessResolver) Get(pid uint32) *model.ProcessCacheEntry
- func (p *ProcessResolver) GetCacheSize() float64
- func (p *ProcessResolver) GetEntryCacheSize() float64
- func (p *ProcessResolver) Resolve(pid, tid uint32) *model.ProcessCacheEntry
- func (p *ProcessResolver) SendStats() error
- func (p *ProcessResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
- func (p *ProcessResolver) SetProcessContainerPath(entry *model.ProcessCacheEntry) string
- func (p *ProcessResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
- func (p *ProcessResolver) SetProcessPath(entry *model.ProcessCacheEntry) (string, error)
- func (p *ProcessResolver) SetTTY(pce *model.ProcessCacheEntry) string
- func (p *ProcessResolver) Start(ctx context.Context) error
- func (p *ProcessResolver) SyncCache(proc *process.Process) bool
- func (p *ProcessResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
- func (p *ProcessResolver) UpdateCapset(pid uint32, e *Event)
- func (p *ProcessResolver) UpdateGID(pid uint32, e *Event)
- func (p *ProcessResolver) UpdateUID(pid uint32, e *Event)
- type ProcessResolverOpts
- type ProcessSyscall
- type ReOrderer
- type ReOrdererMetric
- type ReOrdererOpts
- type ReordererMonitor
- type Report
- type Reporter
- type Resolvers
- func (r *Resolvers) ResolveCredentialsEGroup(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsEUser(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsFSGroup(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsFSUser(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsGroup(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsUser(e *model.Credentials) string
- func (r *Resolvers) ResolveGroup(e *model.FileFields) string
- func (r *Resolvers) ResolveInode(e *model.FileEvent) string
- func (r *Resolvers) ResolveProcessContextGroup(p *model.ProcessContext) string
- func (r *Resolvers) ResolveProcessContextUser(p *model.ProcessContext) string
- func (r *Resolvers) ResolveUser(e *model.FileFields) string
- func (r *Resolvers) Snapshot() error
- func (r *Resolvers) Start(ctx context.Context) error
- type RuleIgnored
- type RuleLoaded
- type RuleSetApplier
- type RulesetLoadedEvent
- type SetgidSerializer
- type SetuidSerializer
- type Syscall
- type SyscallMonitor
- type SyscallStats
- type SyscallStatsCollector
- type SyscallStatsdCollector
- type TimeResolver
- type UserContextSerializer
- type UserGroupResolver
Constants ¶
// Rule IDs attached to the agent-generated (custom) events. They are the
// identifiers a consumer sees on events that were not produced by a user
// rule but by the probe itself.
const (
	// LostEventsRuleID is the rule ID attached to the lost_events_* events.
	LostEventsRuleID = "lost_events"
	// RulesetLoadedRuleID is the rule ID attached to the ruleset_loaded events.
	RulesetLoadedRuleID = "ruleset_loaded"
	// NoisyProcessRuleID is the rule ID attached to the noisy_process events.
	NoisyProcessRuleID = "noisy_process"
	// AbnormalPathRuleID is the rule ID attached to the abnormal_path events.
	AbnormalPathRuleID = "abnormal_path"
)
// Discarder operation codes. Numbering starts at 1 so that the zero value
// never denotes a valid operation.
const (
	// DiscardInodeOp is the discarder operation that discards an inode.
	DiscardInodeOp = iota + 1
	// DiscardPidOp is the discarder operation that discards a pid.
	DiscardPidOp
)
// Event categories used in the JSON serialization of events.
const (
	// FIMCategory is the category reported for file-activity events.
	FIMCategory = "File Activity"
	// ProcessActivity is the category reported for process-activity events.
	ProcessActivity = "Process Activity"
)
Event categories for JSON serialization
const (
	// DiscardRetention is how long a freshly added discarder is retained
	// before it actually starts discarding. During this grace period events
	// for the discarded key still flow to user space; this avoids a race
	// between the user-space pipeline, which may still hold pending events
	// for a file, and the kernel side, where that file has already been
	// deleted.
	DiscardRetention = 5 * time.Second
)
const (
	// ERPCMaxDataSize is the maximum size, in bytes, of the data payload of
	// an ERPC request (it sizes the ERPCRequest.Data array).
	ERPCMaxDataSize = 256
)
Variables ¶
// DiscarderConstants are the eBPF constants that parameterize the discarder
// logic. discarder_retention carries DiscardRetention expressed in
// nanoseconds, which is the unit the kernel-side comparison uses.
var DiscarderConstants = []manager.ConstantEditor{
	{
		Name:  "discarder_retention",
		Value: uint64(DiscardRetention.Nanoseconds()),
	},
}
// ErrEntryNotFound is returned when a path key is not present in the cache.
var ErrEntryNotFound = errors.New("entry not found")
ErrEntryNotFound is returned when a path key is not found in the cache
// ErrMountNotFound is returned when an unknown mount identifier is encountered.
var ErrMountNotFound = errors.New("unknown mount ID")
// InvalidDiscarders lists, per field, the values that must never be turned
// into discarders. A discarder suppresses every future event carrying the
// value, so an entry here protects the paths on which visibility must be kept.
// Every field currently shares the same dentryInvalidDiscarder list, which is
// defined elsewhere in this package.
var InvalidDiscarders = map[eval.Field][]interface{}{
"open.file.path": dentryInvalidDiscarder,
"unlink.file.path": dentryInvalidDiscarder,
"chmod.file.path": dentryInvalidDiscarder,
"chown.file.path": dentryInvalidDiscarder,
"mkdir.file.path": dentryInvalidDiscarder,
"rmdir.file.path": dentryInvalidDiscarder,
"rename.file.path": dentryInvalidDiscarder,
"rename.file.destination.path": dentryInvalidDiscarder,
"utimes.file.path": dentryInvalidDiscarder,
"link.file.path": dentryInvalidDiscarder,
"link.file.destination.path": dentryInvalidDiscarder,
"process.file.path": dentryInvalidDiscarder,
"setxattr.file.path": dentryInvalidDiscarder,
"removexattr.file.path": dentryInvalidDiscarder,
}
InvalidDiscarders exposes, per field, the values that must never be used as discarders
// SupportedDiscarders lists the fields that support discarders. The
// declaration only guarantees a non-nil, empty map so that writes do not
// panic; it is presumably populated at init time elsewhere in the package.
var SupportedDiscarders = map[eval.Field]bool{}
Functions ¶
func AllCustomRuleIDs ¶
func AllCustomRuleIDs() []string
AllCustomRuleIDs returns the list of custom rule IDs
func ExtractEventInfo ¶
ExtractEventInfo extracts cpu and timestamp from the raw data event
func GetCapababilities ¶
func GetCapababilities() map[eval.EventType]rules.FieldCapabilities
GetCapababilities returns all the filtering capabilities
func NewProcessCacheEntry ¶
func NewProcessCacheEntry() *model.ProcessCacheEntry
NewProcessCacheEntry returns an empty instance of ProcessCacheEntry
func TTYConstants ¶
func TTYConstants(probe *Probe) []manager.ConstantEditor
TTYConstants returns the tty constants
Types ¶
type AbnormalPathEvent ¶
// AbnormalPathEvent reports that a path resolution failed for a suspicious
// reason. It carries the event that triggered the resolution together with
// the resolution error rendered as a string.
// easyjson:json
type AbnormalPathEvent struct {
	Timestamp           time.Time        `json:"date"`
	Event               *EventSerializer `json:"triggeringEvent"`
	PathResolutionError string           `json:"pathResolutionError"`
}
AbnormalPathEvent is used to report that a path resolution failed for a suspicious reason easyjson:json
func (AbnormalPathEvent) MarshalEasyJSON ¶
func (v AbnormalPathEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (AbnormalPathEvent) MarshalJSON ¶
func (v AbnormalPathEvent) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*AbnormalPathEvent) UnmarshalEasyJSON ¶
func (v *AbnormalPathEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*AbnormalPathEvent) UnmarshalJSON ¶
func (v *AbnormalPathEvent) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type Capabilities ¶
// Capabilities maps each field to the kernel-side filtering Capability it
// supports.
type Capabilities map[eval.Field]Capability
Capabilities represents the filtering capabilities for a set of fields
func (Capabilities) GetFieldCapabilities ¶
func (caps Capabilities) GetFieldCapabilities() rules.FieldCapabilities
GetFieldCapabilities returns the field capabilities for a set of capabilities
func (Capabilities) GetFields ¶
func (caps Capabilities) GetFields() []eval.Field
GetFields returns the fields associated with a set of capabilities
func (Capabilities) GetFlags ¶
func (caps Capabilities) GetFlags() PolicyFlag
GetFlags returns the policy flags for the set of capabilities
type Capability ¶
// Capability describes what can be filtered kernel-side for a single field:
// the policy flags that apply to it and the value types that are accepted.
type Capability struct {
	PolicyFlags     PolicyFlag
	FieldValueTypes eval.FieldValueType
}
Capability represents the types of values that can be filtered kernel-side for a field
type CapsetSerializer ¶
// CapsetSerializer serializes a capset event to JSON. Both capability sets
// carry omitempty, so an empty set produces no key at all rather than an
// empty array.
// easyjson:json
type CapsetSerializer struct {
	CapEffective []string `json:"capEffective,omitempty"`
	CapPermitted []string `json:"capPermitted,omitempty"`
}
CapsetSerializer serializes a capset event easyjson:json
func (CapsetSerializer) MarshalEasyJSON ¶
func (v CapsetSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (CapsetSerializer) MarshalJSON ¶
func (v CapsetSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*CapsetSerializer) UnmarshalEasyJSON ¶
func (v *CapsetSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*CapsetSerializer) UnmarshalJSON ¶
func (v *CapsetSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type ContainerContextSerializer ¶
// ContainerContextSerializer serializes a container context to JSON. ID
// carries omitempty, so an event that is not attributed to a container has no
// "id" key at all rather than an empty string.
// easyjson:json
type ContainerContextSerializer struct {
ID string `json:"id,omitempty"`
}
ContainerContextSerializer serializes a container context to JSON easyjson:json
func (ContainerContextSerializer) MarshalEasyJSON ¶
func (v ContainerContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (ContainerContextSerializer) MarshalJSON ¶
func (v ContainerContextSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*ContainerContextSerializer) UnmarshalEasyJSON ¶
func (v *ContainerContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*ContainerContextSerializer) UnmarshalJSON ¶
func (v *ContainerContextSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type ContainerResolver ¶
// ContainerResolver resolves the container context of events (container ID
// from a pid, labels from a container ID). It carries no state of its own.
type ContainerResolver struct{}
ContainerResolver is used to resolve the container context of the events
func (*ContainerResolver) GetContainerID ¶
func (cr *ContainerResolver) GetContainerID(pid uint32) (utils.ContainerID, error)
GetContainerID returns the container id of the given pid
func (*ContainerResolver) ResolveLabels ¶
func (cr *ContainerResolver) ResolveLabels(containerID string) ([]string, error)
ResolveLabels resolves the labels of a container from its container ID
type CredentialsSerializer ¶
// CredentialsSerializer serializes a set of credentials to JSON.
//
// The numeric IDs are always emitted. The resolved user/group names and the
// capability sets carry omitempty, so a missing "user"/"group" key only means
// the name was empty -- consumers must key on the numeric IDs, not on the
// presence of a name.
// easyjson:json
type CredentialsSerializer struct {
	UID          int      `json:"uid"`
	User         string   `json:"user,omitempty"`
	GID          int      `json:"gid"`
	Group        string   `json:"group,omitempty"`
	EUID         int      `json:"euid"`
	EUser        string   `json:"euser,omitempty"`
	EGID         int      `json:"egid"`
	EGroup       string   `json:"egroup,omitempty"`
	FSUID        int      `json:"fsuid"`
	FSUser       string   `json:"fsuser,omitempty"`
	FSGID        int      `json:"fsgid"`
	FSGroup      string   `json:"fsgroup,omitempty"`
	CapEffective []string `json:"capEffective,omitempty"`
	CapPermitted []string `json:"capPermitted,omitempty"`
}
CredentialsSerializer serializes a set of credentials to JSON easyjson:json
func (CredentialsSerializer) MarshalEasyJSON ¶
func (v CredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (CredentialsSerializer) MarshalJSON ¶
func (v CredentialsSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*CredentialsSerializer) UnmarshalEasyJSON ¶
func (v *CredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*CredentialsSerializer) UnmarshalJSON ¶
func (v *CredentialsSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type CustomEvent ¶
// CustomEvent is an agent-generated security event sent to Datadog (lost
// events, ruleset loaded, noisy process, abnormal path). Its fields are
// unexported and elided in this rendering; build one with the New*Event
// constructors.
type CustomEvent struct {
// contains filtered or unexported fields
}
CustomEvent is used to send custom security events to Datadog
func NewAbnormalPathEvent ¶
func NewAbnormalPathEvent(event *Event, pathResolutionError error) (*rules.Rule, *CustomEvent)
NewAbnormalPathEvent returns the rule and a populated custom event for an abnormal_path event
func NewEventLostReadEvent ¶
func NewEventLostReadEvent(mapName string, lost int64) (*rules.Rule, *CustomEvent)
NewEventLostReadEvent returns the rule and a populated custom event for a lost_events_read event
func NewEventLostWriteEvent ¶
func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *CustomEvent)
NewEventLostWriteEvent returns the rule and a populated custom event for a lost_events_write event
func NewNoisyProcessEvent ¶
func NewNoisyProcessEvent(eventType model.EventType, count uint64, threshold int64, controlPeriod time.Duration, discardedUntil time.Time, process *model.ProcessCacheEntry, resolvers *Resolvers, timestamp time.Time) (*rules.Rule, *CustomEvent)
NewNoisyProcessEvent returns the rule and a populated custom event for a noisy_process event
func NewRuleSetLoadedEvent ¶
func NewRuleSetLoadedEvent(rs *rules.RuleSet, err *multierror.Error) (*rules.Rule, *CustomEvent)
NewRuleSetLoadedEvent returns the rule and a populated custom event for a ruleset_loaded event
func (*CustomEvent) Clone ¶
func (ce *CustomEvent) Clone() CustomEvent
Clone returns a copy of the current CustomEvent
func (*CustomEvent) GetEventType ¶
func (ce *CustomEvent) GetEventType() model.EventType
GetEventType returns the event type
func (*CustomEvent) GetTags ¶
func (ce *CustomEvent) GetTags() []string
GetTags returns the tags of the custom event
func (*CustomEvent) GetType ¶
func (ce *CustomEvent) GetType() string
GetType returns the type of the custom event as a string
func (*CustomEvent) MarshalJSON ¶
func (ce *CustomEvent) MarshalJSON() ([]byte, error)
MarshalJSON is the JSON marshaller function of the custom event
func (*CustomEvent) String ¶
func (ce *CustomEvent) String() string
String returns the string representation of a custom event
type DentryResolver ¶
// DentryResolver resolves a (mountID, inode) pair to a full path. It offers
// both a user-space cache lookup (ResolveFromCache) and a kernel-map lookup
// (ResolveFromMap); its fields are unexported and elided in this rendering.
type DentryResolver struct {
// contains filtered or unexported fields
}
DentryResolver resolves inode/mountID to full paths
func NewDentryResolver ¶
func NewDentryResolver(probe *Probe) (*DentryResolver, error)
NewDentryResolver returns a new dentry resolver
func (*DentryResolver) DelCacheEntries ¶
func (dr *DentryResolver) DelCacheEntries(mountID uint32)
DelCacheEntries removes all the entries belonging to a mountID
func (*DentryResolver) DelCacheEntry ¶
func (dr *DentryResolver) DelCacheEntry(mountID uint32, inode uint64)
DelCacheEntry removes an entry from the cache
func (*DentryResolver) GetName ¶
func (dr *DentryResolver) GetName(mountID uint32, inode uint64, pathID uint32) string
GetName resolves a mountID/inode pair to a path
func (*DentryResolver) GetParent ¶
func (dr *DentryResolver) GetParent(mountID uint32, inode uint64, pathID uint32) (uint32, uint64, error)
GetParent returns the parent mount_id/inode pair
func (*DentryResolver) Resolve ¶
Resolve resolves the pathname of a dentry, starting at the pathnameKey in the pathnames table
func (*DentryResolver) ResolveFromCache ¶
func (dr *DentryResolver) ResolveFromCache(mountID uint32, inode uint64) (filename string, err error)
ResolveFromCache resolves a path from the user-space cache
func (*DentryResolver) ResolveFromMap ¶
func (dr *DentryResolver) ResolveFromMap(mountID uint32, inode uint64, pathID uint32) (string, error)
ResolveFromMap resolves a path from the kernel-side map
type Discarder ¶
Discarder represents a field value that is known for sure to always be rejected by the rules, so events carrying it can be dropped before reaching the rule engine
type ERPC ¶
// ERPC defines the krpc object: Request issues an ioctl carrying an
// ERPCRequest and GetConstants exposes the associated eBPF constants. Its
// fields are unexported and elided in this rendering.
type ERPC struct {
// contains filtered or unexported fields
}
ERPC defines a krpc object
func (*ERPC) GetConstants ¶
func (k *ERPC) GetConstants() []manager.ConstantEditor
GetConstants returns the ebpf constants
func (*ERPC) Request ¶
func (k *ERPC) Request(req *ERPCRequest) error
Request generates an ioctl syscall with the required request
type ERPCRequest ¶
// ERPCRequest defines an ERPC request: a one-byte operation code followed by
// a fixed-size payload of ERPCMaxDataSize bytes. The payload is a fixed array,
// not a slice, so a request never carries more than ERPCMaxDataSize bytes.
type ERPCRequest struct {
	OP   uint8
	Data [ERPCMaxDataSize]byte
}
ERPCRequest defines an ERPC request
type ErrDiscarderNotSupported ¶
// ErrDiscarderNotSupported is returned when a discarder is requested for a
// field that does not support them.
type ErrDiscarderNotSupported struct {
// Field is the name of the field that does not support discarders.
Field string
}
ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them
func (ErrDiscarderNotSupported) Error ¶
func (e ErrDiscarderNotSupported) Error() string
type ErrInvalidKeyPath ¶
ErrInvalidKeyPath is returned when the inode or the mount ID is not valid
func (*ErrInvalidKeyPath) Error ¶
func (e *ErrInvalidKeyPath) Error() string
type ErrTruncatedParents ¶
// ErrTruncatedParents signals that some parent segments of a path are
// missing; a path returned alongside it is incomplete and should not be
// treated as the full path.
type ErrTruncatedParents struct{}
ErrTruncatedParents is used to notify that some parents of the path are missing
func (ErrTruncatedParents) Error ¶
func (err ErrTruncatedParents) Error() string
type ErrTruncatedSegment ¶
// ErrTruncatedSegment signals that a segment of a path was truncated because
// it was too long; a path returned alongside it is therefore not exact.
type ErrTruncatedSegment struct{}
ErrTruncatedSegment is used to notify that a segment of the path was truncated because it was too long
func (ErrTruncatedSegment) Error ¶
func (err ErrTruncatedSegment) Error() string
type Event ¶
Event describes a probe event
func NewEvent ¶
func NewEvent(resolvers *Resolvers, scrubber *pconfig.DataScrubber) *Event
NewEvent returns a new event
func (*Event) GetFieldEventType ¶
func (*Event) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error, if any (nil otherwise)
func (*Event) GetXAttrName ¶
func (ev *Event) GetXAttrName(e *model.SetXAttrEvent) string
GetXAttrName returns the string representation of the extended attribute name
func (*Event) GetXAttrNamespace ¶
func (ev *Event) GetXAttrNamespace(e *model.SetXAttrEvent) string
GetXAttrNamespace returns the string representation of the extended attribute namespace
func (*Event) MarshalJSON ¶
MarshalJSON returns the JSON encoding of the event
func (*Event) ResolveChownGID ¶
func (ev *Event) ResolveChownGID(e *model.ChownEvent) string
ResolveChownGID resolves the group id of a chown event to a group name
func (*Event) ResolveChownUID ¶
func (ev *Event) ResolveChownUID(e *model.ChownEvent) string
ResolveChownUID resolves the user id of a chown event to a username
func (*Event) ResolveContainerID ¶
func (ev *Event) ResolveContainerID(e *model.ContainerContext) string
ResolveContainerID resolves the container ID of the event
func (*Event) ResolveCredentialsCapEffective ¶
func (ev *Event) ResolveCredentialsCapEffective(e *model.Credentials) int
ResolveCredentialsCapEffective resolves the cap_effective kernel capability of the process
func (*Event) ResolveCredentialsCapPermitted ¶
func (ev *Event) ResolveCredentialsCapPermitted(e *model.Credentials) int
ResolveCredentialsCapPermitted resolves the cap_permitted kernel capability of the process
func (*Event) ResolveCredentialsEGID ¶
func (ev *Event) ResolveCredentialsEGID(e *model.Credentials) int
ResolveCredentialsEGID resolves the effective group id of the process
func (*Event) ResolveCredentialsEGroup ¶
func (ev *Event) ResolveCredentialsEGroup(e *model.Credentials) string
ResolveCredentialsEGroup resolves the effective group id of the process to a group name
func (*Event) ResolveCredentialsEUID ¶
func (ev *Event) ResolveCredentialsEUID(e *model.Credentials) int
ResolveCredentialsEUID resolves the effective user id of the process
func (*Event) ResolveCredentialsEUser ¶
func (ev *Event) ResolveCredentialsEUser(e *model.Credentials) string
ResolveCredentialsEUser resolves the effective user id of the process to a username
func (*Event) ResolveCredentialsFSGID ¶
func (ev *Event) ResolveCredentialsFSGID(e *model.Credentials) int
ResolveCredentialsFSGID resolves the file-system group id of the process
func (*Event) ResolveCredentialsFSGroup ¶
func (ev *Event) ResolveCredentialsFSGroup(e *model.Credentials) string
ResolveCredentialsFSGroup resolves the file-system group id of the process to a group name
func (*Event) ResolveCredentialsFSUID ¶
func (ev *Event) ResolveCredentialsFSUID(e *model.Credentials) int
ResolveCredentialsFSUID resolves the file-system user id of the process
func (*Event) ResolveCredentialsFSUser ¶
func (ev *Event) ResolveCredentialsFSUser(e *model.Credentials) string
ResolveCredentialsFSUser resolves the file-system user id of the process to a username
func (*Event) ResolveCredentialsGID ¶
func (ev *Event) ResolveCredentialsGID(e *model.Credentials) int
ResolveCredentialsGID resolves the group id of the process
func (*Event) ResolveCredentialsGroup ¶
func (ev *Event) ResolveCredentialsGroup(e *model.Credentials) string
ResolveCredentialsGroup resolves the group id of the process to a group name
func (*Event) ResolveCredentialsUID ¶
func (ev *Event) ResolveCredentialsUID(e *model.Credentials) int
ResolveCredentialsUID resolves the user id of the process
func (*Event) ResolveCredentialsUser ¶
func (ev *Event) ResolveCredentialsUser(e *model.Credentials) string
ResolveCredentialsUser resolves the user id of the process to a username
func (*Event) ResolveEventTimestamp ¶
ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time
func (*Event) ResolveExecArgs ¶
ResolveExecArgs resolves the args of the event
func (*Event) ResolveExecArgsFlags ¶
ResolveExecArgsFlags resolves the arguments flags of the event
func (*Event) ResolveExecArgsOptions ¶
ResolveExecArgsOptions resolves the arguments options of the event
func (*Event) ResolveExecArgv ¶
ResolveExecArgv resolves the args of the event as an array
func (*Event) ResolveExecEnvs ¶
ResolveExecEnvs resolves the envs of the event
func (*Event) ResolveFileBasename ¶
ResolveFileBasename resolves the inode to the file's basename
func (*Event) ResolveFileContainerPath ¶
ResolveFileContainerPath resolves the inode to a path relative to the container
func (*Event) ResolveFileFilesystem ¶
ResolveFileFilesystem resolves the filesystem a file resides in
func (*Event) ResolveFileInUpperLayer ¶
ResolveFileInUpperLayer resolves whether the file is in an upper layer
func (*Event) ResolveFileInode ¶
ResolveFileInode resolves the inode to a full path
func (*Event) ResolveGroup ¶
func (ev *Event) ResolveGroup(e *model.FileFields) string
ResolveGroup resolves the group id of the file to a group name
func (*Event) ResolveMountPoint ¶
func (ev *Event) ResolveMountPoint(e *model.MountEvent) string
ResolveMountPoint resolves the mountpoint to a full path
func (*Event) ResolveMountRoot ¶
func (ev *Event) ResolveMountRoot(e *model.MountEvent) string
ResolveMountRoot resolves the mount root to a full path
func (*Event) ResolveProcessBasename ¶
ResolveProcessBasename resolves the inode to a filename
func (*Event) ResolveProcessCacheEntry ¶
func (ev *Event) ResolveProcessCacheEntry() *model.ProcessCacheEntry
ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessCacheEntry of the event
func (*Event) ResolveProcessComm ¶
ResolveProcessComm resolves the comm of the process
func (*Event) ResolveProcessContainerPath ¶
ResolveProcessContainerPath resolves the inode to a path relative to the container
func (*Event) ResolveProcessContextGroup ¶
func (ev *Event) ResolveProcessContextGroup(p *model.ProcessContext) string
ResolveProcessContextGroup resolves the group id of the process to a group name
func (*Event) ResolveProcessContextUser ¶
func (ev *Event) ResolveProcessContextUser(p *model.ProcessContext) string
ResolveProcessContextUser resolves the user id of the process to a username
func (*Event) ResolveProcessCookie ¶
ResolveProcessCookie resolves the cookie of the process
func (*Event) ResolveProcessFilesystem ¶
ResolveProcessFilesystem resolves the filesystem an executable resides in
func (*Event) ResolveProcessInode ¶
ResolveProcessInode resolves the executable inode to a full path
func (*Event) ResolveProcessPPID ¶
ResolveProcessPPID resolves the parent process ID
func (*Event) ResolveProcessTTY ¶
ResolveProcessTTY resolves the name of the process tty
func (*Event) ResolveRights ¶
func (ev *Event) ResolveRights(e *model.FileFields) int
ResolveRights resolves the rights of a file
func (*Event) ResolveSetgidEGroup ¶
func (ev *Event) ResolveSetgidEGroup(e *model.SetgidEvent) string
ResolveSetgidEGroup resolves the effective group of the Setgid event
func (*Event) ResolveSetgidFSGroup ¶
func (ev *Event) ResolveSetgidFSGroup(e *model.SetgidEvent) string
ResolveSetgidFSGroup resolves the file-system group of the Setgid event
func (*Event) ResolveSetgidGroup ¶
func (ev *Event) ResolveSetgidGroup(e *model.SetgidEvent) string
ResolveSetgidGroup resolves the group of the Setgid event
func (*Event) ResolveSetuidEUser ¶
func (ev *Event) ResolveSetuidEUser(e *model.SetuidEvent) string
ResolveSetuidEUser resolves the effective user of the Setuid event
func (*Event) ResolveSetuidFSUser ¶
func (ev *Event) ResolveSetuidFSUser(e *model.SetuidEvent) string
ResolveSetuidFSUser resolves the file-system user of the Setuid event
func (*Event) ResolveSetuidUser ¶
func (ev *Event) ResolveSetuidUser(e *model.SetuidEvent) string
ResolveSetuidUser resolves the user of the Setuid event
func (*Event) ResolveUser ¶
func (ev *Event) ResolveUser(e *model.FileFields) string
ResolveUser resolves the user id of the file to a username
func (*Event) SetFieldValue ¶
func (*Event) SetPathResolutionError ¶
SetPathResolutionError sets the Event.pathResolutionError
type EventContextSerializer ¶
type EventContextSerializer struct { Name string `json:"name,omitempty"` Category string `json:"category,omitempty"` Outcome string `json:"outcome,omitempty"` }
EventContextSerializer serializes an event context to JSON easyjson:json
func (EventContextSerializer) MarshalEasyJSON ¶
func (v EventContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (EventContextSerializer) MarshalJSON ¶
func (v EventContextSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*EventContextSerializer) UnmarshalEasyJSON ¶
func (v *EventContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*EventContextSerializer) UnmarshalJSON ¶
func (v *EventContextSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type EventHandler ¶
type EventHandler interface { HandleEvent(event *Event) HandleCustomEvent(rule *rules.Rule, event *CustomEvent) }
EventHandler represents a handler for the events sent by the probe
type EventLostRead ¶
type EventLostRead struct { Timestamp time.Time `json:"date"` Name string `json:"map"` Lost int64 `json:"lost"` }
EventLostRead is the event used to report lost events detected from user space easyjson:json
func (EventLostRead) MarshalEasyJSON ¶
func (v EventLostRead) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (EventLostRead) MarshalJSON ¶
func (v EventLostRead) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*EventLostRead) UnmarshalEasyJSON ¶
func (v *EventLostRead) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*EventLostRead) UnmarshalJSON ¶
func (v *EventLostRead) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type EventLostWrite ¶
type EventLostWrite struct { Timestamp time.Time `json:"date"` Name string `json:"map"` Lost map[string]uint64 `json:"perEvent"` }
EventLostWrite is the event used to report lost events detected from kernel space easyjson:json
func (EventLostWrite) MarshalEasyJSON ¶
func (v EventLostWrite) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (EventLostWrite) MarshalJSON ¶
func (v EventLostWrite) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*EventLostWrite) UnmarshalEasyJSON ¶
func (v *EventLostWrite) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*EventLostWrite) UnmarshalJSON ¶
func (v *EventLostWrite) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type EventSerializer ¶
type EventSerializer struct { *EventContextSerializer `json:"evt,omitempty"` *FileEventSerializer `json:"file,omitempty"` UserContextSerializer UserContextSerializer `json:"usr,omitempty"` ProcessContextSerializer *ProcessContextSerializer `json:"process,omitempty"` ContainerContextSerializer *ContainerContextSerializer `json:"container,omitempty"` Date time.Time `json:"date,omitempty"` }
EventSerializer serializes an event to JSON easyjson:json
func (EventSerializer) MarshalEasyJSON ¶
func (v EventSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (EventSerializer) MarshalJSON ¶
func (v EventSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*EventSerializer) UnmarshalEasyJSON ¶
func (v *EventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*EventSerializer) UnmarshalJSON ¶
func (v *EventSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type FileEventSerializer ¶
type FileEventSerializer struct { FileSerializer `json:",omitempty"` Destination *FileSerializer `json:"destination,omitempty"` // Specific to mount events NewMountID uint32 `json:"newMountId,omitempty"` GroupID uint32 `json:"groupId,omitempty"` Device uint32 `json:"device,omitempty"` FSType string `json:"fstype,omitempty"` }
FileEventSerializer serializes a file event to JSON easyjson:json
func (FileEventSerializer) MarshalEasyJSON ¶
func (v FileEventSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (FileEventSerializer) MarshalJSON ¶
func (v FileEventSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*FileEventSerializer) UnmarshalEasyJSON ¶
func (v *FileEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*FileEventSerializer) UnmarshalJSON ¶
func (v *FileEventSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type FileSerializer ¶
type FileSerializer struct { Path string `json:"path,omitempty"` Name string `json:"name,omitempty"` ContainerPath string `json:"containerPath,omitempty"` PathResolutionError string `json:"pathResolutionError,omitempty"` Inode *uint64 `json:"inode,omitempty"` Mode *uint32 `json:"mode,omitempty"` InUpperLayer *bool `json:"inUpperLayer,omitempty"` MountID *uint32 `json:"mountId,omitempty"` Filesystem string `json:"filesystem,omitempty"` UID uint32 `json:"uid,omitempty"` GID uint32 `json:"gid,omitempty"` User string `json:"user,omitempty"` Group string `json:"group,omitempty"` XAttrName string `json:"attributeName,omitempty"` XAttrNamespace string `json:"attributeNamespace,omitempty"` Flags []string `json:"flags,omitempty"` Atime *time.Time `json:"accessTime,omitempty"` Mtime *time.Time `json:"modificationTime,omitempty"` Ctime *time.Time `json:"changeTime,omitempty"` }
FileSerializer serializes a file to JSON easyjson:json
func (FileSerializer) MarshalEasyJSON ¶
func (v FileSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (FileSerializer) MarshalJSON ¶
func (v FileSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*FileSerializer) UnmarshalEasyJSON ¶
func (v *FileSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*FileSerializer) UnmarshalJSON ¶
func (v *FileSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type FilterPolicy ¶
type FilterPolicy struct { Mode PolicyMode Flags PolicyFlag }
FilterPolicy describes a filtering policy
func (*FilterPolicy) Bytes ¶
func (f *FilterPolicy) Bytes() ([]byte, error)
Bytes returns the binary representation of a FilterPolicy
type KernelVersion ¶
type KernelVersion struct {
// contains filtered or unexported fields
}
KernelVersion defines a kernel version helper
func NewKernelVersion ¶
func NewKernelVersion() (*KernelVersion, error)
NewKernelVersion returns a new kernel version helper
func (*KernelVersion) IsRH7Kernel ¶
func (k *KernelVersion) IsRH7Kernel() bool
IsRH7Kernel returns whether the kernel is a rh7 kernel
func (*KernelVersion) IsRH8Kernel ¶
func (k *KernelVersion) IsRH8Kernel() bool
IsRH8Kernel returns whether the kernel is a rh8 kernel
func (*KernelVersion) IsSLES12Kernel ¶
func (k *KernelVersion) IsSLES12Kernel() bool
IsSLES12Kernel returns whether the kernel is a sles 12 kernel
func (*KernelVersion) IsSLES15Kernel ¶
func (k *KernelVersion) IsSLES15Kernel() bool
IsSLES15Kernel returns whether the kernel is a sles 15 kernel
func (*KernelVersion) IsSuseKernel ¶
func (k *KernelVersion) IsSuseKernel() bool
IsSuseKernel returns whether the kernel is a suse kernel
type LoadController ¶
type LoadController struct { sync.RWMutex EventsCountThreshold int64 DiscarderTimeout time.Duration ControllerPeriod time.Duration // contains filtered or unexported fields }
LoadController is used to monitor and control the pressure put on the host
func NewLoadController ¶
func NewLoadController(probe *Probe, statsdClient *statsd.Client) (*LoadController, error)
NewLoadController instantiates a new load controller
func (*LoadController) Count ¶
func (lc *LoadController) Count(event *Event)
Count processes the provided events and ensures the load of the provided event type is within the configured limits
func (*LoadController) GenericCount ¶
func (lc *LoadController) GenericCount(event *Event)
GenericCount increments the event counter of the provided event type and pid
func (*LoadController) Start ¶
func (lc *LoadController) Start(ctx context.Context)
Start resets the internal counters periodically
type Model ¶
Model describes the data model for the runtime security agent probe events
func (*Model) GetEvaluator ¶
func (*Model) GetEventTypes ¶
type Monitor ¶
type Monitor struct {
// contains filtered or unexported fields
}
Monitor regroups all the work we want to do to monitor the probes we pushed in the kernel
func NewMonitor ¶
NewMonitor returns a new instance of a ProbeMonitor
func (*Monitor) GetPerfBufferMonitor ¶
func (m *Monitor) GetPerfBufferMonitor() *PerfBufferMonitor
GetPerfBufferMonitor returns the perf buffer monitor
func (*Monitor) ProcessEvent ¶
ProcessEvent processes an event through the various monitors and controllers of the probe
func (*Monitor) ProcessLostEvent ¶
ProcessLostEvent processes a lost event through the various monitors and controllers of the probe
func (*Monitor) ReportRuleSetLoaded ¶
ReportRuleSetLoaded reports to Datadog that new ruleset was loaded
type MountResolver ¶
type MountResolver struct {
// contains filtered or unexported fields
}
MountResolver represents a cache for mountpoints and the corresponding file systems
func NewMountResolver ¶
func NewMountResolver(probe *Probe) *MountResolver
NewMountResolver instantiates a new mount resolver
func (*MountResolver) Delete ¶
func (mr *MountResolver) Delete(mountID uint32) error
Delete removes a mount from the cache
func (*MountResolver) GetFilesystem ¶
func (mr *MountResolver) GetFilesystem(mountID uint32) string
GetFilesystem returns the name of the filesystem
func (*MountResolver) GetMountPath ¶
GetMountPath returns the path of a mount identified by its mount ID. The first path is the container mount path if it exists
func (*MountResolver) Insert ¶
func (mr *MountResolver) Insert(e model.MountEvent)
Insert adds a new mount point to the cache
func (*MountResolver) IsOverlayFS ¶
func (mr *MountResolver) IsOverlayFS(mountID uint32) bool
IsOverlayFS returns whether the mount identified by mountID is an overlay filesystem
func (*MountResolver) Start ¶
func (mr *MountResolver) Start(ctx context.Context)
Start starts the resolver
type NoisyProcessEvent ¶
type NoisyProcessEvent struct { Timestamp time.Time `json:"date"` Event string `json:"eventType"` Count uint64 `json:"pidCount"` Threshold int64 `json:"threshold"` ControlPeriod time.Duration `json:"controlPeriod"` DiscardedUntil time.Time `json:"discardedUntil"` Process *ProcessContextSerializer `json:"process"` }
NoisyProcessEvent is used to report that a noisy process was temporarily discarded easyjson:json
func (NoisyProcessEvent) MarshalEasyJSON ¶
func (v NoisyProcessEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (NoisyProcessEvent) MarshalJSON ¶
func (v NoisyProcessEvent) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*NoisyProcessEvent) UnmarshalEasyJSON ¶
func (v *NoisyProcessEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*NoisyProcessEvent) UnmarshalJSON ¶
func (v *NoisyProcessEvent) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type PathKey ¶
PathKey identifies an entry in the dentry cache
func (*PathKey) MarshalBinary ¶
MarshalBinary returns the binary representation of a path key
type PathValue ¶
type PathValue struct { Parent PathKey Name [model.MaxSegmentLength + 1]byte }
PathValue describes a value of an entry of the cache
type PerfBufferMonitor ¶
type PerfBufferMonitor struct {
// contains filtered or unexported fields
}
PerfBufferMonitor holds statistics about the number of lost and received events
func NewPerfBufferMonitor ¶
func NewPerfBufferMonitor(p *Probe, client *statsd.Client) (*PerfBufferMonitor, error)
NewPerfBufferMonitor instantiates a new event statistics counter
func (*PerfBufferMonitor) CountEvent ¶
func (pbm *PerfBufferMonitor) CountEvent(eventType model.EventType, timestamp uint64, count uint64, size uint64, m *manager.PerfMap, cpu int)
CountEvent adds `count` to the counter of received events of the specified type
func (*PerfBufferMonitor) CountLostEvent ¶
func (pbm *PerfBufferMonitor) CountLostEvent(count uint64, m *manager.PerfMap, cpu int)
CountLostEvent adds `count` to the counter of lost events
func (*PerfBufferMonitor) GetAndResetKernelLostCount ¶
func (pbm *PerfBufferMonitor) GetAndResetKernelLostCount(perfMap string, cpu int, evtTypes ...model.EventType) uint64
GetAndResetKernelLostCount returns the number of lost events for a given map and cpu. If a cpu of -1 is provided, the function will return the sum of all the lost events of all the cpus.
func (*PerfBufferMonitor) GetAndResetLostCount ¶
func (pbm *PerfBufferMonitor) GetAndResetLostCount(perfMap string, cpu int) uint64
GetAndResetLostCount returns the number of lost events and resets the counter for a given map and cpu. If a cpu of -1 is provided, the function will reset the counters of all the cpus for the provided map, and return the sum of all the lost events of all the cpus of the provided map.
func (*PerfBufferMonitor) GetEventStats ¶
func (pbm *PerfBufferMonitor) GetEventStats(eventType model.EventType, perfMap string, cpu int) PerfMapStats
GetEventStats returns the number of received events of the specified type and resets the counter
func (*PerfBufferMonitor) GetLostCount ¶
func (pbm *PerfBufferMonitor) GetLostCount(perfMap string, cpu int) uint64
GetLostCount returns the number of lost events for a given map and cpu. If a cpu of -1 is provided, the function will return the sum of all the lost events of all the cpus.
func (*PerfBufferMonitor) SendStats ¶
func (pbm *PerfBufferMonitor) SendStats() error
SendStats sends event stats using the provided statsd client
type PerfMapStats ¶
PerfMapStats contains the collected metrics for one event and one cpu in a perf buffer statistics map
func (*PerfMapStats) UnmarshalBinary ¶
func (s *PerfMapStats) UnmarshalBinary(data []byte) error
UnmarshalBinary parses a map entry and populates the current PerfMapStats instance
type PoliciesIgnored ¶
type PoliciesIgnored struct {
Errors *multierror.Error
}
PoliciesIgnored holds the errors
func (*PoliciesIgnored) MarshalJSON ¶
func (r *PoliciesIgnored) MarshalJSON() ([]byte, error)
MarshalJSON is a custom JSON marshaller
func (*PoliciesIgnored) UnmarshalJSON ¶
func (r *PoliciesIgnored) UnmarshalJSON(data []byte) error
UnmarshalJSON is an empty unmarshaller
type PolicyFlag ¶
type PolicyFlag uint8
PolicyFlag is a bitmask of the active filtering policies
const ( PolicyFlagBasename PolicyFlag = 1 PolicyFlagFlags PolicyFlag = 2 PolicyFlagMode PolicyFlag = 4 // need to be aligned with the kernel size BasenameFilterSize = 255 )
Policy flags
func (PolicyFlag) MarshalJSON ¶
func (f PolicyFlag) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the policy flags
type PolicyLoaded ¶
type PolicyLoaded struct { Version string RulesLoaded []*RuleLoaded `json:"rulesLoaded"` RulesIgnored []*RuleIgnored `json:"rulesIgnored,omitempty"` }
PolicyLoaded is used to report policy was loaded easyjson:json
func (PolicyLoaded) MarshalEasyJSON ¶
func (v PolicyLoaded) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (PolicyLoaded) MarshalJSON ¶
func (v PolicyLoaded) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*PolicyLoaded) UnmarshalEasyJSON ¶
func (v *PolicyLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*PolicyLoaded) UnmarshalJSON ¶
func (v *PolicyLoaded) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type PolicyMode ¶
type PolicyMode uint8
PolicyMode represents the policy mode (accept or deny)
const ( PolicyModeNoFilter PolicyMode = iota PolicyModeAccept PolicyModeDeny )
Policy modes
func (PolicyMode) MarshalJSON ¶
func (m PolicyMode) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the policy mode
func (PolicyMode) String ¶
func (m PolicyMode) String() string
type PolicyReport ¶
type PolicyReport struct { Mode PolicyMode Flags PolicyFlag Approvers rules.Approvers }
PolicyReport describes the result of the kernel policy and the approvers for an event type
type Probe ¶
type Probe struct {
// contains filtered or unexported fields
}
Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel
func (*Probe) ApplyFilterPolicy ¶
func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
ApplyFilterPolicy is called when a passing policy for an event type is applied
func (*Probe) DispatchCustomEvent ¶
func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *CustomEvent)
DispatchCustomEvent sends a custom event to the probe event handler
func (*Probe) DispatchEvent ¶
DispatchEvent sends an event to the probe event handler
func (*Probe) FlushDiscarders ¶
FlushDiscarders removes all the discarders
func (*Probe) GetDebugStats ¶
GetDebugStats returns the debug stats
func (*Probe) GetMonitor ¶
GetMonitor returns the monitor of the probe
func (*Probe) GetResolvers ¶
GetResolvers returns the resolvers of Probe
func (*Probe) NewRuleSet ¶
NewRuleSet returns a new rule set
func (*Probe) OnNewDiscarder ¶
func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, event *Event, field eval.Field, eventType eval.EventType) error
OnNewDiscarder is called when a new discarder is found
func (*Probe) SelectProbes ¶
SelectProbes applies the loaded set of rules and returns a report of the applied approvers for it.
func (*Probe) SetApprovers ¶
SetApprovers applies approvers and removes the unused ones
func (*Probe) SetEventHandler ¶
func (p *Probe) SetEventHandler(handler EventHandler)
SetEventHandler sets the probe event handler
type ProcessCacheEntrySerializer ¶
type ProcessCacheEntrySerializer struct { Pid uint32 `json:"pid,omitempty"` PPid uint32 `json:"ppid,omitempty"` Tid uint32 `json:"tid,omitempty"` UID int `json:"uid"` GID int `json:"gid"` User string `json:"user,omitempty"` Group string `json:"group,omitempty"` ContainerPath string `json:"executableContainerPath,omitempty"` Path string `json:"executablePath,omitempty"` PathResolutionError string `json:"pathResolutionError,omitempty"` Comm string `json:"comm,omitempty"` Inode uint64 `json:"executableInode,omitempty"` MountID uint32 `json:"executableMountId,omitempty"` Filesystem string `json:"executableFilesystem,omitempty"` TTY string `json:"tty,omitempty"` ForkTime *time.Time `json:"forkTime,omitempty"` ExecTime *time.Time `json:"execTime,omitempty"` ExitTime *time.Time `json:"exitTime,omitempty"` Credentials *ProcessCredentialsSerializer `json:"credentials,omitempty"` Executable *FileSerializer `json:"executable,omitempty"` Container *ContainerContextSerializer `json:"container,omitempty"` Args []string `json:"args,omitempty"` ArgsTruncated bool `json:"argsTruncated,omitempty"` Envs []string `json:"envs,omitempty"` EnvsTruncated bool `json:"envsTruncated,omitempty"` }
ProcessCacheEntrySerializer serializes a process cache entry to JSON easyjson:json
func (ProcessCacheEntrySerializer) MarshalEasyJSON ¶
func (v ProcessCacheEntrySerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (ProcessCacheEntrySerializer) MarshalJSON ¶
func (v ProcessCacheEntrySerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*ProcessCacheEntrySerializer) UnmarshalEasyJSON ¶
func (v *ProcessCacheEntrySerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*ProcessCacheEntrySerializer) UnmarshalJSON ¶
func (v *ProcessCacheEntrySerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type ProcessContextSerializer ¶
type ProcessContextSerializer struct { *ProcessCacheEntrySerializer Parent *ProcessCacheEntrySerializer `json:"parent,omitempty"` Ancestors []*ProcessCacheEntrySerializer `json:"ancestors,omitempty"` }
ProcessContextSerializer serializes a process context to JSON easyjson:json
func (ProcessContextSerializer) MarshalEasyJSON ¶
func (v ProcessContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (ProcessContextSerializer) MarshalJSON ¶
func (v ProcessContextSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*ProcessContextSerializer) UnmarshalEasyJSON ¶
func (v *ProcessContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*ProcessContextSerializer) UnmarshalJSON ¶
func (v *ProcessContextSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type ProcessCredentialsSerializer ¶
type ProcessCredentialsSerializer struct { *CredentialsSerializer `json:",omitempty"` Destination interface{} `json:"destination,omitempty"` }
ProcessCredentialsSerializer serializes the process credentials to JSON easyjson:json
func (ProcessCredentialsSerializer) MarshalEasyJSON ¶
func (v ProcessCredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (ProcessCredentialsSerializer) MarshalJSON ¶
func (v ProcessCredentialsSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*ProcessCredentialsSerializer) UnmarshalEasyJSON ¶
func (v *ProcessCredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*ProcessCredentialsSerializer) UnmarshalJSON ¶
func (v *ProcessCredentialsSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type ProcessPath ¶
ProcessPath contains a process path as its binary representation
func (*ProcessPath) IsEmpty ¶
func (p *ProcessPath) IsEmpty() bool
IsEmpty returns true if the current instance of ProcessPath is empty
func (*ProcessPath) UnmarshalBinary ¶
func (p *ProcessPath) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals a binary representation of a ProcessSyscall
type ProcessResolver ¶
ProcessResolver resolves process contexts
func NewProcessResolver ¶
func NewProcessResolver(probe *Probe, resolvers *Resolvers, client *statsd.Client, opts ProcessResolverOpts) (*ProcessResolver, error)
NewProcessResolver returns a new process resolver
func (*ProcessResolver) AddExecEntry ¶
func (p *ProcessResolver) AddExecEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
AddExecEntry adds an entry to the local cache and returns the newly created entry
func (*ProcessResolver) AddForkEntry ¶
func (p *ProcessResolver) AddForkEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
AddForkEntry adds an entry to the local cache and returns the newly created entry
func (*ProcessResolver) DeleteEntry ¶
func (p *ProcessResolver) DeleteEntry(pid uint32, exitTime time.Time)
DeleteEntry tries to delete an entry in the process cache
func (*ProcessResolver) Dump ¶
func (p *ProcessResolver) Dump() (string, error)
Dump creates a temp file and dumps the cache into it
func (*ProcessResolver) Get ¶
func (p *ProcessResolver) Get(pid uint32) *model.ProcessCacheEntry
Get returns the cache entry for a specified pid
func (*ProcessResolver) GetCacheSize ¶
func (p *ProcessResolver) GetCacheSize() float64
GetCacheSize returns the cache size of the process resolver
func (*ProcessResolver) GetEntryCacheSize ¶
func (p *ProcessResolver) GetEntryCacheSize() float64
GetEntryCacheSize returns the cache size of the process resolver
func (*ProcessResolver) Resolve ¶
func (p *ProcessResolver) Resolve(pid, tid uint32) *model.ProcessCacheEntry
Resolve returns the cache entry for the given pid
func (*ProcessResolver) SendStats ¶
func (p *ProcessResolver) SendStats() error
SendStats sends process resolver metrics
func (*ProcessResolver) SetProcessArgs ¶
func (p *ProcessResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
SetProcessArgs sets the arguments on the cache entry
func (*ProcessResolver) SetProcessContainerPath ¶
func (p *ProcessResolver) SetProcessContainerPath(entry *model.ProcessCacheEntry) string
SetProcessContainerPath resolves the container path of the process
func (*ProcessResolver) SetProcessEnvs ¶
func (p *ProcessResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
SetProcessEnvs sets the environment variables on the cache entry
func (*ProcessResolver) SetProcessPath ¶
func (p *ProcessResolver) SetProcessPath(entry *model.ProcessCacheEntry) (string, error)
SetProcessPath resolves the process file path
func (*ProcessResolver) SetTTY ¶
func (p *ProcessResolver) SetTTY(pce *model.ProcessCacheEntry) string
SetTTY resolves the TTY and caches the result
func (*ProcessResolver) Start ¶
func (p *ProcessResolver) Start(ctx context.Context) error
Start starts the resolver
func (*ProcessResolver) SyncCache ¶
func (p *ProcessResolver) SyncCache(proc *process.Process) bool
SyncCache snapshots /proc for the provided pid. This method returns true if it updated the process cache.
func (*ProcessResolver) UpdateArgsEnvs ¶
func (p *ProcessResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
UpdateArgsEnvs updates arguments or environment variables of the given id
func (*ProcessResolver) UpdateCapset ¶
func (p *ProcessResolver) UpdateCapset(pid uint32, e *Event)
UpdateCapset updates the credentials of the provided pid
func (*ProcessResolver) UpdateGID ¶
func (p *ProcessResolver) UpdateGID(pid uint32, e *Event)
UpdateGID updates the credentials of the provided pid
func (*ProcessResolver) UpdateUID ¶
func (p *ProcessResolver) UpdateUID(pid uint32, e *Event)
UpdateUID updates the credentials of the provided pid
type ProcessResolverOpts ¶
type ProcessResolverOpts struct {
DebugCacheSize bool
}
ProcessResolverOpts holds the options of the process resolver
func NewProcessResolverOpts ¶
func NewProcessResolverOpts(debug bool, cookieCacheSize int) ProcessResolverOpts
NewProcessResolverOpts returns a new set of process resolver options
type ProcessSyscall ¶
ProcessSyscall represents a syscall made by a process
func (*ProcessSyscall) IsNull ¶
func (p *ProcessSyscall) IsNull() bool
IsNull returns true if a ProcessSyscall instance is empty
func (*ProcessSyscall) UnmarshalBinary ¶
func (p *ProcessSyscall) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals a binary representation of a ProcessSyscall
type ReOrderer ¶
type ReOrderer struct { Metrics chan ReOrdererMetric // contains filtered or unexported fields }
ReOrderer defines an event re-orderer
func NewReOrderer ¶
func NewReOrderer(handler func(cpu uint64, data []byte), extractInfo func(data []byte) (uint64, uint64, error), opts ReOrdererOpts) *ReOrderer
NewReOrderer returns a new ReOrderer
type ReOrdererMetric ¶
ReOrdererMetric holds reordering metrics
type ReOrdererOpts ¶
type ReOrdererOpts struct { QueueSize uint64 // size of the chan where the perf data are pushed Rate time.Duration // delay between two time based iterations Retention uint64 // bucket to keep before dequeueing MetricRate time.Duration // delay between two metric samples }
ReOrdererOpts options to pass when creating a new instance of ReOrderer
type ReordererMonitor ¶
type ReordererMonitor struct {
// contains filtered or unexported fields
}
ReordererMonitor represents a reorderer monitor
func NewReOrderMonitor ¶
func NewReOrderMonitor(p *Probe, client *statsd.Client) (*ReordererMonitor, error)
NewReOrderMonitor instantiates a new reorder statistics counter
func (*ReordererMonitor) Start ¶
func (r *ReordererMonitor) Start(ctx context.Context)
Start starts the reorderer monitor
type Report ¶
type Report struct {
Policies map[string]*PolicyReport
}
Report describes the event types and their associated policy reports
type Reporter ¶
type Reporter struct {
// contains filtered or unexported fields
}
Reporter describes a reporter of policy application
func (*Reporter) SetApprovers ¶
SetApprovers is called when approvers are applied for an event type
func (*Reporter) SetFilterPolicy ¶
func (r *Reporter) SetFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
SetFilterPolicy is called when a passing policy for an event type is applied
type Resolvers ¶
type Resolvers struct { DentryResolver *DentryResolver MountResolver *MountResolver ContainerResolver *ContainerResolver TimeResolver *TimeResolver ProcessResolver *ProcessResolver UserGroupResolver *UserGroupResolver // contains filtered or unexported fields }
Resolvers holds the list of the event attribute resolvers
func NewResolvers ¶
NewResolvers creates a new instance of Resolvers
func (*Resolvers) ResolveCredentialsEGroup ¶
func (r *Resolvers) ResolveCredentialsEGroup(e *model.Credentials) string
ResolveCredentialsEGroup resolves the effective group id of the process to a group name
func (*Resolvers) ResolveCredentialsEUser ¶
func (r *Resolvers) ResolveCredentialsEUser(e *model.Credentials) string
ResolveCredentialsEUser resolves the effective user id of the process to a username
func (*Resolvers) ResolveCredentialsFSGroup ¶
func (r *Resolvers) ResolveCredentialsFSGroup(e *model.Credentials) string
ResolveCredentialsFSGroup resolves the file-system group id of the process to a group name
func (*Resolvers) ResolveCredentialsFSUser ¶
func (r *Resolvers) ResolveCredentialsFSUser(e *model.Credentials) string
ResolveCredentialsFSUser resolves the file-system user id of the process to a username
func (*Resolvers) ResolveCredentialsGroup ¶
func (r *Resolvers) ResolveCredentialsGroup(e *model.Credentials) string
ResolveCredentialsGroup resolves the group id of the process to a group name
func (*Resolvers) ResolveCredentialsUser ¶
func (r *Resolvers) ResolveCredentialsUser(e *model.Credentials) string
ResolveCredentialsUser resolves the user id of the process to a username
func (*Resolvers) ResolveGroup ¶
func (r *Resolvers) ResolveGroup(e *model.FileFields) string
ResolveGroup resolves the group id of the file to a group name
func (*Resolvers) ResolveInode ¶
ResolveInode resolves the inode to a full path. Returns the path and true if it was entirely resolved
func (*Resolvers) ResolveProcessContextGroup ¶
func (r *Resolvers) ResolveProcessContextGroup(p *model.ProcessContext) string
ResolveProcessContextGroup resolves the group id of the process to a group name
func (*Resolvers) ResolveProcessContextUser ¶
func (r *Resolvers) ResolveProcessContextUser(p *model.ProcessContext) string
ResolveProcessContextUser resolves the user id of the process to a username
func (*Resolvers) ResolveUser ¶
func (r *Resolvers) ResolveUser(e *model.FileFields) string
ResolveUser resolves the user id of the file to a username
type RuleIgnored ¶
// RuleIgnored defines an ignored rule together with the reason it was ignored.
// It is the counterpart of RuleLoaded, with an added Reason field.
//easyjson:json
type RuleIgnored struct {
	ID         string `json:"id"`                // rule identifier
	Version    string `json:"version,omitempty"` // dropped from the JSON when empty
	Expression string `json:"expression"`        // rule expression text
	Reason     string `json:"reason"`            // why the rule was not loaded
}
RuleIgnored defines an ignored rule easyjson:json
func (RuleIgnored) MarshalEasyJSON ¶
func (v RuleIgnored) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (RuleIgnored) MarshalJSON ¶
func (v RuleIgnored) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*RuleIgnored) UnmarshalEasyJSON ¶
func (v *RuleIgnored) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*RuleIgnored) UnmarshalJSON ¶
func (v *RuleIgnored) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type RuleLoaded ¶
// RuleLoaded defines a loaded rule as reported in a ruleset-loaded event.
//easyjson:json
type RuleLoaded struct {
	ID         string `json:"id"`                // rule identifier
	Version    string `json:"version,omitempty"` // dropped from the JSON when empty
	Expression string `json:"expression"`        // rule expression text
}
RuleLoaded defines a loaded rule easyjson:json
func (RuleLoaded) MarshalEasyJSON ¶
func (v RuleLoaded) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (RuleLoaded) MarshalJSON ¶
func (v RuleLoaded) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*RuleLoaded) UnmarshalEasyJSON ¶
func (v *RuleLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*RuleLoaded) UnmarshalJSON ¶
func (v *RuleLoaded) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type RuleSetApplier ¶
// RuleSetApplier defines a rule set applier. It applies rules using an Applier.
// Instances are created by NewRuleSetApplier from a *config.Config and a *Probe;
// the zero value is not documented as usable.
type RuleSetApplier struct {
	// contains filtered or unexported fields
}
RuleSetApplier defines a rule set applier. It applies rules using an Applier
func NewRuleSetApplier ¶
func NewRuleSetApplier(cfg *config.Config, probe *Probe) *RuleSetApplier
NewRuleSetApplier returns a new RuleSetApplier
type RulesetLoadedEvent ¶
// RulesetLoadedEvent is used to report that a new ruleset was loaded.
// NOTE(review): presumably the payload built by NewRuleSetLoadedEvent — confirm.
//easyjson:json
type RulesetLoadedEvent struct {
	Timestamp       time.Time        `json:"date"`                      // serialized under the key "date", not "timestamp"
	PoliciesLoaded  []*PolicyLoaded  `json:"policies"`                  // no omitempty: a nil slice is emitted as null, not []
	PoliciesIgnored *PoliciesIgnored `json:"policiesIgnored,omitempty"` // absent from the JSON when nil
	MacrosLoaded    []rules.MacroID  `json:"macrosLoaded"`              // no omitempty: a nil slice is emitted as null, not []
}
RulesetLoadedEvent is used to report that a new ruleset was loaded easyjson:json
func (RulesetLoadedEvent) MarshalEasyJSON ¶
func (v RulesetLoadedEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (RulesetLoadedEvent) MarshalJSON ¶
func (v RulesetLoadedEvent) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*RulesetLoadedEvent) UnmarshalEasyJSON ¶
func (v *RulesetLoadedEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*RulesetLoadedEvent) UnmarshalJSON ¶
func (v *RulesetLoadedEvent) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type SetgidSerializer ¶
// SetgidSerializer serializes a setgid event: the real, effective and
// file-system group ids, each paired with a group name. The numeric ids are
// always emitted; the name fields are omitted when empty, so consumers and
// detection logic should key on the ids rather than on the names.
//easyjson:json
type SetgidSerializer struct {
	GID     int    `json:"gid"`
	Group   string `json:"group,omitempty"`   // name for GID, omitted when empty
	EGID    int    `json:"egid"`
	EGroup  string `json:"egroup,omitempty"`  // name for EGID, omitted when empty
	FSGID   int    `json:"fsgid"`
	FSGroup string `json:"fsgroup,omitempty"` // name for FSGID, omitted when empty
}
SetgidSerializer serializes a setgid event easyjson:json
func (SetgidSerializer) MarshalEasyJSON ¶
func (v SetgidSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (SetgidSerializer) MarshalJSON ¶
func (v SetgidSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*SetgidSerializer) UnmarshalEasyJSON ¶
func (v *SetgidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*SetgidSerializer) UnmarshalJSON ¶
func (v *SetgidSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type SetuidSerializer ¶
// SetuidSerializer serializes a setuid event: the real, effective and
// file-system user ids, each paired with a username. The numeric ids are
// always emitted; the name fields are omitted when empty, so consumers and
// detection logic should key on the ids rather than on the names.
//easyjson:json
type SetuidSerializer struct {
	UID    int    `json:"uid"`
	User   string `json:"user,omitempty"`   // name for UID, omitted when empty
	EUID   int    `json:"euid"`
	EUser  string `json:"euser,omitempty"`  // name for EUID, omitted when empty
	FSUID  int    `json:"fsuid"`
	FSUser string `json:"fsuser,omitempty"` // name for FSUID, omitted when empty
}
SetuidSerializer serializes a setuid event easyjson:json
func (SetuidSerializer) MarshalEasyJSON ¶
func (v SetuidSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (SetuidSerializer) MarshalJSON ¶
func (v SetuidSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*SetuidSerializer) UnmarshalEasyJSON ¶
func (v *SetuidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*SetuidSerializer) UnmarshalJSON ¶
func (v *SetuidSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type Syscall ¶
// Syscall represents a syscall identifier. Its values are the SysXxx
// constants declared below. Because Syscall implements MarshalText, text
// based encoders (encoding/json included) emit the textual form rather
// than the raw integer.
type Syscall int
Syscall represents a syscall identifier
// Linux syscall identifiers. SysRead is 0 (iota) and each following constant
// is the previous one plus one, so the numeric value is fixed by declaration
// order. NOTE(review): the order appears to follow the x86_64 syscall table
// (read=0, write=1, open=2, … prlimit64) — confirm against syscalls.go before
// relying on the numeric values on another architecture.
// NOTE(review): SysTimersysReadGettime is an unusual name next to
// SysTimerSettime / SysTimerGetoverrun; it looks like a renaming artifact —
// verify it is intended (renaming it would change the exported API).
const ( SysRead Syscall = iota SysWrite SysOpen SysClose SysStat SysFstat SysLstat SysPoll SysLseek SysMmap SysMprotect SysMunmap SysBrk SysRtSigaction SysRtSigprocmask SysRtSigreturn SysIoctl SysPread64 SysPwrite64 SysReadv SysWritev SysAccess SysPipe SysSelect SysSchedYield SysMremap SysMsync SysMincore SysMadvise SysShmget SysShmat SysShmctl SysDup SysDup2 SysPause SysNanosleep SysGetitimer SysAlarm SysSetitimer SysGetpid SysSendfile SysSocket SysConnect SysAccept SysSendto SysRecvfrom SysSendmsg SysRecvmsg SysShutdown SysBind SysListen SysGetsockname SysGetpeername SysSocketpair SysSetsockopt SysGetsockopt SysClone SysFork SysVfork SysExecve SysExit SysWait4 SysKill SysUname SysSemget SysSemop SysSemctl SysShmdt SysMsgget SysMsgsnd SysMsgrcv SysMsgctl SysFcntl SysFlock SysFsync SysFdatasync SysTruncate SysFtruncate SysGetdents SysGetcwd SysChdir SysFchdir SysRename SysMkdir SysRmdir SysCreat SysLink SysUnlink SysSymlink SysReadlink SysChmod SysFchmod SysChown SysFchown SysLchown SysUmask SysGettimeofday SysGetrlimit SysGetrusage SysSysinfo SysTimes SysPtrace SysGetuid SysSyslog SysGetgid SysSetuid SysSetgid SysGeteuid SysGetegid SysSetpgid SysGetppid SysGetpgrp SysSetsid SysSetreuid SysSetregid SysGetgroups SysSetgroups SysSetresuid SysGetresuid SysSetresgid SysGetresgid SysGetpgid SysSetfsuid SysSetfsgid SysGetsid SysCapget SysCapset SysRtSigpending SysRtSigtimedwait SysRtSigqueueinfo SysRtSigsuspend SysSigaltstack SysUtime SysMknod SysUselib SysPersonality SysUstat SysStatfs SysFstatfs SysSysfs SysGetpriority SysSetpriority SysSchedSetparam SysSchedGetparam SysSchedSetscheduler SysSchedGetscheduler SysSchedGetPriorityMax SysSchedGetPriorityMin SysSchedRrGetInterval SysMlock SysMunlock SysMlockall SysMunlockall SysVhangup SysModifyLdt SysPivotRoot SysSysctl SysPrctl SysArchPrctl SysAdjtimex SysSetrlimit SysChroot SysSync SysAcct SysSettimeofday SysMount SysUmount2 SysSwapon SysSwapoff SysReboot SysSethostname SysSetdomainname SysIopl SysIoperm SysCreateModule
SysInitModule SysDeleteModule SysGetKernelSyms SysQueryModule SysQuotactl SysNfsservctl SysGetpmsg SysPutpmsg SysAfsSyscall SysTuxcall SysSecurity SysGettid SysReadahead SysSetxattr SysLsetxattr SysFsetxattr SysGetxattr SysLgetxattr SysFgetxattr SysListxattr SysLlistxattr SysFlistxattr SysRemovexattr SysLremovexattr SysFremovexattr SysTkill SysTime SysFutex SysSchedSetaffinity SysSchedGetaffinity SysSetThreadArea SysIoSetup SysIoDestroy SysIoGetevents SysIoSubmit SysIoCancel SysGetThreadArea SysEpollCreate SysEpollCtlOld SysEpollWaitOld SysRemapFilePages SysGetdents64 SysSetTidAddress SysRestartSyscall SysSemtimedop SysFadvise64 SysTimerCreate SysTimerSettime SysTimersysReadGettime SysTimerGetoverrun SysTimerDelete SysClockSettime SysClockGettime SysClockGetres SysClockNanosleep SysExitGroup SysEpollWait SysEpollCtl SysTgkill SysUtimes SysVserver SysMbind SysSetMempolicy SysGetMempolicy SysMqOpen SysMqUnlink SysMqTimedsend SysMqTimedreceive SysMqNotify SysMqGetsetattr SysKexecLoad SysWaitid SysAddKey SysRequestKey SysKeyctl SysIoprioSet SysIoprioGet SysInotifyInit SysInotifyAddWatch SysInotifyRmWatch SysMigratePages SysOpenat SysMkdirat SysMknodat SysFchownat SysFutimesat SysNewfstatat SysUnlinkat SysRenameat SysLinkat SysSymlinkat SysReadlinkat SysFchmodat SysFaccessat SysPselect6 SysPpoll SysSetRobustList SysGetRobustList SysSplice SysTee SysSyncFileRange SysVmsplice SysMovePages SysUtimensat SysEpollPwait SysSignalfd SysTimerfdCreate SysEventfd SysFallocate SysTimerfdSettime SysTimerfdGettime SysAccept4 SysSignalfd4 SysEventfd2 SysEpollCreate1 SysDup3 SysPipe2 SysInotifyInit1 SysPreadv SysPwritev SysRtTgsigqueueinfo SysPerfEventOpen SysRecvmmsg SysFanotifyInit SysFanotifyMark SysPrlimit64 )
Linux syscall identifiers
func (Syscall) MarshalText ¶
MarshalText maps the syscall identifier to UTF-8-encoded text and returns the result
type SyscallMonitor ¶
// SyscallMonitor monitors syscalls using eBPF maps filled using kernel
// tracepoints. It is created by NewSyscallMonitor from a *manager.Manager;
// CollectStats pushes the map contents into a SyscallStatsCollector and
// GetStats returns them as an in-memory *SyscallStats.
type SyscallMonitor struct {
	// contains filtered or unexported fields
}
SyscallMonitor monitors syscalls using eBPF maps filled using kernel tracepoints
func NewSyscallMonitor ¶
func NewSyscallMonitor(manager *manager.Manager) (*SyscallMonitor, error)
NewSyscallMonitor instantiates a new syscall monitor
func (*SyscallMonitor) CollectStats ¶
func (sm *SyscallMonitor) CollectStats(collector SyscallStatsCollector) error
CollectStats fetches the syscall statistics from the eBPF maps
func (*SyscallMonitor) GetStats ¶
func (sm *SyscallMonitor) GetStats() (*SyscallStats, error)
GetStats returns the syscall statistics
type SyscallStats ¶
SyscallStats collects syscall statistics and stores them in memory
func (*SyscallStats) CountConcurrentSyscalls ¶
func (s *SyscallStats) CountConcurrentSyscalls(count int64) error
CountConcurrentSyscalls counts the number of syscalls that are currently being executed
func (*SyscallStats) CountExec ¶
func (s *SyscallStats) CountExec(process string, count uint64) error
CountExec counts the number of times a process was executed
func (*SyscallStats) CountSyscall ¶
func (s *SyscallStats) CountSyscall(process string, syscallID Syscall, count uint64) error
CountSyscall counts the number of calls of a syscall by a process
type SyscallStatsCollector ¶
// SyscallStatsCollector is the interface implemented by an object that
// collects syscall statistics. SyscallMonitor.CollectStats feeds it; the
// in-memory SyscallStats and the statsd-backed SyscallStatsdCollector are
// the two implementations in this package.
type SyscallStatsCollector interface {
	// CountSyscall records count calls of syscallID made by process.
	CountSyscall(process string, syscallID Syscall, count uint64) error
	// CountExec records that process was executed count times.
	CountExec(process string, count uint64) error
	// CountConcurrentSyscalls records the number of syscalls currently being executed.
	CountConcurrentSyscalls(count int64) error
}
SyscallStatsCollector is the interface implemented by an object that collects syscall statistics
type SyscallStatsdCollector ¶
// SyscallStatsdCollector collects syscall statistics and sends them to statsd.
// It implements SyscallStatsCollector (CountSyscall, CountExec,
// CountConcurrentSyscalls); the statsd client lives in the unexported fields.
type SyscallStatsdCollector struct {
	// contains filtered or unexported fields
}
SyscallStatsdCollector collects syscall statistics and sends them to statsd
func (*SyscallStatsdCollector) CountConcurrentSyscalls ¶
func (s *SyscallStatsdCollector) CountConcurrentSyscalls(count int64) error
CountConcurrentSyscalls counts the number of syscalls that are currently being executed
func (*SyscallStatsdCollector) CountExec ¶
func (s *SyscallStatsdCollector) CountExec(process string, count uint64) error
CountExec counts the number of times a process was executed
func (*SyscallStatsdCollector) CountSyscall ¶
func (s *SyscallStatsdCollector) CountSyscall(process string, syscallID Syscall, count uint64) error
CountSyscall counts the number of calls of a syscall by a process
type TimeResolver ¶
// TimeResolver converts kernel monotonic timestamps to absolute times.
// NewTimeResolver builds it; ResolveMonotonicTimestamp converts a raw uint64
// kernel timestamp to a time.Time and ComputeMonotonicTimestamp does the
// reverse. The reference point used for the conversion is kept in the
// unexported fields.
type TimeResolver struct {
	// contains filtered or unexported fields
}
TimeResolver converts kernel monotonic timestamps to absolute times
func NewTimeResolver ¶
func NewTimeResolver() (*TimeResolver, error)
NewTimeResolver returns a new time resolver
func (*TimeResolver) ComputeMonotonicTimestamp ¶
func (tr *TimeResolver) ComputeMonotonicTimestamp(timestamp time.Time) int64
ComputeMonotonicTimestamp converts an absolute time to a kernel monotonic timestamp
func (*TimeResolver) ResolveMonotonicTimestamp ¶
func (tr *TimeResolver) ResolveMonotonicTimestamp(timestamp uint64) time.Time
ResolveMonotonicTimestamp converts a kernel monotonic timestamp to an absolute time
type UserContextSerializer ¶
// UserContextSerializer serializes a user context to JSON.
// NOTE(review): User is emitted under the key "id" while Group is emitted
// under "group"; a consumer looking for a "user" key will not find it.
// Confirm the key is intended — changing it would break existing consumers
// of the event stream.
//easyjson:json
type UserContextSerializer struct {
	User  string `json:"id,omitempty"`    // presumably the resolved user name; omitted when empty
	Group string `json:"group,omitempty"` // presumably the resolved group name; omitted when empty
}
UserContextSerializer serializes a user context to JSON easyjson:json
func (UserContextSerializer) MarshalEasyJSON ¶
func (v UserContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (UserContextSerializer) MarshalJSON ¶
func (v UserContextSerializer) MarshalJSON() ([]byte, error)
MarshalJSON supports json.Marshaler interface
func (*UserContextSerializer) UnmarshalEasyJSON ¶
func (v *UserContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (*UserContextSerializer) UnmarshalJSON ¶
func (v *UserContextSerializer) UnmarshalJSON(data []byte) error
UnmarshalJSON supports json.Unmarshaler interface
type UserGroupResolver ¶
// UserGroupResolver resolves user and group ids to names. NewUserGroupResolver
// builds it; ResolveUser and ResolveGroup take a numeric uid/gid and return the
// name or an error when the id cannot be resolved.
type UserGroupResolver struct {
	// contains filtered or unexported fields
}
UserGroupResolver resolves user and group ids to names
func NewUserGroupResolver ¶
func NewUserGroupResolver() (*UserGroupResolver, error)
NewUserGroupResolver instantiates a new user and group resolver
func (*UserGroupResolver) ResolveGroup ¶
func (r *UserGroupResolver) ResolveGroup(gid int) (string, error)
ResolveGroup resolves a group id to a group name
func (*UserGroupResolver) ResolveUser ¶
func (r *UserGroupResolver) ResolveUser(uid int) (string, error)
ResolveUser resolves a user id to a username
Source Files ¶
- accessors.go
- applier.go
- approvers.go
- capabilities.go
- compile_unsupported.go
- container_resolver.go
- custom_events.go
- custom_events_easyjson.go
- dentry_resolver.go
- discarders.go
- erpc.go
- kernel.go
- kfilters.go
- kfilters_bpf.go
- load_controller.go
- model.go
- mount.go
- open.go
- perf_buffer_monitor.go
- policy.go
- probe.go
- probe_monitor.go
- process_resolver.go
- reorderer.go
- reorderer_monitor.go
- report.go
- resolvers.go
- serializers.go
- serializers_easyjson.go
- syscall_stats.go
- syscalls.go
- syscalls_string_linux.go
- time_resolver.go
- user_resolver.go