
Documentation

Overview

Package model holds model related files

Package model holds the security profile data model

Package model holds model related files


Constants

// Size limits applied when paths and kernel objects are decoded.
const (
	// MaxSegmentLength bounds the length, in bytes, of a single path segment.
	MaxSegmentLength = 255

	// MaxPathDepth bounds the number of segments in a resolved path.
	// It mirrors pkg/security/ebpf/c/dentry_resolver.h:
	// DR_MAX_TAIL_CALL * DR_MAX_ITERATION_DEPTH.
	MaxPathDepth = 1189

	// MaxBpfObjName bounds the length of a BPF object name.
	MaxBpfObjName = 16

	// MaxSymlinks bounds the number of symlinks captured.
	MaxSymlinks = 2

	// MaxTracedCgroupsCount is the hard limit on the number of traced cgroups.
	MaxTracedCgroupsCount = 128
)

// Suffixes appended to derive the path/name variants of a field.
const (
	// PathSuffix is the suffix of path fields.
	PathSuffix = ".path"

	// NameSuffix is the suffix of name fields.
	NameSuffix = ".name"
)

// ContainerIDLen is the length of a container ID: a SHA-256 digest rendered
// as lowercase/uppercase hexadecimal, i.e. 64 characters.
const ContainerIDLen = sha256.Size * 2
// Event flag bits stored in BaseEvent.Flags. Each flag occupies its own bit
// so several can be combined with a bitwise OR.
const (
	// EventFlagsAsync marks an asynchronous event.
	EventFlagsAsync = 1 << 0

	// EventFlagsSavedByAD marks an event saved by an activity dump (AD).
	EventFlagsSavedByAD = 1 << 1

	// EventFlagsActivityDumpSample marks an activity dump sample.
	EventFlagsActivityDumpSample = 1 << 2

	// EventFlagsSecurityProfileInProfile is set when the event was found in a security profile.
	EventFlagsSecurityProfileInProfile = 1 << 3

	// EventFlagsAnomalyDetectionEvent is set when the event is marked as an anomaly.
	EventFlagsAnomalyDetectionEvent = 1 << 4

	// EventFlagsHasActiveActivityDump is set when an active activity dump is associated with the event.
	EventFlagsHasActiveActivityDump = 1 << 5

	// EventFlagsFromReplay is set when the event was generated from a replay.
	EventFlagsFromReplay = 1 << 6
)
// Direction of an IMDS (cloud instance metadata service) exchange.
const (
	// IMDSRequestType identifies an IMDS request event.
	IMDSRequestType = "request"
	// IMDSResponseType identifies an IMDS response event.
	IMDSResponseType = "response"
)

// Cloud provider reported for an IMDS event.
const (
	// IMDSAWSCloudProvider reports that the IMDS event is for AWS.
	IMDSAWSCloudProvider = "aws"
	// IMDSGCPCloudProvider reports that the IMDS event is for GCP.
	IMDSGCPCloudProvider = "gcp"
	// IMDSAzureCloudProvider reports that the IMDS event is for Azure.
	IMDSAzureCloudProvider = "azure"
	// IMDSIBMCloudProvider reports that the IMDS event is for IBM.
	IMDSIBMCloudProvider = "ibm"
	// IMDSOracleCloudProvider reports that the IMDS event is for Oracle.
	IMDSOracleCloudProvider = "oracle"
)
// File flags. Each flag is a distinct bit; which layer a file belongs to is
// presumably meant in the overlay-filesystem sense (confirm with the eBPF side).
const (
	// LowerLayer flags a file that belongs to the lower layer.
	LowerLayer = 1 << 0
	// UpperLayer flags a file that belongs to the upper layer.
	UpperLayer = 1 << 1
)

File flags

Variables

var (
	// The maps below enumerate the named constants offered to rule authors
	// (presumably surfaced through SECLConstants; the generate_constants
	// annotations look like directives for the documentation generator).
	// Map keys are the rule-facing identifiers, so renaming a key is a
	// breaking change for existing rules.

	// DNSQTypeConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qtypes,DNS qtypes are the supported DNS query types.
	DNSQTypeConstants = map[string]int{
		// Values are the IANA TYPE numbers; the order below is not numeric.
		"None":       0,
		"A":          1,
		"NS":         2,
		"MD":         3,
		"MF":         4,
		"CNAME":      5,
		"SOA":        6,
		"MB":         7,
		"MG":         8,
		"MR":         9,
		"NULL":       10,
		"PTR":        12,
		"HINFO":      13,
		"MINFO":      14,
		"MX":         15,
		"TXT":        16,
		"RP":         17,
		"AFSDB":      18,
		"X25":        19,
		"ISDN":       20,
		"RT":         21,
		"NSAPPTR":    23,
		"SIG":        24,
		"KEY":        25,
		"PX":         26,
		"GPOS":       27,
		"AAAA":       28,
		"LOC":        29,
		"NXT":        30,
		"EID":        31,
		"NIMLOC":     32,
		"SRV":        33,
		"ATMA":       34,
		"NAPTR":      35,
		"KX":         36,
		"CERT":       37,
		"DNAME":      39,
		"OPT":        41,
		"APL":        42,
		"DS":         43,
		"SSHFP":      44,
		"RRSIG":      46,
		"NSEC":       47,
		"DNSKEY":     48,
		"DHCID":      49,
		"NSEC3":      50,
		"NSEC3PARAM": 51,
		"TLSA":       52,
		"SMIMEA":     53,
		"HIP":        55,
		"NINFO":      56,
		"RKEY":       57,
		"TALINK":     58,
		"CDS":        59,
		"CDNSKEY":    60,
		"OPENPGPKEY": 61,
		"CSYNC":      62,
		"ZONEMD":     63,
		"SVCB":       64,
		"HTTPS":      65,
		"SPF":        99,
		"UINFO":      100,
		"UID":        101,
		"GID":        102,
		"UNSPEC":     103,
		"NID":        104,
		"L32":        105,
		"L64":        106,
		"LP":         107,
		"EUI48":      108,
		"EUI64":      109,
		"URI":        256,
		"CAA":        257,
		"AVC":        258,
		"TKEY":       249,
		"TSIG":       250,
		"IXFR":       251,
		"AXFR":       252,
		"MAILB":      253,
		"MAILA":      254,
		"ANY":        255,
		"TA":         32768,
		"DLV":        32769,
		"Reserved":   65535,
	}

	// DNSQClassConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qclasses,DNS qclasses are the supported DNS query classes.
	DNSQClassConstants = map[string]int{
		"CLASS_INET":   1,
		"CLASS_CSNET":  2,
		"CLASS_CHAOS":  3,
		"CLASS_HESIOD": 4,
		"CLASS_NONE":   254,
		"CLASS_ANY":    255,
	}

	// DNSResponseCodeConstants see https://datatracker.ietf.org/doc/html/rfc2929
	// generate_constants:DNS Responses,DNS Responses are the supported response codes
	DNSResponseCodeConstants = map[string]int{
		// BADVERS and BADSIG deliberately share the value 16, as in the
		// RCODE registry of the RFC referenced above.
		"NOERROR":  0,
		"FORMERR":  1,
		"SERVFAIL": 2,
		"NXDOMAIN": 3,
		"NOTIMP":   4,
		"REFUSED":  5,
		"YXDOMAIN": 6,
		"YXRRSET":  7,
		"NXRRSET":  8,
		"NOTAUTH":  9,
		"NOTZONE":  10,
		"BADVERS":  16,
		"BADSIG":   16,
		"BADKEY":   17,
		"BADTIME":  18,
		"BADMODE":  19,
		"BADNAME":  20,
		"BADALG":   21,
	}

	// BooleanConstants holds the evaluator for boolean constants
	// generate_constants:Boolean constants,Boolean constants are the supported boolean constants.
	BooleanConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}

	// L3ProtocolConstants is the list of supported L3 protocols
	// generate_constants:L3 protocols,L3 protocols are the supported Layer 3 protocols.
	L3ProtocolConstants = map[string]L3Protocol{
		"ETH_P_LOOP":            EthPLOOP,
		"ETH_P_PUP":             EthPPUP,
		"ETH_P_PUPAT":           EthPPUPAT,
		"ETH_P_TSN":             EthPTSN,
		"ETH_P_IP":              EthPIP,
		"ETH_P_X25":             EthPX25,
		"ETH_P_ARP":             EthPARP,
		"ETH_P_BPQ":             EthPBPQ,
		"ETH_P_IEEEPUP":         EthPIEEEPUP,
		"ETH_P_IEEEPUPAT":       EthPIEEEPUPAT,
		"ETH_P_BATMAN":          EthPBATMAN,
		"ETH_P_DEC":             EthPDEC,
		"ETH_P_DNADL":           EthPDNADL,
		"ETH_P_DNARC":           EthPDNARC,
		"ETH_P_DNART":           EthPDNART,
		"ETH_P_LAT":             EthPLAT,
		"ETH_P_DIAG":            EthPDIAG,
		"ETH_P_CUST":            EthPCUST,
		"ETH_P_SCA":             EthPSCA,
		"ETH_P_TEB":             EthPTEB,
		"ETH_P_RARP":            EthPRARP,
		"ETH_P_ATALK":           EthPATALK,
		"ETH_P_AARP":            EthPAARP,
		"ETH_P_8021_Q":          EthP8021Q,
		"ETH_P_ERSPAN":          EthPERSPAN,
		"ETH_P_IPX":             EthPIPX,
		"ETH_P_IPV6":            EthPIPV6,
		"ETH_P_PAUSE":           EthPPAUSE,
		"ETH_P_SLOW":            EthPSLOW,
		"ETH_P_WCCP":            EthPWCCP,
		"ETH_P_MPLSUC":          EthPMPLSUC,
		"ETH_P_MPLSMC":          EthPMPLSMC,
		"ETH_P_ATMMPOA":         EthPATMMPOA,
		"ETH_P_PPPDISC":         EthPPPPDISC,
		"ETH_P_PPPSES":          EthPPPPSES,
		// NOTE(review): the double underscore in "ETH_P__LINK_CTL" looks like a
		// typo, but the key is rule-facing; correct it only with an alias kept.
		"ETH_P__LINK_CTL":       EthPLinkCTL,
		"ETH_P_ATMFATE":         EthPATMFATE,
		"ETH_P_PAE":             EthPPAE,
		"ETH_P_AOE":             EthPAOE,
		"ETH_P_8021_AD":         EthP8021AD,
		"ETH_P_802_EX1":         EthP802EX1,
		"ETH_P_TIPC":            EthPTIPC,
		"ETH_P_MACSEC":          EthPMACSEC,
		"ETH_P_8021_AH":         EthP8021AH,
		"ETH_P_MVRP":            EthPMVRP,
		"ETH_P_1588":            EthP1588,
		"ETH_P_NCSI":            EthPNCSI,
		"ETH_P_PRP":             EthPPRP,
		"ETH_P_FCOE":            EthPFCOE,
		"ETH_P_IBOE":            EthPIBOE,
		"ETH_P_TDLS":            EthPTDLS,
		"ETH_P_FIP":             EthPFIP,
		"ETH_P_80221":           EthP80221,
		"ETH_P_HSR":             EthPHSR,
		"ETH_P_NSH":             EthPNSH,
		"ETH_P_LOOPBACK":        EthPLOOPBACK,
		"ETH_P_QINQ1":           EthPQINQ1,
		"ETH_P_QINQ2":           EthPQINQ2,
		"ETH_P_QINQ3":           EthPQINQ3,
		"ETH_P_EDSA":            EthPEDSA,
		"ETH_P_IFE":             EthPIFE,
		"ETH_P_AFIUCV":          EthPAFIUCV,
		"ETH_P_8023_MIN":        EthP8023MIN,
		"ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop,
		"ETH_P_8023":            EthP8023,
		"ETH_P_AX25":            EthPAX25,
		"ETH_P_ALL":             EthPALL,
		"ETH_P_8022":            EthP8022,
		"ETH_P_SNAP":            EthPSNAP,
		"ETH_P_DDCMP":           EthPDDCMP,
		"ETH_P_WANPPP":          EthPWANPPP,
		"ETH_P_PPPMP":           EthPPPPMP,
		"ETH_P_LOCALTALK":       EthPLOCALTALK,
		"ETH_P_CAN":             EthPCAN,
		"ETH_P_CANFD":           EthPCANFD,
		"ETH_P_PPPTALK":         EthPPPPTALK,
		"ETH_P_TR8022":          EthPTR8022,
		"ETH_P_MOBITEX":         EthPMOBITEX,
		"ETH_P_CONTROL":         EthPCONTROL,
		"ETH_P_IRDA":            EthPIRDA,
		"ETH_P_ECONET":          EthPECONET,
		"ETH_P_HDLC":            EthPHDLC,
		"ETH_P_ARCNET":          EthPARCNET,
		"ETH_P_DSA":             EthPDSA,
		"ETH_P_TRAILER":         EthPTRAILER,
		"ETH_P_PHONET":          EthPPHONET,
		"ETH_P_IEEE802154":      EthPIEEE802154,
		"ETH_P_CAIF":            EthPCAIF,
		"ETH_P_XDSA":            EthPXDSA,
		"ETH_P_MAP":             EthPMAP,
	}

	// L4ProtocolConstants is the list of supported L4 protocols
	// generate_constants:L4 protocols,L4 protocols are the supported Layer 4 protocols.
	L4ProtocolConstants = map[string]L4Protocol{
		"IP_PROTO_IP":      IPProtoIP,
		"IP_PROTO_ICMP":    IPProtoICMP,
		"IP_PROTO_IGMP":    IPProtoIGMP,
		"IP_PROTO_IPIP":    IPProtoIPIP,
		"IP_PROTO_TCP":     IPProtoTCP,
		"IP_PROTO_EGP":     IPProtoEGP,
		"IP_PROTO_IGP":     IPProtoIGP,
		"IP_PROTO_PUP":     IPProtoPUP,
		"IP_PROTO_UDP":     IPProtoUDP,
		"IP_PROTO_IDP":     IPProtoIDP,
		"IP_PROTO_TP":      IPProtoTP,
		"IP_PROTO_DCCP":    IPProtoDCCP,
		"IP_PROTO_IPV6":    IPProtoIPV6,
		"IP_PROTO_RSVP":    IPProtoRSVP,
		"IP_PROTO_GRE":     IPProtoGRE,
		"IP_PROTO_ESP":     IPProtoESP,
		"IP_PROTO_AH":      IPProtoAH,
		"IP_PROTO_ICMPV6":  IPProtoICMPV6,
		"IP_PROTO_MTP":     IPProtoMTP,
		"IP_PROTO_BEETPH":  IPProtoBEETPH,
		"IP_PROTO_ENCAP":   IPProtoENCAP,
		"IP_PROTO_PIM":     IPProtoPIM,
		"IP_PROTO_COMP":    IPProtoCOMP,
		"IP_PROTO_SCTP":    IPProtoSCTP,
		"IP_PROTO_UDPLITE": IPProtoUDPLITE,
		"IP_PROTO_MPLS":    IPProtoMPLS,
		"IP_PROTO_RAW":     IPProtoRAW,
	}

	// NetworkProtocolTypeConstants is the list of supported network protocol specific types
	// generate_constants:Network Protocol Types,Types of specific network protocols.
	NetworkProtocolTypeConstants = map[string]NetworkProtocolType{
		"ICMP_ECHO_REQUEST":              ICMPTypeEchoRequest,
		"ICMP_ECHO_REPLY":                ICMPTypeEchoReply,
		"ICMP_ROUTER_SOLICITATION":       ICMPTypeRouterSolicitation,
		"ICMP_ROUTER_ADVERTISEMENT":      ICMPTypeRouterAdvertisement,
		"ICMP_NEIGHBOR_SOLICITATION":     ICMPTypeNeighborSolicitation,
		"ICMP_NEIGHBOR_ADVERTISEMENT":    ICMPTypeNeighborAdvertisement,
		"ICMP_V6_ECHO_REQUEST":           ICMPv6TypeEchoRequest,
		"ICMP_V6_ECHO_REPLY":             ICMPv6TypeEchoReply,
		"ICMP_V6_ROUTER_SOLICITATION":    ICMPv6TypeRouterSolicitation,
		"ICMP_V6_ROUTER_ADVERTISEMENT":   ICMPv6TypeRouterAdvertisement,
		"ICMP_V6_NEIGHBOR_SOLICITATION":  ICMPv6TypeNeighborSolicitation,
		"ICMP_V6_NEIGHBOR_ADVERTISEMENT": ICMPv6TypeNeighborAdvertisement,
	}

	// NetworkDirectionConstants is the list of supported network directions
	// generate_constants:Network directions,Network directions are the supported directions of network packets.
	NetworkDirectionConstants = map[string]NetworkDirection{
		"INGRESS": Ingress,
		"EGRESS":  Egress,
	}

	// ABIConstants defines ABI constants
	// generate_constants:ABI,ABI used for binary compilation.
	ABIConstants = map[string]ABI{
		"BIT32":       Bit32,
		"BIT64":       Bit64,
		"UNKNOWN_ABI": UnknownABI,
	}

	// ArchitectureConstants defines architecture constants
	// generate_constants:Architecture,Architecture of the binary.
	ArchitectureConstants = map[string]Architecture{
		"X86":                  X86,
		"X86_64":               X8664,
		"ARM":                  ARM,
		"ARM64":                ARM64,
		"UNKNOWN_ARCHITECTURE": UnknownArch,
	}

	// CompressionTypeConstants defines compression type constants
	// generate_constants:CompressionType,Compression algorithm.
	CompressionTypeConstants = map[string]CompressionType{
		"NONE":  NoCompression,
		"GZIP":  GZip,
		"ZIP":   Zip,
		"ZSTD":  Zstd,
		"7Z":    SevenZip,
		"BZIP2": BZip2,
		"XZ":    XZ,
	}

	// FileTypeConstants defines file type constants
	// generate_constants:FileType,File types.
	FileTypeConstants = map[string]FileType{
		"EMPTY":              Empty,
		"SHELL_SCRIPT":       ShellScript,
		"TEXT":               Text,
		"COMPRESSED":         Compressed,
		"ENCRYPTED":          Encrypted,
		"BINARY":             Binary,
		"LINUX_EXECUTABLE":   ELFExecutable,
		"WINDOWS_EXECUTABLE": PEExecutable,
		"MACOS_EXECUTABLE":   MachOExecutable,
		"FILE_LESS":          FileLess,
	}

	// LinkageTypeConstants defines linkage type constants
	// generate_constants:LinkageType,Linkage types.
	LinkageTypeConstants = map[string]LinkageType{
		"NONE":    None,
		"STATIC":  Static,
		"DYNAMIC": Dynamic,
	}

	// UserSessionTypes are the supported user session types
	// generate_constants:UserSessionTypes,UserSessionTypes are the supported user session types.
	// Unlike the maps above, these keys are lowercase.
	UserSessionTypes = map[string]usersession.Type{
		"unknown": usersession.UserSessionTypeUnknown,
		"k8s":     usersession.UserSessionTypeK8S,
		"ssh":     usersession.UserSessionTypeSSH,
	}

	// SSHAuthMethodConstants are the supported SSH authentication methods
	// generate_constants:SSHAuthMethod,SSH authentication methods.
	SSHAuthMethodConstants = map[string]usersession.AuthType{
		"password":   usersession.SSHAuthMethodPassword,
		"public_key": usersession.SSHAuthMethodPublicKey,
		"unknown":    usersession.SSHAuthMethodUnknown,
	}
)
// Sentinel errors shared by the marshalling and unmarshalling helpers of this
// package. Compare them with errors.Is.
var (
	// ErrNotEnoughData: the input buffer is shorter than the event being decoded.
	ErrNotEnoughData = errors.New("not enough data")

	// ErrNotEnoughSpace: the output buffer is too small for the event being encoded.
	ErrNotEnoughSpace = errors.New("not enough space")

	// ErrIncorrectDataSize: the number of bytes read differs from the expected size.
	ErrIncorrectDataSize = errors.New("incorrect data size")

	// ErrStringArrayOverflow: a string array exceeded its capacity.
	ErrStringArrayOverflow = errors.New("string array overflow")

	// ErrNonPrintable: a decoded string contains a non-printable character.
	ErrNonPrintable = errors.New("non printable")

	// ErrNoUsefulData: the payload carries nothing worth keeping.
	ErrNoUsefulData = errors.New("no useful data")
)

AllEventFilteringProfileState is the list of all EventFilteringProfileState

// ErrCycleInProcessLineage is returned when a cycle is detected in the process lineage.
var ErrCycleInProcessLineage = errors.New("cycle detected in process lineage")

ErrCycleInProcessLineage is returned when a cycle is detected in the process lineage

// ErrFailedDNSPacketDecoding is returned when a DNS packet could not be decoded.
var ErrFailedDNSPacketDecoding = errors.New("dns packet couldn't be decoded")

ErrFailedDNSPacketDecoding defines a dns packet that failed to be decoded

// ErrNoProcessContext is returned for an event whose process context could not be resolved.
var ErrNoProcessContext = errors.New("process context not resolved")

ErrNoProcessContext defines an error for event without process context

// PacketFilterMatching overrides the string operators for packet filter
// fields: only "==" against a single static value is accepted. In that case
// the userspace evaluator yields a constant false (the real filtering is
// presumably performed elsewhere, e.g. by the packet filter itself — confirm);
// every other operator, and "==" between two non-static operands, is
// rejected with errorNonStaticPacketFilterField.
var PacketFilterMatching = &eval.OpOverrides{
	StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		// Reject the comparison unless at least one side is static.
		if !a.IsStatic() && !b.IsStatic() {
			return nil, errorNonStaticPacketFilterField(a, b)
		}
		return &eval.BoolEvaluator{Value: false}, nil
	},
	StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		// Membership in a list of values is never supported for packet filters.
		return nil, errorNonStaticPacketFilterField(a, b)
	},
	StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		// Same for array containment.
		return nil, errorNonStaticPacketFilterField(a, b)
	},
	StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		// And for array matching.
		return nil, errorNonStaticPacketFilterField(a, b)
	},
}

PacketFilterMatching is the set of operator overrides for packet filter fields; only a comparison against a single static value is supported.

// SECLLegacyFields maps legacy SECL field names (keys) to their current
// equivalents (values) so rules written against the old names keep working.
// Both sides are rule-facing strings: do not rename either without keeping
// the old spelling reachable.
var SECLLegacyFields = map[eval.Field]eval.Field{

	// Event, container and cgroup attributes moved under the process scope.
	"async":                "event.async",
	"container.id":         "process.container.id",
	"container.created_at": "process.container.created_at",
	"container.tags":       "process.container.tags",
	"cgroup.id":            "process.cgroup.id",
	"cgroup.version":       "process.cgroup.version",
	"cgroup.file.inode":    "process.cgroup.file.inode",
	"cgroup.file.mount_id": "process.cgroup.file.mount_id",

	// File events: "filename"/"basename" became "file.path"/"file.name", and
	// attributes being set moved under "file.destination".
	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",

	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	// Process events: "name" is the kernel comm, not the executable path.
	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",
}

SECLLegacyFields contains the list of the legacy attributes we need to support

var (
	// SECLVariables is the set of built-in variables available to SECL rules.
	// Each value is produced by a closure invoked with the evaluation context.
	SECLVariables = map[string]eval.SECLVariable{
		// process.pid resolves to the pid of the event's process context, or
		// (0, false) when the event carries no process context.
		"process.pid": eval.NewScopedIntVariable(func(ctx *eval.Context, _ bool) (int, bool) {
			// Unchecked assertion: ctx.Event must always hold a *Event here,
			// otherwise evaluation panics.
			pc := ctx.Event.(*Event).ProcessContext
			if pc == nil {
				return 0, false
			}
			return int(pc.Process.Pid), true
		}, nil),
		// builtins.uuid4 yields a freshly generated UUID on every evaluation
		// (presumably a random version-4 UUID, as the name suggests — confirm
		// against the uuid package in use).
		"builtins.uuid4": eval.NewScopedStringVariable(func(_ *eval.Context, _ bool) (string, bool) {
			return uuid.New().String(), true
		}, nil),
	}
)
// UnknownCategory is the EventCategory assigned to everything without a clear
// category; it is negative so it can never collide with the iota-based categories.
var UnknownCategory = EventCategory(-1)

UnknownCategory for everything without a clear category

Functions

func EventTypeDependsOnInterfaceTracking added in v0.72.0

func EventTypeDependsOnInterfaceTracking(eventType eval.EventType) bool

EventTypeDependsOnInterfaceTracking reports whether the given event type depends on the internal interface tracking mechanism.

func FilterEnvs added in v0.51.0

func FilterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string

FilterEnvs returns an array of environment variable key value pairs matching the desired keys

func GetDefaultLegacyFields added in v0.73.0

func GetDefaultLegacyFields(field eval.Field) (eval.Field, bool)

GetDefaultLegacyFields returns the field mapped from a legacy field if it exists

func GetDefaultLegacyFieldsKeys added in v0.73.0

func GetDefaultLegacyFieldsKeys() []eval.Field

GetDefaultLegacyFieldsKeys returns all legacy field keys

func GetEventTypePerCategory added in v0.34.0

func GetEventTypePerCategory(categories ...EventCategory) map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func IsAlphaNumeric

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable

func IsPrintable(s string) bool

IsPrintable reports whether s consists only of printable Unicode characters.

func IsPrintableASCII

func IsPrintableASCII(s string) bool

IsPrintableASCII reports whether s consists only of printable ASCII characters.

func NullTerminatedBytes added in v0.77.0

func NullTerminatedBytes(d []byte) []byte

NullTerminatedBytes returns the NUL-terminated byte string contained in d.

func NullTerminatedString added in v0.41.0

func NullTerminatedString(d []byte) string

NullTerminatedString returns the NUL-terminated string contained in d as a Go string.

func SECLConstants added in v0.34.0

func SECLConstants() map[string]interface{}

SECLConstants returns the constants supported in runtime security agent rules, initializing these constants during the first call

func SSHAuthMethodToString added in v0.74.1

func SSHAuthMethodToString(t usersession.AuthType) string

func SetDefaultLegacyFields added in v0.73.0

func SetDefaultLegacyFields(legacyFields map[eval.Field]eval.Field)

SetDefaultLegacyFields sets the default legacy field mapping used by the accessors

func SliceToArray

func SliceToArray(src []byte, dst []byte)

SliceToArray copies the bytes of src into dst. The caller must ensure dst has room for len(src) bytes.

func UnmarshalPrintableString

func UnmarshalPrintableString(data []byte, size int) (string, error)

UnmarshalPrintableString decodes a string of at most size bytes from data, presumably returning ErrNonPrintable when it contains non-printable characters.

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString decodes a string of at most size bytes from data.

func UnmarshalStringArray

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extracts an array of strings from the given byte slice.

func UserSessionTypeToString added in v0.74.1

func UserSessionTypeToString(t usersession.Type) string

UserSessionTypeToString converts a usersession.Type to its string representation

Types

type ABI added in v0.68.0

// ABI represents the Application Binary Interface type.
type ABI int

// Known ABI values. UnknownABI is the zero value, so an unset ABI reads as unknown.
const (
	// UnknownABI is used when the ABI could not be determined.
	UnknownABI ABI = 0
	// Bit32 is a 32-bit ABI.
	Bit32 ABI = 1
	// Bit64 is a 64-bit ABI.
	Bit64 ABI = 2
)

func (ABI) String added in v0.68.0

func (a ABI) String() string

type AWSIMDSEvent added in v0.55.0

// AWSIMDSEvent holds the AWS-specific part of an IMDS event: whether the
// exchange used IMDSv2 and the (secret-free) credentials document it carried.
type AWSIMDSEvent struct {
	IsIMDSv2            bool                   `field:"is_imds_v2"`           // SECLDoc[is_imds_v2] Definition:`a boolean which specifies if the IMDS event follows IMDSv1 or IMDSv2 conventions`
	// NOTE(review): the SECLDoc key below reads "credentials" while the field tag is "security_credentials"; confirm which one the doc generator expects.
	SecurityCredentials AWSSecurityCredentials `field:"security_credentials"` // SECLDoc[credentials] Definition:`the security credentials in the IMDS answer`
}

AWSIMDSEvent holds data from an AWS IMDS event

type AWSSecurityCredentials added in v0.55.0

// AWSSecurityCredentials mirrors the subset of the IMDS security-credentials
// document that carries no secret material. The JSON tags follow the IMDS
// field names; the secret access key and session token have no counterpart
// here and are therefore never retained. Fields tagged `field:"-"` are not
// exposed as SECL fields.
type AWSSecurityCredentials struct {
	Code        string    `field:"-" json:"Code"`        // status code of the credentials document; not rule-visible
	Type        string    `field:"type" json:"Type"`     // SECLDoc[type] Definition:`the security credentials type`
	AccessKeyID string    `field:"-" json:"AccessKeyId"` // key identifier only (no secret); not rule-visible
	LastUpdated string    `field:"-" json:"LastUpdated"`
	Expiration  time.Time `field:"-"` // parsed form of ExpirationRaw; has no json tag, so presumably filled after decoding — confirm

	// ExpirationRaw carries the json tag, so it (not Expiration) receives the
	// "Expiration" value during JSON decoding.
	ExpirationRaw string `field:"-" json:"Expiration"`
}

AWSSecurityCredentials is used to parse only the fields of the IMDS credentials document that are known to be free of credentials or secrets; the secret access key and session token are not declared and so are never captured.

type ActionReport added in v0.52.0

// ActionReport is the report produced by a rule action. It can be delayed
// until resolved (DelayabledEvent), serialized to JSON, and asked whether it
// belongs to a given rule.
type ActionReport interface {
	DelayabledEvent
	ToJSON() ([]byte, error)
	IsMatchingRule(ruleID eval.RuleID) bool
}

ActionReport defines an action report

type AddressFamily added in v0.37.0

// AddressFamily represents a socket address family (AF_INET, AF_INET6, AF_UNIX, ...).
type AddressFamily int

AddressFamily represents a socket address family (AF_INET, AF_INET6, AF_UNIX, etc.)

func (AddressFamily) String added in v0.37.0

func (af AddressFamily) String() string

type Architecture added in v0.68.0

// Architecture represents the CPU architecture.
type Architecture int

// Known architectures. UnknownArch is the zero value, so an unset
// Architecture reads as unknown.
const (
	// UnknownArch is used when the architecture could not be determined.
	UnknownArch Architecture = 0
	// X86 is the 32-bit x86 architecture.
	X86 Architecture = 1
	// X8664 is the x86_64 architecture (spelled without the underscore to satisfy CI linters).
	X8664 Architecture = 2
	// ARM is the 32-bit ARM architecture.
	ARM Architecture = 3
	// ARM64 is the 64-bit ARM architecture.
	ARM64 Architecture = 4
)

func (Architecture) String added in v0.68.0

func (a Architecture) String() string

type ArgsEntry added in v0.34.0

// ArgsEntry is a cached set of process arguments. It embeds a sync.Mutex and
// therefore must not be copied after first use: pass it by pointer (Equals
// takes *ArgsEntry).
type ArgsEntry struct {
	sync.Mutex

	Values           []string // the argument list
	Truncated        bool     // true when the kernel-side capture was cut short
	ScrubbedResolved bool     // presumably true once secret scrubbing has been applied to Values — confirm with the resolver
}

ArgsEntry defines an args cache entry

func (*ArgsEntry) Equals added in v0.36.0

func (p *ArgsEntry) Equals(o *ArgsEntry) bool

Equals compares two ArgsEntry

type ArgsEnvs added in v0.34.0

// ArgsEnvs holds the raw, fixed-size buffer of args/envs as received,
// identified by ID and carrying Size valid bytes in ValuesRaw.
type ArgsEnvs struct {
	ID        uint64
	Size      uint32
	ValuesRaw [sharedconsts.MaxArgEnvSize]byte // only the first Size bytes are meaningful (presumed from the field names)
}

ArgsEnvs holds the raw value for args and envs

type BaseEvent added in v0.48.0

// BaseEvent carries the fields common to every event sent from the kernel.
// Fields tagged `field:"-"` are internal bookkeeping and (as the tag suggests)
// are not exposed to rules; the SECLDoc comments describe the rule-visible ones.
type BaseEvent struct {
	ID            string         `field:"-"`
	Type          uint32         `field:"-"`
	Flags         uint32         `field:"-"` // bit set of the EventFlags* constants
	TimestampRaw  uint64         `field:"event.timestamp,handler:ResolveEventTimestamp"` // SECLDoc[event.timestamp] Definition:`Timestamp of the event`
	Timestamp     time.Time      `field:"timestamp,opts:getters_only|gen_getters,handler:ResolveEventTime"`
	Rules         []*MatchedRule `field:"-"`
	RuleContext   RuleContext    `field:"-"`
	ActionReports []ActionReport `field:"-"`
	Os            string         `field:"event.os"`                                                      // SECLDoc[event.os] Definition:`Operating system of the event`
	Origin        string         `field:"event.origin"`                                                  // SECLDoc[event.origin] Definition:`Origin of the event`
	Service       string         `field:"event.service,handler:ResolveService,opts:skip_ad|gen_getters"` // SECLDoc[event.service] Definition:`Service associated with the event`
	Hostname      string         `field:"event.hostname,handler:ResolveHostname"`                        // SECLDoc[event.hostname] Definition:`Hostname associated with the event`
	RuleTags      []string       `field:"event.rule.tags"`                                               // SECLDoc[event.rule.tags] Definition:`Tags associated with the rule that's used to evaluate the event`
	Source        string         `field:"event.source,handler:ResolveSource"`                            // SECLDoc[event.source] Definition:`[Experimental] Source of the event. Can be either 'runtime' or 'snapshot'.`

	// context shared with all event types
	ProcessContext         *ProcessContext        `field:"process"` // may be nil (see ErrNoProcessContext)
	SecurityProfileContext SecurityProfileContext `field:"-"`

	// internal usage
	PIDContext        PIDContext         `field:"-"`
	ProcessCacheEntry *ProcessCacheEntry `field:"-"`

	// mark event with having error
	Error error `field:"-"`

	// field resolution
	FieldHandlers FieldHandlers `field:"-"`
}

BaseEvent represents an event sent from the kernel

type BaseExtraFieldHandlers added in v0.50.0

// BaseExtraFieldHandlers groups the resolution handlers that are not bound to
// any particular event field: looking up the process cache entry of an event
// (with a callback for newly created entries) or of a bare pid.
type BaseExtraFieldHandlers interface {
	ResolveProcessCacheEntry(ev *Event, newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)
	ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry
}

BaseExtraFieldHandlers defines the handlers that are not bound to any field

type CompressionType added in v0.68.0

// CompressionType represents the type of compression used.
type CompressionType int

// Known compression types. NoCompression is the zero value.
const (
	// NoCompression means the data is not compressed.
	NoCompression CompressionType = 0
	// GZip is gzip compression.
	GZip CompressionType = 1
	// Zip is zip compression.
	Zip CompressionType = 2
	// Zstd is zstandard compression.
	Zstd CompressionType = 3
	// SevenZip is 7z compression.
	SevenZip CompressionType = 4
	// BZip2 is bzip2 compression.
	BZip2 CompressionType = 5
	// XZ is xz compression.
	XZ CompressionType = 6
)

func (CompressionType) String added in v0.68.0

func (ct CompressionType) String() string

type ContainerContext added in v0.34.0

// ContainerContext holds the container context of an event. Tags are not
// stored on the event but resolved on demand by ResolveContainerTags; the
// large weight presumably pushes that comparison last during evaluation (confirm).
type ContainerContext struct {
	*Releasable
	ContainerID containerutils.ContainerID `field:"id,opts:gen_getters"`                                        // SECLDoc[id] Definition:`ID of the container`
	CreatedAt   uint64                     `field:"created_at,opts:gen_getters"`                                // SECLDoc[created_at] Definition:`Timestamp of the creation of the container`
	Tags        []string                   `field:"tags,handler:ResolveContainerTags,opts:skip_ad,weight:9999"` // SECLDoc[tags] Definition:`Tags of the container`
}

ContainerContext holds the container context of an event

func (*ContainerContext) Hash added in v0.65.0

Hash returns a unique key for the entity

func (*ContainerContext) IsNull added in v0.76.0

func (c *ContainerContext) IsNull() bool

IsNull returns true if the container context is null

func (*ContainerContext) ParentScope added in v0.68.0

func (c *ContainerContext) ParentScope() (eval.VariableScope, bool)

ParentScope returns the parent entity scope

func (*ContainerContext) UnixCreatedAt added in v0.77.0

func (c *ContainerContext) UnixCreatedAt() time.Time

UnixCreatedAt returns the creation time of the container

type DNSEvent added in v0.36.0

// DNSEvent represents a DNS request and, when one was observed, its response.
type DNSEvent struct {
	ID       uint16       `field:"id"` // SECLDoc[id] Definition:`[Experimental] the DNS request ID`
	Question DNSQuestion  `field:"question"`
	// Response is nil until a response is seen; the check:HasResponse option
	// presumably gates rule access on HasResponse so the nil pointer is never dereferenced.
	Response *DNSResponse `field:"response,check:HasResponse"`
}

DNSEvent represents a DNS request event

func (*DNSEvent) HasResponse added in v0.67.0

func (de *DNSEvent) HasResponse() bool

HasResponse returns whether the DNS event has a response

func (*DNSEvent) Matches added in v0.53.0

func (de *DNSEvent) Matches(new *DNSEvent) bool

Matches returns true if the two DNS events match

type DNSQuestion added in v0.67.0

// DNSQuestion represents the question section of a DNS request.
type DNSQuestion struct {
	// Name comparisons in rules go through eval.CaseInsensitiveCmp (DNS names
	// are case-insensitive); the length and root_domain options expose derived sub-fields.
	Name  string `field:"name,opts:length|root_domain" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`the queried domain name`
	Type  uint16 `field:"type"`                                                               // SECLDoc[type] Definition:`a two octet code which specifies the DNS question type` Constants:`DNS qtypes`
	Class uint16 `field:"class"`                                                              // SECLDoc[class] Definition:`the class looked up by the DNS question` Constants:`DNS qclasses`
	Size  uint16 `field:"length"`                                                             // SECLDoc[length] Definition:`the total DNS request size in bytes`
	Count uint16 `field:"count"`                                                              // SECLDoc[count] Definition:`the total count of questions in the DNS request`
}

DNSQuestion represents the dns question

type DNSResponse added in v0.67.0

// DNSResponse holds the response side of a DNS event; the code is named by
// DNSResponseCodeConstants.
type DNSResponse struct {
	ResponseCode uint8 `field:"code"` // SECLDoc[code] Definition:`Response code of the DNS response according to RFC 1035` Constants:`DNS Responses`
}

DNSResponse represents a DNS response event

type DelayabledEvent added in v0.77.0

// DelayabledEvent is implemented by values whose delivery can be delayed until
// they are resolved. IsResolved presumably returns nil once the value is
// complete and an error while it is still pending; MaxRetry bounds the number
// of resolution attempts — confirm both against the callers.
type DelayabledEvent interface {
	IsResolved() error
	MaxRetry() int
}

type EnvsEntry added in v0.34.0

// EnvsEntry is a cached set of environment variables. Values holds the raw
// "KEY=VALUE" entries; use FilterEnvs to obtain a copy that keeps values only
// for allow-listed names.
type EnvsEntry struct {
	Values    []string
	Truncated bool // true when the capture was cut short
	// contains filtered or unexported fields
}

EnvsEntry defines an envs cache entry

func (*EnvsEntry) Equals added in v0.36.0

func (p *EnvsEntry) Equals(o *EnvsEntry) bool

Equals compares two EnvsEntry

func (*EnvsEntry) FilterEnvs added in v0.39.0

func (p *EnvsEntry) FilterEnvs(envsWithValue map[string]bool) ([]string, bool)

FilterEnvs returns the environment variables as a list. Only the name of each variable is returned unless that name is present in envsWithValue, in which case its value is kept as well — values are dropped unless explicitly allow-listed.

func (*EnvsEntry) Get added in v0.34.0

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

type ErrInvalidKeyPath added in v0.44.0

// ErrInvalidKeyPath is returned when the inode or mount ID used to resolve a
// path is not valid. Both identifiers are kept so the failing key can be
// reported by Error().
type ErrInvalidKeyPath struct {
	Inode   uint64
	MountID uint32
}

ErrInvalidKeyPath is returned when the inode or mount ID is not valid

func (*ErrInvalidKeyPath) Error added in v0.44.0

func (e *ErrInvalidKeyPath) Error() string

type ErrProcessBrokenLineage added in v0.50.0

// ErrProcessBrokenLineage is returned when a process lineage is broken.
//
// Err is the underlying cause and is exposed through Unwrap, so callers can
// use errors.Is / errors.As on the more specific lineage errors below.
type ErrProcessBrokenLineage struct {
	Err error
}

ErrProcessBrokenLineage is returned when a process lineage is broken

func (*ErrProcessBrokenLineage) Error added in v0.50.0

func (e *ErrProcessBrokenLineage) Error() string

Error implements the error interface

func (*ErrProcessBrokenLineage) Unwrap added in v0.50.0

func (e *ErrProcessBrokenLineage) Unwrap() error

Unwrap returns the wrapped error (errors.Unwrap convention)

type ErrProcessIncompleteLineage added in v0.50.0

// ErrProcessIncompleteLineage is used when the lineage is incorrect in terms
// of pid/ppid. PID, PPID and ContainerID identify the process at which the
// lineage check failed.
type ErrProcessIncompleteLineage struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessIncompleteLineage is used when the lineage is incorrect in terms of pid/ppid

func (*ErrProcessIncompleteLineage) Error added in v0.50.0

type ErrProcessMissingParentNode added in v0.50.0

// ErrProcessMissingParentNode is used when the lineage is incorrect in terms
// of pid/ppid. PID, PPID and ContainerID identify the process whose parent
// node could not be found.
type ErrProcessMissingParentNode struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessMissingParentNode is used when the lineage is incorrect in terms of pid/ppid

func (*ErrProcessMissingParentNode) Error added in v0.50.0

type ErrProcessWrongParentNode added in v0.50.0

// ErrProcessWrongParentNode is used when the lineage is correct in terms of
// pid/ppid but an exec parent is missing. PID, PPID and ContainerID identify
// the process at which the inconsistency was detected.
type ErrProcessWrongParentNode struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessWrongParentNode is used when the lineage is correct in terms of pid/ppid but an exec parent is missing

func (*ErrProcessWrongParentNode) Error added in v0.50.0

func (e *ErrProcessWrongParentNode) Error() string

type EventCategory added in v0.34.0

// EventCategory is the category of an event (FIM, process, kernel, network or internal).
type EventCategory int

EventCategory is the category type of an event

// Event categories. The values are iota-based, so new categories must be
// appended at the end to keep existing numeric values stable.
const (
	// FIMCategory FIM events
	FIMCategory EventCategory = iota
	// ProcessCategory process events
	ProcessCategory
	// KernelCategory Kernel events
	KernelCategory
	// NetworkCategory network events
	NetworkCategory
	// InternalCategory internal events
	InternalCategory
)

Event categories

func GetAllCategories added in v0.34.0

func GetAllCategories() []EventCategory

GetAllCategories returns all categories

func GetEventTypeCategory added in v0.34.0

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

func (EventCategory) String added in v0.72.0

func (t EventCategory) String() string

type EventFilteringProfileState added in v0.55.0

// EventFilteringProfileState is used to compute metrics for the event filtering feature.
type EventFilteringProfileState uint8

EventFilteringProfileState is used to compute metrics for the event filtering feature

// EventFilteringProfileState values. Each state counts events for one outcome
// of the profile lookup; String and ToTag render them for metrics.
const (
	// NoProfile is used to count the events for which we didn't have a profile
	NoProfile EventFilteringProfileState = iota
	// ProfileAtMaxSize is used to count the events that didn't make it into a profile because their matching profile
	// reached the max size threshold
	ProfileAtMaxSize
	// UnstableEventType is used to count the events that didn't make it into a profile because their matching profile was
	// unstable for their event type
	UnstableEventType
	// StableEventType is used to count the events linked to a stable profile for their event type
	StableEventType
	// AutoLearning is used to count the event during the auto learning phase
	AutoLearning
	// WorkloadWarmup is used to count the learned events due to workload warm up time
	WorkloadWarmup
)

func (EventFilteringProfileState) String added in v0.55.0

func (efr EventFilteringProfileState) String() string

String returns the string representation of the EventFilteringProfileState

func (EventFilteringProfileState) ToTag added in v0.55.0

func (efr EventFilteringProfileState) ToTag() string

ToTag returns the tag representation of the EventFilteringProfileState

type EventSource added in v0.74.0

// EventSource is the source of the event. It is a type alias of string, so
// any string value is accepted by the compiler; only the constants below are
// documented.
type EventSource = string

EventSource is the source of the event

// Known EventSource values.
const (
	// EventSourceRuntime is used to report that the event is generated from a runtime
	EventSourceRuntime EventSource = "runtime"
	// EventSourceReplay is used to report that the event is generated from a replay
	EventSourceReplay EventSource = "replay"
	// EventSourceRelated is used to report that the event is generated from a related event
	EventSourceRelated EventSource = "related"
)

type EventType

// EventType describes the type of an event sent from the kernel.
type EventType uint32

EventType describes the type of an event sent from the kernel

// EventType values.
//
// The kernel event types are iota-based and end at MaxKernelEventType; the
// range aliases (First*/Last*) and the custom/Windows event types follow.
// Because the values are positional, new kernel event types must be appended
// before MaxKernelEventType to keep existing numeric values stable.
const (
	// UnknownEventType unknown event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// SpliceEventType Splice event
	SpliceEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileChdirEventType chdir event
	FileChdirEventType
	// BPFEventType bpf event
	BPFEventType
	// SysCtlEventType sysctl event
	SysCtlEventType
	// ConnectEventType Connect event
	ConnectEventType
	// PrCtlEventType is sent when a prctl event is captured
	PrCtlEventType
	// SetSockOptEventType is sent when a socket option is set
	SetSockOptEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event (DEPRECATED)
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// LoadModuleEventType LoadModule event
	LoadModuleEventType
	// UnloadModuleEventType UnloadModule event
	UnloadModuleEventType
	// SignalEventType Signal event
	SignalEventType
	// CgroupTracingEventType is sent when a new cgroup is being traced
	CgroupTracingEventType
	// DNSEventType DNS event
	DNSEventType
	// ShortDNSResponseEventType DNS Response event
	ShortDNSResponseEventType
	// FullDNSResponseEventType DNS Response event
	FullDNSResponseEventType
	// NetDeviceEventType is sent for events on net devices
	NetDeviceEventType
	// VethPairEventType is sent when a new veth pair is created
	VethPairEventType
	// VethPairNsEventType is sent when a veth pair is moved to a new network namespace
	VethPairNsEventType
	// AcceptEventType Accept event
	AcceptEventType
	// BindEventType Bind event
	BindEventType
	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
	UnshareMountNsEventType
	// SyscallsEventType Syscalls event
	SyscallsEventType
	// IMDSEventType is sent when an IMDS request or answer is captured
	IMDSEventType
	// OnDemandEventType is sent for on-demand events
	OnDemandEventType
	// LoginUIDWriteEventType is sent for login_uid write events
	LoginUIDWriteEventType
	// CgroupWriteEventType is sent when a new cgroup was created
	CgroupWriteEventType
	// RawPacketFilterEventType raw packet filter event
	RawPacketFilterEventType
	// NetworkFlowMonitorEventType is sent to monitor network activity
	NetworkFlowMonitorEventType
	// StatEventType stat event (used kernel side only)
	StatEventType
	// SetrlimitEventType setrlimit event
	SetrlimitEventType
	// FileFsmountEventType Mount event
	FileFsmountEventType
	// FileOpenTreeEventType Open Tree event
	FileOpenTreeEventType
	// RawPacketActionEventType raw packet action event
	RawPacketActionEventType
	// CapabilitiesEventType is used to track capabilities usage
	CapabilitiesEventType
	// FileMoveMountEventType Move Mount event
	FileMoveMountEventType
	// FailedDNSEventType Failed DNS
	FailedDNSEventType
	// TracerMemfdCreateEventType memfd_create event (used kernel side only)
	TracerMemfdCreateEventType
	// TracerMemfdSealEventType Tracer memfd seal event
	TracerMemfdSealEventType
	// PivotRootEventType is sent when pivot_root completes successfully
	PivotRootEventType
	// NopEventType nop event
	NopEventType
	// MaxKernelEventType is used internally to get the maximum number of kernel events.
	MaxKernelEventType

	// FirstEventType is the first valid event type
	FirstEventType = FileOpenEventType

	// LastEventType is the last valid event type
	// NOTE(review): the kernel event types declared after SyscallsEventType
	// (IMDSEventType through NopEventType) fall outside the
	// [FirstEventType, LastEventType] range — confirm this exclusion is
	// intentional wherever the range is used to iterate or validate event types.
	LastEventType = SyscallsEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileChdirEventType

	// LastApproverEventType is the last event that accepts approvers
	LastApproverEventType = SetSockOptEventType

	// CustomEventType represents a custom event type
	// Note: iota is the index of this ConstSpec in the block, and the range
	// aliases above occupy indices too, so CustomEventType is strictly greater
	// than MaxKernelEventType with a small gap of unused values in between.
	CustomEventType EventType = iota

	// CreateNewFileEventType event
	CreateNewFileEventType EventType = iota
	// DeleteFileEventType event
	DeleteFileEventType
	// WriteFileEventType event
	WriteFileEventType
	// CreateRegistryKeyEventType event
	CreateRegistryKeyEventType
	// OpenRegistryKeyEventType event
	OpenRegistryKeyEventType
	// SetRegistryKeyValueEventType event
	SetRegistryKeyValueEventType
	// DeleteRegistryKeyEventType event
	DeleteRegistryKeyEventType
	// ChangePermissionEventType event
	ChangePermissionEventType

	// FirstWindowsEventType is the first Windows event type
	FirstWindowsEventType = CreateNewFileEventType
	// LastWindowsEventType is the last Windows event type
	LastWindowsEventType = ChangePermissionEventType

	// MaxAllEventType is used internally to get the maximum number of events.
	MaxAllEventType
)

func ParseEvalEventType

func ParseEvalEventType(eventType eval.EventType) (EventType, error)

ParseEvalEventType converts an eval.EventType (string) to its uint64 representation; the current algorithm is not efficient but lets us reduce the number of conversion functions

func (EventType) String

func (t EventType) String() string

type ExitEvent added in v0.38.0

// ExitEvent represents a process exit event.
//
// The embedded *Process is the exiting process; Cause tells how it terminated
// (EXITED, SIGNALED or COREDUMPED) and Code holds either the exit status or
// the terminating signal number, depending on Cause.
type ExitEvent struct {
	*Process
	Cause uint32 `field:"cause"`                 // SECLDoc[cause] Definition:`Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)`
	Code  uint32 `field:"code,opts:gen_getters"` // SECLDoc[code] Definition:`Exit code of the process or number of the signal that caused the process to terminate`
}

ExitEvent represents a process exit event

type FailedDNSEvent added in v0.73.0

// FailedDNSEvent represents a DNS packet (inbound or outbound) that failed to
// be decoded.
//
// Payload holds the raw, undecoded packet bytes and is not exposed as a SECL
// field (field:"-"). Since the decoder already rejected this data, anything
// that inspects Payload (logging, forwarding, re-parsing) must treat it as
// untrusted and bound the work it does on it.
type FailedDNSEvent struct {
	Payload []byte `field:"-"`
}

FailedDNSEvent represents a DNS packet that failed to be decoded (inbound or outbound)

type FileMetadata added in v0.68.0

// FileMetadata represents file metadata computed by the file metadata
// resolvers.
//
// Every SECL field is lazily resolved through its handler (see the tags),
// skipped in activity dumps (skip_ad) and given a high evaluation weight, so
// rules pay the cost of opening and inspecting the file only when needed.
// Linkage and Resolved are internal bookkeeping and are not SECL fields.
// NOTE(review): Type, Architecture, ABI, Compression and Linkage are plain
// ints here; they presumably hold the FileType, Architecture, ABI,
// CompressionType and LinkageType constants — confirm with the resolvers.
type FileMetadata struct {
	Size               int64 `field:"size,handler:ResolveFileMetadataSize,opts:skip_ad,weight:999"`                               // SECLDoc[size] Definition:`[Experimental] Size of the file`
	Type               int   `field:"type,handler:ResolveFileMetadataType,opts:skip_ad,weight:999"`                               // SECLDoc[type] Definition:`[Experimental] Type of the file` Constants:`FileType`
	IsExecutable       bool  `field:"is_executable,handler:ResolveFileMetadataIsExecutable,opts:skip_ad,weight:999"`              // SECLDoc[is_executable] Definition:`[Experimental] Tells if the file is executable or not`
	Architecture       int   `field:"architecture,handler:ResolveFileMetadataArchitecture,opts:skip_ad,weight:999"`               // SECLDoc[architecture] Definition:`[Experimental] Architecture of the file (only for executable files)` Constants:`Architecture`
	ABI                int   `field:"abi,handler:ResolveFileMetadataABI,opts:skip_ad,weight:999"`                                 // SECLDoc[abi] Definition:`[Experimental] ABI of the file (only for executable files)` Constants:`ABI`
	IsUPXPacked        bool  `field:"is_upx_packed,handler:ResolveFileMetadataIsUPXPacked,opts:skip_ad,weight:999"`               // SECLDoc[is_upx_packed] Definition:`[Experimental] Tells if the binary has been packed using UPX`
	Compression        int   `field:"compression,handler:ResolveFileMetadataCompression,opts:skip_ad,weight:999"`                 // SECLDoc[compression] Definition:`[Experimental] Compression type of the file (only for compressed files)` Constants:`CompressionType`
	IsGarbleObfuscated bool  `field:"is_garble_obfuscated,handler:ResolveFileMetadataIsGarbleObfuscated,opts:skip_ad,weight:999"` // SECLDoc[is_garble_obfuscated] Definition:`[Experimental] Tells if the binary has been obfuscated using garble`
	Linkage            int   `field:"-"`
	Resolved           bool  `field:"-"`
}

FileMetadata represents file metadata

type FileType added in v0.68.0

// FileType represents the type of the analyzed file, as detected by the file metadata resolver.
type FileType int

FileType represents the type of the analyzed file

// FileType values. They are iota-based; append new types at the end so that
// values already stored in profiles or dumps keep their meaning.
const (
	// Empty file
	Empty FileType = iota
	// ShellScript file
	ShellScript
	// Text file
	Text
	// Compressed file
	Compressed
	// Encrypted file
	Encrypted
	// Binary file
	Binary
	// ELFExecutable file
	ELFExecutable
	// PEExecutable file
	PEExecutable
	// MachOExecutable file
	MachOExecutable
	// FileLess file
	FileLess
)

func (FileType) String added in v0.68.0

func (ft FileType) String() string

type HashAlgorithm added in v0.47.0

// HashAlgorithm is used to configure the hash algorithms of the hash resolver.
type HashAlgorithm int

HashAlgorithm is used to configure the hash algorithms of the hash resolver

// HashAlgorithm values.
//
// MD5 and SHA1 are not collision resistant; they are useful for matching
// against externally published indicators but should not be relied on alone
// to establish file identity — prefer SHA256 for that. SSDEEP is a fuzzy
// (similarity) hash rather than a cryptographic one.
const (
	// SHA1 is used to identify a SHA1 hash
	SHA1 HashAlgorithm = iota
	// SHA256 is used to identify a SHA256 hash
	SHA256
	// MD5 is used to identify a MD5 hash
	MD5
	// SSDEEP is used to identify a SSDEEP hash
	SSDEEP
	// MaxHashAlgorithm is used for initializations
	MaxHashAlgorithm
)

func (HashAlgorithm) String added in v0.47.0

func (ha HashAlgorithm) String() string

type HashState added in v0.47.0

// HashState is used to prevent the hash resolver from retrying to hash a file.
type HashState int

HashState is used to prevent the hash resolver from retrying to hash a file

// HashState values. Apart from NoHash and HashWasRateLimited, each state
// records a terminal outcome so the resolver does not re-open the file.
const (
	// NoHash means that computing a hash hasn't been attempted
	NoHash HashState = iota
	// Done means that the hashes were already computed
	Done
	// FileNotFound means that the underlying file is no longer available to compute the hash
	FileNotFound
	// PathnameResolutionError means that the underlying file wasn't properly resolved
	PathnameResolutionError
	// FileTooBig means that the underlying file is larger than the hash resolver file size limit
	FileTooBig
	// FileEmpty means that the underlying file is empty
	FileEmpty
	// FileOpenError is a generic hash state to say that we couldn't open the file
	FileOpenError
	// EventTypeNotConfigured means that the event type prevents a hash from being computed
	EventTypeNotConfigured
	// HashWasRateLimited means that the hash will be tried again later, it was rate limited
	HashWasRateLimited
	// HashFailed means that the hashing failed
	HashFailed
	// MaxHashState is used for initializations
	MaxHashState
)

func (HashState) String added in v0.47.0

func (i HashState) String() string

type IMDSEvent added in v0.55.0

// IMDSEvent represents an IMDS (instance metadata service) request or
// response event.
//
// Type distinguishes requests from responses (see IMDSRequestType /
// IMDSResponseType) and CloudProvider names the provider the request targets.
// URL, Host, UserAgent and Server are copied from the captured HTTP traffic:
// they are attacker-controllable strings and must be treated as untrusted
// when rendered, logged or matched outside SECL.
type IMDSEvent struct {
	Type          string `field:"type"`           // SECLDoc[type] Definition:`the type of IMDS event`
	CloudProvider string `field:"cloud_provider"` // SECLDoc[cloud_provider] Definition:`the intended cloud provider of the IMDS event`
	URL           string `field:"url"`            // SECLDoc[url] Definition:`the queried IMDS URL`
	Host          string `field:"host"`           // SECLDoc[host] Definition:`the host of the HTTP protocol`
	UserAgent     string `field:"user_agent"`     // SECLDoc[user_agent] Definition:`the user agent of the HTTP client`
	Server        string `field:"server"`         // SECLDoc[server] Definition:`the server header of a response`

	// The fields below are optional and cloud specific fields
	AWS AWSIMDSEvent `field:"aws"` // SECLDoc[aws] Definition:`the AWS specific data parsed from the IMDS event`
}

IMDSEvent represents an IMDS event

type IPPortContext added in v0.36.0

// IPPortContext is used to hold an IP and a port.
//
// IsPublic is resolved lazily by the ResolveIsIPPublic handler and skipped in
// activity dumps; IsPublicResolved is internal bookkeeping (not a SECL field)
// that presumably memoizes that resolution — confirm with the handler.
// GetComparable converts the pair to a netip.AddrPort so it can be used as a
// map key.
type IPPortContext struct {
	IPNet            net.IPNet `field:"ip"`                                               // SECLDoc[ip] Definition:`IP address`
	Port             uint16    `field:"port"`                                             // SECLDoc[port] Definition:`Port number`
	IsPublic         bool      `field:"is_public,handler:ResolveIsIPPublic,opts:skip_ad"` // SECLDoc[is_public] Definition:`Whether the IP address belongs to a public network`
	IsPublicResolved bool      `field:"-"`
}

IPPortContext is used to hold an IP and Port

func (*IPPortContext) GetComparable added in v0.63.0

func (ipc *IPPortContext) GetComparable() netip.AddrPort

GetComparable returns a comparable version of IPPortContext

type Iterator added in v0.64.0

// Iterator is a generic interface that iterators must implement.
//
// Front returns the first element and Next the following one; At returns the
// element at position pos for the given register ID; Len returns the number
// of elements. All methods receive the evaluation context.
type Iterator[T any] interface {
	Front(ctx *eval.Context) T
	Next(ctx *eval.Context) T
	At(ctx *eval.Context, regID eval.RegisterID, pos int) T
	Len(ctx *eval.Context) int
}

Iterator is a generic interface that iterators must implement

type K8SSessionContext added in v0.74.0

// K8SSessionContext describes the Kubernetes session context.
//
// Disclaimer: the `json` tags are used to parse K8s credentials from
// cws-instrumentation. K8SExtra carries any additional attributes and has no
// `field` tag, so it is not exposed to SECL; K8SResolved is internal
// bookkeeping. The username/uid/groups values originate from an external
// source, so consumers should not assume they have been validated.
type K8SSessionContext struct {
	K8SSessionID uint64              `field:"k8s_session_id" json:"k8s_session_id,omitempty"`                    // SECLDoc[k8s_session_id] Definition:`Unique identifier of the kubernetes session`
	K8SUsername  string              `field:"k8s_username,handler:ResolveK8SUsername" json:"username,omitempty"` // SECLDoc[k8s_username] Definition:`Kubernetes username of the user that executed the process`
	K8SUID       string              `field:"k8s_uid,handler:ResolveK8SUID" json:"uid,omitempty"`                // SECLDoc[k8s_uid] Definition:`Kubernetes UID of the user that executed the process`
	K8SGroups    []string            `field:"k8s_groups,handler:ResolveK8SGroups" json:"groups,omitempty"`       // SECLDoc[k8s_groups] Definition:`Kubernetes groups of the user that executed the process`
	K8SExtra     map[string][]string `json:"extra,omitempty"`
	K8SResolved  bool                `field:"-"`
}

K8SSessionContext describes the Kubernetes session context. Disclaimer: the `json` tags are used to parse K8s credentials from cws-instrumentation.

type L3Protocol added in v0.36.0

// L3Protocol identifies a network (layer 3) protocol by its Ethernet type value.
type L3Protocol uint16

L3Protocol identifies network (layer 3) protocols

// L3Protocol values.
//
// The names and values appear to mirror the Linux ETH_P_* ethertype
// definitions (the 0x0001–0x00F9 entries are the kernel-internal pseudo
// types, not wire ethertypes) — confirm against linux/if_ether.h before
// relying on a specific value.
const (
	// EthPLOOP Ethernet Loopback packet
	EthPLOOP L3Protocol = 0x0060
	// EthPPUP Xerox PUP packet
	EthPPUP L3Protocol = 0x0200
	// EthPPUPAT Xerox PUP Addr Trans packet
	EthPPUPAT L3Protocol = 0x0201
	// EthPTSN TSN (IEEE 1722) packet
	EthPTSN L3Protocol = 0x22F0
	// EthPIP Internet Protocol packet
	EthPIP L3Protocol = 0x0800
	// EthPX25 CCITT X.25
	EthPX25 L3Protocol = 0x0805
	// EthPARP Address Resolution packet
	EthPARP L3Protocol = 0x0806
	// EthPBPQ G8BPQ AX.25 Ethernet Packet    [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBPQ L3Protocol = 0x08FF
	// EthPIEEEPUP Xerox IEEE802.3 PUP packet
	EthPIEEEPUP L3Protocol = 0x0a00
	// EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet
	EthPIEEEPUPAT L3Protocol = 0x0a01
	// EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBATMAN L3Protocol = 0x4305
	// EthPDEC DEC Assigned proto
	EthPDEC L3Protocol = 0x6000
	// EthPDNADL DEC DNA Dump/Load
	EthPDNADL L3Protocol = 0x6001
	// EthPDNARC DEC DNA Remote Console
	EthPDNARC L3Protocol = 0x6002
	// EthPDNART DEC DNA Routing
	EthPDNART L3Protocol = 0x6003
	// EthPLAT DEC LAT
	EthPLAT L3Protocol = 0x6004
	// EthPDIAG DEC Diagnostics
	EthPDIAG L3Protocol = 0x6005
	// EthPCUST DEC Customer use
	EthPCUST L3Protocol = 0x6006
	// EthPSCA DEC Systems Comms Arch
	EthPSCA L3Protocol = 0x6007
	// EthPTEB Trans Ether Bridging
	EthPTEB L3Protocol = 0x6558
	// EthPRARP Reverse Addr Res packet
	EthPRARP L3Protocol = 0x8035
	// EthPATALK Appletalk DDP
	EthPATALK L3Protocol = 0x809B
	// EthPAARP Appletalk AARP
	EthPAARP L3Protocol = 0x80F3
	// EthP8021Q 802.1Q VLAN Extended Header
	EthP8021Q L3Protocol = 0x8100
	// EthPERSPAN ERSPAN type II
	EthPERSPAN L3Protocol = 0x88BE
	// EthPIPX IPX over DIX
	EthPIPX L3Protocol = 0x8137
	// EthPIPV6 IPv6 over bluebook
	EthPIPV6 L3Protocol = 0x86DD
	// EthPPAUSE IEEE Pause frames. See 802.3 31B
	EthPPAUSE L3Protocol = 0x8808
	// EthPSLOW Slow Protocol. See 802.3ad 43B
	EthPSLOW L3Protocol = 0x8809
	// EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	EthPWCCP L3Protocol = 0x883E
	// EthPMPLSUC MPLS Unicast traffic
	EthPMPLSUC L3Protocol = 0x8847
	// EthPMPLSMC MPLS Multicast traffic
	EthPMPLSMC L3Protocol = 0x8848
	// EthPATMMPOA MultiProtocol Over ATM
	EthPATMMPOA L3Protocol = 0x884c
	// EthPPPPDISC PPPoE discovery messages
	EthPPPPDISC L3Protocol = 0x8863
	// EthPPPPSES PPPoE session messages
	EthPPPPSES L3Protocol = 0x8864
	// EthPLinkCTL HPNA, wlan link local tunnel
	EthPLinkCTL L3Protocol = 0x886c
	// EthPATMFATE Frame-based ATM Transport over Ethernet
	EthPATMFATE L3Protocol = 0x8884
	// EthPPAE Port Access Entity (IEEE 802.1X)
	EthPPAE L3Protocol = 0x888E
	// EthPAOE ATA over Ethernet
	EthPAOE L3Protocol = 0x88A2
	// EthP8021AD 802.1ad Service VLAN
	EthP8021AD L3Protocol = 0x88A8
	// EthP802EX1 802.1 Local Experimental 1.
	EthP802EX1 L3Protocol = 0x88B5
	// EthPTIPC TIPC
	EthPTIPC L3Protocol = 0x88CA
	// EthPMACSEC 802.1ae MACsec
	EthPMACSEC L3Protocol = 0x88E5
	// EthP8021AH 802.1ah Backbone Service Tag
	EthP8021AH L3Protocol = 0x88E7
	// EthPMVRP 802.1Q MVRP
	EthPMVRP L3Protocol = 0x88F5
	// EthP1588 IEEE 1588 Timesync
	EthP1588 L3Protocol = 0x88F7
	// EthPNCSI NCSI protocol
	EthPNCSI L3Protocol = 0x88F8
	// EthPPRP IEC 62439-3 PRP/HSRv0
	EthPPRP L3Protocol = 0x88FB
	// EthPFCOE Fibre Channel over Ethernet
	EthPFCOE L3Protocol = 0x8906
	// EthPIBOE Infiniband over Ethernet
	EthPIBOE L3Protocol = 0x8915
	// EthPTDLS TDLS
	EthPTDLS L3Protocol = 0x890D
	// EthPFIP FCoE Initialization Protocol
	EthPFIP L3Protocol = 0x8914
	// EthP80221 IEEE 802.21 Media Independent Handover Protocol
	EthP80221 L3Protocol = 0x8917
	// EthPHSR IEC 62439-3 HSRv1
	EthPHSR L3Protocol = 0x892F
	// EthPNSH Network Service Header
	EthPNSH L3Protocol = 0x894F
	// EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3
	EthPLOOPBACK L3Protocol = 0x9000
	// EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ1 L3Protocol = 0x9100
	// EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ2 L3Protocol = 0x9200
	// EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ3 L3Protocol = 0x9300
	// EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPEDSA L3Protocol = 0xDADA
	// EthPIFE ForCES inter-FE LFB type
	EthPIFE L3Protocol = 0xED3E
	// EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPAFIUCV L3Protocol = 0xFBFB
	// EthP8023MIN If the value in the ethernet type is less than this value then the frame is Ethernet II. Else it is 802.3
	EthP8023MIN L3Protocol = 0x0600
	// EthPIPV6HopByHop IPv6 Hop by hop option
	EthPIPV6HopByHop L3Protocol = 0x000
	// EthP8023 Dummy type for 802.3 frames
	EthP8023 L3Protocol = 0x0001
	// EthPAX25 Dummy protocol id for AX.25
	EthPAX25 L3Protocol = 0x0002
	// EthPALL Every packet (be careful!!!)
	EthPALL L3Protocol = 0x0003
	// EthP8022 802.2 frames
	EthP8022 L3Protocol = 0x0004
	// EthPSNAP Internal only
	EthPSNAP L3Protocol = 0x0005
	// EthPDDCMP DEC DDCMP: Internal only
	EthPDDCMP L3Protocol = 0x0006
	// EthPWANPPP Dummy type for WAN PPP frames
	EthPWANPPP L3Protocol = 0x0007
	// EthPPPPMP Dummy type for PPP MP frames
	EthPPPPMP L3Protocol = 0x0008
	// EthPLOCALTALK Localtalk pseudo type
	EthPLOCALTALK L3Protocol = 0x0009
	// EthPCAN CAN: Controller Area Network
	EthPCAN L3Protocol = 0x000C
	// EthPCANFD CANFD: CAN flexible data rate
	EthPCANFD L3Protocol = 0x000D
	// EthPPPPTALK Dummy type for Atalk over PPP
	EthPPPPTALK L3Protocol = 0x0010
	// EthPTR8022 802.2 frames
	EthPTR8022 L3Protocol = 0x0011
	// EthPMOBITEX Mobitex (kaz@cafe.net)
	EthPMOBITEX L3Protocol = 0x0015
	// EthPCONTROL Card specific control frames
	EthPCONTROL L3Protocol = 0x0016
	// EthPIRDA Linux-IrDA
	EthPIRDA L3Protocol = 0x0017
	// EthPECONET Acorn Econet
	EthPECONET L3Protocol = 0x0018
	// EthPHDLC HDLC frames
	EthPHDLC L3Protocol = 0x0019
	// EthPARCNET 1A for ArcNet :-)
	EthPARCNET L3Protocol = 0x001A
	// EthPDSA Distributed Switch Arch.
	EthPDSA L3Protocol = 0x001B
	// EthPTRAILER Trailer switch tagging
	EthPTRAILER L3Protocol = 0x001C
	// EthPPHONET Nokia Phonet frames
	EthPPHONET L3Protocol = 0x00F5
	// EthPIEEE802154 IEEE802.15.4 frame
	EthPIEEE802154 L3Protocol = 0x00F6
	// EthPCAIF ST-Ericsson CAIF protocol
	EthPCAIF L3Protocol = 0x00F7
	// EthPXDSA Multiplexed DSA protocol
	EthPXDSA L3Protocol = 0x00F8
	// EthPMAP Qualcomm multiplexing and aggregation protocol
	EthPMAP L3Protocol = 0x00F9
)

func (L3Protocol) String added in v0.36.0

func (proto L3Protocol) String() string

type L4Protocol added in v0.36.0

// L4Protocol identifies a transport (layer 4) protocol by its IP protocol number.
type L4Protocol uint16

L4Protocol identifies transport (layer 4) protocols

// L4Protocol values. The names and numbers appear to mirror the Linux
// IPPROTO_* definitions — confirm against linux/in.h before relying on a
// specific value.
const (
	// IPProtoIP Dummy protocol for TCP
	IPProtoIP L4Protocol = 0
	// IPProtoICMP Internet Control Message Protocol (IPv4)
	IPProtoICMP L4Protocol = 1
	// IPProtoIGMP Internet Group Management Protocol
	IPProtoIGMP L4Protocol = 2
	// IPProtoIPIP IPIP tunnels (older KA9Q tunnels use 94)
	IPProtoIPIP L4Protocol = 4
	// IPProtoTCP Transmission Control Protocol
	IPProtoTCP L4Protocol = 6
	// IPProtoEGP Exterior Gateway Protocol
	IPProtoEGP L4Protocol = 8
	// IPProtoIGP Interior Gateway Protocol (any private interior gateway (used by Cisco for their IGRP))
	IPProtoIGP L4Protocol = 9
	// IPProtoPUP PUP protocol
	IPProtoPUP L4Protocol = 12
	// IPProtoUDP User Datagram Protocol
	IPProtoUDP L4Protocol = 17
	// IPProtoIDP XNS IDP protocol
	IPProtoIDP L4Protocol = 22
	// IPProtoTP SO Transport Protocol Class 4
	IPProtoTP L4Protocol = 29
	// IPProtoDCCP Datagram Congestion Control Protocol
	IPProtoDCCP L4Protocol = 33
	// IPProtoIPV6 IPv6-in-IPv4 tunnelling
	IPProtoIPV6 L4Protocol = 41
	// IPProtoRSVP RSVP Protocol
	IPProtoRSVP L4Protocol = 46
	// IPProtoGRE Cisco GRE tunnels (rfc 1701,1702)
	IPProtoGRE L4Protocol = 47
	// IPProtoESP Encapsulation Security Payload protocol
	IPProtoESP L4Protocol = 50
	// IPProtoAH Authentication Header protocol
	IPProtoAH L4Protocol = 51
	// IPProtoICMPV6 Internet Control Message Protocol (IPv6)
	IPProtoICMPV6 L4Protocol = 58
	// IPProtoMTP Multicast Transport Protocol
	IPProtoMTP L4Protocol = 92
	// IPProtoBEETPH IP option pseudo header for BEET
	IPProtoBEETPH L4Protocol = 94
	// IPProtoENCAP Encapsulation Header
	IPProtoENCAP L4Protocol = 98
	// IPProtoPIM Protocol Independent Multicast
	IPProtoPIM L4Protocol = 103
	// IPProtoCOMP Compression Header Protocol
	IPProtoCOMP L4Protocol = 108
	// IPProtoSCTP Stream Control Transport Protocol
	IPProtoSCTP L4Protocol = 132
	// IPProtoUDPLITE UDP-Lite (RFC 3828)
	IPProtoUDPLITE L4Protocol = 136
	// IPProtoMPLS MPLS in IP (RFC 4023)
	IPProtoMPLS L4Protocol = 137
	// IPProtoRAW Raw IP packets
	IPProtoRAW L4Protocol = 255
)

func (L4Protocol) String added in v0.36.0

func (proto L4Protocol) String() string

type LinkageType added in v0.68.0

// LinkageType represents the type of linkage (static or dynamic) used in a binary.
type LinkageType int

LinkageType represents the type of linkage used in the binary

// LinkageType values. None is the zero value, so an unresolved
// FileMetadata.Linkage reads as None.
const (
	// None when unknown or for non-binary files
	None LinkageType = iota
	// Static linked executables
	Static
	// Dynamic linked executables
	Dynamic
)

func (LinkageType) String added in v0.68.0

func (l LinkageType) String() string

type MatchedRule added in v0.44.0

// MatchedRule contains the identification of one rule that has matched.
//
// RuleID/RuleVersion identify the rule and PolicyName/PolicyVersion the
// policy it came from; RuleTags carries the rule's tags. Match compares two
// entries and AppendMatchedRule uses it to merge lists without duplicates.
// NOTE(review): RuleTags is a map, so a MatchedRule built by NewMatchedRule
// shares it with the caller unless the caller copies it — confirm that is
// intended.
type MatchedRule struct {
	RuleID        string
	RuleVersion   string
	RuleTags      map[string]string
	PolicyName    string
	PolicyVersion string
}

MatchedRule contains the identification of one rule that has matched

func AppendMatchedRule added in v0.44.0

func AppendMatchedRule(list []*MatchedRule, toAdd []*MatchedRule) []*MatchedRule

AppendMatchedRule appends two lists while avoiding duplicates

func NewMatchedRule added in v0.44.0

func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule

NewMatchedRule returns a new MatchedRule instance

func (*MatchedRule) Match added in v0.44.0

func (mr *MatchedRule) Match(mr2 *MatchedRule) bool

Match returns true if the rules are equal

type Model added in v0.34.0

// Model describes the data model for the runtime security agent events.
//
// ExtraValidateFieldFnc and ExtraValidateRule are optional hooks that let the
// embedding component add validation of field values and of whole rules on
// top of the model's own checks; a nil hook is presumably skipped — confirm
// with the validation code.
type Model struct {
	ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
	ExtraValidateRule     func(rule *eval.Rule) error
	// contains filtered or unexported fields
}

Model describes the data model for the runtime security agent events

func (*Model) SetLegacyFields added in v0.73.0

func (m *Model) SetLegacyFields(legacyFields map[eval.Field]eval.Field)

SetLegacyFields sets the legacy field mapping for backwards compatibility

type NetworkContext added in v0.36.0

// NetworkContext represents the network context of the event.
//
// L3Protocol and L4Protocol are stored as raw uint16 values; their symbolic
// names are the L3Protocol / L4Protocol constants declared in this package.
// NetworkDirection maps to the NetworkDirection constants and Type to the
// NetworkProtocolType constants.
type NetworkContext struct {
	Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured

	L3Protocol       uint16        `field:"l3_protocol"`       // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
	L4Protocol       uint16        `field:"l4_protocol"`       // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
	Source           IPPortContext `field:"source"`            // source of the network packet
	Destination      IPPortContext `field:"destination"`       // destination of the network packet
	NetworkDirection uint32        `field:"network_direction"` // SECLDoc[network_direction] Definition:`Network direction of the network packet` Constants:`Network directions`
	Size             uint32        `field:"size"`              // SECLDoc[size] Definition:`Size in bytes of the network packet`
	Type             uint32        `field:"type"`              // SECLDoc[type] Definition:`Type of the network packet` Constants:`Network Protocol Types`
}

NetworkContext represents the network context of the event

func (*NetworkContext) IsZero added in v0.59.0

func (nc *NetworkContext) IsZero() bool

IsZero reports whether the network context is unset

type NetworkDirection added in v0.63.0

// NetworkDirection is used to identify the network direction of a flow.
type NetworkDirection uint32

NetworkDirection is used to identify the network direction of a flow

// NetworkDirection values. They start at 1 so that the zero value of
// NetworkContext.NetworkDirection means "unknown" rather than Egress.
const (
	// Egress is used to identify egress traffic
	Egress NetworkDirection = iota + 1
	// Ingress is used to identify ingress traffic
	Ingress
)

func (NetworkDirection) String added in v0.63.0

func (direction NetworkDirection) String() string

type NetworkProtocolType added in v0.71.0

// NetworkProtocolType is the type of the protocol of the network event (e.g. the ICMP message type).
type NetworkProtocolType uint16

NetworkProtocolType is the type of the protocol of the network event

// NetworkProtocolType values.
//
// UnspecType is math.MaxUint16 rather than 0 because 0 is a legitimate value
// (ICMPTypeEchoReply). The ICMP and ICMPv6 types share one numeric space, so
// a value is only meaningful together with the L4 protocol of the packet
// (e.g. 8 is an ICMP echo request but has no ICMPv6 entry here).
const (
	// UnspecType is the default type
	UnspecType NetworkProtocolType = math.MaxUint16

	// ICMPTypeEchoRequest is the type for ICMP echo requests
	ICMPTypeEchoRequest NetworkProtocolType = 8
	// ICMPTypeEchoReply is the type for ICMP echo replies
	ICMPTypeEchoReply NetworkProtocolType = 0
	// ICMPTypeRouterSolicitation is the type for ICMP router solicitation
	ICMPTypeRouterSolicitation NetworkProtocolType = 9
	// ICMPTypeRouterAdvertisement is the type for ICMP router advertisement
	ICMPTypeRouterAdvertisement NetworkProtocolType = 10
	// ICMPTypeNeighborSolicitation is the type for ICMP neighbor solicitation
	ICMPTypeNeighborSolicitation NetworkProtocolType = 135
	// ICMPTypeNeighborAdvertisement is the type for ICMP neighbor advertisement
	ICMPTypeNeighborAdvertisement NetworkProtocolType = 136

	// ICMPv6TypeEchoRequest is the type for ICMPv6 echo requests
	ICMPv6TypeEchoRequest NetworkProtocolType = 128
	// ICMPv6TypeEchoReply is the type for ICMPv6 echo replies
	ICMPv6TypeEchoReply NetworkProtocolType = 129
	// ICMPv6TypeRouterSolicitation is the type for ICMPv6 router solicitation
	ICMPv6TypeRouterSolicitation NetworkProtocolType = 133
	// ICMPv6TypeRouterAdvertisement is the type for ICMPv6 router advertisement
	ICMPv6TypeRouterAdvertisement NetworkProtocolType = 134
	// ICMPv6TypeNeighborSolicitation is the type for ICMPv6 neighbor solicitation
	ICMPv6TypeNeighborSolicitation NetworkProtocolType = 137
	// ICMPv6TypeNeighborAdvertisement is the type for ICMPv6 neighbor advertisement
	ICMPv6TypeNeighborAdvertisement NetworkProtocolType = 138
)

func (NetworkProtocolType) String added in v0.71.0

func (proto NetworkProtocolType) String() string

type ProcessAncestorsIterator added in v0.34.0

// ProcessAncestorsIterator walks the ancestor chain of a process; the walk is
// driven by the At/Front/Next/Len methods declared on it.
type ProcessAncestorsIterator struct {
	// Root presumably anchors the walk (the entry whose ancestors are visited);
	// the cursor state itself is unexported — confirm against Front.
	Root *ProcessCacheEntry
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator over the ancestors of a process

func (*ProcessAncestorsIterator) At added in v0.60.0

At returns the element at the given position

func (*ProcessAncestorsIterator) Front added in v0.34.0

Front returns the first element

func (*ProcessAncestorsIterator) Len added in v0.60.0

func (it *ProcessAncestorsIterator) Len(ctx *eval.Context) int

Len returns the number of elements in the iterator

func (*ProcessAncestorsIterator) Next added in v0.34.0

Next returns the next element

type ProcessCacheEntry added in v0.34.0

// ProcessCacheEntry holds the process context kept in the process tree.
// It embeds ProcessContext, so every Process/Parent/Ancestor field is
// reachable directly on the entry.
type ProcessCacheEntry struct {
	ProcessContext
}

ProcessCacheEntry holds the process context kept in the process tree

func NewProcessCacheEntry added in v0.34.0

func NewProcessCacheEntry() *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) AppendReleaseCallback added in v0.56.0

func (pc *ProcessCacheEntry) AppendReleaseCallback(callback func())

AppendReleaseCallback registers a callback to be called when the entry is released

func (*ProcessCacheEntry) IsContainerRoot added in v0.44.0

func (pc *ProcessCacheEntry) IsContainerRoot() bool

IsContainerRoot returns whether this process is the top-level process of its container

func (*ProcessCacheEntry) Reset added in v0.34.0

func (pc *ProcessCacheEntry) Reset()

Reset resets the entry

type ProcessContext added in v0.34.0

// ProcessContext holds the process context of an event: the process itself
// plus links to its parent and to the ancestor chain.
type ProcessContext struct {
	Process

	// Parent is guarded by the check:HasParent tag, i.e. HasParent must be true
	// before the field is dereferenced by generated accessors (assumed from the
	// tag; the generator is not visible here).
	Parent   *Process           `field:"parent,opts:exposed_at_event_root_only,check:HasParent"`
	// Ancestor is iterated through ProcessAncestorsIterator, per the iterator: tag.
	Ancestor *ProcessCacheEntry `field:"ancestors,iterator:ProcessAncestorsIterator,check:IsNotKworker"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) HasParent added in v0.42.0

func (p *ProcessContext) HasParent() bool

HasParent returns whether the process has a parent

type QClass added in v0.36.0

type QClass uint32

QClass is used to declare the qclass field of a DNS request

func (QClass) String added in v0.36.0

func (qc QClass) String() string

type QType added in v0.36.0

type QType uint32

QType is used to declare the qtype field of a DNS request

func (QType) String added in v0.36.0

func (qt QType) String() string

type Releasable added in v0.46.0

// Releasable represents an object that can be released; callbacks registered
// with AppendReleaseCallback are run by CallReleaseCallback.
type Releasable struct {
	// contains filtered or unexported fields
}

Releasable represents an object that can be released

func (*Releasable) AppendReleaseCallback added in v0.56.0

func (r *Releasable) AppendReleaseCallback(callback func())

AppendReleaseCallback registers a callback to be called when the cache entry is released

func (*Releasable) CallReleaseCallback added in v0.46.0

func (r *Releasable) CallReleaseCallback()

CallReleaseCallback calls the on-release callback

type RetValError added in v0.34.0

type RetValError int

RetValError represents a syscall return error value

func (RetValError) String added in v0.34.0

func (f RetValError) String() string

type RuleContext added in v0.66.0

// RuleContext defines a rule context. Both fields carry `field:"-"`, which
// presumably keeps them out of the generated SECL field set — confirm against
// the field generator.
type RuleContext struct {
	Expression       string                `field:"-"`
	MatchingSubExprs eval.MatchingSubExprs `field:"-"`
}

RuleContext defines a rule context

type SSHSessionContext added in v0.74.0

// SSHSessionContext describes the SSH session context attached to a process.
// Every SECL-exposed field below is also serialised to JSON with omitempty;
// SSHDPid is deliberately excluded from both.
type SSHSessionContext struct {
	SSHSessionID  uint64    `field:"ssh_session_id" json:"ssh_session_id,omitempty"` // SECLDoc[ssh_session_id] Definition:`Unique identifier of the SSH user session on the host`
	SSHClientPort int       `field:"ssh_client_port" json:"client_port,omitempty"`   // SECLDoc[ssh_client_port] Definition:`SSH client port of the user that executed the process`
	SSHClientIP   net.IPNet `field:"ssh_client_ip" json:"client_ip,omitempty"`       // SECLDoc[ssh_client_ip] Definition:`SSH client IP of the user that executed the process`
	SSHAuthMethod int       `field:"ssh_auth_method" json:"auth_method,omitempty"`   // SECLDoc[ssh_auth_method] Definition:`SSH authentication method used by the user` Constants:`SSHAuthMethod`
	SSHPublicKey  string    `field:"ssh_public_key" json:"public_key,omitempty"`     // SECLDoc[ssh_public_key] Definition:`SSH public key used for authentication (if applicable)`
	SSHDPid       uint32    `field:"-" json:"-"`                                     // Internal field
}

SSHSessionContext describes the SSH session context

type SecurityProfileContext added in v0.45.0

// SecurityProfileContext holds the security context of the profile an event
// was evaluated against. EventTypeState is internal (`field:"-"`).
type SecurityProfileContext struct {
	Name           string                     `field:"name"`        // SECLDoc[name] Definition:`Name of the security profile`
	Version        string                     `field:"version"`     // SECLDoc[version] Definition:`Version of the security profile`
	Tags           []string                   `field:"tags"`        // SECLDoc[tags] Definition:`Tags of the security profile`
	EventTypes     []EventType                `field:"event_types"` // SECLDoc[event_types] Definition:`Event types enabled for the security profile`
	EventTypeState EventFilteringProfileState `field:"-"`           // State of the event type in this profile
}

SecurityProfileContext holds the security context of the profile

type SnapshottedBoundSocket added in v0.78.0

// SnapshottedBoundSocket represents a bound socket captured during a snapshot.
type SnapshottedBoundSocket struct {
	IP       net.IP
	Port     uint16
	Family   uint16 // presumably the address family — confirm against the snapshot producer
	Protocol uint16 // presumably the transport protocol number — confirm against the snapshot producer
}

SnapshottedBoundSocket represents a snapshotted bound socket

type SnapshottedMmapedFile added in v0.78.0

// SnapshottedMmapedFile represents a memory-mapped file captured during a snapshot.
type SnapshottedMmapedFile struct {
	Path string
}

SnapshottedMmapedFile represents a snapshotted memory-mapped file

type SpanContext added in v0.34.0

// SpanContext describes a tracing span context; both fields are internal
// (`field:"-"`) and are not exposed to SECL.
type SpanContext struct {
	SpanID  uint64        `field:"-"`
	TraceID utils.TraceID `field:"-"`
}

SpanContext describes a span context

type Syscall added in v0.39.0

type Syscall int

Syscall represents a syscall identifier

func (Syscall) String added in v0.39.0

func (i Syscall) String() string

type SyscallDriftEventReason added in v0.57.0

type SyscallDriftEventReason uint64

SyscallDriftEventReason describes why a syscall drift event was sent

const (
	// SyscallMonitorPeriodReason means that the event was sent because the syscall cache entry was dirty for longer than syscall_monitor.period
	// Starting at iota + 1 keeps the zero value of SyscallDriftEventReason free,
	// presumably to mean "no reason recorded".
	SyscallMonitorPeriodReason SyscallDriftEventReason = iota + 1
	// ExitReason means that the event was sent because a pid that was about to exit had a dirty cache entry
	ExitReason
	// ExecveReason means that the event was sent because an execve syscall was detected on a pid with a dirty cache entry
	ExecveReason
)

func (SyscallDriftEventReason) String added in v0.57.0

func (r SyscallDriftEventReason) String() string

type TLSContext added in v0.60.0

// TLSContext represents a TLS context attached to a network event.
type TLSContext struct {
	// Version is a bare uint16 rather than the TLSVersion type declared in this
	// package, so TLSVersion.String() does not apply to it without a conversion.
	Version uint16 `field:"version"` // SECLDoc[version] Definition:`TLS version`
}

TLSContext represents a TLS context

type TLSVersion added in v0.60.0

type TLSVersion uint16

TLSVersion represents a TLS version

func (TLSVersion) String added in v0.60.0

func (tls TLSVersion) String() string

type UserSessionContext added in v0.50.0

// UserSessionContext describes the user session context. It embeds both the
// Kubernetes and SSH session contexts; SessionType, ID and Identity are
// resolved lazily through the handlers named in their field tags and select
// between the two embedded contexts.
type UserSessionContext struct {
	SessionType int    `field:"session_type,handler:ResolveSessionType" json:"session_type,omitempty"` // SECLDoc[session_type] Definition:`Type of the user session`
	ID          string `field:"id,handler:ResolveSessionID" json:"id,omitempty"`                       // SECLDoc[id] Definition:`Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type`
	Identity    string `field:"identity,handler:ResolveSessionIdentity" json:"identity,omitempty"`     // SECLDoc[identity] Definition:`User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type`
	K8SSessionContext
	SSHSessionContext
}

UserSessionContext describes the user session context

Directories

Path Synopsis
Package main holds main related files
Package main holds main related files
Package sharedconsts holds model related shared constants
Package sharedconsts holds model related shared constants
Package usersession holds model related to the user session context
Package usersession holds model related to the user session context
Package utils holds utility related to the model
Package utils holds utility related to the model
