Versions in this module Expand all Collapse all v0 v0.9.0 Oct 20, 2021retracted Changes in this version
+ const AbnormalPathRuleID — linux/amd64
+ const DiscardInodeOp — linux/amd64
+ const DiscardPidOp — linux/amd64
+ const DiscardRetention — linux/amd64
+ const ERPCMaxDataSize — linux/amd64
+ const FIMCategory — linux/amd64
+ const KernelActivity — linux/amd64
+ const LostEventsRuleID — linux/amd64
+ const NoisyProcessRuleID — linux/amd64
+ const ProcessActivity — linux/amd64
+ const RegisterSpanTLSOP — linux/amd64
+ const ResolveParentOp — linux/amd64
+ const ResolvePathOp — linux/amd64
+ const ResolveSegmentOp — linux/amd64
+ const RulesetLoadedRuleID — linux/amd64
+ const SELinuxStatusDisableKey — linux/amd64
+ const SELinuxStatusEnforceKey — linux/amd64
+ const ServiceEnvVar — linux/amd64
+ var DiscarderConstants = []manager.ConstantEditor — linux/amd64
+ var ErrEntryNotFound = errors.New("entry not found") — linux/amd64
+ var ErrMountNotFound = errors.New("unknown mount ID") — linux/amd64
+ var InvalidDiscarders = map[eval.Field][]interface — linux/amd64
+ var SupportedDiscarders = make(map[eval.Field]bool) — linux/amd64
+ func AllCustomRuleIDs() []string — linux/amd64
+ func ExtractEventInfo(data []byte) (uint64, uint64, error) — linux/amd64
+ func GetCapababilities() map[eval.EventType]rules.FieldCapabilities — linux/amd64
+ func IsFakeInode(inode uint64) bool — linux/amd64
+ func TTYConstants(probe *Probe) []manager.ConstantEditor — linux/amd64
+ type AbnormalPathEvent struct — linux/amd64
+ Event *EventSerializer
+ PathResolutionError string
+ Timestamp time.Time
+ func (v *AbnormalPathEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *AbnormalPathEvent) UnmarshalJSON(data []byte) error
+ func (v AbnormalPathEvent) MarshalEasyJSON(w *jwriter.Writer)
+ func (v AbnormalPathEvent) MarshalJSON() ([]byte, error)
+ type ArgsEnvsPool struct — linux/amd64
+ func NewArgsEnvsPool() *ArgsEnvsPool
+ func (a *ArgsEnvsPool) Get() *model.ArgsEnvsCacheEntry
+ func (a *ArgsEnvsPool) GetFrom(event *model.ArgsEnvsEvent) *model.ArgsEnvsCacheEntry
+ func (a *ArgsEnvsPool) Put(entry *model.ArgsEnvsCacheEntry)
+ type Capabilities map[eval.Field]Capability — linux/amd64
+ func (caps Capabilities) GetFieldCapabilities() rules.FieldCapabilities
+ func (caps Capabilities) GetFields() []eval.Field
+ func (caps Capabilities) GetFlags() PolicyFlag
+ type Capability struct — linux/amd64
+ FieldValueTypes eval.FieldValueType
+ PolicyFlags PolicyFlag
+ ValidateFnc func(value rules.FilterValue) bool
+ type CapsetSerializer struct — linux/amd64
+ CapEffective JStringArray
+ CapPermitted JStringArray
+ func (v *CapsetSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *CapsetSerializer) UnmarshalJSON(data []byte) error
+ func (v CapsetSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v CapsetSerializer) MarshalJSON() ([]byte, error)
+ type ContainerContextSerializer struct — linux/amd64
+ ID string
+ func (v *ContainerContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *ContainerContextSerializer) UnmarshalJSON(data []byte) error
+ func (v ContainerContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v ContainerContextSerializer) MarshalJSON() ([]byte, error)
+ type ContainerResolver struct — linux/amd64
+ func (cr *ContainerResolver) GetContainerID(pid uint32) (utils.ContainerID, error)
+ type CredentialsSerializer struct — linux/amd64
+ CapEffective JStringArray
+ CapPermitted JStringArray
+ EGID int
+ EGroup string
+ EUID int
+ EUser string
+ FSGID int
+ FSGroup string
+ FSUID int
+ FSUser string
+ GID int
+ Group string
+ UID int
+ User string
+ func (v *CredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *CredentialsSerializer) UnmarshalJSON(data []byte) error
+ func (v CredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v CredentialsSerializer) MarshalJSON() ([]byte, error)
+ type CustomEvent struct — linux/amd64
+ func NewAbnormalPathEvent(event *Event, pathResolutionError error) (*rules.Rule, *CustomEvent)
+ func NewEventLostReadEvent(mapName string, lost float64) (*rules.Rule, *CustomEvent)
+ func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *CustomEvent)
+ func NewNoisyProcessEvent(count uint64, threshold int64, controlPeriod time.Duration, ...) (*rules.Rule, *CustomEvent)
+ func NewRuleSetLoadedEvent(rs *rules.RuleSet, err *multierror.Error) (*rules.Rule, *CustomEvent)
+ func (ce *CustomEvent) Clone() CustomEvent
+ func (ce *CustomEvent) GetEventType() model.EventType
+ func (ce *CustomEvent) GetTags() []string
+ func (ce *CustomEvent) GetType() string
+ func (ce *CustomEvent) MarshalJSON() ([]byte, error)
+ func (ce *CustomEvent) String() string
+ type DDContextSerializer struct — linux/amd64
+ SpanID uint64
+ TraceID uint64
+ func (v *DDContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *DDContextSerializer) UnmarshalJSON(data []byte) error
+ func (v DDContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v DDContextSerializer) MarshalJSON() ([]byte, error)
+ type DentryResolver struct — linux/amd64
+ func NewDentryResolver(probe *Probe) (*DentryResolver, error)
+ func (dr *DentryResolver) BumpCacheGenerations()
+ func (dr *DentryResolver) Close() error
+ func (dr *DentryResolver) DelCacheEntries(mountID uint32)
+ func (dr *DentryResolver) DelCacheEntry(mountID uint32, inode uint64)
+ func (dr *DentryResolver) GetName(mountID uint32, inode uint64, pathID uint32) string
+ func (dr *DentryResolver) GetNameFromERPC(mountID uint32, inode uint64, pathID uint32) (string, error)
+ func (dr *DentryResolver) GetNameFromMap(mountID uint32, inode uint64, pathID uint32) (string, error)
+ func (dr *DentryResolver) GetParent(mountID uint32, inode uint64, pathID uint32) (uint32, uint64, error)
+ func (dr *DentryResolver) Resolve(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
+ func (dr *DentryResolver) ResolveFromCache(mountID uint32, inode uint64) (string, error)
+ func (dr *DentryResolver) ResolveFromERPC(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
+ func (dr *DentryResolver) ResolveFromMap(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
+ func (dr *DentryResolver) SendStats() error
+ func (dr *DentryResolver) Start(probe *Probe) error
+ type Discarder struct — linux/amd64
+ Field eval.Field
+ type ERPC struct — linux/amd64
+ func NewERPC() (*ERPC, error)
+ func (k *ERPC) Request(req *ERPCRequest) error
+ type ERPCRequest struct — linux/amd64
+ Data [ERPCMaxDataSize]byte
+ OP uint8
+ type ErrDentryPathKeyNotFound struct — linux/amd64
+ func (err ErrDentryPathKeyNotFound) Error() string
+ type ErrDiscarderNotSupported struct — linux/amd64
+ Field string
+ func (e ErrDiscarderNotSupported) Error() string
+ type ErrERPCRequestNotProcessed struct — linux/amd64
+ func (err ErrERPCRequestNotProcessed) Error() string
+ type ErrERPCResolution struct — linux/amd64
+ func (err ErrERPCResolution) Error() string
+ type ErrInvalidKeyPath struct — linux/amd64
+ Inode uint64
+ MountID uint32
+ func (e *ErrInvalidKeyPath) Error() string
+ type ErrKernelMapResolution struct — linux/amd64
+ func (err ErrKernelMapResolution) Error() string
+ type ErrTruncatedParents struct — linux/amd64
+ func (err ErrTruncatedParents) Error() string
+ type ErrTruncatedParentsERPC struct — linux/amd64
+ func (err ErrTruncatedParentsERPC) Error() string
+ type Event struct — linux/amd64
+ func NewEvent(resolvers *Resolvers, scrubber *pconfig.DataScrubber) *Event
+ func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
+ func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
+ func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)
+ func (e *Event) GetFields() []eval.Field
+ func (e *Event) SetFieldValue(field eval.Field, value interface{}) error
+ func (ev *Event) GetPathResolutionError() error
+ func (ev *Event) GetProcessServiceTag() string
+ func (ev *Event) MarshalJSON() ([]byte, error)
+ func (ev *Event) Release()
+ func (ev *Event) ResolveChownGID(e *model.ChownEvent) string
+ func (ev *Event) ResolveChownUID(e *model.ChownEvent) string
+ func (ev *Event) ResolveContainerID(e *model.ContainerContext) string
+ func (ev *Event) ResolveContainerTags(e *model.ContainerContext) []string
+ func (ev *Event) ResolveEventTimestamp() time.Time
+ func (ev *Event) ResolveExecArgs(e *model.ExecEvent) string
+ func (ev *Event) ResolveExecArgsFlags(e *model.ExecEvent) (flags []string)
+ func (ev *Event) ResolveExecArgsOptions(e *model.ExecEvent) (options []string)
+ func (ev *Event) ResolveExecArgsTruncated(e *model.ExecEvent) bool
+ func (ev *Event) ResolveExecArgv(e *model.ExecEvent) []string
+ func (ev *Event) ResolveExecEnvs(e *model.ExecEvent) []string
+ func (ev *Event) ResolveExecEnvsTruncated(e *model.ExecEvent) bool
+ func (ev *Event) ResolveFileBasename(f *model.FileEvent) string
+ func (ev *Event) ResolveFileFieldsGroup(e *model.FileFields) string
+ func (ev *Event) ResolveFileFieldsInUpperLayer(f *model.FileFields) bool
+ func (ev *Event) ResolveFileFieldsUser(e *model.FileFields) string
+ func (ev *Event) ResolveFileFilesystem(f *model.FileEvent) string
+ func (ev *Event) ResolveFilePath(f *model.FileEvent) string
+ func (ev *Event) ResolveMountPoint(e *model.MountEvent) string
+ func (ev *Event) ResolveMountRoot(e *model.MountEvent) string
+ func (ev *Event) ResolveProcessCacheEntry() *model.ProcessCacheEntry
+ func (ev *Event) ResolveProcessCreatedAt(e *model.Process) uint64
+ func (ev *Event) ResolveRights(e *model.FileFields) int
+ func (ev *Event) ResolveSELinuxBoolName(e *model.SELinuxEvent) string
+ func (ev *Event) ResolveSetgidEGroup(e *model.SetgidEvent) string
+ func (ev *Event) ResolveSetgidFSGroup(e *model.SetgidEvent) string
+ func (ev *Event) ResolveSetgidGroup(e *model.SetgidEvent) string
+ func (ev *Event) ResolveSetuidEUser(e *model.SetuidEvent) string
+ func (ev *Event) ResolveSetuidFSUser(e *model.SetuidEvent) string
+ func (ev *Event) ResolveSetuidUser(e *model.SetuidEvent) string
+ func (ev *Event) ResolveXAttrName(e *model.SetXAttrEvent) string
+ func (ev *Event) ResolveXAttrNamespace(e *model.SetXAttrEvent) string
+ func (ev *Event) Retain() Event
+ func (ev *Event) SetMountPoint(e *model.MountEvent)
+ func (ev *Event) SetMountRoot(e *model.MountEvent)
+ func (ev *Event) SetPathResolutionError(err error)
+ func (ev *Event) String() string
+ func (ev *Event) UnmarshalProcess(data []byte) (int, error)
+ type EventContextSerializer struct — linux/amd64
+ Category string
+ Name string
+ Outcome string
+ func (v *EventContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *EventContextSerializer) UnmarshalJSON(data []byte) error
+ func (v EventContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v EventContextSerializer) MarshalJSON() ([]byte, error)
+ type EventHandler interface — linux/amd64
+ HandleCustomEvent func(rule *rules.Rule, event *CustomEvent)
+ HandleEvent func(event *Event)
+ type EventLostRead struct — linux/amd64
+ Lost float64
+ Name string
+ Timestamp time.Time
+ func (v *EventLostRead) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *EventLostRead) UnmarshalJSON(data []byte) error
+ func (v EventLostRead) MarshalEasyJSON(w *jwriter.Writer)
+ func (v EventLostRead) MarshalJSON() ([]byte, error)
+ type EventLostWrite struct — linux/amd64
+ Lost map[string]uint64
+ Name string
+ Timestamp time.Time
+ func (v *EventLostWrite) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *EventLostWrite) UnmarshalJSON(data []byte) error
+ func (v EventLostWrite) MarshalEasyJSON(w *jwriter.Writer)
+ func (v EventLostWrite) MarshalJSON() ([]byte, error)
+ type EventSerializer struct — linux/amd64
+ ContainerContextSerializer *ContainerContextSerializer
+ DDContextSerializer *DDContextSerializer
+ Date time.Time
+ ProcessContextSerializer *ProcessContextSerializer
+ UserContextSerializer UserContextSerializer
+ func NewEventSerializer(event *Event) *EventSerializer
+ func (v *EventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *EventSerializer) UnmarshalJSON(data []byte) error
+ func (v EventSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v EventSerializer) MarshalJSON() ([]byte, error)
+ type FileEventSerializer struct — linux/amd64
+ Destination *FileSerializer
+ Device uint32
+ FSType string
+ GroupID uint32
+ NewMountID uint32
+ func (v *FileEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *FileEventSerializer) UnmarshalJSON(data []byte) error
+ func (v FileEventSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v FileEventSerializer) MarshalJSON() ([]byte, error)
+ type FileSerializer struct — linux/amd64
+ Atime *time.Time
+ Ctime *time.Time
+ Filesystem string
+ Flags []string
+ GID uint32
+ Group string
+ InUpperLayer *bool
+ Inode *uint64
+ Mode *uint32
+ MountID *uint32
+ Mtime *time.Time
+ Name string
+ Path string
+ PathResolutionError string
+ UID uint32
+ User string
+ XAttrName string
+ XAttrNamespace string
+ func (v *FileSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *FileSerializer) UnmarshalJSON(data []byte) error
+ func (v FileSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v FileSerializer) MarshalJSON() ([]byte, error)
+ type FilterPolicy struct — linux/amd64
+ Flags PolicyFlag
+ Mode PolicyMode
+ func (f *FilterPolicy) Bytes() ([]byte, error)
+ type JStringArray []string — linux/amd64
+ func (j *JStringArray) MarshalJSON() ([]byte, error)
+ type LoadController struct — linux/amd64
+ ControllerPeriod time.Duration
+ DiscarderTimeout time.Duration
+ EventsCountThreshold int64
+ func NewLoadController(probe *Probe, statsdClient *statsd.Client) (*LoadController, error)
+ func (lc *LoadController) Count(event *Event)
+ func (lc *LoadController) GenericCount(event *Event)
+ func (lc *LoadController) SendStats() error
+ func (lc *LoadController) Start(ctx context.Context, wg *sync.WaitGroup)
+ type Model struct — linux/amd64
+ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)
+ func (m *Model) GetEventTypes() []eval.EventType
+ func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)
+ func (m *Model) NewEvent() eval.Event
+ type Monitor struct — linux/amd64
+ func NewMonitor(p *Probe, client *statsd.Client) (*Monitor, error)
+ func (m *Monitor) GetPerfBufferMonitor() *PerfBufferMonitor
+ func (m *Monitor) GetStats() (map[string]interface{}, error)
+ func (m *Monitor) PrepareRuleSetLoadedReport(ruleSet *rules.RuleSet, err *multierror.Error) RuleSetLoadedReport
+ func (m *Monitor) ProcessEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)
+ func (m *Monitor) ProcessLostEvent(count uint64, cpu int, perfMap *manager.PerfMap)
+ func (m *Monitor) ReportRuleSetLoaded(report RuleSetLoadedReport)
+ func (m *Monitor) SendStats() error
+ func (m *Monitor) Start(ctx context.Context, wg *sync.WaitGroup) error
+ type MountResolver struct — linux/amd64
+ func NewMountResolver(probe *Probe) *MountResolver
+ func (mr *MountResolver) Delete(mountID uint32) error
+ func (mr *MountResolver) GetFilesystem(mountID uint32) string
+ func (mr *MountResolver) GetMountPath(mountID uint32) (string, string, string, error)
+ func (mr *MountResolver) Insert(e model.MountEvent) error
+ func (mr *MountResolver) IsOverlayFS(mountID uint32) bool
+ func (mr *MountResolver) Start(ctx context.Context)
+ func (mr *MountResolver) SyncCache(proc *process.Process) error
+ type NoisyProcessEvent struct — linux/amd64
+ ControlPeriod time.Duration
+ Count uint64
+ DiscardedUntil time.Time
+ Process *ProcessContextSerializer
+ Threshold int64
+ Timestamp time.Time
+ func (v *NoisyProcessEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *NoisyProcessEvent) UnmarshalJSON(data []byte) error
+ func (v NoisyProcessEvent) MarshalEasyJSON(w *jwriter.Writer)
+ func (v NoisyProcessEvent) MarshalJSON() ([]byte, error)
+ type PathEntry struct — linux/amd64
+ Generation uint64
+ Name string
+ Parent PathKey
+ type PathKey struct — linux/amd64
+ Inode uint64
+ MountID uint32
+ PathID uint32
+ func (p *PathKey) IsNull() bool
+ func (p *PathKey) MarshalBinary() ([]byte, error)
+ func (p *PathKey) String() string
+ func (p *PathKey) Write(buffer []byte)
+ type PathLeaf struct — linux/amd64
+ Len uint16
+ Name [model.MaxSegmentLength + 1]byte
+ Parent PathKey
+ func (pv *PathLeaf) GetName() string
+ type PerfBufferMonitor struct — linux/amd64
+ func NewPerfBufferMonitor(p *Probe, client *statsd.Client) (*PerfBufferMonitor, error)
+ func (pbm *PerfBufferMonitor) CountEvent(eventType model.EventType, timestamp uint64, count uint64, size uint64, ...)
+ func (pbm *PerfBufferMonitor) CountLostEvent(count uint64, m *manager.PerfMap, cpu int)
+ func (pbm *PerfBufferMonitor) GetAndResetKernelLostCount(perfMap string, cpu int, evtTypes ...model.EventType) uint64
+ func (pbm *PerfBufferMonitor) GetAndResetLostCount(perfMap string, cpu int) uint64
+ func (pbm *PerfBufferMonitor) GetEventStats(eventType model.EventType, perfMap string, cpu int) PerfMapStats
+ func (pbm *PerfBufferMonitor) GetLostCount(perfMap string, cpu int) uint64
+ func (pbm *PerfBufferMonitor) SendStats() error
+ type PerfMapStats struct — linux/amd64
+ Bytes uint64
+ Count uint64
+ Lost uint64
+ func (s *PerfMapStats) UnmarshalBinary(data []byte) error
+ type PoliciesIgnored struct — linux/amd64
+ Errors *multierror.Error
+ func (r *PoliciesIgnored) MarshalJSON() ([]byte, error)
+ func (r *PoliciesIgnored) UnmarshalJSON(data []byte) error
+ type PolicyFlag uint8 — linux/amd64
+ const BasenameFilterSize
+ const PolicyFlagBasename
+ const PolicyFlagFlags
+ const PolicyFlagMode
+ func (f PolicyFlag) MarshalJSON() ([]byte, error)
+ type PolicyLoaded struct — linux/amd64
+ RulesIgnored []*RuleIgnored
+ RulesLoaded []*RuleLoaded
+ Version string
+ func (v *PolicyLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *PolicyLoaded) UnmarshalJSON(data []byte) error
+ func (v PolicyLoaded) MarshalEasyJSON(w *jwriter.Writer)
+ func (v PolicyLoaded) MarshalJSON() ([]byte, error)
+ type PolicyMode uint8 — linux/amd64
+ const PolicyModeAccept
+ const PolicyModeDeny
+ const PolicyModeNoFilter
+ func (m PolicyMode) MarshalJSON() ([]byte, error)
+ func (m PolicyMode) String() string
+ type PolicyReport struct — linux/amd64
+ Approvers rules.Approvers
+ Flags PolicyFlag
+ Mode PolicyMode
+ type Probe struct — linux/amd64
+ func NewProbe(config *config.Config, client *statsd.Client) (*Probe, error)
+ func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
+ func (p *Probe) Close() error
+ func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *CustomEvent)
+ func (p *Probe) DispatchEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)
+ func (p *Probe) FlushDiscarders() error
+ func (p *Probe) GetDebugStats() map[string]interface{}
+ func (p *Probe) GetMonitor() *Monitor
+ func (p *Probe) GetResolvers() *Resolvers
+ func (p *Probe) Init(client *statsd.Client) error
+ func (p *Probe) Map(name string) (*lib.Map, error)
+ func (p *Probe) NewRuleSet(opts *rules.Opts) *rules.RuleSet
+ func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, event *Event, field eval.Field, eventType eval.EventType) error
+ func (p *Probe) OnRuleMatch(rule *rules.Rule, event *Event)
+ func (p *Probe) SelectProbes(rs *rules.RuleSet) error
+ func (p *Probe) SendStats() error
+ func (p *Probe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error
+ func (p *Probe) SetEventHandler(handler EventHandler)
+ func (p *Probe) Snapshot() error
+ func (p *Probe) Start() error
+ func (p *Probe) VerifyOSVersion() error
+ type ProcessCacheEntryPool struct — linux/amd64
+ func NewProcessCacheEntryPool(p *ProcessResolver) *ProcessCacheEntryPool
+ func (p *ProcessCacheEntryPool) Get() *model.ProcessCacheEntry
+ func (p *ProcessCacheEntryPool) Put(pce *model.ProcessCacheEntry)
+ type ProcessCacheEntrySerializer struct — linux/amd64
+ Args []string
+ ArgsTruncated bool
+ Comm string
+ Container *ContainerContextSerializer
+ Credentials *ProcessCredentialsSerializer
+ Envs []string
+ EnvsTruncated bool
+ ExecTime *time.Time
+ Executable *FileSerializer
+ ExitTime *time.Time
+ ForkTime *time.Time
+ GID int
+ Group string
+ PPid uint32
+ PathResolutionError string
+ Pid uint32
+ TTY string
+ Tid uint32
+ UID int
+ User string
+ func (v *ProcessCacheEntrySerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *ProcessCacheEntrySerializer) UnmarshalJSON(data []byte) error
+ func (v ProcessCacheEntrySerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v ProcessCacheEntrySerializer) MarshalJSON() ([]byte, error)
+ type ProcessContextSerializer struct — linux/amd64
+ Ancestors []*ProcessCacheEntrySerializer
+ Parent *ProcessCacheEntrySerializer
+ func (v *ProcessContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *ProcessContextSerializer) UnmarshalJSON(data []byte) error
+ func (v ProcessContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v ProcessContextSerializer) MarshalJSON() ([]byte, error)
+ type ProcessCredentialsSerializer struct — linux/amd64
+ Destination interface{}
+ func (v *ProcessCredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *ProcessCredentialsSerializer) UnmarshalJSON(data []byte) error
+ func (v ProcessCredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v ProcessCredentialsSerializer) MarshalJSON() ([]byte, error)
+ type ProcessPath struct — linux/amd64
+ Path string
+ PathRaw [256]byte
+ func (p *ProcessPath) IsEmpty() bool
+ func (p *ProcessPath) UnmarshalBinary(data []byte) error
+ type ProcessResolver struct — linux/amd64
+ func NewProcessResolver(probe *Probe, resolvers *Resolvers, client *statsd.Client, ...) (*ProcessResolver, error)
+ func (p *ProcessResolver) AddExecEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
+ func (p *ProcessResolver) AddForkEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
+ func (p *ProcessResolver) ApplyBootTime(entry *model.ProcessCacheEntry)
+ func (p *ProcessResolver) DeleteEntry(pid uint32, exitTime time.Time)
+ func (p *ProcessResolver) DequeueExited()
+ func (p *ProcessResolver) Dump() (string, error)
+ func (p *ProcessResolver) Get(pid uint32) *model.ProcessCacheEntry
+ func (p *ProcessResolver) GetCacheSize() float64
+ func (p *ProcessResolver) GetEntryCacheSize() float64
+ func (p *ProcessResolver) GetProcessArgv(pr *model.Process) ([]string, bool)
+ func (p *ProcessResolver) GetProcessEnvs(pr *model.Process) (map[string]string, bool)
+ func (p *ProcessResolver) NewProcessCacheEntry() *model.ProcessCacheEntry
+ func (p *ProcessResolver) Resolve(pid, tid uint32) *model.ProcessCacheEntry
+ func (p *ProcessResolver) SendStats() error
+ func (p *ProcessResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
+ func (p *ProcessResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
+ func (p *ProcessResolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) string
+ func (p *ProcessResolver) SetProcessPath(entry *model.ProcessCacheEntry) (string, error)
+ func (p *ProcessResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string
+ func (p *ProcessResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)
+ func (p *ProcessResolver) SetState(state int64)
+ func (p *ProcessResolver) Start(ctx context.Context) error
+ func (p *ProcessResolver) SyncCache(proc *process.Process) bool
+ func (p *ProcessResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
+ func (p *ProcessResolver) UpdateCapset(pid uint32, e *Event)
+ func (p *ProcessResolver) UpdateGID(pid uint32, e *Event)
+ func (p *ProcessResolver) UpdateUID(pid uint32, e *Event)
+ type ProcessResolverOpts struct — linux/amd64
+ func NewProcessResolverOpts(cookieCacheSize int) ProcessResolverOpts
+ type ProcessSyscall struct — linux/amd64
+ ID uint32
+ Pid uint32
+ Process string
+ func (p *ProcessSyscall) IsNull() bool
+ func (p *ProcessSyscall) UnmarshalBinary(data []byte) error
+ type ReOrderer struct — linux/amd64
+ Metrics chan ReOrdererMetric
+ func NewReOrderer(ctx context.Context, handler func(cpu uint64, data []byte), ...) *ReOrderer
+ func (r *ReOrderer) HandleEvent(CPU int, data []byte, perfMap *manager.PerfMap, manager *manager.Manager)
+ func (r *ReOrderer) Start(wg *sync.WaitGroup)
+ type ReOrdererMetric struct — linux/amd64
+ QueueSize uint64
+ TotalDepth uint64
+ TotalOp uint64
+ type ReOrdererOpts struct — linux/amd64
+ MetricRate time.Duration
+ QueueSize uint64
+ Rate time.Duration
+ Retention uint64
+ type ReordererMonitor struct — linux/amd64
+ func NewReOrderMonitor(p *Probe, client *statsd.Client) (*ReordererMonitor, error)
+ func (r *ReordererMonitor) Start(ctx context.Context, wg *sync.WaitGroup)
+ type Report struct — linux/amd64
+ Policies map[string]*PolicyReport
+ func NewReport() *Report
+ type Reporter struct — linux/amd64
+ func NewReporter() *Reporter
+ func (r *Reporter) GetReport() *Report
+ func (r *Reporter) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error
+ func (r *Reporter) SetFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
+ type Resolvers struct — linux/amd64
+ ContainerResolver *ContainerResolver
+ DentryResolver *DentryResolver
+ MountResolver *MountResolver
+ ProcessResolver *ProcessResolver
+ TagsResolver *TagsResolver
+ TimeResolver *TimeResolver
+ UserGroupResolver *UserGroupResolver
+ func NewResolvers(config *config.Config, probe *Probe) (*Resolvers, error)
+ func (r *Resolvers) Close() error
+ func (r *Resolvers) ResolveCredentialsEGroup(e *model.Credentials) string
+ func (r *Resolvers) ResolveCredentialsEUser(e *model.Credentials) string
+ func (r *Resolvers) ResolveCredentialsFSGroup(e *model.Credentials) string
+ func (r *Resolvers) ResolveCredentialsFSUser(e *model.Credentials) string
+ func (r *Resolvers) ResolveCredentialsGroup(e *model.Credentials) string
+ func (r *Resolvers) ResolveCredentialsUser(e *model.Credentials) string
+ func (r *Resolvers) ResolveFileFieldsGroup(e *model.FileFields) string
+ func (r *Resolvers) ResolveFileFieldsUser(e *model.FileFields) string
+ func (r *Resolvers) Snapshot() error
+ func (r *Resolvers) Start(ctx context.Context) error
+ type RuleIgnored struct — linux/amd64
+ Expression string
+ ID string
+ Reason string
+ Version string
+ func (v *RuleIgnored) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *RuleIgnored) UnmarshalJSON(data []byte) error
+ func (v RuleIgnored) MarshalEasyJSON(w *jwriter.Writer)
+ func (v RuleIgnored) MarshalJSON() ([]byte, error)
+ type RuleLoaded struct — linux/amd64
+ Expression string
+ ID string
+ Version string
+ func (v *RuleLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *RuleLoaded) UnmarshalJSON(data []byte) error
+ func (v RuleLoaded) MarshalEasyJSON(w *jwriter.Writer)
+ func (v RuleLoaded) MarshalJSON() ([]byte, error)
+ type RuleSetApplier struct — linux/amd64
+ func NewRuleSetApplier(cfg *config.Config, probe *Probe) *RuleSetApplier
+ func (rsa *RuleSetApplier) Apply(rs *rules.RuleSet, approvers map[eval.EventType]rules.Approvers) (*Report, error)
+ type RuleSetLoadedReport struct — linux/amd64
+ Event *CustomEvent
+ Rule *rules.Rule
+ type RulesetLoadedEvent struct — linux/amd64
+ MacrosLoaded []rules.MacroID
+ PoliciesIgnored *PoliciesIgnored
+ PoliciesLoaded []*PolicyLoaded
+ Timestamp time.Time
+ func (v *RulesetLoadedEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *RulesetLoadedEvent) UnmarshalJSON(data []byte) error
+ func (v RulesetLoadedEvent) MarshalEasyJSON(w *jwriter.Writer)
+ func (v RulesetLoadedEvent) MarshalJSON() ([]byte, error)
+ type SELinuxEventSerializer struct — linux/amd64
+ BoolChange *selinuxBoolChangeSerializer
+ BoolCommit *selinuxBoolCommitSerializer
+ EnforceStatus *selinuxEnforceStatusSerializer
+ func (v *SELinuxEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *SELinuxEventSerializer) UnmarshalJSON(data []byte) error
+ func (v SELinuxEventSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v SELinuxEventSerializer) MarshalJSON() ([]byte, error)
+ type SetgidSerializer struct — linux/amd64
+ EGID int
+ EGroup string
+ FSGID int
+ FSGroup string
+ GID int
+ Group string
+ func (v *SetgidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *SetgidSerializer) UnmarshalJSON(data []byte) error
+ func (v SetgidSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v SetgidSerializer) MarshalJSON() ([]byte, error)
+ type SetuidSerializer struct — linux/amd64
+ EUID int
+ EUser string
+ FSUID int
+ FSUser string
+ UID int
+ User string
+ func (v *SetuidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
+ func (v *SetuidSerializer) UnmarshalJSON(data []byte) error
+ func (v SetuidSerializer) MarshalEasyJSON(w *jwriter.Writer)
+ func (v SetuidSerializer) MarshalJSON() ([]byte, error)
+ type Syscall int — linux/amd64
+ const SysAccept
+ const SysAccept4
+ const SysAccess
+ const SysAcct
+ const SysAddKey
+ const SysAdjtimex
+ const SysAfsSyscall
+ const SysAlarm
+ const SysArchPrctl
+ const SysBind
+ const SysBpf
+ const SysBrk
+ const SysCapget
+ const SysCapset
+ const SysChdir
+ const SysChmod
+ const SysChown
+ const SysChroot
+ const SysClockAdjtime
+ const SysClockGetres
+ const SysClockGettime
+ const SysClockNanosleep
+ const SysClockSettime
+ const SysClone
+ const SysClone3
+ const SysClose
+ const SysCloseRange
+ const SysConnect
+ const SysCopyFileRange
+ const SysCreat
+ const SysCreateModule
+ const SysDeleteModule
+ const SysDup
+ const SysDup2
+ const SysDup3
+ const SysEpollCreate
+ const SysEpollCreate1
+ const SysEpollCtl
+ const SysEpollCtlOld
+ const SysEpollPwait
+ const SysEpollPwait2
+ const SysEpollWait
+ const SysEpollWaitOld
+ const SysEventfd
+ const SysEventfd2
+ const SysExecve
+ const SysExecveat
+ const SysExit
+ const SysExitGroup
+ const SysFaccessat
+ const SysFaccessat2
+ const SysFadvise64
+ const SysFallocate
+ const SysFanotifyInit
+ const SysFanotifyMark
+ const SysFchdir
+ const SysFchmod
+ const SysFchmodat
+ const SysFchown
+ const SysFchownat
+ const SysFcntl
+ const SysFdatasync
+ const SysFgetxattr
+ const SysFinitModule
+ const SysFlistxattr
+ const SysFlock
+ const SysFork
+ const SysFremovexattr
+ const SysFsconfig
+ const SysFsetxattr
+ const SysFsmount
+ const SysFsopen
+ const SysFspick
+ const SysFstat
+ const SysFstatfs
+ const SysFsync
+ const SysFtruncate
+ const SysFutex
+ const SysFutimesat
+ const SysGetKernelSyms
+ const SysGetMempolicy
+ const SysGetRobustList
+ const SysGetThreadArea
+ const SysGetcpu
+ const SysGetcwd
+ const SysGetdents
+ const SysGetdents64
+ const SysGetegid
+ const SysGeteuid
+ const SysGetgid
+ const SysGetgroups
+ const SysGetitimer
+ const SysGetpeername
+ const SysGetpgid
+ const SysGetpgrp
+ const SysGetpid
+ const SysGetpmsg
+ const SysGetppid
+ const SysGetpriority
+ const SysGetrandom
+ const SysGetresgid
+ const SysGetresuid
+ const SysGetrlimit
+ const SysGetrusage
+ const SysGetsid
+ const SysGetsockname
+ const SysGetsockopt
+ const SysGettid
+ const SysGettimeofday
+ const SysGetuid
+ const SysGetxattr
+ const SysInitModule
+ const SysInotifyAddWatch
+ const SysInotifyInit
+ const SysInotifyInit1
+ const SysInotifyRmWatch
+ const SysIoCancel
+ const SysIoDestroy
+ const SysIoGetevents
+ const SysIoPgetevents
+ const SysIoSetup
+ const SysIoSubmit
+ const SysIoUringEnter
+ const SysIoUringRegister
+ const SysIoUringSetup
+ const SysIoctl
+ const SysIoperm
+ const SysIopl
+ const SysIoprioGet
+ const SysIoprioSet
+ const SysKcmp
+ const SysKexecFileLoad
+ const SysKexecLoad
+ const SysKeyctl
+ const SysKill
+ const SysLandlockAddRule
+ const SysLandlockCreateRuleset
+ const SysLandlockRestrictSelf
+ const SysLchown
+ const SysLgetxattr
+ const SysLink
+ const SysLinkat
+ const SysListen
+ const SysListxattr
+ const SysLlistxattr
+ const SysLookupDcookie
+ const SysLremovexattr
+ const SysLseek
+ const SysLsetxattr
+ const SysLstat
+ const SysMadvise
+ const SysMbind
+ const SysMembarrier
+ const SysMemfdCreate
+ const SysMemfdSecret
+ const SysMigratePages
+ const SysMincore
+ const SysMkdir
+ const SysMkdirat
+ const SysMknod
+ const SysMknodat
+ const SysMlock
+ const SysMlock2
+ const SysMlockall
+ const SysMmap
+ const SysModifyLdt
+ const SysMount
+ const SysMountSetattr
+ const SysMoveMount
+ const SysMovePages
+ const SysMprotect
+ const SysMqGetsetattr
+ const SysMqNotify
+ const SysMqOpen
+ const SysMqTimedreceive
+ const SysMqTimedsend
+ const SysMqUnlink
+ const SysMremap
+ const SysMsgctl
+ const SysMsgget
+ const SysMsgrcv
+ const SysMsgsnd
+ const SysMsync
+ const SysMunlock
+ const SysMunlockall
+ const SysMunmap
+ const SysNameToHandleAt
+ const SysNanosleep
+ const SysNewfstatat
+ const SysNfsservctl
+ const SysOpen
+ const SysOpenByHandleAt
+ const SysOpenTree
+ const SysOpenat
+ const SysOpenat2
+ const SysPause
+ const SysPerfEventOpen
+ const SysPersonality
+ const SysPidfdGetfd
+ const SysPidfdOpen
+ const SysPidfdSendSignal
+ const SysPipe
+ const SysPipe2
+ const SysPivotRoot
+ const SysPkeyAlloc
+ const SysPkeyFree
+ const SysPkeyMprotect
+ const SysPoll
+ const SysPpoll
+ const SysPrctl
+ const SysPread64
+ const SysPreadv
+ const SysPreadv2
+ const SysPrlimit64
+ const SysProcessMadvise
+ const SysProcessVmReadv
+ const SysProcessVmWritev
+ const SysPselect6
+ const SysPtrace
+ const SysPutpmsg
+ const SysPwrite64
+ const SysPwritev
+ const SysPwritev2
+ const SysQueryModule
+ const SysQuotactl
+ const SysQuotactlFd
+ const SysRead
+ const SysReadahead
+ const SysReadlink
+ const SysReadlinkat
+ const SysReadv
+ const SysReboot
+ const SysRecvfrom
+ const SysRecvmmsg
+ const SysRecvmsg
+ const SysRemapFilePages
+ const SysRemovexattr
+ const SysRename
+ const SysRenameat
+ const SysRenameat2 + const SysRequestKey + const SysRestartSyscall + const SysRmdir + const SysRseq + const SysRtSigaction + const SysRtSigpending + const SysRtSigprocmask + const SysRtSigqueueinfo + const SysRtSigreturn + const SysRtSigsuspend + const SysRtSigtimedwait + const SysRtTgsigqueueinfo + const SysSchedGetPriorityMax + const SysSchedGetPriorityMin + const SysSchedGetaffinity + const SysSchedGetattr + const SysSchedGetparam + const SysSchedGetscheduler + const SysSchedRrGetInterval + const SysSchedSetaffinity + const SysSchedSetattr + const SysSchedSetparam + const SysSchedSetscheduler + const SysSchedYield + const SysSeccomp + const SysSecurity + const SysSelect + const SysSemctl + const SysSemget + const SysSemop + const SysSemtimedop + const SysSendfile + const SysSendmmsg + const SysSendmsg + const SysSendto + const SysSetMempolicy + const SysSetRobustList + const SysSetThreadArea + const SysSetTidAddress + const SysSetdomainname + const SysSetfsgid + const SysSetfsuid + const SysSetgid + const SysSetgroups + const SysSethostname + const SysSetitimer + const SysSetns + const SysSetpgid + const SysSetpriority + const SysSetregid + const SysSetresgid + const SysSetresuid + const SysSetreuid + const SysSetrlimit + const SysSetsid + const SysSetsockopt + const SysSettimeofday + const SysSetuid + const SysSetxattr + const SysShmat + const SysShmctl + const SysShmdt + const SysShmget + const SysShutdown + const SysSigaltstack + const SysSignalfd + const SysSignalfd4 + const SysSocket + const SysSocketpair + const SysSplice + const SysStat + const SysStatfs + const SysStatx + const SysSwapoff + const SysSwapon + const SysSymlink + const SysSymlinkat + const SysSync + const SysSyncFileRange + const SysSyncfs + const SysSysctl + const SysSysfs + const SysSysinfo + const SysSyslog + const SysTee + const SysTgkill + const SysTime + const SysTimerCreate + const SysTimerDelete + const SysTimerGetoverrun + const SysTimerGettime + const SysTimerSettime + const 
SysTimerfdCreate + const SysTimerfdGettime + const SysTimerfdSettime + const SysTimes + const SysTkill + const SysTruncate + const SysTuxcall + const SysUmask + const SysUmount2 + const SysUname + const SysUnlink + const SysUnlinkat + const SysUnshare + const SysUselib + const SysUserfaultfd + const SysUstat + const SysUtime + const SysUtimensat + const SysUtimes + const SysVfork + const SysVhangup + const SysVmsplice + const SysVserver + const SysWait4 + const SysWaitid + const SysWrite + const SysWritev + func (i Syscall) String() string + func (s Syscall) MarshalText() ([]byte, error) + type SyscallMonitor struct — linux/amd64 + func NewSyscallMonitor(manager *manager.Manager) (*SyscallMonitor, error) + func (sm *SyscallMonitor) CollectStats(collector SyscallStatsCollector) error + func (sm *SyscallMonitor) GetStats() (*SyscallStats, error) + func (sm *SyscallMonitor) SendStats(statsdClient *statsd.Client) error + type SyscallStats map[Syscall]map[string]uint64 — linux/amd64 + func (s *SyscallStats) CountConcurrentSyscalls(count int64) error + func (s *SyscallStats) CountExec(process string, count uint64) error + func (s *SyscallStats) CountSyscall(process string, syscallID Syscall, count uint64) error + type SyscallStatsCollector interface — linux/amd64 + CountConcurrentSyscalls func(count int64) error + CountExec func(process string, count uint64) error + CountSyscall func(process string, syscallID Syscall, count uint64) error + type SyscallStatsdCollector struct — linux/amd64 + func (s *SyscallStatsdCollector) CountConcurrentSyscalls(count int64) error + func (s *SyscallStatsdCollector) CountExec(process string, count uint64) error + func (s *SyscallStatsdCollector) CountSyscall(process string, syscallID Syscall, count uint64) error + type Tagger interface — linux/amd64 + Init func() error + Stop func() error + Tag func(entity string, cardinality collectors.TagCardinality) ([]string, error) + type TagsResolver struct — linux/amd64 + func 
NewTagsResolver(config *config.Config) *TagsResolver + func (t *TagsResolver) GetValue(id string, tag string) string + func (t *TagsResolver) Resolve(id string) []string + func (t *TagsResolver) Start(ctx context.Context) error + func (t *TagsResolver) Stop() error + type TimeResolver struct — linux/amd64 + func NewTimeResolver() (*TimeResolver, error) + func (tr *TimeResolver) ApplyBootTime(timestamp time.Time) time.Time + func (tr *TimeResolver) ComputeMonotonicTimestamp(timestamp time.Time) int64 + func (tr *TimeResolver) ResolveMonotonicTimestamp(timestamp uint64) time.Time + type UserContextSerializer struct — linux/amd64 + Group string + User string + func (v *UserContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) + func (v *UserContextSerializer) UnmarshalJSON(data []byte) error + func (v UserContextSerializer) MarshalEasyJSON(w *jwriter.Writer) + func (v UserContextSerializer) MarshalJSON() ([]byte, error) + type UserGroupResolver struct — linux/amd64 + func NewUserGroupResolver() (*UserGroupResolver, error) + func (r *UserGroupResolver) ResolveGroup(gid int) (string, error) + func (r *UserGroupResolver) ResolveUser(uid int) (string, error)