Documentation
Index ¶
- Constants
- Variables
- func FindContainerID(s string) string
- func GetEventTypePerCategory() map[EventCategory][]eval.EventType
- func GetHostByteOrder() binary.ByteOrder
- func IsAlphaNumeric(r rune) bool
- func IsPrintable(s string) bool
- func IsPrintableASCII(s string) bool
- func SliceToArray(src []byte, dst unsafe.Pointer)
- func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)
- func UnmarshalString(data []byte, size int) (string, error)
- func UnmarshalStringArray(data []byte) ([]string, error)
- type ArgsEntry
- type ArgsEnvs
- type ArgsEnvsCacheEntry
- type ArgsEnvsEvent
- type BinaryUnmarshaler
- type CapsetEvent
- type ChmodEvent
- type ChmodMode
- type ChownEvent
- type ContainerContext
- type Credentials
- type EnvsEntry
- type Event
- func (e *Event) GetEventType() EventType
- func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
- func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
- func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)
- func (e *Event) GetFields() []eval.Field
- func (e *Event) GetPointer() unsafe.Pointer
- func (e *Event) GetTags() []string
- func (e *Event) GetType() string
- func (e *Event) SetFieldValue(field eval.Field, value interface{}) error
- func (e *Event) UnmarshalBinary(data []byte) (int, error)
- type EventCategory
- type EventType
- type ExecEvent
- type FileEvent
- type FileFields
- type InvalidateDentryEvent
- type KernelCapability
- type LinkEvent
- type MkdirEvent
- type Model
- func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)
- func (m *Model) GetEventTypes() []eval.EventType
- func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)
- func (m *Model) NewEvent() eval.Event
- func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error
- type MountEvent
- type MountReleasedEvent
- type OpenEvent
- type OpenFlags
- type Process
- type ProcessAncestorsIterator
- type ProcessCacheEntry
- func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)
- func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
- func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)
- func (e *ProcessCacheEntry) Release()
- func (e *ProcessCacheEntry) Reset()
- func (e *ProcessCacheEntry) Retain()
- func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)
- type ProcessContext
- type RenameEvent
- type RetValError
- type RmdirEvent
- type SELinuxEvent
- type SELinuxEventKind
- type SetXAttrEvent
- type SetgidEvent
- type SetuidEvent
- type SpanContext
- type SyscallEvent
- type UmountEvent
- type UnlinkEvent
- type UnlinkFlags
- type UtimesEvent
Constants ¶
// File flags. LowerLayer and UpperLayer are single-bit flags describing the
// OverlayFS layer a file lives in (compare FileFields.InUpperLayer and the
// GetInLowerLayer/GetInUpperLayer helpers); presumably they are stored in
// FileFields.Flags — confirm against the resolvers.
const (
	LowerLayer = 1 << iota
	UpperLayer
)
File flags
// MaxPathDepth defines the maximum depth of a path, i.e. the number of
// segments a path resolution will walk before giving up (see
// MaxSegmentLength for the per-segment bound).
const MaxPathDepth = 1500
MaxPathDepth defines the maximum depth of a path
// MaxSegmentLength defines the maximum length of each segment of a path.
// NOTE(review): 255 matches the usual Linux NAME_MAX; confirm the unit is bytes.
const MaxSegmentLength = 255
MaxSegmentLength defines the maximum length of each segment of a path
Variables ¶
var (
	// KernelCapabilityConstants list of kernel capabilities, keyed by the
	// CAP_* name usable in rules and valued by that capability's bit in a
	// capability bitmask (1 << capability number as defined by the unix package).
	KernelCapabilityConstants = map[string]uint64{
		"CAP_AUDIT_CONTROL":      1 << unix.CAP_AUDIT_CONTROL,
		"CAP_AUDIT_READ":         1 << unix.CAP_AUDIT_READ,
		"CAP_AUDIT_WRITE":        1 << unix.CAP_AUDIT_WRITE,
		"CAP_BLOCK_SUSPEND":      1 << unix.CAP_BLOCK_SUSPEND,
		"CAP_BPF":                1 << unix.CAP_BPF,
		"CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE,
		"CAP_CHOWN":              1 << unix.CAP_CHOWN,
		"CAP_DAC_OVERRIDE":       1 << unix.CAP_DAC_OVERRIDE,
		"CAP_DAC_READ_SEARCH":    1 << unix.CAP_DAC_READ_SEARCH,
		"CAP_FOWNER":             1 << unix.CAP_FOWNER,
		"CAP_FSETID":             1 << unix.CAP_FSETID,
		"CAP_IPC_LOCK":           1 << unix.CAP_IPC_LOCK,
		"CAP_IPC_OWNER":          1 << unix.CAP_IPC_OWNER,
		"CAP_KILL":               1 << unix.CAP_KILL,
		// NOTE(review): CAP_LAST_CAP is whichever capability number the unix
		// package defines as the last one, so this bit aliases another entry
		// rather than naming a distinct capability — confirm this is intended.
		"CAP_LAST_CAP":           1 << unix.CAP_LAST_CAP,
		"CAP_LEASE":              1 << unix.CAP_LEASE,
		"CAP_LINUX_IMMUTABLE":    1 << unix.CAP_LINUX_IMMUTABLE,
		"CAP_MAC_ADMIN":          1 << unix.CAP_MAC_ADMIN,
		"CAP_MAC_OVERRIDE":       1 << unix.CAP_MAC_OVERRIDE,
		"CAP_MKNOD":              1 << unix.CAP_MKNOD,
		"CAP_NET_ADMIN":          1 << unix.CAP_NET_ADMIN,
		"CAP_NET_BIND_SERVICE":   1 << unix.CAP_NET_BIND_SERVICE,
		"CAP_NET_BROADCAST":      1 << unix.CAP_NET_BROADCAST,
		"CAP_NET_RAW":            1 << unix.CAP_NET_RAW,
		"CAP_PERFMON":            1 << unix.CAP_PERFMON,
		"CAP_SETFCAP":            1 << unix.CAP_SETFCAP,
		"CAP_SETGID":             1 << unix.CAP_SETGID,
		"CAP_SETPCAP":            1 << unix.CAP_SETPCAP,
		"CAP_SETUID":             1 << unix.CAP_SETUID,
		"CAP_SYSLOG":             1 << unix.CAP_SYSLOG,
		"CAP_SYS_ADMIN":          1 << unix.CAP_SYS_ADMIN,
		"CAP_SYS_BOOT":           1 << unix.CAP_SYS_BOOT,
		"CAP_SYS_CHROOT":         1 << unix.CAP_SYS_CHROOT,
		"CAP_SYS_MODULE":         1 << unix.CAP_SYS_MODULE,
		"CAP_SYS_NICE":           1 << unix.CAP_SYS_NICE,
		"CAP_SYS_PACCT":          1 << unix.CAP_SYS_PACCT,
		"CAP_SYS_PTRACE":         1 << unix.CAP_SYS_PTRACE,
		"CAP_SYS_RAWIO":          1 << unix.CAP_SYS_RAWIO,
		"CAP_SYS_RESOURCE":       1 << unix.CAP_SYS_RESOURCE,
		"CAP_SYS_TIME":           1 << unix.CAP_SYS_TIME,
		"CAP_SYS_TTY_CONFIG":     1 << unix.CAP_SYS_TTY_CONFIG,
		"CAP_WAKE_ALARM":         1 << unix.CAP_WAKE_ALARM,
	}

	// SECLConstants are constants available in runtime security agent rules
	// (the boolean literals, pre-built as evaluators).
	SECLConstants = map[string]interface{}{
		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}
)
// Sentinel errors of the binary decoding helpers; callers should match them
// with errors.Is rather than by string.
var (
	// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
	ErrNotEnoughData = errors.New("not enough data")
	// ErrStringArrayOverflow returned when there is a string array overflow
	ErrStringArrayOverflow = errors.New("string array overflow")
	// ErrNonPrintable returned when a string contains non printable char
	ErrNonPrintable = errors.New("non printable")
)
// ByteOrder holds the host's byte order, used when decoding the fixed-width
// integers of kernel events; compare GetHostByteOrder, which guesses it.
var ByteOrder binary.ByteOrder
ByteOrder holds the host's byte order
// SECLLegacyAttributes maps each legacy rule attribute name (key) to the
// current attribute it is an alias for (value), so that older rules keep
// evaluating after a field was renamed.
var SECLLegacyAttributes = map[eval.Field]eval.Field{
	// file events
	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode": "chmod.file.destination.mode",
	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid": "chown.file.destination.uid",
	"chown.user": "chown.file.destination.user",
	"chown.gid": "chown.file.destination.gid",
	"chown.group": "chown.file.destination.group",
	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode": "open.file.destination.mode",
	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode": "mkdir.file.destination.mode",
	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",
	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",
	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",
	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",
	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",
	"setxattr.filename": "setxattr.file.path",
	"setxattr.basename": "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name": "setxattr.file.destination.name",
	"removexattr.filename": "removexattr.file.path",
	"removexattr.basename": "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name": "removexattr.file.destination.name",
	// process events
	"exec.filename": "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename": "exec.file.name",
	"exec.name": "exec.comm",
	"process.filename": "process.file.path",
	"process.basename": "process.file.name",
	"process.name": "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name": "process.ancestors.comm",
}
SECLLegacyAttributes maps each legacy attribute that still needs to be supported to its current name
Functions ¶
func FindContainerID ¶
FindContainerID extracts the first substring that matches the pattern of a container ID
func GetEventTypePerCategory ¶
func GetEventTypePerCategory() map[EventCategory][]eval.EventType
GetEventTypePerCategory returns the event types per category
func GetHostByteOrder ¶
GetHostByteOrder guesses the host's byte order
func IsAlphaNumeric ¶
IsAlphaNumeric returns whether a character is either a digit or a letter
func IsPrintable ¶
IsPrintable returns whether the string contains only printable Unicode characters
func IsPrintableASCII ¶
IsPrintableASCII returns whether the string contains only printable ASCII characters
func SliceToArray ¶
SliceToArray copies the bytes of src to dst. The destination must already have enough space for them; the caller is responsible for that.
func UnmarshalBinary ¶
func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)
UnmarshalBinary calls a series of BinaryUnmarshalers, one after the other, on data
func UnmarshalString ¶
UnmarshalString unmarshals a string from data
func UnmarshalStringArray ¶
UnmarshalStringArray extracts an array of strings from an array of bytes
Types ¶
type ArgsEntry ¶
// ArgsEntry defines an args cache entry: the resolved argument values of a
// process together with a truncation indicator.
type ArgsEntry struct {
	*ArgsEnvsCacheEntry // reference-counted base entry (see ArgsEnvsCacheEntry.Retain/Release)
	Values    []string  // resolved arguments
	Truncated bool      // set when the arguments could not be captured in full
	// contains filtered or unexported fields
}
ArgsEntry defines an args cache entry
type ArgsEnvsCacheEntry ¶
// ArgsEnvsCacheEntry defines an args/envs base entry. It is reference
// counted (Retain/Release) and entries can be chained with Append.
type ArgsEnvsCacheEntry struct {
	ArgsEnvs // embedded ArgsEnvs value; its layout is defined elsewhere
	// contains filtered or unexported fields
}
ArgsEnvsCacheEntry defines an args/envs base entry
func NewArgsEnvsCacheEntry ¶
func NewArgsEnvsCacheEntry(onRelease func(_ *ArgsEnvsCacheEntry)) *ArgsEnvsCacheEntry
NewArgsEnvsCacheEntry returns a new args/env cache entry
func (*ArgsEnvsCacheEntry) Append ¶
func (p *ArgsEnvsCacheEntry) Append(entry *ArgsEnvsCacheEntry)
Append appends an entry to the list
func (*ArgsEnvsCacheEntry) Release ¶
func (p *ArgsEnvsCacheEntry) Release()
Release decrements the reference counter and eventually releases the entry
func (*ArgsEnvsCacheEntry) Retain ¶
func (p *ArgsEnvsCacheEntry) Retain()
Retain increments the reference counter
type ArgsEnvsEvent ¶
// ArgsEnvsEvent defines an args/envs event, i.e. the kernel-side payload
// carrying process arguments/environment; it is not exposed to rules
// (Event.ArgsEnvs is tagged field:"-").
type ArgsEnvsEvent struct {
	ArgsEnvs // embedded ArgsEnvs value; its layout is defined elsewhere
}
ArgsEnvsEvent defines an args/envs event
func (*ArgsEnvsEvent) UnmarshalBinary ¶
func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type BinaryUnmarshaler ¶
BinaryUnmarshaler is the interface implemented by every event type
type CapsetEvent ¶
// CapsetEvent represents a capset event. Both fields are capability
// bitmasks (same layout as KernelCapabilityConstants); convert with
// KernelCapability.StringArray to get CAP_* names.
type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"` // Effective capability set of the process
	CapPermitted uint64 `field:"cap_permitted"` // Permitted capability set of the process
}
CapsetEvent represents a capset event
func (*CapsetEvent) UnmarshalBinary ¶
func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type ChmodEvent ¶
// ChmodEvent represents a chmod event.
type ChmodEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the file whose mode changed
	// Mode is exposed to rules under two names, file.destination.mode and
	// file.destination.rights.
	Mode uint32 `field:"file.destination.mode" field:"file.destination.rights"` // New mode/rights of the chmod-ed file
}
ChmodEvent represents a chmod event
func (*ChmodEvent) UnmarshalBinary ¶
func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type ChownEvent ¶
// ChownEvent represents a chown event. User and Group are resolved lazily
// by the resolvers named in their tags (ResolveChownUID / ResolveChownGID),
// presumably from UID and GID.
type ChownEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the file whose ownership changed
	UID uint32 `field:"file.destination.uid"` // New UID of the chown-ed file's owner
	User string `field:"file.destination.user,ResolveChownUID"` // New user of the chown-ed file's owner
	GID uint32 `field:"file.destination.gid"` // New GID of the chown-ed file's owner
	Group string `field:"file.destination.group,ResolveChownGID"` // New group of the chown-ed file's owner
}
ChownEvent represents a chown event
func (*ChownEvent) UnmarshalBinary ¶
func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type ContainerContext ¶
// ContainerContext holds the container context of an event. Both fields are
// filled by resolvers (ResolveContainerID, ResolveContainerTags); the ":9999"
// suffix on the tags resolver is a resolver option whose meaning is not
// visible here — check the accessor generator.
type ContainerContext struct {
	ID string `field:"id,ResolveContainerID"` // ID of the container
	Tags []string `field:"tags,ResolveContainerTags:9999"` // Tags of the container
}
ContainerContext holds the container context of an event
func (*ContainerContext) UnmarshalBinary ¶
func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type Credentials ¶
// Credentials represents the kernel credentials of a process: the real,
// effective and filesystem uid/gid triplets (with their resolved names) and
// the effective/permitted capability bitmasks (see KernelCapability).
type Credentials struct {
	UID uint32 `field:"uid"` // UID of the process
	GID uint32 `field:"gid"` // GID of the process
	User string `field:"user"` // User of the process
	Group string `field:"group"` // Group of the process
	EUID uint32 `field:"euid"` // Effective UID of the process
	EGID uint32 `field:"egid"` // Effective GID of the process
	EUser string `field:"euser"` // Effective user of the process
	EGroup string `field:"egroup"` // Effective group of the process
	FSUID uint32 `field:"fsuid"` // FileSystem-uid of the process
	FSGID uint32 `field:"fsgid"` // FileSystem-gid of the process
	FSUser string `field:"fsuser"` // FileSystem-user of the process
	FSGroup string `field:"fsgroup"` // FileSystem-group of the process
	CapEffective uint64 `field:"cap_effective"` // Effective capability set of the process
	CapPermitted uint64 `field:"cap_permitted"` // Permitted capability set of the process
}
Credentials represents the kernel credentials of a process
func (*Credentials) UnmarshalBinary ¶
func (e *Credentials) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type EnvsEntry ¶
// EnvsEntry defines an envs cache entry: the resolved environment variables
// of a process together with a truncation indicator.
type EnvsEntry struct {
	*ArgsEnvsCacheEntry // reference-counted base entry (see ArgsEnvsCacheEntry.Retain/Release)
	Values    map[string]string // environment variables, keyed by name
	Truncated bool              // set when the environment could not be captured in full
	// contains filtered or unexported fields
}
EnvsEntry defines an envs cache entry
type Event ¶
// Event represents an event sent from the kernel. Fields tagged field:"-"
// are not exposed to rules; fields carrying an event:"..." tag are the
// per-event-type payloads, and the bracketed prefix of their comment gives
// the agent version that introduced them.
type Event struct {
	ID string `field:"-"`
	Type uint64 `field:"-"` // raw event type, see EventType
	TimestampRaw uint64 `field:"-"`
	Timestamp time.Time `field:"timestamp"` // Timestamp of the event
	ProcessContext ProcessContext `field:"process" event:"*"` // available for every event type
	SpanContext SpanContext `field:"-"`
	ContainerContext ContainerContext `field:"container"`
	Chmod ChmodEvent `field:"chmod" event:"chmod"` // [7.27] [File] A file’s permissions were changed
	Chown ChownEvent `field:"chown" event:"chown"` // [7.27] [File] A file’s owner was changed
	Open OpenEvent `field:"open" event:"open"` // [7.27] [File] A file was opened
	Mkdir MkdirEvent `field:"mkdir" event:"mkdir"` // [7.27] [File] A directory was created
	Rmdir RmdirEvent `field:"rmdir" event:"rmdir"` // [7.27] [File] A directory was removed
	Rename RenameEvent `field:"rename" event:"rename"` // [7.27] [File] A file/directory was renamed
	Unlink UnlinkEvent `field:"unlink" event:"unlink"` // [7.27] [File] A file was deleted
	Utimes UtimesEvent `field:"utimes" event:"utimes"` // [7.27] [File] Change file access/modification times
	Link LinkEvent `field:"link" event:"link"` // [7.27] [File] Create a new name/alias for a file
	SetXAttr SetXAttrEvent `field:"setxattr" event:"setxattr"` // [7.27] [File] Set extended attributes
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"` // [7.27] [File] Remove extended attributes
	Exec ExecEvent `field:"exec" event:"exec"` // [7.27] [Process] A process was executed or forked
	SetUID SetuidEvent `field:"setuid" event:"setuid"` // [7.27] [Process] A process changed its effective uid
	SetGID SetgidEvent `field:"setgid" event:"setgid"` // [7.27] [Process] A process changed its effective gid
	Capset CapsetEvent `field:"capset" event:"capset"` // [7.27] [Process] A process changed its capability set
	SELinux SELinuxEvent `field:"selinux" event:"selinux"` // [7.30] [Kernel] An SELinux operation was run
	// Internal events, consumed by the agent itself and hidden from rules.
	Mount MountEvent `field:"-"`
	Umount UmountEvent `field:"-"`
	InvalidateDentry InvalidateDentryEvent `field:"-"`
	ArgsEnvs ArgsEnvsEvent `field:"-"`
	MountReleased MountReleasedEvent `field:"-"`
}
Event represents an event sent from the kernel genaccessors
func (*Event) GetEventType ¶
GetEventType returns the event type of the event
func (*Event) GetFieldEventType ¶
func (*Event) GetPointer ¶
GetPointer return an unsafe.Pointer of the Event
func (*Event) SetFieldValue ¶
type EventCategory ¶
// EventCategory is the category type of an event; it is a plain string
// alias, with FIMCategory and RuntimeCategory as the known values.
type EventCategory = string
EventCategory is the category type of an event
// Event categories.
const (
	// FIMCategory FIM events
	FIMCategory EventCategory = "fim"
	// RuntimeCategory Process events
	RuntimeCategory EventCategory = "runtime"
)
Event categories
func GetEventTypeCategory ¶
func GetEventTypeCategory(eventType eval.EventType) EventCategory
GetEventTypeCategory returns the category for the given event type
type EventType ¶
// EventType describes the type of an event sent from the kernel; the known
// values are the constants below (kernel events up to MaxEventType, then
// the user-space Custom* events).
type EventType uint64
EventType describes the type of an event sent from the kernel
// Kernel event types. The explicit aliases FirstDiscarderEventType and
// LastDiscarderEventType do not reset iota, so the Custom* values that
// follow start a couple of positions above MaxEventType rather than
// directly after it.
const (
	// UnknownEventType unknown event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// MaxEventType is used internally to get the maximum number of kernel events.
	MaxEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType
	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileRemoveXAttrEventType

	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	CustomLostReadEventType EventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process
	CustomNoisyProcessEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
)
func ParseEvalEventType ¶
ParseEvalEventType converts an eval.EventType (string) to its uint64 representation. The current algorithm is not efficient, but it allows us to reduce the number of conversion functions.
type ExecEvent ¶
// ExecEvent represents an exec event. The argument/environment fields are
// resolved lazily by the resolvers named in their tags; Argv is additionally
// exposed to rules as args_flags and args_options.
type ExecEvent struct {
	Process // the executed process (file, pid, credentials, ...)
	// defined to generate accessors
	Args string `field:"args,ResolveExecArgs"` // Arguments of the process (as a string)
	Argv []string `field:"argv,ResolveExecArgv" field:"args_flags,ResolveExecArgsFlags" field:"args_options,ResolveExecArgsOptions"` // Arguments of the process (as an array)
	ArgsTruncated bool `field:"args_truncated,ResolveExecArgsTruncated"` // Indicator of arguments truncation
	Envs []string `field:"envs,ResolveExecEnvs"` // Environment variables of the process
	EnvsTruncated bool `field:"envs_truncated,ResolveExecEnvsTruncated"` // Indicator of environment variables truncation
}
ExecEvent represents an exec event
type FileEvent ¶
// FileEvent is the common file event type: the identifying FileFields plus
// the lazily resolved path, basename and filesystem. A failed path
// resolution is recorded in PathResolutionError (see GetPathResolutionError)
// rather than surfaced as an event error.
type FileEvent struct {
	FileFields
	PathnameStr string `field:"path,ResolveFilePath"` // File's path
	BasenameStr string `field:"name,ResolveFileBasename"` // File's basename
	Filesytem string `field:"filesystem,ResolveFileFilesystem"` // File's filesystem
	PathResolutionError error `field:"-"` // set when the path could not be resolved; not exposed to rules
}
FileEvent is the common file event type
func (*FileEvent) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
type FileFields ¶
// FileFields holds the information required to identify a file: its
// (mount id, inode) pair, ownership, mode and timestamps. The untagged
// fields at the end are internal; Flags presumably carries the
// LowerLayer/UpperLayer bits (see GetInLowerLayer/GetInUpperLayer) and
// NLink feeds HasHardLinks — confirm against those helpers.
type FileFields struct {
	UID uint32 `field:"uid"` // UID of the file's owner
	User string `field:"user,ResolveFileFieldsUser"` // User of the file's owner
	GID uint32 `field:"gid"` // GID of the file's owner
	Group string `field:"group,ResolveFileFieldsGroup"` // Group of the file's owner
	Mode uint16 `field:"mode" field:"rights,ResolveRights"` // Mode/rights of the file
	CTime uint64 `field:"change_time"` // Change time of the file
	MTime uint64 `field:"modification_time"` // Modification time of the file
	MountID uint32 `field:"mount_id"` // Mount ID of the file
	Inode uint64 `field:"inode"` // Inode of the file
	InUpperLayer bool `field:"in_upper_layer,ResolveFileFieldsInUpperLayer"` // Indicator of the file layer, in an OverlayFS for example
	NLink uint32 `field:"-"`
	PathID uint32 `field:"-"`
	Flags int32 `field:"-"`
}
FileFields holds the information required to identify a file
func (*FileFields) GetInLowerLayer ¶
func (f *FileFields) GetInLowerLayer() bool
GetInLowerLayer returns whether a file is in a lower layer
func (*FileFields) GetInUpperLayer ¶
func (f *FileFields) GetInUpperLayer() bool
GetInUpperLayer returns whether a file is in the upper layer
func (*FileFields) HasHardLinks ¶
func (f *FileFields) HasHardLinks() bool
HasHardLinks returns whether the file has hard links
func (*FileFields) UnmarshalBinary ¶
func (e *FileFields) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type InvalidateDentryEvent ¶
InvalidateDentryEvent defines an invalidate dentry event
func (*InvalidateDentryEvent) UnmarshalBinary ¶
func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type KernelCapability ¶
// KernelCapability represents a kernel capability bitmask value, in the
// same bit layout as KernelCapabilityConstants; String and StringArray
// render it as CAP_* names.
type KernelCapability uint64
KernelCapability represents a kernel capability bitmask value
func (KernelCapability) String ¶
func (kc KernelCapability) String() string
func (KernelCapability) StringArray ¶
func (kc KernelCapability) StringArray() []string
StringArray returns the kernel capabilities as an array of strings
type LinkEvent ¶
// LinkEvent represents a link event: Source is the existing file and
// Target the new name created for it (exposed as file.destination).
type LinkEvent struct {
	SyscallEvent // Retval of the syscall
	Source FileEvent `field:"file"`
	Target FileEvent `field:"file.destination"`
}
LinkEvent represents a link event
type MkdirEvent ¶
// MkdirEvent represents a mkdir event.
type MkdirEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the created directory
	// Mode is exposed to rules as both file.destination.mode and file.destination.rights.
	Mode uint32 `field:"file.destination.mode" field:"file.destination.rights"` // Mode/rights of the new directory
}
MkdirEvent represents a mkdir event
func (*MkdirEvent) UnmarshalBinary ¶
func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type Model ¶
// Model describes the data model for the runtime security agent events. It
// is stateless (an empty struct) and provides the eval model hooks
// GetEvaluator, GetEventTypes, GetIterator, NewEvent and ValidateField.
type Model struct{}
Model describes the data model for the runtime security agent events
func (*Model) GetEvaluator ¶
func (*Model) GetEventTypes ¶
func (*Model) ValidateField ¶
ValidateField validates the value of a field
type MountEvent ¶
// MountEvent represents a mount event. It is internal (Event.Mount is
// tagged field:"-"), so none of these fields are rule-addressable. Path
// resolution failures for the mount point and the root are kept in the
// *PathResolutionError fields (see the Get*PathResolutionError helpers).
type MountEvent struct {
	SyscallEvent // Retval of the syscall
	MountID uint32
	GroupID uint32
	Device uint32
	ParentMountID uint32
	ParentInode uint64
	FSType string // see GetFSType; presumably decoded from FSTypeRaw — confirm
	MountPointStr string
	MountPointPathResolutionError error
	RootMountID uint32
	RootInode uint64
	RootStr string
	RootPathResolutionError error
	FSTypeRaw [16]byte // raw filesystem type as received from the kernel
}
MountEvent represents a mount event
func (*MountEvent) GetFSType ¶
func (m *MountEvent) GetFSType() string
GetFSType returns the filesystem type of the mountpoint
func (*MountEvent) GetMountPointPathResolutionError ¶
func (m *MountEvent) GetMountPointPathResolutionError() string
GetMountPointPathResolutionError returns the mount point path resolution error as a string if there is one
func (*MountEvent) GetRootPathResolutionError ¶
func (m *MountEvent) GetRootPathResolutionError() string
GetRootPathResolutionError returns the root path resolution error as a string if there is one
func (*MountEvent) IsOverlayFS ¶
func (m *MountEvent) IsOverlayFS() bool
IsOverlayFS returns whether the mount is an overlay filesystem
func (*MountEvent) UnmarshalBinary ¶
func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type MountReleasedEvent ¶
MountReleasedEvent defines a mount released event
func (*MountReleasedEvent) UnmarshalBinary ¶
func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type OpenEvent ¶
// OpenEvent represents an open event. Flags is the raw open(2) flags
// bitmask (see OpenFlags.StringArray for a readable form); Mode is only
// meaningful when the open created the file.
type OpenEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the opened file
	Flags uint32 `field:"flags"` // Flags used when opening the file
	Mode uint32 `field:"file.destination.mode"` // Mode of the created file
}
OpenEvent represents an open event
type OpenFlags ¶
// OpenFlags represents an open flags bitmask value; StringArray renders it
// as a list of flag names.
type OpenFlags int
OpenFlags represents an open flags bitmask value
func (OpenFlags) StringArray ¶
StringArray returns the open flags as an array of strings
type Process ¶
// Process represents a process. The field groups mirror the kernel-side
// structures they are decoded from (proc_cache_t, pid_cache_t and its
// credentials_t section); the untagged trailing fields are user-space
// bookkeeping for the args/envs cache and are not exposed to rules.
type Process struct {
	// proc_cache_t
	FileFields FileFields `field:"file"` // identity of the executable
	Pid uint32 `field:"pid"` // Process ID of the process (also called thread group ID)
	Tid uint32 `field:"tid"` // Thread ID of the thread
	PathnameStr string `field:"file.path"` // Path of the process executable
	BasenameStr string `field:"file.name"` // Basename of the path of the process executable
	Filesystem string `field:"file.filesystem"` // FileSystem of the process executable
	PathResolutionError error `field:"-"` // set when the executable path could not be resolved (see GetPathResolutionError)
	ContainerID string `field:"container.id"` // Container ID
	TTYName string `field:"tty_name"` // Name of the TTY associated with the process
	Comm string `field:"comm"` // Comm attribute of the process
	// pid_cache_t
	ForkTime time.Time `field:"-"`
	ExitTime time.Time `field:"-"`
	ExecTime time.Time `field:"-"`
	CreatedAt uint64 `field:"created_at,ResolveProcessCreatedAt"` // Timestamp of the creation of the process
	Cookie uint32 `field:"cookie"` // Cookie of the process
	PPid uint32 `field:"ppid"` // Parent process ID
	// credentials_t section of pid_cache_t
	Credentials // uid/gid triplets and capability sets
	ArgsID uint32 `field:"-"`
	EnvsID uint32 `field:"-"`
	ArgsEntry *ArgsEntry `field:"-"` // cached arguments, reference counted
	EnvsEntry *EnvsEntry `field:"-"` // cached environment, reference counted
	EnvsTruncated bool `field:"-"`
	ArgsTruncated bool `field:"-"`
}
Process represents a process
func (*Process) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
type ProcessAncestorsIterator ¶
// ProcessAncestorsIterator defines an iterator of ancestors; it is the
// iterator named in ProcessContext.Ancestor's tag and is driven through
// Front/Next, which return unsafe.Pointers to the successive entries.
type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}
ProcessAncestorsIterator defines an iterator of ancestors
func (*ProcessAncestorsIterator) Front ¶
func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) unsafe.Pointer
Front returns the first element
func (*ProcessAncestorsIterator) Next ¶
func (it *ProcessAncestorsIterator) Next() unsafe.Pointer
Next returns the next element
type ProcessCacheEntry ¶
// ProcessCacheEntry holds the process context kept in the process tree. It
// is reference counted (Retain/Release) and linked to its parent through
// SetAncestor; Fork, Exec and Exit update the tree on those lifecycle events.
type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}
ProcessCacheEntry holds the process context kept in the process tree
func NewProcessCacheEntry ¶
func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry
NewProcessCacheEntry returns a new process cache entry
func (*ProcessCacheEntry) Exec ¶
func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)
Exec replaces a process
func (*ProcessCacheEntry) Exit ¶
func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
Exit marks the process as exited at exitTime
func (*ProcessCacheEntry) Fork ¶
func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)
Fork returns a copy of the current ProcessCacheEntry
func (*ProcessCacheEntry) Release ¶
func (e *ProcessCacheEntry) Release()
Release decrements the reference counter and eventually releases the entry
func (*ProcessCacheEntry) Retain ¶
func (e *ProcessCacheEntry) Retain()
Retain increments the reference counter
func (*ProcessCacheEntry) SetAncestor ¶
func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)
SetAncestor sets the ancestor
type ProcessContext ¶
// ProcessContext holds the process context of an event: the process itself
// and a link to its parent entry, which rules walk as process.ancestors via
// ProcessAncestorsIterator.
type ProcessContext struct {
	Process
	Ancestor *ProcessCacheEntry `field:"ancestors,,ProcessAncestorsIterator"` // nil when the parent is unknown — presumably; confirm
}
ProcessContext holds the process context of an event
func (*ProcessContext) UnmarshalBinary ¶
func (p *ProcessContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type RenameEvent ¶
// RenameEvent represents a rename event: Old is the source path and New the
// destination (exposed as file.destination).
type RenameEvent struct {
	SyscallEvent // Retval of the syscall
	Old FileEvent `field:"file"`
	New FileEvent `field:"file.destination"`
	DiscarderRevision uint32 `field:"-"` // internal discarder bookkeeping, not exposed to rules
}
RenameEvent represents a rename event
func (*RenameEvent) UnmarshalBinary ¶
func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type RetValError ¶
// RetValError represents a syscall return error value; String renders it
// (presumably as the errno name — confirm).
type RetValError int
RetValError represents a syscall return error value
func (RetValError) String ¶
func (f RetValError) String() string
type RmdirEvent ¶
// RmdirEvent represents a rmdir event.
type RmdirEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the removed directory
	DiscarderRevision uint32 `field:"-"` // internal discarder bookkeeping, not exposed to rules
}
RmdirEvent represents a rmdir event
func (*RmdirEvent) UnmarshalBinary ¶
func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SELinuxEvent ¶
// SELinuxEvent represents a selinux event. EventKind tells which of the
// SELinux*EventKind operations occurred and therefore which of the tagged
// fields is meaningful; File and EventKind themselves are not exposed to rules.
type SELinuxEvent struct {
	File FileEvent `field:"-"` // selinuxfs file the operation went through — presumably; confirm
	EventKind SELinuxEventKind `field:"-"` // one of the SELinux*EventKind constants
	BoolName string `field:"bool.name,ResolveSELinuxBoolName"` // SELinux boolean name
	BoolChangeValue string `field:"bool.state"` // SELinux boolean new value
	BoolCommitValue bool `field:"bool_commit.state"` // Indicator of a SELinux boolean commit operation
	EnforceStatus string `field:"enforce.status"` // SELinux enforcement status (one of "enforcing", "permissive", "disabled")
}
SELinuxEvent represents a selinux event
func (*SELinuxEvent) UnmarshalBinary ¶
func (e *SELinuxEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SELinuxEventKind ¶
// SELinuxEventKind represents the event kind for SELinux events; see the
// SELinux*EventKind constants.
type SELinuxEventKind uint32
SELinuxEventKind represents the event kind for SELinux events
// SELinux event kinds, stored in SELinuxEvent.EventKind.
const (
	// SELinuxBoolChangeEventKind represents SELinux boolean change events
	SELinuxBoolChangeEventKind SELinuxEventKind = iota
	// SELinuxStatusChangeEventKind represents SELinux status change events
	SELinuxStatusChangeEventKind
	// SELinuxBoolCommitEventKind represents SELinux boolean commit events
	SELinuxBoolCommitEventKind
)
type SetXAttrEvent ¶
// SetXAttrEvent represents an extended attributes event; it is used for
// both Event.SetXAttr and Event.RemoveXAttr. Namespace and Name are
// resolved lazily (ResolveXAttrNamespace / ResolveXAttrName), presumably
// from NameRaw — confirm.
type SetXAttrEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the file whose attribute changed
	Namespace string `field:"file.destination.namespace,ResolveXAttrNamespace"` // Namespace of the extended attribute
	Name string `field:"file.destination.name,ResolveXAttrName"` // Name of the extended attribute
	NameRaw [200]byte // raw attribute name as received from the kernel; not exposed to rules
}
SetXAttrEvent represents an extended attributes event
func (*SetXAttrEvent) UnmarshalBinary ¶
func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SetgidEvent ¶
// SetgidEvent represents a setgid event: the new real, effective and
// filesystem gids with their names resolved lazily by the tagged resolvers.
type SetgidEvent struct {
	GID uint32 `field:"gid"` // New GID of the process
	Group string `field:"group,ResolveSetgidGroup"` // New group of the process
	EGID uint32 `field:"egid"` // New effective GID of the process
	EGroup string `field:"egroup,ResolveSetgidEGroup"` // New effective group of the process
	FSGID uint32 `field:"fsgid"` // New FileSystem GID of the process
	FSGroup string `field:"fsgroup,ResolveSetgidFSGroup"` // New FileSystem group of the process
}
SetgidEvent represents a setgid event
func (*SetgidEvent) UnmarshalBinary ¶
func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SetuidEvent ¶
// SetuidEvent represents a setuid event: the new real, effective and
// filesystem uids with their names resolved lazily by the tagged resolvers.
type SetuidEvent struct {
	UID uint32 `field:"uid"` // New UID of the process
	User string `field:"user,ResolveSetuidUser"` // New user of the process
	EUID uint32 `field:"euid"` // New effective UID of the process
	EUser string `field:"euser,ResolveSetuidEUser"` // New effective user of the process
	FSUID uint32 `field:"fsuid"` // New FileSystem UID of the process
	FSUser string `field:"fsuser,ResolveSetuidFSUser"` // New FileSystem user of the process
}
SetuidEvent represents a setuid event
func (*SetuidEvent) UnmarshalBinary ¶
func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SpanContext ¶
SpanContext describes a span context
func (*SpanContext) UnmarshalBinary ¶
func (s *SpanContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SyscallEvent ¶
// SyscallEvent contains the fields common to all syscall-backed events;
// it is embedded by them. Retval is exposed to rules as retval (see
// RetValError for rendering an error value).
type SyscallEvent struct {
	Retval int64 `field:"retval"` // Return value of the syscall
}
SyscallEvent contains the fields common to all events
func (*SyscallEvent) UnmarshalBinary ¶
func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UmountEvent ¶
// UmountEvent represents an umount event. It is internal (Event.Umount is
// tagged field:"-") and carries only the id of the unmounted mount.
type UmountEvent struct {
	SyscallEvent // Retval of the syscall
	MountID uint32
}
UmountEvent represents an umount event
func (*UmountEvent) UnmarshalBinary ¶
func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UnlinkEvent ¶
// UnlinkEvent represents an unlink event. Flags holds the raw unlink flags
// (see UnlinkFlags.StringArray) and is not exposed to rules.
type UnlinkEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the deleted file
	Flags uint32 `field:"-"`
	DiscarderRevision uint32 `field:"-"` // internal discarder bookkeeping, not exposed to rules
}
UnlinkEvent represents an unlink event
func (*UnlinkEvent) UnmarshalBinary ¶
func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UnlinkFlags ¶
// UnlinkFlags represents an unlink flags bitmask value; String and
// StringArray render it as flag names.
type UnlinkFlags int
UnlinkFlags represents an unlink flags bitmask value
func (UnlinkFlags) String ¶
func (f UnlinkFlags) String() string
func (UnlinkFlags) StringArray ¶
func (f UnlinkFlags) StringArray() []string
StringArray returns the unlink flags as an array of strings
type UtimesEvent ¶
// UtimesEvent represents a utimes event. The requested access and
// modification times are kept for internal use only (tagged field:"-").
type UtimesEvent struct {
	SyscallEvent // Retval of the syscall
	File FileEvent `field:"file"` // the file whose times changed
	Atime time.Time `field:"-"` // requested access time
	Mtime time.Time `field:"-"` // requested modification time
}
UtimesEvent represents a utime event
func (*UtimesEvent) UnmarshalBinary ¶
func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself