model

package
v0.74.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 6, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package model holds model related files

Package model holds the security profile data model

Index

Constants

View Source 
const (
	// MaxSegmentLength defines the maximum length of each segment of a path
	MaxSegmentLength = 255

	// MaxPathDepth defines the maximum depth of a path
	// see pkg/security/ebpf/c/dentry_resolver.h: DR_MAX_TAIL_CALL * DR_MAX_ITERATION_DEPTH
	MaxPathDepth = 1363

	// MaxBpfObjName defines the maximum length of a Bpf object name
	MaxBpfObjName = 16

	// PathSuffix defines the suffix used for path fields
	PathSuffix = ".path"

	// NameSuffix defines the suffix used for name fields
	NameSuffix = ".name"

	// ContainerIDLen defines the length of a container ID
	ContainerIDLen = sha256.Size * 2

	// MaxSymlinks maximum symlinks captured
	MaxSymlinks = 2

	// MaxTracedCgroupsCount hard limit for the count of traced cgroups
	MaxTracedCgroupsCount = 128
)
View Source 
const (
	// EventFlagsAsync async event
	EventFlagsAsync = 1 << iota

	// EventFlagsSavedByAD saved by ad
	EventFlagsSavedByAD

	// EventFlagsActivityDumpSample an AD sample
	EventFlagsActivityDumpSample

	// EventFlagsSecurityProfileInProfile true if the event was found in a profile
	EventFlagsSecurityProfileInProfile

	// EventFlagsAnomalyDetectionEvent true if the event is marked as being an anomaly
	EventFlagsAnomalyDetectionEvent

	// EventFlagsHasActiveActivityDump true if the event has an active activity dump associated to it
	EventFlagsHasActiveActivityDump

	// EventFlagsFromReplay is true if the event is generated from a replay
	EventFlagsFromReplay
)
View Source 
const (
	// IMDSRequestType is used to specify that the event is an IDMS request event
	IMDSRequestType = "request"
	// IMDSResponseType is used to specify that the event is an IMDS response event
	IMDSResponseType = "response"
	// IMDSAWSCloudProvider is used to report that the IMDS event is for AWS
	IMDSAWSCloudProvider = "aws"
	// IMDSGCPCloudProvider is used to report that the IMDS event is for GCP
	IMDSGCPCloudProvider = "gcp"
	// IMDSAzureCloudProvider is used to report that the IMDS event is for Azure
	IMDSAzureCloudProvider = "azure"
	// IMDSIBMCloudProvider is used to report that the IMDS event is for ibm
	IMDSIBMCloudProvider = "ibm"
	// IMDSOracleCloudProvider is used to report that the IMDS event is for Oracle
	IMDSOracleCloudProvider = "oracle"
)
View Source 
const (
	LowerLayer = 1 << iota
	UpperLayer
)

File flags

View Source 
const (
	// SIGKILL id for the kill action
	SIGKILL = iota + 1
)

Variables

View Source 
var (
	// DNSQTypeConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qtypes,DNS qtypes are the supported DNS query types.
	DNSQTypeConstants = map[string]int{
		"None":       0,
		"A":          1,
		"NS":         2,
		"MD":         3,
		"MF":         4,
		"CNAME":      5,
		"SOA":        6,
		"MB":         7,
		"MG":         8,
		"MR":         9,
		"NULL":       10,
		"PTR":        12,
		"HINFO":      13,
		"MINFO":      14,
		"MX":         15,
		"TXT":        16,
		"RP":         17,
		"AFSDB":      18,
		"X25":        19,
		"ISDN":       20,
		"RT":         21,
		"NSAPPTR":    23,
		"SIG":        24,
		"KEY":        25,
		"PX":         26,
		"GPOS":       27,
		"AAAA":       28,
		"LOC":        29,
		"NXT":        30,
		"EID":        31,
		"NIMLOC":     32,
		"SRV":        33,
		"ATMA":       34,
		"NAPTR":      35,
		"KX":         36,
		"CERT":       37,
		"DNAME":      39,
		"OPT":        41,
		"APL":        42,
		"DS":         43,
		"SSHFP":      44,
		"RRSIG":      46,
		"NSEC":       47,
		"DNSKEY":     48,
		"DHCID":      49,
		"NSEC3":      50,
		"NSEC3PARAM": 51,
		"TLSA":       52,
		"SMIMEA":     53,
		"HIP":        55,
		"NINFO":      56,
		"RKEY":       57,
		"TALINK":     58,
		"CDS":        59,
		"CDNSKEY":    60,
		"OPENPGPKEY": 61,
		"CSYNC":      62,
		"ZONEMD":     63,
		"SVCB":       64,
		"HTTPS":      65,
		"SPF":        99,
		"UINFO":      100,
		"UID":        101,
		"GID":        102,
		"UNSPEC":     103,
		"NID":        104,
		"L32":        105,
		"L64":        106,
		"LP":         107,
		"EUI48":      108,
		"EUI64":      109,
		"URI":        256,
		"CAA":        257,
		"AVC":        258,
		"TKEY":       249,
		"TSIG":       250,
		"IXFR":       251,
		"AXFR":       252,
		"MAILB":      253,
		"MAILA":      254,
		"ANY":        255,
		"TA":         32768,
		"DLV":        32769,
		"Reserved":   65535,
	}

	// DNSQClassConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qclasses,DNS qclasses are the supported DNS query classes.
	DNSQClassConstants = map[string]int{
		"CLASS_INET":   1,
		"CLASS_CSNET":  2,
		"CLASS_CHAOS":  3,
		"CLASS_HESIOD": 4,
		"CLASS_NONE":   254,
		"CLASS_ANY":    255,
	}

	// DNSResponseCodeConstants see https://datatracker.ietf.org/doc/html/rfc2929
	// generate_constants:DNS Responses,DNS Responses are the supported response codes
	DNSResponseCodeConstants = map[string]int{
		"NOERROR":  0,
		"FORMERR":  1,
		"SERVFAIL": 2,
		"NXDOMAIN": 3,
		"NOTIMP":   4,
		"REFUSED":  5,
		"YXDOMAIN": 6,
		"YXRRSET":  7,
		"NXRRSET":  8,
		"NOTAUTH":  9,
		"NOTZONE":  10,
		"BADVERS":  16,
		"BADSIG":   16,
		"BADKEY":   17,
		"BADTIME":  18,
		"BADMODE":  19,
		"BADNAME":  20,
		"BADALG":   21,
	}

	// BooleanConstants holds the evaluator for boolean constants
	// generate_constants:Boolean constants,Boolean constants are the supported boolean constants.
	BooleanConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}

	// L3ProtocolConstants is the list of supported L3 protocols
	// generate_constants:L3 protocols,L3 protocols are the supported Layer 3 protocols.
	L3ProtocolConstants = map[string]L3Protocol{
		"ETH_P_LOOP":            EthPLOOP,
		"ETH_P_PUP":             EthPPUP,
		"ETH_P_PUPAT":           EthPPUPAT,
		"ETH_P_TSN":             EthPTSN,
		"ETH_P_IP":              EthPIP,
		"ETH_P_X25":             EthPX25,
		"ETH_P_ARP":             EthPARP,
		"ETH_P_BPQ":             EthPBPQ,
		"ETH_P_IEEEPUP":         EthPIEEEPUP,
		"ETH_P_IEEEPUPAT":       EthPIEEEPUPAT,
		"ETH_P_BATMAN":          EthPBATMAN,
		"ETH_P_DEC":             EthPDEC,
		"ETH_P_DNADL":           EthPDNADL,
		"ETH_P_DNARC":           EthPDNARC,
		"ETH_P_DNART":           EthPDNART,
		"ETH_P_LAT":             EthPLAT,
		"ETH_P_DIAG":            EthPDIAG,
		"ETH_P_CUST":            EthPCUST,
		"ETH_P_SCA":             EthPSCA,
		"ETH_P_TEB":             EthPTEB,
		"ETH_P_RARP":            EthPRARP,
		"ETH_P_ATALK":           EthPATALK,
		"ETH_P_AARP":            EthPAARP,
		"ETH_P_8021_Q":          EthP8021Q,
		"ETH_P_ERSPAN":          EthPERSPAN,
		"ETH_P_IPX":             EthPIPX,
		"ETH_P_IPV6":            EthPIPV6,
		"ETH_P_PAUSE":           EthPPAUSE,
		"ETH_P_SLOW":            EthPSLOW,
		"ETH_P_WCCP":            EthPWCCP,
		"ETH_P_MPLSUC":          EthPMPLSUC,
		"ETH_P_MPLSMC":          EthPMPLSMC,
		"ETH_P_ATMMPOA":         EthPATMMPOA,
		"ETH_P_PPPDISC":         EthPPPPDISC,
		"ETH_P_PPPSES":          EthPPPPSES,
		"ETH_P__LINK_CTL":       EthPLinkCTL,
		"ETH_P_ATMFATE":         EthPATMFATE,
		"ETH_P_PAE":             EthPPAE,
		"ETH_P_AOE":             EthPAOE,
		"ETH_P_8021_AD":         EthP8021AD,
		"ETH_P_802_EX1":         EthP802EX1,
		"ETH_P_TIPC":            EthPTIPC,
		"ETH_P_MACSEC":          EthPMACSEC,
		"ETH_P_8021_AH":         EthP8021AH,
		"ETH_P_MVRP":            EthPMVRP,
		"ETH_P_1588":            EthP1588,
		"ETH_P_NCSI":            EthPNCSI,
		"ETH_P_PRP":             EthPPRP,
		"ETH_P_FCOE":            EthPFCOE,
		"ETH_P_IBOE":            EthPIBOE,
		"ETH_P_TDLS":            EthPTDLS,
		"ETH_P_FIP":             EthPFIP,
		"ETH_P_80221":           EthP80221,
		"ETH_P_HSR":             EthPHSR,
		"ETH_P_NSH":             EthPNSH,
		"ETH_P_LOOPBACK":        EthPLOOPBACK,
		"ETH_P_QINQ1":           EthPQINQ1,
		"ETH_P_QINQ2":           EthPQINQ2,
		"ETH_P_QINQ3":           EthPQINQ3,
		"ETH_P_EDSA":            EthPEDSA,
		"ETH_P_IFE":             EthPIFE,
		"ETH_P_AFIUCV":          EthPAFIUCV,
		"ETH_P_8023_MIN":        EthP8023MIN,
		"ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop,
		"ETH_P_8023":            EthP8023,
		"ETH_P_AX25":            EthPAX25,
		"ETH_P_ALL":             EthPALL,
		"ETH_P_8022":            EthP8022,
		"ETH_P_SNAP":            EthPSNAP,
		"ETH_P_DDCMP":           EthPDDCMP,
		"ETH_P_WANPPP":          EthPWANPPP,
		"ETH_P_PPPMP":           EthPPPPMP,
		"ETH_P_LOCALTALK":       EthPLOCALTALK,
		"ETH_P_CAN":             EthPCAN,
		"ETH_P_CANFD":           EthPCANFD,
		"ETH_P_PPPTALK":         EthPPPPTALK,
		"ETH_P_TR8022":          EthPTR8022,
		"ETH_P_MOBITEX":         EthPMOBITEX,
		"ETH_P_CONTROL":         EthPCONTROL,
		"ETH_P_IRDA":            EthPIRDA,
		"ETH_P_ECONET":          EthPECONET,
		"ETH_P_HDLC":            EthPHDLC,
		"ETH_P_ARCNET":          EthPARCNET,
		"ETH_P_DSA":             EthPDSA,
		"ETH_P_TRAILER":         EthPTRAILER,
		"ETH_P_PHONET":          EthPPHONET,
		"ETH_P_IEEE802154":      EthPIEEE802154,
		"ETH_P_CAIF":            EthPCAIF,
		"ETH_P_XDSA":            EthPXDSA,
		"ETH_P_MAP":             EthPMAP,
	}

	// L4ProtocolConstants is the list of supported L4 protocols
	// generate_constants:L4 protocols,L4 protocols are the supported Layer 4 protocols.
	L4ProtocolConstants = map[string]L4Protocol{
		"IP_PROTO_IP":      IPProtoIP,
		"IP_PROTO_ICMP":    IPProtoICMP,
		"IP_PROTO_IGMP":    IPProtoIGMP,
		"IP_PROTO_IPIP":    IPProtoIPIP,
		"IP_PROTO_TCP":     IPProtoTCP,
		"IP_PROTO_EGP":     IPProtoEGP,
		"IP_PROTO_IGP":     IPProtoIGP,
		"IP_PROTO_PUP":     IPProtoPUP,
		"IP_PROTO_UDP":     IPProtoUDP,
		"IP_PROTO_IDP":     IPProtoIDP,
		"IP_PROTO_TP":      IPProtoTP,
		"IP_PROTO_DCCP":    IPProtoDCCP,
		"IP_PROTO_IPV6":    IPProtoIPV6,
		"IP_PROTO_RSVP":    IPProtoRSVP,
		"IP_PROTO_GRE":     IPProtoGRE,
		"IP_PROTO_ESP":     IPProtoESP,
		"IP_PROTO_AH":      IPProtoAH,
		"IP_PROTO_ICMPV6":  IPProtoICMPV6,
		"IP_PROTO_MTP":     IPProtoMTP,
		"IP_PROTO_BEETPH":  IPProtoBEETPH,
		"IP_PROTO_ENCAP":   IPProtoENCAP,
		"IP_PROTO_PIM":     IPProtoPIM,
		"IP_PROTO_COMP":    IPProtoCOMP,
		"IP_PROTO_SCTP":    IPProtoSCTP,
		"IP_PROTO_UDPLITE": IPProtoUDPLITE,
		"IP_PROTO_MPLS":    IPProtoMPLS,
		"IP_PROTO_RAW":     IPProtoRAW,
	}

	// NetworkProtocolTypeConstants is the list of supported network protocol specific types
	// generate_constants:Network Protocol Types,Types of specific network protocols.
	NetworkProtocolTypeConstants = map[string]NetworkProtocolType{
		"ICMP_ECHO_REQUEST":              ICMPTypeEchoRequest,
		"ICMP_ECHO_REPLY":                ICMPTypeEchoReply,
		"ICMP_ROUTER_SOLICITATION":       ICMPTypeRouterSolicitation,
		"ICMP_ROUTER_ADVERTISEMENT":      ICMPTypeRouterAdvertisement,
		"ICMP_NEIGHBOR_SOLICITATION":     ICMPTypeNeighborSolicitation,
		"ICMP_NEIGHBOR_ADVERTISEMENT":    ICMPTypeNeighborAdvertisement,
		"ICMP_V6_ECHO_REQUEST":           ICMPv6TypeEchoRequest,
		"ICMP_V6_ECHO_REPLY":             ICMPv6TypeEchoReply,
		"ICMP_V6_ROUTER_SOLICITATION":    ICMPv6TypeRouterSolicitation,
		"ICMP_V6_ROUTER_ADVERTISEMENT":   ICMPv6TypeRouterAdvertisement,
		"ICMP_V6_NEIGHBOR_SOLICITATION":  ICMPv6TypeNeighborSolicitation,
		"ICMP_V6_NEIGHBOR_ADVERTISEMENT": ICMPv6TypeNeighborAdvertisement,
	}

	// NetworkDirectionConstants is the list of supported network directions
	// generate_constants:Network directions,Network directions are the supported directions of network packets.
	NetworkDirectionConstants = map[string]NetworkDirection{
		"INGRESS": Ingress,
		"EGRESS":  Egress,
	}

	// ABIConstants defines ABI constants
	// generate_constants:ABI,ABI used for binary compilation.
	ABIConstants = map[string]ABI{
		"BIT32":       Bit32,
		"BIT64":       Bit64,
		"UNKNOWN_ABI": UnknownABI,
	}

	// ArchitectureConstants defines architecture constants
	// generate_constants:Architecture,Architecture of the binary.
	ArchitectureConstants = map[string]Architecture{
		"X86":                  X86,
		"X86_64":               X8664,
		"ARM":                  ARM,
		"ARM64":                ARM64,
		"UNKNOWN_ARCHITECTURE": UnknownArch,
	}

	// CompressionTypeConstants defines compression type constants
	// generate_constants:CompressionType,Compression algorithm.
	CompressionTypeConstants = map[string]CompressionType{
		"NONE":  NoCompression,
		"GZIP":  GZip,
		"ZIP":   Zip,
		"ZSTD":  Zstd,
		"7Z":    SevenZip,
		"BZIP2": BZip2,
		"XZ":    XZ,
	}

	// FileTypeConstants defines file type constants
	// generate_constants:FileType,File types.
	FileTypeConstants = map[string]FileType{
		"EMPTY":              Empty,
		"SHELL_SCRIPT":       ShellScript,
		"TEXT":               Text,
		"COMPRESSED":         Compressed,
		"ENCRYPTED":          Encrypted,
		"BINARY":             Binary,
		"LINUX_EXECUTABLE":   ELFExecutable,
		"WINDOWS_EXECUTABLE": PEExecutable,
		"MACOS_EXECUTABLE":   MachOExecutable,
		"FILE_LESS":          FileLess,
	}

	// LinkageTypeConstants defines linkage type constants
	// generate_constants:LinkageType,Linkage types.
	LinkageTypeConstants = map[string]LinkageType{
		"NONE":    None,
		"STATIC":  Static,
		"DYNAMIC": Dynamic,
	}

	// UserSessionTypes are the supported user session types
	// generate_constants:UserSessionTypes,UserSessionTypes are the supported user session types.
	UserSessionTypes = map[string]usersession.Type{
		"unknown": usersession.UserSessionTypeUnknown,
		"k8s":     usersession.UserSessionTypeK8S,
		"ssh":     usersession.UserSessionTypeSSH,
	}

	// SSHAuthMethodConstants are the supported SSH authentication methods
	// generate_constants:SSHAuthMethod,SSH authentication methods.
	SSHAuthMethodConstants = map[string]usersession.AuthType{
		"password":   usersession.SSHAuthMethodPassword,
		"public_key": usersession.SSHAuthMethodPublicKey,
		"unknown":    usersession.SSHAuthMethodUnknown,
	}
)
View Source 
var (

	// UserSessionTypeStrings are the supported user session types
	UserSessionTypeStrings = map[usersession.Type]string{}
	// SSHAuthMethodStrings are the supported SSH authentication methods
	SSHAuthMethodStrings = map[usersession.AuthType]string{}
)
View Source 
var AllEventFilteringProfileState = []EventFilteringProfileState{NoProfile, ProfileAtMaxSize, UnstableEventType, StableEventType, AutoLearning, WorkloadWarmup}

AllEventFilteringProfileState is the list of all EventFilteringProfileState

View Source 
var SECLLegacyFields = map[eval.Field]eval.Field{

	"async":                "event.async",
	"container.id":         "process.container.id",
	"container.created_at": "process.container.created_at",
	"container.tags":       "process.container.tags",
	"cgroup.id":            "process.cgroup.id",
	"cgroup.version":       "process.cgroup.version",
	"cgroup.file.inode":    "process.cgroup.file.inode",
	"cgroup.file.mount_id": "process.cgroup.file.mount_id",

	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",

	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",
}

SECLLegacyFields contains the list of the legacy attributes we need to support

View Source 
var (

	// SignalConstants list of signals
	SignalConstants = map[string]int{
		"SIGKILL": SIGKILL,
	}
)

Functions

func FilterEnvs 

func FilterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string

FilterEnvs returns an array of environment variable key value pairs matching the desired keys

func GetDefaultLegacyFields added in v0.73.0 

func GetDefaultLegacyFields(field eval.Field) (eval.Field, bool)

GetDefaultLegacyFields returns the field mapped from a legacy field if it exists

func GetDefaultLegacyFieldsKeys added in v0.73.0 

func GetDefaultLegacyFieldsKeys() []eval.Field

GetDefaultLegacyFieldsKeys returns all legacy field keys

func InitSSHAuthMethodConstants added in v0.74.0 

func InitSSHAuthMethodConstants()

InitSSHAuthMethodConstants initialize the constants for SSH auth methods

func InitUserSessionTypes added in v0.74.0 

func InitUserSessionTypes()

InitUserSessionTypes initialize the constants for user session types

func NewEventZeroer added in v0.72.0 

func NewEventZeroer() func(*Event)

NewEventZeroer returns a function that can be used to zero an Event

func SECLConstants 

func SECLConstants() map[string]interface{}

SECLConstants returns the constants supported in runtime security agent rules, initializing these constants during the first call

func SetAncestorFields added in v0.64.0 

func SetAncestorFields(_ *ProcessCacheEntry, _ string, _ interface{}) (bool, error)

SetAncestorFields force the process cache entry to be valid

func SetDefaultLegacyFields added in v0.73.0 

func SetDefaultLegacyFields(legacyFields map[eval.Field]eval.Field)

SetDefaultLegacyFields sets the default legacy field mapping used by the accessors

Types

type ABI added in v0.68.0 

type ABI int

ABI represents the Application Binary Interface type 

const (
	// UnknownABI when ABI is unknown
	UnknownABI ABI = iota
	// Bit32 represents 32 bits ABI
	Bit32
	// Bit64 represents 64 bits ABI
	Bit64
)

func (ABI) String added in v0.68.0 

func (a ABI) String() string

type AWSIMDSEvent added in v0.55.0 

type AWSIMDSEvent struct {
	IsIMDSv2            bool                   `field:"is_imds_v2"`           // SECLDoc[is_imds_v2] Definition:`a boolean which specifies if the IMDS event follows IMDSv1 or IMDSv2 conventions`
	SecurityCredentials AWSSecurityCredentials `field:"security_credentials"` // SECLDoc[credentials] Definition:`the security credentials in the IMDS answer`
}

AWSIMDSEvent holds data from an AWS IMDS event

type AWSSecurityCredentials added in v0.55.0 

type AWSSecurityCredentials struct {
	Code        string    `field:"-" json:"Code"`
	Type        string    `field:"type" json:"Type"` // SECLDoc[type] Definition:`the security credentials type`
	AccessKeyID string    `field:"-" json:"AccessKeyId"`
	LastUpdated string    `field:"-" json:"LastUpdated"`
	Expiration  time.Time `field:"-"`

	ExpirationRaw string `field:"-" json:"Expiration"`
}

AWSSecurityCredentials is used to parse the fields that are none to be free of credentials or secrets

type ActionReport 

type ActionReport interface {
	ToJSON() ([]byte, error)
	IsMatchingRule(ruleID eval.RuleID) bool
	IsResolved() error
}

ActionReport defines an action report

type AddressFamily 

type AddressFamily int

AddressFamily represents a family address (AF_INET, AF_INET6, AF_UNIX etc)

func (AddressFamily) String 

func (af AddressFamily) String() string

type Architecture added in v0.68.0 

type Architecture int

Architecture represents the CPU architecture 

const (
	// UnknownArch when arch is unknown
	UnknownArch Architecture = iota
	// X86 arch
	X86
	// X8664 represents X86_64 arch, but with a "nicer" naming to pass CI linters
	X8664
	// ARM arch
	ARM
	// ARM64 arch
	ARM64
)

func (Architecture) String added in v0.68.0 

func (a Architecture) String() string

type ArgsEntry 

type ArgsEntry struct {
	sync.Mutex

	Values           []string
	Truncated        bool
	ScrubbedResolved bool
}

ArgsEntry defines a args cache entry

func (*ArgsEntry) Equals 

func (p *ArgsEntry) Equals(o *ArgsEntry) bool

Equals compares two ArgsEntry

type ArgsEnvs 

type ArgsEnvs struct {
	ID        uint64
	Size      uint32
	ValuesRaw [sharedconsts.MaxArgEnvSize]byte
}

ArgsEnvs raw value for args and envs

type BaseEvent 

type BaseEvent struct {
	ID            string         `field:"-"`
	Type          uint32         `field:"-"`
	Flags         uint32         `field:"-"`
	TimestampRaw  uint64         `field:"event.timestamp,handler:ResolveEventTimestamp"` // SECLDoc[event.timestamp] Definition:`Timestamp of the event`
	Timestamp     time.Time      `field:"timestamp,opts:getters_only|gen_getters,handler:ResolveEventTime"`
	Rules         []*MatchedRule `field:"-"`
	RuleContext   RuleContext    `field:"-"`
	ActionReports []ActionReport `field:"-"`
	Os            string         `field:"event.os"`                                                      // SECLDoc[event.os] Definition:`Operating system of the event`
	Origin        string         `field:"event.origin"`                                                  // SECLDoc[event.origin] Definition:`Origin of the event`
	Service       string         `field:"event.service,handler:ResolveService,opts:skip_ad|gen_getters"` // SECLDoc[event.service] Definition:`Service associated with the event`
	Hostname      string         `field:"event.hostname,handler:ResolveHostname"`                        // SECLDoc[event.hostname] Definition:`Hostname associated with the event`
	RuleTags      []string       `field:"event.rule.tags"`                                               // SECLDoc[event.rule.tags] Definition:`Tags associated with the rule that's used to evaluate the event`
	Source        string         `field:"event.source,handler:ResolveSource"`                            // SECLDoc[event.source] Definition:`[Experimental] Source of the event. Can be either 'runtime' or 'snapshot'.`

	// context shared with all event types
	ProcessContext         *ProcessContext        `field:"process"`
	SecurityProfileContext SecurityProfileContext `field:"-"`

	// internal usage
	PIDContext        PIDContext         `field:"-"`
	ProcessCacheEntry *ProcessCacheEntry `field:"-"`

	// mark event with having error
	Error error `field:"-"`

	// field resolution
	FieldHandlers FieldHandlers `field:"-"`
}

BaseEvent represents an event sent from the kernel

type BaseExtraFieldHandlers 

type BaseExtraFieldHandlers interface {
	ResolveProcessCacheEntry(ev *Event, newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)
	ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry
	ResolveContainerContext(ev *Event) (*ContainerContext, bool)
}

BaseExtraFieldHandlers handlers not hold by any field

type ChangePermissionEvent added in v0.55.0 

type ChangePermissionEvent struct {
	UserName   string `field:"username"`                                    // SECLDoc[username] Definition:`Username of the permission change author`
	UserDomain string `field:"user_domain"`                                 // SECLDoc[user_domain] Definition:`Domain name of the permission change author`
	ObjectName string `field:"path"`                                        // SECLDoc[path] Definition:`Name of the object of which permission was changed`
	ObjectType string `field:"type"`                                        // SECLDoc[type] Definition:`Type of the object of which permission was changed`
	OldSd      string `field:"old_sd,handler:ResolveOldSecurityDescriptor"` // SECLDoc[old_sd] Definition:`Original Security Descriptor of the object of which permission was changed`
	NewSd      string `field:"new_sd,handler:ResolveNewSecurityDescriptor"` // SECLDoc[new_sd] Definition:`New Security Descriptor of the object of which permission was changed`
}

ChangePermissionEvent defines object permission change

type CompressionType added in v0.68.0 

type CompressionType int

CompressionType represents the type of compression used 

const (
	// NoCompression When there is no compression
	NoCompression CompressionType = iota
	// GZip compression
	GZip
	// Zip compression
	Zip
	// Zstd compression
	Zstd
	// SevenZip compression
	SevenZip
	// BZip2 compression
	BZip2
	// XZ compression
	XZ
)

func (CompressionType) String added in v0.68.0 

func (ct CompressionType) String() string

type ContainerContext 

type ContainerContext struct {
	Releasable
	ContainerID containerutils.ContainerID `field:"id,handler:ResolveContainerID,opts:gen_getters"`                // SECLDoc[id] Definition:`ID of the container`
	CreatedAt   uint64                     `field:"created_at,handler:ResolveContainerCreatedAt,opts:gen_getters"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the container“
	Tags        []string                   `field:"tags,handler:ResolveContainerTags,opts:skip_ad,weight:9999"`    // SECLDoc[tags] Definition:`Tags of the container`
	Resolved    bool                       `field:"-"`
}

ContainerContext holds the container context of an event

func (*ContainerContext) Hash added in v0.65.0 

func (c *ContainerContext) Hash() string

Hash returns a unique key for the entity

func (*ContainerContext) ParentScope added in v0.68.0 

func (c *ContainerContext) ParentScope() (eval.VariableScope, bool)

ParentScope returns the parent entity scope

type CreateNewFileEvent 

type CreateNewFileEvent struct {
	File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}

CreateNewFileEvent defines file creation

type CreateRegistryKeyEvent 

type CreateRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}

CreateRegistryKeyEvent defines registry key creation

type DNSEvent 

type DNSEvent struct {
	ID       uint16       `field:"id"` // SECLDoc[id] Definition:`[Experimental] the DNS request ID`
	Question DNSQuestion  `field:"question"`
	Response *DNSResponse `field:"response,check:HasResponse"`
}

DNSEvent represents a DNS request event

func (*DNSEvent) HasResponse added in v0.67.0 

func (de *DNSEvent) HasResponse() bool

HasResponse returns whether the DNS event has a response

func (*DNSEvent) Matches added in v0.54.0 

func (de *DNSEvent) Matches(new *DNSEvent) bool

Matches returns true if the two DNS events matches

type DNSQuestion added in v0.67.0 

type DNSQuestion struct {
	Name  string `field:"name,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`the queried domain name`
	Type  uint16 `field:"type"`                                                   // SECLDoc[type] Definition:`a two octet code which specifies the DNS question type` Constants:`DNS qtypes`
	Class uint16 `field:"class"`                                                  // SECLDoc[class] Definition:`the class looked up by the DNS question` Constants:`DNS qclasses`
	Size  uint16 `field:"length"`                                                 // SECLDoc[length] Definition:`the total DNS request size in bytes`
	Count uint16 `field:"count"`                                                  // SECLDoc[count] Definition:`the total count of questions in the DNS request`
}

DNSQuestion represents the dns question

type DNSResponse added in v0.67.0 

type DNSResponse struct {
	ResponseCode uint8 `field:"code"` // SECLDoc[code] Definition:`Response code of the DNS response according to RFC 1035` Constants:`DNS Responses`
}

DNSResponse represents a DNS response event

type DeleteFileEvent added in v0.54.0 

type DeleteFileEvent struct {
	File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}

DeleteFileEvent represents an unlink event

type DeleteRegistryKeyEvent 

type DeleteRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}

DeleteRegistryKeyEvent defines registry key deletion

type EnvsEntry 

type EnvsEntry struct {
	Values    []string
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines a args cache entry

func (*EnvsEntry) Equals 

func (p *EnvsEntry) Equals(o *EnvsEntry) bool

Equals compares two EnvsEntry

func (*EnvsEntry) FilterEnvs 

func (p *EnvsEntry) FilterEnvs(envsWithValue map[string]bool) ([]string, bool)

FilterEnvs returns an array of envs, only the name of each variable is returned unless the variable name is part of the provided filter

func (*EnvsEntry) Get 

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

type Event 

type Event struct {
	BaseEvent

	// process events
	Exec ExecEvent `field:"exec" event:"exec"` // [7.27] [Process] A process was executed or forked
	Exit ExitEvent `field:"exit" event:"exit"` // [7.38] [Process] A process was terminated

	// FIM
	CreateNewFile CreateNewFileEvent `field:"create" event:"create"` // [7.52] [File] A file was created
	RenameFile    RenameFileEvent    `field:"rename" event:"rename"` // [7.54] [File] A file was renamed
	DeleteFile    DeleteFileEvent    `field:"delete" event:"delete"` // [7.54] [File] A file was deleted
	WriteFile     WriteFileEvent     `field:"write" event:"write"`   // [7.54] [File] A file was written

	// Registries
	CreateRegistryKey   CreateRegistryKeyEvent   `field:"create_key;create" event:"create_key" `   // [7.52] [Registry] A registry key was created
	OpenRegistryKey     OpenRegistryKeyEvent     `field:"open_key;open" event:"open_key"`          // [7.52] [Registry] A registry key was opened
	SetRegistryKeyValue SetRegistryKeyValueEvent `field:"set_key_value;set" event:"set_key_value"` // [7.52] [Registry] A registry key value was set
	DeleteRegistryKey   DeleteRegistryKeyEvent   `field:"delete_key;delete" event:"delete_key"`    // [7.52] [Registry] A registry key was deleted

	ChangePermission ChangePermissionEvent `field:"change_permission" event:"change_permission" ` // [7.55] [Registry] A permission change was made
}

Event represents an event sent from the kernel genaccessors gengetter: GetEventService gengetter: GetExecFilePath gengetter: GetExitCode gengetter: GetProcessEnvp gengetter: GetProcessExecTime gengetter: GetProcessExitTime gengetter: GetProcessPid gengetter: GetProcessPpid gengetter: GetTimestamp

func NewFakeEvent 

func NewFakeEvent() *Event

NewFakeEvent returns a new event using the default field handlers

func (*Event) AddToFlags 

func (e *Event) AddToFlags(flag uint32)

AddToFlags adds a flag to the event

func (*Event) GetActionReports 

func (e *Event) GetActionReports() []ActionReport

GetActionReports returns the triggred action reports

func (*Event) GetContainerID added in v0.73.0 

func (e *Event) GetContainerID() string

GetContainerID returns event's process container ID if any

func (*Event) GetEventType 

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetFieldMetadata added in v0.63.0 

func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kind, string, bool, error)

func (*Event) GetFieldValue 

func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error)

GetFieldValue retrieves the value of a field from the event using the evaluator.

func (*Event) GetFields 

func (ev *Event) GetFields() []eval.Field

func (*Event) GetProcessTracerTags added in v0.73.0 

func (e *Event) GetProcessTracerTags() []string

GetProcessTracerTags returns the value of the field, resolving if necessary

func (*Event) GetTags 

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetType 

func (e *Event) GetType() string

GetType returns the event type

func (*Event) GetWorkloadID 

func (e *Event) GetWorkloadID() string

GetWorkloadID returns an ID that represents the workload

func (*Event) HasActiveActivityDump 

func (e *Event) HasActiveActivityDump() bool

HasActiveActivityDump returns true if the event has an active activity dump associated to it

func (*Event) Init 

func (e *Event) Init()

Init initialize the event

func (*Event) IsActivityDumpSample 

func (e *Event) IsActivityDumpSample() bool

IsActivityDumpSample return whether AD sample

func (*Event) IsAnomalyDetectionEvent 

func (e *Event) IsAnomalyDetectionEvent() bool

IsAnomalyDetectionEvent returns true if the current event is an anomaly detection event (kernel or user space)

func (*Event) IsEventFromReplay added in v0.74.0 

func (e *Event) IsEventFromReplay() bool

IsEventFromReplay returns true if the event is generated from a replay

func (*Event) IsInProfile 

func (e *Event) IsInProfile() bool

IsInProfile return true if the event was found in the profile

func (*Event) IsSavedByActivityDumps 

func (e *Event) IsSavedByActivityDumps() bool

IsSavedByActivityDumps return whether saved by AD

func (*Event) RemoveFromFlags 

func (e *Event) RemoveFromFlags(flag uint32)

RemoveFromFlags remove a flag to the event

func (*Event) ResetAnomalyDetectionEvent added in v0.61.0 

func (e *Event) ResetAnomalyDetectionEvent()

ResetAnomalyDetectionEvent removes the anomaly detection event flag

func (*Event) ResolveEventTime 

func (e *Event) ResolveEventTime() time.Time

ResolveEventTime uses the field handler

func (*Event) ResolveFields 

func (ev *Event) ResolveFields()

ResolveFields resolves all the fields associate to the event type. Context fields are automatically resolved.

func (*Event) ResolveFieldsForAD 

func (ev *Event) ResolveFieldsForAD()

ResolveFieldsForAD resolves all the fields associate to the event type. Context fields are automatically resolved.

func (*Event) ResolveProcessCacheEntry 

func (e *Event) ResolveProcessCacheEntry(newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry uses the field handler

func (*Event) ResolveService 

func (e *Event) ResolveService() string

ResolveService uses the field handler

func (*Event) SetFieldValue 

func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error

type EventFilteringProfileState added in v0.55.0 

type EventFilteringProfileState uint8

EventFilteringProfileState is used to compute metrics for the event filtering feature 

const (
	// NoProfile is used to count the events for which we didn't have a profile
	NoProfile EventFilteringProfileState = iota
	// ProfileAtMaxSize is used to count the events that didn't make it into a profile because their matching profile
	// reached the max size threshold
	ProfileAtMaxSize
	// UnstableEventType is used to count the events that didn't make it into a profile because their matching profile was
	// unstable for their event type
	UnstableEventType
	// StableEventType is used to count the events linked to a stable profile for their event type
	StableEventType
	// AutoLearning is used to count the event during the auto learning phase
	AutoLearning
	// WorkloadWarmup is used to count the learned events due to workload warm up time
	WorkloadWarmup
)

func (EventFilteringProfileState) String added in v0.55.0 

func (efr EventFilteringProfileState) String() string

String returns the string representation of the EventFilteringProfileState

func (EventFilteringProfileState) ToTag added in v0.55.0 

func (efr EventFilteringProfileState) ToTag() string

ToTag returns the tag representation of the EventFilteringProfileState

type EventSource added in v0.74.0 

type EventSource = string

EventSource is the source of the event 

const (
	// EventSourceRuntime is used to report that the event is generated from a runtime
	EventSourceRuntime EventSource = "runtime"
	// EventSourceReplay is used to report that the event is generated from a replay
	EventSourceReplay EventSource = "replay"
)

type EventType 

type EventType uint32

EventType describes the type of an event sent from the kernel 

const (
	// UnknownEventType unknown event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileChdirEventType chdir event
	FileChdirEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event (DEPRECATED)
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// BPFEventType bpf event
	BPFEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// LoadModuleEventType LoadModule event
	LoadModuleEventType
	// UnloadModuleEventType UnloadModule evnt
	UnloadModuleEventType
	// SignalEventType Signal event
	SignalEventType
	// SpliceEventType Splice event
	SpliceEventType
	// CgroupTracingEventType is sent when a new cgroup is being traced
	CgroupTracingEventType
	// DNSEventType DNS event
	DNSEventType
	// ShortDNSResponseEventType DNS Response event
	ShortDNSResponseEventType
	// FullDNSResponseEventType DNS Response event
	FullDNSResponseEventType
	// NetDeviceEventType is sent for events on net devices
	NetDeviceEventType
	// VethPairEventType is sent when a new veth pair is created
	VethPairEventType
	// VethPairNsEventType is sent when a veth pair is moved to a new network namespace
	VethPairNsEventType
	// AcceptEventType Accept event
	AcceptEventType
	// BindEventType Bind event
	BindEventType
	// ConnectEventType Connect event
	ConnectEventType
	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
	UnshareMountNsEventType
	// SyscallsEventType Syscalls event
	SyscallsEventType
	// IMDSEventType is sent when an IMDS request or answer is captured
	IMDSEventType
	// OnDemandEventType is sent for on-demand events
	OnDemandEventType
	// LoginUIDWriteEventType is sent for login_uid write events
	LoginUIDWriteEventType
	// CgroupWriteEventType is sent when a new cgroup was created
	CgroupWriteEventType
	// RawPacketFilterEventType raw packet filter event
	RawPacketFilterEventType
	// NetworkFlowMonitorEventType is sent to monitor network activity
	NetworkFlowMonitorEventType
	// PrCtlEventType is sent when a prctl event is captured
	PrCtlEventType
	// StatEventType stat event (used kernel side only)
	StatEventType
	// SysCtlEventType sysctl event
	SysCtlEventType
	// SetrlimitEventType setrlimit event
	SetrlimitEventType
	// SetSockOptEventType is sent when a socket option is set
	SetSockOptEventType
	// FileFsmountEventType Mount event
	FileFsmountEventType
	// FileOpenTreeEventType Open Tree event
	FileOpenTreeEventType
	// RawPacketActionEventType raw packet action event
	RawPacketActionEventType
	// CapabilitiesEventType is used to track capabilities usage
	CapabilitiesEventType
	// FileMoveMountEventType Move Mount even
	FileMoveMountEventType
	// FailedDNSEventType Failed DNS
	FailedDNSEventType
	// TracerMemfdCreateEventType memfd_create event (used kernel side only)
	TracerMemfdCreateEventType
	// TracerMemfdSealEventType Tracer memfd seal event
	TracerMemfdSealEventType
	// MaxKernelEventType is used internally to get the maximum number of kernel events.
	MaxKernelEventType

	// FirstEventType is the first valid event type
	FirstEventType = FileOpenEventType

	// LastEventType is the last valid event type
	LastEventType = SyscallsEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileChdirEventType

	// LastApproverEventType is the last event that accepts approvers
	LastApproverEventType = SpliceEventType

	// CustomEventType represents a custom event type
	CustomEventType EventType = iota

	// CreateNewFileEventType event
	CreateNewFileEventType EventType = iota
	// DeleteFileEventType event
	DeleteFileEventType
	// WriteFileEventType event
	WriteFileEventType
	// CreateRegistryKeyEventType event
	CreateRegistryKeyEventType
	// OpenRegistryKeyEventType event
	OpenRegistryKeyEventType
	// SetRegistryKeyValueEventType event
	SetRegistryKeyValueEventType
	// DeleteRegistryKeyEventType event
	DeleteRegistryKeyEventType
	// ChangePermissionEventType event
	ChangePermissionEventType

	// FirstWindowsEventType is the first Windows event type
	FirstWindowsEventType = CreateNewFileEventType
	// LastWindowsEventType is the last Windows event type
	LastWindowsEventType = ChangePermissionEventType

	// MaxAllEventType is used internally to get the maximum number of events.
	MaxAllEventType
)

func ParseEvalEventType added in v0.70.0 

func ParseEvalEventType(eventType eval.EventType) (EventType, error)

ParseEvalEventType convert a eval.EventType (string) to its uint64 representation the current algorithm is not efficient but allows us to reduce the number of conversion functions

func (EventType) String 

func (t EventType) String() string

type ExecEvent 

type ExecEvent struct {
	*Process
}

ExecEvent represents a exec event

type ExitEvent 

type ExitEvent struct {
	*Process
	Cause uint32 `field:"cause"`                 // SECLDoc[cause] Definition:`Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)`
	Code  uint32 `field:"code,opts:gen_getters"` // SECLDoc[code] Definition:`Exit code of the process or number of the signal that caused the process to terminate`
}

ExitEvent represents a process exit event

type ExtraFieldHandlers 

type ExtraFieldHandlers interface {
	BaseExtraFieldHandlers
}

ExtraFieldHandlers handlers not hold by any field

type FailedDNSEvent added in v0.73.0 

type FailedDNSEvent struct {
	Payload []byte `field:"-"`
}

FailedDNSEvent represents a DNS packet that was failed to be decoded (inbound or outbound)

type FakeFieldHandlers 

type FakeFieldHandlers struct{}

func (*FakeFieldHandlers) ResolveContainerContext 

func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool)

ResolveContainerContext stub implementation

func (*FakeFieldHandlers) ResolveContainerCreatedAt 

func (dfh *FakeFieldHandlers) ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int

func (*FakeFieldHandlers) ResolveContainerID 

func (dfh *FakeFieldHandlers) ResolveContainerID(ev *Event, e *ContainerContext) string

func (*FakeFieldHandlers) ResolveContainerTags 

func (dfh *FakeFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string

func (*FakeFieldHandlers) ResolveEventTime 

func (dfh *FakeFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time

func (*FakeFieldHandlers) ResolveEventTimestamp 

func (dfh *FakeFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int

func (*FakeFieldHandlers) ResolveFileBasename 

func (dfh *FakeFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveFileExtension added in v0.70.0 

func (dfh *FakeFieldHandlers) ResolveFileExtension(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveFilePath 

func (dfh *FakeFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveFileUserPath added in v0.55.0 

func (dfh *FakeFieldHandlers) ResolveFileUserPath(ev *Event, e *FimFileEvent) string

func (*FakeFieldHandlers) ResolveFimFileBasename added in v0.54.0 

func (dfh *FakeFieldHandlers) ResolveFimFileBasename(ev *Event, e *FimFileEvent) string

func (*FakeFieldHandlers) ResolveFimFileExtension added in v0.70.0 

func (dfh *FakeFieldHandlers) ResolveFimFileExtension(ev *Event, e *FimFileEvent) string

func (*FakeFieldHandlers) ResolveFimFilePath added in v0.54.0 

func (dfh *FakeFieldHandlers) ResolveFimFilePath(ev *Event, e *FimFileEvent) string

func (*FakeFieldHandlers) ResolveHostname added in v0.56.0 

func (dfh *FakeFieldHandlers) ResolveHostname(ev *Event, e *BaseEvent) string

func (*FakeFieldHandlers) ResolveNewSecurityDescriptor added in v0.55.0 

func (dfh *FakeFieldHandlers) ResolveNewSecurityDescriptor(ev *Event, e *ChangePermissionEvent) string

func (*FakeFieldHandlers) ResolveOldSecurityDescriptor added in v0.55.0 

func (dfh *FakeFieldHandlers) ResolveOldSecurityDescriptor(ev *Event, e *ChangePermissionEvent) string

func (*FakeFieldHandlers) ResolveProcessCacheEntry 

func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(ev *Event, _ func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry stub implementation

func (*FakeFieldHandlers) ResolveProcessCacheEntryFromPID added in v0.68.0 

func (fh *FakeFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry

ResolveProcessCacheEntryFromPID stub implementation

func (*FakeFieldHandlers) ResolveProcessCmdLine 

func (dfh *FakeFieldHandlers) ResolveProcessCmdLine(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessCmdLineScrubbed 

func (dfh *FakeFieldHandlers) ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessCreatedAt 

func (dfh *FakeFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int

func (*FakeFieldHandlers) ResolveProcessEnvp 

func (dfh *FakeFieldHandlers) ResolveProcessEnvp(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessEnvs 

func (dfh *FakeFieldHandlers) ResolveProcessEnvs(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveService 

func (dfh *FakeFieldHandlers) ResolveService(ev *Event, e *BaseEvent) string

func (*FakeFieldHandlers) ResolveSource added in v0.71.0 

func (dfh *FakeFieldHandlers) ResolveSource(ev *Event, e *BaseEvent) string

func (*FakeFieldHandlers) ResolveUser 

func (dfh *FakeFieldHandlers) ResolveUser(ev *Event, e *Process) string

type FieldHandlers 

type FieldHandlers interface {
	ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
	ResolveContainerID(ev *Event, e *ContainerContext) string
	ResolveContainerTags(ev *Event, e *ContainerContext) []string
	ResolveEventTime(ev *Event, e *BaseEvent) time.Time
	ResolveEventTimestamp(ev *Event, e *BaseEvent) int
	ResolveFileBasename(ev *Event, e *FileEvent) string
	ResolveFileExtension(ev *Event, e *FileEvent) string
	ResolveFilePath(ev *Event, e *FileEvent) string
	ResolveFileUserPath(ev *Event, e *FimFileEvent) string
	ResolveFimFileBasename(ev *Event, e *FimFileEvent) string
	ResolveFimFileExtension(ev *Event, e *FimFileEvent) string
	ResolveFimFilePath(ev *Event, e *FimFileEvent) string
	ResolveHostname(ev *Event, e *BaseEvent) string
	ResolveNewSecurityDescriptor(ev *Event, e *ChangePermissionEvent) string
	ResolveOldSecurityDescriptor(ev *Event, e *ChangePermissionEvent) string
	ResolveProcessCmdLine(ev *Event, e *Process) string
	ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string
	ResolveProcessCreatedAt(ev *Event, e *Process) int
	ResolveProcessEnvp(ev *Event, e *Process) []string
	ResolveProcessEnvs(ev *Event, e *Process) []string
	ResolveService(ev *Event, e *BaseEvent) string
	ResolveSource(ev *Event, e *BaseEvent) string
	ResolveUser(ev *Event, e *Process) string
	// custom handlers not tied to any fields
	ExtraFieldHandlers
}

type FileEvent 

type FileEvent struct {
	FileObject  uint64 `field:"-"`                                                                                      // handle numeric value
	PathnameStr string `field:"path,handler:ResolveFilePath,opts:length|gen_getters" op_override:"eval.WindowsPathCmp"` // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "c:\cmd.bat"` Description:`Matches the execution of the file located at c:\cmd.bat`
	BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"`     // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "cmd.bat"` Description:`Matches the execution of any file named cmd.bat.`
	Extension   string `field:"extension,handler:ResolveFileExtension" op_override:"eval.CaseInsensitiveCmp"`           // SECLDoc[extension] Definition:`File's extension`
}

FileEvent is the common file event type

type FileMetadata added in v0.68.0 

type FileMetadata struct {
	Size               int64 `field:"size,handler:ResolveFileMetadataSize,opts:skip_ad,weight:999"`                               // SECLDoc[size] Definition:`[Experimental] Size of the file`
	Type               int   `field:"type,handler:ResolveFileMetadataType,opts:skip_ad,weight:999"`                               // SECLDoc[type] Definition:`[Experimental] Type of the file` Constants:`FileType`
	IsExecutable       bool  `field:"is_executable,handler:ResolveFileMetadataIsExecutable,opts:skip_ad,weight:999"`              // SECLDoc[is_executable] Definition:`[Experimental] Tells if the file is executable or not`
	Architecture       int   `field:"architecture,handler:ResolveFileMetadataArchitecture,opts:skip_ad,weight:999"`               // SECLDoc[architecture] Definition:`[Experimental] Architecture of the file (only for executable files)` Constants:`Architecture`
	ABI                int   `field:"abi,handler:ResolveFileMetadataABI,opts:skip_ad,weight:999"`                                 // SECLDoc[abi] Definition:`[Experimental] ABI of the file (only for executable files)` Constants:`ABI`
	IsUPXPacked        bool  `field:"is_upx_packed,handler:ResolveFileMetadataIsUPXPacked,opts:skip_ad,weight:999"`               // SECLDoc[is_upx_packed] Definition:`[Experimental] Tells if the binary has been packed using UPX`
	Compression        int   `field:"compression,handler:ResolveFileMetadataCompression,opts:skip_ad,weight:999"`                 // SECLDoc[compression] Definition:`[Experimental] Compression type of the file (only for compressed files)` Constants:`CompressionType`
	IsGarbleObfuscated bool  `field:"is_garble_obfuscated,handler:ResolveFileMetadataIsGarbleObfuscated,opts:skip_ad,weight:999"` // SECLDoc[is_garble_obfuscated] Definition:`[Experimental] Tells if the binary has been obfuscated using garble`
	Linkage            int   `field:"-"`
	Resolved           bool  `field:"-"`
}

FileMetadata represents file metadata

type FileType added in v0.68.0 

type FileType int

FileType represents the type of the analyzed file 

const (
	// Empty file
	Empty FileType = iota
	// ShellScript file
	ShellScript
	// Text file
	Text
	// Compressed file
	Compressed
	// Encrypted file
	Encrypted
	// Binary file
	Binary
	// ELFExecutable file
	ELFExecutable
	// PEExecutable file
	PEExecutable
	// MachOExecutable file
	MachOExecutable
	// FileLess file
	FileLess
)

func (FileType) String added in v0.68.0 

func (ft FileType) String() string

type FimFileEvent added in v0.54.0 

type FimFileEvent struct {
	FileObject      uint64 `field:"-"`                                                                                     // handle numeric value
	PathnameStr     string `field:"device_path,handler:ResolveFimFilePath,opts:length" op_override:"eval.WindowsPathCmp"`  // SECLDoc[device_path] Definition:`File's path` Example:`create.file.device_path == "\device\harddisk1\cmd.bat"` Description:`Matches the creation of the file located at c:\cmd.bat`
	UserPathnameStr string `field:"path,handler:ResolveFileUserPath,opts:length" op_override:"eval.WindowsPathCmp"`        // SECLDoc[path] Definition:`File's path` Example:`create.file.path == "c:\cmd.bat"` Description:`Matches the creation of the file located at c:\cmd.bat`
	BasenameStr     string `field:"name,handler:ResolveFimFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`File's basename` Example:`create.file.name == "cmd.bat"` Description:`Matches the creation of any file named cmd.bat.`
	Extension       string `field:"extension,handler:ResolveFimFileExtension" op_override:"eval.CaseInsensitiveCmp"`       // SECLDoc[extension] Definition:`File's extension`
}

FimFileEvent is the common file event type

type HashAlgorithm 

type HashAlgorithm int

HashAlgorithm is used to configure the hash algorithms of the hash resolver 

const (
	// SHA1 is used to identify a SHA1 hash
	SHA1 HashAlgorithm = iota
	// SHA256 is used to identify a SHA256 hash
	SHA256
	// MD5 is used to identify a MD5 hash
	MD5
	// SSDEEP is used to identify a SSDEEP hash
	SSDEEP
	// MaxHashAlgorithm is used for initializations
	MaxHashAlgorithm
)

func (HashAlgorithm) String 

func (ha HashAlgorithm) String() string

type HashState 

type HashState int

HashState is used to prevent the hash resolver from retrying to hash a file 

const (
	// NoHash means that computing a hash hasn't been attempted
	NoHash HashState = iota
	// Done means that the hashes were already computed
	Done
	// FileNotFound means that the underlying file is not longer available to compute the hash
	FileNotFound
	// PathnameResolutionError means that the underlying file wasn't properly resolved
	PathnameResolutionError
	// FileTooBig means that the underlying file is larger than the hash resolver file size limit
	FileTooBig
	// FileEmpty means that the underlying file is empty
	FileEmpty
	// FileOpenError is a generic hash state to say that we couldn't open the file
	FileOpenError
	// EventTypeNotConfigured means that the event type prevents a hash from being computed
	EventTypeNotConfigured
	// HashWasRateLimited means that the hash will be tried again later, it was rate limited
	HashWasRateLimited
	// HashFailed means that the hashing failed
	HashFailed
	// MaxHashState is used for initializations
	MaxHashState
)

type IMDSEvent added in v0.55.0 

type IMDSEvent struct {
	Type          string `field:"type"`           // SECLDoc[type] Definition:`the type of IMDS event`
	CloudProvider string `field:"cloud_provider"` // SECLDoc[cloud_provider] Definition:`the intended cloud provider of the IMDS event`
	URL           string `field:"url"`            // SECLDoc[url] Definition:`the queried IMDS URL`
	Host          string `field:"host"`           // SECLDoc[host] Definition:`the host of the HTTP protocol`
	UserAgent     string `field:"user_agent"`     // SECLDoc[user_agent] Definition:`the user agent of the HTTP client`
	Server        string `field:"server"`         // SECLDoc[server] Definition:`the server header of a response`

	// The fields below are optional and cloud specific fields
	AWS AWSIMDSEvent `field:"aws"` // SECLDoc[aws] Definition:`the AWS specific data parsed from the IMDS event`
}

IMDSEvent represents an IMDS event

type IPPortContext 

type IPPortContext struct {
	IPNet            net.IPNet `field:"ip"`                                               // SECLDoc[ip] Definition:`IP address`
	Port             uint16    `field:"port"`                                             // SECLDoc[port] Definition:`Port number`
	IsPublic         bool      `field:"is_public,handler:ResolveIsIPPublic,opts:skip_ad"` // SECLDoc[is_public] Definition:`Whether the IP address belongs to a public network`
	IsPublicResolved bool      `field:"-"`
}

IPPortContext is used to hold an IP and Port

func (*IPPortContext) GetComparable added in v0.63.0 

func (ipc *IPPortContext) GetComparable() netip.AddrPort

GetComparable returns a comparable version of IPPortContext

type Iterator added in v0.64.0 

type Iterator[T any] interface {
	Front(ctx *eval.Context) T
	Next(ctx *eval.Context) T
	At(ctx *eval.Context, regID eval.RegisterID, pos int) T
	Len(ctx *eval.Context) int
}

Iterator is a generic interface that iterators must implement

type K8SSessionContext added in v0.74.0 

type K8SSessionContext struct {
	K8SSessionID uint64              `field:"k8s_session_id" json:"k8s_session_id,omitempty"`                    // SECLDoc[k8s_session_id] Definition:`Unique identifier of the kubernetes session`
	K8SUsername  string              `field:"k8s_username,handler:ResolveK8SUsername" json:"username,omitempty"` // SECLDoc[k8s_username] Definition:`Kubernetes username of the user that executed the process`
	K8SUID       string              `field:"k8s_uid,handler:ResolveK8SUID" json:"uid,omitempty"`                // SECLDoc[k8s_uid] Definition:`Kubernetes UID of the user that executed the process`
	K8SGroups    []string            `field:"k8s_groups,handler:ResolveK8SGroups" json:"groups,omitempty"`       // SECLDoc[k8s_groups] Definition:`Kubernetes groups of the user that executed the process`
	K8SExtra     map[string][]string `json:"extra,omitempty"`
	K8SResolved  bool                `field:"-"`
}

K8SSessionContext describes the kubernetes session context Disclaimer: the `json` tags are used to parse K8s credentials from cws-instrumentation

type L3Protocol 

type L3Protocol uint16

L3Protocol Network protocols 

const (
	// EthPLOOP Ethernet Loopback packet
	EthPLOOP L3Protocol = 0x0060
	// EthPPUP Xerox PUP packet
	EthPPUP L3Protocol = 0x0200
	// EthPPUPAT Xerox PUP Addr Trans packet
	EthPPUPAT L3Protocol = 0x0201
	// EthPTSN TSN (IEEE 1722) packet
	EthPTSN L3Protocol = 0x22F0
	// EthPIP Internet Protocol packet
	EthPIP L3Protocol = 0x0800
	// EthPX25 CCITT X.25
	EthPX25 L3Protocol = 0x0805
	// EthPARP Address Resolution packet
	EthPARP L3Protocol = 0x0806
	// EthPBPQ G8BPQ AX.25 Ethernet Packet    [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBPQ L3Protocol = 0x08FF
	// EthPIEEEPUP Xerox IEEE802.3 PUP packet
	EthPIEEEPUP L3Protocol = 0x0a00
	// EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet
	EthPIEEEPUPAT L3Protocol = 0x0a01
	// EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBATMAN L3Protocol = 0x4305
	// EthPDEC DEC Assigned proto
	EthPDEC L3Protocol = 0x6000
	// EthPDNADL DEC DNA Dump/Load
	EthPDNADL L3Protocol = 0x6001
	// EthPDNARC DEC DNA Remote Console
	EthPDNARC L3Protocol = 0x6002
	// EthPDNART DEC DNA Routing
	EthPDNART L3Protocol = 0x6003
	// EthPLAT DEC LAT
	EthPLAT L3Protocol = 0x6004
	// EthPDIAG DEC Diagnostics
	EthPDIAG L3Protocol = 0x6005
	// EthPCUST DEC Customer use
	EthPCUST L3Protocol = 0x6006
	// EthPSCA DEC Systems Comms Arch
	EthPSCA L3Protocol = 0x6007
	// EthPTEB Trans Ether Bridging
	EthPTEB L3Protocol = 0x6558
	// EthPRARP Reverse Addr Res packet
	EthPRARP L3Protocol = 0x8035
	// EthPATALK Appletalk DDP
	EthPATALK L3Protocol = 0x809B
	// EthPAARP Appletalk AARP
	EthPAARP L3Protocol = 0x80F3
	// EthP8021Q 802.1Q VLAN Extended Header
	EthP8021Q L3Protocol = 0x8100
	// EthPERSPAN ERSPAN type II
	EthPERSPAN L3Protocol = 0x88BE
	// EthPIPX IPX over DIX
	EthPIPX L3Protocol = 0x8137
	// EthPIPV6 IPv6 over bluebook
	EthPIPV6 L3Protocol = 0x86DD
	// EthPPAUSE IEEE Pause frames. See 802.3 31B
	EthPPAUSE L3Protocol = 0x8808
	// EthPSLOW Slow Protocol. See 802.3ad 43B
	EthPSLOW L3Protocol = 0x8809
	// EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	EthPWCCP L3Protocol = 0x883E
	// EthPMPLSUC MPLS Unicast traffic
	EthPMPLSUC L3Protocol = 0x8847
	// EthPMPLSMC MPLS Multicast traffic
	EthPMPLSMC L3Protocol = 0x8848
	// EthPATMMPOA MultiProtocol Over ATM
	EthPATMMPOA L3Protocol = 0x884c
	// EthPPPPDISC PPPoE discovery messages
	EthPPPPDISC L3Protocol = 0x8863
	// EthPPPPSES PPPoE session messages
	EthPPPPSES L3Protocol = 0x8864
	// EthPLinkCTL HPNA, wlan link local tunnel
	EthPLinkCTL L3Protocol = 0x886c
	// EthPATMFATE Frame-based ATM Transport over Ethernet
	EthPATMFATE L3Protocol = 0x8884
	// EthPPAE Port Access Entity (IEEE 802.1X)
	EthPPAE L3Protocol = 0x888E
	// EthPAOE ATA over Ethernet
	EthPAOE L3Protocol = 0x88A2
	// EthP8021AD 802.1ad Service VLAN
	EthP8021AD L3Protocol = 0x88A8
	// EthP802EX1 802.1 Local Experimental 1.
	EthP802EX1 L3Protocol = 0x88B5
	// EthPTIPC TIPC
	EthPTIPC L3Protocol = 0x88CA
	// EthPMACSEC 802.1ae MACsec
	EthPMACSEC L3Protocol = 0x88E5
	// EthP8021AH 802.1ah Backbone Service Tag
	EthP8021AH L3Protocol = 0x88E7
	// EthPMVRP 802.1Q MVRP
	EthPMVRP L3Protocol = 0x88F5
	// EthP1588 IEEE 1588 Timesync
	EthP1588 L3Protocol = 0x88F7
	// EthPNCSI NCSI protocol
	EthPNCSI L3Protocol = 0x88F8
	// EthPPRP IEC 62439-3 PRP/HSRv0
	EthPPRP L3Protocol = 0x88FB
	// EthPFCOE Fibre Channel over Ethernet
	EthPFCOE L3Protocol = 0x8906
	// EthPIBOE Infiniband over Ethernet
	EthPIBOE L3Protocol = 0x8915
	// EthPTDLS TDLS
	EthPTDLS L3Protocol = 0x890D
	// EthPFIP FCoE Initialization Protocol
	EthPFIP L3Protocol = 0x8914
	// EthP80221 IEEE 802.21 Media Independent Handover Protocol
	EthP80221 L3Protocol = 0x8917
	// EthPHSR IEC 62439-3 HSRv1
	EthPHSR L3Protocol = 0x892F
	// EthPNSH Network Service Header
	EthPNSH L3Protocol = 0x894F
	// EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3
	EthPLOOPBACK L3Protocol = 0x9000
	// EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ1 L3Protocol = 0x9100
	// EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ2 L3Protocol = 0x9200
	// EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ3 L3Protocol = 0x9300
	// EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPEDSA L3Protocol = 0xDADA
	// EthPIFE ForCES inter-FE LFB type
	EthPIFE L3Protocol = 0xED3E
	// EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPAFIUCV L3Protocol = 0xFBFB
	// EthP8023MIN If the value in the ethernet type is less than this value then the frame is Ethernet II. Else it is 802.3
	EthP8023MIN L3Protocol = 0x0600
	// EthPIPV6HopByHop IPv6 Hop by hop option
	EthPIPV6HopByHop L3Protocol = 0x000
	// EthP8023 Dummy type for 802.3 frames
	EthP8023 L3Protocol = 0x0001
	// EthPAX25 Dummy protocol id for AX.25
	EthPAX25 L3Protocol = 0x0002
	// EthPALL Every packet (be careful!!!)
	EthPALL L3Protocol = 0x0003
	// EthP8022 802.2 frames
	EthP8022 L3Protocol = 0x0004
	// EthPSNAP Internal only
	EthPSNAP L3Protocol = 0x0005
	// EthPDDCMP DEC DDCMP: Internal only
	EthPDDCMP L3Protocol = 0x0006
	// EthPWANPPP Dummy type for WAN PPP frames*/
	EthPWANPPP L3Protocol = 0x0007
	// EthPPPPMP Dummy type for PPP MP frames
	EthPPPPMP L3Protocol = 0x0008
	// EthPLOCALTALK Localtalk pseudo type
	EthPLOCALTALK L3Protocol = 0x0009
	// EthPCAN CAN: Controller Area Network
	EthPCAN L3Protocol = 0x000C
	// EthPCANFD CANFD: CAN flexible data rate*/
	EthPCANFD L3Protocol = 0x000D
	// EthPPPPTALK Dummy type for Atalk over PPP*/
	EthPPPPTALK L3Protocol = 0x0010
	// EthPTR8022 802.2 frames
	EthPTR8022 L3Protocol = 0x0011
	// EthPMOBITEX Mobitex (kaz@cafe.net)
	EthPMOBITEX L3Protocol = 0x0015
	// EthPCONTROL Card specific control frames
	EthPCONTROL L3Protocol = 0x0016
	// EthPIRDA Linux-IrDA
	EthPIRDA L3Protocol = 0x0017
	// EthPECONET Acorn Econet
	EthPECONET L3Protocol = 0x0018
	// EthPHDLC HDLC frames
	EthPHDLC L3Protocol = 0x0019
	// EthPARCNET 1A for ArcNet :-)
	EthPARCNET L3Protocol = 0x001A
	// EthPDSA Distributed Switch Arch.
	EthPDSA L3Protocol = 0x001B
	// EthPTRAILER Trailer switch tagging
	EthPTRAILER L3Protocol = 0x001C
	// EthPPHONET Nokia Phonet frames
	EthPPHONET L3Protocol = 0x00F5
	// EthPIEEE802154 IEEE802.15.4 frame
	EthPIEEE802154 L3Protocol = 0x00F6
	// EthPCAIF ST-Ericsson CAIF protocol
	EthPCAIF L3Protocol = 0x00F7
	// EthPXDSA Multiplexed DSA protocol
	EthPXDSA L3Protocol = 0x00F8
	// EthPMAP Qualcomm multiplexing and aggregation protocol
	EthPMAP L3Protocol = 0x00F9
)

func (L3Protocol) String 

func (proto L3Protocol) String() string

type L4Protocol 

type L4Protocol uint16

L4Protocol transport protocols 

const (
	// IPProtoIP Dummy protocol for TCP
	IPProtoIP L4Protocol = 0
	// IPProtoICMP Internet Control Message Protocol (IPv4)
	IPProtoICMP L4Protocol = 1
	// IPProtoIGMP Internet Group Management Protocol
	IPProtoIGMP L4Protocol = 2
	// IPProtoIPIP IPIP tunnels (older KA9Q tunnels use 94)
	IPProtoIPIP L4Protocol = 4
	// IPProtoTCP Transmission Control Protocol
	IPProtoTCP L4Protocol = 6
	// IPProtoEGP Exterior Gateway Protocol
	IPProtoEGP L4Protocol = 8
	// IPProtoIGP Interior Gateway Protocol (any private interior gateway (used by Cisco for their IGRP))
	IPProtoIGP L4Protocol = 9
	// IPProtoPUP PUP protocol
	IPProtoPUP L4Protocol = 12
	// IPProtoUDP User Datagram Protocol
	IPProtoUDP L4Protocol = 17
	// IPProtoIDP XNS IDP protocol
	IPProtoIDP L4Protocol = 22
	// IPProtoTP SO Transport Protocol Class 4
	IPProtoTP L4Protocol = 29
	// IPProtoDCCP Datagram Congestion Control Protocol
	IPProtoDCCP L4Protocol = 33
	// IPProtoIPV6 IPv6-in-IPv4 tunnelling
	IPProtoIPV6 L4Protocol = 41
	// IPProtoRSVP RSVP Protocol
	IPProtoRSVP L4Protocol = 46
	// IPProtoGRE Cisco GRE tunnels (rfc 1701,1702)
	IPProtoGRE L4Protocol = 47
	// IPProtoESP Encapsulation Security Payload protocol
	IPProtoESP L4Protocol = 50
	// IPProtoAH Authentication Header protocol
	IPProtoAH L4Protocol = 51
	// IPProtoICMPV6 Internet Control Message Protocol (IPv6)
	IPProtoICMPV6 L4Protocol = 58
	// IPProtoMTP Multicast Transport Protocol
	IPProtoMTP L4Protocol = 92
	// IPProtoBEETPH IP option pseudo header for BEET
	IPProtoBEETPH L4Protocol = 94
	// IPProtoENCAP Encapsulation Header
	IPProtoENCAP L4Protocol = 98
	// IPProtoPIM Protocol Independent Multicast
	IPProtoPIM L4Protocol = 103
	// IPProtoCOMP Compression Header Protocol
	IPProtoCOMP L4Protocol = 108
	// IPProtoSCTP Stream Control Transport Protocol
	IPProtoSCTP L4Protocol = 132
	// IPProtoUDPLITE UDP-Lite (RFC 3828)
	IPProtoUDPLITE L4Protocol = 136
	// IPProtoMPLS MPLS in IP (RFC 4023)
	IPProtoMPLS L4Protocol = 137
	// IPProtoRAW Raw IP packets
	IPProtoRAW L4Protocol = 255
)

func (L4Protocol) String 

func (proto L4Protocol) String() string

type LinkageType added in v0.68.0 

type LinkageType int

LinkageType represents the type of linkage used in the binary 

const (
	// None when unknown or for non-binary files
	None LinkageType = iota
	// Static linked executables
	Static
	// Dynamic linked executables
	Dynamic
)

func (LinkageType) String added in v0.68.0 

func (l LinkageType) String() string

type MatchedRule 

type MatchedRule struct {
	RuleID        string
	RuleVersion   string
	RuleTags      map[string]string
	PolicyName    string
	PolicyVersion string
}

MatchedRule contains the identification of one rule that has match

func AppendMatchedRule 

func AppendMatchedRule(list []*MatchedRule, toAdd []*MatchedRule) []*MatchedRule

AppendMatchedRule appends two lists, but avoiding duplicates

func NewMatchedRule 

func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule

NewMatchedRule return a new MatchedRule instance

func (*MatchedRule) Match 

func (mr *MatchedRule) Match(mr2 *MatchedRule) bool

Match returns true if the rules are equal

type Model 

type Model struct {
	ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
	// contains filtered or unexported fields
}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator 

func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID, offset int) (eval.Evaluator, error)

func (*Model) GetEventTypes 

func (_ *Model) GetEventTypes() []eval.EventType

func (*Model) GetFieldRestrictions added in v0.57.0 

func (_ *Model) GetFieldRestrictions(field eval.Field) []eval.EventType

func (*Model) NewEvent 

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) SetLegacyFields added in v0.73.0 

func (m *Model) SetLegacyFields(legacyFields map[eval.Field]eval.Field)

SetLegacyFields sets the legacy field mapping for backwards compatibility

func (*Model) ValidateField 

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type NetworkContext 

type NetworkContext struct {
	Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured

	L3Protocol       uint16        `field:"l3_protocol"`       // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
	L4Protocol       uint16        `field:"l4_protocol"`       // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
	Source           IPPortContext `field:"source"`            // source of the network packet
	Destination      IPPortContext `field:"destination"`       // destination of the network packet
	NetworkDirection uint32        `field:"network_direction"` // SECLDoc[network_direction] Definition:`Network direction of the network packet` Constants:`Network directions`
	Size             uint32        `field:"size"`              // SECLDoc[size] Definition:`Size in bytes of the network packet`
	Type             uint32        `field:"type"`              // SECLDoc[type] Definition:`Type of the network packet` Constants:`Network Protocol Types`
}

NetworkContext represents the network context of the event

func (*NetworkContext) IsZero added in v0.59.0 

func (nc *NetworkContext) IsZero() bool

IsZero returns if there is a network context

type NetworkDeviceContext 

type NetworkDeviceContext struct{}

NetworkDeviceContext defines a network device context

type NetworkDirection added in v0.63.0 

type NetworkDirection uint32

NetworkDirection is used to identify the network direction of a flow 

const (
	// Egress is used to identify egress traffic
	Egress NetworkDirection = iota + 1
	// Ingress is used to identify ingress traffic
	Ingress
)

func (NetworkDirection) String added in v0.63.0 

func (direction NetworkDirection) String() string

type NetworkProtocolType added in v0.71.0 

type NetworkProtocolType uint16

NetworkProtocolType is the type of the protocol of the network event 

const (
	// UnspecType is the default type
	UnspecType NetworkProtocolType = math.MaxUint16

	// ICMPTypeEchoRequest is the type for ICMP echo requests
	ICMPTypeEchoRequest NetworkProtocolType = 8
	// ICMPTypeEchoReply is the type for ICMP echo replies
	ICMPTypeEchoReply NetworkProtocolType = 0
	// ICMPTypeRouterSolicitation is the type for ICMP router solicitation
	ICMPTypeRouterSolicitation NetworkProtocolType = 9
	// ICMPTypeRouterAdvertisement is the type for ICMP router advertisement
	ICMPTypeRouterAdvertisement NetworkProtocolType = 10
	// ICMPTypeNeighborSolicitation is the type for ICMP neighbor solicitation
	ICMPTypeNeighborSolicitation NetworkProtocolType = 135
	// ICMPTypeNeighborAdvertisement is the type for ICMP neighbor advertisement
	ICMPTypeNeighborAdvertisement NetworkProtocolType = 136

	// ICMPv6TypeEchoRequest is the type for ICMPv6 echo requests
	ICMPv6TypeEchoRequest NetworkProtocolType = 128
	// ICMPv6TypeEchoReply is the type for ICMPv6 echo replies
	ICMPv6TypeEchoReply NetworkProtocolType = 129
	// ICMPv6TypeRouterSolicitation is the type for ICMPv6 router solicitation
	ICMPv6TypeRouterSolicitation NetworkProtocolType = 133
	// ICMPv6TypeRouterAdvertisement is the type for ICMPv6 router advertisement
	ICMPv6TypeRouterAdvertisement NetworkProtocolType = 134
	// ICMPv6TypeNeighborSolicitation is the type for ICMPv6 neighbor solicitation
	ICMPv6TypeNeighborSolicitation NetworkProtocolType = 137
	// ICMPv6TypeNeighborAdvertisement is the type for ICMPv6 neighbor advertisement
	ICMPv6TypeNeighborAdvertisement NetworkProtocolType = 138
)

func (NetworkProtocolType) String added in v0.71.0 

func (proto NetworkProtocolType) String() string

type OpenRegistryKeyEvent 

type OpenRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}

OpenRegistryKeyEvent defines registry key opening

type PIDContext 

type PIDContext struct {
	Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
}

PIDContext holds the process context of an kernel event

type Process 

type Process struct {
	PIDContext

	FileEvent FileEvent `field:"file"`

	ContainerContext ContainerContext `field:"container"` // SECLDoc[container] Definition:`Container`

	ExitTime time.Time `field:"exit_time,opts:getters_only|gen_getters"`
	ExecTime time.Time `field:"exec_time,opts:getters_only|gen_getters"`

	CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`

	PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`

	TracerTags []string `field:"-"` // Tags from APM tracer instrumentation

	ArgsEntry *ArgsEntry `field:"-"`
	EnvsEntry *EnvsEntry `field:"-"`

	CmdLine         string `field:"cmdline,handler:ResolveProcessCmdLine,weight:200" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[cmdline] Definition:`Command line of the process` Example:`exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.cmdline =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
	CmdLineScrubbed string `field:"cmdline_scrubbed,handler:ResolveProcessCmdLineScrubbed,weight:500,opts:getters_only"`

	OwnerSidString string `field:"user_sid"`                 // SECLDoc[user_sid] Definition:`Sid of the user of the process`
	User           string `field:"user,handler:ResolveUser"` // SECLDoc[user] Definition:`User name`

	Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
	Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process`                                                                                                                         // SECLDoc[envp] Definition:`Environment variables of the process`

	// cache version
	ScrubbedCmdLineResolved bool `field:"-"`
}

Process represents a process

type ProcessAncestorsIterator 

type ProcessAncestorsIterator struct {
	Root *ProcessCacheEntry
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) At added in v0.60.0 

func (it *ProcessAncestorsIterator) At(ctx *eval.Context, regID eval.RegisterID, pos int) *ProcessCacheEntry

At returns the element at the given position

func (*ProcessAncestorsIterator) Front 

func (it *ProcessAncestorsIterator) Front(_ *eval.Context) *ProcessCacheEntry

Front returns the first element

func (*ProcessAncestorsIterator) Len added in v0.60.0 

func (it *ProcessAncestorsIterator) Len(ctx *eval.Context) int

Len returns the len

func (*ProcessAncestorsIterator) Next 

func (it *ProcessAncestorsIterator) Next(_ *eval.Context) *ProcessCacheEntry

Next returns the next element

type ProcessCacheEntry 

type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry this struct holds process context kept in the process tree

func GetPlaceholderProcessCacheEntry added in v0.68.0 

func GetPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry

GetPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions

func NewProcessCacheEntry 

func NewProcessCacheEntry(coreRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) AppendReleaseCallback added in v0.56.0 

func (pc *ProcessCacheEntry) AppendReleaseCallback(callback func())

AppendReleaseCallback set the callback called when the entry is released

func (*ProcessCacheEntry) Hash added in v0.65.0 

func (pc *ProcessCacheEntry) Hash() string

Hash returns a unique key for the entity

func (*ProcessCacheEntry) IsContainerRoot 

func (pc *ProcessCacheEntry) IsContainerRoot() bool

IsContainerRoot returns whether this is a top level process in the container ID

func (*ProcessCacheEntry) ParentScope added in v0.68.0 

func (pc *ProcessCacheEntry) ParentScope() (eval.VariableScope, bool)

ParentScope returns the parent entity scope

func (*ProcessCacheEntry) Release 

func (pc *ProcessCacheEntry) Release()

Release decrement and eventually release the entry

func (*ProcessCacheEntry) Reset 

func (pc *ProcessCacheEntry) Reset()

Reset the entry

func (*ProcessCacheEntry) Retain 

func (pc *ProcessCacheEntry) Retain()

Retain increment ref counter

type ProcessContext 

type ProcessContext struct {
	Process

	Parent   *Process           `field:"parent,opts:exposed_at_event_root_only,check:HasParent"`
	Ancestor *ProcessCacheEntry `field:"ancestors,iterator:ProcessAncestorsIterator,check:IsNotKworker"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) HasParent 

func (p *ProcessContext) HasParent() bool

HasParent returns whether the process has a parent

type QClass 

type QClass uint32

QClass is used to declare the qclass field of a DNS request

func (QClass) String 

func (qc QClass) String() string

type QType 

type QType uint32

QType is used to declare the qtype field of a DNS request

func (QType) String 

func (qt QType) String() string

type RegistryEvent 

type RegistryEvent struct {
	KeyName string `field:"key_name,opts:length"`                                       // SECLDoc[key_name] Definition:`Registry's name`
	KeyPath string `field:"key_path,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[key_path] Definition:`Registry's path`
}

RegistryEvent is the common registry event type

type Releasable 

type Releasable struct {
	// contains filtered or unexported fields
}

Releasable represents an object than can be released

func (*Releasable) AppendReleaseCallback added in v0.56.0 

func (r *Releasable) AppendReleaseCallback(callback func())

AppendReleaseCallback sets a callback to be called when the cache entry is released

func (*Releasable) CallReleaseCallback 

func (r *Releasable) CallReleaseCallback()

CallReleaseCallback calls the on-release callback

type RenameFileEvent added in v0.54.0 

type RenameFileEvent struct {
	Old FimFileEvent `field:"file"`             // SECLDoc[file] Definition:`File Event`
	New FimFileEvent `field:"file.destination"` // SECLDoc[file] Definition:`File Event`
}

RenameFileEvent defines file renaming

type RetValError 

type RetValError int

RetValError represents a syscall return error value

func (RetValError) String 

func (f RetValError) String() string

type RuleContext added in v0.66.0 

type RuleContext struct {
	Expression       string                `field:"-"`
	MatchingSubExprs eval.MatchingSubExprs `field:"-"`
}

RuleContext defines a rule context

type SSHSessionContext added in v0.74.0 

type SSHSessionContext struct {
	SSHSessionID  uint64    `field:"ssh_session_id" json:"ssh_session_id,omitempty"` // SECLDoc[ssh_session_id] Definition:`Unique identifier of the SSH user session on the host`
	SSHClientPort int       `field:"ssh_client_port" json:"client_port,omitempty"`   // SECLDoc[ssh_client_port] Definition:`SSH client port of the user that executed the process`
	SSHClientIP   net.IPNet `field:"ssh_client_ip" json:"client_ip,omitempty"`       // SECLDoc[ssh_client_ip] Definition:`SSH client IP of the user that executed the process`
	SSHAuthMethod int       `field:"ssh_auth_method" json:"auth_method,omitempty"`   // SECLDoc[ssh_auth_method] Definition:`SSH authentication method used by the user` Constants:`SSHAuthMethod`
	SSHPublicKey  string    `field:"ssh_public_key" json:"public_key,omitempty"`     // SECLDoc[ssh_public_key] Definition:`SSH public key used for authentication (if applicable)`
}

SSHSessionContext describes the SSH session context

type SecurityProfileContext 

type SecurityProfileContext struct {
	Name           string                     `field:"name"`        // SECLDoc[name] Definition:`Name of the security profile`
	Version        string                     `field:"version"`     // SECLDoc[version] Definition:`Version of the security profile`
	Tags           []string                   `field:"tags"`        // SECLDoc[tags] Definition:`Tags of the security profile`
	EventTypes     []EventType                `field:"event_types"` // SECLDoc[event_types] Definition:`Event types enabled for the security profile`
	EventTypeState EventFilteringProfileState `field:"-"`           // State of the event type in this profile
}

SecurityProfileContext holds the security context of the profile

type SetRegistryKeyValueEvent 

type SetRegistryKeyValueEvent struct {
	Registry  RegistryEvent `field:"registry"`                                   // SECLDoc[registry] Definition:`Registry Event`
	ValueName string        `field:"value_name;registry.value_name,opts:length"` // SECLDoc[value_name] Definition:`Registry's value name` SECLDoc[registry.value_name] Definition:`Registry's value name`
}

SetRegistryKeyValueEvent defines the event of setting up a value of a registry key

type SpanContext 

type SpanContext struct {
	SpanID  uint64        `field:"-"`
	TraceID utils.TraceID `field:"-"`
}

SpanContext describes a span context

type SyscallDriftEventReason added in v0.57.0 

type SyscallDriftEventReason uint64

SyscallDriftEventReason describes why a syscall drift event was sent 

const (
	// SyscallMonitorPeriodReason means that the event was sent because the syscall cache entry was dirty for longer than syscall_monitor.period
	SyscallMonitorPeriodReason SyscallDriftEventReason = iota + 1
	// ExitReason means that the event was sent because a pid that was about to exit had a dirty cache entry
	ExitReason
	// ExecveReason means that the event was sent because an execve syscall was detected on a pid with a dirty cache entry
	ExecveReason
)

func (SyscallDriftEventReason) String added in v0.57.0 

func (r SyscallDriftEventReason) String() string

type TLSContext added in v0.60.0 

type TLSContext struct {
	Version uint16 `field:"version"` // SECLDoc[version] Definition:`TLS version`
}

TLSContext represents a tls context

type TLSVersion added in v0.60.0 

type TLSVersion uint16

TLSVersion tls version

func (TLSVersion) String added in v0.60.0 

func (tls TLSVersion) String() string

type UserSessionContext 

type UserSessionContext struct {
	SessionType int    `field:"session_type,handler:ResolveSessionType" json:"session_type,omitempty"` // SECLDoc[session_type] Definition:`Type of the user session`
	ID          string `field:"id,handler:ResolveSessionID" json:"id,omitempty"`                       // SECLDoc[id] Definition:`Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type`
	Identity    string `field:"identity,handler:ResolveSessionIdentity" json:"identity,omitempty"`     // SECLDoc[identity] Definition:`User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type`
	K8SSessionContext
	SSHSessionContext
}

UserSessionContext describes the user session context

type WriteFileEvent added in v0.54.0 

type WriteFileEvent struct {
	File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}

WriteFileEvent represents a write event

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.