Documentation
Overview ¶
Package audit audits violations by target containers and sends the resulting audit events to subscribers.
Index ¶
Constants ¶
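// Action flags. Each value occupies a distinct single bit (0x1, 0x2, 0x4), so
// the flags can be OR-combined and tested with a bitwise AND.
// NOTE(review): which event field carries these flags is not shown on this
// page — confirm against the package source before matching on them.
const (
	DeniedAction  = 0x00000001
	AuditAction   = 0x00000002
	AllowedAction = 0x00000004
)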
Variables ¶
This section is empty.
Functions ¶
func ParseProfileName ¶ added in v0.8.0
Types ¶
type AppArmorEvent ¶
// AppArmorEvent is the structured record type returned by ParseAppArmorEvent.
// Every field is exported and carries an explicit camelCase JSON key.
// NOTE(review): the field set appears to mirror libapparmor's aa_log_record —
// confirm against the parser.
// NOTE(review): the string fields are presumably copied from the audit log
// line; values such as Comm and Name can be influenced by the audited process,
// so treat them as untrusted when logging, rendering, or matching on them.
type AppArmorEvent struct {
	// Record metadata. NOTE(review): value ranges are not shown here.
	Version uint32 `json:"version"`
	Event uint32 `json:"event"`
	// Process identifiers. NOTE(review): presumably host-namespace PIDs as
	// written by the kernel, not container-local PIDs — confirm.
	PID uint64 `json:"pid"`
	PeerPID uint64 `json:"peerPID"`
	Task uint64 `json:"task"`
	MagicToken uint64 `json:"magicToken"`
	// Signed 64-bit timestamp. NOTE(review): presumably seconds since the Unix
	// epoch taken from the audit record header — confirm unit.
	Epoch int64 `json:"epoch"`
	AuditSubID uint32 `json:"auditSubID"`
	BitMask int32 `json:"bitMask"`
	AuditID string `json:"auditID"`
	// What was attempted and which permissions were involved.
	// NOTE(review): presumably the operation=, denied_mask= and
	// requested_mask= keys of the AppArmor record — confirm.
	Operation string `json:"operation"`
	DeniedMask string `json:"deniedMask"`
	RequestedMask string `json:"requestedMask"`
	Fsuid uint64 `json:"fsuid"`
	Ouid uint64 `json:"ouid"`
	// Profile names. NOTE(review): presumably the confining profile and, for
	// peer-mediated operations, the peer's profile — confirm.
	Profile string `json:"profile"`
	PeerProfile string `json:"peerProfile"`
	// Comm is the task's command name. NOTE(review): a process can change its
	// own comm, so do not use it as an identity or as an allow-list key.
	Comm string `json:"comm"`
	// NOTE(review): Name/Name2 presumably hold the object of the operation
	// (for example a path) and a second object where one exists — confirm.
	Name string `json:"name"`
	Name2 string `json:"name2"`
	Namespace string `json:"namespace"`
	Attribute string `json:"attribute"`
	Parent uint64 `json:"parent"`
	Info string `json:"info"`
	PeerInfo string `json:"peerInfo"`
	ErrorCode int32 `json:"errorCode"`
	ActiveHat string `json:"activeHat"`
	// Network-related fields. Addresses, family, protocol and socket type are
	// strings; the ports are unsigned integers.
	NetFamily string `json:"netFamily"`
	NetProtocol string `json:"netProtocol"`
	NetSockType string `json:"netSockType"`
	NetLocalAddr string `json:"netLocalAddr"`
	NetLocalPort uint64 `json:"netLocalPort"`
	NetForeignAddr string `json:"netForeignAddr"`
	NetForeignPort uint64 `json:"netForeignPort"`
	// D-Bus-related fields.
	DbusBus string `json:"dbusBus"`
	DbusPath string `json:"dbusPath"`
	DbusInterface string `json:"dbusInterface"`
	DbusMember string `json:"dbusMember"`
	Signal string `json:"signal"`
	Peer string `json:"peer"`
	// NOTE(review): FsType, Flags and SrcName presumably describe mount
	// operations — confirm.
	FsType string `json:"fsType"`
	Flags string `json:"flags"`
	SrcName string `json:"srcName"`
}
func ParseAppArmorEvent ¶ added in v0.7.0
func ParseAppArmorEvent(e string) (*AppArmorEvent, error)
type Auditor ¶
// Auditor is the type created by NewAuditor. Its three channel fields are
// exported; the rest of its state is unexported.
// The exported channels are bidirectional (chan T), so any code holding an
// *Auditor can send on, receive from, or close them.
// NOTE(review): which side is expected to send and which to receive is not
// shown on this page — confirm before using the channels directly.
type Auditor struct {
	// NOTE(review): presumably carries the ContainerInfo of a container whose
	// task has started — confirm.
	TaskStartCh chan varmortypes.ContainerInfo
	// NOTE(review): presumably carries the ContainerInfo of a container whose
	// task has been deleted — confirm.
	TaskDeleteCh chan varmortypes.ContainerInfo
	// NOTE(review): presumably used to acknowledge that a delete notification
	// has been processed; the meaning of true/false is not shown — confirm.
	TaskDeleteSyncCh chan bool
	// contains filtered or unexported fields
}
func NewAuditor ¶
func NewAuditor(nodeName string, appArmorSupported, bpfLsmSupported, enableBehaviorModeling bool, auditLogPaths string, auditEventMetadata map[string]interface{}, log logr.Logger) (*Auditor, error)
NewAuditor creates an Auditor that audits violations by target containers.
func (*Auditor) AddBehaviorEventNotifyChs ¶
func (auditor *Auditor) AddBehaviorEventNotifyChs(subscriber string, auditEventCh *chan string, bpfEventCh *chan BpfEvent)
AddBehaviorEventNotifyChs adds the audit event channel and the BPF event channel for the subscriber. The subscriber parameter is the name of the profile.
func (*Auditor) DeleteBehaviorEventNotifyCh ¶
DeleteBehaviorEventNotifyCh deletes the audit event channel and the BPF event channel for the subscriber. The subscriber parameter is the name of the profile.
type BpfCapabilityEvent ¶
type BpfEvent ¶ added in v0.9.0
// BpfEvent pairs a fixed header with an event-specific body and is the element
// type of the BPF event channel passed to AddBehaviorEventNotifyChs.
type BpfEvent struct {
	// Header is the part common to every event; its fields are declared on
	// BpfEventHeader.
	Header BpfEventHeader `json:"header"`
	// Body has no static type, so consumers must type-assert or type-switch
	// and handle an unexpected type explicitly rather than assuming one.
	// NOTE(review): presumably one of the Bpf*Event types of this package,
	// selected by information in Header — confirm.
	// After a JSON round trip, encoding/json decodes an interface{} field
	// into generic map/slice values, not back into the original struct.
	Body interface{} `json:"body"`
}
type BpfEventHeader ¶ added in v0.9.0
type BpfMountEvent ¶
type BpfNetworkEvent ¶ added in v0.9.0
// BpfNetworkEvent describes one network-related BPF event as two string
// fields plus a socket description and a socket address.
// NOTE(review): presumably used as the Body of a BpfEvent — confirm.
type BpfNetworkEvent struct {
	// NOTE(review): the set of possible Operation and Type strings is not
	// shown on this page; do not assume a closed set when matching on them.
	Operation string `json:"operation"`
	Type string `json:"type"`
	// Socket and Address use package types whose fields are declared on
	// BpfNetworkSocket and BpfNetworkSockAddr.
	Socket BpfNetworkSocket `json:"socket"`
	Address BpfNetworkSockAddr `json:"address"`
}
type BpfNetworkSockAddr ¶ added in v0.9.0
type BpfNetworkSocket ¶ added in v0.9.0
type BpfPathEvent ¶
type BpfPtraceEvent ¶
type SeccompEvent ¶ added in v0.7.0
// SeccompEvent is the structured record type returned by
// ParseSeccompAuditEvent. Every field carries an explicit JSON key.
// NOTE(review): the string fields are presumably copied from the audit log
// line — treat them as untrusted when logging, rendering, or matching on them.
type SeccompEvent struct {
	AuditID string `json:"auditID"`
	// Epoch is unsigned here, whereas AppArmorEvent.Epoch is int64; convert
	// explicitly when correlating the two event types.
	// NOTE(review): unit (presumably seconds) is not shown — confirm.
	Epoch uint64 `json:"epoch"`
	// NOTE(review): presumably the subj= security label of the audit record —
	// confirm.
	Subj string `json:"subj"`
	PID uint64 `json:"pid"`
	// Comm and Exe name the offending task. NOTE(review): a process can change
	// its own comm, so prefer Exe plus PID over Comm when attributing an event.
	Comm string `json:"comm"`
	Exe string `json:"exe"`
	// Syscall is a string. NOTE(review): whether it holds a syscall name or a
	// number rendered as text is not shown — confirm before comparing.
	Syscall string `json:"syscall"`
}
func ParseSeccompAuditEvent ¶ added in v0.7.0
func ParseSeccompAuditEvent(e string) (*SeccompEvent, error)