Published: Mar 20, 2024 License: Apache-2.0 Imports: 24 Imported by: 0


Package model holds model-related files



Constants

// MaxArgEnvSize is the maximum size, in bytes, of a single captured argument
// or environment variable (it is also the size of ArgsEnvs.ValuesRaw).
const MaxArgEnvSize = 256

// MaxArgsEnvsSize is the maximum number of arguments and/or environment
// variables captured.
const MaxArgsEnvsSize = 128
// Path resolution limits.
const (
	// MaxSegmentLength defines the maximum length of each segment of a path
	MaxSegmentLength = 255

	// MaxPathDepth defines the maximum depth of a path
	// see pkg/security/ebpf/c/dentry_resolver.h: DR_MAX_TAIL_CALL * DR_MAX_ITERATION_DEPTH
	MaxPathDepth = 1363

	// MaxSymlinks is the maximum number of symlinks captured
	MaxSymlinks = 2
)

// Suffixes used to build the path and name field names of a file.
const (
	// PathSuffix defines the suffix used for path fields
	PathSuffix = ".path"

	// NameSuffix defines the suffix used for name fields
	NameSuffix = ".name"
)

// Miscellaneous size limits.
const (
	// MaxBpfObjName defines the maximum length of a Bpf object name
	// (matches the kernel's BPF_OBJ_NAME_LEN)
	MaxBpfObjName = 16

	// ContainerIDLen defines the length of a container ID: twice sha256.Size,
	// i.e. the 64 characters of a hex-encoded sha256 digest
	ContainerIDLen = sha256.Size * 2

	// MaxTracedCgroupsCount is the hard limit for the count of traced cgroups
	MaxTracedCgroupsCount = 128
)
// EventFlags* are single-bit flags carried by an event. The first constant is
// 1 << iota and the following ones repeat that expression, so the values are
// 1, 2, 4, 8 and 16 respectively.
const (
	// EventFlagsAsync marks an async event
	EventFlagsAsync = 1 << iota

	// EventFlagsSavedByAD marks an event saved by an activity dump (AD)
	EventFlagsSavedByAD

	// EventFlagsActivityDumpSample marks an activity dump (AD) sample
	EventFlagsActivityDumpSample

	// EventFlagsSecurityProfileInProfile true if the event was found in a profile
	EventFlagsSecurityProfileInProfile

	// EventFlagsAnomalyDetectionEvent true if the event is marked as being an anomaly
	EventFlagsAnomalyDetectionEvent
)
// File flags describing the layer a file belongs to. The two flags are
// distinct bits (1 and 2).
// NOTE(review): the "layer" here presumably refers to overlay filesystem
// layers (see the exec.file.overlay_numlower field elsewhere in this
// package) — confirm against the eBPF side.
const (
	// LowerLayer marks a file located in a lower layer
	LowerLayer = 1 << iota
	// UpperLayer marks a file located in the upper layer
	UpperLayer
)

File flags

// Event types are split in two ranges: kernel events, numbered from
// FileOpenEventType up to MaxKernelEventType, and custom events, numbered from
// CustomLostReadEventType up to MaxAllEventType.
//
// Because the aliases FirstEventType..LastApproverEventType sit in the middle
// of this iota block, iota keeps counting across them: the custom range does
// NOT start at MaxKernelEventType+1 but several values above it. Any table
// indexed by event type must therefore be sized with MaxAllEventType, never
// with MaxKernelEventType.
const (
	// UnknownEventType unknown event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileChdirEventType chdir event
	FileChdirEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event (DEPRECATED)
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// BPFEventType bpf event
	BPFEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// LoadModuleEventType LoadModule event
	LoadModuleEventType
	// UnloadModuleEventType UnloadModule event
	UnloadModuleEventType
	// SignalEventType Signal event
	SignalEventType
	// SpliceEventType Splice event
	SpliceEventType
	// CgroupTracingEventType is sent when a new cgroup is being traced
	CgroupTracingEventType
	// DNSEventType DNS event
	DNSEventType
	// NetDeviceEventType is sent for events on net devices
	NetDeviceEventType
	// VethPairEventType is sent when a new veth pair is created
	VethPairEventType
	// BindEventType Bind event
	BindEventType
	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
	UnshareMountNsEventType
	// SyscallsEventType Syscalls event
	SyscallsEventType
	// AnomalyDetectionSyscallEventType Anomaly Detection Syscall event
	AnomalyDetectionSyscallEventType
	// MaxKernelEventType is used internally to get the maximum number of kernel events.
	MaxKernelEventType

	// FirstEventType is the first valid event type
	FirstEventType = FileOpenEventType

	// LastEventType is the last valid event type
	// (note: AnomalyDetectionSyscallEventType lies outside the
	// [FirstEventType, LastEventType] range)
	LastEventType = SyscallsEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileChdirEventType

	// LastApproverEventType is the last event that accepts approvers
	LastApproverEventType = SpliceEventType

	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	// (iota resumes its count here, leaving a gap after MaxKernelEventType; see the block comment)
	CustomLostReadEventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomHeartbeatEventType is the custom event used to report a heartbeat event
	CustomHeartbeatEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
	// CustomSelfTestEventType is the custom event used to report the results of a self test run
	CustomSelfTestEventType
	// CreateNewFileEventType event
	CreateNewFileEventType
	// CreateRegistryKeyEventType event
	CreateRegistryKeyEventType
	// OpenRegistryKeyEventType event
	OpenRegistryKeyEventType
	// SetRegistryKeyValueEventType event
	SetRegistryKeyValueEventType
	// DeleteRegistryKeyEventType event
	DeleteRegistryKeyEventType
	// MaxAllEventType is used internally to get the maximum number of events.
	MaxAllEventType
)

Variables

// The maps below are the name -> value tables for the constants that can be
// used in rules (presumably registered through SECLConstants — confirm). The
// "generate_constants:" marker comments are picked up by the documentation
// generator. Keys are the kernel/UAPI spellings, values are this package's
// typed constants; since keys are matched verbatim by rules, renaming a key
// is a breaking change.
var (

	// BPFCmdConstants is the list of BPF commands
	// generate_constants:BPF commands,BPF commands are used to specify a command to a bpf syscall.
	BPFCmdConstants = map[string]BPFCmd{
		"BPF_MAP_CREATE":                  BpfMapCreateCmd,
		"BPF_MAP_LOOKUP_ELEM":             BpfMapLookupElemCmd,
		"BPF_MAP_UPDATE_ELEM":             BpfMapUpdateElemCmd,
		"BPF_MAP_DELETE_ELEM":             BpfMapDeleteElemCmd,
		"BPF_MAP_GET_NEXT_KEY":            BpfMapGetNextKeyCmd,
		"BPF_PROG_LOAD":                   BpfProgLoadCmd,
		"BPF_OBJ_PIN":                     BpfObjPinCmd,
		"BPF_OBJ_GET":                     BpfObjGetCmd,
		"BPF_PROG_ATTACH":                 BpfProgAttachCmd,
		"BPF_PROG_DETACH":                 BpfProgDetachCmd,
		"BPF_PROG_TEST_RUN":               BpfProgTestRunCmd,
		"BPF_PROG_RUN":                    BpfProgTestRunCmd, // kernel alias of BPF_PROG_TEST_RUN, same value on purpose
		"BPF_PROG_GET_NEXT_ID":            BpfProgGetNextIDCmd,
		"BPF_MAP_GET_NEXT_ID":             BpfMapGetNextIDCmd,
		"BPF_PROG_GET_FD_BY_ID":           BpfProgGetFdByIDCmd,
		"BPF_MAP_GET_FD_BY_ID":            BpfMapGetFdByIDCmd,
		"BPF_OBJ_GET_INFO_BY_FD":          BpfObjGetInfoByFdCmd,
		"BPF_PROG_QUERY":                  BpfProgQueryCmd,
		"BPF_RAW_TRACEPOINT_OPEN":         BpfRawTracepointOpenCmd,
		"BPF_BTF_LOAD":                    BpfBtfLoadCmd,
		"BPF_BTF_GET_FD_BY_ID":            BpfBtfGetFdByIDCmd,
		"BPF_TASK_FD_QUERY":               BpfTaskFdQueryCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_ELEM":  BpfMapLookupAndDeleteElemCmd,
		"BPF_MAP_FREEZE":                  BpfMapFreezeCmd,
		"BPF_BTF_GET_NEXT_ID":             BpfBtfGetNextIDCmd,
		"BPF_MAP_LOOKUP_BATCH":            BpfMapLookupBatchCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_BATCH": BpfMapLookupAndDeleteBatchCmd,
		"BPF_MAP_UPDATE_BATCH":            BpfMapUpdateBatchCmd,
		"BPF_MAP_DELETE_BATCH":            BpfMapDeleteBatchCmd,
		"BPF_LINK_CREATE":                 BpfLinkCreateCmd,
		"BPF_LINK_UPDATE":                 BpfLinkUpdateCmd,
		"BPF_LINK_GET_FD_BY_ID":           BpfLinkGetFdByIDCmd,
		"BPF_LINK_GET_NEXT_ID":            BpfLinkGetNextIDCmd,
		"BPF_ENABLE_STATS":                BpfEnableStatsCmd,
		"BPF_ITER_CREATE":                 BpfIterCreateCmd,
		"BPF_LINK_DETACH":                 BpfLinkDetachCmd,
		"BPF_PROG_BIND_MAP":               BpfProgBindMapCmd,
	}

	// BPFHelperFuncConstants is the list of BPF helper func constants
	// generate_constants:BPF helper functions,BPF helper functions are the supported BPF helper functions.
	BPFHelperFuncConstants = map[string]BPFHelperFunc{}/* 166 elements not displayed */

	// BPFMapTypeConstants is the list of BPF map type constants
	// generate_constants:BPF map types,BPF map types are the supported eBPF map types.
	BPFMapTypeConstants = map[string]BPFMapType{
		"BPF_MAP_TYPE_UNSPEC":                BpfMapTypeUnspec,
		"BPF_MAP_TYPE_HASH":                  BpfMapTypeHash,
		"BPF_MAP_TYPE_ARRAY":                 BpfMapTypeArray,
		"BPF_MAP_TYPE_PROG_ARRAY":            BpfMapTypeProgArray,
		"BPF_MAP_TYPE_PERF_EVENT_ARRAY":      BpfMapTypePerfEventArray,
		"BPF_MAP_TYPE_PERCPU_HASH":           BpfMapTypePercpuHash,
		"BPF_MAP_TYPE_PERCPU_ARRAY":          BpfMapTypePercpuArray,
		"BPF_MAP_TYPE_STACK_TRACE":           BpfMapTypeStackTrace,
		"BPF_MAP_TYPE_CGROUP_ARRAY":          BpfMapTypeCgroupArray,
		"BPF_MAP_TYPE_LRU_HASH":              BpfMapTypeLruHash,
		"BPF_MAP_TYPE_LRU_PERCPU_HASH":       BpfMapTypeLruPercpuHash,
		"BPF_MAP_TYPE_LPM_TRIE":              BpfMapTypeLpmTrie,
		"BPF_MAP_TYPE_ARRAY_OF_MAPS":         BpfMapTypeArrayOfMaps,
		"BPF_MAP_TYPE_HASH_OF_MAPS":          BpfMapTypeHashOfMaps,
		"BPF_MAP_TYPE_DEVMAP":                BpfMapTypeDevmap,
		"BPF_MAP_TYPE_SOCKMAP":               BpfMapTypeSockmap,
		"BPF_MAP_TYPE_CPUMAP":                BpfMapTypeCPUmap,
		"BPF_MAP_TYPE_XSKMAP":                BpfMapTypeXskmap,
		"BPF_MAP_TYPE_SOCKHASH":              BpfMapTypeSockhash,
		"BPF_MAP_TYPE_CGROUP_STORAGE":        BpfMapTypeCgroupStorage,
		"BPF_MAP_TYPE_REUSEPORT_SOCKARRAY":   BpfMapTypeReuseportSockarray,
		"BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE": BpfMapTypePercpuCgroupStorage,
		"BPF_MAP_TYPE_QUEUE":                 BpfMapTypeQueue,
		"BPF_MAP_TYPE_STACK":                 BpfMapTypeStack,
		"BPF_MAP_TYPE_SK_STORAGE":            BpfMapTypeSkStorage,
		"BPF_MAP_TYPE_DEVMAP_HASH":           BpfMapTypeDevmapHash,
		"BPF_MAP_TYPE_STRUCT_OPS":            BpfMapTypeStructOps,
		"BPF_MAP_TYPE_RINGBUF":               BpfMapTypeRingbuf,
		"BPF_MAP_TYPE_INODE_STORAGE":         BpfMapTypeInodeStorage,
		"BPF_MAP_TYPE_TASK_STORAGE":          BpfMapTypeTaskStorage,
	}

	// BPFProgramTypeConstants is the list of BPF program type constants
	// generate_constants:BPF program types,BPF program types are the supported eBPF program types.
	BPFProgramTypeConstants = map[string]BPFProgramType{
		"BPF_PROG_TYPE_UNSPEC":                  BpfProgTypeUnspec,
		"BPF_PROG_TYPE_SOCKET_FILTER":           BpfProgTypeSocketFilter,
		"BPF_PROG_TYPE_KPROBE":                  BpfProgTypeKprobe,
		"BPF_PROG_TYPE_SCHED_CLS":               BpfProgTypeSchedCls,
		"BPF_PROG_TYPE_SCHED_ACT":               BpfProgTypeSchedAct,
		"BPF_PROG_TYPE_TRACEPOINT":              BpfProgTypeTracepoint,
		"BPF_PROG_TYPE_XDP":                     BpfProgTypeXdp,
		"BPF_PROG_TYPE_PERF_EVENT":              BpfProgTypePerfEvent,
		"BPF_PROG_TYPE_CGROUP_SKB":              BpfProgTypeCgroupSkb,
		"BPF_PROG_TYPE_CGROUP_SOCK":             BpfProgTypeCgroupSock,
		"BPF_PROG_TYPE_LWT_IN":                  BpfProgTypeLwtIn,
		"BPF_PROG_TYPE_LWT_OUT":                 BpfProgTypeLwtOut,
		"BPF_PROG_TYPE_LWT_XMIT":                BpfProgTypeLwtXmit,
		"BPF_PROG_TYPE_SOCK_OPS":                BpfProgTypeSockOps,
		"BPF_PROG_TYPE_SK_SKB":                  BpfProgTypeSkSkb,
		"BPF_PROG_TYPE_CGROUP_DEVICE":           BpfProgTypeCgroupDevice,
		"BPF_PROG_TYPE_SK_MSG":                  BpfProgTypeSkMsg,
		"BPF_PROG_TYPE_RAW_TRACEPOINT":          BpfProgTypeRawTracepoint,
		"BPF_PROG_TYPE_CGROUP_SOCK_ADDR":        BpfProgTypeCgroupSockAddr,
		"BPF_PROG_TYPE_LWT_SEG6LOCAL":           BpfProgTypeLwtSeg6local,
		"BPF_PROG_TYPE_LIRC_MODE2":              BpfProgTypeLircMode2,
		"BPF_PROG_TYPE_SK_REUSEPORT":            BpfProgTypeSkReuseport,
		"BPF_PROG_TYPE_FLOW_DISSECTOR":          BpfProgTypeFlowDissector,
		"BPF_PROG_TYPE_CGROUP_SYSCTL":           BpfProgTypeCgroupSysctl,
		"BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE": BpfProgTypeRawTracepointWritable,
		"BPF_PROG_TYPE_CGROUP_SOCKOPT":          BpfProgTypeCgroupSockopt,
		"BPF_PROG_TYPE_TRACING":                 BpfProgTypeTracing,
		"BPF_PROG_TYPE_STRUCT_OPS":              BpfProgTypeStructOps,
		"BPF_PROG_TYPE_EXT":                     BpfProgTypeExt,
		"BPF_PROG_TYPE_LSM":                     BpfProgTypeLsm,
		"BPF_PROG_TYPE_SK_LOOKUP":               BpfProgTypeSkLookup,
	}

	// BPFAttachTypeConstants is the list of BPF attach type constants
	// generate_constants:BPF attach types,BPF attach types are the supported eBPF program attach types.
	BPFAttachTypeConstants = map[string]BPFAttachType{
		"BPF_CGROUP_INET_INGRESS":      BpfCgroupInetIngress,
		"BPF_CGROUP_INET_EGRESS":       BpfCgroupInetEgress,
		"BPF_CGROUP_INET_SOCK_CREATE":  BpfCgroupInetSockCreate,
		"BPF_CGROUP_SOCK_OPS":          BpfCgroupSockOps,
		"BPF_SK_SKB_STREAM_PARSER":     BpfSkSkbStreamParser,
		"BPF_SK_SKB_STREAM_VERDICT":    BpfSkSkbStreamVerdict,
		"BPF_CGROUP_DEVICE":            BpfCgroupDevice,
		"BPF_SK_MSG_VERDICT":           BpfSkMsgVerdict,
		"BPF_CGROUP_INET4_BIND":        BpfCgroupInet4Bind,
		"BPF_CGROUP_INET6_BIND":        BpfCgroupInet6Bind,
		"BPF_CGROUP_INET4_CONNECT":     BpfCgroupInet4Connect,
		"BPF_CGROUP_INET6_CONNECT":     BpfCgroupInet6Connect,
		"BPF_CGROUP_INET4_POST_BIND":   BpfCgroupInet4PostBind,
		"BPF_CGROUP_INET6_POST_BIND":   BpfCgroupInet6PostBind,
		"BPF_CGROUP_UDP4_SENDMSG":      BpfCgroupUDP4Sendmsg,
		"BPF_CGROUP_UDP6_SENDMSG":      BpfCgroupUDP6Sendmsg,
		"BPF_LIRC_MODE2":               BpfLircMode2,
		"BPF_FLOW_DISSECTOR":           BpfFlowDissector,
		"BPF_CGROUP_SYSCTL":            BpfCgroupSysctl,
		"BPF_CGROUP_UDP4_RECVMSG":      BpfCgroupUDP4Recvmsg,
		"BPF_CGROUP_UDP6_RECVMSG":      BpfCgroupUDP6Recvmsg,
		"BPF_CGROUP_GETSOCKOPT":        BpfCgroupGetsockopt,
		"BPF_CGROUP_SETSOCKOPT":        BpfCgroupSetsockopt,
		"BPF_TRACE_RAW_TP":             BpfTraceRawTp,
		"BPF_TRACE_FENTRY":             BpfTraceFentry,
		"BPF_TRACE_FEXIT":              BpfTraceFexit,
		"BPF_MODIFY_RETURN":            BpfModifyReturn,
		"BPF_LSM_MAC":                  BpfLsmMac,
		"BPF_TRACE_ITER":               BpfTraceIter,
		"BPF_CGROUP_INET4_GETPEERNAME": BpfCgroupInet4Getpeername,
		"BPF_CGROUP_INET6_GETPEERNAME": BpfCgroupInet6Getpeername,
		"BPF_CGROUP_INET4_GETSOCKNAME": BpfCgroupInet4Getsockname,
		"BPF_CGROUP_INET6_GETSOCKNAME": BpfCgroupInet6Getsockname,
		"BPF_XDP_DEVMAP":               BpfXdpDevmap,
		"BPF_CGROUP_INET_SOCK_RELEASE": BpfCgroupInetSockRelease,
		"BPF_XDP_CPUMAP":               BpfXdpCPUmap,
		"BPF_SK_LOOKUP":                BpfSkLookup,
		"BPF_XDP":                      BpfXdp,
		"BPF_SK_SKB_VERDICT":           BpfSkSkbVerdict,
	}

	// PipeBufFlagConstants is the list of pipe buffer flags
	// generate_constants:Pipe buffer flags,Pipe buffer flags are the supported flags for a pipe buffer.
	PipeBufFlagConstants = map[string]PipeBufFlag{
		"PIPE_BUF_FLAG_LRU":       PipeBufFlagLRU,
		"PIPE_BUF_FLAG_ATOMIC":    PipeBufFlagAtomic,
		"PIPE_BUF_FLAG_GIFT":      PipeBufFlagGift,
		"PIPE_BUF_FLAG_PACKET":    PipeBufFlagPacket,
		"PIPE_BUF_FLAG_CAN_MERGE": PipeBufFlagCanMerge,
		"PIPE_BUF_FLAG_WHOLE":     PipeBufFlagWhole,
		"PIPE_BUF_FLAG_LOSS":      PipeBufFlagLoss,
	}

	// DNSQTypeConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qtypes,DNS qtypes are the supported DNS query types.
	// Values are the IANA RRTYPE numbers; "None" (0) and "Reserved" (65535)
	// are placeholder entries rather than real record types.
	DNSQTypeConstants = map[string]int{
		"None":       0,
		"A":          1,
		"NS":         2,
		"MD":         3,
		"MF":         4,
		"CNAME":      5,
		"SOA":        6,
		"MB":         7,
		"MG":         8,
		"MR":         9,
		"NULL":       10,
		"PTR":        12,
		"HINFO":      13,
		"MINFO":      14,
		"MX":         15,
		"TXT":        16,
		"RP":         17,
		"AFSDB":      18,
		"X25":        19,
		"ISDN":       20,
		"RT":         21,
		"NSAPPTR":    23,
		"SIG":        24,
		"KEY":        25,
		"PX":         26,
		"GPOS":       27,
		"AAAA":       28,
		"LOC":        29,
		"NXT":        30,
		"EID":        31,
		"NIMLOC":     32,
		"SRV":        33,
		"ATMA":       34,
		"NAPTR":      35,
		"KX":         36,
		"CERT":       37,
		"DNAME":      39,
		"OPT":        41,
		"APL":        42,
		"DS":         43,
		"SSHFP":      44,
		"RRSIG":      46,
		"NSEC":       47,
		"DNSKEY":     48,
		"DHCID":      49,
		"NSEC3":      50,
		"NSEC3PARAM": 51,
		"TLSA":       52,
		"SMIMEA":     53,
		"HIP":        55,
		"NINFO":      56,
		"RKEY":       57,
		"TALINK":     58,
		"CDS":        59,
		"CDNSKEY":    60,
		"OPENPGPKEY": 61,
		"CSYNC":      62,
		"ZONEMD":     63,
		"SVCB":       64,
		"HTTPS":      65,
		"SPF":        99,
		"UINFO":      100,
		"UID":        101,
		"GID":        102,
		"UNSPEC":     103,
		"NID":        104,
		"L32":        105,
		"L64":        106,
		"LP":         107,
		"EUI48":      108,
		"EUI64":      109,
		"URI":        256,
		"CAA":        257,
		"AVC":        258,
		"TKEY":       249,
		"TSIG":       250,
		"IXFR":       251,
		"AXFR":       252,
		"MAILB":      253,
		"MAILA":      254,
		"ANY":        255,
		"TA":         32768,
		"DLV":        32769,
		"Reserved":   65535,
	}

	// DNSQClassConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qclasses,DNS qclasses are the supported DNS query classes.
	DNSQClassConstants = map[string]int{
		"CLASS_INET":   1,
		"CLASS_CSNET":  2,
		"CLASS_CHAOS":  3,
		"CLASS_HESIOD": 4,
		"CLASS_NONE":   254,
		"CLASS_ANY":    255,
	}

	// BooleanConstants holds the evaluator for boolean constants
	// generate_constants:Boolean constants,Boolean constants are the supported boolean constants.
	// Unlike the other tables the values are evaluators (*eval.BoolEvaluator),
	// not plain constants, hence the interface{} value type.
	BooleanConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}

	// L3ProtocolConstants is the list of supported L3 protocols
	// generate_constants:L3 protocols,L3 protocols are the supported Layer 3 protocols.
	// Note: "ETH_P__LINK_CTL" (double underscore) is the spelling rules must
	// use; it is kept as-is because renaming the key would break existing rules.
	L3ProtocolConstants = map[string]L3Protocol{
		"ETH_P_LOOP":            EthPLOOP,
		"ETH_P_PUP":             EthPPUP,
		"ETH_P_PUPAT":           EthPPUPAT,
		"ETH_P_TSN":             EthPTSN,
		"ETH_P_IP":              EthPIP,
		"ETH_P_X25":             EthPX25,
		"ETH_P_ARP":             EthPARP,
		"ETH_P_BPQ":             EthPBPQ,
		"ETH_P_IEEEPUP":         EthPIEEEPUP,
		"ETH_P_IEEEPUPAT":       EthPIEEEPUPAT,
		"ETH_P_BATMAN":          EthPBATMAN,
		"ETH_P_DEC":             EthPDEC,
		"ETH_P_DNADL":           EthPDNADL,
		"ETH_P_DNARC":           EthPDNARC,
		"ETH_P_DNART":           EthPDNART,
		"ETH_P_LAT":             EthPLAT,
		"ETH_P_DIAG":            EthPDIAG,
		"ETH_P_CUST":            EthPCUST,
		"ETH_P_SCA":             EthPSCA,
		"ETH_P_TEB":             EthPTEB,
		"ETH_P_RARP":            EthPRARP,
		"ETH_P_ATALK":           EthPATALK,
		"ETH_P_AARP":            EthPAARP,
		"ETH_P_8021_Q":          EthP8021Q,
		"ETH_P_ERSPAN":          EthPERSPAN,
		"ETH_P_IPX":             EthPIPX,
		"ETH_P_IPV6":            EthPIPV6,
		"ETH_P_PAUSE":           EthPPAUSE,
		"ETH_P_SLOW":            EthPSLOW,
		"ETH_P_WCCP":            EthPWCCP,
		"ETH_P_MPLSUC":          EthPMPLSUC,
		"ETH_P_MPLSMC":          EthPMPLSMC,
		"ETH_P_ATMMPOA":         EthPATMMPOA,
		"ETH_P_PPPDISC":         EthPPPPDISC,
		"ETH_P_PPPSES":          EthPPPPSES,
		"ETH_P__LINK_CTL":       EthPLinkCTL,
		"ETH_P_ATMFATE":         EthPATMFATE,
		"ETH_P_PAE":             EthPPAE,
		"ETH_P_AOE":             EthPAOE,
		"ETH_P_8021_AD":         EthP8021AD,
		"ETH_P_802_EX1":         EthP802EX1,
		"ETH_P_TIPC":            EthPTIPC,
		"ETH_P_MACSEC":          EthPMACSEC,
		"ETH_P_8021_AH":         EthP8021AH,
		"ETH_P_MVRP":            EthPMVRP,
		"ETH_P_1588":            EthP1588,
		"ETH_P_NCSI":            EthPNCSI,
		"ETH_P_PRP":             EthPPRP,
		"ETH_P_FCOE":            EthPFCOE,
		"ETH_P_IBOE":            EthPIBOE,
		"ETH_P_TDLS":            EthPTDLS,
		"ETH_P_FIP":             EthPFIP,
		"ETH_P_80221":           EthP80221,
		"ETH_P_HSR":             EthPHSR,
		"ETH_P_NSH":             EthPNSH,
		"ETH_P_LOOPBACK":        EthPLOOPBACK,
		"ETH_P_QINQ1":           EthPQINQ1,
		"ETH_P_QINQ2":           EthPQINQ2,
		"ETH_P_QINQ3":           EthPQINQ3,
		"ETH_P_EDSA":            EthPEDSA,
		"ETH_P_IFE":             EthPIFE,
		"ETH_P_AFIUCV":          EthPAFIUCV,
		"ETH_P_8023_MIN":        EthP8023MIN,
		"ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop,
		"ETH_P_8023":            EthP8023,
		"ETH_P_AX25":            EthPAX25,
		"ETH_P_ALL":             EthPALL,
		"ETH_P_8022":            EthP8022,
		"ETH_P_SNAP":            EthPSNAP,
		"ETH_P_DDCMP":           EthPDDCMP,
		"ETH_P_WANPPP":          EthPWANPPP,
		"ETH_P_PPPMP":           EthPPPPMP,
		"ETH_P_LOCALTALK":       EthPLOCALTALK,
		"ETH_P_CAN":             EthPCAN,
		"ETH_P_CANFD":           EthPCANFD,
		"ETH_P_PPPTALK":         EthPPPPTALK,
		"ETH_P_TR8022":          EthPTR8022,
		"ETH_P_MOBITEX":         EthPMOBITEX,
		"ETH_P_CONTROL":         EthPCONTROL,
		"ETH_P_IRDA":            EthPIRDA,
		"ETH_P_ECONET":          EthPECONET,
		"ETH_P_HDLC":            EthPHDLC,
		"ETH_P_ARCNET":          EthPARCNET,
		"ETH_P_DSA":             EthPDSA,
		"ETH_P_TRAILER":         EthPTRAILER,
		"ETH_P_PHONET":          EthPPHONET,
		"ETH_P_IEEE802154":      EthPIEEE802154,
		"ETH_P_CAIF":            EthPCAIF,
		"ETH_P_XDSA":            EthPXDSA,
		"ETH_P_MAP":             EthPMAP,
	}

	// L4ProtocolConstants is the list of supported L4 protocols
	// generate_constants:L4 protocols,L4 protocols are the supported Layer 4 protocols.
	L4ProtocolConstants = map[string]L4Protocol{
		"IP_PROTO_IP":      IPProtoIP,
		"IP_PROTO_ICMP":    IPProtoICMP,
		"IP_PROTO_IGMP":    IPProtoIGMP,
		"IP_PROTO_IPIP":    IPProtoIPIP,
		"IP_PROTO_TCP":     IPProtoTCP,
		"IP_PROTO_EGP":     IPProtoEGP,
		"IP_PROTO_IGP":     IPProtoIGP,
		"IP_PROTO_PUP":     IPProtoPUP,
		"IP_PROTO_UDP":     IPProtoUDP,
		"IP_PROTO_IDP":     IPProtoIDP,
		"IP_PROTO_TP":      IPProtoTP,
		"IP_PROTO_DCCP":    IPProtoDCCP,
		"IP_PROTO_IPV6":    IPProtoIPV6,
		"IP_PROTO_RSVP":    IPProtoRSVP,
		"IP_PROTO_GRE":     IPProtoGRE,
		"IP_PROTO_ESP":     IPProtoESP,
		"IP_PROTO_AH":      IPProtoAH,
		"IP_PROTO_ICMPV6":  IPProtoICMPV6,
		"IP_PROTO_MTP":     IPProtoMTP,
		"IP_PROTO_BEETPH":  IPProtoBEETPH,
		"IP_PROTO_ENCAP":   IPProtoENCAP,
		"IP_PROTO_PIM":     IPProtoPIM,
		"IP_PROTO_COMP":    IPProtoCOMP,
		"IP_PROTO_SCTP":    IPProtoSCTP,
		"IP_PROTO_UDPLITE": IPProtoUDPLITE,
		"IP_PROTO_MPLS":    IPProtoMPLS,
		"IP_PROTO_RAW":     IPProtoRAW,
	}
)
// KernelCapabilityConstants lists the kernel capabilities by name. It starts
// out empty and is filled in elsewhere (presumably by the platform-specific
// initialization that SECLConstants performs on its first call — confirm).
var KernelCapabilityConstants = make(map[string]uint64)

// SignalConstants lists the signals by name. Like KernelCapabilityConstants it
// starts out empty and is populated elsewhere.
var SignalConstants = make(map[string]int)
// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event.
var ErrNotEnoughData = errors.New("not enough data")

// ErrNotEnoughSpace is returned when the provided buffer is too small to marshal the event.
var ErrNotEnoughSpace = errors.New("not enough space")

// ErrStringArrayOverflow is returned when a string array overflows.
var ErrStringArrayOverflow = errors.New("string array overflow")

// ErrNonPrintable is returned when a string contains a non printable character.
var ErrNonPrintable = errors.New("non printable")

// ErrIncorrectDataSize is returned when the amount of data read does not match the expected size.
var ErrIncorrectDataSize = errors.New("incorrect data size")
// SECLLegacyFields maps legacy SECL attribute names (keys) to the field names
// that replaced them (values), presumably so that rules written against the
// old names keep working. Entries are grouped by event, alphabetically.
var SECLLegacyFields = map[eval.Field]eval.Field{
	"async": "event.async",

	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",
}

SECLLegacyFields contains the list of legacy attributes that still need to be supported, mapped to their current field names

var (
	// SECLVariables is the set of SECL variables.
	SECLVariables = map[string]eval.VariableValue{
		// process.pid resolves to the pid of the event's process, or 0 when the
		// event carries no process context.
		// NOTE(review): the type assertion on ctx.Event is unchecked and panics
		// if the event is not an *Event; this variable must only be evaluated
		// against this package's Event type.
		"process.pid": eval.NewIntVariable(func(ctx *eval.Context) int {
			if pc := ctx.Event.(*Event).ProcessContext; pc != nil {
				return int(pc.Process.Pid)
			}
			return 0
		}, nil),
	}
)

Functions

func FilterEnvs added in v0.51.0

func FilterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string

FilterEnvs returns an array of environment variable key/value pairs whose keys match the desired keys

func GetEventTypePerCategory added in v0.34.0

func GetEventTypePerCategory() map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func IsAlphaNumeric

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable

func IsPrintable(s string) bool

IsPrintable reports whether the string contains only Unicode printable characters

func IsPrintableASCII

func IsPrintableASCII(s string) bool

IsPrintableASCII reports whether the string contains only printable ASCII characters

func NullTerminatedString added in v0.41.0

func NullTerminatedString(d []byte) string

NullTerminatedString returns the null-terminated string held in d

func SECLConstants added in v0.34.0

func SECLConstants() map[string]interface{}

SECLConstants returns the constants supported in runtime security agent rules, initializing them on the first call

func SliceToArray

func SliceToArray(src []byte, dst []byte)

SliceToArray copies the bytes of src into dst. The destination must have enough space.

func StringifyHelpersList added in v0.34.0

func StringifyHelpersList(input []uint32) []string

StringifyHelpersList returns a string list representation of a list of helpers

func UnmarshalPrintableString

func UnmarshalPrintableString(data []byte, size int) (string, error)

UnmarshalPrintableString unmarshals a printable string of the given size from data

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshals a string of the given size from data

func UnmarshalStringArray

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extracts an array of strings from an array of bytes

Types

type ActionReport added in v0.52.0

// ActionReport defines an action report.
type ActionReport interface {
	// ToJSON serializes the report to JSON.
	ToJSON() ([]byte, error)
}

ActionReport defines an action report

type AddressFamily added in v0.37.0

// AddressFamily represents an address family (AF_INET, AF_INET6, AF_UNIX, etc.).
type AddressFamily int

AddressFamily represents an address family (AF_INET, AF_INET6, AF_UNIX, etc.)

func (AddressFamily) String added in v0.37.0

func (af AddressFamily) String() string

type ArgsEntry added in v0.34.0

// ArgsEntry defines an args cache entry.
type ArgsEntry struct {
	// Values holds the captured argument values.
	Values []string
	// Truncated is set when the captured values are incomplete; presumably
	// when the capture hit MaxArgsEnvsSize or MaxArgEnvSize — confirm against
	// the eBPF side. Consumers matching on Values should take it into account.
	Truncated bool
}

ArgsEntry defines an args cache entry

func (*ArgsEntry) Equals added in v0.36.0

func (p *ArgsEntry) Equals(o *ArgsEntry) bool

Equals compares two ArgsEntry values

type ArgsEnvs added in v0.34.0

// ArgsEnvs is the raw value for args and envs.
type ArgsEnvs struct {
	// ID presumably identifies the process/entry this chunk belongs to — confirm.
	ID uint32
	// Size presumably is the number of meaningful bytes in ValuesRaw — confirm.
	Size uint32
	// ValuesRaw is the fixed-size buffer holding the raw bytes, bounded by MaxArgEnvSize.
	ValuesRaw [MaxArgEnvSize]byte
}

ArgsEnvs is the raw value for args and envs

type BPFAttachType added in v0.34.0

// BPFAttachType is used to define attach type constants.
type BPFAttachType uint32

BPFAttachType is used to define attach type constants

// BPFAttachType values start at 1 (iota + 1). The kernel's enum
// bpf_attach_type starts at 0 with BPF_CGROUP_INET_INGRESS, so each value
// here is the kernel value + 1 — presumably so that the zero value can mean
// "unset"; confirm before comparing these against raw kernel values.
const (
	// BpfCgroupInetIngress attach type
	BpfCgroupInetIngress BPFAttachType = iota + 1
	// BpfCgroupInetEgress attach type
	BpfCgroupInetEgress
	// BpfCgroupInetSockCreate attach type
	BpfCgroupInetSockCreate
	// BpfCgroupSockOps attach type
	BpfCgroupSockOps
	// BpfSkSkbStreamParser attach type
	BpfSkSkbStreamParser
	// BpfSkSkbStreamVerdict attach type
	BpfSkSkbStreamVerdict
	// BpfCgroupDevice attach type
	BpfCgroupDevice
	// BpfSkMsgVerdict attach type
	BpfSkMsgVerdict
	// BpfCgroupInet4Bind attach type
	BpfCgroupInet4Bind
	// BpfCgroupInet6Bind attach type
	BpfCgroupInet6Bind
	// BpfCgroupInet4Connect attach type
	BpfCgroupInet4Connect
	// BpfCgroupInet6Connect attach type
	BpfCgroupInet6Connect
	// BpfCgroupInet4PostBind attach type
	BpfCgroupInet4PostBind
	// BpfCgroupInet6PostBind attach type
	BpfCgroupInet6PostBind
	// BpfCgroupUDP4Sendmsg attach type
	BpfCgroupUDP4Sendmsg
	// BpfCgroupUDP6Sendmsg attach type
	BpfCgroupUDP6Sendmsg
	// BpfLircMode2 attach type
	BpfLircMode2
	// BpfFlowDissector attach type
	BpfFlowDissector
	// BpfCgroupSysctl attach type
	BpfCgroupSysctl
	// BpfCgroupUDP4Recvmsg attach type
	BpfCgroupUDP4Recvmsg
	// BpfCgroupUDP6Recvmsg attach type
	BpfCgroupUDP6Recvmsg
	// BpfCgroupGetsockopt attach type
	BpfCgroupGetsockopt
	// BpfCgroupSetsockopt attach type
	BpfCgroupSetsockopt
	// BpfTraceRawTp attach type
	BpfTraceRawTp
	// BpfTraceFentry attach type
	BpfTraceFentry
	// BpfTraceFexit attach type
	BpfTraceFexit
	// BpfModifyReturn attach type
	BpfModifyReturn
	// BpfLsmMac attach type
	BpfLsmMac
	// BpfTraceIter attach type
	BpfTraceIter
	// BpfCgroupInet4Getpeername attach type
	BpfCgroupInet4Getpeername
	// BpfCgroupInet6Getpeername attach type
	BpfCgroupInet6Getpeername
	// BpfCgroupInet4Getsockname attach type
	BpfCgroupInet4Getsockname
	// BpfCgroupInet6Getsockname attach type
	BpfCgroupInet6Getsockname
	// BpfXdpDevmap attach type
	BpfXdpDevmap
	// BpfCgroupInetSockRelease attach type
	BpfCgroupInetSockRelease
	// BpfXdpCPUmap attach type
	BpfXdpCPUmap
	// BpfSkLookup attach type
	BpfSkLookup
	// BpfXdp attach type
	BpfXdp
	// BpfSkSkbVerdict attach type
	BpfSkSkbVerdict
)

func (BPFAttachType) String added in v0.34.0

func (t BPFAttachType) String() string

type BPFCmd added in v0.34.0

// BPFCmd represents a BPF command (the cmd argument of the bpf syscall).
type BPFCmd uint64

BPFCmd represents a BPF command

// The constants below appear to follow the order of the kernel's
// enum bpf_cmd (uapi/linux/bpf.h), starting at BPF_MAP_CREATE = 0, so the
// iota value is the raw command number of the bpf(2) call. The list stops
// at BPF_PROG_BIND_MAP: commands introduced by newer kernels have no
// constant here and would presumably be reported without a symbolic name
// by String() — keep this list in sync when raising the supported kernel
// range, otherwise detections keyed on command names silently lose coverage.
const (
	// BpfMapCreateCmd command
	BpfMapCreateCmd BPFCmd = iota
	// BpfMapLookupElemCmd command
	BpfMapLookupElemCmd
	// BpfMapUpdateElemCmd command
	BpfMapUpdateElemCmd
	// BpfMapDeleteElemCmd command
	BpfMapDeleteElemCmd
	// BpfMapGetNextKeyCmd command
	BpfMapGetNextKeyCmd
	// BpfProgLoadCmd command
	BpfProgLoadCmd
	// BpfObjPinCmd command
	BpfObjPinCmd
	// BpfObjGetCmd command
	BpfObjGetCmd
	// BpfProgAttachCmd command
	BpfProgAttachCmd
	// BpfProgDetachCmd command
	BpfProgDetachCmd
	// BpfProgTestRunCmd command
	BpfProgTestRunCmd
	// BpfProgGetNextIDCmd command
	BpfProgGetNextIDCmd
	// BpfMapGetNextIDCmd command
	BpfMapGetNextIDCmd
	// BpfProgGetFdByIDCmd command
	BpfProgGetFdByIDCmd
	// BpfMapGetFdByIDCmd command
	BpfMapGetFdByIDCmd
	// BpfObjGetInfoByFdCmd command
	BpfObjGetInfoByFdCmd
	// BpfProgQueryCmd command
	BpfProgQueryCmd
	// BpfRawTracepointOpenCmd command
	BpfRawTracepointOpenCmd
	// BpfBtfLoadCmd command
	BpfBtfLoadCmd
	// BpfBtfGetFdByIDCmd command
	BpfBtfGetFdByIDCmd
	// BpfTaskFdQueryCmd command
	BpfTaskFdQueryCmd
	// BpfMapLookupAndDeleteElemCmd command
	BpfMapLookupAndDeleteElemCmd
	// BpfMapFreezeCmd command
	BpfMapFreezeCmd
	// BpfBtfGetNextIDCmd command
	BpfBtfGetNextIDCmd
	// BpfMapLookupBatchCmd command
	BpfMapLookupBatchCmd
	// BpfMapLookupAndDeleteBatchCmd command
	BpfMapLookupAndDeleteBatchCmd
	// BpfMapUpdateBatchCmd command
	BpfMapUpdateBatchCmd
	// BpfMapDeleteBatchCmd command
	BpfMapDeleteBatchCmd
	// BpfLinkCreateCmd command
	BpfLinkCreateCmd
	// BpfLinkUpdateCmd command
	BpfLinkUpdateCmd
	// BpfLinkGetFdByIDCmd command
	BpfLinkGetFdByIDCmd
	// BpfLinkGetNextIDCmd command
	BpfLinkGetNextIDCmd
	// BpfEnableStatsCmd command
	BpfEnableStatsCmd
	// BpfIterCreateCmd command
	BpfIterCreateCmd
	// BpfLinkDetachCmd command
	BpfLinkDetachCmd
	// BpfProgBindMapCmd command
	BpfProgBindMapCmd
)

func (BPFCmd) String added in v0.34.0

func (cmd BPFCmd) String() string

type BPFHelperFunc added in v0.34.0

// BPFHelperFunc represents a BPF helper function, identified by its helper
// number as referenced from a loaded program. Named values are the Bpf*
// constants below.
type BPFHelperFunc uint32

BPFHelperFunc represents a BPF helper function

// The constants below appear to follow the order of the kernel's
// enum bpf_func_id (uapi/linux/bpf.h), starting at BPF_FUNC_unspec = 0, so
// the iota value is the raw helper number. The list ends at bpf_snprintf;
// helpers added by later kernels have no constant here and would presumably
// be reported without a symbolic name by String(). Because helper usage is
// what lets a rule tell a benign program from one that, say, reads or
// writes process memory, keep this list in sync with the kernels the probe
// supports so newer helpers do not go unnamed.
const (
	// BpfUnspec helper function
	BpfUnspec BPFHelperFunc = iota
	// BpfMapLookupElem helper function
	BpfMapLookupElem
	// BpfMapUpdateElem helper function
	BpfMapUpdateElem
	// BpfMapDeleteElem helper function
	BpfMapDeleteElem
	// BpfProbeRead helper function
	BpfProbeRead
	// BpfKtimeGetNs helper function
	BpfKtimeGetNs
	// BpfTracePrintk helper function
	BpfTracePrintk
	// BpfGetPrandomU32 helper function
	BpfGetPrandomU32
	// BpfGetSmpProcessorID helper function
	BpfGetSmpProcessorID
	// BpfSkbStoreBytes helper function
	BpfSkbStoreBytes
	// BpfL3CsumReplace helper function
	BpfL3CsumReplace
	// BpfL4CsumReplace helper function
	BpfL4CsumReplace
	// BpfTailCall helper function
	BpfTailCall
	// BpfCloneRedirect helper function
	BpfCloneRedirect
	// BpfGetCurrentPidTgid helper function
	BpfGetCurrentPidTgid
	// BpfGetCurrentUIDGid helper function
	BpfGetCurrentUIDGid
	// BpfGetCurrentComm helper function
	BpfGetCurrentComm
	// BpfGetCgroupClassid helper function
	BpfGetCgroupClassid
	// BpfSkbVlanPush helper function
	BpfSkbVlanPush
	// BpfSkbVlanPop helper function
	BpfSkbVlanPop
	// BpfSkbGetTunnelKey helper function
	BpfSkbGetTunnelKey
	// BpfSkbSetTunnelKey helper function
	BpfSkbSetTunnelKey
	// BpfPerfEventRead helper function
	BpfPerfEventRead
	// BpfRedirect helper function
	BpfRedirect
	// BpfGetRouteRealm helper function
	BpfGetRouteRealm
	// BpfPerfEventOutput helper function
	BpfPerfEventOutput
	// BpfSkbLoadBytes helper function
	BpfSkbLoadBytes
	// BpfGetStackid helper function
	BpfGetStackid
	// BpfCsumDiff helper function
	BpfCsumDiff
	// BpfSkbGetTunnelOpt helper function
	BpfSkbGetTunnelOpt
	// BpfSkbSetTunnelOpt helper function
	BpfSkbSetTunnelOpt
	// BpfSkbChangeProto helper function
	BpfSkbChangeProto
	// BpfSkbChangeType helper function
	BpfSkbChangeType
	// BpfSkbUnderCgroup helper function
	BpfSkbUnderCgroup
	// BpfGetHashRecalc helper function
	BpfGetHashRecalc
	// BpfGetCurrentTask helper function
	BpfGetCurrentTask
	// BpfProbeWriteUser helper function
	BpfProbeWriteUser
	// BpfCurrentTaskUnderCgroup helper function
	BpfCurrentTaskUnderCgroup
	// BpfSkbChangeTail helper function
	BpfSkbChangeTail
	// BpfSkbPullData helper function
	BpfSkbPullData
	// BpfCsumUpdate helper function
	BpfCsumUpdate
	// BpfSetHashInvalid helper function
	BpfSetHashInvalid
	// BpfGetNumaNodeID helper function
	BpfGetNumaNodeID
	// BpfSkbChangeHead helper function
	BpfSkbChangeHead
	// BpfXdpAdjustHead helper function
	BpfXdpAdjustHead
	// BpfProbeReadStr helper function
	BpfProbeReadStr
	// BpfGetSocketCookie helper function
	BpfGetSocketCookie
	// BpfGetSocketUID helper function
	BpfGetSocketUID
	// BpfSetHash helper function
	BpfSetHash
	// BpfSetsockopt helper function
	BpfSetsockopt
	// BpfSkbAdjustRoom helper function
	BpfSkbAdjustRoom
	// BpfRedirectMap helper function
	BpfRedirectMap
	// BpfSkRedirectMap helper function
	BpfSkRedirectMap
	// BpfSockMapUpdate helper function
	BpfSockMapUpdate
	// BpfXdpAdjustMeta helper function
	BpfXdpAdjustMeta
	// BpfPerfEventReadValue helper function
	BpfPerfEventReadValue
	// BpfPerfProgReadValue helper function
	BpfPerfProgReadValue
	// BpfGetsockopt helper function
	BpfGetsockopt
	// BpfOverrideReturn helper function
	BpfOverrideReturn
	// BpfSockOpsCbFlagsSet helper function
	BpfSockOpsCbFlagsSet
	// BpfMsgRedirectMap helper function
	BpfMsgRedirectMap
	// BpfMsgApplyBytes helper function
	BpfMsgApplyBytes
	// BpfMsgCorkBytes helper function
	BpfMsgCorkBytes
	// BpfMsgPullData helper function
	BpfMsgPullData
	// BpfBind helper function
	BpfBind
	// BpfXdpAdjustTail helper function
	BpfXdpAdjustTail
	// BpfSkbGetXfrmState helper function
	BpfSkbGetXfrmState
	// BpfGetStack helper function
	BpfGetStack
	// BpfSkbLoadBytesRelative helper function
	BpfSkbLoadBytesRelative
	// BpfFibLookup helper function
	BpfFibLookup
	// BpfSockHashUpdate helper function
	BpfSockHashUpdate
	// BpfMsgRedirectHash helper function
	BpfMsgRedirectHash
	// BpfSkRedirectHash helper function
	BpfSkRedirectHash
	// BpfLwtPushEncap helper function
	BpfLwtPushEncap
	// BpfLwtSeg6StoreBytes helper function
	BpfLwtSeg6StoreBytes
	// BpfLwtSeg6AdjustSrh helper function
	BpfLwtSeg6AdjustSrh
	// BpfLwtSeg6Action helper function
	BpfLwtSeg6Action
	// BpfRcRepeat helper function
	BpfRcRepeat
	// BpfRcKeydown helper function
	BpfRcKeydown
	// BpfSkbCgroupID helper function
	BpfSkbCgroupID
	// BpfGetCurrentCgroupID helper function
	BpfGetCurrentCgroupID
	// BpfGetLocalStorage helper function
	BpfGetLocalStorage
	// BpfSkSelectReuseport helper function
	BpfSkSelectReuseport
	// BpfSkbAncestorCgroupID helper function
	BpfSkbAncestorCgroupID
	// BpfSkLookupTCP helper function
	BpfSkLookupTCP
	// BpfSkLookupUDP helper function
	BpfSkLookupUDP
	// BpfSkRelease helper function
	BpfSkRelease
	// BpfMapPushElem helper function
	BpfMapPushElem
	// BpfMapPopElem helper function
	BpfMapPopElem
	// BpfMapPeekElem helper function
	BpfMapPeekElem
	// BpfMsgPushData helper function
	BpfMsgPushData
	// BpfMsgPopData helper function
	BpfMsgPopData
	// BpfRcPointerRel helper function
	BpfRcPointerRel
	// BpfSpinLock helper function
	BpfSpinLock
	// BpfSpinUnlock helper function
	BpfSpinUnlock
	// BpfSkFullsock helper function
	BpfSkFullsock
	// BpfTCPSock helper function
	BpfTCPSock
	// BpfSkbEcnSetCe helper function
	BpfSkbEcnSetCe
	// BpfGetListenerSock helper function
	BpfGetListenerSock
	// BpfSkcLookupTCP helper function
	BpfSkcLookupTCP
	// BpfTCPCheckSyncookie helper function
	BpfTCPCheckSyncookie
	// BpfSysctlGetName helper function
	BpfSysctlGetName
	// BpfSysctlGetCurrentValue helper function
	BpfSysctlGetCurrentValue
	// BpfSysctlGetNewValue helper function
	BpfSysctlGetNewValue
	// BpfSysctlSetNewValue helper function
	BpfSysctlSetNewValue
	// BpfStrtol helper function
	BpfStrtol
	// BpfStrtoul helper function
	BpfStrtoul
	// BpfSkStorageGet helper function
	BpfSkStorageGet
	// BpfSkStorageDelete helper function
	BpfSkStorageDelete
	// BpfSendSignal helper function
	BpfSendSignal
	// BpfTCPGenSyncookie helper function
	BpfTCPGenSyncookie
	// BpfSkbOutput helper function
	BpfSkbOutput
	// BpfProbeReadUser helper function
	BpfProbeReadUser
	// BpfProbeReadKernel helper function
	BpfProbeReadKernel
	// BpfProbeReadUserStr helper function
	BpfProbeReadUserStr
	// BpfProbeReadKernelStr helper function
	BpfProbeReadKernelStr
	// BpfTCPSendAck helper function
	BpfTCPSendAck
	// BpfSendSignalThread helper function
	BpfSendSignalThread
	// BpfJiffies64 helper function
	BpfJiffies64
	// BpfReadBranchRecords helper function
	BpfReadBranchRecords
	// BpfGetNsCurrentPidTgid helper function
	BpfGetNsCurrentPidTgid
	// BpfXdpOutput helper function
	BpfXdpOutput
	// BpfGetNetnsCookie helper function
	BpfGetNetnsCookie
	// BpfGetCurrentAncestorCgroupID helper function
	BpfGetCurrentAncestorCgroupID
	// BpfSkAssign helper function
	BpfSkAssign
	// BpfKtimeGetBootNs helper function
	BpfKtimeGetBootNs
	// BpfSeqPrintf helper function
	BpfSeqPrintf
	// BpfSeqWrite helper function
	BpfSeqWrite
	// BpfSkCgroupID helper function
	BpfSkCgroupID
	// BpfSkAncestorCgroupID helper function
	BpfSkAncestorCgroupID
	// BpfRingbufOutput helper function
	BpfRingbufOutput
	// BpfRingbufReserve helper function
	BpfRingbufReserve
	// BpfRingbufSubmit helper function
	BpfRingbufSubmit
	// BpfRingbufDiscard helper function
	BpfRingbufDiscard
	// BpfRingbufQuery helper function
	BpfRingbufQuery
	// BpfCsumLevel helper function
	BpfCsumLevel
	// BpfSkcToTCP6Sock helper function
	BpfSkcToTCP6Sock
	// BpfSkcToTCPSock helper function
	BpfSkcToTCPSock
	// BpfSkcToTCPTimewaitSock helper function
	BpfSkcToTCPTimewaitSock
	// BpfSkcToTCPRequestSock helper function
	BpfSkcToTCPRequestSock
	// BpfSkcToUDP6Sock helper function
	BpfSkcToUDP6Sock
	// BpfGetTaskStack helper function
	BpfGetTaskStack
	// BpfLoadHdrOpt helper function
	BpfLoadHdrOpt
	// BpfStoreHdrOpt helper function
	BpfStoreHdrOpt
	// BpfReserveHdrOpt helper function
	BpfReserveHdrOpt
	// BpfInodeStorageGet helper function
	BpfInodeStorageGet
	// BpfInodeStorageDelete helper function
	BpfInodeStorageDelete
	// BpfDPath helper function
	BpfDPath
	// BpfCopyFromUser helper function
	BpfCopyFromUser
	// BpfSnprintfBtf helper function
	BpfSnprintfBtf
	// BpfSeqPrintfBtf helper function
	BpfSeqPrintfBtf
	// BpfSkbCgroupClassid helper function
	BpfSkbCgroupClassid
	// BpfRedirectNeigh helper function
	BpfRedirectNeigh
	// BpfPerCPUPtr helper function
	BpfPerCPUPtr
	// BpfThisCPUPtr helper function
	BpfThisCPUPtr
	// BpfRedirectPeer helper function
	BpfRedirectPeer
	// BpfTaskStorageGet helper function
	BpfTaskStorageGet
	// BpfTaskStorageDelete helper function
	BpfTaskStorageDelete
	// BpfGetCurrentTaskBtf helper function
	BpfGetCurrentTaskBtf
	// BpfBprmOptsSet helper function
	BpfBprmOptsSet
	// BpfKtimeGetCoarseNs helper function
	BpfKtimeGetCoarseNs
	// BpfImaInodeHash helper function
	BpfImaInodeHash
	// BpfSockFromFile helper function
	BpfSockFromFile
	// BpfCheckMtu helper function
	BpfCheckMtu
	// BpfForEachMapElem helper function
	BpfForEachMapElem
	// BpfSnprintf helper function
	BpfSnprintf
)

func (BPFHelperFunc) String added in v0.34.0

func (f BPFHelperFunc) String() string

type BPFMapType added in v0.34.0

// BPFMapType is used to define map type constants; the value is the raw map
// type number of a created BPF map. Named values are the BpfMapType*
// constants below.
type BPFMapType uint32

BPFMapType is used to define map type constants

// The constants below appear to follow the order of the kernel's
// enum bpf_map_type (uapi/linux/bpf.h), starting at BPF_MAP_TYPE_UNSPEC = 0,
// so the iota value is the raw map type number. The list ends at
// BPF_MAP_TYPE_TASK_STORAGE; map types added by later kernels have no
// constant here and would presumably be reported without a symbolic name by
// String() — keep in sync with the supported kernel range.
const (
	// BpfMapTypeUnspec map type
	BpfMapTypeUnspec BPFMapType = iota
	// BpfMapTypeHash map type
	BpfMapTypeHash
	// BpfMapTypeArray map type
	BpfMapTypeArray
	// BpfMapTypeProgArray map type
	BpfMapTypeProgArray
	// BpfMapTypePerfEventArray map type
	BpfMapTypePerfEventArray
	// BpfMapTypePercpuHash map type
	BpfMapTypePercpuHash
	// BpfMapTypePercpuArray map type
	BpfMapTypePercpuArray
	// BpfMapTypeStackTrace map type
	BpfMapTypeStackTrace
	// BpfMapTypeCgroupArray map type
	BpfMapTypeCgroupArray
	// BpfMapTypeLruHash map type
	BpfMapTypeLruHash
	// BpfMapTypeLruPercpuHash map type
	BpfMapTypeLruPercpuHash
	// BpfMapTypeLpmTrie map type
	BpfMapTypeLpmTrie
	// BpfMapTypeArrayOfMaps map type
	BpfMapTypeArrayOfMaps
	// BpfMapTypeHashOfMaps map type
	BpfMapTypeHashOfMaps
	// BpfMapTypeDevmap map type
	BpfMapTypeDevmap
	// BpfMapTypeSockmap map type
	BpfMapTypeSockmap
	// BpfMapTypeCPUmap map type
	BpfMapTypeCPUmap
	// BpfMapTypeXskmap map type
	BpfMapTypeXskmap
	// BpfMapTypeSockhash map type
	BpfMapTypeSockhash
	// BpfMapTypeCgroupStorage map type
	BpfMapTypeCgroupStorage
	// BpfMapTypeReuseportSockarray map type
	BpfMapTypeReuseportSockarray
	// BpfMapTypePercpuCgroupStorage map type
	BpfMapTypePercpuCgroupStorage
	// BpfMapTypeQueue map type
	BpfMapTypeQueue
	// BpfMapTypeStack map type
	BpfMapTypeStack
	// BpfMapTypeSkStorage map type
	BpfMapTypeSkStorage
	// BpfMapTypeDevmapHash map type
	BpfMapTypeDevmapHash
	// BpfMapTypeStructOps map type
	BpfMapTypeStructOps
	// BpfMapTypeRingbuf map type
	BpfMapTypeRingbuf
	// BpfMapTypeInodeStorage map type
	BpfMapTypeInodeStorage
	// BpfMapTypeTaskStorage map type
	BpfMapTypeTaskStorage
)

func (BPFMapType) String added in v0.34.0

func (t BPFMapType) String() string

type BPFProgramType added in v0.34.0

// BPFProgramType is used to define program type constants; the value is the
// raw program type number of a loaded BPF program. Named values are the
// BpfProgType* constants below.
type BPFProgramType uint32

BPFProgramType is used to define program type constants

// The constants below appear to follow the order of the kernel's
// enum bpf_prog_type (uapi/linux/bpf.h), starting at
// BPF_PROG_TYPE_UNSPEC = 0, so the iota value is the raw program type
// number. The list ends at BPF_PROG_TYPE_SK_LOOKUP; program types added by
// later kernels have no constant here and would presumably be reported
// without a symbolic name by String() — keep in sync with the supported
// kernel range so rules matching on program type keep their coverage.
const (
	// BpfProgTypeUnspec program type
	BpfProgTypeUnspec BPFProgramType = iota
	// BpfProgTypeSocketFilter program type
	BpfProgTypeSocketFilter
	// BpfProgTypeKprobe program type
	BpfProgTypeKprobe
	// BpfProgTypeSchedCls program type
	BpfProgTypeSchedCls
	// BpfProgTypeSchedAct program type
	BpfProgTypeSchedAct
	// BpfProgTypeTracepoint program type
	BpfProgTypeTracepoint
	// BpfProgTypeXdp program type
	BpfProgTypeXdp
	// BpfProgTypePerfEvent program type
	BpfProgTypePerfEvent
	// BpfProgTypeCgroupSkb program type
	BpfProgTypeCgroupSkb
	// BpfProgTypeCgroupSock program type
	BpfProgTypeCgroupSock
	// BpfProgTypeLwtIn program type
	BpfProgTypeLwtIn
	// BpfProgTypeLwtOut program type
	BpfProgTypeLwtOut
	// BpfProgTypeLwtXmit program type
	BpfProgTypeLwtXmit
	// BpfProgTypeSockOps program type
	BpfProgTypeSockOps
	// BpfProgTypeSkSkb program type
	BpfProgTypeSkSkb
	// BpfProgTypeCgroupDevice program type
	BpfProgTypeCgroupDevice
	// BpfProgTypeSkMsg program type
	BpfProgTypeSkMsg
	// BpfProgTypeRawTracepoint program type
	BpfProgTypeRawTracepoint
	// BpfProgTypeCgroupSockAddr program type
	BpfProgTypeCgroupSockAddr
	// BpfProgTypeLwtSeg6local program type
	BpfProgTypeLwtSeg6local
	// BpfProgTypeLircMode2 program type
	BpfProgTypeLircMode2
	// BpfProgTypeSkReuseport program type
	BpfProgTypeSkReuseport
	// BpfProgTypeFlowDissector program type
	BpfProgTypeFlowDissector
	// BpfProgTypeCgroupSysctl program type
	BpfProgTypeCgroupSysctl
	// BpfProgTypeRawTracepointWritable program type
	BpfProgTypeRawTracepointWritable
	// BpfProgTypeCgroupSockopt program type
	BpfProgTypeCgroupSockopt
	// BpfProgTypeTracing program type
	BpfProgTypeTracing
	// BpfProgTypeStructOps program type
	BpfProgTypeStructOps
	// BpfProgTypeExt program type
	BpfProgTypeExt
	// BpfProgTypeLsm program type
	BpfProgTypeLsm
	// BpfProgTypeSkLookup program type
	BpfProgTypeSkLookup
)

func (BPFProgramType) String added in v0.34.0

func (t BPFProgramType) String() string

type BaseEvent added in v0.48.0

// BaseEvent represents an event sent from the kernel: the bookkeeping and
// context shared by every concrete event type embedded in Event.
//
// NOTE(review): fields tagged `field:"-"` are presumably not exposed to SECL
// rules, while the tagged names (event.timestamp, event.service, process,
// container) are what rules reference; handler:... names the FieldHandlers
// method that resolves the value lazily — confirm against the accessor
// generator.
type BaseEvent struct {
	// ID identifies the event. Type is the raw kernel event type and Flags
	// presumably holds the EventFlags* bits added through Event.AddToFlags.
	ID            string         `field:"-" event:"*"`
	Type          uint32         `field:"-"`
	Flags         uint32         `field:"-"`
	// TimestampRaw is the kernel-provided timestamp; Timestamp is the
	// resolved time.Time derived from it (getters only, not a rule field).
	TimestampRaw  uint64         `field:"event.timestamp,handler:ResolveEventTimestamp" event:"*"` // SECLDoc[event.timestamp] Definition:`Timestamp of the event`
	Timestamp     time.Time      `field:"timestamp,opts:getters_only,handler:ResolveEventTime"`
	// Rules are the rules matched by this event and ActionReports the
	// reports of the actions they triggered (see Event.GetActionReports).
	Rules         []*MatchedRule `field:"-"`
	ActionReports []ActionReport `field:"-"`
	Origin        string         `field:"-"`
	Service       string         `field:"event.service,handler:ResolveService" event:"*"` // SECLDoc[event.service] Definition:`Service associated with the event`

	// context shared with all events
	// Both contexts are pointers and may be nil until resolved (presumably
	// the situation ErrNoProcessContext reports) — check before dereferencing.
	ProcessContext         *ProcessContext        `field:"process" event:"*"`
	ContainerContext       *ContainerContext      `field:"container" event:"*"`
	SecurityProfileContext SecurityProfileContext `field:"-"`

	// internal usage
	PIDContext        PIDContext         `field:"-"`
	ProcessCacheEntry *ProcessCacheEntry `field:"-"`

	// Error, when non-nil, marks the event as having failed resolution
	// (e.g. the lineage errors declared in this package — confirm which
	// ones are stored here).
	Error error `field:"-"`

	// FieldHandlers resolves the tagged fields on demand (see the handler:
	// entries in the struct tags above).
	FieldHandlers FieldHandlers `field:"-"`
}

BaseEvent represents an event sent from the kernel

type BaseExtraFieldHandlers added in v0.50.0

// BaseExtraFieldHandlers groups the resolution handlers that are not held by
// any SECL field. Both methods return the resolved value plus a bool;
// presumably the bool reports whether resolution succeeded and the pointer
// is nil when it is false — confirm against the implementing FieldHandlers.
type BaseExtraFieldHandlers interface {
	// ResolveProcessCacheEntry returns the process cache entry of ev.
	ResolveProcessCacheEntry(ev *Event) (*ProcessCacheEntry, bool)
	// ResolveContainerContext returns the container context of ev.
	ResolveContainerContext(ev *Event) (*ContainerContext, bool)
}

BaseExtraFieldHandlers groups the handlers that are not held by any field

type ContainerContext added in v0.34.0

// ContainerContext holds the container context of an event. ID, CreatedAt
// and Tags are resolved lazily through the handler named in their tag;
// Tags additionally carry `opts:skip_ad,weight:9999`, presumably meaning
// they are left out of activity dumps and evaluated last — confirm against
// the accessor generator. Resolved is internal (`field:"-"`) and is
// presumably set once the context has been filled.
//
// NOTE(review): the SECLDoc comments are parsed by the documentation
// generator; the created_at one previously ended with a doubled backtick,
// which rendered as a curly quote.
type ContainerContext struct {
	Releasable
	ID        string   `field:"id,handler:ResolveContainerID"`                              // SECLDoc[id] Definition:`ID of the container`
	CreatedAt uint64   `field:"created_at,handler:ResolveContainerCreatedAt"`               // SECLDoc[created_at] Definition:`Timestamp of the creation of the container`
	Tags      []string `field:"tags,handler:ResolveContainerTags,opts:skip_ad,weight:9999"` // SECLDoc[tags] Definition:`Tags of the container`
	Resolved  bool     `field:"-"`
}

ContainerContext holds the container context of an event

type CreateNewFileEvent added in v0.52.0

// CreateNewFileEvent defines file creation; File is the created file,
// exposed to rules under the `create.file` prefix (see Event.CreateNewFile).
type CreateNewFileEvent struct {
	File FileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}

CreateNewFileEvent defines file creation

type CreateRegistryKeyEvent added in v0.52.0

// CreateRegistryKeyEvent defines registry key creation; Registry is the
// created key, exposed to rules under the `create_key.registry` prefix (and
// its `create` alias, see Event.CreateRegistryKey).
type CreateRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}

CreateRegistryKeyEvent defines registry key creation

type DNSEvent added in v0.36.0

// DNSEvent represents a DNS event: one request as captured by the probe.
// question.name is compared case-insensitively (op_override
// eval.CaseInsensitiveCmp), so a rule matches a domain regardless of the
// letter case used in the query; `opts:length` presumably also exposes a
// question.name.length field, following the *Length getters on Event —
// confirm against the accessor generator. Type and Class are the raw two
// octet codes (see the "DNS qtypes" / "DNS qclasses" constant sets named in
// the SECLDoc comments).
type DNSEvent struct {
	ID    uint16 `field:"id"`                                                              // SECLDoc[id] Definition:`[Experimental] the DNS request ID`
	Name  string `field:"question.name,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[question.name] Definition:`the queried domain name`
	Type  uint16 `field:"question.type"`                                                   // SECLDoc[question.type] Definition:`a two octet code which specifies the DNS question type` Constants:`DNS qtypes`
	Class uint16 `field:"question.class"`                                                  // SECLDoc[question.class] Definition:`the class looked up by the DNS question` Constants:`DNS qclasses`
	Size  uint16 `field:"question.length"`                                                 // SECLDoc[question.length] Definition:`the total DNS request size in bytes`
	Count uint16 `field:"question.count"`                                                  // SECLDoc[question.count] Definition:`the total count of questions in the DNS request`
}

DNSEvent represents a DNS event

type DeleteRegistryKeyEvent added in v0.52.0

// DeleteRegistryKeyEvent defines registry key deletion; Registry is the
// deleted key, exposed to rules under the `delete_key.registry` prefix (and
// its `delete` alias, see Event.DeleteRegistryKey).
type DeleteRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}

DeleteRegistryKeyEvent defines registry key deletion

type EnvsEntry added in v0.34.0

// EnvsEntry defines an envs cache entry. Values holds the captured
// environment entries (presumably "NAME=VALUE" strings, given Get(key))
// and Truncated records that the capture was cut short — presumably at
// the MaxArgsEnvsSize / MaxArgEnvSize limits, confirm.
//
// Values may contain secrets. FilterEnvs is the accessor that strips them,
// returning only variable names except for the allow-listed ones; prefer it
// over reading Values directly when the result leaves the process.
type EnvsEntry struct {
	Values    []string
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines an envs cache entry, the environment-variable counterpart of an args cache entry

func (*EnvsEntry) Equals added in v0.36.0

func (p *EnvsEntry) Equals(o *EnvsEntry) bool

Equals compares two EnvsEntry

func (*EnvsEntry) FilterEnvs added in v0.39.0

func (p *EnvsEntry) FilterEnvs(envsWithValue map[string]bool) ([]string, bool)

FilterEnvs returns the list of environment variables. Only the name of each variable is returned, unless the variable name is part of the provided filter (envsWithValue), in which case its value is kept as well.

func (*EnvsEntry) Get added in v0.34.0

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

type ErrInvalidKeyPath added in v0.44.0

// ErrInvalidKeyPath is returned when the inode or mount ID is not valid;
// Inode and MountID carry the rejected pair (presumably surfaced by Error()).
type ErrInvalidKeyPath struct {
	Inode   uint64
	MountID uint32
}

ErrInvalidKeyPath is returned when the inode or mount ID is not valid

func (*ErrInvalidKeyPath) Error added in v0.44.0

func (e *ErrInvalidKeyPath) Error() string

type ErrNoProcessContext added in v0.50.0

// ErrNoProcessContext defines an error for an event without process
// context. Err is the underlying cause, returned by Unwrap so callers can
// use errors.Is / errors.As on it.
type ErrNoProcessContext struct {
	Err error
}

ErrNoProcessContext defines an error for an event without process context

func (*ErrNoProcessContext) Error added in v0.50.0

func (e *ErrNoProcessContext) Error() string

Error implements the error interface

func (*ErrNoProcessContext) Unwrap added in v0.50.0

func (e *ErrNoProcessContext) Unwrap() error

Unwrap returns the wrapped error (the errors.Unwrap convention), so errors.Is and errors.As can inspect the cause

type ErrProcessBrokenLineage added in v0.50.0

// ErrProcessBrokenLineage is returned when a process lineage is broken. Err
// is the underlying cause (one of the other lineage errors in this package,
// presumably), returned by Unwrap so callers can use errors.Is / errors.As.
type ErrProcessBrokenLineage struct {
	Err error
}

ErrProcessBrokenLineage is returned when a process lineage is broken

func (*ErrProcessBrokenLineage) Error added in v0.50.0

func (e *ErrProcessBrokenLineage) Error() string

Error implements the error interface

func (*ErrProcessBrokenLineage) Unwrap added in v0.50.0

func (e *ErrProcessBrokenLineage) Unwrap() error

Unwrap returns the wrapped error (the errors.Unwrap convention), so errors.Is and errors.As can inspect the cause

type ErrProcessIncompleteLineage added in v0.50.0

// ErrProcessIncompleteLineage is used when the lineage is incorrect in terms
// of pid/ppid; PID, PPID and ContainerID identify the process whose ancestry
// could not be followed.
type ErrProcessIncompleteLineage struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessIncompleteLineage is used when the lineage is incorrect in terms of pid/ppid

func (*ErrProcessIncompleteLineage) Error added in v0.50.0

type ErrProcessMissingParentNode added in v0.50.0

// ErrProcessMissingParentNode is used when the lineage is incorrect in terms
// of pid/ppid; PID, PPID and ContainerID identify the affected process.
//
// NOTE(review): the description is identical to ErrProcessIncompleteLineage;
// from the name this is presumably the case where the parent's node is
// absent from the process tree — confirm and differentiate the two docs.
type ErrProcessMissingParentNode struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessMissingParentNode is used when the lineage is incorrect in terms of pid/ppid

func (*ErrProcessMissingParentNode) Error added in v0.50.0

type ErrProcessWrongParentNode added in v0.50.0

// ErrProcessWrongParentNode is used when the lineage is correct in terms of
// pid/ppid but an exec parent is missing; PID, PPID and ContainerID identify
// the affected process.
type ErrProcessWrongParentNode struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessWrongParentNode is used when the lineage is correct in terms of pid/ppid but an exec parent is missing

func (*ErrProcessWrongParentNode) Error added in v0.50.0

func (e *ErrProcessWrongParentNode) Error() string

type Event added in v0.34.0

// Event represents an event sent from the kernel. Each concrete event type is
// a field whose `field` tag gives its SECL prefix (a second, `;`-separated
// value is an alias) and whose `event` tag gives the event type name; the
// trailing comment ([version] [Category] description) appears to be read by
// the documentation generator, so keep its shape when adding a field.
//
// NOTE(review): this variant only carries exec/exit, file creation and
// registry-key events, which suggests it is the Windows build of the model —
// confirm via build tags. The `create` alias is shared by CreateNewFile
// (`field:"create"`) and CreateRegistryKey (`field:"create_key;create"`);
// presumably the generator merges them under one prefix because the
// sub-fields (file vs registry) do not collide — worth confirming. The
// CreateRegistryKey tag also ends with a stray space before its closing
// backtick.
type Event struct {
	BaseEvent

	// process events
	Exec ExecEvent `field:"exec" event:"exec"` // [7.27] [Process] A process was executed or forked
	Exit ExitEvent `field:"exit" event:"exit"` // [7.38] [Process] A process was terminated

	// FIM
	CreateNewFile CreateNewFileEvent `field:"create" event:"create"` // [7.52] [File] A file was created

	// Registries
	CreateRegistryKey   CreateRegistryKeyEvent   `field:"create_key;create" event:"create_key" `   // [7.52] [Registry] A registry key was created
	OpenRegistryKey     OpenRegistryKeyEvent     `field:"open_key;open" event:"open_key"`          // [7.52] [Registry] A registry key was opened
	SetRegistryKeyValue SetRegistryKeyValueEvent `field:"set_key_value;set" event:"set_key_value"` // [7.52] [Registry] A registry key value was set
	DeleteRegistryKey   DeleteRegistryKeyEvent   `field:"delete_key;delete" event:"delete_key"`    // [7.52] [Registry] A registry key was deleted
}

Event represents an event sent from the kernel

func NewFakeEvent added in v0.52.0

func NewFakeEvent() *Event

NewFakeEvent returns a new event using the default field handlers

func (*Event) AddToFlags added in v0.45.0

func (e *Event) AddToFlags(flag uint32)

AddToFlags adds a flag to the event

func (*Event) GetActionReports added in v0.52.0

func (e *Event) GetActionReports() []ActionReport

GetActionReports returns the triggered action reports

func (*Event) GetContainerCreatedAt added in v0.50.0

func (ev *Event) GetContainerCreatedAt() int

GetContainerCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetContainerId added in v0.50.0

func (ev *Event) GetContainerId() string

GetContainerId returns the value of the field, resolving if necessary

func (*Event) GetContainerTags added in v0.50.0

func (ev *Event) GetContainerTags() []string

GetContainerTags returns the value of the field, resolving if necessary

func (*Event) GetCreateFileName added in v0.52.0

func (ev *Event) GetCreateFileName() string

GetCreateFileName returns the value of the field, resolving if necessary

func (*Event) GetCreateFileNameLength added in v0.52.0

func (ev *Event) GetCreateFileNameLength() int

GetCreateFileNameLength returns the value of the field, resolving if necessary

func (*Event) GetCreateFilePath added in v0.52.0

func (ev *Event) GetCreateFilePath() string

GetCreateFilePath returns the value of the field, resolving if necessary

func (*Event) GetCreateFilePathLength added in v0.52.0

func (ev *Event) GetCreateFilePathLength() int

GetCreateFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetCreateKeyRegistryKeyName added in v0.52.0

func (ev *Event) GetCreateKeyRegistryKeyName() string

GetCreateKeyRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetCreateKeyRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetCreateKeyRegistryKeyNameLength() int

GetCreateKeyRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetCreateKeyRegistryKeyPath added in v0.52.0

func (ev *Event) GetCreateKeyRegistryKeyPath() string

GetCreateKeyRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetCreateKeyRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetCreateKeyRegistryKeyPathLength() int

GetCreateKeyRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetCreateRegistryKeyName added in v0.52.0

func (ev *Event) GetCreateRegistryKeyName() string

GetCreateRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetCreateRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetCreateRegistryKeyNameLength() int

GetCreateRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetCreateRegistryKeyPath added in v0.52.0

func (ev *Event) GetCreateRegistryKeyPath() string

GetCreateRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetCreateRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetCreateRegistryKeyPathLength() int

GetCreateRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetDeleteKeyRegistryKeyName added in v0.52.0

func (ev *Event) GetDeleteKeyRegistryKeyName() string

GetDeleteKeyRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetDeleteKeyRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetDeleteKeyRegistryKeyNameLength() int

GetDeleteKeyRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetDeleteKeyRegistryKeyPath added in v0.52.0

func (ev *Event) GetDeleteKeyRegistryKeyPath() string

GetDeleteKeyRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetDeleteKeyRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetDeleteKeyRegistryKeyPathLength() int

GetDeleteKeyRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetDeleteRegistryKeyName added in v0.52.0

func (ev *Event) GetDeleteRegistryKeyName() string

GetDeleteRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetDeleteRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetDeleteRegistryKeyNameLength() int

GetDeleteRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetDeleteRegistryKeyPath added in v0.52.0

func (ev *Event) GetDeleteRegistryKeyPath() string

GetDeleteRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetDeleteRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetDeleteRegistryKeyPathLength() int

GetDeleteRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetEventService added in v0.52.0

func (ev *Event) GetEventService() string

GetEventService returns the value of the field, resolving if necessary

func (*Event) GetEventTimestamp added in v0.50.0

func (ev *Event) GetEventTimestamp() int

GetEventTimestamp returns the value of the field, resolving if necessary

func (*Event) GetEventType added in v0.34.0

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetExecCmdline added in v0.50.0

func (ev *Event) GetExecCmdline() string

GetExecCmdline returns the value of the field, resolving if necessary

func (*Event) GetExecCmdlineScrubbed added in v0.51.0

func (ev *Event) GetExecCmdlineScrubbed() string

GetExecCmdlineScrubbed returns the value of the field, resolving if necessary

func (*Event) GetExecContainerId added in v0.50.0

func (ev *Event) GetExecContainerId() string

GetExecContainerId returns the value of the field, resolving if necessary

func (*Event) GetExecCreatedAt added in v0.50.0

func (ev *Event) GetExecCreatedAt() int

GetExecCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetExecEnvp added in v0.50.0

func (ev *Event) GetExecEnvp() []string

GetExecEnvp returns the value of the field, resolving if necessary

func (*Event) GetExecEnvs added in v0.50.0

func (ev *Event) GetExecEnvs() []string

GetExecEnvs returns the value of the field, resolving if necessary

func (*Event) GetExecExecTime added in v0.50.0

func (ev *Event) GetExecExecTime() time.Time

GetExecExecTime returns the value of the field, resolving if necessary

func (*Event) GetExecExitTime added in v0.50.0

func (ev *Event) GetExecExitTime() time.Time

GetExecExitTime returns the value of the field, resolving if necessary

func (*Event) GetExecFileName added in v0.50.0

func (ev *Event) GetExecFileName() string

GetExecFileName returns the value of the field, resolving if necessary

func (*Event) GetExecFileNameLength added in v0.50.0

func (ev *Event) GetExecFileNameLength() int

GetExecFileNameLength returns the value of the field, resolving if necessary

func (*Event) GetExecFilePath added in v0.50.0

func (ev *Event) GetExecFilePath() string

GetExecFilePath returns the value of the field, resolving if necessary

func (*Event) GetExecFilePathLength added in v0.50.0

func (ev *Event) GetExecFilePathLength() int

GetExecFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetExecPid added in v0.50.0

func (ev *Event) GetExecPid() uint32

GetExecPid returns the value of the field, resolving if necessary

func (*Event) GetExecPpid added in v0.50.0

func (ev *Event) GetExecPpid() uint32

GetExecPpid returns the value of the field, resolving if necessary

func (*Event) GetExecUser added in v0.52.0

func (ev *Event) GetExecUser() string

GetExecUser returns the value of the field, resolving if necessary

func (*Event) GetExecUserSid added in v0.52.0

func (ev *Event) GetExecUserSid() string

GetExecUserSid returns the value of the field, resolving if necessary

func (*Event) GetExitCause added in v0.50.0

func (ev *Event) GetExitCause() uint32

GetExitCause returns the value of the field, resolving if necessary

func (*Event) GetExitCmdline added in v0.50.0

func (ev *Event) GetExitCmdline() string

GetExitCmdline returns the value of the field, resolving if necessary

func (*Event) GetExitCmdlineScrubbed added in v0.51.0

func (ev *Event) GetExitCmdlineScrubbed() string

GetExitCmdlineScrubbed returns the value of the field, resolving if necessary

func (*Event) GetExitCode added in v0.50.0

func (ev *Event) GetExitCode() uint32

GetExitCode returns the value of the field, resolving if necessary

func (*Event) GetExitContainerId added in v0.50.0

func (ev *Event) GetExitContainerId() string

GetExitContainerId returns the value of the field, resolving if necessary

func (*Event) GetExitCreatedAt added in v0.50.0

func (ev *Event) GetExitCreatedAt() int

GetExitCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetExitEnvp added in v0.50.0

func (ev *Event) GetExitEnvp() []string

GetExitEnvp returns the value of the field, resolving if necessary

func (*Event) GetExitEnvs added in v0.50.0

func (ev *Event) GetExitEnvs() []string

GetExitEnvs returns the value of the field, resolving if necessary

func (*Event) GetExitExecTime added in v0.50.0

func (ev *Event) GetExitExecTime() time.Time

GetExitExecTime returns the value of the field, resolving if necessary

func (*Event) GetExitExitTime added in v0.50.0

func (ev *Event) GetExitExitTime() time.Time

GetExitExitTime returns the value of the field, resolving if necessary

func (*Event) GetExitFileName added in v0.50.0

func (ev *Event) GetExitFileName() string

GetExitFileName returns the value of the field, resolving if necessary

func (*Event) GetExitFileNameLength added in v0.50.0

func (ev *Event) GetExitFileNameLength() int

GetExitFileNameLength returns the value of the field, resolving if necessary

func (*Event) GetExitFilePath added in v0.50.0

func (ev *Event) GetExitFilePath() string

GetExitFilePath returns the value of the field, resolving if necessary

func (*Event) GetExitFilePathLength added in v0.50.0

func (ev *Event) GetExitFilePathLength() int

GetExitFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetExitPid added in v0.50.0

func (ev *Event) GetExitPid() uint32

GetExitPid returns the value of the field, resolving if necessary

func (*Event) GetExitPpid added in v0.50.0

func (ev *Event) GetExitPpid() uint32

GetExitPpid returns the value of the field, resolving if necessary

func (*Event) GetExitUser added in v0.52.0

func (ev *Event) GetExitUser() string

GetExitUser returns the value of the field, resolving if necessary

func (*Event) GetExitUserSid added in v0.52.0

func (ev *Event) GetExitUserSid() string

GetExitUserSid returns the value of the field, resolving if necessary

func (*Event) GetFieldEventType added in v0.34.0

func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)

func (*Event) GetFieldType added in v0.34.0

func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error)

func (*Event) GetFieldValue added in v0.34.0

func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields added in v0.34.0

func (ev *Event) GetFields() []eval.Field

func (*Event) GetOpenKeyRegistryKeyName added in v0.52.0

func (ev *Event) GetOpenKeyRegistryKeyName() string

GetOpenKeyRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetOpenKeyRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetOpenKeyRegistryKeyNameLength() int

GetOpenKeyRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetOpenKeyRegistryKeyPath added in v0.52.0

func (ev *Event) GetOpenKeyRegistryKeyPath() string

GetOpenKeyRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetOpenKeyRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetOpenKeyRegistryKeyPathLength() int

GetOpenKeyRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetOpenRegistryKeyName added in v0.52.0

func (ev *Event) GetOpenRegistryKeyName() string

GetOpenRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetOpenRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetOpenRegistryKeyNameLength() int

GetOpenRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetOpenRegistryKeyPath added in v0.52.0

func (ev *Event) GetOpenRegistryKeyPath() string

GetOpenRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetOpenRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetOpenRegistryKeyPathLength() int

GetOpenRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsCmdline added in v0.50.0

func (ev *Event) GetProcessAncestorsCmdline() []string

GetProcessAncestorsCmdline returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsCmdlineScrubbed added in v0.51.0

func (ev *Event) GetProcessAncestorsCmdlineScrubbed() []string

GetProcessAncestorsCmdlineScrubbed returns the value of the field, resolving if necessary. It is the scrubbed counterpart of GetProcessAncestorsCmdline (one entry per ancestor); prefer it whenever the command lines are exported or logged, since raw command lines can carry secrets passed as arguments.

func (*Event) GetProcessAncestorsContainerId added in v0.50.0

func (ev *Event) GetProcessAncestorsContainerId() []string

GetProcessAncestorsContainerId returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsCreatedAt added in v0.50.0

func (ev *Event) GetProcessAncestorsCreatedAt() []int

GetProcessAncestorsCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsEnvp added in v0.50.0

func (ev *Event) GetProcessAncestorsEnvp() []string

GetProcessAncestorsEnvp returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsEnvs added in v0.50.0

func (ev *Event) GetProcessAncestorsEnvs() []string

GetProcessAncestorsEnvs returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsFileName added in v0.50.0

func (ev *Event) GetProcessAncestorsFileName() []string

GetProcessAncestorsFileName returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsFileNameLength added in v0.50.0

func (ev *Event) GetProcessAncestorsFileNameLength() []int

GetProcessAncestorsFileNameLength returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsFilePath added in v0.50.0

func (ev *Event) GetProcessAncestorsFilePath() []string

GetProcessAncestorsFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsFilePathLength added in v0.50.0

func (ev *Event) GetProcessAncestorsFilePathLength() []int

GetProcessAncestorsFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsPid added in v0.50.0

func (ev *Event) GetProcessAncestorsPid() []uint32

GetProcessAncestorsPid returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsPpid added in v0.50.0

func (ev *Event) GetProcessAncestorsPpid() []uint32

GetProcessAncestorsPpid returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsUser added in v0.52.0

func (ev *Event) GetProcessAncestorsUser() []string

GetProcessAncestorsUser returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsUserSid added in v0.52.0

func (ev *Event) GetProcessAncestorsUserSid() []string

GetProcessAncestorsUserSid returns the value of the field, resolving if necessary

func (*Event) GetProcessCmdline added in v0.50.0

func (ev *Event) GetProcessCmdline() string

GetProcessCmdline returns the value of the field, resolving if necessary

func (*Event) GetProcessCmdlineScrubbed added in v0.51.0

func (ev *Event) GetProcessCmdlineScrubbed() string

GetProcessCmdlineScrubbed returns the value of the field, resolving if necessary. It is the scrubbed counterpart of GetProcessCmdline (see FieldHandlers.ResolveProcessCmdLineScrubbed); prefer it whenever the command line is exported or logged, since a raw command line can carry secrets passed as arguments.

func (*Event) GetProcessContainerId added in v0.50.0

func (ev *Event) GetProcessContainerId() string

GetProcessContainerId returns the value of the field, resolving if necessary

func (*Event) GetProcessCreatedAt added in v0.50.0

func (ev *Event) GetProcessCreatedAt() int

GetProcessCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetProcessEnvp added in v0.50.0

func (ev *Event) GetProcessEnvp() []string

GetProcessEnvp returns the value of the field, resolving if necessary

func (*Event) GetProcessEnvs added in v0.50.0

func (ev *Event) GetProcessEnvs() []string

GetProcessEnvs returns the value of the field, resolving if necessary

func (*Event) GetProcessExecTime added in v0.50.0

func (ev *Event) GetProcessExecTime() time.Time

GetProcessExecTime returns the value of the field, resolving if necessary

func (*Event) GetProcessExitTime added in v0.50.0

func (ev *Event) GetProcessExitTime() time.Time

GetProcessExitTime returns the value of the field, resolving if necessary

func (*Event) GetProcessFileName added in v0.50.0

func (ev *Event) GetProcessFileName() string

GetProcessFileName returns the value of the field, resolving if necessary

func (*Event) GetProcessFileNameLength added in v0.50.0

func (ev *Event) GetProcessFileNameLength() int

GetProcessFileNameLength returns the value of the field, resolving if necessary

func (*Event) GetProcessFilePath added in v0.50.0

func (ev *Event) GetProcessFilePath() string

GetProcessFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessFilePathLength added in v0.50.0

func (ev *Event) GetProcessFilePathLength() int

GetProcessFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessParentCmdline added in v0.50.0

func (ev *Event) GetProcessParentCmdline() string

GetProcessParentCmdline returns the value of the field, resolving if necessary

func (*Event) GetProcessParentCmdlineScrubbed added in v0.51.0

func (ev *Event) GetProcessParentCmdlineScrubbed() string

GetProcessParentCmdlineScrubbed returns the value of the field, resolving if necessary. It is the scrubbed counterpart of GetProcessParentCmdline; prefer it whenever the command line is exported or logged, since a raw command line can carry secrets passed as arguments.

func (*Event) GetProcessParentContainerId added in v0.50.0

func (ev *Event) GetProcessParentContainerId() string

GetProcessParentContainerId returns the value of the field, resolving if necessary

func (*Event) GetProcessParentCreatedAt added in v0.50.0

func (ev *Event) GetProcessParentCreatedAt() int

GetProcessParentCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetProcessParentEnvp added in v0.50.0

func (ev *Event) GetProcessParentEnvp() []string

GetProcessParentEnvp returns the value of the field, resolving if necessary

func (*Event) GetProcessParentEnvs added in v0.50.0

func (ev *Event) GetProcessParentEnvs() []string

GetProcessParentEnvs returns the value of the field, resolving if necessary

func (*Event) GetProcessParentFileName added in v0.50.0

func (ev *Event) GetProcessParentFileName() string

GetProcessParentFileName returns the value of the field, resolving if necessary

func (*Event) GetProcessParentFileNameLength added in v0.50.0

func (ev *Event) GetProcessParentFileNameLength() int

GetProcessParentFileNameLength returns the value of the field, resolving if necessary

func (*Event) GetProcessParentFilePath added in v0.50.0

func (ev *Event) GetProcessParentFilePath() string

GetProcessParentFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessParentFilePathLength added in v0.50.0

func (ev *Event) GetProcessParentFilePathLength() int

GetProcessParentFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessParentPid added in v0.50.0

func (ev *Event) GetProcessParentPid() uint32

GetProcessParentPid returns the value of the field, resolving if necessary

func (*Event) GetProcessParentPpid added in v0.50.0

func (ev *Event) GetProcessParentPpid() uint32

GetProcessParentPpid returns the value of the field, resolving if necessary

func (*Event) GetProcessParentUser added in v0.52.0

func (ev *Event) GetProcessParentUser() string

GetProcessParentUser returns the value of the field, resolving if necessary

func (*Event) GetProcessParentUserSid added in v0.52.0

func (ev *Event) GetProcessParentUserSid() string

GetProcessParentUserSid returns the value of the field, resolving if necessary

func (*Event) GetProcessPid added in v0.50.0

func (ev *Event) GetProcessPid() uint32

GetProcessPid returns the value of the field, resolving if necessary

func (*Event) GetProcessPpid added in v0.50.0

func (ev *Event) GetProcessPpid() uint32

GetProcessPpid returns the value of the field, resolving if necessary

func (*Event) GetProcessUser added in v0.52.0

func (ev *Event) GetProcessUser() string

GetProcessUser returns the value of the field, resolving if necessary

func (*Event) GetProcessUserSid added in v0.52.0

func (ev *Event) GetProcessUserSid() string

GetProcessUserSid returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueRegistryKeyName added in v0.52.0

func (ev *Event) GetSetKeyValueRegistryKeyName() string

GetSetKeyValueRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetSetKeyValueRegistryKeyNameLength() int

GetSetKeyValueRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueRegistryKeyPath added in v0.52.0

func (ev *Event) GetSetKeyValueRegistryKeyPath() string

GetSetKeyValueRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetSetKeyValueRegistryKeyPathLength() int

GetSetKeyValueRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueRegistryValueName added in v0.52.0

func (ev *Event) GetSetKeyValueRegistryValueName() string

GetSetKeyValueRegistryValueName returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueRegistryValueNameLength added in v0.52.0

func (ev *Event) GetSetKeyValueRegistryValueNameLength() int

GetSetKeyValueRegistryValueNameLength returns the value of the field, resolving if necessary

func (*Event) GetSetKeyValueValueName added in v0.52.0

func (ev *Event) GetSetKeyValueValueName() string

GetSetKeyValueValueName returns the value of the field, resolving if necessary

func (*Event) GetSetRegistryKeyName added in v0.52.0

func (ev *Event) GetSetRegistryKeyName() string

GetSetRegistryKeyName returns the value of the field, resolving if necessary

func (*Event) GetSetRegistryKeyNameLength added in v0.52.0

func (ev *Event) GetSetRegistryKeyNameLength() int

GetSetRegistryKeyNameLength returns the value of the field, resolving if necessary

func (*Event) GetSetRegistryKeyPath added in v0.52.0

func (ev *Event) GetSetRegistryKeyPath() string

GetSetRegistryKeyPath returns the value of the field, resolving if necessary

func (*Event) GetSetRegistryKeyPathLength added in v0.52.0

func (ev *Event) GetSetRegistryKeyPathLength() int

GetSetRegistryKeyPathLength returns the value of the field, resolving if necessary

func (*Event) GetSetRegistryValueName added in v0.52.0

func (ev *Event) GetSetRegistryValueName() string

GetSetRegistryValueName returns the value of the field, resolving if necessary

func (*Event) GetSetRegistryValueNameLength added in v0.52.0

func (ev *Event) GetSetRegistryValueNameLength() int

GetSetRegistryValueNameLength returns the value of the field, resolving if necessary

func (*Event) GetSetValueName added in v0.52.0

func (ev *Event) GetSetValueName() string

GetSetValueName returns the value of the field, resolving if necessary

func (*Event) GetTags added in v0.34.0

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetTimestamp added in v0.50.0

func (ev *Event) GetTimestamp() time.Time

GetTimestamp returns the value of the field, resolving if necessary

func (*Event) GetType added in v0.34.0

func (e *Event) GetType() string

GetType returns the event type

func (*Event) GetWorkloadID added in v0.47.0

func (e *Event) GetWorkloadID() string

GetWorkloadID returns an ID that represents the workload

func (*Event) Init added in v0.39.0

func (e *Event) Init()

Init initializes the event.

func (*Event) IsActivityDumpSample added in v0.40.0

func (e *Event) IsActivityDumpSample() bool

IsActivityDumpSample returns whether the event is an activity dump (AD) sample.

func (*Event) IsAnomalyDetectionEvent added in v0.47.0

func (e *Event) IsAnomalyDetectionEvent() bool

IsAnomalyDetectionEvent returns true if the current event is an anomaly detection event (kernel or user space)

func (*Event) IsInProfile added in v0.45.0

func (e *Event) IsInProfile() bool

IsInProfile returns true if the event was found in the security profile.

func (*Event) IsKernelSpaceAnomalyDetectionEvent added in v0.47.0

func (e *Event) IsKernelSpaceAnomalyDetectionEvent() bool

IsKernelSpaceAnomalyDetectionEvent returns true if the event is a kernel space anomaly detection event

func (*Event) IsSavedByActivityDumps added in v0.44.0

func (e *Event) IsSavedByActivityDumps() bool

IsSavedByActivityDumps returns whether the event was saved by activity dumps (AD).

func (*Event) Release added in v0.43.0

func (e *Event) Release()

Release releases the event; it is intended as the counterpart of Retain.

func (*Event) RemoveFromFlags added in v0.45.0

func (e *Event) RemoveFromFlags(flag uint32)

RemoveFromFlags removes the given flag from the event's flags.

func (*Event) ResolveEventTime added in v0.46.0

func (e *Event) ResolveEventTime() time.Time

ResolveEventTime resolves the event time through the field handler (FieldHandlers.ResolveEventTime).

func (*Event) ResolveFields added in v0.43.0

func (ev *Event) ResolveFields()

ResolveFields resolves all the fields associated with the event type. Context fields are automatically resolved.

func (*Event) ResolveFieldsForAD added in v0.44.0

func (ev *Event) ResolveFieldsForAD()

ResolveFieldsForAD resolves all the fields associated with the event type, for activity dump (AD) purposes. Context fields are automatically resolved.

func (*Event) ResolveProcessCacheEntry added in v0.43.0

func (e *Event) ResolveProcessCacheEntry() (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry resolves the process cache entry through the field handler. The boolean result presumably reports whether an entry was found; confirm against the handler implementation before relying on it.

func (*Event) ResolveService added in v0.52.0

func (e *Event) ResolveService() string

ResolveService resolves the service name through the field handler (FieldHandlers.ResolveService).

func (*Event) Retain added in v0.43.0

func (e *Event) Retain() Event

Retain retains the event and returns it; pair each Retain with a Release.

func (*Event) SetFieldValue added in v0.34.0

func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) Zero added in v0.48.0

func (e *Event) Zero()

Zero resets the event to its zero state.

type EventCategory added in v0.34.0

// EventCategory is the category of an event. It is an alias of string rather
// than a distinct named type, so any string is accepted where an EventCategory
// is expected; the canonical values are the constants that follow.
type EventCategory = string

EventCategory is the category of an event; the canonical values are the constants below.

// Event categories. These are the human-readable labels returned by
// GetEventTypeCategory and enumerated by GetAllCategories.
const (
	// FIMCategory FIM events
	FIMCategory EventCategory = "File Activity"
	// ProcessCategory process events
	ProcessCategory EventCategory = "Process Activity"
	// KernelCategory Kernel events
	KernelCategory EventCategory = "Kernel Activity"
	// NetworkCategory network events
	NetworkCategory EventCategory = "Network Activity"
)

Event categories

func GetAllCategories added in v0.34.0

func GetAllCategories() []EventCategory

GetAllCategories returns all categories

func GetEventTypeCategory added in v0.34.0

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

type EventType

type EventType uint32

EventType describes the type of an event sent from the kernel

func (EventType) String

func (t EventType) String() string

type ExecEvent added in v0.34.0

// ExecEvent represents an exec event. It embeds *Process, so the Process
// fields are promoted onto the exec event; a nil embedded pointer would panic
// on access, so callers are expected to populate it first.
type ExecEvent struct {
	*Process
}

ExecEvent represents an exec event.

type ExitCause added in v0.38.0

type ExitCause uint32

ExitCause represents the cause of a process termination

// ExitCause values. ExitExited is the iota zero value, so a Cause that was
// never populated is indistinguishable from a normal exit; detections on
// abnormal termination should keep that in mind. Note that the numeric order
// here (EXITED, COREDUMPED, SIGNALED) is not the order in which ExitEvent's
// field doc lists the names.
const (
	// ExitExited Process exited normally
	ExitExited ExitCause = iota
	// ExitCoreDumped Process was terminated with a coredump signal
	ExitCoreDumped
	// ExitSignaled Process was terminated with a signal other than a coredump
	ExitSignaled
)

func (ExitCause) String added in v0.38.0

func (cause ExitCause) String() string

type ExitEvent added in v0.38.0

// ExitEvent represents a process exit event. Cause carries an ExitCause value
// (see the ExitCause constants) as a uint32. Code is overloaded: per its SECL
// doc it holds either the process exit code or the number of the signal that
// terminated the process, so a rule on exit.code is only meaningful when
// combined with exit.cause.
type ExitEvent struct {
	*Process
	Cause uint32 `field:"cause"` // SECLDoc[cause] Definition:`Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)`
	Code  uint32 `field:"code"`  // SECLDoc[code] Definition:`Exit code of the process or number of the signal that caused the process to terminate`
}

ExitEvent represents a process exit event

type ExtraFieldHandlers added in v0.43.0

// ExtraFieldHandlers groups the handlers that are not tied to any field; it
// is embedded in FieldHandlers. Here it only carries BaseExtraFieldHandlers,
// which is declared elsewhere.
type ExtraFieldHandlers interface {
	BaseExtraFieldHandlers
}

ExtraFieldHandlers groups the handlers that are not held by any field.

type FakeFieldHandlers added in v0.52.0

// FakeFieldHandlers appears to implement FieldHandlers with stub methods
// (ResolveContainerContext and ResolveProcessCacheEntry are documented as
// stubs). Use it only where no real resolver is needed; values it returns
// must not feed detections.
type FakeFieldHandlers struct{}

func (*FakeFieldHandlers) ResolveContainerContext added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool)

ResolveContainerContext is a stub implementation; being a stub, it is not expected to return a real container context, so nothing should be concluded from its result.

func (*FakeFieldHandlers) ResolveContainerCreatedAt added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int

func (*FakeFieldHandlers) ResolveContainerID added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerID(ev *Event, e *ContainerContext) string

func (*FakeFieldHandlers) ResolveContainerTags added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string

func (*FakeFieldHandlers) ResolveEventTime added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time

func (*FakeFieldHandlers) ResolveEventTimestamp added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int

func (*FakeFieldHandlers) ResolveFileBasename added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveFilePath added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveProcessCacheEntry added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(_ *Event) (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry is a stub implementation; being a stub, it is not expected to return a real process cache entry, so nothing should be concluded from its result.

func (*FakeFieldHandlers) ResolveProcessCmdLine added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessCmdLine(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessCmdLineScrubbed added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessCreatedAt added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int

func (*FakeFieldHandlers) ResolveProcessEnvp added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessEnvp(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessEnvs added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessEnvs(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveService added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveService(ev *Event, e *BaseEvent) string

func (*FakeFieldHandlers) ResolveUser added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveUser(ev *Event, e *Process) string

type FieldHandlers added in v0.43.0

// FieldHandlers is the resolver seam between raw event data and the values a
// SECL rule sees: the getters documented as "resolving if necessary" route
// through these methods, so the implementation decides what a rule matches.
type FieldHandlers interface {
	ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
	ResolveContainerID(ev *Event, e *ContainerContext) string
	ResolveContainerTags(ev *Event, e *ContainerContext) []string
	ResolveEventTime(ev *Event, e *BaseEvent) time.Time
	ResolveEventTimestamp(ev *Event, e *BaseEvent) int
	ResolveFileBasename(ev *Event, e *FileEvent) string
	ResolveFilePath(ev *Event, e *FileEvent) string
	// ResolveProcessCmdLine returns the raw command line, which can carry
	// secrets passed as arguments; ResolveProcessCmdLineScrubbed is the
	// variant to use for anything that leaves the agent.
	ResolveProcessCmdLine(ev *Event, e *Process) string
	ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string
	ResolveProcessCreatedAt(ev *Event, e *Process) int
	ResolveProcessEnvp(ev *Event, e *Process) []string
	ResolveProcessEnvs(ev *Event, e *Process) []string
	ResolveService(ev *Event, e *BaseEvent) string
	// ResolveUser presumably backs the *User getters (GetProcessUser etc.) —
	// confirm against the generated accessors.
	ResolveUser(ev *Event, e *Process) string
	// custom handlers not tied to any fields
	ExtraFieldHandlers
}

type FileEvent added in v0.34.0

// FileEvent is the common file event type. Both fields compare
// case-insensitively (op_override eval.CaseInsensitiveCmp), consistent with
// the Windows-style example paths in the SECL docs, so a rule cannot
// distinguish "cmd.bat" from "CMD.BAT"; that is the intended behavior on a
// case-insensitive filesystem but worth remembering when porting rules.
// Values are filled in lazily through FieldHandlers.ResolveFilePath and
// ResolveFileBasename; the opts:length tag presumably backs the *Length
// getters (GetExecFilePathLength etc.).
type FileEvent struct {
	PathnameStr string `field:"path,handler:ResolveFilePath,opts:length" op_override:"eval.CaseInsensitiveCmp"`     // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "c:\cmd.bat"` Description:`Matches the execution of the file located at c:\cmd.bat`
	BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "cmd.bat"` Description:`Matches the execution of any file named cmd.bat.`
}

FileEvent is the common file event type

type FileMode added in v0.46.0

type FileMode int

FileMode represents a file mode bitmask value

func (FileMode) String added in v0.46.0

func (m FileMode) String() string

type HashAlgorithm added in v0.47.0

type HashAlgorithm int

HashAlgorithm is used to configure the hash algorithms of the hash resolver

// Hash algorithms the hash resolver can compute. MD5 and SHA1 are presumably
// kept for interoperability with feeds and tooling that still key on them;
// both are collision-broken, so assert file identity on SHA256 and treat
// MD5/SHA1 hits as corroborating only. SSDEEP is a similarity (fuzzy) hash,
// not a cryptographic one: it is for near-match triage, never for exact
// identity. MaxHashAlgorithm is the count sentinel, not an algorithm.
const (
	// SHA1 is used to identify a SHA1 hash
	SHA1 HashAlgorithm = iota
	// SHA256 is used to identify a SHA256 hash
	SHA256
	// MD5 is used to identify a MD5 hash
	MD5
	// SSDEEP is used to identify a SSDEEP hash
	SSDEEP
	// MaxHashAlgorithm is used for initializations
	MaxHashAlgorithm
)

func (HashAlgorithm) String added in v0.47.0

func (ha HashAlgorithm) String() string

type HashState added in v0.47.0

type HashState int

HashState records the outcome of the last hashing attempt on a file, so that the hash resolver does not keep retrying it.

// Hash resolver states. Only Done means the hashes are available; every other
// state means the hash is absent, so a detection keyed on a file hash will
// simply not match. Treat "no hash" as unknown, never as clean. Per its
// comment, HashWasRateLimited is the one state the resolver retries later.
// MaxHashState is the count sentinel, not a state.
const (
	// NoHash means that computing a hash hasn't been attempted
	NoHash HashState = iota
	// Done means that the hashes were already computed
	Done
	// FileNotFound means that the underlying file is no longer available to compute the hash
	FileNotFound
	// PathnameResolutionError means that the underlying file wasn't properly resolved
	PathnameResolutionError
	// FileTooBig means that the underlying file is larger than the hash resolver file size limit
	FileTooBig
	// FileEmpty means that the underlying file is empty
	FileEmpty
	// FileOpenError is a generic hash state to say that we couldn't open the file
	FileOpenError
	// EventTypeNotConfigured means that the event type prevents a hash from being computed
	EventTypeNotConfigured
	// HashWasRateLimited means that the hash will be tried again later, it was rate limited
	HashWasRateLimited
	// HashFailed means that the hashing failed
	HashFailed
	// MaxHashState is used for initializations
	MaxHashState
)

func (HashState) String added in v0.47.0

func (i HashState) String() string

type IPPortContext added in v0.36.0

// IPPortContext is used to hold an IP and Port. IPNet is a net.IPNet (an
// address plus a mask) rather than a bare net.IP, which presumably lets the
// ip field be matched against CIDR ranges as well as single hosts. Port is a
// 16-bit port number; its byte order is not established here — confirm with
// the producer before comparing against literal values.
type IPPortContext struct {
	IPNet net.IPNet `field:"ip"`   // SECLDoc[ip] Definition:`IP address`
	Port  uint16    `field:"port"` // SECLDoc[port] Definition:`Port number`
}

IPPortContext is used to hold an IP and Port

type InodeMode added in v0.46.0

type InodeMode int

InodeMode represents an inode mode bitmask value

func (InodeMode) String added in v0.46.0

func (m InodeMode) String() string

type KernelCapability added in v0.34.0

type KernelCapability uint64

KernelCapability represents a kernel capability bitmask value

func (KernelCapability) String added in v0.34.0

func (kc KernelCapability) String() string

func (KernelCapability) StringArray added in v0.34.0

func (kc KernelCapability) StringArray() []string

StringArray returns the kernel capabilities as an array of strings

type L3Protocol added in v0.36.0

type L3Protocol uint16

L3Protocol Network protocols

// L3Protocol values. Names, values and comments appear to mirror the Linux
// ETH_P_* EtherType table (the "[ NOT AN OFFICIALLY REGISTERED ID ]" markers
// are carried over verbatim). Two points for rule authors: the small values
// from EthP8023 upward (0x0001–0x00F9) are described by their own comments as
// dummy or kernel-internal types rather than on-wire EtherTypes, and
// EthPIPV6HopByHop is 0x000, i.e. the zero value of L3Protocol, so an
// unpopulated protocol field is indistinguishable from it (presumably
// including in String() output — confirm).
const (
	// EthPLOOP Ethernet Loopback packet
	EthPLOOP L3Protocol = 0x0060
	// EthPPUP Xerox PUP packet
	EthPPUP L3Protocol = 0x0200
	// EthPPUPAT Xerox PUP Addr Trans packet
	EthPPUPAT L3Protocol = 0x0201
	// EthPTSN TSN (IEEE 1722) packet
	EthPTSN L3Protocol = 0x22F0
	// EthPIP Internet Protocol packet
	EthPIP L3Protocol = 0x0800
	// EthPX25 CCITT X.25
	EthPX25 L3Protocol = 0x0805
	// EthPARP Address Resolution packet
	EthPARP L3Protocol = 0x0806
	// EthPBPQ G8BPQ AX.25 Ethernet Packet    [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBPQ L3Protocol = 0x08FF
	// EthPIEEEPUP Xerox IEEE802.3 PUP packet
	EthPIEEEPUP L3Protocol = 0x0a00
	// EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet
	EthPIEEEPUPAT L3Protocol = 0x0a01
	// EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBATMAN L3Protocol = 0x4305
	// EthPDEC DEC Assigned proto
	EthPDEC L3Protocol = 0x6000
	// EthPDNADL DEC DNA Dump/Load
	EthPDNADL L3Protocol = 0x6001
	// EthPDNARC DEC DNA Remote Console
	EthPDNARC L3Protocol = 0x6002
	// EthPDNART DEC DNA Routing
	EthPDNART L3Protocol = 0x6003
	// EthPLAT DEC LAT
	EthPLAT L3Protocol = 0x6004
	// EthPDIAG DEC Diagnostics
	EthPDIAG L3Protocol = 0x6005
	// EthPCUST DEC Customer use
	EthPCUST L3Protocol = 0x6006
	// EthPSCA DEC Systems Comms Arch
	EthPSCA L3Protocol = 0x6007
	// EthPTEB Trans Ether Bridging
	EthPTEB L3Protocol = 0x6558
	// EthPRARP Reverse Addr Res packet
	EthPRARP L3Protocol = 0x8035
	// EthPATALK Appletalk DDP
	EthPATALK L3Protocol = 0x809B
	// EthPAARP Appletalk AARP
	EthPAARP L3Protocol = 0x80F3
	// EthP8021Q 802.1Q VLAN Extended Header
	EthP8021Q L3Protocol = 0x8100
	// EthPERSPAN ERSPAN type II
	EthPERSPAN L3Protocol = 0x88BE
	// EthPIPX IPX over DIX
	EthPIPX L3Protocol = 0x8137
	// EthPIPV6 IPv6 over bluebook
	EthPIPV6 L3Protocol = 0x86DD
	// EthPPAUSE IEEE Pause frames. See 802.3 31B
	EthPPAUSE L3Protocol = 0x8808
	// EthPSLOW Slow Protocol. See 802.3ad 43B
	EthPSLOW L3Protocol = 0x8809
	// EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	EthPWCCP L3Protocol = 0x883E
	// EthPMPLSUC MPLS Unicast traffic
	EthPMPLSUC L3Protocol = 0x8847
	// EthPMPLSMC MPLS Multicast traffic
	EthPMPLSMC L3Protocol = 0x8848
	// EthPATMMPOA MultiProtocol Over ATM
	EthPATMMPOA L3Protocol = 0x884c
	// EthPPPPDISC PPPoE discovery messages
	EthPPPPDISC L3Protocol = 0x8863
	// EthPPPPSES PPPoE session messages
	EthPPPPSES L3Protocol = 0x8864
	// EthPLinkCTL HPNA, wlan link local tunnel
	EthPLinkCTL L3Protocol = 0x886c
	// EthPATMFATE Frame-based ATM Transport over Ethernet
	EthPATMFATE L3Protocol = 0x8884
	// EthPPAE Port Access Entity (IEEE 802.1X)
	EthPPAE L3Protocol = 0x888E
	// EthPAOE ATA over Ethernet
	EthPAOE L3Protocol = 0x88A2
	// EthP8021AD 802.1ad Service VLAN
	EthP8021AD L3Protocol = 0x88A8
	// EthP802EX1 802.1 Local Experimental 1.
	EthP802EX1 L3Protocol = 0x88B5
	// EthPTIPC TIPC
	EthPTIPC L3Protocol = 0x88CA
	// EthPMACSEC 802.1ae MACsec
	EthPMACSEC L3Protocol = 0x88E5
	// EthP8021AH 802.1ah Backbone Service Tag
	EthP8021AH L3Protocol = 0x88E7
	// EthPMVRP 802.1Q MVRP
	EthPMVRP L3Protocol = 0x88F5
	// EthP1588 IEEE 1588 Timesync
	EthP1588 L3Protocol = 0x88F7
	// EthPNCSI NCSI protocol
	EthPNCSI L3Protocol = 0x88F8
	// EthPPRP IEC 62439-3 PRP/HSRv0
	EthPPRP L3Protocol = 0x88FB
	// EthPFCOE Fibre Channel over Ethernet
	EthPFCOE L3Protocol = 0x8906
	// EthPIBOE Infiniband over Ethernet
	EthPIBOE L3Protocol = 0x8915
	// EthPTDLS TDLS
	EthPTDLS L3Protocol = 0x890D
	// EthPFIP FCoE Initialization Protocol
	EthPFIP L3Protocol = 0x8914
	// EthP80221 IEEE 802.21 Media Independent Handover Protocol
	EthP80221 L3Protocol = 0x8917
	// EthPHSR IEC 62439-3 HSRv1
	EthPHSR L3Protocol = 0x892F
	// EthPNSH Network Service Header
	EthPNSH L3Protocol = 0x894F
	// EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3
	EthPLOOPBACK L3Protocol = 0x9000
	// EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ1 L3Protocol = 0x9100
	// EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ2 L3Protocol = 0x9200
	// EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ3 L3Protocol = 0x9300
	// EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPEDSA L3Protocol = 0xDADA
	// EthPIFE ForCES inter-FE LFB type
	EthPIFE L3Protocol = 0xED3E
	// EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPAFIUCV L3Protocol = 0xFBFB
	// EthP8023MIN If the value in the ethernet type is less than this value then the frame is Ethernet II. Else it is 802.3
	EthP8023MIN L3Protocol = 0x0600
	// EthPIPV6HopByHop IPv6 Hop by hop option (value 0x000 is also the zero value of L3Protocol)
	EthPIPV6HopByHop L3Protocol = 0x000
	// EthP8023 Dummy type for 802.3 frames
	EthP8023 L3Protocol = 0x0001
	// EthPAX25 Dummy protocol id for AX.25
	EthPAX25 L3Protocol = 0x0002
	// EthPALL Every packet (be careful!!!)
	EthPALL L3Protocol = 0x0003
	// EthP8022 802.2 frames
	EthP8022 L3Protocol = 0x0004
	// EthPSNAP Internal only
	EthPSNAP L3Protocol = 0x0005
	// EthPDDCMP DEC DDCMP: Internal only
	EthPDDCMP L3Protocol = 0x0006
	// EthPWANPPP Dummy type for WAN PPP frames
	EthPWANPPP L3Protocol = 0x0007
	// EthPPPPMP Dummy type for PPP MP frames
	EthPPPPMP L3Protocol = 0x0008
	// EthPLOCALTALK Localtalk pseudo type
	EthPLOCALTALK L3Protocol = 0x0009
	// EthPCAN CAN: Controller Area Network
	EthPCAN L3Protocol = 0x000C
	// EthPCANFD CANFD: CAN flexible data rate
	EthPCANFD L3Protocol = 0x000D
	// EthPPPPTALK Dummy type for Atalk over PPP
	EthPPPPTALK L3Protocol = 0x0010
	// EthPTR8022 802.2 frames
	EthPTR8022 L3Protocol = 0x0011
	// EthPMOBITEX Mobitex (kaz@cafe.net)
	EthPMOBITEX L3Protocol = 0x0015
	// EthPCONTROL Card specific control frames
	EthPCONTROL L3Protocol = 0x0016
	// EthPIRDA Linux-IrDA
	EthPIRDA L3Protocol = 0x0017
	// EthPECONET Acorn Econet
	EthPECONET L3Protocol = 0x0018
	// EthPHDLC HDLC frames
	EthPHDLC L3Protocol = 0x0019
	// EthPARCNET 1A for ArcNet :-)
	EthPARCNET L3Protocol = 0x001A
	// EthPDSA Distributed Switch Arch.
	EthPDSA L3Protocol = 0x001B
	// EthPTRAILER Trailer switch tagging
	EthPTRAILER L3Protocol = 0x001C
	// EthPPHONET Nokia Phonet frames
	EthPPHONET L3Protocol = 0x00F5
	// EthPIEEE802154 IEEE802.15.4 frame
	EthPIEEE802154 L3Protocol = 0x00F6
	// EthPCAIF ST-Ericsson CAIF protocol
	EthPCAIF L3Protocol = 0x00F7
	// EthPXDSA Multiplexed DSA protocol
	EthPXDSA L3Protocol = 0x00F8
	// EthPMAP Qualcomm multiplexing and aggregation protocol
	EthPMAP L3Protocol = 0x00F9
)

func (L3Protocol) String added in v0.36.0

func (proto L3Protocol) String() string

type L4Protocol added in v0.36.0

type L4Protocol uint16

L4Protocol identifies the transport-layer (L4) protocol of a network packet, using the IANA protocol numbers (Linux IPPROTO_*) listed below.

// L4 protocol numbers. The names and values mirror Linux <linux/in.h> IPPROTO_*
// (the IANA "Assigned Internet Protocol Numbers"). NetworkContext.L4Protocol is
// stored as a plain uint16, so convert before comparing with these names, e.g.
// L4Protocol(ctx.L4Protocol) == IPProtoTCP, rather than matching bare numbers.
const (
	// IPProtoIP Dummy protocol for TCP (Linux IPPROTO_IP, value 0)
	IPProtoIP L4Protocol = 0
	// IPProtoICMP Internet Control Message Protocol (IPv4)
	IPProtoICMP L4Protocol = 1
	// IPProtoIGMP Internet Group Management Protocol
	IPProtoIGMP L4Protocol = 2
	// IPProtoIPIP IPIP tunnels (older KA9Q tunnels use 94)
	IPProtoIPIP L4Protocol = 4
	// IPProtoTCP Transmission Control Protocol
	IPProtoTCP L4Protocol = 6
	// IPProtoEGP Exterior Gateway Protocol
	IPProtoEGP L4Protocol = 8
	// IPProtoIGP Interior Gateway Protocol (any private interior gateway (used by Cisco for their IGRP))
	IPProtoIGP L4Protocol = 9
	// IPProtoPUP PUP protocol
	IPProtoPUP L4Protocol = 12
	// IPProtoUDP User Datagram Protocol
	IPProtoUDP L4Protocol = 17
	// IPProtoIDP XNS IDP protocol
	IPProtoIDP L4Protocol = 22
	// IPProtoTP SO Transport Protocol Class 4
	IPProtoTP L4Protocol = 29
	// IPProtoDCCP Datagram Congestion Control Protocol
	IPProtoDCCP L4Protocol = 33
	// IPProtoIPV6 IPv6-in-IPv4 tunnelling
	IPProtoIPV6 L4Protocol = 41
	// IPProtoRSVP RSVP Protocol
	IPProtoRSVP L4Protocol = 46
	// IPProtoGRE Cisco GRE tunnels (rfc 1701,1702)
	IPProtoGRE L4Protocol = 47
	// IPProtoESP Encapsulation Security Payload protocol (IPsec; the payload is
	// encrypted, so inner transport headers are not inspectable from the packet)
	IPProtoESP L4Protocol = 50
	// IPProtoAH Authentication Header protocol (IPsec; integrity only, payload in clear)
	IPProtoAH L4Protocol = 51
	// IPProtoICMPV6 Internet Control Message Protocol (IPv6)
	IPProtoICMPV6 L4Protocol = 58
	// IPProtoMTP Multicast Transport Protocol
	IPProtoMTP L4Protocol = 92
	// IPProtoBEETPH IP option pseudo header for BEET
	IPProtoBEETPH L4Protocol = 94
	// IPProtoENCAP Encapsulation Header
	IPProtoENCAP L4Protocol = 98
	// IPProtoPIM Protocol Independent Multicast
	IPProtoPIM L4Protocol = 103
	// IPProtoCOMP Compression Header Protocol
	IPProtoCOMP L4Protocol = 108
	// IPProtoSCTP Stream Control Transport Protocol
	IPProtoSCTP L4Protocol = 132
	// IPProtoUDPLITE UDP-Lite (RFC 3828)
	IPProtoUDPLITE L4Protocol = 136
	// IPProtoMPLS MPLS in IP (RFC 4023)
	IPProtoMPLS L4Protocol = 137
	// IPProtoRAW Raw IP packets (Linux IPPROTO_RAW; 255 is reserved by IANA, not a wire protocol)
	IPProtoRAW L4Protocol = 255
)

func (L4Protocol) String added in v0.36.0

func (proto L4Protocol) String() string

type MMapFlag added in v0.34.0

type MMapFlag uint64

MMapFlag represents a mmap flag value

func (MMapFlag) String added in v0.34.0

func (mmf MMapFlag) String() string

type MatchedRule added in v0.44.0

// MatchedRule identifies one rule that matched an event, together with the
// policy it came from. Entries are compared with Match and de-duplicated by
// AppendMatchedRule.
type MatchedRule struct {
	RuleID        string            // identifier of the rule
	RuleVersion   string            // version of the rule definition
	RuleTags      map[string]string // tags attached to the rule definition
	PolicyName    string            // policy that contained the rule
	PolicyVersion string            // version of that policy
}

MatchedRule contains the identification of one rule that has matched.

func AppendMatchedRule added in v0.44.0

func AppendMatchedRule(list []*MatchedRule, toAdd []*MatchedRule) []*MatchedRule

AppendMatchedRule appends toAdd to list, skipping entries that would be duplicates, and returns the combined list.

func NewMatchedRule added in v0.44.0

func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule

NewMatchedRule returns a new MatchedRule instance.

func (*MatchedRule) Match added in v0.44.0

func (mr *MatchedRule) Match(mr2 *MatchedRule) bool

Match returns true if the rules are equal

type Model added in v0.34.0

// Model describes the data model for the runtime security agent events; its
// methods (GetEvaluator, GetIterator, GetEventTypes, ValidateField, NewEvent)
// serve the SECL evaluator.
type Model struct {
	// ExtraValidateFieldFnc is an optional additional validation hook for field
	// values; presumably invoked from ValidateField after the built-in checks and
	// nil-checked there — confirm. The zero value is nil.
	ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator added in v0.34.0

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes added in v0.34.0

func (m *Model) GetEventTypes() []eval.EventType

func (*Model) GetIterator added in v0.34.0

func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)

func (*Model) NewDefaultEventWithType added in v0.43.0

func (m *Model) NewDefaultEventWithType(kind EventType) eval.Event

NewDefaultEventWithType returns a new Event for the given type

func (*Model) NewEvent added in v0.34.0

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) ValidateField added in v0.34.0

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type NetworkContext added in v0.36.0

// NetworkContext represents the network context of the event: capture device,
// L3/L4 protocol numbers, both endpoints and the packet size.
type NetworkContext struct {
	// Device is an empty struct in this build (see NetworkDeviceContext), so it
	// currently exposes no device attributes to rules.
	Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured

	// L3Protocol and L4Protocol are plain uint16 rather than the L3Protocol /
	// L4Protocol types declared in this package; convert before comparing with
	// the named constants, e.g. L4Protocol(ctx.L4Protocol) == IPProtoTCP.
	L3Protocol  uint16        `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`l3 protocol of the network packet` Constants:`L3 protocols`
	L4Protocol  uint16        `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`l4 protocol of the network packet` Constants:`L4 protocols`
	Source      IPPortContext `field:"source"`      // source of the network packet
	Destination IPPortContext `field:"destination"` // destination of the network packet
	Size        uint32        `field:"size"`        // SECLDoc[size] Definition:`size in bytes of the network packet`
}

NetworkContext represents the network context of the event

type NetworkDeviceContext added in v0.36.0

type NetworkDeviceContext struct{}

NetworkDeviceContext defines a network device context

type OpenFlags added in v0.34.0

type OpenFlags int

OpenFlags represents an open flags bitmask value

func (OpenFlags) String added in v0.34.0

func (f OpenFlags) String() string

func (OpenFlags) StringArray added in v0.34.0

func (f OpenFlags) StringArray() []string

StringArray returns the open flags as an array of strings

type OpenRegistryKeyEvent added in v0.52.0

// OpenRegistryKeyEvent describes the opening of a registry key; the key is
// identified by the nested RegistryEvent (key_name, key_path).
type OpenRegistryKeyEvent struct {
	Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}

OpenRegistryKeyEvent describes the opening of a registry key.

type PIDContext added in v0.37.0

// PIDContext holds the process context of a kernel event. This context carries
// only the process ID; no thread ID field is present here.
type PIDContext struct {
	Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
}

PIDContext holds the process context of a kernel event.

type PTraceRequest added in v0.34.0

type PTraceRequest uint32

PTraceRequest represents a ptrace request value

func (PTraceRequest) String added in v0.34.0

func (f PTraceRequest) String() string

type PipeBufFlag added in v0.35.0

type PipeBufFlag int

PipeBufFlag represents a pipe buffer flag

// Pipe buffer flag bits. The names, values and descriptions appear to mirror
// the Linux PIPE_BUF_FLAG_* definitions (include/linux/pipe_fs_i.h).
const (
	// PipeBufFlagLRU the page backing the buffer is on the LRU
	PipeBufFlagLRU PipeBufFlag = 0x1 /* page is on the LRU */
	// PipeBufFlagAtomic the page was atomically mapped
	PipeBufFlagAtomic PipeBufFlag = 0x2 /* was atomically mapped */
	// PipeBufFlagGift the page is a gift (ownership passed to the pipe)
	PipeBufFlagGift PipeBufFlag = 0x4 /* page is a gift */
	// PipeBufFlagPacket read() returns the buffer as a packet
	PipeBufFlagPacket PipeBufFlag = 0x8 /* read() as a packet */
	// PipeBufFlagCanMerge the buffer can be merged with adjacent writes
	PipeBufFlagCanMerge PipeBufFlag = 0x10 /* can merge buffers */
	// PipeBufFlagWhole read() must return the entire buffer or fail
	PipeBufFlagWhole PipeBufFlag = 0x20 /* read() must return entire buffer or error */
	// PipeBufFlagLoss message loss happened after this buffer
	PipeBufFlagLoss PipeBufFlag = 0x40 /* Message loss happened after this buffer */
)

func (PipeBufFlag) String added in v0.35.0

func (pbf PipeBufFlag) String() string

type Process added in v0.34.0

// Process represents a process. The fields present here (a user SID, a single
// command-line string, registry events elsewhere in the package) suggest this is
// the Windows variant of the model — confirm against the file's build tags.
type Process struct {
	PIDContext

	// FileEvent describes the executable backing the process (SECL field "file").
	FileEvent FileEvent `field:"file"`

	ContainerID string `field:"container.id"` // SECLDoc[container.id] Definition:`Container ID`

	// ExitTime and ExecTime are tagged getters_only: presumably reachable through
	// the generated accessors but not usable in rule expressions — confirm.
	ExitTime time.Time `field:"exit_time,opts:getters_only"`
	ExecTime time.Time `field:"exec_time,opts:getters_only"`

	// CreatedAt is resolved on demand by ResolveProcessCreatedAt (handler tag).
	CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`

	PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`

	// ArgsEntry and EnvsEntry are tagged "-" and so are not addressable from SECL;
	// they back the cmdline/envs/envp resolvers below.
	ArgsEntry *ArgsEntry `field:"-"`
	EnvsEntry *EnvsEntry `field:"-"`

	// CmdLine is the raw, unscrubbed command line. Per the op_override tag, SECL
	// comparisons on it are case-insensitive, which is what keeps a rule from being
	// sidestepped by changing argument case on a case-insensitive OS.
	// NOTE(review): arguments may carry secrets (tokens, passwords); CmdLineScrubbed
	// below is the variant meant for anything that leaves the agent — confirm that
	// serializers use it rather than this field.
	CmdLine         string `field:"cmdline,handler:ResolveProcessCmdLine,weight:200" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[cmdline] Definition:`Command line of the process` Example:`exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.cmdline =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
	// CmdLineScrubbed is presumably the command line with sensitive arguments
	// redacted, resolved on demand by ResolveProcessCmdLineScrubbed — confirm
	// against the resolver. getters_only keeps it out of rule expressions.
	CmdLineScrubbed string `field:"cmdline_scrubbed,handler:ResolveProcessCmdLineScrubbed,weight:500,opts:getters_only"`

	// OwnerSidString is the raw SID of the process owner; User is the account name
	// resolved from it (ResolveUser). Prefer the SID for matching: account names
	// can be renamed, SIDs are stable.
	OwnerSidString string `field:"user_sid"`                 // SECLDoc[user_sid] Definition:`Sid of the user of the process`
	User           string `field:"user,handler:ResolveUser"` // SECLDoc[user] Definition:`User name`

	// Envs holds variable names only; Envp holds full NAME=VALUE pairs and may
	// therefore contain secrets. Prefer envs wherever values are not needed.
	Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
	Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process`

	// Cache state, hidden from SECL ("-"): Variables holds per-process SECL
	// variable state; ScrubbedCmdLineResolved presumably memoizes the scrubbed
	// command-line resolution so it runs at most once per entry — confirm.
	Variables               eval.Variables `field:"-"`
	ScrubbedCmdLineResolved bool           `field:"-"`
}

Process represents a process

type ProcessAncestorsIterator added in v0.34.0

type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) Front added in v0.34.0

Front returns the first element

func (*ProcessAncestorsIterator) Next added in v0.34.0

Next returns the next element

type ProcessCacheEntry added in v0.34.0

type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry holds the process context kept in the process tree.

func GetPlaceholderProcessCacheEntry added in v0.49.0

func GetPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry

GetPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions

func NewPlaceholderProcessCacheEntry added in v0.49.0

func NewPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry

NewPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions

func NewProcessCacheEntry added in v0.34.0

func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) Exit added in v0.34.0

func (pc *ProcessCacheEntry) Exit(exitTime time.Time)

Exit marks the process as exited at exitTime.

func (*ProcessCacheEntry) IsContainerRoot added in v0.44.0

func (pc *ProcessCacheEntry) IsContainerRoot() bool

IsContainerRoot returns whether this is the top-level process of its container.

func (*ProcessCacheEntry) Release added in v0.34.0

func (pc *ProcessCacheEntry) Release()

Release decrements the reference count and releases the entry once no references remain.

func (*ProcessCacheEntry) Reset added in v0.34.0

func (pc *ProcessCacheEntry) Reset()

Reset the entry

func (*ProcessCacheEntry) Retain added in v0.34.0

func (pc *ProcessCacheEntry) Retain()

Retain increments the reference counter.

func (*ProcessCacheEntry) SetAncestor added in v0.34.0

func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)

SetAncestor sets the ancestor

func (*ProcessCacheEntry) SetReleaseCallback added in v0.35.0

func (pc *ProcessCacheEntry) SetReleaseCallback(callback func())

SetReleaseCallback sets the callback invoked when the entry is released.

type ProcessContext added in v0.34.0

// ProcessContext holds the process context of an event: the process itself plus
// its parent and the chain of ancestors.
type ProcessContext struct {
	Process

	// Parent is exposed only at the event root (opts:exposed_at_event_root_only)
	// and is guarded by HasParent (check:HasParent); rules must not assume a
	// parent exists.
	Parent   *Process           `field:"parent,opts:exposed_at_event_root_only,check:HasParent"`
	// Ancestor heads the ancestor chain walked by ProcessAncestorsIterator. The
	// IsNotKworker check is not defined on this page and kworker is a Linux kernel
	// thread concept — confirm what the check guards in this build.
	Ancestor *ProcessCacheEntry `field:"ancestors,iterator:ProcessAncestorsIterator,check:IsNotKworker"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) HasParent added in v0.42.0

func (p *ProcessContext) HasParent() bool

HasParent returns whether the process has a parent

type Protection added in v0.34.0

type Protection int

Protection represents a virtual memory protection bitmask value

func (Protection) String added in v0.34.0

func (p Protection) String() string

type QClass added in v0.36.0

type QClass uint32

QClass is used to declare the qclass field of a DNS request

func (QClass) String added in v0.36.0

func (qc QClass) String() string

type QType added in v0.36.0

type QType uint32

QType is used to declare the qtype field of a DNS request

func (QType) String added in v0.36.0

func (qt QType) String() string

type RegistryEvent added in v0.52.0

// RegistryEvent is the common registry event type nested in the registry
// key/value events.
type RegistryEvent struct {
	// KeyName is the key's own name. NOTE(review): unlike KeyPath it carries no
	// eval.CaseInsensitiveCmp override as tagged here, so a SECL comparison on
	// key_name is presumably case-sensitive although the Windows registry is
	// not: a rule on key_name == "Run" would not see a key opened as "RUN".
	// Confirm whether the asymmetry is intentional.
	KeyName string `field:"key_name,opts:length"`                                       // SECLDoc[key_name] Definition:`Registry's name`
	// KeyPath is the full key path; comparisons are case-insensitive (op_override).
	KeyPath string `field:"key_path,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[key_path] Definition:`Registry's path`
}

RegistryEvent is the common registry event type

type Releasable added in v0.46.0

type Releasable struct {
	// contains filtered or unexported fields
}

Releasable represents an object that can be released.

func (*Releasable) CallReleaseCallback added in v0.46.0

func (r *Releasable) CallReleaseCallback()

CallReleaseCallback calls the on-release callback

func (*Releasable) OnRelease added in v0.46.0

func (r *Releasable) OnRelease()

OnRelease triggers the callback

func (*Releasable) SetReleaseCallback added in v0.46.0

func (r *Releasable) SetReleaseCallback(callback func())

SetReleaseCallback sets a callback to be called when the cache entry is released

type RetValError added in v0.34.0

type RetValError int

RetValError represents a syscall return error value

func (RetValError) String added in v0.34.0

func (f RetValError) String() string

type SecurityProfileContext added in v0.45.0

// SecurityProfileContext holds the security-profile information attached to an
// event: which profile (name, version, tags) applied and which event types it
// covers.
type SecurityProfileContext struct {
	Name       string      `field:"name"`        // SECLDoc[name] Definition:`Name of the security profile`
	Version    string      `field:"version"`     // SECLDoc[version] Definition:`Version of the security profile`
	Tags       []string    `field:"tags"`        // SECLDoc[tags] Definition:`Tags of the security profile`
	EventTypes []EventType `field:"event_types"` // SECLDoc[event_types] Definition:`Event types enabled for the security profile`
}

SecurityProfileContext holds the security context of the profile

type SetRegistryKeyValueEvent added in v0.52.0

// SetRegistryKeyValueEvent describes setting a value on a registry key.
type SetRegistryKeyValueEvent struct {
	Registry  RegistryEvent `field:"registry"`                                   // SECLDoc[registry] Definition:`Registry Event`
	// ValueName is the name of the value being written. The semicolon-separated
	// tag presumably exposes it as both value_name and registry.value_name —
	// confirm. NOTE(review): as tagged it has no eval.CaseInsensitiveCmp override
	// (compare RegistryEvent.KeyPath) while registry value names are
	// case-insensitive on Windows; confirm whether case-sensitive matching is
	// intended.
	ValueName string        `field:"value_name;registry.value_name,opts:length"` // SECLDoc[value_name] Definition:`Registry's value name`

}

SetRegistryKeyValueEvent describes setting a value on a registry key.

type Signal added in v0.35.0

type Signal int

Signal represents a type of Unix signal (e.g. SIGKILL, SIGSTOP).

func (Signal) String added in v0.35.0

func (sig Signal) String() string

type SpanContext added in v0.34.0

// SpanContext describes a span context: span and trace identifiers, presumably
// for APM correlation.
type SpanContext struct {
	// Both fields are tagged field:"_" rather than "-"; presumably this hides them
	// from rule expressions while keeping them in the model — confirm the tag
	// semantics in the field-tag parser.
	SpanID  uint64 `field:"_"`
	TraceID uint64 `field:"_"`
}

SpanContext describes a span context

type Syscall added in v0.39.0

type Syscall int

Syscall represents a syscall identifier

func (Syscall) String added in v0.39.0

func (i Syscall) String() string

type UnlinkFlags added in v0.34.0

type UnlinkFlags int

UnlinkFlags represents an unlink flags bitmask value

func (UnlinkFlags) String added in v0.34.0

func (f UnlinkFlags) String() string

func (UnlinkFlags) StringArray added in v0.34.0

func (f UnlinkFlags) StringArray() []string

StringArray returns the unlink flags as an array of strings

type UserSessionContext added in v0.50.0

// UserSessionContext describes the user session context. The `json` tags are
// used to parse K8s credentials from cws-instrumentation; SECL exposure goes
// through the `field` tags.
type UserSessionContext struct {
	// ID, SessionType and Resolved are internal bookkeeping (field:"-").
	ID          uint64           `field:"-"`
	SessionType usersession.Type `field:"-"`
	Resolved    bool             `field:"-"`
	// Kubernetes User Session context. NOTE(review): per the type comment these
	// values are parsed from data supplied by cws-instrumentation, not derived
	// from the kernel event itself, so rules keyed on them are only as
	// trustworthy as that source — confirm how the data reaches the agent.
	K8SUsername string              `field:"k8s_username,handler:ResolveK8SUsername" json:"username,omitempty"` // SECLDoc[k8s_username] Definition:`Kubernetes username of the user that executed the process`
	K8SUID      string              `field:"k8s_uid,handler:ResolveK8SUID" json:"uid,omitempty"`                // SECLDoc[k8s_uid] Definition:`Kubernetes UID of the user that executed the process`
	K8SGroups   []string            `field:"k8s_groups,handler:ResolveK8SGroups" json:"groups,omitempty"`       // SECLDoc[k8s_groups] Definition:`Kubernetes groups of the user that executed the process`
	// K8SExtra has no `field` tag and so is presumably not addressable from rules.
	K8SExtra    map[string][]string `json:"extra,omitempty"`
}

UserSessionContext describes the user session context. Disclaimer: the `json` tags are used to parse K8s credentials from cws-instrumentation.

type VMFlag added in v0.34.0

type VMFlag uint64

VMFlag represents a VM_* bitmask value

func (VMFlag) String added in v0.34.0

func (vmf VMFlag) String() string

Directories

Path Synopsis
Package main holds main related files
Package main holds main related files
Package main holds main related files
Package main holds main related files
Package usersession holds model related to the user session context
Package usersession holds model related to the user session context
