model

package
v0.47.1
Published: Sep 21, 2023 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

const (
	// MaxSegmentLength defines the maximum length of each segment of a path
	// (a single directory or file name); 255 likely mirrors the Linux NAME_MAX
	MaxSegmentLength = 255

	// MaxPathDepth defines the maximum depth of a path, derived from the limits
	// of the eBPF dentry resolver (tail calls × iterations per call)
	// see pkg/security/ebpf/c/dentry_resolver.h: DR_MAX_TAIL_CALL * DR_MAX_ITERATION_DEPTH
	MaxPathDepth = 1363

	// MaxBpfObjName defines the maximum length of a Bpf object name
	// (map or program name as exposed by the kernel)
	MaxBpfObjName = 16

	// PathSuffix defines the suffix used for path fields (e.g. "exec.file.path")
	PathSuffix = ".path"

	// NameSuffix defines the suffix used for name fields (e.g. "exec.file.name")
	NameSuffix = ".name"

	// ContainerIDLen defines the length of a container ID: a sha256 digest
	// written in hex, i.e. 64 characters (ContainerIDPatternStr matches the same width)
	ContainerIDLen = sha256.Size * 2

	// MaxSymlinks maximum symlinks captured per process entry; the process
	// symlink operator overrides query exactly two symlink pathname evaluators,
	// which is presumably what this constant sizes — verify against their definition
	MaxSymlinks = 2

	// MaxTracedCgroupsCount hard limit for the count of traced cgroups
	MaxTracedCgroupsCount = 128
)
// File flags describing which layer a file belongs to — presumably the
// overlayfs lower/upper layers, see OverlayFS. The two values are distinct
// bits (1 and 2) so they can be combined in a bitmask.
const (
	// LowerLayer marks a file living in a lower layer
	LowerLayer = 1 << 0
	// UpperLayer marks a file living in the upper layer
	UpperLayer = 1 << 1
)

File flags

// Filesystem type names; UnknownFS is presumably the value used when the
// filesystem of a file could not be resolved.
const (
	// OverlayFS overlay filesystem
	OverlayFS = "overlay"
	// TmpFS tmpfs
	TmpFS = "tmpfs"
	// UnknownFS unknown filesystem
	UnknownFS = "unknown"
)
// Origin of a process cache entry. The values are the successive indexes
// 0..4 and double as positions in ProcessSources, which names them in the
// same order (unknown, event, map, procfs_fallback, procfs_snapshot) —
// presumably what ProcessSourceToString relies on; verify there.
const (
	// ProcessCacheEntryFromUnknown: origin not recorded
	ProcessCacheEntryFromUnknown = 0
	// ProcessCacheEntryFromEvent: entry built from an event
	ProcessCacheEntryFromEvent = 1
	// ProcessCacheEntryFromKernelMap: entry built from a kernel map
	ProcessCacheEntryFromKernelMap = 2
	// ProcessCacheEntryFromProcFS: entry built from procfs (fallback)
	ProcessCacheEntryFromProcFS = 3
	// ProcessCacheEntryFromSnapshot: entry built from a procfs snapshot
	ProcessCacheEntryFromSnapshot = 4
)
// Event flags: independent bits that can be OR-ed into an event's flag word.
const (
	// EventFlagsAsync async event
	EventFlagsAsync = 1 << 0
	// EventFlagsSavedByAD saved by ad (activity dump)
	EventFlagsSavedByAD = 1 << 1
	// EventFlagsActivityDumpSample an AD sample
	EventFlagsActivityDumpSample = 1 << 2
	// EventFlagsSecurityProfileInProfile true if the event was found in a profile
	EventFlagsSecurityProfileInProfile = 1 << 3
)
// DNS_PREALLOC_SIZE is a preallocation size used by the DNS handling code; the
// exact buffer it sizes is not visible here. The C-style name is kept because
// the constant is exported and renaming it would be a breaking change.
const DNS_PREALLOC_SIZE = 256
const (
	// MaxArgEnvSize maximum size of one argument or environment variable;
	// what happens to longer values (truncation vs. rejection) is decided by
	// the unmarshalling code, not here
	MaxArgEnvSize = 256
)
// PathKeySize is the size in bytes of a path_key (the key of a path leaf);
// it is the first component of PathLeafSize
const PathKeySize = 16
// PathLeafSize defines path_leaf struct size:
// 16 (path_key) + 255 (name) + 1 (len) + 8 (padding, written 2 + 6) = 280 bytes.
// Any change to the C-side path_leaf layout must be mirrored here.
const PathLeafSize = PathKeySize + MaxSegmentLength + 1 + 2 + 6 // path_key + name + len + padding

PathLeafSize defines the size of the path_leaf struct

Variables

var (
	// The "generate_constants:<title>,<description>" lines below appear to be
	// markers for a constants/documentation generator (the tool is not shown
	// here); keep them in that exact shape.
	//
	// Every map in this block is a lookup table from the spelling a SECL rule
	// uses (the key) to the typed value the rule engine compares against.

	// BPFCmdConstants is the list of BPF commands
	// generate_constants:BPF commands,BPF commands are used to specify a command to a bpf syscall.
	BPFCmdConstants = map[string]BPFCmd{
		"BPF_MAP_CREATE":                  BpfMapCreateCmd,
		"BPF_MAP_LOOKUP_ELEM":             BpfMapLookupElemCmd,
		"BPF_MAP_UPDATE_ELEM":             BpfMapUpdateElemCmd,
		"BPF_MAP_DELETE_ELEM":             BpfMapDeleteElemCmd,
		"BPF_MAP_GET_NEXT_KEY":            BpfMapGetNextKeyCmd,
		"BPF_PROG_LOAD":                   BpfProgLoadCmd,
		"BPF_OBJ_PIN":                     BpfObjPinCmd,
		"BPF_OBJ_GET":                     BpfObjGetCmd,
		"BPF_PROG_ATTACH":                 BpfProgAttachCmd,
		"BPF_PROG_DETACH":                 BpfProgDetachCmd,
		// BPF_PROG_RUN and BPF_PROG_TEST_RUN are two names for the same command,
		// so both keys intentionally map to BpfProgTestRunCmd
		"BPF_PROG_TEST_RUN":               BpfProgTestRunCmd,
		"BPF_PROG_RUN":                    BpfProgTestRunCmd,
		"BPF_PROG_GET_NEXT_ID":            BpfProgGetNextIDCmd,
		"BPF_MAP_GET_NEXT_ID":             BpfMapGetNextIDCmd,
		"BPF_PROG_GET_FD_BY_ID":           BpfProgGetFdByIDCmd,
		"BPF_MAP_GET_FD_BY_ID":            BpfMapGetFdByIDCmd,
		"BPF_OBJ_GET_INFO_BY_FD":          BpfObjGetInfoByFdCmd,
		"BPF_PROG_QUERY":                  BpfProgQueryCmd,
		"BPF_RAW_TRACEPOINT_OPEN":         BpfRawTracepointOpenCmd,
		"BPF_BTF_LOAD":                    BpfBtfLoadCmd,
		"BPF_BTF_GET_FD_BY_ID":            BpfBtfGetFdByIDCmd,
		"BPF_TASK_FD_QUERY":               BpfTaskFdQueryCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_ELEM":  BpfMapLookupAndDeleteElemCmd,
		"BPF_MAP_FREEZE":                  BpfMapFreezeCmd,
		"BPF_BTF_GET_NEXT_ID":             BpfBtfGetNextIDCmd,
		"BPF_MAP_LOOKUP_BATCH":            BpfMapLookupBatchCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_BATCH": BpfMapLookupAndDeleteBatchCmd,
		"BPF_MAP_UPDATE_BATCH":            BpfMapUpdateBatchCmd,
		"BPF_MAP_DELETE_BATCH":            BpfMapDeleteBatchCmd,
		"BPF_LINK_CREATE":                 BpfLinkCreateCmd,
		"BPF_LINK_UPDATE":                 BpfLinkUpdateCmd,
		"BPF_LINK_GET_FD_BY_ID":           BpfLinkGetFdByIDCmd,
		"BPF_LINK_GET_NEXT_ID":            BpfLinkGetNextIDCmd,
		"BPF_ENABLE_STATS":                BpfEnableStatsCmd,
		"BPF_ITER_CREATE":                 BpfIterCreateCmd,
		"BPF_LINK_DETACH":                 BpfLinkDetachCmd,
		"BPF_PROG_BIND_MAP":               BpfProgBindMapCmd,
	}

	// BPFHelperFuncConstants is the list of BPF helper func constants
	// generate_constants:BPF helper functions,BPF helper functions are the supported BPF helper functions.
	// NOTE: the 166 entries of this map are elided in this rendering of the
	// source; see the original file for the full table.
	BPFHelperFuncConstants = map[string]BPFHelperFunc{}/* 166 elements not displayed */

	// BPFMapTypeConstants is the list of BPF map type constants
	// generate_constants:BPF map types,BPF map types are the supported eBPF map types.
	BPFMapTypeConstants = map[string]BPFMapType{
		"BPF_MAP_TYPE_UNSPEC":                BpfMapTypeUnspec,
		"BPF_MAP_TYPE_HASH":                  BpfMapTypeHash,
		"BPF_MAP_TYPE_ARRAY":                 BpfMapTypeArray,
		"BPF_MAP_TYPE_PROG_ARRAY":            BpfMapTypeProgArray,
		"BPF_MAP_TYPE_PERF_EVENT_ARRAY":      BpfMapTypePerfEventArray,
		"BPF_MAP_TYPE_PERCPU_HASH":           BpfMapTypePercpuHash,
		"BPF_MAP_TYPE_PERCPU_ARRAY":          BpfMapTypePercpuArray,
		"BPF_MAP_TYPE_STACK_TRACE":           BpfMapTypeStackTrace,
		"BPF_MAP_TYPE_CGROUP_ARRAY":          BpfMapTypeCgroupArray,
		"BPF_MAP_TYPE_LRU_HASH":              BpfMapTypeLruHash,
		"BPF_MAP_TYPE_LRU_PERCPU_HASH":       BpfMapTypeLruPercpuHash,
		"BPF_MAP_TYPE_LPM_TRIE":              BpfMapTypeLpmTrie,
		"BPF_MAP_TYPE_ARRAY_OF_MAPS":         BpfMapTypeArrayOfMaps,
		"BPF_MAP_TYPE_HASH_OF_MAPS":          BpfMapTypeHashOfMaps,
		"BPF_MAP_TYPE_DEVMAP":                BpfMapTypeDevmap,
		"BPF_MAP_TYPE_SOCKMAP":               BpfMapTypeSockmap,
		"BPF_MAP_TYPE_CPUMAP":                BpfMapTypeCPUmap,
		"BPF_MAP_TYPE_XSKMAP":                BpfMapTypeXskmap,
		"BPF_MAP_TYPE_SOCKHASH":              BpfMapTypeSockhash,
		"BPF_MAP_TYPE_CGROUP_STORAGE":        BpfMapTypeCgroupStorage,
		"BPF_MAP_TYPE_REUSEPORT_SOCKARRAY":   BpfMapTypeReuseportSockarray,
		"BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE": BpfMapTypePercpuCgroupStorage,
		"BPF_MAP_TYPE_QUEUE":                 BpfMapTypeQueue,
		"BPF_MAP_TYPE_STACK":                 BpfMapTypeStack,
		"BPF_MAP_TYPE_SK_STORAGE":            BpfMapTypeSkStorage,
		"BPF_MAP_TYPE_DEVMAP_HASH":           BpfMapTypeDevmapHash,
		"BPF_MAP_TYPE_STRUCT_OPS":            BpfMapTypeStructOps,
		"BPF_MAP_TYPE_RINGBUF":               BpfMapTypeRingbuf,
		"BPF_MAP_TYPE_INODE_STORAGE":         BpfMapTypeInodeStorage,
		"BPF_MAP_TYPE_TASK_STORAGE":          BpfMapTypeTaskStorage,
	}

	// BPFProgramTypeConstants is the list of BPF program type constants
	// generate_constants:BPF program types,BPF program types are the supported eBPF program types.
	BPFProgramTypeConstants = map[string]BPFProgramType{
		"BPF_PROG_TYPE_UNSPEC":                  BpfProgTypeUnspec,
		"BPF_PROG_TYPE_SOCKET_FILTER":           BpfProgTypeSocketFilter,
		"BPF_PROG_TYPE_KPROBE":                  BpfProgTypeKprobe,
		"BPF_PROG_TYPE_SCHED_CLS":               BpfProgTypeSchedCls,
		"BPF_PROG_TYPE_SCHED_ACT":               BpfProgTypeSchedAct,
		"BPF_PROG_TYPE_TRACEPOINT":              BpfProgTypeTracepoint,
		"BPF_PROG_TYPE_XDP":                     BpfProgTypeXdp,
		"BPF_PROG_TYPE_PERF_EVENT":              BpfProgTypePerfEvent,
		"BPF_PROG_TYPE_CGROUP_SKB":              BpfProgTypeCgroupSkb,
		"BPF_PROG_TYPE_CGROUP_SOCK":             BpfProgTypeCgroupSock,
		"BPF_PROG_TYPE_LWT_IN":                  BpfProgTypeLwtIn,
		"BPF_PROG_TYPE_LWT_OUT":                 BpfProgTypeLwtOut,
		"BPF_PROG_TYPE_LWT_XMIT":                BpfProgTypeLwtXmit,
		"BPF_PROG_TYPE_SOCK_OPS":                BpfProgTypeSockOps,
		"BPF_PROG_TYPE_SK_SKB":                  BpfProgTypeSkSkb,
		"BPF_PROG_TYPE_CGROUP_DEVICE":           BpfProgTypeCgroupDevice,
		"BPF_PROG_TYPE_SK_MSG":                  BpfProgTypeSkMsg,
		"BPF_PROG_TYPE_RAW_TRACEPOINT":          BpfProgTypeRawTracepoint,
		"BPF_PROG_TYPE_CGROUP_SOCK_ADDR":        BpfProgTypeCgroupSockAddr,
		"BPF_PROG_TYPE_LWT_SEG6LOCAL":           BpfProgTypeLwtSeg6local,
		"BPF_PROG_TYPE_LIRC_MODE2":              BpfProgTypeLircMode2,
		"BPF_PROG_TYPE_SK_REUSEPORT":            BpfProgTypeSkReuseport,
		"BPF_PROG_TYPE_FLOW_DISSECTOR":          BpfProgTypeFlowDissector,
		"BPF_PROG_TYPE_CGROUP_SYSCTL":           BpfProgTypeCgroupSysctl,
		"BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE": BpfProgTypeRawTracepointWritable,
		"BPF_PROG_TYPE_CGROUP_SOCKOPT":          BpfProgTypeCgroupSockopt,
		"BPF_PROG_TYPE_TRACING":                 BpfProgTypeTracing,
		"BPF_PROG_TYPE_STRUCT_OPS":              BpfProgTypeStructOps,
		"BPF_PROG_TYPE_EXT":                     BpfProgTypeExt,
		"BPF_PROG_TYPE_LSM":                     BpfProgTypeLsm,
		"BPF_PROG_TYPE_SK_LOOKUP":               BpfProgTypeSkLookup,
	}

	// BPFAttachTypeConstants is the list of BPF attach type constants
	// generate_constants:BPF attach types,BPF attach types are the supported eBPF program attach types.
	BPFAttachTypeConstants = map[string]BPFAttachType{
		"BPF_CGROUP_INET_INGRESS":      BpfCgroupInetIngress,
		"BPF_CGROUP_INET_EGRESS":       BpfCgroupInetEgress,
		"BPF_CGROUP_INET_SOCK_CREATE":  BpfCgroupInetSockCreate,
		"BPF_CGROUP_SOCK_OPS":          BpfCgroupSockOps,
		"BPF_SK_SKB_STREAM_PARSER":     BpfSkSkbStreamParser,
		"BPF_SK_SKB_STREAM_VERDICT":    BpfSkSkbStreamVerdict,
		"BPF_CGROUP_DEVICE":            BpfCgroupDevice,
		"BPF_SK_MSG_VERDICT":           BpfSkMsgVerdict,
		"BPF_CGROUP_INET4_BIND":        BpfCgroupInet4Bind,
		"BPF_CGROUP_INET6_BIND":        BpfCgroupInet6Bind,
		"BPF_CGROUP_INET4_CONNECT":     BpfCgroupInet4Connect,
		"BPF_CGROUP_INET6_CONNECT":     BpfCgroupInet6Connect,
		"BPF_CGROUP_INET4_POST_BIND":   BpfCgroupInet4PostBind,
		"BPF_CGROUP_INET6_POST_BIND":   BpfCgroupInet6PostBind,
		"BPF_CGROUP_UDP4_SENDMSG":      BpfCgroupUDP4Sendmsg,
		"BPF_CGROUP_UDP6_SENDMSG":      BpfCgroupUDP6Sendmsg,
		"BPF_LIRC_MODE2":               BpfLircMode2,
		"BPF_FLOW_DISSECTOR":           BpfFlowDissector,
		"BPF_CGROUP_SYSCTL":            BpfCgroupSysctl,
		"BPF_CGROUP_UDP4_RECVMSG":      BpfCgroupUDP4Recvmsg,
		"BPF_CGROUP_UDP6_RECVMSG":      BpfCgroupUDP6Recvmsg,
		"BPF_CGROUP_GETSOCKOPT":        BpfCgroupGetsockopt,
		"BPF_CGROUP_SETSOCKOPT":        BpfCgroupSetsockopt,
		"BPF_TRACE_RAW_TP":             BpfTraceRawTp,
		"BPF_TRACE_FENTRY":             BpfTraceFentry,
		"BPF_TRACE_FEXIT":              BpfTraceFexit,
		"BPF_MODIFY_RETURN":            BpfModifyReturn,
		"BPF_LSM_MAC":                  BpfLsmMac,
		"BPF_TRACE_ITER":               BpfTraceIter,
		"BPF_CGROUP_INET4_GETPEERNAME": BpfCgroupInet4Getpeername,
		"BPF_CGROUP_INET6_GETPEERNAME": BpfCgroupInet6Getpeername,
		"BPF_CGROUP_INET4_GETSOCKNAME": BpfCgroupInet4Getsockname,
		"BPF_CGROUP_INET6_GETSOCKNAME": BpfCgroupInet6Getsockname,
		"BPF_XDP_DEVMAP":               BpfXdpDevmap,
		"BPF_CGROUP_INET_SOCK_RELEASE": BpfCgroupInetSockRelease,
		"BPF_XDP_CPUMAP":               BpfXdpCPUmap,
		"BPF_SK_LOOKUP":                BpfSkLookup,
		"BPF_XDP":                      BpfXdp,
		"BPF_SK_SKB_VERDICT":           BpfSkSkbVerdict,
	}

	// PipeBufFlagConstants is the list of pipe buffer flags
	// generate_constants:Pipe buffer flags,Pipe buffer flags are the supported flags for a pipe buffer.
	PipeBufFlagConstants = map[string]PipeBufFlag{
		"PIPE_BUF_FLAG_LRU":       PipeBufFlagLRU,
		"PIPE_BUF_FLAG_ATOMIC":    PipeBufFlagAtomic,
		"PIPE_BUF_FLAG_GIFT":      PipeBufFlagGift,
		"PIPE_BUF_FLAG_PACKET":    PipeBufFlagPacket,
		"PIPE_BUF_FLAG_CAN_MERGE": PipeBufFlagCanMerge,
		"PIPE_BUF_FLAG_WHOLE":     PipeBufFlagWhole,
		"PIPE_BUF_FLAG_LOSS":      PipeBufFlagLoss,
	}

	// DNSQTypeConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qtypes,DNS qtypes are the supported DNS query types.
	// Keys are the IANA mnemonics with punctuation dropped (e.g. "NSAPPTR" for
	// NSAP-PTR); values are the numeric QTYPE codes. "None" (0) and
	// "Reserved" (65535) are the two ends of the registry, not real query types.
	DNSQTypeConstants = map[string]int{
		"None":       0,
		"A":          1,
		"NS":         2,
		"MD":         3,
		"MF":         4,
		"CNAME":      5,
		"SOA":        6,
		"MB":         7,
		"MG":         8,
		"MR":         9,
		"NULL":       10,
		"PTR":        12,
		"HINFO":      13,
		"MINFO":      14,
		"MX":         15,
		"TXT":        16,
		"RP":         17,
		"AFSDB":      18,
		"X25":        19,
		"ISDN":       20,
		"RT":         21,
		"NSAPPTR":    23,
		"SIG":        24,
		"KEY":        25,
		"PX":         26,
		"GPOS":       27,
		"AAAA":       28,
		"LOC":        29,
		"NXT":        30,
		"EID":        31,
		"NIMLOC":     32,
		"SRV":        33,
		"ATMA":       34,
		"NAPTR":      35,
		"KX":         36,
		"CERT":       37,
		"DNAME":      39,
		"OPT":        41,
		"APL":        42,
		"DS":         43,
		"SSHFP":      44,
		"RRSIG":      46,
		"NSEC":       47,
		"DNSKEY":     48,
		"DHCID":      49,
		"NSEC3":      50,
		"NSEC3PARAM": 51,
		"TLSA":       52,
		"SMIMEA":     53,
		"HIP":        55,
		"NINFO":      56,
		"RKEY":       57,
		"TALINK":     58,
		"CDS":        59,
		"CDNSKEY":    60,
		"OPENPGPKEY": 61,
		"CSYNC":      62,
		"ZONEMD":     63,
		"SVCB":       64,
		"HTTPS":      65,
		"SPF":        99,
		"UINFO":      100,
		"UID":        101,
		"GID":        102,
		"UNSPEC":     103,
		"NID":        104,
		"L32":        105,
		"L64":        106,
		"LP":         107,
		"EUI48":      108,
		"EUI64":      109,
		"URI":        256,
		"CAA":        257,
		"AVC":        258,
		// meta / transfer query types (249-255) are listed after the RR types
		"TKEY":       249,
		"TSIG":       250,
		"IXFR":       251,
		"AXFR":       252,
		"MAILB":      253,
		"MAILA":      254,
		"ANY":        255,
		"TA":         32768,
		"DLV":        32769,
		"Reserved":   65535,
	}

	// DNSQClassConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qclasses,DNS qclasses are the supported DNS query classes.
	DNSQClassConstants = map[string]int{
		"CLASS_INET":   1,
		"CLASS_CSNET":  2,
		"CLASS_CHAOS":  3,
		"CLASS_HESIOD": 4,
		"CLASS_NONE":   254,
		"CLASS_ANY":    255,
	}

	// SECLConstants are constants supported in runtime security agent rules
	// generate_constants:SecL constants,SecL constants are the supported generic SecL constants.
	// The value type is interface{} so that evaluators of different kinds can
	// be registered; only the two boolean literals live here.
	SECLConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}

	// L3ProtocolConstants is the list of supported L3 protocols
	// generate_constants:L3 protocols,L3 protocols are the supported Layer 3 protocols.
	// Keys follow the kernel ETH_P_* names; note the double underscore in
	// "ETH_P__LINK_CTL", which is the spelling a rule must use.
	L3ProtocolConstants = map[string]L3Protocol{
		"ETH_P_LOOP":            EthPLOOP,
		"ETH_P_PUP":             EthPPUP,
		"ETH_P_PUPAT":           EthPPUPAT,
		"ETH_P_TSN":             EthPTSN,
		"ETH_P_IP":              EthPIP,
		"ETH_P_X25":             EthPX25,
		"ETH_P_ARP":             EthPARP,
		"ETH_P_BPQ":             EthPBPQ,
		"ETH_P_IEEEPUP":         EthPIEEEPUP,
		"ETH_P_IEEEPUPAT":       EthPIEEEPUPAT,
		"ETH_P_BATMAN":          EthPBATMAN,
		"ETH_P_DEC":             EthPDEC,
		"ETH_P_DNADL":           EthPDNADL,
		"ETH_P_DNARC":           EthPDNARC,
		"ETH_P_DNART":           EthPDNART,
		"ETH_P_LAT":             EthPLAT,
		"ETH_P_DIAG":            EthPDIAG,
		"ETH_P_CUST":            EthPCUST,
		"ETH_P_SCA":             EthPSCA,
		"ETH_P_TEB":             EthPTEB,
		"ETH_P_RARP":            EthPRARP,
		"ETH_P_ATALK":           EthPATALK,
		"ETH_P_AARP":            EthPAARP,
		"ETH_P_8021_Q":          EthP8021Q,
		"ETH_P_ERSPAN":          EthPERSPAN,
		"ETH_P_IPX":             EthPIPX,
		"ETH_P_IPV6":            EthPIPV6,
		"ETH_P_PAUSE":           EthPPAUSE,
		"ETH_P_SLOW":            EthPSLOW,
		"ETH_P_WCCP":            EthPWCCP,
		"ETH_P_MPLSUC":          EthPMPLSUC,
		"ETH_P_MPLSMC":          EthPMPLSMC,
		"ETH_P_ATMMPOA":         EthPATMMPOA,
		"ETH_P_PPPDISC":         EthPPPPDISC,
		"ETH_P_PPPSES":          EthPPPPSES,
		"ETH_P__LINK_CTL":       EthPLinkCTL,
		"ETH_P_ATMFATE":         EthPATMFATE,
		"ETH_P_PAE":             EthPPAE,
		"ETH_P_AOE":             EthPAOE,
		"ETH_P_8021_AD":         EthP8021AD,
		"ETH_P_802_EX1":         EthP802EX1,
		"ETH_P_TIPC":            EthPTIPC,
		"ETH_P_MACSEC":          EthPMACSEC,
		"ETH_P_8021_AH":         EthP8021AH,
		"ETH_P_MVRP":            EthPMVRP,
		"ETH_P_1588":            EthP1588,
		"ETH_P_NCSI":            EthPNCSI,
		"ETH_P_PRP":             EthPPRP,
		"ETH_P_FCOE":            EthPFCOE,
		"ETH_P_IBOE":            EthPIBOE,
		"ETH_P_TDLS":            EthPTDLS,
		"ETH_P_FIP":             EthPFIP,
		"ETH_P_80221":           EthP80221,
		"ETH_P_HSR":             EthPHSR,
		"ETH_P_NSH":             EthPNSH,
		"ETH_P_LOOPBACK":        EthPLOOPBACK,
		"ETH_P_QINQ1":           EthPQINQ1,
		"ETH_P_QINQ2":           EthPQINQ2,
		"ETH_P_QINQ3":           EthPQINQ3,
		"ETH_P_EDSA":            EthPEDSA,
		"ETH_P_IFE":             EthPIFE,
		"ETH_P_AFIUCV":          EthPAFIUCV,
		"ETH_P_8023_MIN":        EthP8023MIN,
		"ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop,
		"ETH_P_8023":            EthP8023,
		"ETH_P_AX25":            EthPAX25,
		"ETH_P_ALL":             EthPALL,
		"ETH_P_8022":            EthP8022,
		"ETH_P_SNAP":            EthPSNAP,
		"ETH_P_DDCMP":           EthPDDCMP,
		"ETH_P_WANPPP":          EthPWANPPP,
		"ETH_P_PPPMP":           EthPPPPMP,
		"ETH_P_LOCALTALK":       EthPLOCALTALK,
		"ETH_P_CAN":             EthPCAN,
		"ETH_P_CANFD":           EthPCANFD,
		"ETH_P_PPPTALK":         EthPPPPTALK,
		"ETH_P_TR8022":          EthPTR8022,
		"ETH_P_MOBITEX":         EthPMOBITEX,
		"ETH_P_CONTROL":         EthPCONTROL,
		"ETH_P_IRDA":            EthPIRDA,
		"ETH_P_ECONET":          EthPECONET,
		"ETH_P_HDLC":            EthPHDLC,
		"ETH_P_ARCNET":          EthPARCNET,
		"ETH_P_DSA":             EthPDSA,
		"ETH_P_TRAILER":         EthPTRAILER,
		"ETH_P_PHONET":          EthPPHONET,
		"ETH_P_IEEE802154":      EthPIEEE802154,
		"ETH_P_CAIF":            EthPCAIF,
		"ETH_P_XDSA":            EthPXDSA,
		"ETH_P_MAP":             EthPMAP,
	}

	// L4ProtocolConstants is the list of supported L4 protocols
	// generate_constants:L4 protocols,L4 protocols are the supported Layer 4 protocols.
	L4ProtocolConstants = map[string]L4Protocol{
		"IP_PROTO_IP":      IPProtoIP,
		"IP_PROTO_ICMP":    IPProtoICMP,
		"IP_PROTO_IGMP":    IPProtoIGMP,
		"IP_PROTO_IPIP":    IPProtoIPIP,
		"IP_PROTO_TCP":     IPProtoTCP,
		"IP_PROTO_EGP":     IPProtoEGP,
		"IP_PROTO_IGP":     IPProtoIGP,
		"IP_PROTO_PUP":     IPProtoPUP,
		"IP_PROTO_UDP":     IPProtoUDP,
		"IP_PROTO_IDP":     IPProtoIDP,
		"IP_PROTO_TP":      IPProtoTP,
		"IP_PROTO_DCCP":    IPProtoDCCP,
		"IP_PROTO_IPV6":    IPProtoIPV6,
		"IP_PROTO_RSVP":    IPProtoRSVP,
		"IP_PROTO_GRE":     IPProtoGRE,
		"IP_PROTO_ESP":     IPProtoESP,
		"IP_PROTO_AH":      IPProtoAH,
		"IP_PROTO_ICMPV6":  IPProtoICMPV6,
		"IP_PROTO_MTP":     IPProtoMTP,
		"IP_PROTO_BEETPH":  IPProtoBEETPH,
		"IP_PROTO_ENCAP":   IPProtoENCAP,
		"IP_PROTO_PIM":     IPProtoPIM,
		"IP_PROTO_COMP":    IPProtoCOMP,
		"IP_PROTO_SCTP":    IPProtoSCTP,
		"IP_PROTO_UDPLITE": IPProtoUDPLITE,
		"IP_PROTO_MPLS":    IPProtoMPLS,
		"IP_PROTO_RAW":     IPProtoRAW,
	}
)
// Sentinel errors of the DNS name decoder; compare with errors.Is.
var (
	// ErrDNSNamePointerNotSupported reported because pointer compression is not supported
	// (a label whose length byte has the two high bits set)
	ErrDNSNamePointerNotSupported = errors.New("dns name pointer compression is not supported")
	// ErrDNSNameOutOfBounds reported because a label length points past the end of the data
	ErrDNSNameOutOfBounds = errors.New("dns name out of bound")
	// ErrDNSNameNonPrintableASCII reported because the name contains non-printable ASCII
	ErrDNSNameNonPrintableASCII = errors.New("dns name non-printable ascii")
	// ErrDNSNameMalformatted reported because the name is malformed (too short, missing dots, etc)
	ErrDNSNameMalformatted = errors.New("dns name mal-formatted")
)
// Sentinel errors of the binary (un)marshalling helpers; compare with errors.Is.
var (
	// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
	ErrNotEnoughData = errors.New("not enough data")

	// ErrNotEnoughSpace is returned when the provided buffer is too small to marshal the event
	ErrNotEnoughSpace = errors.New("not enough space")

	// ErrStringArrayOverflow returned when there is a string array overflow
	// (more entries, or a longer entry, than the decoder allows)
	ErrStringArrayOverflow = errors.New("string array overflow")

	// ErrNonPrintable returned when a string contains non printable char;
	// rejecting such input keeps control characters out of rule evaluation and logs
	ErrNonPrintable = errors.New("non printable")

	// ErrIncorrectDataSize is returned when the data read size doesn't correspond to the expected one
	ErrIncorrectDataSize = errors.New("incorrect data size")
)
var (

	// ProcessSymlinkPathname handles symlinks for process entries. It overrides
	// the comparison operators on the path fields so that a comparison involving
	// "exec.file.path" or "process.file.path" is evaluated against the regular
	// path AND against the two alternative pathnames produced by
	// symlinkPathnameEvaluators (defined elsewhere in this package, not shown
	// here), the three results being OR-ed. Without this, a rule keyed on one
	// spelling of the path would not fire when the process was started through
	// the other spelling (symlink vs. target — which direction the evaluators
	// resolve is not visible here).
	// All comparisons go through eval.GlobCmp, presumably the glob-aware
	// variant, so patterns keep working on the alternative pathnames.
	ProcessSymlinkPathname = &eval.OpOverrides{
		StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			// the plain comparison is always part of the result
			path, err := eval.GlobCmp.StringEquals(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.path" || a.Field == "process.file.path" {
				// OR in the comparison against each of the two symlink pathnames
				se1, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}

				se2, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}

				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			} else if b.Field == "exec.file.path" || b.Field == "process.file.path" {
				// mirror branch: the process field is the right-hand operand.
				// NOTE(review): the symlink evaluator is passed as the FIRST argument
				// here, whereas ProcessSymlinkBasename's mirror branch keeps `a`
				// first; GlobCmp.StringEquals is not shown, so confirm it treats
				// both operands symmetrically. Also note that when both operands
				// are process path fields only a's symlinks are considered.
				se1, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[0](b.Field), a, state)
				if err != nil {
					return nil, err
				}

				se2, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[1](b.Field), a, state)
				if err != nil {
					return nil, err
				}

				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			}

			// neither operand is a process path field: nothing to add
			return path, nil
		},
		// StringValuesContains: `b` is a set of values, so only `a` can be the
		// process path field; same OR-ing scheme as StringEquals.
		StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.GlobCmp.StringValuesContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.path" || a.Field == "process.file.path" {
				se1, err := eval.GlobCmp.StringValuesContains(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				se2, err := eval.GlobCmp.StringValuesContains(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			}

			return path, nil
		},
		// StringArrayContains: `b` is an array evaluator, so again only `a` can
		// be the process path field.
		StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.GlobCmp.StringArrayContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.path" || a.Field == "process.file.path" {
				se1, err := eval.GlobCmp.StringArrayContains(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				se2, err := eval.GlobCmp.StringArrayContains(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			}

			return path, nil
		},
		// StringArrayMatches: no symlink handling, plain delegation
		StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			return eval.GlobCmp.StringArrayMatches(a, b, state)
		},
	}

	// ProcessSymlinkBasename handles symlinks for process entries: the same
	// scheme as ProcessSymlinkPathname applied to "exec.file.name" /
	// "process.file.name", with a single alternative produced by
	// symlinkBasenameEvaluator (not shown here) and the plain, non-glob
	// eval.* comparisons.
	ProcessSymlinkBasename = &eval.OpOverrides{
		StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.StringEquals(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.name" || a.Field == "process.file.name" {
				symlink, err := eval.StringEquals(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			} else if b.Field == "exec.file.name" || b.Field == "process.file.name" {
				// mirror branch: operand order is preserved (`a` stays first)
				symlink, err := eval.StringEquals(a, symlinkBasenameEvaluator(b.Field), state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			}

			return path, nil
		},
		StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.StringValuesContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.name" || a.Field == "process.file.name" {
				symlink, err := eval.StringValuesContains(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			}

			return path, nil
		},
		StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.StringArrayContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.name" || a.Field == "process.file.name" {
				symlink, err := eval.StringArrayContains(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			}

			return path, nil
		},
		// StringArrayMatches: no symlink handling, plain delegation
		StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			return eval.StringArrayMatches(a, b, state)
		},
	}
)
// ByteOrder holds the host's byte order; it is zero-valued here and is
// presumably set from GetHostByteOrder at package initialisation — verify,
// since a nil ByteOrder would panic on first use.
var ByteOrder binary.ByteOrder

ByteOrder holds the host's byte order

// ContainerIDPatternStr is the regular-expression source for a container ID:
// one capturing group of exactly 64 hex digits (sha256.Size*2, the same width
// as ContainerIDLen). The pattern is not anchored, so any 64-hex-digit run
// inside a larger string matches as well — a plain sha256 digest embedded in
// a path, for instance; FindContainerID keeps the first such match.
var ContainerIDPatternStr = fmt.Sprintf("([[:xdigit:]]{%d})", sha256.Size*2)

ContainerIDPatternStr is the pattern of a container ID

var (

	// KernelCapabilityConstants list of kernel capabilities
	// generate_constants:Kernel Capability constants,Kernel Capability constants are the supported Linux Kernel Capability.
	// Each value is the single-bit mask 1 << <capability index> (indexes from
	// golang.org/x/sys/unix), so a constant can be tested against a capability
	// set with a bitwise AND; this presumes the matching event fields carry the
	// kernel's 64-bit capability bitmask — confirm on the field handlers.
	// Capabilities that only recent kernels define (e.g. CAP_BPF, CAP_PERFMON,
	// CAP_CHECKPOINT_RESTORE) are listed too; on older kernels their bit is
	// simply never set.
	KernelCapabilityConstants = map[string]uint64{
		"CAP_AUDIT_CONTROL":      1 << unix.CAP_AUDIT_CONTROL,
		"CAP_AUDIT_READ":         1 << unix.CAP_AUDIT_READ,
		"CAP_AUDIT_WRITE":        1 << unix.CAP_AUDIT_WRITE,
		"CAP_BLOCK_SUSPEND":      1 << unix.CAP_BLOCK_SUSPEND,
		"CAP_BPF":                1 << unix.CAP_BPF,
		"CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE,
		"CAP_CHOWN":              1 << unix.CAP_CHOWN,
		"CAP_DAC_OVERRIDE":       1 << unix.CAP_DAC_OVERRIDE,
		"CAP_DAC_READ_SEARCH":    1 << unix.CAP_DAC_READ_SEARCH,
		"CAP_FOWNER":             1 << unix.CAP_FOWNER,
		"CAP_FSETID":             1 << unix.CAP_FSETID,
		"CAP_IPC_LOCK":           1 << unix.CAP_IPC_LOCK,
		"CAP_IPC_OWNER":          1 << unix.CAP_IPC_OWNER,
		"CAP_KILL":               1 << unix.CAP_KILL,
		"CAP_LEASE":              1 << unix.CAP_LEASE,
		"CAP_LINUX_IMMUTABLE":    1 << unix.CAP_LINUX_IMMUTABLE,
		"CAP_MAC_ADMIN":          1 << unix.CAP_MAC_ADMIN,
		"CAP_MAC_OVERRIDE":       1 << unix.CAP_MAC_OVERRIDE,
		"CAP_MKNOD":              1 << unix.CAP_MKNOD,
		"CAP_NET_ADMIN":          1 << unix.CAP_NET_ADMIN,
		"CAP_NET_BIND_SERVICE":   1 << unix.CAP_NET_BIND_SERVICE,
		"CAP_NET_BROADCAST":      1 << unix.CAP_NET_BROADCAST,
		"CAP_NET_RAW":            1 << unix.CAP_NET_RAW,
		"CAP_PERFMON":            1 << unix.CAP_PERFMON,
		"CAP_SETFCAP":            1 << unix.CAP_SETFCAP,
		"CAP_SETGID":             1 << unix.CAP_SETGID,
		"CAP_SETPCAP":            1 << unix.CAP_SETPCAP,
		"CAP_SETUID":             1 << unix.CAP_SETUID,
		"CAP_SYSLOG":             1 << unix.CAP_SYSLOG,
		"CAP_SYS_ADMIN":          1 << unix.CAP_SYS_ADMIN,
		"CAP_SYS_BOOT":           1 << unix.CAP_SYS_BOOT,
		"CAP_SYS_CHROOT":         1 << unix.CAP_SYS_CHROOT,
		"CAP_SYS_MODULE":         1 << unix.CAP_SYS_MODULE,
		"CAP_SYS_NICE":           1 << unix.CAP_SYS_NICE,
		"CAP_SYS_PACCT":          1 << unix.CAP_SYS_PACCT,
		"CAP_SYS_PTRACE":         1 << unix.CAP_SYS_PTRACE,
		"CAP_SYS_RAWIO":          1 << unix.CAP_SYS_RAWIO,
		"CAP_SYS_RESOURCE":       1 << unix.CAP_SYS_RESOURCE,
		"CAP_SYS_TIME":           1 << unix.CAP_SYS_TIME,
		"CAP_SYS_TTY_CONFIG":     1 << unix.CAP_SYS_TTY_CONFIG,
		"CAP_WAKE_ALARM":         1 << unix.CAP_WAKE_ALARM,
	}
)
// ProcessSources names each process cache entry source, indexed by the
// ProcessCacheEntryFrom* constants (unknown, event, map, procfs_fallback,
// procfs_snapshot, in that order) — presumably what ProcessSourceToString
// indexes with; any new constant needs a matching entry here.
var ProcessSources = [...]string{
	0: "unknown",
	1: "event",
	2: "map",
	3: "procfs_fallback",
	4: "procfs_snapshot",
}
// SECLLegacyFields maps deprecated SECL field names (keys) to their current
// equivalents (values) so that rules written against the old attribute names
// keep working — presumably the rule compiler rewrites keys to values; verify
// at the caller. The renames follow a pattern: "<event>.filename" became
// "<event>.file.path", "<event>.basename" became "<event>.file.name", and
// the per-event destination attributes moved under "<event>.file.destination.*".
var SECLLegacyFields = map[eval.Field]eval.Field{

	"async": "event.async",

	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	// rename: the "old" side is the file itself, the "new" side its destination
	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",

	// link: the "source" side is the file itself, the "target" side its destination
	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	// exec/process: "name" used to mean the comm, not the file name
	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",
}

SECLLegacyFields contains the list of legacy attribute names that still need to be supported

var (
	// SECLVariables set of variables exposed to SECL rules; each entry
	// computes its value from the event being evaluated.
	SECLVariables = map[string]eval.VariableValue{
		// "process.pid" is the pid of the event's process context, or 0 when
		// the event carries no process context.
		"process.pid": eval.NewIntVariable(func(ctx *eval.Context) int {
			// NOTE(review): single-value type assertion — this panics if ctx.Event
			// is not a *Event, which is presumably guaranteed for every Context
			// built by this package (confirm at the callers). A checked assertion
			// returning 0 would instead hide a wiring mistake behind a silent
			// pid 0 in rule evaluation, so the loud failure is preferable as long
			// as the guarantee holds.
			pc := ctx.Event.(*Event).ProcessContext
			if pc == nil {
				return 0
			}
			return int(pc.Process.Pid)
		}, nil),
	}
)

Functions

func FindContainerID

func FindContainerID(s string) string

FindContainerID extracts the first substring that matches the pattern of a container ID

func GetEventTypePerCategory

func GetEventTypePerCategory() map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func GetHostByteOrder

func GetHostByteOrder() binary.ByteOrder

GetHostByteOrder guesses the host's byte order

func IsAlphaNumeric

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable

func IsPrintable(s string) bool

IsPrintable returns whether the string contains only printable Unicode characters

func IsPrintableASCII

func IsPrintableASCII(s string) bool

IsPrintableASCII returns whether the string contains only printable ASCII characters

func MarshalBinary added in v0.36.0

func MarshalBinary(data []byte, binaryMarshalers ...BinaryMarshaler) (int, error)

MarshalBinary calls a series of BinaryMarshaler

func NewDefaultEvent added in v0.43.0

func NewDefaultEvent() eval.Event

NewDefaultEvent returns a new event using the default field handlers

func NullTerminatedString added in v0.41.0

func NullTerminatedString(d []byte) string

func ProcessSourceToString added in v0.46.0

func ProcessSourceToString(source uint64) string

func SliceToArray

func SliceToArray(src []byte, dst []byte)

SliceToArray copies the bytes of src into dst. The destination must have enough space

func StringifyHelpersList

func StringifyHelpersList(input []uint32) []string

StringifyHelpersList returns a string list representation of a list of helpers

func UnmarshalBinary

func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)

UnmarshalBinary calls a series of BinaryUnmarshaler

func UnmarshalPrintableString

func UnmarshalPrintableString(data []byte, size int) (string, error)

UnmarshalPrintableString unmarshals a printable string

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshals a string

func UnmarshalStringArray

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extracts an array of strings from an array of bytes

Types

type ActivityDumpLoadConfig added in v0.40.0

// ActivityDumpLoadConfig represents the load configuration of an activity dump;
// it is carried to the activity dump manager inside a CgroupTracingEvent.
type ActivityDumpLoadConfig struct {
	// TracedEventTypes lists the event types the dump records.
	TracedEventTypes     []EventType
	// Timeout is the dump duration; SetTimeout updates it.
	Timeout              time.Duration
	// The *TimestampRaw fields are raw, unconverted timestamps; their unit and clock
	// are not visible here — TODO confirm against the eBPF side.
	WaitListTimestampRaw uint64
	StartTimestampRaw    uint64
	EndTimestampRaw      uint64
	Rate                 uint32 // max number of events per sec
	// Paused is a uint32 flag; presumably non-zero means the dump is paused — confirm.
	Paused               uint32
}

ActivityDumpLoadConfig represents the load configuration of an activity dump

func (*ActivityDumpLoadConfig) EventUnmarshalBinary added in v0.40.0

func (adlc *ActivityDumpLoadConfig) EventUnmarshalBinary(data []byte) (int, error)

EventUnmarshalBinary unmarshals a binary representation of itself

func (*ActivityDumpLoadConfig) MarshalBinary added in v0.40.0

func (adlc *ActivityDumpLoadConfig) MarshalBinary() ([]byte, error)

MarshalBinary marshals a binary representation of itself

func (*ActivityDumpLoadConfig) SetTimeout added in v0.40.0

func (adlc *ActivityDumpLoadConfig) SetTimeout(duration time.Duration)

SetTimeout updates the timeout of an activity dump

func (*ActivityDumpLoadConfig) UnmarshalBinary added in v0.40.0

func (adlc *ActivityDumpLoadConfig) UnmarshalBinary(data []byte) error

UnmarshalBinary unmarshals a binary representation of itself

type AddressFamily added in v0.37.0

// AddressFamily represents an address family (AF_INET, AF_INET6, AF_UNIX, etc.); it has a String method.
type AddressFamily int

AddressFamily represents an address family (AF_INET, AF_INET6, AF_UNIX, etc.)

func (AddressFamily) String added in v0.37.0

func (af AddressFamily) String() string

type AnomalyDetectionSyscallEvent added in v0.45.0

// AnomalyDetectionSyscallEvent represents an anomaly detection for a syscall event.
type AnomalyDetectionSyscallEvent struct {
	// SyscallID identifies the syscall that was flagged (Syscall is defined elsewhere in the package).
	SyscallID Syscall
}

AnomalyDetectionSyscallEvent represents an anomaly detection for a syscall event

func (*AnomalyDetectionSyscallEvent) UnmarshalBinary added in v0.45.0

func (e *AnomalyDetectionSyscallEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ArgsEntry

// ArgsEntry defines an args cache entry; Equals compares two entries.
type ArgsEntry struct {
	// Values holds the decoded argument strings.
	Values    []string
	// Truncated is presumably set when the argument list was cut short (see MaxArgEnvSize) — confirm.
	Truncated bool
}

ArgsEntry defines an args cache entry

func (*ArgsEntry) Equals added in v0.36.0

func (p *ArgsEntry) Equals(o *ArgsEntry) bool

Equals compares two ArgsEntry

type ArgsEnvs

// ArgsEnvs holds the raw value for args and envs as received from the kernel side.
type ArgsEnvs struct {
	// ID links this chunk to its process entry — presumably; confirm against the event producer.
	ID        uint32
	// Size is presumably the number of valid bytes in ValuesRaw — confirm.
	Size      uint32
	// ValuesRaw is a fixed-size buffer bounded by MaxArgEnvSize.
	ValuesRaw [MaxArgEnvSize]byte
}

ArgsEnvs holds the raw value for args and envs

type ArgsEnvsEvent

// ArgsEnvsEvent defines an args/envs event; it embeds ArgsEnvs and decodes itself via UnmarshalBinary.
type ArgsEnvsEvent struct {
	ArgsEnvs
}

ArgsEnvsEvent defines an args/envs event

func (*ArgsEnvsEvent) UnmarshalBinary

func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFAttachType

// BPFAttachType is used to define attach type constants; it has a String method.
type BPFAttachType uint32

BPFAttachType is used to define attach type constants

const (
	// NOTE(review): values start at 1 (iota + 1) and are iota-derived, so inserting a
	// constant anywhere but the end shifts every later value; presumably these decode
	// attach types reported by the kernel, so keep the order aligned with that enum.
	// BpfCgroupInetIngress attach type
	BpfCgroupInetIngress BPFAttachType = iota + 1
	// BpfCgroupInetEgress attach type
	BpfCgroupInetEgress
	// BpfCgroupInetSockCreate attach type
	BpfCgroupInetSockCreate
	// BpfCgroupSockOps attach type
	BpfCgroupSockOps
	// BpfSkSkbStreamParser attach type
	BpfSkSkbStreamParser
	// BpfSkSkbStreamVerdict attach type
	BpfSkSkbStreamVerdict
	// BpfCgroupDevice attach type
	BpfCgroupDevice
	// BpfSkMsgVerdict attach type
	BpfSkMsgVerdict
	// BpfCgroupInet4Bind attach type
	BpfCgroupInet4Bind
	// BpfCgroupInet6Bind attach type
	BpfCgroupInet6Bind
	// BpfCgroupInet4Connect attach type
	BpfCgroupInet4Connect
	// BpfCgroupInet6Connect attach type
	BpfCgroupInet6Connect
	// BpfCgroupInet4PostBind attach type
	BpfCgroupInet4PostBind
	// BpfCgroupInet6PostBind attach type
	BpfCgroupInet6PostBind
	// BpfCgroupUDP4Sendmsg attach type
	BpfCgroupUDP4Sendmsg
	// BpfCgroupUDP6Sendmsg attach type
	BpfCgroupUDP6Sendmsg
	// BpfLircMode2 attach type
	BpfLircMode2
	// BpfFlowDissector attach type
	BpfFlowDissector
	// BpfCgroupSysctl attach type
	BpfCgroupSysctl
	// BpfCgroupUDP4Recvmsg attach type
	BpfCgroupUDP4Recvmsg
	// BpfCgroupUDP6Recvmsg attach type
	BpfCgroupUDP6Recvmsg
	// BpfCgroupGetsockopt attach type
	BpfCgroupGetsockopt
	// BpfCgroupSetsockopt attach type
	BpfCgroupSetsockopt
	// BpfTraceRawTp attach type
	BpfTraceRawTp
	// BpfTraceFentry attach type
	BpfTraceFentry
	// BpfTraceFexit attach type
	BpfTraceFexit
	// BpfModifyReturn attach type
	BpfModifyReturn
	// BpfLsmMac attach type
	BpfLsmMac
	// BpfTraceIter attach type
	BpfTraceIter
	// BpfCgroupInet4Getpeername attach type
	BpfCgroupInet4Getpeername
	// BpfCgroupInet6Getpeername attach type
	BpfCgroupInet6Getpeername
	// BpfCgroupInet4Getsockname attach type
	BpfCgroupInet4Getsockname
	// BpfCgroupInet6Getsockname attach type
	BpfCgroupInet6Getsockname
	// BpfXdpDevmap attach type
	BpfXdpDevmap
	// BpfCgroupInetSockRelease attach type
	BpfCgroupInetSockRelease
	// BpfXdpCPUmap attach type
	BpfXdpCPUmap
	// BpfSkLookup attach type
	BpfSkLookup
	// BpfXdp attach type
	BpfXdp
	// BpfSkSkbVerdict attach type
	BpfSkSkbVerdict
)

func (BPFAttachType) String

func (t BPFAttachType) String() string

type BPFCmd

// BPFCmd represents a BPF command; it has a String method. Note that BPFEvent.Cmd carries the value as uint32.
type BPFCmd uint64

BPFCmd represents a BPF command

const (
	// NOTE(review): values are iota-derived starting at 0, so inserting a constant anywhere
	// but the end shifts every later value; presumably these decode command numbers reported
	// by the kernel, so keep the order aligned with that enum.
	// BpfMapCreateCmd command
	BpfMapCreateCmd BPFCmd = iota
	// BpfMapLookupElemCmd command
	BpfMapLookupElemCmd
	// BpfMapUpdateElemCmd command
	BpfMapUpdateElemCmd
	// BpfMapDeleteElemCmd command
	BpfMapDeleteElemCmd
	// BpfMapGetNextKeyCmd command
	BpfMapGetNextKeyCmd
	// BpfProgLoadCmd command
	BpfProgLoadCmd
	// BpfObjPinCmd command
	BpfObjPinCmd
	// BpfObjGetCmd command
	BpfObjGetCmd
	// BpfProgAttachCmd command
	BpfProgAttachCmd
	// BpfProgDetachCmd command
	BpfProgDetachCmd
	// BpfProgTestRunCmd command
	BpfProgTestRunCmd
	// BpfProgGetNextIDCmd command
	BpfProgGetNextIDCmd
	// BpfMapGetNextIDCmd command
	BpfMapGetNextIDCmd
	// BpfProgGetFdByIDCmd command
	BpfProgGetFdByIDCmd
	// BpfMapGetFdByIDCmd command
	BpfMapGetFdByIDCmd
	// BpfObjGetInfoByFdCmd command
	BpfObjGetInfoByFdCmd
	// BpfProgQueryCmd command
	BpfProgQueryCmd
	// BpfRawTracepointOpenCmd command
	BpfRawTracepointOpenCmd
	// BpfBtfLoadCmd command
	BpfBtfLoadCmd
	// BpfBtfGetFdByIDCmd command
	BpfBtfGetFdByIDCmd
	// BpfTaskFdQueryCmd command
	BpfTaskFdQueryCmd
	// BpfMapLookupAndDeleteElemCmd command
	BpfMapLookupAndDeleteElemCmd
	// BpfMapFreezeCmd command
	BpfMapFreezeCmd
	// BpfBtfGetNextIDCmd command
	BpfBtfGetNextIDCmd
	// BpfMapLookupBatchCmd command
	BpfMapLookupBatchCmd
	// BpfMapLookupAndDeleteBatchCmd command
	BpfMapLookupAndDeleteBatchCmd
	// BpfMapUpdateBatchCmd command
	BpfMapUpdateBatchCmd
	// BpfMapDeleteBatchCmd command
	BpfMapDeleteBatchCmd
	// BpfLinkCreateCmd command
	BpfLinkCreateCmd
	// BpfLinkUpdateCmd command
	BpfLinkUpdateCmd
	// BpfLinkGetFdByIDCmd command
	BpfLinkGetFdByIDCmd
	// BpfLinkGetNextIDCmd command
	BpfLinkGetNextIDCmd
	// BpfEnableStatsCmd command
	BpfEnableStatsCmd
	// BpfIterCreateCmd command
	BpfIterCreateCmd
	// BpfLinkDetachCmd command
	BpfLinkDetachCmd
	// BpfProgBindMapCmd command
	BpfProgBindMapCmd
)

func (BPFCmd) String

func (cmd BPFCmd) String() string

type BPFEvent

// BPFEvent represents a BPF event: a BPF command together with the map and/or program it involved.
type BPFEvent struct {
	SyscallEvent

	Map     BPFMap     `field:"map"`  // eBPF map involved in the BPF command
	Program BPFProgram `field:"prog"` // eBPF program involved in the BPF command
	// Cmd is carried as uint32 while the BPFCmd enum is uint64; presumably rendered via BPFCmd(e.Cmd).String() — confirm.
	Cmd     uint32     `field:"cmd"`  // SECLDoc[cmd] Definition:`BPF command name` Constants:`BPF commands`
}

BPFEvent represents a BPF event

func (*BPFEvent) UnmarshalBinary

func (e *BPFEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFHelperFunc

// BPFHelperFunc represents a BPF helper function; it has a String method (see also StringifyHelpersList).
type BPFHelperFunc uint32

BPFHelperFunc represents a BPF helper function

const (
	// NOTE(review): values are iota-derived starting at 0 (BpfUnspec), so inserting a constant
	// anywhere but the end shifts every later value; presumably these decode helper ids reported
	// by the kernel (BPFProgram.Helpers), so keep the order aligned with that enum.
	// BpfUnspec helper function
	BpfUnspec BPFHelperFunc = iota
	// BpfMapLookupElem helper function
	BpfMapLookupElem
	// BpfMapUpdateElem helper function
	BpfMapUpdateElem
	// BpfMapDeleteElem helper function
	BpfMapDeleteElem
	// BpfProbeRead helper function
	BpfProbeRead
	// BpfKtimeGetNs helper function
	BpfKtimeGetNs
	// BpfTracePrintk helper function
	BpfTracePrintk
	// BpfGetPrandomU32 helper function
	BpfGetPrandomU32
	// BpfGetSmpProcessorID helper function
	BpfGetSmpProcessorID
	// BpfSkbStoreBytes helper function
	BpfSkbStoreBytes
	// BpfL3CsumReplace helper function
	BpfL3CsumReplace
	// BpfL4CsumReplace helper function
	BpfL4CsumReplace
	// BpfTailCall helper function
	BpfTailCall
	// BpfCloneRedirect helper function
	BpfCloneRedirect
	// BpfGetCurrentPidTgid helper function
	BpfGetCurrentPidTgid
	// BpfGetCurrentUIDGid helper function
	BpfGetCurrentUIDGid
	// BpfGetCurrentComm helper function
	BpfGetCurrentComm
	// BpfGetCgroupClassid helper function
	BpfGetCgroupClassid
	// BpfSkbVlanPush helper function
	BpfSkbVlanPush
	// BpfSkbVlanPop helper function
	BpfSkbVlanPop
	// BpfSkbGetTunnelKey helper function
	BpfSkbGetTunnelKey
	// BpfSkbSetTunnelKey helper function
	BpfSkbSetTunnelKey
	// BpfPerfEventRead helper function
	BpfPerfEventRead
	// BpfRedirect helper function
	BpfRedirect
	// BpfGetRouteRealm helper function
	BpfGetRouteRealm
	// BpfPerfEventOutput helper function
	BpfPerfEventOutput
	// BpfSkbLoadBytes helper function
	BpfSkbLoadBytes
	// BpfGetStackid helper function
	BpfGetStackid
	// BpfCsumDiff helper function
	BpfCsumDiff
	// BpfSkbGetTunnelOpt helper function
	BpfSkbGetTunnelOpt
	// BpfSkbSetTunnelOpt helper function
	BpfSkbSetTunnelOpt
	// BpfSkbChangeProto helper function
	BpfSkbChangeProto
	// BpfSkbChangeType helper function
	BpfSkbChangeType
	// BpfSkbUnderCgroup helper function
	BpfSkbUnderCgroup
	// BpfGetHashRecalc helper function
	BpfGetHashRecalc
	// BpfGetCurrentTask helper function
	BpfGetCurrentTask
	// BpfProbeWriteUser helper function
	BpfProbeWriteUser
	// BpfCurrentTaskUnderCgroup helper function
	BpfCurrentTaskUnderCgroup
	// BpfSkbChangeTail helper function
	BpfSkbChangeTail
	// BpfSkbPullData helper function
	BpfSkbPullData
	// BpfCsumUpdate helper function
	BpfCsumUpdate
	// BpfSetHashInvalid helper function
	BpfSetHashInvalid
	// BpfGetNumaNodeID helper function
	BpfGetNumaNodeID
	// BpfSkbChangeHead helper function
	BpfSkbChangeHead
	// BpfXdpAdjustHead helper function
	BpfXdpAdjustHead
	// BpfProbeReadStr helper function
	BpfProbeReadStr
	// BpfGetSocketCookie helper function
	BpfGetSocketCookie
	// BpfGetSocketUID helper function
	BpfGetSocketUID
	// BpfSetHash helper function
	BpfSetHash
	// BpfSetsockopt helper function
	BpfSetsockopt
	// BpfSkbAdjustRoom helper function
	BpfSkbAdjustRoom
	// BpfRedirectMap helper function
	BpfRedirectMap
	// BpfSkRedirectMap helper function
	BpfSkRedirectMap
	// BpfSockMapUpdate helper function
	BpfSockMapUpdate
	// BpfXdpAdjustMeta helper function
	BpfXdpAdjustMeta
	// BpfPerfEventReadValue helper function
	BpfPerfEventReadValue
	// BpfPerfProgReadValue helper function
	BpfPerfProgReadValue
	// BpfGetsockopt helper function
	BpfGetsockopt
	// BpfOverrideReturn helper function
	BpfOverrideReturn
	// BpfSockOpsCbFlagsSet helper function
	BpfSockOpsCbFlagsSet
	// BpfMsgRedirectMap helper function
	BpfMsgRedirectMap
	// BpfMsgApplyBytes helper function
	BpfMsgApplyBytes
	// BpfMsgCorkBytes helper function
	BpfMsgCorkBytes
	// BpfMsgPullData helper function
	BpfMsgPullData
	// BpfBind helper function
	BpfBind
	// BpfXdpAdjustTail helper function
	BpfXdpAdjustTail
	// BpfSkbGetXfrmState helper function
	BpfSkbGetXfrmState
	// BpfGetStack helper function
	BpfGetStack
	// BpfSkbLoadBytesRelative helper function
	BpfSkbLoadBytesRelative
	// BpfFibLookup helper function
	BpfFibLookup
	// BpfSockHashUpdate helper function
	BpfSockHashUpdate
	// BpfMsgRedirectHash helper function
	BpfMsgRedirectHash
	// BpfSkRedirectHash helper function
	BpfSkRedirectHash
	// BpfLwtPushEncap helper function
	BpfLwtPushEncap
	// BpfLwtSeg6StoreBytes helper function
	BpfLwtSeg6StoreBytes
	// BpfLwtSeg6AdjustSrh helper function
	BpfLwtSeg6AdjustSrh
	// BpfLwtSeg6Action helper function
	BpfLwtSeg6Action
	// BpfRcRepeat helper function
	BpfRcRepeat
	// BpfRcKeydown helper function
	BpfRcKeydown
	// BpfSkbCgroupID helper function
	BpfSkbCgroupID
	// BpfGetCurrentCgroupID helper function
	BpfGetCurrentCgroupID
	// BpfGetLocalStorage helper function
	BpfGetLocalStorage
	// BpfSkSelectReuseport helper function
	BpfSkSelectReuseport
	// BpfSkbAncestorCgroupID helper function
	BpfSkbAncestorCgroupID
	// BpfSkLookupTCP helper function
	BpfSkLookupTCP
	// BpfSkLookupUDP helper function
	BpfSkLookupUDP
	// BpfSkRelease helper function
	BpfSkRelease
	// BpfMapPushElem helper function
	BpfMapPushElem
	// BpfMapPopElem helper function
	BpfMapPopElem
	// BpfMapPeekElem helper function
	BpfMapPeekElem
	// BpfMsgPushData helper function
	BpfMsgPushData
	// BpfMsgPopData helper function
	BpfMsgPopData
	// BpfRcPointerRel helper function
	BpfRcPointerRel
	// BpfSpinLock helper function
	BpfSpinLock
	// BpfSpinUnlock helper function
	BpfSpinUnlock
	// BpfSkFullsock helper function
	BpfSkFullsock
	// BpfTCPSock helper function
	BpfTCPSock
	// BpfSkbEcnSetCe helper function
	BpfSkbEcnSetCe
	// BpfGetListenerSock helper function
	BpfGetListenerSock
	// BpfSkcLookupTCP helper function
	BpfSkcLookupTCP
	// BpfTCPCheckSyncookie helper function
	BpfTCPCheckSyncookie
	// BpfSysctlGetName helper function
	BpfSysctlGetName
	// BpfSysctlGetCurrentValue helper function
	BpfSysctlGetCurrentValue
	// BpfSysctlGetNewValue helper function
	BpfSysctlGetNewValue
	// BpfSysctlSetNewValue helper function
	BpfSysctlSetNewValue
	// BpfStrtol helper function
	BpfStrtol
	// BpfStrtoul helper function
	BpfStrtoul
	// BpfSkStorageGet helper function
	BpfSkStorageGet
	// BpfSkStorageDelete helper function
	BpfSkStorageDelete
	// BpfSendSignal helper function
	BpfSendSignal
	// BpfTCPGenSyncookie helper function
	BpfTCPGenSyncookie
	// BpfSkbOutput helper function
	BpfSkbOutput
	// BpfProbeReadUser helper function
	BpfProbeReadUser
	// BpfProbeReadKernel helper function
	BpfProbeReadKernel
	// BpfProbeReadUserStr helper function
	BpfProbeReadUserStr
	// BpfProbeReadKernelStr helper function
	BpfProbeReadKernelStr
	// BpfTCPSendAck helper function
	BpfTCPSendAck
	// BpfSendSignalThread helper function
	BpfSendSignalThread
	// BpfJiffies64 helper function
	BpfJiffies64
	// BpfReadBranchRecords helper function
	BpfReadBranchRecords
	// BpfGetNsCurrentPidTgid helper function
	BpfGetNsCurrentPidTgid
	// BpfXdpOutput helper function
	BpfXdpOutput
	// BpfGetNetnsCookie helper function
	BpfGetNetnsCookie
	// BpfGetCurrentAncestorCgroupID helper function
	BpfGetCurrentAncestorCgroupID
	// BpfSkAssign helper function
	BpfSkAssign
	// BpfKtimeGetBootNs helper function
	BpfKtimeGetBootNs
	// BpfSeqPrintf helper function
	BpfSeqPrintf
	// BpfSeqWrite helper function
	BpfSeqWrite
	// BpfSkCgroupID helper function
	BpfSkCgroupID
	// BpfSkAncestorCgroupID helper function
	BpfSkAncestorCgroupID
	// BpfRingbufOutput helper function
	BpfRingbufOutput
	// BpfRingbufReserve helper function
	BpfRingbufReserve
	// BpfRingbufSubmit helper function
	BpfRingbufSubmit
	// BpfRingbufDiscard helper function
	BpfRingbufDiscard
	// BpfRingbufQuery helper function
	BpfRingbufQuery
	// BpfCsumLevel helper function
	BpfCsumLevel
	// BpfSkcToTCP6Sock helper function
	BpfSkcToTCP6Sock
	// BpfSkcToTCPSock helper function
	BpfSkcToTCPSock
	// BpfSkcToTCPTimewaitSock helper function
	BpfSkcToTCPTimewaitSock
	// BpfSkcToTCPRequestSock helper function
	BpfSkcToTCPRequestSock
	// BpfSkcToUDP6Sock helper function
	BpfSkcToUDP6Sock
	// BpfGetTaskStack helper function
	BpfGetTaskStack
	// BpfLoadHdrOpt helper function
	BpfLoadHdrOpt
	// BpfStoreHdrOpt helper function
	BpfStoreHdrOpt
	// BpfReserveHdrOpt helper function
	BpfReserveHdrOpt
	// BpfInodeStorageGet helper function
	BpfInodeStorageGet
	// BpfInodeStorageDelete helper function
	BpfInodeStorageDelete
	// BpfDPath helper function
	BpfDPath
	// BpfCopyFromUser helper function
	BpfCopyFromUser
	// BpfSnprintfBtf helper function
	BpfSnprintfBtf
	// BpfSeqPrintfBtf helper function
	BpfSeqPrintfBtf
	// BpfSkbCgroupClassid helper function
	BpfSkbCgroupClassid
	// BpfRedirectNeigh helper function
	BpfRedirectNeigh
	// BpfPerCPUPtr helper function
	BpfPerCPUPtr
	// BpfThisCPUPtr helper function
	BpfThisCPUPtr
	// BpfRedirectPeer helper function
	BpfRedirectPeer
	// BpfTaskStorageGet helper function
	BpfTaskStorageGet
	// BpfTaskStorageDelete helper function
	BpfTaskStorageDelete
	// BpfGetCurrentTaskBtf helper function
	BpfGetCurrentTaskBtf
	// BpfBprmOptsSet helper function
	BpfBprmOptsSet
	// BpfKtimeGetCoarseNs helper function
	BpfKtimeGetCoarseNs
	// BpfImaInodeHash helper function
	BpfImaInodeHash
	// BpfSockFromFile helper function
	BpfSockFromFile
	// BpfCheckMtu helper function
	BpfCheckMtu
	// BpfForEachMapElem helper function
	BpfForEachMapElem
	// BpfSnprintf helper function
	BpfSnprintf
)

func (BPFHelperFunc) String

func (f BPFHelperFunc) String() string

type BPFMap

// BPFMap represents a BPF map as seen by a BPFEvent. ID is excluded from both SECL fields and JSON.
type BPFMap struct {
	ID   uint32 `field:"-" json:"-"` // ID of the eBPF map
	// Type is the raw map type; see BPFMapType for the named constants and String().
	Type uint32 `field:"type"`       // SECLDoc[type] Definition:`Type of the eBPF map` Constants:`BPF map types`
	Name string `field:"name"`       // SECLDoc[name] Definition:`Name of the eBPF map (added in 7.35)`
}

BPFMap represents a BPF map

func (*BPFMap) UnmarshalBinary

func (m *BPFMap) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFMapType

// BPFMapType is used to define map type constants; it has a String method.
type BPFMapType uint32

BPFMapType is used to define map type constants

const (
	// NOTE(review): values are iota-derived starting at 0, so inserting a constant anywhere
	// but the end shifts every later value; presumably these decode map types reported by
	// the kernel (BPFMap.Type), so keep the order aligned with that enum.
	// BpfMapTypeUnspec map type
	BpfMapTypeUnspec BPFMapType = iota
	// BpfMapTypeHash map type
	BpfMapTypeHash
	// BpfMapTypeArray map type
	BpfMapTypeArray
	// BpfMapTypeProgArray map type
	BpfMapTypeProgArray
	// BpfMapTypePerfEventArray map type
	BpfMapTypePerfEventArray
	// BpfMapTypePercpuHash map type
	BpfMapTypePercpuHash
	// BpfMapTypePercpuArray map type
	BpfMapTypePercpuArray
	// BpfMapTypeStackTrace map type
	BpfMapTypeStackTrace
	// BpfMapTypeCgroupArray map type
	BpfMapTypeCgroupArray
	// BpfMapTypeLruHash map type
	BpfMapTypeLruHash
	// BpfMapTypeLruPercpuHash map type
	BpfMapTypeLruPercpuHash
	// BpfMapTypeLpmTrie map type
	BpfMapTypeLpmTrie
	// BpfMapTypeArrayOfMaps map type
	BpfMapTypeArrayOfMaps
	// BpfMapTypeHashOfMaps map type
	BpfMapTypeHashOfMaps
	// BpfMapTypeDevmap map type
	BpfMapTypeDevmap
	// BpfMapTypeSockmap map type
	BpfMapTypeSockmap
	// BpfMapTypeCPUmap map type
	BpfMapTypeCPUmap
	// BpfMapTypeXskmap map type
	BpfMapTypeXskmap
	// BpfMapTypeSockhash map type
	BpfMapTypeSockhash
	// BpfMapTypeCgroupStorage map type
	BpfMapTypeCgroupStorage
	// BpfMapTypeReuseportSockarray map type
	BpfMapTypeReuseportSockarray
	// BpfMapTypePercpuCgroupStorage map type
	BpfMapTypePercpuCgroupStorage
	// BpfMapTypeQueue map type
	BpfMapTypeQueue
	// BpfMapTypeStack map type
	BpfMapTypeStack
	// BpfMapTypeSkStorage map type
	BpfMapTypeSkStorage
	// BpfMapTypeDevmapHash map type
	BpfMapTypeDevmapHash
	// BpfMapTypeStructOps map type
	BpfMapTypeStructOps
	// BpfMapTypeRingbuf map type
	BpfMapTypeRingbuf
	// BpfMapTypeInodeStorage map type
	BpfMapTypeInodeStorage
	// BpfMapTypeTaskStorage map type
	BpfMapTypeTaskStorage
)

func (BPFMapType) String

func (t BPFMapType) String() string

type BPFProgram

// BPFProgram represents a BPF program as seen by a BPFEvent. ID is excluded from both SECL fields and JSON.
type BPFProgram struct {
	ID         uint32   `field:"-" json:"-"`  // ID of the eBPF program
	// Type and AttachType are raw values; see BPFProgramType and BPFAttachType for the named constants.
	Type       uint32   `field:"type"`        // SECLDoc[type] Definition:`Type of the eBPF program` Constants:`BPF program types`
	AttachType uint32   `field:"attach_type"` // SECLDoc[attach_type] Definition:`Attach type of the eBPF program` Constants:`BPF attach types`
	// Helpers holds raw helper ids; StringifyHelpersList renders them as names.
	Helpers    []uint32 `field:"helpers"`     // SECLDoc[helpers] Definition:`eBPF helpers used by the eBPF program (added in 7.35)` Constants:`BPF helper functions`
	Name       string   `field:"name"`        // SECLDoc[name] Definition:`Name of the eBPF program (added in 7.35)`
	// NOTE(review): Tag is described as a SHA-1 hash; treat it as a correlation identifier,
	// not as a collision-resistant integrity check of the program.
	Tag        string   `field:"tag"`         // SECLDoc[tag] Definition:`Hash (sha1) of the eBPF program (added in 7.35)`
}

BPFProgram represents a BPF program

func (*BPFProgram) UnmarshalBinary

func (p *BPFProgram) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFProgramType

// BPFProgramType is used to define program type constants; it has a String method.
type BPFProgramType uint32

BPFProgramType is used to define program type constants

const (
	// NOTE(review): values are iota-derived starting at 0, so inserting a constant anywhere
	// but the end shifts every later value; presumably these decode program types reported
	// by the kernel (BPFProgram.Type), so keep the order aligned with that enum.
	// BpfProgTypeUnspec program type
	BpfProgTypeUnspec BPFProgramType = iota
	// BpfProgTypeSocketFilter program type
	BpfProgTypeSocketFilter
	// BpfProgTypeKprobe program type
	BpfProgTypeKprobe
	// BpfProgTypeSchedCls program type
	BpfProgTypeSchedCls
	// BpfProgTypeSchedAct program type
	BpfProgTypeSchedAct
	// BpfProgTypeTracepoint program type
	BpfProgTypeTracepoint
	// BpfProgTypeXdp program type
	BpfProgTypeXdp
	// BpfProgTypePerfEvent program type
	BpfProgTypePerfEvent
	// BpfProgTypeCgroupSkb program type
	BpfProgTypeCgroupSkb
	// BpfProgTypeCgroupSock program type
	BpfProgTypeCgroupSock
	// BpfProgTypeLwtIn program type
	BpfProgTypeLwtIn
	// BpfProgTypeLwtOut program type
	BpfProgTypeLwtOut
	// BpfProgTypeLwtXmit program type
	BpfProgTypeLwtXmit
	// BpfProgTypeSockOps program type
	BpfProgTypeSockOps
	// BpfProgTypeSkSkb program type
	BpfProgTypeSkSkb
	// BpfProgTypeCgroupDevice program type
	BpfProgTypeCgroupDevice
	// BpfProgTypeSkMsg program type
	BpfProgTypeSkMsg
	// BpfProgTypeRawTracepoint program type
	BpfProgTypeRawTracepoint
	// BpfProgTypeCgroupSockAddr program type
	BpfProgTypeCgroupSockAddr
	// BpfProgTypeLwtSeg6local program type
	BpfProgTypeLwtSeg6local
	// BpfProgTypeLircMode2 program type
	BpfProgTypeLircMode2
	// BpfProgTypeSkReuseport program type
	BpfProgTypeSkReuseport
	// BpfProgTypeFlowDissector program type
	BpfProgTypeFlowDissector
	// BpfProgTypeCgroupSysctl program type
	BpfProgTypeCgroupSysctl
	// BpfProgTypeRawTracepointWritable program type
	BpfProgTypeRawTracepointWritable
	// BpfProgTypeCgroupSockopt program type
	BpfProgTypeCgroupSockopt
	// BpfProgTypeTracing program type
	BpfProgTypeTracing
	// BpfProgTypeStructOps program type
	BpfProgTypeStructOps
	// BpfProgTypeExt program type
	BpfProgTypeExt
	// BpfProgTypeLsm program type
	BpfProgTypeLsm
	// BpfProgTypeSkLookup program type
	BpfProgTypeSkLookup
)

func (BPFProgramType) String

func (t BPFProgramType) String() string

type BinaryMarshaler added in v0.36.0

// BinaryMarshaler is the interface implemented by every event type that can serialize itself.
// MarshalBinary writes into data and returns the number of bytes written; see the package-level
// MarshalBinary helper, which chains several marshalers.
type BinaryMarshaler interface {
	MarshalBinary(data []byte) (int, error)
}

BinaryMarshaler is the interface implemented by every event type

type BinaryUnmarshaler

// BinaryUnmarshaler is the interface implemented by every event type that decodes itself from
// raw bytes. UnmarshalBinary returns the number of bytes consumed; see the package-level
// UnmarshalBinary helper, which chains several unmarshalers.
type BinaryUnmarshaler interface {
	UnmarshalBinary(data []byte) (int, error)
}

BinaryUnmarshaler is the interface implemented by every event type

type BindEvent added in v0.37.0

// BindEvent represents a bind event (a socket bound to a local address).
type BindEvent struct {
	SyscallEvent

	Addr       IPPortContext `field:"addr"`        // Bound address
	// AddrFamily is the raw family value; presumably rendered through AddressFamily(e.AddrFamily).String() — confirm.
	AddrFamily uint16        `field:"addr.family"` // SECLDoc[addr.family] Definition:`Address family`
}

BindEvent represents a bind event

func (*BindEvent) UnmarshalBinary added in v0.37.0

func (e *BindEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type CapsetEvent

// CapsetEvent represents a capset event: the effective and permitted capability sets of the
// process after the change, as uint64 masks (see the Kernel Capability constants).
type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"` // SECLDoc[cap_effective] Definition:`Effective capability set of the process` Constants:`Kernel Capability constants`
	CapPermitted uint64 `field:"cap_permitted"` // SECLDoc[cap_permitted] Definition:`Permitted capability set of the process` Constants:`Kernel Capability constants`
}

CapsetEvent represents a capset event

func (*CapsetEvent) UnmarshalBinary

func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type CgroupTracingEvent added in v0.36.0

// CgroupTracingEvent is used to signal that a new cgroup should be traced by the activity dump manager.
type CgroupTracingEvent struct {
	// ContainerContext identifies the container/cgroup to trace.
	ContainerContext ContainerContext
	// Config carries the activity dump load configuration for that cgroup.
	Config           ActivityDumpLoadConfig
	// ConfigCookie identifies the config on the eBPF side — presumably; confirm against the producer.
	ConfigCookie     uint32
}

CgroupTracingEvent is used to signal that a new cgroup should be traced by the activity dump manager

func (*CgroupTracingEvent) UnmarshalBinary added in v0.36.0

func (e *CgroupTracingEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type ChmodEvent

// ChmodEvent represents a chmod event.
type ChmodEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	// Mode is exposed under two SECL names (file.destination.mode and file.destination.rights).
	Mode uint32    `field:"file.destination.mode; file.destination.rights"` // SECLDoc[file.destination.mode] Definition:`New mode of the chmod-ed file` Constants:`File mode constants` SECLDoc[file.destination.rights] Definition:`New rights of the chmod-ed file` Constants:`File mode constants`
}

ChmodEvent represents a chmod event

func (*ChmodEvent) UnmarshalBinary

func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ChownEvent

// ChownEvent represents a chown event. User and Group are resolved lazily through the
// ResolveChownUID / ResolveChownGID field handlers.
type ChownEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	// UID and GID are int64 rather than uint32 — presumably so a negative "unchanged" value can be represented; confirm.
	UID   int64     `field:"file.destination.uid"`                           // SECLDoc[file.destination.uid] Definition:`New UID of the chown-ed file's owner`
	User  string    `field:"file.destination.user,handler:ResolveChownUID"`  // SECLDoc[file.destination.user] Definition:`New user of the chown-ed file's owner`
	GID   int64     `field:"file.destination.gid"`                           // SECLDoc[file.destination.gid] Definition:`New GID of the chown-ed file's owner`
	Group string    `field:"file.destination.group,handler:ResolveChownGID"` // SECLDoc[file.destination.group] Definition:`New group of the chown-ed file's owner`
}

ChownEvent represents a chown event

func (*ChownEvent) UnmarshalBinary

func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ContainerContext

// ContainerContext holds the container context of an event. ID, CreatedAt and Tags are
// resolved lazily through their field handlers; Releasable is defined elsewhere in the package.
type ContainerContext struct {
	Releasable
	ID        string   `field:"id,handler:ResolveContainerID"`                              // SECLDoc[id] Definition:`ID of the container`
	CreatedAt uint64   `field:"created_at,handler:ResolveContainerCreatedAt"`               // SECLDoc[created_at] Definition:`Timestamp of the creation of the container`
	// The opts:skip_ad and weight:9999 tag options are interpreted by the field-handler generator; their semantics are not visible here.
	Tags      []string `field:"tags,handler:ResolveContainerTags,opts:skip_ad,weight:9999"` // SECLDoc[tags] Definition:`Tags of the container`
}

ContainerContext holds the container context of an event

func (*ContainerContext) UnmarshalBinary

func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Credentials

// Credentials represents the kernel credentials of a process: real, effective and filesystem
// uid/gid with their resolved names, plus the effective and permitted capability masks.
type Credentials struct {
	UID   uint32 `field:"uid"`   // SECLDoc[uid] Definition:`UID of the process`
	GID   uint32 `field:"gid"`   // SECLDoc[gid] Definition:`GID of the process`
	User  string `field:"user"`  // SECLDoc[user] Definition:`User of the process` Example:`process.user == "root"` Description:`Constrain an event to be triggered by a process running as the root user.`
	Group string `field:"group"` // SECLDoc[group] Definition:`Group of the process`

	EUID   uint32 `field:"euid"`   // SECLDoc[euid] Definition:`Effective UID of the process`
	EGID   uint32 `field:"egid"`   // SECLDoc[egid] Definition:`Effective GID of the process`
	EUser  string `field:"euser"`  // SECLDoc[euser] Definition:`Effective user of the process`
	EGroup string `field:"egroup"` // SECLDoc[egroup] Definition:`Effective group of the process`

	FSUID   uint32 `field:"fsuid"`   // SECLDoc[fsuid] Definition:`FileSystem-uid of the process`
	FSGID   uint32 `field:"fsgid"`   // SECLDoc[fsgid] Definition:`FileSystem-gid of the process`
	FSUser  string `field:"fsuser"`  // SECLDoc[fsuser] Definition:`FileSystem-user of the process`
	FSGroup string `field:"fsgroup"` // SECLDoc[fsgroup] Definition:`FileSystem-group of the process`

	// Capability sets are uint64 masks (see the Kernel Capability constants).
	CapEffective uint64 `field:"cap_effective"` // SECLDoc[cap_effective] Definition:`Effective capability set of the process` Constants:`Kernel Capability constants`
	CapPermitted uint64 `field:"cap_permitted"` // SECLDoc[cap_permitted] Definition:`Permitted capability set of the process` Constants:`Kernel Capability constants`
}

Credentials represents the kernel credentials of a process

func (*Credentials) Equals added in v0.47.0

func (c *Credentials) Equals(o *Credentials) bool

Equals returns whether both credentials are equal

func (*Credentials) MarshalBinary added in v0.36.0

func (e *Credentials) MarshalBinary(data []byte) (int, error)

MarshalBinary marshalls a binary representation of itself

func (*Credentials) UnmarshalBinary

func (e *Credentials) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type DNSEvent added in v0.36.0

// DNSEvent represents a DNS event (one parsed DNS request).
type DNSEvent struct {
	ID    uint16 `field:"id" json:"-"`                                             // SECLDoc[id] Definition:`[Experimental] the DNS request ID`
	// Name comparisons in rules go through eval.DNSNameCmp (op_override) rather than plain string equality.
	Name  string `field:"question.name,opts:length" op_override:"eval.DNSNameCmp"` // SECLDoc[question.name] Definition:`the queried domain name`
	Type  uint16 `field:"question.type"`                                           // SECLDoc[question.type] Definition:`a two octet code which specifies the DNS question type` Constants:`DNS qtypes`
	Class uint16 `field:"question.class"`                                          // SECLDoc[question.class] Definition:`the class looked up by the DNS question` Constants:`DNS qclasses`
	Size  uint16 `field:"question.length"`                                         // SECLDoc[question.length] Definition:`the total DNS request size in bytes`
	Count uint16 `field:"question.count"`                                          // SECLDoc[question.count] Definition:`the total count of questions in the DNS request`
}

DNSEvent represents a DNS event

func (*DNSEvent) UnmarshalBinary added in v0.36.0

func (e *DNSEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type DefaultFieldHandlers added in v0.43.0

// DefaultFieldHandlers is the stub field-handler set used by NewDefaultEvent; its Resolve* methods are stub implementations.
type DefaultFieldHandlers struct{}

func (*DefaultFieldHandlers) GetProcessService added in v0.46.0

func (dfh *DefaultFieldHandlers) GetProcessService(ev *Event) string

GetProcessService stub implementation

func (*DefaultFieldHandlers) ResolveAsync added in v0.44.0

func (dfh *DefaultFieldHandlers) ResolveAsync(ev *Event) bool

func (*DefaultFieldHandlers) ResolveChownGID added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveChownGID(ev *Event, e *ChownEvent) string

func (*DefaultFieldHandlers) ResolveChownUID added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveChownUID(ev *Event, e *ChownEvent) string

func (*DefaultFieldHandlers) ResolveContainerContext added in v0.46.0

func (dfh *DefaultFieldHandlers) ResolveContainerContext(ev *Event) (*ContainerContext, bool)

ResolveContainerContext stub implementation

func (*DefaultFieldHandlers) ResolveContainerCreatedAt added in v0.44.0

func (dfh *DefaultFieldHandlers) ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int

func (*DefaultFieldHandlers) ResolveContainerID added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveContainerID(ev *Event, e *ContainerContext) string

func (*DefaultFieldHandlers) ResolveContainerTags added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string

func (*DefaultFieldHandlers) ResolveEventTime added in v0.46.0

func (dfh *DefaultFieldHandlers) ResolveEventTime(ev *Event) time.Time

ResolveEventTime stub implementation

func (*DefaultFieldHandlers) ResolveEventTimestamp added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveEventTimestamp(ev *Event) int

func (*DefaultFieldHandlers) ResolveFileBasename added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) string

func (*DefaultFieldHandlers) ResolveFileFieldsGroup added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveFileFieldsGroup(ev *Event, e *FileFields) string

func (*DefaultFieldHandlers) ResolveFileFieldsInUpperLayer added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveFileFieldsInUpperLayer(ev *Event, e *FileFields) bool

func (*DefaultFieldHandlers) ResolveFileFieldsUser added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveFileFieldsUser(ev *Event, e *FileFields) string

func (*DefaultFieldHandlers) ResolveFileFilesystem added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveFileFilesystem(ev *Event, e *FileEvent) string

func (*DefaultFieldHandlers) ResolveFilePath added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string

func (*DefaultFieldHandlers) ResolveHashes added in v0.47.0

func (dfh *DefaultFieldHandlers) ResolveHashes(eventType EventType, process *Process, file *FileEvent) []string

ResolveHashes resolves the hashes of the provided file for the given event type and process. On DefaultFieldHandlers this is presumably a stub like the other handlers (returns no hashes) — confirm before depending on it.

func (*DefaultFieldHandlers) ResolveHashesFromEvent added in v0.47.0

func (dfh *DefaultFieldHandlers) ResolveHashesFromEvent(ev *Event, e *FileEvent) []string

func (*DefaultFieldHandlers) ResolveModuleArgs added in v0.45.0

func (dfh *DefaultFieldHandlers) ResolveModuleArgs(ev *Event, e *LoadModuleEvent) string

func (*DefaultFieldHandlers) ResolveModuleArgv added in v0.45.0

func (dfh *DefaultFieldHandlers) ResolveModuleArgv(ev *Event, e *LoadModuleEvent) []string

func (*DefaultFieldHandlers) ResolveMountPointPath added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveMountPointPath(ev *Event, e *MountEvent) string

func (*DefaultFieldHandlers) ResolveMountSourcePath added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveMountSourcePath(ev *Event, e *MountEvent) string

func (*DefaultFieldHandlers) ResolveNetworkDeviceIfName added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveNetworkDeviceIfName(ev *Event, e *NetworkDeviceContext) string

func (*DefaultFieldHandlers) ResolvePackageName added in v0.44.0

func (dfh *DefaultFieldHandlers) ResolvePackageName(ev *Event, e *FileEvent) string

func (*DefaultFieldHandlers) ResolvePackageSourceVersion added in v0.44.0

func (dfh *DefaultFieldHandlers) ResolvePackageSourceVersion(ev *Event, e *FileEvent) string

func (*DefaultFieldHandlers) ResolvePackageVersion added in v0.44.0

func (dfh *DefaultFieldHandlers) ResolvePackageVersion(ev *Event, e *FileEvent) string

func (*DefaultFieldHandlers) ResolveProcessArgs added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessArgs(ev *Event, e *Process) string

func (*DefaultFieldHandlers) ResolveProcessArgsFlags added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessArgsFlags(ev *Event, e *Process) []string

func (*DefaultFieldHandlers) ResolveProcessArgsOptions added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessArgsOptions(ev *Event, e *Process) []string

func (*DefaultFieldHandlers) ResolveProcessArgsTruncated added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessArgsTruncated(ev *Event, e *Process) bool

func (*DefaultFieldHandlers) ResolveProcessArgv added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessArgv(ev *Event, e *Process) []string

func (*DefaultFieldHandlers) ResolveProcessArgv0 added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessArgv0(ev *Event, e *Process) string

func (*DefaultFieldHandlers) ResolveProcessCacheEntry added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessCacheEntry(ev *Event) (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry stub implementation

func (*DefaultFieldHandlers) ResolveProcessCreatedAt added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int

func (*DefaultFieldHandlers) ResolveProcessEnvp added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessEnvp(ev *Event, e *Process) []string

func (*DefaultFieldHandlers) ResolveProcessEnvs added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessEnvs(ev *Event, e *Process) []string

func (*DefaultFieldHandlers) ResolveProcessEnvsTruncated added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveProcessEnvsTruncated(ev *Event, e *Process) bool

func (*DefaultFieldHandlers) ResolveRights added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveRights(ev *Event, e *FileFields) int

func (*DefaultFieldHandlers) ResolveSELinuxBoolName added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSELinuxBoolName(ev *Event, e *SELinuxEvent) string

func (*DefaultFieldHandlers) ResolveSetgidEGroup added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSetgidEGroup(ev *Event, e *SetgidEvent) string

func (*DefaultFieldHandlers) ResolveSetgidFSGroup added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSetgidFSGroup(ev *Event, e *SetgidEvent) string

func (*DefaultFieldHandlers) ResolveSetgidGroup added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSetgidGroup(ev *Event, e *SetgidEvent) string

func (*DefaultFieldHandlers) ResolveSetuidEUser added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSetuidEUser(ev *Event, e *SetuidEvent) string

func (*DefaultFieldHandlers) ResolveSetuidFSUser added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSetuidFSUser(ev *Event, e *SetuidEvent) string

func (*DefaultFieldHandlers) ResolveSetuidUser added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveSetuidUser(ev *Event, e *SetuidEvent) string

func (*DefaultFieldHandlers) ResolveXAttrName added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveXAttrName(ev *Event, e *SetXAttrEvent) string

func (*DefaultFieldHandlers) ResolveXAttrNamespace added in v0.43.0

func (dfh *DefaultFieldHandlers) ResolveXAttrNamespace(ev *Event, e *SetXAttrEvent) string

type EnvsEntry

// EnvsEntry is a cache entry holding the environment variables captured for
// a process. Values may contain secrets (tokens, passwords, keys); expose
// them through FilterEnvs rather than directly.
type EnvsEntry struct {
	// Values holds the captured variables as received from the kernel.
	Values    []string
	// Truncated reports that the captured list was cut short (presumably by
	// a size limit), so Values is incomplete and a lookup miss does not prove
	// the variable was absent from the process environment.
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines an environment-variables cache entry; Truncated reports whether the captured list is incomplete.

func (*EnvsEntry) Equals added in v0.36.0

func (p *EnvsEntry) Equals(o *EnvsEntry) bool

Equals compares two EnvsEntry

func (*EnvsEntry) FilterEnvs added in v0.39.0

func (p *EnvsEntry) FilterEnvs(envsWithValue map[string]bool) ([]string, bool)

FilterEnvs returns the environment variables with their values stripped: only the variable name is kept unless the name is present in envsWithValue, in which case the variable is returned with its value. Keep that allow-list tight — environment values routinely carry credentials and tokens, and anything let through ends up in emitted events and dumps. The second result presumably mirrors Truncated (the captured list was incomplete) — confirm.

func (*EnvsEntry) Get

func (p *EnvsEntry) Get(key string) string

Get returns the value of the environment variable named key (presumably the empty string when it is absent or was truncated away — confirm).

type ErrInvalidKeyPath added in v0.44.0

// ErrInvalidKeyPath is returned when a path key's inode or mount ID fails
// validation. The fields presumably carry the rejected values so the
// Error() message can identify the offending key — confirm against Error().
type ErrInvalidKeyPath struct {
	Inode   uint64 // inode number of the invalid key
	MountID uint32 // mount ID of the invalid key
}

ErrInvalidKeyPath is returned when the inode or mount ID of a path key is not valid; Inode and MountID carry the values that were rejected.

func (*ErrInvalidKeyPath) Error added in v0.44.0

func (e *ErrInvalidKeyPath) Error() string

type Event

// Event represents an event sent from the kernel. The `field:` tags are the
// source for the generated SECL accessors (GetFieldValue, SetFieldValue,
// GetFields); a field tagged `field:"-"` is presumably not addressable from
// rules. `event:` names the event type a field belongs to (`*` = every
// type), `handler:` names the FieldHandlers method that lazily resolves it,
// and `platform:` restricts it to that OS. Only the per-event struct that
// matches GetEventType is presumably populated for a given event — confirm.
type Event struct {
	// ID is a user-space identifier of the event; it is neither a SECL field
	// nor serialized to JSON.
	ID           string         `field:"-" json:"-"`
	// Type is the raw EventType value; use GetEventType for the typed form.
	Type         uint32         `field:"-"`
	// Flags is a bit set manipulated via AddToFlags/RemoveFromFlags and
	// queried by IsSavedByActivityDumps, IsActivityDumpSample, IsInProfile.
	Flags        uint32         `field:"-"`
	Async        bool           `field:"event.async,handler:ResolveAsync" event:"*" platform:"linux"` // SECLDoc[event.async] Definition:`True if the syscall was asynchronous`
	TimestampRaw uint64         `field:"event.timestamp,handler:ResolveEventTimestamp" json:"-"`      // SECLDoc[event.timestamp] Definition:`Timestamp of the event`
	// Timestamp is the wall-clock form, presumably derived from TimestampRaw
	// by ResolveEventTime — confirm.
	Timestamp    time.Time      `field:"-"`
	// Rules lists the rules this event matched.
	Rules        []*MatchedRule `field:"-"`

	// context shared with all events
	PIDContext             PIDContext             `field:"-" json:"-" platform:"linux"`
	SpanContext            SpanContext            `field:"-" json:"-" platform:"linux"`
	// ProcessContext and ContainerContext are pointers and may be nil
	// (ResolveProcessCacheEntry/ResolveContainerContext report a bool);
	// check before dereferencing.
	ProcessContext         *ProcessContext        `field:"process" event:"*" platform:"linux"`
	ContainerContext       *ContainerContext      `field:"container" platform:"linux"`
	NetworkContext         NetworkContext         `field:"network" platform:"linux"`
	SecurityProfileContext SecurityProfileContext `field:"-"`

	// fim events
	Chmod       ChmodEvent    `field:"chmod" event:"chmod" platform:"linux"`             // [7.27] [File] A file’s permissions were changed
	Chown       ChownEvent    `field:"chown" event:"chown" platform:"linux"`             // [7.27] [File] A file’s owner was changed
	Open        OpenEvent     `field:"open" event:"open" platform:"linux"`               // [7.27] [File] A file was opened
	Mkdir       MkdirEvent    `field:"mkdir" event:"mkdir" platform:"linux"`             // [7.27] [File] A directory was created
	Rmdir       RmdirEvent    `field:"rmdir" event:"rmdir" platform:"linux"`             // [7.27] [File] A directory was removed
	Rename      RenameEvent   `field:"rename" event:"rename" platform:"linux"`           // [7.27] [File] A file/directory was renamed
	Unlink      UnlinkEvent   `field:"unlink" event:"unlink" platform:"linux"`           // [7.27] [File] A file was deleted
	Utimes      UtimesEvent   `field:"utimes" event:"utimes" platform:"linux"`           // [7.27] [File] Change file access/modification times
	Link        LinkEvent     `field:"link" event:"link" platform:"linux"`               // [7.27] [File] Create a new name/alias for a file
	SetXAttr    SetXAttrEvent `field:"setxattr" event:"setxattr" platform:"linux"`       // [7.27] [File] Set extended attributes
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr" platform:"linux"` // [7.27] [File] Remove extended attributes
	Splice      SpliceEvent   `field:"splice" event:"splice" platform:"linux"`           // [7.36] [File] A splice command was executed
	Mount       MountEvent    `field:"mount" event:"mount" platform:"linux"`             // [7.42] [File] [Experimental] A filesystem was mounted

	// process events
	Exec     ExecEvent     `field:"exec" event:"exec" platform:"linux"`     // [7.27] [Process] A process was executed or forked
	SetUID   SetuidEvent   `field:"setuid" event:"setuid" platform:"linux"` // [7.27] [Process] A process changed its effective uid
	SetGID   SetgidEvent   `field:"setgid" event:"setgid" platform:"linux"` // [7.27] [Process] A process changed its effective gid
	Capset   CapsetEvent   `field:"capset" event:"capset" platform:"linux"` // [7.27] [Process] A process changed its capability set
	Signal   SignalEvent   `field:"signal" event:"signal" platform:"linux"` // [7.35] [Process] A signal was sent
	Exit     ExitEvent     `field:"exit" event:"exit" platform:"linux"`     // [7.38] [Process] A process was terminated
	Syscalls SyscallsEvent `field:"-" platform:"linux"`

	// anomaly detection related events
	AnomalyDetectionSyscallEvent AnomalyDetectionSyscallEvent `field:"-"`

	// kernel events
	SELinux      SELinuxEvent      `field:"selinux" event:"selinux" platform:"linux"`             // [7.30] [Kernel] An SELinux operation was run
	BPF          BPFEvent          `field:"bpf" event:"bpf" platform:"linux"`                     // [7.33] [Kernel] A BPF command was executed
	PTrace       PTraceEvent       `field:"ptrace" event:"ptrace" platform:"linux"`               // [7.35] [Kernel] A ptrace command was executed
	MMap         MMapEvent         `field:"mmap" event:"mmap" platform:"linux"`                   // [7.35] [Kernel] A mmap command was executed
	MProtect     MProtectEvent     `field:"mprotect" event:"mprotect" platform:"linux"`           // [7.35] [Kernel] A mprotect command was executed
	LoadModule   LoadModuleEvent   `field:"load_module" event:"load_module" platform:"linux"`     // [7.35] [Kernel] A new kernel module was loaded
	UnloadModule UnloadModuleEvent `field:"unload_module" event:"unload_module" platform:"linux"` // [7.35] [Kernel] A kernel module was deleted

	// network events
	DNS  DNSEvent  `field:"dns" event:"dns" platform:"linux"`   // [7.36] [Network] A DNS request was sent
	Bind BindEvent `field:"bind" event:"bind" platform:"linux"` // [7.37] [Network] [Experimental] A bind was executed

	// internal usage: these carry bookkeeping events (mount/dentry cache
	// maintenance, args/envs chunks, cgroup and net-device tracking) that
	// are not SECL fields and are not serialized.
	ProcessCacheEntry *ProcessCacheEntry    `field:"-" json:"-" platform:"linux"`
	Umount            UmountEvent           `field:"-" json:"-" platform:"linux"`
	InvalidateDentry  InvalidateDentryEvent `field:"-" json:"-" platform:"linux"`
	ArgsEnvs          ArgsEnvsEvent         `field:"-" json:"-" platform:"linux"`
	MountReleased     MountReleasedEvent    `field:"-" json:"-" platform:"linux"`
	CgroupTracing     CgroupTracingEvent    `field:"-" json:"-" platform:"linux"`
	NetDevice         NetDeviceEvent        `field:"-" json:"-" platform:"linux"`
	VethPair          VethPairEvent         `field:"-" json:"-" platform:"linux"`
	UnshareMountNS    UnshareMountNSEvent   `field:"-" json:"-" platform:"linux"`

	// mark event with having error; a non-nil Error means some field may be
	// missing or partial (see also FileEvent.PathResolutionError), so
	// consumers should not treat absence of a value as evidence of absence.
	Error error `field:"-" json:"-"`

	// field resolution: the handlers used by the generated accessors for
	// every `handler:`-tagged field. Must be set (Init/probe) before fields
	// are resolved; DefaultFieldHandlers yields stubs only.
	FieldHandlers FieldHandlers `field:"-" json:"-" platform:"linux"`
}

Event represents an event sent from the kernel. Its `field:` struct tags are the source for the generated accessors (GetFieldValue, SetFieldValue, GetFields); the stray "genaccessors" token here is presumably a leftover from the code-generation directive.

func (*Event) AddToFlags added in v0.45.0

func (e *Event) AddToFlags(flag uint32)

AddToFlags adds a flag to the event

func (*Event) GetEventType

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetFieldEventType

func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)

func (*Event) GetFieldType

func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error)

func (*Event) GetFieldValue

func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields

func (ev *Event) GetFields() []eval.Field

func (*Event) GetProcessService added in v0.46.0

func (ev *Event) GetProcessService() string

GetProcessService delegates to FieldHandlers.GetProcessService.

func (*Event) GetTags

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetType

func (e *Event) GetType() string

GetType returns the event type

func (*Event) GetWorkloadID added in v0.47.0

func (e *Event) GetWorkloadID() string

GetWorkloadID returns an ID that represents the workload

func (*Event) HasProfile added in v0.45.0

func (e *Event) HasProfile() bool

HasProfile returns true if we found a profile for that event

func (*Event) Init added in v0.39.0

func (e *Event) Init()

Init initializes the event.

func (*Event) IsActivityDumpSample added in v0.40.0

func (e *Event) IsActivityDumpSample() bool

IsActivityDumpSample reports whether the event is an activity-dump (AD) sample.

func (*Event) IsAnomalyDetectionEvent added in v0.47.0

func (e *Event) IsAnomalyDetectionEvent() bool

IsAnomalyDetectionEvent returns true if the current event is an anomaly detection event (kernel or user space)

func (*Event) IsInProfile added in v0.45.0

func (e *Event) IsInProfile() bool

IsInProfile return true if the event was found in the profile

func (*Event) IsKernelSpaceAnomalyDetectionEvent added in v0.47.0

func (e *Event) IsKernelSpaceAnomalyDetectionEvent() bool

IsKernelSpaceAnomalyDetectionEvent returns true if the event is a kernel space anomaly detection event

func (*Event) IsSavedByActivityDumps added in v0.44.0

func (e *Event) IsSavedByActivityDumps() bool

IsSavedByActivityDumps reports whether the event was saved by an activity dump (AD).

func (*Event) Release added in v0.43.0

func (ev *Event) Release()

Release releases the event. Presumably the event is recycled afterwards (see Retain), so it must not be used once released — confirm against the implementation.

func (*Event) RemoveFromFlags added in v0.45.0

func (e *Event) RemoveFromFlags(flag uint32)

RemoveFromFlags clears a flag on the event.

func (*Event) ResolveEventTime added in v0.46.0

func (ev *Event) ResolveEventTime() time.Time

ResolveEventTime delegates to FieldHandlers.ResolveEventTime.

func (*Event) ResolveFields added in v0.43.0

func (ev *Event) ResolveFields()

ResolveFields resolves all the fields associated with the event type. Context fields are automatically resolved.

func (*Event) ResolveFieldsForAD added in v0.44.0

func (ev *Event) ResolveFieldsForAD()

ResolveFieldsForAD resolves all the fields associated with the event type for activity dumps. Context fields are automatically resolved; fields tagged `opts:skip_ad` (for example FileEvent.Hashes) are presumably skipped — confirm.

func (*Event) ResolveProcessCacheEntry added in v0.43.0

func (ev *Event) ResolveProcessCacheEntry() (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry delegates to FieldHandlers.ResolveProcessCacheEntry; the bool reports whether an entry was found, so check it before using the pointer.

func (*Event) Retain added in v0.43.0

func (ev *Event) Retain() Event

Retain returns a copy of the event that can be kept beyond the lifetime of the original; use it for anything held after Release is called (the original is presumably pooled — confirm).

func (*Event) SetFieldValue

func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) SetPathResolutionError added in v0.43.0

func (ev *Event) SetPathResolutionError(fileFields *FileEvent, err error)

SetPathResolutionError records err as the path-resolution error of fileFields (see FileEvent.PathResolutionError). A path field populated after such a failure may be empty or partial, so rules and consumers matching on file paths should check GetPathResolutionError before treating a non-match as meaningful.

func (*Event) UnmarshalBinary

func (e *Event) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary decodes the event header from its kernel-supplied binary representation and returns the number of bytes consumed together with any decoding error.

type EventCategory

// EventCategory is a type alias (not a distinct type) for the category
// string of an event; the values are the *Category constants below and are
// obtained with GetEventTypeCategory.
type EventCategory = string

EventCategory category type

// Event categories. Being plain strings (EventCategory is an alias), these
// values are presumably what appear in emitted tags/metrics, so renaming
// one is a consumer-visible change.
const (
	// FIMCategory FIM events
	FIMCategory EventCategory = "File Activity"
	// ProcessCategory process events
	ProcessCategory EventCategory = "Process Activity"
	// KernelCategory Kernel events
	KernelCategory EventCategory = "Kernel Activity"
	// NetworkCategory network events
	NetworkCategory EventCategory = "Network Activity"
)

Event categories

func GetAllCategories added in v0.34.0

func GetAllCategories() []EventCategory

GetAllCategories returns all categories

func GetEventTypeCategory

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

type EventType

// EventType describes the type of an event sent from the kernel. Values
// below MaxKernelEventType are shared with the eBPF side; the Custom*
// values are user-space only. See the const block for the numbering rules.
type EventType uint32

EventType describes the type of an event sent from the kernel

// Event type numbering. The kernel types are a plain iota sequence and
// must stay in this order: they are presumably mirrored by the eBPF
// programs, so reordering or inserting one breaks the kernel/user-space
// contract — append new kernel types before MaxKernelEventType only.
const (
	// UnknownEventType unknown event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event (DEPRECATED)
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// BPFEventType bpf event
	BPFEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// LoadModuleEventType LoadModule event
	LoadModuleEventType
	// UnloadModuleEventType UnloadModule event
	UnloadModuleEventType
	// SignalEventType Signal event
	SignalEventType
	// SpliceEventType Splice event
	SpliceEventType
	// CgroupTracingEventType is sent when a new cgroup is being traced
	CgroupTracingEventType
	// DNSEventType DNS event
	DNSEventType
	// NetDeviceEventType is sent for events on net devices
	NetDeviceEventType
	// VethPairEventType is sent when a new veth pair is created
	VethPairEventType
	// BindEventType Bind event
	BindEventType
	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
	UnshareMountNsEventType
	// SyscallsEventType Syscalls event
	SyscallsEventType
	// AnomalyDetectionSyscallEventType Anomaly Detection Syscall event
	AnomalyDetectionSyscallEventType
	// MaxKernelEventType is used internally to get the maximum number of kernel events.
	MaxKernelEventType

	// FirstEventType is the first valid event type
	FirstEventType = FileOpenEventType

	// LastEventType is the last valid event type
	// NOTE(review): AnomalyDetectionSyscallEventType is declared after
	// SyscallsEventType and therefore lies outside the
	// FirstEventType..LastEventType range; confirm that loops bounded by
	// LastEventType are meant to skip it.
	LastEventType = SyscallsEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileRemoveXAttrEventType

	// LastApproverEventType is the last event that accepts approvers
	LastApproverEventType = SpliceEventType

	// The custom (user-space) types resume iota, which counts constant
	// specs in this block, not kernel types: CustomLostReadEventType equals
	// MaxKernelEventType + 1 + the number of alias constants declared above
	// it (FirstEventType … LastApproverEventType). That guarantees no
	// overlap with kernel values, but adding or removing an alias above
	// shifts every Custom* value, so any external encoding of these numbers
	// must be re-checked whenever this block changes.
	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	CustomLostReadEventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
	// CustomSelfTestEventType is the custom event used to report the results of a self test run
	CustomSelfTestEventType
	// MaxAllEventType is used internally to get the maximum number of events.
	MaxAllEventType
)

func (EventType) String

func (t EventType) String() string

type ExecEvent

// ExecEvent represents an exec event. It embeds the executed Process so the
// process fields (args, envs, file, …) are addressable as exec.*; the
// embedded pointer may be nil, so check before dereferencing.
type ExecEvent struct {
	*Process
}

ExecEvent represents an exec event; the embedded *Process describes the executed process.

type ExitCause added in v0.38.0

// ExitCause represents the cause of a process termination; it is the typed
// form of ExitEvent.Cause.
type ExitCause uint32

ExitCause represents the cause of a process termination

// Termination causes reported in ExitEvent.Cause. The order matters: the
// values are presumably produced by the kernel side as well.
const (
	// ExitExited Process exited normally
	ExitExited ExitCause = iota
	// ExitCoreDumped Process was terminated with a coredump signal
	ExitCoreDumped
	// ExitSignaled Process was terminated with a signal other than a coredump
	ExitSignaled
)

func (ExitCause) String added in v0.38.0

func (cause ExitCause) String() string

type ExitEvent added in v0.38.0

// ExitEvent represents a process exit event. The meaning of Code depends on
// Cause: it is the exit status when Cause is ExitExited and the signal
// number otherwise (ExitSignaled / ExitCoreDumped), so rules should always
// pair a code check with a cause check.
type ExitEvent struct {
	*Process
	Cause uint32 `field:"cause"` // SECLDoc[cause] Definition:`Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)`
	Code  uint32 `field:"code"`  // SECLDoc[code] Definition:`Exit code of the process or number of the signal that caused the process to terminate`
}

ExitEvent represents a process exit event

func (*ExitEvent) UnmarshalBinary added in v0.38.0

func (e *ExitEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary decodes the exit event from its kernel-supplied binary representation and returns the number of bytes consumed together with any decoding error.

type ExtraFieldHandlers added in v0.43.0

// ExtraFieldHandlers groups the resolvers that are not bound to a `handler:`
// struct tag; they are embedded in FieldHandlers and reached through the
// Event wrappers of the same name.
type ExtraFieldHandlers interface {
	// ResolveProcessCacheEntry returns the cache entry of the event's
	// process; the bool reports whether one was found.
	ResolveProcessCacheEntry(ev *Event) (*ProcessCacheEntry, bool)
	// ResolveContainerContext returns the container context of the event;
	// the bool reports whether one was found.
	ResolveContainerContext(ev *Event) (*ContainerContext, bool)
	// ResolveEventTime returns the event time as a wall-clock value.
	ResolveEventTime(ev *Event) time.Time
	// GetProcessService returns the service name attributed to the process.
	GetProcessService(ev *Event) string
	// ResolveHashes returns the hashes of file for the given event type and
	// process; the string encoding of each entry is implementation-defined
	// here (see HashAlgorithm).
	ResolveHashes(eventType EventType, process *Process, file *FileEvent) []string
}

ExtraFieldHandlers groups the handlers that are not bound to any struct-field tag.

type FieldHandlers added in v0.43.0

// FieldHandlers resolves the lazily-computed SECL fields of an Event. Each
// method is named by a `handler:` struct tag on the field it backs (see
// Event, FileEvent, FileFields, ExitEvent); the generated accessors call it
// with the owning Event and the struct that holds the field. Resolution is
// pluggable because it presumably needs user-space state the raw kernel
// event lacks (user/group tables, mounts, package databases, file hashes);
// DefaultFieldHandlers provides stubs only.
//
// Practitioner notes: a rule that compares a whole argument or environment
// list should also consult the *Truncated handlers, since a truncated list
// makes a negative match unreliable; ResolveFilePath may yield an empty or
// partial path when resolution failed (FileEvent.PathResolutionError); and
// hashing is best-effort (see HashState), so a missing hash is not evidence
// about the file.
type FieldHandlers interface {
	ResolveAsync(ev *Event) bool
	ResolveChownGID(ev *Event, e *ChownEvent) string
	ResolveChownUID(ev *Event, e *ChownEvent) string
	ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
	ResolveContainerID(ev *Event, e *ContainerContext) string
	ResolveContainerTags(ev *Event, e *ContainerContext) []string
	ResolveEventTimestamp(ev *Event) int
	ResolveFileBasename(ev *Event, e *FileEvent) string
	ResolveFileFieldsGroup(ev *Event, e *FileFields) string
	ResolveFileFieldsInUpperLayer(ev *Event, e *FileFields) bool
	ResolveFileFieldsUser(ev *Event, e *FileFields) string
	ResolveFileFilesystem(ev *Event, e *FileEvent) string
	ResolveFilePath(ev *Event, e *FileEvent) string
	ResolveHashesFromEvent(ev *Event, e *FileEvent) []string
	ResolveModuleArgs(ev *Event, e *LoadModuleEvent) string
	ResolveModuleArgv(ev *Event, e *LoadModuleEvent) []string
	ResolveMountPointPath(ev *Event, e *MountEvent) string
	ResolveMountSourcePath(ev *Event, e *MountEvent) string
	ResolveNetworkDeviceIfName(ev *Event, e *NetworkDeviceContext) string
	ResolvePackageName(ev *Event, e *FileEvent) string
	ResolvePackageSourceVersion(ev *Event, e *FileEvent) string
	ResolvePackageVersion(ev *Event, e *FileEvent) string
	ResolveProcessArgs(ev *Event, e *Process) string
	ResolveProcessArgsFlags(ev *Event, e *Process) []string
	ResolveProcessArgsOptions(ev *Event, e *Process) []string
	ResolveProcessArgsTruncated(ev *Event, e *Process) bool
	ResolveProcessArgv(ev *Event, e *Process) []string
	ResolveProcessArgv0(ev *Event, e *Process) string
	ResolveProcessCreatedAt(ev *Event, e *Process) int
	ResolveProcessEnvp(ev *Event, e *Process) []string
	ResolveProcessEnvs(ev *Event, e *Process) []string
	ResolveProcessEnvsTruncated(ev *Event, e *Process) bool
	ResolveRights(ev *Event, e *FileFields) int
	ResolveSELinuxBoolName(ev *Event, e *SELinuxEvent) string
	ResolveSetgidEGroup(ev *Event, e *SetgidEvent) string
	ResolveSetgidFSGroup(ev *Event, e *SetgidEvent) string
	ResolveSetgidGroup(ev *Event, e *SetgidEvent) string
	ResolveSetuidEUser(ev *Event, e *SetuidEvent) string
	ResolveSetuidFSUser(ev *Event, e *SetuidEvent) string
	ResolveSetuidUser(ev *Event, e *SetuidEvent) string
	ResolveXAttrName(ev *Event, e *SetXAttrEvent) string
	ResolveXAttrNamespace(ev *Event, e *SetXAttrEvent) string
	// custom handlers not tied to any fields
	ExtraFieldHandlers
}

type FileEvent

// FileEvent is the common file event type: the identity of a file
// (FileFields) plus the lazily-resolved path, basename, filesystem, package
// and hash information. Path/basename resolution can fail; when it does,
// PathResolutionError is set and the string fields may be empty or partial,
// so a non-matching path is not proof that the file is elsewhere.
type FileEvent struct {
	FileFields ``

	PathnameStr string `field:"path,handler:ResolveFilePath,opts:length" op_override:"ProcessSymlinkPathname"`     // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "/usr/bin/apt"` Description:`Matches the execution of the file located at /usr/bin/apt` Example:`open.file.path == "/etc/passwd"` Description:`Matches any process opening the /etc/passwd file.`
	BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"ProcessSymlinkBasename"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "apt"` Description:`Matches the execution of any file named apt.`
	Filesystem  string `field:"filesystem,handler:ResolveFileFilesystem"`                                          // SECLDoc[filesystem] Definition:`File's filesystem`

	// PathResolutionError is non-nil when the path could not be resolved
	// (set via Event.SetPathResolutionError); consult it before trusting
	// PathnameStr/BasenameStr.
	PathResolutionError error `field:"-" json:"-"`

	PkgName       string `field:"package.name,handler:ResolvePackageName"`                    // SECLDoc[package.name] Definition:`[Experimental] Name of the package that provided this file`
	PkgVersion    string `field:"package.version,handler:ResolvePackageVersion"`              // SECLDoc[package.version] Definition:`[Experimental] Full version of the package that provided this file`
	PkgSrcVersion string `field:"package.source_version,handler:ResolvePackageSourceVersion"` // SECLDoc[package.source_version] Definition:`[Experimental] Full version of the source package of the package that provided this file`

	// HashState records why Hashes may be empty (not attempted, file gone,
	// too big, rate limited, …); Hashes is skipped for activity dumps
	// (opts:skip_ad). The available algorithms include MD5 and SHA1, which
	// are not collision-resistant — see HashAlgorithm.
	HashState HashState `field:"-"`
	Hashes    []string  `field:"hashes,handler:ResolveHashesFromEvent,opts:skip_ad"` // SECLDoc[hashes] Definition:`[Experimental] List of cryptographic hashes computed for this file`

	// used to mark as already resolved, can be used in case of empty path:
	// a resolved-but-empty string is distinguishable from "not yet resolved".
	IsPathnameStrResolved bool `field:"-" json:"-"`
	IsBasenameStrResolved bool `field:"-" json:"-"`
}

FileEvent is the common file event type

func (*FileEvent) Equals added in v0.47.0

func (e *FileEvent) Equals(o *FileEvent) bool

Equals compares two FileEvent values.

func (*FileEvent) GetPathResolutionError

func (e *FileEvent) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*FileEvent) IsOverlayFS added in v0.46.0

func (e *FileEvent) IsOverlayFS() bool

IsOverlayFS reports whether the file's filesystem is an overlay filesystem (presumably by comparing Filesystem, which must therefore already be resolved — confirm).

func (*FileEvent) SetBasenameStr added in v0.36.0

func (e *FileEvent) SetBasenameStr(str string)

SetBasenameStr sets BasenameStr and sets IsBasenameStrResolved, so an empty basename is treated as resolved rather than re-resolved.

func (*FileEvent) SetPathnameStr added in v0.36.0

func (e *FileEvent) SetPathnameStr(str string)

SetPathnameStr sets PathnameStr and sets IsPathnameStrResolved, so an empty path is treated as resolved rather than re-resolved.

func (*FileEvent) UnmarshalBinary

func (e *FileEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary decodes the file event from its kernel-supplied binary representation and returns the number of bytes consumed together with any decoding error.

type FileFields

// FileFields holds the information required to identify a file: ownership,
// mode, timestamps and the embedded PathKey (inode/mount identity). UID/GID
// are the raw kernel values; User/Group are names resolved lazily by
// FieldHandlers and may be empty on DefaultFieldHandlers.
type FileFields struct {
	UID   uint32 `field:"uid"`                                                         // SECLDoc[uid] Definition:`UID of the file's owner`
	User  string `field:"user,handler:ResolveFileFieldsUser"`                          // SECLDoc[user] Definition:`User of the file's owner`
	GID   uint32 `field:"gid"`                                                         // SECLDoc[gid] Definition:`GID of the file's owner`
	Group string `field:"group,handler:ResolveFileFieldsGroup"`                        // SECLDoc[group] Definition:`Group of the file's owner`
	// Mode backs two SECL fields: `mode` (raw inode mode bits) and `rights`
	// (permission bits via ResolveRights, resolved without caching).
	Mode  uint16 `field:"mode;rights,handler:ResolveRights,opts:cacheless_resolution"` // SECLDoc[mode] Definition:`Mode of the file` Constants:`Inode mode constants` SECLDoc[rights] Definition:`Rights of the file` Constants:`File mode constants`
	CTime uint64 `field:"change_time"`                                                 // SECLDoc[change_time] Definition:`Change time of the file`
	MTime uint64 `field:"modification_time"`                                           // SECLDoc[modification_time] Definition:`Modification time of the file`

	PathKey
	// InUpperLayer: on a container's OverlayFS, an upper-layer file is
	// presumably one written since the container started rather than one
	// shipped in the image — a useful tamper signal; confirm with the
	// resolver before building detections on it.
	InUpperLayer bool `field:"in_upper_layer,handler:ResolveFileFieldsInUpperLayer"` // SECLDoc[in_upper_layer] Definition:`Indicator of the file layer, for example, in an OverlayFS`

	// NLink is the inode link count (see HasHardLinks); Flags holds the
	// layer flags (see GetInLowerLayer/GetInUpperLayer). Neither is a SECL
	// field.
	NLink uint32 `field:"-" json:"-"`
	Flags int32  `field:"-" json:"-"`
}

FileFields holds the information required to identify a file

func (*FileFields) Equals added in v0.47.0

func (f *FileFields) Equals(o *FileFields) bool

Equals compares two FileFields

func (*FileFields) GetInLowerLayer

func (f *FileFields) GetInLowerLayer() bool

GetInLowerLayer returns whether a file is in a lower layer

func (*FileFields) GetInUpperLayer

func (f *FileFields) GetInUpperLayer() bool

GetInUpperLayer returns whether a file is in the upper layer

func (f *FileFields) HasHardLinks() bool

HasHardLinks reports whether the inode has additional hard links (presumably NLink &gt; 1). A file with several names can be modified or executed through a path a rule does not watch.

func (*FileFields) IsFileless added in v0.42.0

func (f *FileFields) IsFileless() bool

IsFileless reports whether the access is fileless, i.e. the file has no backing path on disk (presumably a memfd or other anonymous inode — confirm). Such accesses are a common in-memory execution technique and are worth alerting on.

func (*FileFields) MarshalBinary added in v0.36.0

func (e *FileFields) MarshalBinary(data []byte) (int, error)

MarshalBinary marshals a binary representation of itself

func (*FileFields) UnmarshalBinary

func (e *FileFields) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary decodes the file fields from their kernel-supplied binary representation and returns the number of bytes consumed together with any decoding error.

type FileMode added in v0.46.0

// FileMode represents a file mode (permission) bitmask value; String renders
// it for display. It is the typed form of the `rights` field.
type FileMode int

FileMode represents a file mode bitmask value

func (FileMode) String added in v0.46.0

func (m FileMode) String() string

type HashAlgorithm added in v0.47.0

// HashAlgorithm is used to configure the hash algorithms of the hash
// resolver; see the constants below for the security properties of each.
type HashAlgorithm int

HashAlgorithm is used to configure the hash algorithms of the hash resolver

// Supported hash algorithms. SHA256 is the only collision-resistant option:
// MD5 and SHA1 are broken for collision resistance, so an attacker can
// produce a file sharing a known-good digest. They are presumably kept for
// interoperability with indicator feeds that still publish them; use them
// for lookup against such feeds, never as the basis of an allow/deny
// decision.
const (
	// SHA1 is used to identify a SHA1 hash
	SHA1 HashAlgorithm = iota
	// SHA256 is used to identify a SHA256 hash
	SHA256
	// MD5 is used to identify a MD5 hash
	MD5
	// MaxHashAlgorithm is used for initializations
	MaxHashAlgorithm
)

func (HashAlgorithm) String added in v0.47.0

func (ha HashAlgorithm) String() string

type HashState added in v0.47.0

// HashState records the outcome of the last hashing attempt for a file so
// the hash resolver does not retry files whose hash cannot be computed.
type HashState int

HashState records the outcome of the last hashing attempt so the hash resolver does not retry a file whose hash cannot be computed; HashWasRateLimited is the exception and is retried later.

const (
	// NoHash means that computing a hash hasn't been attempted
	NoHash HashState = iota
	// Done means that the hashes were already computed
	Done
	// FileNotFound means that the underlying file is no longer available to compute the hash
	FileNotFound
	// PathnameResolutionError means that the underlying file wasn't properly resolved
	PathnameResolutionError
	// FileTooBig means that the underlying file is larger than the hash resolver file size limit.
	// NOTE(review): rules keyed on a hash can therefore never match such files; detections
	// for large binaries should not rely on hashes alone.
	FileTooBig
	// EventTypeNotConfigured means that the event type prevents a hash from being computed
	EventTypeNotConfigured
	// HashWasRateLimited means that the hash will be tried again later, it was rate limited.
	// This is the only state that implies a retry; the other error states are final.
	HashWasRateLimited
	// UnknownHashError means that we couldn't hash the file and we don't know why
	UnknownHashError
	// MaxHashState is used for initializations; it is a sentinel upper bound, not a real state
	MaxHashState
)

func (HashState) String added in v0.47.0

func (i HashState) String() string

type IPPortContext added in v0.36.0

type IPPortContext struct {
	// IPNet is stored as a network rather than a single address, presumably so that
	// rules can match CIDR ranges as well as hosts — confirm against the evaluator.
	IPNet net.IPNet `field:"ip"`   // SECLDoc[ip] Definition:`IP address`
	Port  uint16    `field:"port"` // SECLDoc[port] Definition:`Port number`
}

IPPortContext is used to hold an IP and Port

type InodeMode added in v0.46.0

type InodeMode int

InodeMode represents an inode mode bitmask value

func (InodeMode) String added in v0.46.0

func (m InodeMode) String() string

type InvalidateDentryEvent

type InvalidateDentryEvent struct {
	// Inode and MountID together identify the dentry cache entry to invalidate
	// (the same pair that forms a PathKey).
	Inode   uint64
	MountID uint32
}

InvalidateDentryEvent defines a invalidate dentry event

func (*InvalidateDentryEvent) UnmarshalBinary

func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type KernelCapability

type KernelCapability uint64

KernelCapability represents a kernel capability bitmask value

func (KernelCapability) String

func (kc KernelCapability) String() string

func (KernelCapability) StringArray

func (kc KernelCapability) StringArray() []string

StringArray returns the kernel capabilities as an array of strings

type L3Protocol added in v0.36.0

type L3Protocol uint16

L3Protocol Network protocols

const (
	// The values below appear to mirror the ETH_P_* ethertypes of the Linux kernel
	// (uapi/linux/if_ether.h), including its internal pseudo types that never
	// appear on the wire — confirm against the kernel header when adding entries.

	// EthPLOOP Ethernet Loopback packet
	EthPLOOP L3Protocol = 0x0060
	// EthPPUP Xerox PUP packet
	EthPPUP L3Protocol = 0x0200
	// EthPPUPAT Xerox PUP Addr Trans packet
	EthPPUPAT L3Protocol = 0x0201
	// EthPTSN TSN (IEEE 1722) packet
	EthPTSN L3Protocol = 0x22F0
	// EthPIP Internet Protocol packet
	EthPIP L3Protocol = 0x0800
	// EthPX25 CCITT X.25
	EthPX25 L3Protocol = 0x0805
	// EthPARP Address Resolution packet
	EthPARP L3Protocol = 0x0806
	// EthPBPQ G8BPQ AX.25 Ethernet Packet    [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBPQ L3Protocol = 0x08FF
	// EthPIEEEPUP Xerox IEEE802.3 PUP packet
	EthPIEEEPUP L3Protocol = 0x0a00
	// EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet
	EthPIEEEPUPAT L3Protocol = 0x0a01
	// EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBATMAN L3Protocol = 0x4305
	// EthPDEC DEC Assigned proto
	EthPDEC L3Protocol = 0x6000
	// EthPDNADL DEC DNA Dump/Load
	EthPDNADL L3Protocol = 0x6001
	// EthPDNARC DEC DNA Remote Console
	EthPDNARC L3Protocol = 0x6002
	// EthPDNART DEC DNA Routing
	EthPDNART L3Protocol = 0x6003
	// EthPLAT DEC LAT
	EthPLAT L3Protocol = 0x6004
	// EthPDIAG DEC Diagnostics
	EthPDIAG L3Protocol = 0x6005
	// EthPCUST DEC Customer use
	EthPCUST L3Protocol = 0x6006
	// EthPSCA DEC Systems Comms Arch
	EthPSCA L3Protocol = 0x6007
	// EthPTEB Trans Ether Bridging
	EthPTEB L3Protocol = 0x6558
	// EthPRARP Reverse Addr Res packet
	EthPRARP L3Protocol = 0x8035
	// EthPATALK Appletalk DDP
	EthPATALK L3Protocol = 0x809B
	// EthPAARP Appletalk AARP
	EthPAARP L3Protocol = 0x80F3
	// EthP8021Q 802.1Q VLAN Extended Header
	EthP8021Q L3Protocol = 0x8100
	// EthPERSPAN ERSPAN type II
	EthPERSPAN L3Protocol = 0x88BE
	// EthPIPX IPX over DIX
	EthPIPX L3Protocol = 0x8137
	// EthPIPV6 IPv6 over bluebook
	EthPIPV6 L3Protocol = 0x86DD
	// EthPPAUSE IEEE Pause frames. See 802.3 31B
	EthPPAUSE L3Protocol = 0x8808
	// EthPSLOW Slow Protocol. See 802.3ad 43B
	EthPSLOW L3Protocol = 0x8809
	// EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	EthPWCCP L3Protocol = 0x883E
	// EthPMPLSUC MPLS Unicast traffic
	EthPMPLSUC L3Protocol = 0x8847
	// EthPMPLSMC MPLS Multicast traffic
	EthPMPLSMC L3Protocol = 0x8848
	// EthPATMMPOA MultiProtocol Over ATM
	EthPATMMPOA L3Protocol = 0x884c
	// EthPPPPDISC PPPoE discovery messages
	EthPPPPDISC L3Protocol = 0x8863
	// EthPPPPSES PPPoE session messages
	EthPPPPSES L3Protocol = 0x8864
	// EthPLinkCTL HPNA, wlan link local tunnel
	EthPLinkCTL L3Protocol = 0x886c
	// EthPATMFATE Frame-based ATM Transport over Ethernet
	EthPATMFATE L3Protocol = 0x8884
	// EthPPAE Port Access Entity (IEEE 802.1X)
	EthPPAE L3Protocol = 0x888E
	// EthPAOE ATA over Ethernet
	EthPAOE L3Protocol = 0x88A2
	// EthP8021AD 802.1ad Service VLAN
	EthP8021AD L3Protocol = 0x88A8
	// EthP802EX1 802.1 Local Experimental 1.
	EthP802EX1 L3Protocol = 0x88B5
	// EthPTIPC TIPC
	EthPTIPC L3Protocol = 0x88CA
	// EthPMACSEC 802.1ae MACsec
	EthPMACSEC L3Protocol = 0x88E5
	// EthP8021AH 802.1ah Backbone Service Tag
	EthP8021AH L3Protocol = 0x88E7
	// EthPMVRP 802.1Q MVRP
	EthPMVRP L3Protocol = 0x88F5
	// EthP1588 IEEE 1588 Timesync
	EthP1588 L3Protocol = 0x88F7
	// EthPNCSI NCSI protocol
	EthPNCSI L3Protocol = 0x88F8
	// EthPPRP IEC 62439-3 PRP/HSRv0
	EthPPRP L3Protocol = 0x88FB
	// EthPFCOE Fibre Channel over Ethernet
	EthPFCOE L3Protocol = 0x8906
	// EthPIBOE Infiniband over Ethernet
	EthPIBOE L3Protocol = 0x8915
	// EthPTDLS TDLS
	EthPTDLS L3Protocol = 0x890D
	// EthPFIP FCoE Initialization Protocol
	EthPFIP L3Protocol = 0x8914
	// EthP80221 IEEE 802.21 Media Independent Handover Protocol
	EthP80221 L3Protocol = 0x8917
	// EthPHSR IEC 62439-3 HSRv1
	EthPHSR L3Protocol = 0x892F
	// EthPNSH Network Service Header
	EthPNSH L3Protocol = 0x894F
	// EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3
	EthPLOOPBACK L3Protocol = 0x9000
	// EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ1 L3Protocol = 0x9100
	// EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ2 L3Protocol = 0x9200
	// EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ3 L3Protocol = 0x9300
	// EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPEDSA L3Protocol = 0xDADA
	// EthPIFE ForCES inter-FE LFB type
	EthPIFE L3Protocol = 0xED3E
	// EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPAFIUCV L3Protocol = 0xFBFB
	// EthP8023MIN If the value in the ethernet type field is at least this value then the frame is Ethernet II. Else the field is an 802.3 length
	EthP8023MIN L3Protocol = 0x0600
	// EthPIPV6HopByHop IPv6 Hop by hop option
	// NOTE(review): 0x000 is not a registered ethertype; presumably a kernel-internal pseudo value — confirm against if_ether.h
	EthPIPV6HopByHop L3Protocol = 0x000
	// EthP8023 Dummy type for 802.3 frames
	EthP8023 L3Protocol = 0x0001
	// EthPAX25 Dummy protocol id for AX.25
	EthPAX25 L3Protocol = 0x0002
	// EthPALL Every packet (be careful!!!)
	EthPALL L3Protocol = 0x0003
	// EthP8022 802.2 frames
	EthP8022 L3Protocol = 0x0004
	// EthPSNAP Internal only
	EthPSNAP L3Protocol = 0x0005
	// EthPDDCMP DEC DDCMP: Internal only
	EthPDDCMP L3Protocol = 0x0006
	// EthPWANPPP Dummy type for WAN PPP frames
	EthPWANPPP L3Protocol = 0x0007
	// EthPPPPMP Dummy type for PPP MP frames
	EthPPPPMP L3Protocol = 0x0008
	// EthPLOCALTALK Localtalk pseudo type
	EthPLOCALTALK L3Protocol = 0x0009
	// EthPCAN CAN: Controller Area Network
	EthPCAN L3Protocol = 0x000C
	// EthPCANFD CANFD: CAN flexible data rate
	EthPCANFD L3Protocol = 0x000D
	// EthPPPPTALK Dummy type for Atalk over PPP
	EthPPPPTALK L3Protocol = 0x0010
	// EthPTR8022 802.2 frames
	EthPTR8022 L3Protocol = 0x0011
	// EthPMOBITEX Mobitex (kaz@cafe.net)
	EthPMOBITEX L3Protocol = 0x0015
	// EthPCONTROL Card specific control frames
	EthPCONTROL L3Protocol = 0x0016
	// EthPIRDA Linux-IrDA
	EthPIRDA L3Protocol = 0x0017
	// EthPECONET Acorn Econet
	EthPECONET L3Protocol = 0x0018
	// EthPHDLC HDLC frames
	EthPHDLC L3Protocol = 0x0019
	// EthPARCNET 1A for ArcNet :-)
	EthPARCNET L3Protocol = 0x001A
	// EthPDSA Distributed Switch Arch.
	EthPDSA L3Protocol = 0x001B
	// EthPTRAILER Trailer switch tagging
	EthPTRAILER L3Protocol = 0x001C
	// EthPPHONET Nokia Phonet frames
	EthPPHONET L3Protocol = 0x00F5
	// EthPIEEE802154 IEEE802.15.4 frame
	EthPIEEE802154 L3Protocol = 0x00F6
	// EthPCAIF ST-Ericsson CAIF protocol
	EthPCAIF L3Protocol = 0x00F7
	// EthPXDSA Multiplexed DSA protocol
	EthPXDSA L3Protocol = 0x00F8
	// EthPMAP Qualcomm multiplexing and aggregation protocol
	EthPMAP L3Protocol = 0x00F9
)

func (L3Protocol) String added in v0.36.0

func (proto L3Protocol) String() string

type L4Protocol added in v0.36.0

type L4Protocol uint16

L4Protocol transport protocols

const (
	// The values below are the IANA IP protocol numbers as exposed by the Linux
	// IPPROTO_* definitions (uapi/linux/in.h); the first entry is a kernel placeholder.

	// IPProtoIP Dummy protocol for TCP (kernel placeholder, never seen on the wire)
	IPProtoIP L4Protocol = 0
	// IPProtoICMP Internet Control Message Protocol (IPv4)
	IPProtoICMP L4Protocol = 1
	// IPProtoIGMP Internet Group Management Protocol
	IPProtoIGMP L4Protocol = 2
	// IPProtoIPIP IPIP tunnels (older KA9Q tunnels use 94)
	IPProtoIPIP L4Protocol = 4
	// IPProtoTCP Transmission Control Protocol
	IPProtoTCP L4Protocol = 6
	// IPProtoEGP Exterior Gateway Protocol
	IPProtoEGP L4Protocol = 8
	// IPProtoIGP Interior Gateway Protocol (any private interior gateway (used by Cisco for their IGRP))
	IPProtoIGP L4Protocol = 9
	// IPProtoPUP PUP protocol
	IPProtoPUP L4Protocol = 12
	// IPProtoUDP User Datagram Protocol
	IPProtoUDP L4Protocol = 17
	// IPProtoIDP XNS IDP protocol
	IPProtoIDP L4Protocol = 22
	// IPProtoTP ISO Transport Protocol Class 4 (TP4)
	IPProtoTP L4Protocol = 29
	// IPProtoDCCP Datagram Congestion Control Protocol
	IPProtoDCCP L4Protocol = 33
	// IPProtoIPV6 IPv6-in-IPv4 tunnelling
	IPProtoIPV6 L4Protocol = 41
	// IPProtoRSVP RSVP Protocol
	IPProtoRSVP L4Protocol = 46
	// IPProtoGRE Cisco GRE tunnels (rfc 1701,1702)
	IPProtoGRE L4Protocol = 47
	// IPProtoESP Encapsulation Security Payload protocol
	IPProtoESP L4Protocol = 50
	// IPProtoAH Authentication Header protocol
	IPProtoAH L4Protocol = 51
	// IPProtoICMPV6 Internet Control Message Protocol (IPv6)
	IPProtoICMPV6 L4Protocol = 58
	// IPProtoMTP Multicast Transport Protocol
	IPProtoMTP L4Protocol = 92
	// IPProtoBEETPH IP option pseudo header for BEET
	IPProtoBEETPH L4Protocol = 94
	// IPProtoENCAP Encapsulation Header
	IPProtoENCAP L4Protocol = 98
	// IPProtoPIM Protocol Independent Multicast
	IPProtoPIM L4Protocol = 103
	// IPProtoCOMP Compression Header Protocol
	IPProtoCOMP L4Protocol = 108
	// IPProtoSCTP Stream Control Transmission Protocol
	IPProtoSCTP L4Protocol = 132
	// IPProtoUDPLITE UDP-Lite (RFC 3828)
	IPProtoUDPLITE L4Protocol = 136
	// IPProtoMPLS MPLS in IP (RFC 4023)
	IPProtoMPLS L4Protocol = 137
	// IPProtoRAW Raw IP packets
	IPProtoRAW L4Protocol = 255
)

func (L4Protocol) String added in v0.36.0

func (proto L4Protocol) String() string

type LinkEvent

type LinkEvent struct {
	SyscallEvent
	// Source is the existing file (`file`); Target is the link being created (`file.destination`)
	Source FileEvent `field:"file"`
	Target FileEvent `field:"file.destination"`
}

LinkEvent represents a link event

func (*LinkEvent) UnmarshalBinary

func (e *LinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type LinuxBinprm added in v0.40.0

type LinuxBinprm struct {
	// FileEvent describes the interpreter binary selected for the exec
	// (exposed on Process as the `interpreter` field).
	FileEvent FileEvent `field:"file"`
}

LinuxBinprm contains content from the linux_binprm struct, which holds the arguments used for loading binaries

type LoadModuleEvent added in v0.35.0

type LoadModuleEvent struct {
	SyscallEvent

	// File is the module on disk; when LoadedFromMemory is set there is presumably
	// no backing file to resolve, so rules should not require `file.path` for such loads — confirm.
	File             FileEvent `field:"file"`                           // Path to the kernel module file
	LoadedFromMemory bool      `field:"loaded_from_memory"`             // SECLDoc[loaded_from_memory] Definition:`Indicates if the kernel module was loaded from memory`
	Name             string    `field:"name"`                           // SECLDoc[name] Definition:`Name of the new kernel module`
	Args             string    `field:"args,handler:ResolveModuleArgs"` // SECLDoc[args] Definition:`Parameters (as a string) of the new kernel module`
	Argv             []string  `field:"argv,handler:ResolveModuleArgv"` // SECLDoc[argv] Definition:`Parameters (as an array) of the new kernel module`
	// NOTE(review): when ArgsTruncated is set, Args/Argv are only a prefix of the real
	// parameters, so rules that negate on module arguments may miss.
	ArgsTruncated    bool      `field:"args_truncated"`                 // SECLDoc[args_truncated] Definition:`Indicates if the arguments were truncated or not`
}

LoadModuleEvent represents a load_module event

func (*LoadModuleEvent) UnmarshalBinary added in v0.35.0

func (e *LoadModuleEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MMapEvent added in v0.34.0

type MMapEvent struct {
	SyscallEvent

	File       FileEvent `field:"file"`
	// Addr, Offset and Len are kept for serialization/debugging only; they are not exposed to SECL rules
	Addr       uint64    `field:"-" json:"-"`
	Offset     uint64    `field:"-" json:"-"`
	Len        uint32    `field:"-" json:"-"`
	// Protection and Flags are the raw mmap(2) bitmasks, interpreted through the documented constants
	Protection int       `field:"protection"` // SECLDoc[protection] Definition:`memory segment protection` Constants:`Protection constants`
	Flags      int       `field:"flags"`      // SECLDoc[flags] Definition:`memory segment flags` Constants:`MMap flags`
}

MMapEvent represents a mmap event

func (*MMapEvent) UnmarshalBinary added in v0.34.0

func (e *MMapEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MMapFlag added in v0.34.0

type MMapFlag uint64

MMapFlag represents a mmap flag value

func (MMapFlag) String added in v0.34.0

func (mmf MMapFlag) String() string

type MProtectEvent added in v0.34.0

type MProtectEvent struct {
	SyscallEvent

	// VMStart/VMEnd bound the affected mapping; not exposed to SECL rules
	VMStart       uint64 `field:"-" json:"-"`
	VMEnd         uint64 `field:"-" json:"-"`
	// VMProtection is the protection before the call and ReqProtection the one requested,
	// so a rule can express a transition (e.g. a writable region being made executable).
	VMProtection  int    `field:"vm_protection"`  // SECLDoc[vm_protection] Definition:`initial memory segment protection` Constants:`Virtual Memory flags`
	ReqProtection int    `field:"req_protection"` // SECLDoc[req_protection] Definition:`new memory segment protection` Constants:`Virtual Memory flags`
}

MProtectEvent represents a mprotect event

func (*MProtectEvent) UnmarshalBinary added in v0.34.0

func (e *MProtectEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MatchedRule added in v0.44.0

type MatchedRule struct {
	// RuleID and RuleVersion identify the rule; PolicyName and PolicyVersion identify
	// the policy that shipped it, so a match can be traced back to its exact source.
	RuleID        string
	RuleVersion   string
	RuleTags      map[string]string
	PolicyName    string
	PolicyVersion string
}

MatchedRule identifies one rule that matched, together with the policy it belongs to

func AppendMatchedRule added in v0.44.0

func AppendMatchedRule(list []*MatchedRule, toAdd []*MatchedRule) []*MatchedRule

AppendMatchedRule appends the entries of toAdd to list, skipping those already present, and returns the resulting list

func NewMatchedRule added in v0.44.0

func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule

NewMatchedRule returns a new MatchedRule instance

func (*MatchedRule) Match added in v0.44.0

func (mr *MatchedRule) Match(mr2 *MatchedRule) bool

type MkdirEvent

type MkdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	// Mode is exposed under two SECL names (`mode` and `rights`) that read the same value
	Mode uint32    `field:"file.destination.mode; file.destination.rights"` // SECLDoc[file.destination.mode] Definition:`Mode of the new directory` Constants:`File mode constants` SECLDoc[file.destination.rights] Definition:`Rights of the new directory` Constants:`File mode constants`
}

MkdirEvent represents a mkdir event

func (*MkdirEvent) UnmarshalBinary

func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Model

type Model struct {
	// ExtraValidateFieldFnc, when non-nil, lets the embedding component add its own
	// field-value validation on top of the model's (see ValidateField).
	ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes

func (m *Model) GetEventTypes() []eval.EventType

func (*Model) GetIterator

func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)

func (*Model) NewDefaultEventWithType added in v0.43.0

func (m *Model) NewDefaultEventWithType(kind EventType) eval.Event

NewDefaultEventWithType returns a new Event for the given type

func (*Model) NewEvent

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) ValidateField

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type Mount added in v0.42.0

type Mount struct {
	// Kernel-side identifiers of the mount; only FSType is exposed to SECL rules
	MountID        uint32  `field:"-"`
	Device         uint32  `field:"-"`
	ParentPathKey  PathKey `field:"-"`
	RootPathKey    PathKey `field:"-"`
	// BindSrcMountID is the source mount of a bind mount (presumably zero otherwise — confirm)
	BindSrcMountID uint32  `field:"-"`
	FSType         string  `field:"fs_type"` // SECLDoc[fs_type] Definition:`Type of the mounted file system`
	// Resolved string forms of the mount point, root and full path, filled by the resolvers
	MountPointStr  string  `field:"-"`
	RootStr        string  `field:"-"`
	Path           string  `field:"-"`
}

Mount represents a mountpoint (used by MountEvent and UnshareMountNSEvent)

func (*Mount) GetFSType added in v0.42.0

func (m *Mount) GetFSType() string

GetFSType returns the filesystem type of the mountpoint

func (*Mount) IsOverlayFS added in v0.42.0

func (m *Mount) IsOverlayFS() bool

IsOverlayFS returns whether it is an overlay fs

func (*Mount) UnmarshalBinary added in v0.42.0

func (m *Mount) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type MountEvent

type MountEvent struct {
	SyscallEvent
	Mount
	MountPointPath                 string `field:"mountpoint.path,handler:ResolveMountPointPath"` // SECLDoc[mountpoint.path] Definition:`Path of the mount point`
	MountSourcePath                string `field:"source.path,handler:ResolveMountSourcePath"`    // SECLDoc[source.path] Definition:`Source path of a bind mount`
	// Resolution errors for the two paths above; a non-nil error means the matching
	// path field is unreliable and rules on it may not match.
	MountPointPathResolutionError  error  `field:"-"`
	MountSourcePathResolutionError error  `field:"-"`
}

MountEvent represents a mount event

func (*MountEvent) UnmarshalBinary

func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type MountReleasedEvent

type MountReleasedEvent struct {
	// MountID is the kernel mount identifier that is no longer in use
	MountID uint32
}

MountReleasedEvent defines a mount released event

func (*MountReleasedEvent) UnmarshalBinary

func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type NetDevice added in v0.36.0

type NetDevice struct {
	Name        string
	// NetNS and IfIndex identify the device; interface indexes are only unique
	// within a network namespace, so both are needed (see GetKey).
	NetNS       uint32
	IfIndex     uint32
	// PeerNetNS/PeerIfIndex describe the other end of a paired device (e.g. veth) — presumably, confirm
	PeerNetNS   uint32
	PeerIfIndex uint32
}

NetDevice represents a network device

func (NetDevice) GetKey added in v0.36.0

func (d NetDevice) GetKey() string

GetKey returns a key to uniquely identify a network device on the system

func (*NetDevice) UnmarshalBinary added in v0.36.0

func (d *NetDevice) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type NetDeviceEvent added in v0.36.0

type NetDeviceEvent struct {
	SyscallEvent

	// Device is the network device the event is about
	Device NetDevice
}

NetDeviceEvent represents a network device event

func (*NetDeviceEvent) UnmarshalBinary added in v0.36.0

func (e *NetDeviceEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type NetworkContext added in v0.36.0

type NetworkContext struct {
	Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured

	// L3Protocol/L4Protocol are raw numeric values; compare them against the
	// L3Protocol and L4Protocol constants rather than literals.
	L3Protocol  uint16        `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`l3 protocol of the network packet` Constants:`L3 protocols`
	L4Protocol  uint16        `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`l4 protocol of the network packet` Constants:`L4 protocols`
	Source      IPPortContext `field:"source"`      // source of the network packet
	Destination IPPortContext `field:"destination"` // destination of the network packet
	Size        uint32        `field:"size"`        // SECLDoc[size] Definition:`size in bytes of the network packet`
}

NetworkContext represents the network context of the event

func (*NetworkContext) UnmarshalBinary added in v0.36.0

func (e *NetworkContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type NetworkDeviceContext added in v0.36.0

type NetworkDeviceContext struct {
	// NetNS scopes IfIndex, which is only unique within a network namespace
	NetNS   uint32 `field:"-" json:"-"`
	IfIndex uint32 `field:"ifindex"`                                   // SECLDoc[ifindex] Definition:`interface ifindex`
	IfName  string `field:"ifname,handler:ResolveNetworkDeviceIfName"` // SECLDoc[ifname] Definition:`interface ifname`
}

NetworkDeviceContext represents the network device context of a network event

func (*NetworkDeviceContext) UnmarshalBinary added in v0.36.0

func (e *NetworkDeviceContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type OpenEvent

type OpenEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"`                 // SECLDoc[flags] Definition:`Flags used when opening the file` Constants:`Open flags`
	// Mode is only meaningful when the open creates the file (per the SECLDoc); presumably
	// zero otherwise — confirm before relying on it in rules.
	Mode  uint32    `field:"file.destination.mode"` // SECLDoc[file.destination.mode] Definition:`Mode of the created file` Constants:`File mode constants`
}

OpenEvent represents an open event

func (*OpenEvent) UnmarshalBinary

func (e *OpenEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type OpenFlags

type OpenFlags int

OpenFlags represents an open flags bitmask value

func (OpenFlags) String

func (f OpenFlags) String() string

func (OpenFlags) StringArray

func (f OpenFlags) StringArray() []string

StringArray returns the open flags as an array of strings

type PIDContext added in v0.37.0

type PIDContext struct {
	Pid       uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
	Tid       uint32 `field:"tid"` // SECLDoc[tid] Definition:`Thread ID of the thread`
	NetNS     uint32 `field:"-"`
	// IsKworker marks kernel worker threads, which have no executable file to resolve
	IsKworker bool   `field:"is_kworker"` // SECLDoc[is_kworker] Definition:`Indicates whether the process is a kworker`
	ExecInode uint64 `field:"-"`          // used to track exec and event loss
}

PIDContext holds the process context of a kernel event

func (*PIDContext) UnmarshalBinary added in v0.37.0

func (p *PIDContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself, process_context_t kernel side

type PTraceEvent added in v0.34.0

type PTraceEvent struct {
	SyscallEvent

	Request uint32          `field:"request"` // SECLDoc[request] Definition:`ptrace request` Constants:`Ptrace constants`
	// PID and Address are the raw ptrace(2) arguments; not exposed to SECL rules
	PID     uint32          `field:"-" json:"-"`
	Address uint64          `field:"-" json:"-"`
	// Tracee is a pointer and may be nil when the target process could not be resolved — presumably, confirm
	Tracee  *ProcessContext `field:"tracee"` // process context of the tracee
}

PTraceEvent represents a ptrace event

func (*PTraceEvent) UnmarshalBinary added in v0.34.0

func (e *PTraceEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type PTraceRequest added in v0.34.0

type PTraceRequest uint32

PTraceRequest represents a ptrace request value

func (PTraceRequest) String added in v0.34.0

func (f PTraceRequest) String() string

type PathKey added in v0.44.0

type PathKey struct {
	// Inode and MountID identify the file; inode numbers are only unique per mount, so both are required
	Inode   uint64 `field:"inode"`    // SECLDoc[inode] Definition:`Inode of the file`
	MountID uint32 `field:"mount_id"` // SECLDoc[mount_id] Definition:`Mount ID of the file`
	// PathID disambiguates reused inode/mount pairs in the dentry cache; not exposed to rules
	PathID  uint32 `field:"-"`
}

PathKey identifies an entry in the dentry cache

func (*PathKey) IsNull added in v0.44.0

func (p *PathKey) IsNull() bool

IsNull returns true if a key is invalid

func (*PathKey) MarshalBinary added in v0.44.0

func (p *PathKey) MarshalBinary() ([]byte, error)

MarshalBinary returns the binary representation of a path key

func (*PathKey) String added in v0.44.0

func (p *PathKey) String() string

func (*PathKey) UnmarshalBinary added in v0.44.0

func (p *PathKey) UnmarshalBinary(data []byte) (int, error)

func (*PathKey) Write added in v0.44.0

func (p *PathKey) Write(buffer []byte)

type PathLeaf added in v0.45.0

type PathLeaf struct {
	Parent PathKey
	// Name is a fixed-size buffer mirroring the eBPF struct; Len is the number of
	// meaningful bytes in it. NOTE(review): SetName must clamp to MaxSegmentLength so a
	// longer name cannot overrun the array — confirm in the implementation.
	Name   [MaxSegmentLength + 1]byte
	Len    uint16
}

PathLeaf is the go representation of the eBPF path_leaf_t structure

func (*PathLeaf) GetName added in v0.45.0

func (pl *PathLeaf) GetName() string

GetName returns the path value as a string

func (*PathLeaf) MarshalBinary added in v0.45.0

func (pl *PathLeaf) MarshalBinary() ([]byte, error)

MarshalBinary returns the binary representation of a path leaf

func (*PathLeaf) SetName added in v0.45.0

func (pl *PathLeaf) SetName(name string)

SetName sets the leaf name from the given string

type PipeBufFlag added in v0.35.0

type PipeBufFlag int

PipeBufFlag represents a pipe buffer flag

const (
	// The values and descriptions below appear to mirror PIPE_BUF_FLAG_* from the Linux
	// kernel's pipe_fs_i.h — confirm against the header when targeting new kernels.

	// PipeBufFlagLRU pipe buffer flag
	PipeBufFlagLRU PipeBufFlag = 0x1 /* page is on the LRU */
	// PipeBufFlagAtomic pipe buffer flag
	PipeBufFlagAtomic PipeBufFlag = 0x2 /* was atomically mapped */
	// PipeBufFlagGift pipe buffer flag
	PipeBufFlagGift PipeBufFlag = 0x4 /* page is a gift */
	// PipeBufFlagPacket pipe buffer flag
	PipeBufFlagPacket PipeBufFlag = 0x8 /* read() as a packet */
	// PipeBufFlagCanMerge pipe buffer flag
	PipeBufFlagCanMerge PipeBufFlag = 0x10 /* can merge buffers */
	// PipeBufFlagWhole pipe buffer flag
	PipeBufFlagWhole PipeBufFlag = 0x20 /* read() must return entire buffer or error */
	// PipeBufFlagLoss pipe buffer flag
	PipeBufFlagLoss PipeBufFlag = 0x40 /* Message loss happened after this buffer */
)

func (PipeBufFlag) String added in v0.35.0

func (pbf PipeBufFlag) String() string

type Process

type Process struct {
	PIDContext

	// FileEvent is the executed binary; the `check:IsNotKworker` guard reflects that
	// kernel workers have no file to resolve
	FileEvent FileEvent `field:"file,check:IsNotKworker"`

	ContainerID string `field:"container.id"` // SECLDoc[container.id] Definition:`Container ID`

	// SpanID/TraceID are correlation identifiers (presumably APM); not exposed to rules
	SpanID  uint64 `field:"-"`
	TraceID uint64 `field:"-"`

	TTYName     string      `field:"tty_name"`                         // SECLDoc[tty_name] Definition:`Name of the TTY associated with the process`
	Comm        string      `field:"comm"`                             // SECLDoc[comm] Definition:`Comm attribute of the process`
	LinuxBinprm LinuxBinprm `field:"interpreter,check:HasInterpreter"` // Script interpreter as identified by the shebang

	// pid_cache_t
	ForkTime time.Time `field:"-" json:"-"`
	ExitTime time.Time `field:"-" json:"-"`
	ExecTime time.Time `field:"-" json:"-"`

	CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`

	Cookie uint32 `field:"-"`
	PPid   uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`

	// credentials_t section of pid_cache_t
	Credentials

	// ArgsID/EnvsID key the argument and environment entries below; kernel-side handles, not exposed
	ArgsID uint32 `field:"-" json:"-"`
	EnvsID uint32 `field:"-" json:"-"`

	ArgsEntry *ArgsEntry `field:"-" json:"-"`
	EnvsEntry *EnvsEntry `field:"-" json:"-"`

	// defined to generate accessors; ArgsTruncated and EnvsTruncated are used by the unmarshaller
	Argv0 string   `field:"argv0,handler:ResolveProcessArgv0,weight:100"` // SECLDoc[argv0] Definition:`First argument of the process`
	Args  string   `field:"args,handler:ResolveProcessArgs,weight:100"`   // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
	Argv  []string ``                                                     // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.`
	/* 194-byte string literal not displayed */
	// NOTE(review): when ArgsTruncated is set, args/argv (and the derived args_flags/args_options)
	// are evaluated on an incomplete argument list. A rule that depends on an argument being
	// absent can be evaded by padding the command line; pair such rules with args_truncated == false.
	ArgsTruncated bool     `field:"args_truncated,handler:ResolveProcessArgsTruncated"` // SECLDoc[args_truncated] Definition:`Indicator of arguments truncation`
	// NOTE(review): Envs carries variable names only, Envp the full entries; Envp can therefore
	// expose secrets passed through the environment, so prefer Envs when surfacing events.
	Envs          []string `field:"envs,handler:ResolveProcessEnvs:100"`                // SECLDoc[envs] Definition:`Environment variable names of the process`
	Envp          []string `field:"envp,handler:ResolveProcessEnvp:100"`                // SECLDoc[envp] Definition:`Environment variables of the process`
	EnvsTruncated bool     `field:"envs_truncated,handler:ResolveProcessEnvsTruncated"` // SECLDoc[envs_truncated] Definition:`Indicator of environment variables truncation`

	// symlink to the process binary (at most MaxSymlinks captured)
	SymlinkPathnameStr [MaxSymlinks]string `field:"-" json:"-"`
	SymlinkBasenameStr string              `field:"-" json:"-"`

	// cache version
	// NOTE(review): the Scrubbed* fields presumably hold Argv with sensitive values redacted,
	// resolved lazily (ScrubbedArgvResolved) — confirm against the scrubber before relying on them.
	ScrubbedArgvResolved  bool           `field:"-" json:"-"`
	ScrubbedArgv          []string       `field:"-" json:"-"`
	ScrubbedArgsTruncated bool           `field:"-" json:"-"`
	Variables             eval.Variables `field:"-" json:"-"`

	IsThread    bool `field:"is_thread"` // SECLDoc[is_thread] Definition:`Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)`
	IsExecChild bool `field:"-"`         // Indicates whether the process is an exec child of its parent

	// Source records how this entry was learned (event, kernel map, procfs, ...); TODO document the allowed values
	Source uint64 `field:"-" json:"-"`
}

Process represents a process

func (*Process) GetPathResolutionError

func (p *Process) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*Process) HasInterpreter added in v0.40.0

func (p *Process) HasInterpreter() bool

HasInterpreter returns whether the process uses an interpreter

func (*Process) IsNotKworker added in v0.42.0

func (p *Process) IsNotKworker() bool

IsNotKworker returns true if the process isn't a kworker

func (*Process) MarshalPidCache added in v0.36.0

func (e *Process) MarshalPidCache(data []byte) (int, error)

MarshalPidCache marshals a binary representation of itself

func (*Process) MarshalProcCache added in v0.36.0

func (e *Process) MarshalProcCache(data []byte) (int, error)

MarshalProcCache marshals a binary representation of itself

func (*Process) UnmarshalBinary

func (e *Process) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

func (*Process) UnmarshalPidCacheBinary added in v0.39.0

func (e *Process) UnmarshalPidCacheBinary(data []byte) (int, error)

UnmarshalPidCacheBinary unmarshals the pid_cache_t kernel structure

func (*Process) UnmarshalProcEntryBinary added in v0.39.0

func (e *Process) UnmarshalProcEntryBinary(data []byte) (int, error)

UnmarshalProcEntryBinary unmarshalls process_entry_t from process.h

type ProcessAncestorsIterator

type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) Front

Front returns the first element

func (*ProcessAncestorsIterator) Next

Next returns the next element

type ProcessCacheEntry

type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry holds the process context kept in the process tree

func NewEmptyProcessCacheEntry added in v0.43.0

func NewEmptyProcessCacheEntry(pid uint32, tid uint32, isKworker bool) *ProcessCacheEntry

NewEmptyProcessCacheEntry returns an empty process cache entry for kworker events or failed process resolutions

func NewProcessCacheEntry

func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) ApplyExecTimeOf added in v0.47.0

func (pc *ProcessCacheEntry) ApplyExecTimeOf(entry *ProcessCacheEntry)

ApplyExecTimeOf replaces the previous entry values with those of the given entry

func (*ProcessCacheEntry) Equals added in v0.36.0

func (pc *ProcessCacheEntry) Equals(entry *ProcessCacheEntry) bool

Equals returns whether process cache entries share the same values for file and args/envs

func (*ProcessCacheEntry) Exec

func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)

Exec replaces a process

func (*ProcessCacheEntry) Exit

func (pc *ProcessCacheEntry) Exit(exitTime time.Time)

Exit marks the process as exited at exitTime

func (*ProcessCacheEntry) Fork

func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)

Fork returns a copy of the current ProcessCacheEntry

func (*ProcessCacheEntry) HasCompleteLineage added in v0.43.0

func (pc *ProcessCacheEntry) HasCompleteLineage() bool

HasCompleteLineage returns false if the ancestors list cannot be walked from this entry up to PID 1

func (*ProcessCacheEntry) IsContainerRoot added in v0.44.0

func (pc *ProcessCacheEntry) IsContainerRoot() bool

IsContainerRoot returns whether this is a top-level process within its container

func (*ProcessCacheEntry) Release

func (pc *ProcessCacheEntry) Release()

Release decrements the reference counter and eventually releases the entry

func (*ProcessCacheEntry) Reset

func (pc *ProcessCacheEntry) Reset()

Reset resets the entry

func (*ProcessCacheEntry) Retain

func (pc *ProcessCacheEntry) Retain()

Retain increments the reference counter

func (*ProcessCacheEntry) SetAncestor

func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)

SetAncestor sets the ancestor

func (*ProcessCacheEntry) SetParentOfForkChild added in v0.42.0

func (pc *ProcessCacheEntry) SetParentOfForkChild(parent *ProcessCacheEntry)

SetParentOfForkChild sets the parent of a fork child

func (*ProcessCacheEntry) SetReleaseCallback added in v0.35.0

func (pc *ProcessCacheEntry) SetReleaseCallback(callback func())

SetReleaseCallback sets the callback called when the entry is released

func (*ProcessCacheEntry) SetSpan added in v0.36.0

func (pc *ProcessCacheEntry) SetSpan(spanID uint64, traceID uint64)

SetSpan sets the span

type ProcessContext

// ProcessContext holds the process context of an event: the process itself
// plus its parent and ancestor chain.
//
// Parent is exposed to rules at the event root only and its access is guarded
// by the HasParent check (see the field tag). Ancestor is the head of the
// ancestor chain, iterated with ProcessAncestorsIterator, and its access is
// guarded by the IsNotKworker check. Both are pointers and may be nil when the
// corresponding check fails — confirm against the resolvers.
type ProcessContext struct {
	Process

	Parent   *Process           `field:"parent,opts:exposed_at_event_root_only,check:HasParent"`
	Ancestor *ProcessCacheEntry `field:"ancestors,iterator:ProcessAncestorsIterator,check:IsNotKworker"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) HasParent added in v0.42.0

func (p *ProcessContext) HasParent() bool

HasParent returns whether the process has a parent

type Protection added in v0.34.0

// Protection represents a virtual memory protection bitmask value; String
// renders it for display.
type Protection int

Protection represents a virtual memory protection bitmask value

func (Protection) String added in v0.34.0

func (p Protection) String() string

type QClass added in v0.36.0

// QClass is the qclass field of a DNS request; String renders it for display.
type QClass uint32

QClass is used to declare the qclass field of a DNS request

func (QClass) String added in v0.36.0

func (qc QClass) String() string

type QType added in v0.36.0

// QType is the qtype field of a DNS request; String renders it for display.
type QType uint32

QType is used to declare the qtype field of a DNS request

func (QType) String added in v0.36.0

func (qt QType) String() string

type Releasable added in v0.46.0

// Releasable represents an object that can be released. A release callback is
// registered with SetReleaseCallback and invoked through OnRelease /
// CallReleaseCallback.
type Releasable struct {
	// contains filtered or unexported fields
}

Releasable represents an object that can be released

func (*Releasable) CallReleaseCallback added in v0.46.0

func (r *Releasable) CallReleaseCallback()

func (*Releasable) OnRelease added in v0.46.0

func (r *Releasable) OnRelease()

OnRelease triggers the release callback

func (*Releasable) SetReleaseCallback added in v0.46.0

func (r *Releasable) SetReleaseCallback(callback func())

SetReleaseCallback sets a callback to be called when the cache entry is released

type RenameEvent

// RenameEvent represents a rename event. Old is the source file ("file" in
// SECL rules) and New the destination ("file.destination").
type RenameEvent struct {
	SyscallEvent
	Old FileEvent `field:"file"`
	New FileEvent `field:"file.destination"`
}

RenameEvent represents a rename event

func (*RenameEvent) UnmarshalBinary

func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type RetValError

// RetValError represents a syscall return error value; String renders it for
// display.
type RetValError int

RetValError represents a syscall return error value

func (RetValError) String

func (f RetValError) String() string

type RmdirEvent

// RmdirEvent represents a rmdir event on File ("file" in SECL rules).
type RmdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
}

RmdirEvent represents a rmdir event

func (*RmdirEvent) UnmarshalBinary

func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SELinuxEvent

// SELinuxEvent represents a SELinux event.
//
// File and EventKind are internal (field:"-" json:"-"): they are neither
// exposed to SECL rules nor serialized. EventKind is one of the
// SELinuxEventKind constants and presumably selects which of the bool.*,
// bool_commit.* and enforce.* fields carries the payload — confirm against
// UnmarshalBinary.
type SELinuxEvent struct {
	File            FileEvent        `field:"-" json:"-"`
	EventKind       SELinuxEventKind `field:"-" json:"-"`
	BoolName        string           `field:"bool.name,handler:ResolveSELinuxBoolName"` // SECLDoc[bool.name] Definition:`SELinux boolean name`
	BoolChangeValue string           `field:"bool.state"`                               // SECLDoc[bool.state] Definition:`SELinux boolean new value`
	BoolCommitValue bool             `field:"bool_commit.state"`                        // SECLDoc[bool_commit.state] Definition:`Indicator of a SELinux boolean commit operation`
	EnforceStatus   string           `field:"enforce.status"`                           // SECLDoc[enforce.status] Definition:`SELinux enforcement status (one of "enforcing", "permissive", "disabled")`
}

SELinuxEvent represents a selinux event

func (*SELinuxEvent) UnmarshalBinary

func (e *SELinuxEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SELinuxEventKind

// SELinuxEventKind represents the event kind for SELinux events; see the
// SELinux*EventKind constants.
type SELinuxEventKind uint32

SELinuxEventKind represents the event kind for SELinux events

// SELinuxEventKind values, numbered from 0 in declaration order.
const (
	// SELinuxBoolChangeEventKind represents SELinux boolean change events
	SELinuxBoolChangeEventKind SELinuxEventKind = iota
	// SELinuxStatusChangeEventKind represents SELinux status change events
	SELinuxStatusChangeEventKind
	// SELinuxBoolCommitEventKind represents SELinux boolean commit events
	SELinuxBoolCommitEventKind
)

type SecurityProfileContext added in v0.45.0

// SecurityProfileContext holds the security context of the profile.
//
// Status is a bitmask of Status options (AnomalyDetection, AutoSuppression,
// WorkloadHardening). AnomalyDetectionEventTypes lists the event types for
// which anomaly detection is enabled; CanGenerateAnomaliesFor reports whether
// a given event type is among them — confirm against its implementation.
type SecurityProfileContext struct {
	Name                       string      `field:"name"`                          // SECLDoc[name] Definition:`Name of the security profile`
	Status                     Status      `field:"status"`                        // SECLDoc[status] Definition:`Status of the security profile`
	Version                    string      `field:"version"`                       // SECLDoc[version] Definition:`Version of the security profile`
	Tags                       []string    `field:"tags"`                          // SECLDoc[tags] Definition:`Tags of the security profile`
	AnomalyDetectionEventTypes []EventType `field:"anomaly_detection_event_types"` // SECLDoc[anomaly_detection_event_types] Definition:`Event types enabled for anomaly detection`
}

SecurityProfileContext holds the security context of the profile

func (SecurityProfileContext) CanGenerateAnomaliesFor added in v0.46.0

func (spc SecurityProfileContext) CanGenerateAnomaliesFor(evtType EventType) bool

CanGenerateAnomaliesFor returns true if the current profile can generate anomalies for the provided event type

type SetXAttrEvent

// SetXAttrEvent represents an extended attributes event.
//
// NameRaw is the attribute name as captured, fixed at 200 bytes and internal
// (not exposed to rules nor serialized). Namespace and Name are resolved by the
// ResolveXAttrNamespace and ResolveXAttrName handlers named in the field tags,
// presumably from NameRaw — confirm against the resolvers.
type SetXAttrEvent struct {
	SyscallEvent
	File      FileEvent `field:"file"`
	Namespace string    `field:"file.destination.namespace,handler:ResolveXAttrNamespace"` // SECLDoc[file.destination.namespace] Definition:`Namespace of the extended attribute`
	Name      string    `field:"file.destination.name,handler:ResolveXAttrName"`           // SECLDoc[file.destination.name] Definition:`Name of the extended attribute`

	NameRaw [200]byte `field:"-" json:"-"`
}

SetXAttrEvent represents an extended attributes event

func (*SetXAttrEvent) UnmarshalBinary

func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SetgidEvent

// SetgidEvent represents a setgid event.
//
// GID, EGID and FSGID are the new numeric group IDs; Group, EGroup and FSGroup
// are the corresponding names, resolved lazily by the handlers named in the
// field tags (ResolveSetgidGroup, ResolveSetgidEGroup, ResolveSetgidFSGroup).
type SetgidEvent struct {
	GID     uint32 `field:"gid"`                                  // SECLDoc[gid] Definition:`New GID of the process`
	Group   string `field:"group,handler:ResolveSetgidGroup"`     // SECLDoc[group] Definition:`New group of the process`
	EGID    uint32 `field:"egid"`                                 // SECLDoc[egid] Definition:`New effective GID of the process`
	EGroup  string `field:"egroup,handler:ResolveSetgidEGroup"`   // SECLDoc[egroup] Definition:`New effective group of the process`
	FSGID   uint32 `field:"fsgid"`                                // SECLDoc[fsgid] Definition:`New FileSystem GID of the process`
	FSGroup string `field:"fsgroup,handler:ResolveSetgidFSGroup"` // SECLDoc[fsgroup] Definition:`New FileSystem group of the process`
}

SetgidEvent represents a setgid event

func (*SetgidEvent) UnmarshalBinary

func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SetuidEvent

// SetuidEvent represents a setuid event.
//
// UID, EUID and FSUID are the new numeric user IDs; User, EUser and FSUser are
// the corresponding names, resolved lazily by the handlers named in the field
// tags (ResolveSetuidUser, ResolveSetuidEUser, ResolveSetuidFSUser).
type SetuidEvent struct {
	UID    uint32 `field:"uid"`                                // SECLDoc[uid] Definition:`New UID of the process`
	User   string `field:"user,handler:ResolveSetuidUser"`     // SECLDoc[user] Definition:`New user of the process`
	EUID   uint32 `field:"euid"`                               // SECLDoc[euid] Definition:`New effective UID of the process`
	EUser  string `field:"euser,handler:ResolveSetuidEUser"`   // SECLDoc[euser] Definition:`New effective user of the process`
	FSUID  uint32 `field:"fsuid"`                              // SECLDoc[fsuid] Definition:`New FileSystem UID of the process`
	FSUser string `field:"fsuser,handler:ResolveSetuidFSUser"` // SECLDoc[fsuser] Definition:`New FileSystem user of the process`
}

SetuidEvent represents a setuid event

func (*SetuidEvent) UnmarshalBinary

func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Signal added in v0.35.0

// Signal represents a type of unix signal (e.g. SIGKILL, SIGSTOP); String
// renders it for display.
type Signal int

Signal represents a type of unix signal (e.g. SIGKILL, SIGSTOP, etc.)

func (Signal) String added in v0.35.0

func (sig Signal) String() string

type SignalEvent added in v0.35.0

// SignalEvent represents a signal event.
//
// Type is the signal number (see the Signal constants) and PID the target
// process. Target holds the target's process context; NOTE(review): it is a
// pointer and may be nil when the target cannot be resolved — confirm before
// dereferencing.
type SignalEvent struct {
	SyscallEvent

	Type   uint32          `field:"type"`   // SECLDoc[type] Definition:`Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)` Constants:`Signal constants`
	PID    uint32          `field:"pid"`    // SECLDoc[pid] Definition:`Target PID`
	Target *ProcessContext `field:"target"` // Target process context
}

SignalEvent represents a signal event

func (*SignalEvent) UnmarshalBinary added in v0.35.0

func (e *SignalEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type SpanContext

// SpanContext describes a span context. Both fields are internal
// (field:"_" json:"-"): not exposed to SECL rules and not serialized.
type SpanContext struct {
	SpanID  uint64 `field:"_" json:"-"`
	TraceID uint64 `field:"_" json:"-"`
}

SpanContext describes a span context

func (*SpanContext) UnmarshalBinary

func (s *SpanContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SpliceEvent added in v0.35.0

// SpliceEvent represents a splice event. PipeEntryFlag and PipeExitFlag are
// the "fd_out" pipe buffer flags observed on entry and exit of the syscall
// (see the "Pipe buffer flags" constants).
type SpliceEvent struct {
	SyscallEvent

	File          FileEvent `field:"file"`            // File modified by the splice syscall
	PipeEntryFlag uint32    `field:"pipe_entry_flag"` // SECLDoc[pipe_entry_flag] Definition:`Entry flag of the "fd_out" pipe passed to the splice syscall` Constants:`Pipe buffer flags`
	PipeExitFlag  uint32    `field:"pipe_exit_flag"`  // SECLDoc[pipe_exit_flag] Definition:`Exit flag of the "fd_out" pipe passed to the splice syscall` Constants:`Pipe buffer flags`
}

SpliceEvent represents a splice event

func (*SpliceEvent) UnmarshalBinary added in v0.35.0

func (e *SpliceEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type Status added in v0.45.0

// Status is a bitmask of security profile options; options are combined with |
// and tested with IsEnabled.
type Status uint32
// Status option bits: AnomalyDetection = 1, AutoSuppression = 2, WorkloadHardening = 4.
const (
	// AnomalyDetection will trigger alerts each time an event is not part of the profile
	AnomalyDetection Status = 1 << iota
	// AutoSuppression will suppress any signal to events present on the profile
	AutoSuppression
	// WorkloadHardening will kill the process that triggered anomaly detection
	WorkloadHardening
)

func (Status) IsEnabled added in v0.45.0

func (s Status) IsEnabled(option Status) bool

func (Status) String added in v0.45.0

func (s Status) String() string

type Syscall added in v0.39.0

// Syscall represents a syscall identifier; see the Sys* constants, String and
// MarshalText.
type Syscall int

Syscall represents a syscall identifier

// Linux syscall identifiers.
//
// NOTE(review): these numbers appear to follow the x86_64 syscall table
// (e.g. SysExecve = 59, SysBpf = 321). Syscall numbering is architecture
// specific, so they should not be assumed valid for other architectures such
// as arm64 — confirm how the eBPF side reports syscall numbers.
const (
	SysRead                  Syscall = 0
	SysWrite                 Syscall = 1
	SysOpen                  Syscall = 2
	SysClose                 Syscall = 3
	SysStat                  Syscall = 4
	SysFstat                 Syscall = 5
	SysLstat                 Syscall = 6
	SysPoll                  Syscall = 7
	SysLseek                 Syscall = 8
	SysMmap                  Syscall = 9
	SysMprotect              Syscall = 10
	SysMunmap                Syscall = 11
	SysBrk                   Syscall = 12
	SysRtSigaction           Syscall = 13
	SysRtSigprocmask         Syscall = 14
	SysRtSigreturn           Syscall = 15
	SysIoctl                 Syscall = 16
	SysPread64               Syscall = 17
	SysPwrite64              Syscall = 18
	SysReadv                 Syscall = 19
	SysWritev                Syscall = 20
	SysAccess                Syscall = 21
	SysPipe                  Syscall = 22
	SysSelect                Syscall = 23
	SysSchedYield            Syscall = 24
	SysMremap                Syscall = 25
	SysMsync                 Syscall = 26
	SysMincore               Syscall = 27
	SysMadvise               Syscall = 28
	SysShmget                Syscall = 29
	SysShmat                 Syscall = 30
	SysShmctl                Syscall = 31
	SysDup                   Syscall = 32
	SysDup2                  Syscall = 33
	SysPause                 Syscall = 34
	SysNanosleep             Syscall = 35
	SysGetitimer             Syscall = 36
	SysAlarm                 Syscall = 37
	SysSetitimer             Syscall = 38
	SysGetpid                Syscall = 39
	SysSendfile              Syscall = 40
	SysSocket                Syscall = 41
	SysConnect               Syscall = 42
	SysAccept                Syscall = 43
	SysSendto                Syscall = 44
	SysRecvfrom              Syscall = 45
	SysSendmsg               Syscall = 46
	SysRecvmsg               Syscall = 47
	SysShutdown              Syscall = 48
	SysBind                  Syscall = 49
	SysListen                Syscall = 50
	SysGetsockname           Syscall = 51
	SysGetpeername           Syscall = 52
	SysSocketpair            Syscall = 53
	SysSetsockopt            Syscall = 54
	SysGetsockopt            Syscall = 55
	SysClone                 Syscall = 56
	SysFork                  Syscall = 57
	SysVfork                 Syscall = 58
	SysExecve                Syscall = 59
	SysExit                  Syscall = 60
	SysWait4                 Syscall = 61
	SysKill                  Syscall = 62
	SysUname                 Syscall = 63
	SysSemget                Syscall = 64
	SysSemop                 Syscall = 65
	SysSemctl                Syscall = 66
	SysShmdt                 Syscall = 67
	SysMsgget                Syscall = 68
	SysMsgsnd                Syscall = 69
	SysMsgrcv                Syscall = 70
	SysMsgctl                Syscall = 71
	SysFcntl                 Syscall = 72
	SysFlock                 Syscall = 73
	SysFsync                 Syscall = 74
	SysFdatasync             Syscall = 75
	SysTruncate              Syscall = 76
	SysFtruncate             Syscall = 77
	SysGetdents              Syscall = 78
	SysGetcwd                Syscall = 79
	SysChdir                 Syscall = 80
	SysFchdir                Syscall = 81
	SysRename                Syscall = 82
	SysMkdir                 Syscall = 83
	SysRmdir                 Syscall = 84
	SysCreat                 Syscall = 85
	SysLink                  Syscall = 86
	SysUnlink                Syscall = 87
	SysSymlink               Syscall = 88
	SysReadlink              Syscall = 89
	SysChmod                 Syscall = 90
	SysFchmod                Syscall = 91
	SysChown                 Syscall = 92
	SysFchown                Syscall = 93
	SysLchown                Syscall = 94
	SysUmask                 Syscall = 95
	SysGettimeofday          Syscall = 96
	SysGetrlimit             Syscall = 97
	SysGetrusage             Syscall = 98
	SysSysinfo               Syscall = 99
	SysTimes                 Syscall = 100
	SysPtrace                Syscall = 101
	SysGetuid                Syscall = 102
	SysSyslog                Syscall = 103
	SysGetgid                Syscall = 104
	SysSetuid                Syscall = 105
	SysSetgid                Syscall = 106
	SysGeteuid               Syscall = 107
	SysGetegid               Syscall = 108
	SysSetpgid               Syscall = 109
	SysGetppid               Syscall = 110
	SysGetpgrp               Syscall = 111
	SysSetsid                Syscall = 112
	SysSetreuid              Syscall = 113
	SysSetregid              Syscall = 114
	SysGetgroups             Syscall = 115
	SysSetgroups             Syscall = 116
	SysSetresuid             Syscall = 117
	SysGetresuid             Syscall = 118
	SysSetresgid             Syscall = 119
	SysGetresgid             Syscall = 120
	SysGetpgid               Syscall = 121
	SysSetfsuid              Syscall = 122
	SysSetfsgid              Syscall = 123
	SysGetsid                Syscall = 124
	SysCapget                Syscall = 125
	SysCapset                Syscall = 126
	SysRtSigpending          Syscall = 127
	SysRtSigtimedwait        Syscall = 128
	SysRtSigqueueinfo        Syscall = 129
	SysRtSigsuspend          Syscall = 130
	SysSigaltstack           Syscall = 131
	SysUtime                 Syscall = 132
	SysMknod                 Syscall = 133
	SysUselib                Syscall = 134
	SysPersonality           Syscall = 135
	SysUstat                 Syscall = 136
	SysStatfs                Syscall = 137
	SysFstatfs               Syscall = 138
	SysSysfs                 Syscall = 139
	SysGetpriority           Syscall = 140
	SysSetpriority           Syscall = 141
	SysSchedSetparam         Syscall = 142
	SysSchedGetparam         Syscall = 143
	SysSchedSetscheduler     Syscall = 144
	SysSchedGetscheduler     Syscall = 145
	SysSchedGetPriorityMax   Syscall = 146
	SysSchedGetPriorityMin   Syscall = 147
	SysSchedRrGetInterval    Syscall = 148
	SysMlock                 Syscall = 149
	SysMunlock               Syscall = 150
	SysMlockall              Syscall = 151
	SysMunlockall            Syscall = 152
	SysVhangup               Syscall = 153
	SysModifyLdt             Syscall = 154
	SysPivotRoot             Syscall = 155
	SysSysctl                Syscall = 156
	SysPrctl                 Syscall = 157
	SysArchPrctl             Syscall = 158
	SysAdjtimex              Syscall = 159
	SysSetrlimit             Syscall = 160
	SysChroot                Syscall = 161
	SysSync                  Syscall = 162
	SysAcct                  Syscall = 163
	SysSettimeofday          Syscall = 164
	SysMount                 Syscall = 165
	SysUmount2               Syscall = 166
	SysSwapon                Syscall = 167
	SysSwapoff               Syscall = 168
	SysReboot                Syscall = 169
	SysSethostname           Syscall = 170
	SysSetdomainname         Syscall = 171
	SysIopl                  Syscall = 172
	SysIoperm                Syscall = 173
	SysCreateModule          Syscall = 174
	SysInitModule            Syscall = 175
	SysDeleteModule          Syscall = 176
	SysGetKernelSyms         Syscall = 177
	SysQueryModule           Syscall = 178
	SysQuotactl              Syscall = 179
	SysNfsservctl            Syscall = 180
	SysGetpmsg               Syscall = 181
	SysPutpmsg               Syscall = 182
	SysAfsSyscall            Syscall = 183
	SysTuxcall               Syscall = 184
	SysSecurity              Syscall = 185
	SysGettid                Syscall = 186
	SysReadahead             Syscall = 187
	SysSetxattr              Syscall = 188
	SysLsetxattr             Syscall = 189
	SysFsetxattr             Syscall = 190
	SysGetxattr              Syscall = 191
	SysLgetxattr             Syscall = 192
	SysFgetxattr             Syscall = 193
	SysListxattr             Syscall = 194
	SysLlistxattr            Syscall = 195
	SysFlistxattr            Syscall = 196
	SysRemovexattr           Syscall = 197
	SysLremovexattr          Syscall = 198
	SysFremovexattr          Syscall = 199
	SysTkill                 Syscall = 200
	SysTime                  Syscall = 201
	SysFutex                 Syscall = 202
	SysSchedSetaffinity      Syscall = 203
	SysSchedGetaffinity      Syscall = 204
	SysSetThreadArea         Syscall = 205
	SysIoSetup               Syscall = 206
	SysIoDestroy             Syscall = 207
	SysIoGetevents           Syscall = 208
	SysIoSubmit              Syscall = 209
	SysIoCancel              Syscall = 210
	SysGetThreadArea         Syscall = 211
	SysLookupDcookie         Syscall = 212
	SysEpollCreate           Syscall = 213
	SysEpollCtlOld           Syscall = 214
	SysEpollWaitOld          Syscall = 215
	SysRemapFilePages        Syscall = 216
	SysGetdents64            Syscall = 217
	SysSetTidAddress         Syscall = 218
	SysRestartSyscall        Syscall = 219
	SysSemtimedop            Syscall = 220
	SysFadvise64             Syscall = 221
	SysTimerCreate           Syscall = 222
	SysTimerSettime          Syscall = 223
	SysTimerGettime          Syscall = 224
	SysTimerGetoverrun       Syscall = 225
	SysTimerDelete           Syscall = 226
	SysClockSettime          Syscall = 227
	SysClockGettime          Syscall = 228
	SysClockGetres           Syscall = 229
	SysClockNanosleep        Syscall = 230
	SysExitGroup             Syscall = 231
	SysEpollWait             Syscall = 232
	SysEpollCtl              Syscall = 233
	SysTgkill                Syscall = 234
	SysUtimes                Syscall = 235
	SysVserver               Syscall = 236
	SysMbind                 Syscall = 237
	SysSetMempolicy          Syscall = 238
	SysGetMempolicy          Syscall = 239
	SysMqOpen                Syscall = 240
	SysMqUnlink              Syscall = 241
	SysMqTimedsend           Syscall = 242
	SysMqTimedreceive        Syscall = 243
	SysMqNotify              Syscall = 244
	SysMqGetsetattr          Syscall = 245
	SysKexecLoad             Syscall = 246
	SysWaitid                Syscall = 247
	SysAddKey                Syscall = 248
	SysRequestKey            Syscall = 249
	SysKeyctl                Syscall = 250
	SysIoprioSet             Syscall = 251
	SysIoprioGet             Syscall = 252
	SysInotifyInit           Syscall = 253
	SysInotifyAddWatch       Syscall = 254
	SysInotifyRmWatch        Syscall = 255
	SysMigratePages          Syscall = 256
	SysOpenat                Syscall = 257
	SysMkdirat               Syscall = 258
	SysMknodat               Syscall = 259
	SysFchownat              Syscall = 260
	SysFutimesat             Syscall = 261
	SysNewfstatat            Syscall = 262
	SysUnlinkat              Syscall = 263
	SysRenameat              Syscall = 264
	SysLinkat                Syscall = 265
	SysSymlinkat             Syscall = 266
	SysReadlinkat            Syscall = 267
	SysFchmodat              Syscall = 268
	SysFaccessat             Syscall = 269
	SysPselect6              Syscall = 270
	SysPpoll                 Syscall = 271
	SysUnshare               Syscall = 272
	SysSetRobustList         Syscall = 273
	SysGetRobustList         Syscall = 274
	SysSplice                Syscall = 275
	SysTee                   Syscall = 276
	SysSyncFileRange         Syscall = 277
	SysVmsplice              Syscall = 278
	SysMovePages             Syscall = 279
	SysUtimensat             Syscall = 280
	SysEpollPwait            Syscall = 281
	SysSignalfd              Syscall = 282
	SysTimerfdCreate         Syscall = 283
	SysEventfd               Syscall = 284
	SysFallocate             Syscall = 285
	SysTimerfdSettime        Syscall = 286
	SysTimerfdGettime        Syscall = 287
	SysAccept4               Syscall = 288
	SysSignalfd4             Syscall = 289
	SysEventfd2              Syscall = 290
	SysEpollCreate1          Syscall = 291
	SysDup3                  Syscall = 292
	SysPipe2                 Syscall = 293
	SysInotifyInit1          Syscall = 294
	SysPreadv                Syscall = 295
	SysPwritev               Syscall = 296
	SysRtTgsigqueueinfo      Syscall = 297
	SysPerfEventOpen         Syscall = 298
	SysRecvmmsg              Syscall = 299
	SysFanotifyInit          Syscall = 300
	SysFanotifyMark          Syscall = 301
	SysPrlimit64             Syscall = 302
	SysNameToHandleAt        Syscall = 303
	SysOpenByHandleAt        Syscall = 304
	SysClockAdjtime          Syscall = 305
	SysSyncfs                Syscall = 306
	SysSendmmsg              Syscall = 307
	SysSetns                 Syscall = 308
	SysGetcpu                Syscall = 309
	SysProcessVmReadv        Syscall = 310
	SysProcessVmWritev       Syscall = 311
	SysKcmp                  Syscall = 312
	SysFinitModule           Syscall = 313
	SysSchedSetattr          Syscall = 314
	SysSchedGetattr          Syscall = 315
	SysRenameat2             Syscall = 316
	SysSeccomp               Syscall = 317
	SysGetrandom             Syscall = 318
	SysMemfdCreate           Syscall = 319
	SysKexecFileLoad         Syscall = 320
	SysBpf                   Syscall = 321
	SysExecveat              Syscall = 322
	SysUserfaultfd           Syscall = 323
	SysMembarrier            Syscall = 324
	SysMlock2                Syscall = 325
	SysCopyFileRange         Syscall = 326
	SysPreadv2               Syscall = 327
	SysPwritev2              Syscall = 328
	SysPkeyMprotect          Syscall = 329
	SysPkeyAlloc             Syscall = 330
	SysPkeyFree              Syscall = 331
	SysStatx                 Syscall = 332
	SysIoPgetevents          Syscall = 333
	SysRseq                  Syscall = 334
	// numbers 335-423 are not defined here; the table resumes at 424
	SysPidfdSendSignal       Syscall = 424
	SysIoUringSetup          Syscall = 425
	SysIoUringEnter          Syscall = 426
	SysIoUringRegister       Syscall = 427
	SysOpenTree              Syscall = 428
	SysMoveMount             Syscall = 429
	SysFsopen                Syscall = 430
	SysFsconfig              Syscall = 431
	SysFsmount               Syscall = 432
	SysFspick                Syscall = 433
	SysPidfdOpen             Syscall = 434
	SysClone3                Syscall = 435
	SysCloseRange            Syscall = 436
	SysOpenat2               Syscall = 437
	SysPidfdGetfd            Syscall = 438
	SysFaccessat2            Syscall = 439
	SysProcessMadvise        Syscall = 440
	SysEpollPwait2           Syscall = 441
	SysMountSetattr          Syscall = 442
	SysQuotactlFd            Syscall = 443
	SysLandlockCreateRuleset Syscall = 444
	SysLandlockAddRule       Syscall = 445
	SysLandlockRestrictSelf  Syscall = 446
	SysMemfdSecret           Syscall = 447
	SysProcessMrelease       Syscall = 448
	SysFutexWaitv            Syscall = 449
	SysSetMempolicyHomeNode  Syscall = 450
)

Linux syscall identifiers

func (Syscall) MarshalText added in v0.39.0

func (s Syscall) MarshalText() ([]byte, error)

MarshalText maps the syscall identifier to UTF-8-encoded text and returns the result

func (Syscall) String added in v0.39.0

func (i Syscall) String() string

type SyscallEvent

// SyscallEvent contains the common fields for all syscall events. Retval is
// the raw syscall return value; a negative value presumably carries the error
// code (see RetValError and the "Error constants") — confirm.
type SyscallEvent struct {
	Retval int64 `field:"retval"` // SECLDoc[retval] Definition:`Return value of the syscall` Constants:`Error constants`
}

SyscallEvent contains the common fields for all events

func (*SyscallEvent) UnmarshalBinary

func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SyscallsEvent added in v0.39.0

// SyscallsEvent represents a syscalls event: the list of syscall identifiers
// observed, decoded by UnmarshalBinary.
type SyscallsEvent struct {
	Syscalls []Syscall // presumably decoded from a 64-byte bitmap: 64 * 8 = 512 bits, enough for all syscall numbers up to 450 — confirm against UnmarshalBinary
}

SyscallsEvent represents a syscalls event

func (*SyscallsEvent) UnmarshalBinary added in v0.39.0

func (e *SyscallsEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UmountEvent

// UmountEvent represents an umount event.
type UmountEvent struct {
	SyscallEvent
	MountID uint32 // no field tag: apparently not exposed to SECL rules — confirm
}

UmountEvent represents an umount event

func (*UmountEvent) UnmarshalBinary

func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UnlinkEvent

// UnlinkEvent represents an unlink event on File; Flags are the unlink syscall
// flags (see UnlinkFlags).
type UnlinkEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"` // SECLDoc[flags] Definition:`Flags of the unlink syscall` Constants:`Unlink flags`
}

UnlinkEvent represents an unlink event

func (*UnlinkEvent) UnmarshalBinary

func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UnlinkFlags

// UnlinkFlags represents an unlink flags bitmask value; String and StringArray
// render it for display.
type UnlinkFlags int

UnlinkFlags represents an unlink flags bitmask value

func (UnlinkFlags) String

func (f UnlinkFlags) String() string

func (UnlinkFlags) StringArray

func (f UnlinkFlags) StringArray() []string

StringArray returns the unlink flags as an array of strings

type UnloadModuleEvent added in v0.35.0

// UnloadModuleEvent represents an unload_module event; Name is the name of the
// kernel module that was deleted.
type UnloadModuleEvent struct {
	SyscallEvent

	Name string `field:"name"` // SECLDoc[name] Definition:`Name of the kernel module that was deleted`
}

UnloadModuleEvent represents an unload_module event

func (*UnloadModuleEvent) UnmarshalBinary added in v0.35.0

func (e *UnloadModuleEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type UnshareMountNSEvent added in v0.42.0

// UnshareMountNSEvent represents a mount cloned from a newly created mount
// namespace; it embeds the cloned Mount.
type UnshareMountNSEvent struct {
	Mount
}

UnshareMountNSEvent represents a mount cloned from a newly created mount namespace

func (*UnshareMountNSEvent) UnmarshalBinary added in v0.42.0

func (e *UnshareMountNSEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UtimesEvent

// UtimesEvent represents a utimes event on File. Atime and Mtime are internal
// (field:"-" json:"-"): not exposed to SECL rules and not serialized.
type UtimesEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Atime time.Time `field:"-" json:"-"`
	Mtime time.Time `field:"-" json:"-"`
}

UtimesEvent represents a utime event

func (*UtimesEvent) UnmarshalBinary

func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type VMFlag added in v0.34.0

// VMFlag represents a VM_* bitmask value; String renders it for display.
type VMFlag uint64

VMFlag represents a VM_* bitmask value

func (VMFlag) String added in v0.34.0

func (vmf VMFlag) String() string

type VethPairEvent added in v0.36.0

// VethPairEvent represents a veth pair event. HostDevice and PeerDevice carry
// no field tag and so are apparently not exposed to SECL rules — confirm.
type VethPairEvent struct {
	SyscallEvent

	HostDevice NetDevice
	PeerDevice NetDevice
}

VethPairEvent represents a veth pair event

func (*VethPairEvent) UnmarshalBinary added in v0.36.0

func (e *VethPairEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself
