Documentation ¶
Overview ¶
Package model holds model related files
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files ¶
Package model holds model related files
Index ¶
- Constants
- Variables
- func FilterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string
- func GetEventTypePerCategory() map[EventCategory][]eval.EventType
- func IsAlphaNumeric(r rune) bool
- func IsPrintable(s string) bool
- func IsPrintableASCII(s string) bool
- func NullTerminatedString(d []byte) string
- func SECLConstants() map[string]interface{}
- func SliceToArray(src []byte, dst []byte)
- func StringifyHelpersList(input []uint32) []string
- func UnmarshalPrintableString(data []byte, size int) (string, error)
- func UnmarshalString(data []byte, size int) (string, error)
- func UnmarshalStringArray(data []byte) ([]string, error)
- type ActionReport
- type AddressFamily
- type ArgsEntry
- type ArgsEnvs
- type BPFAttachType
- type BPFCmd
- type BPFHelperFunc
- type BPFMapType
- type BPFProgramType
- type BaseEvent
- type BaseExtraFieldHandlers
- type ContainerContext
- type CreateNewFileEvent
- type CreateRegistryKeyEvent
- type DNSEvent
- type DeleteFileEvent
- type DeleteRegistryKeyEvent
- type EnvsEntry
- type ErrInvalidKeyPath
- type ErrProcessBrokenLineage
- type ErrProcessIncompleteLineage
- type ErrProcessMissingParentNode
- type ErrProcessWrongParentNode
- type Event
- func (e *Event) AddToFlags(flag uint32)
- func (e *Event) GetActionReports() []ActionReport
- func (ev *Event) GetContainerCreatedAt() int
- func (ev *Event) GetContainerId() string
- func (ev *Event) GetContainerTags() []string
- func (ev *Event) GetCreateFileDevicePath() string
- func (ev *Event) GetCreateFileDevicePathLength() int
- func (ev *Event) GetCreateFileName() string
- func (ev *Event) GetCreateFileNameLength() int
- func (ev *Event) GetCreateKeyRegistryKeyName() string
- func (ev *Event) GetCreateKeyRegistryKeyNameLength() int
- func (ev *Event) GetCreateKeyRegistryKeyPath() string
- func (ev *Event) GetCreateKeyRegistryKeyPathLength() int
- func (ev *Event) GetCreateRegistryKeyName() string
- func (ev *Event) GetCreateRegistryKeyNameLength() int
- func (ev *Event) GetCreateRegistryKeyPath() string
- func (ev *Event) GetCreateRegistryKeyPathLength() int
- func (ev *Event) GetDeleteFileDevicePath() string
- func (ev *Event) GetDeleteFileDevicePathLength() int
- func (ev *Event) GetDeleteFileName() string
- func (ev *Event) GetDeleteFileNameLength() int
- func (ev *Event) GetDeleteKeyRegistryKeyName() string
- func (ev *Event) GetDeleteKeyRegistryKeyNameLength() int
- func (ev *Event) GetDeleteKeyRegistryKeyPath() string
- func (ev *Event) GetDeleteKeyRegistryKeyPathLength() int
- func (ev *Event) GetDeleteRegistryKeyName() string
- func (ev *Event) GetDeleteRegistryKeyNameLength() int
- func (ev *Event) GetDeleteRegistryKeyPath() string
- func (ev *Event) GetDeleteRegistryKeyPathLength() int
- func (ev *Event) GetEventOrigin() string
- func (ev *Event) GetEventOs() string
- func (ev *Event) GetEventService() string
- func (ev *Event) GetEventTimestamp() int
- func (e *Event) GetEventType() EventType
- func (ev *Event) GetExecCmdline() string
- func (ev *Event) GetExecCmdlineScrubbed() string
- func (ev *Event) GetExecContainerId() string
- func (ev *Event) GetExecCreatedAt() int
- func (ev *Event) GetExecEnvp() []string
- func (ev *Event) GetExecEnvs() []string
- func (ev *Event) GetExecExecTime() time.Time
- func (ev *Event) GetExecExitTime() time.Time
- func (ev *Event) GetExecFileName() string
- func (ev *Event) GetExecFileNameLength() int
- func (ev *Event) GetExecFilePath() string
- func (ev *Event) GetExecFilePathLength() int
- func (ev *Event) GetExecPid() uint32
- func (ev *Event) GetExecPpid() uint32
- func (ev *Event) GetExecUser() string
- func (ev *Event) GetExecUserSid() string
- func (ev *Event) GetExitCause() uint32
- func (ev *Event) GetExitCmdline() string
- func (ev *Event) GetExitCmdlineScrubbed() string
- func (ev *Event) GetExitCode() uint32
- func (ev *Event) GetExitContainerId() string
- func (ev *Event) GetExitCreatedAt() int
- func (ev *Event) GetExitEnvp() []string
- func (ev *Event) GetExitEnvs() []string
- func (ev *Event) GetExitExecTime() time.Time
- func (ev *Event) GetExitExitTime() time.Time
- func (ev *Event) GetExitFileName() string
- func (ev *Event) GetExitFileNameLength() int
- func (ev *Event) GetExitFilePath() string
- func (ev *Event) GetExitFilePathLength() int
- func (ev *Event) GetExitPid() uint32
- func (ev *Event) GetExitPpid() uint32
- func (ev *Event) GetExitUser() string
- func (ev *Event) GetExitUserSid() string
- func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
- func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
- func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error)
- func (ev *Event) GetFields() []eval.Field
- func (ev *Event) GetOpenKeyRegistryKeyName() string
- func (ev *Event) GetOpenKeyRegistryKeyNameLength() int
- func (ev *Event) GetOpenKeyRegistryKeyPath() string
- func (ev *Event) GetOpenKeyRegistryKeyPathLength() int
- func (ev *Event) GetOpenRegistryKeyName() string
- func (ev *Event) GetOpenRegistryKeyNameLength() int
- func (ev *Event) GetOpenRegistryKeyPath() string
- func (ev *Event) GetOpenRegistryKeyPathLength() int
- func (ev *Event) GetProcessAncestorsCmdline() []string
- func (ev *Event) GetProcessAncestorsCmdlineScrubbed() []string
- func (ev *Event) GetProcessAncestorsContainerId() []string
- func (ev *Event) GetProcessAncestorsCreatedAt() []int
- func (ev *Event) GetProcessAncestorsEnvp() []string
- func (ev *Event) GetProcessAncestorsEnvs() []string
- func (ev *Event) GetProcessAncestorsFileName() []string
- func (ev *Event) GetProcessAncestorsFileNameLength() []int
- func (ev *Event) GetProcessAncestorsFilePath() []string
- func (ev *Event) GetProcessAncestorsFilePathLength() []int
- func (ev *Event) GetProcessAncestorsPid() []uint32
- func (ev *Event) GetProcessAncestorsPpid() []uint32
- func (ev *Event) GetProcessAncestorsUser() []string
- func (ev *Event) GetProcessAncestorsUserSid() []string
- func (ev *Event) GetProcessCmdline() string
- func (ev *Event) GetProcessCmdlineScrubbed() string
- func (ev *Event) GetProcessContainerId() string
- func (ev *Event) GetProcessCreatedAt() int
- func (ev *Event) GetProcessEnvp() []string
- func (ev *Event) GetProcessEnvs() []string
- func (ev *Event) GetProcessExecTime() time.Time
- func (ev *Event) GetProcessExitTime() time.Time
- func (ev *Event) GetProcessFileName() string
- func (ev *Event) GetProcessFileNameLength() int
- func (ev *Event) GetProcessFilePath() string
- func (ev *Event) GetProcessFilePathLength() int
- func (ev *Event) GetProcessParentCmdline() string
- func (ev *Event) GetProcessParentCmdlineScrubbed() string
- func (ev *Event) GetProcessParentContainerId() string
- func (ev *Event) GetProcessParentCreatedAt() int
- func (ev *Event) GetProcessParentEnvp() []string
- func (ev *Event) GetProcessParentEnvs() []string
- func (ev *Event) GetProcessParentFileName() string
- func (ev *Event) GetProcessParentFileNameLength() int
- func (ev *Event) GetProcessParentFilePath() string
- func (ev *Event) GetProcessParentFilePathLength() int
- func (ev *Event) GetProcessParentPid() uint32
- func (ev *Event) GetProcessParentPpid() uint32
- func (ev *Event) GetProcessParentUser() string
- func (ev *Event) GetProcessParentUserSid() string
- func (ev *Event) GetProcessPid() uint32
- func (ev *Event) GetProcessPpid() uint32
- func (ev *Event) GetProcessUser() string
- func (ev *Event) GetProcessUserSid() string
- func (ev *Event) GetRenameFileDestinationDevicePath() string
- func (ev *Event) GetRenameFileDestinationDevicePathLength() int
- func (ev *Event) GetRenameFileDestinationName() string
- func (ev *Event) GetRenameFileDestinationNameLength() int
- func (ev *Event) GetRenameFileDevicePath() string
- func (ev *Event) GetRenameFileDevicePathLength() int
- func (ev *Event) GetRenameFileName() string
- func (ev *Event) GetRenameFileNameLength() int
- func (ev *Event) GetSetKeyValueRegistryKeyName() string
- func (ev *Event) GetSetKeyValueRegistryKeyNameLength() int
- func (ev *Event) GetSetKeyValueRegistryKeyPath() string
- func (ev *Event) GetSetKeyValueRegistryKeyPathLength() int
- func (ev *Event) GetSetKeyValueRegistryValueName() string
- func (ev *Event) GetSetKeyValueRegistryValueNameLength() int
- func (ev *Event) GetSetKeyValueValueName() string
- func (ev *Event) GetSetRegistryKeyName() string
- func (ev *Event) GetSetRegistryKeyNameLength() int
- func (ev *Event) GetSetRegistryKeyPath() string
- func (ev *Event) GetSetRegistryKeyPathLength() int
- func (ev *Event) GetSetRegistryValueName() string
- func (ev *Event) GetSetRegistryValueNameLength() int
- func (ev *Event) GetSetValueName() string
- func (e *Event) GetTags() []string
- func (ev *Event) GetTimestamp() time.Time
- func (e *Event) GetType() string
- func (e *Event) GetWorkloadID() string
- func (ev *Event) GetWriteFileDevicePath() string
- func (ev *Event) GetWriteFileDevicePathLength() int
- func (ev *Event) GetWriteFileName() string
- func (ev *Event) GetWriteFileNameLength() int
- func (e *Event) HasActiveActivityDump() bool
- func (e *Event) Init()
- func (e *Event) IsActivityDumpSample() bool
- func (e *Event) IsAnomalyDetectionEvent() bool
- func (e *Event) IsInProfile() bool
- func (e *Event) IsKernelSpaceAnomalyDetectionEvent() bool
- func (e *Event) IsSavedByActivityDumps() bool
- func (e *Event) Release()
- func (e *Event) RemoveFromFlags(flag uint32)
- func (e *Event) ResolveEventTime() time.Time
- func (ev *Event) ResolveFields()
- func (ev *Event) ResolveFieldsForAD()
- func (e *Event) ResolveProcessCacheEntry() (*ProcessCacheEntry, bool)
- func (e *Event) ResolveService() string
- func (e *Event) Retain() Event
- func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error
- func (e *Event) Zero()
- type EventCategory
- type EventType
- type ExecEvent
- type ExitCause
- type ExitEvent
- type ExtraFieldHandlers
- type FakeFieldHandlers
- func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool)
- func (dfh *FakeFieldHandlers) ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
- func (dfh *FakeFieldHandlers) ResolveContainerID(ev *Event, e *ContainerContext) string
- func (dfh *FakeFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string
- func (dfh *FakeFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time
- func (dfh *FakeFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int
- func (dfh *FakeFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) string
- func (dfh *FakeFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string
- func (dfh *FakeFieldHandlers) ResolveFimFileBasename(ev *Event, e *FimFileEvent) string
- func (dfh *FakeFieldHandlers) ResolveFimFilePath(ev *Event, e *FimFileEvent) string
- func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(_ *Event) (*ProcessCacheEntry, bool)
- func (dfh *FakeFieldHandlers) ResolveProcessCmdLine(ev *Event, e *Process) string
- func (dfh *FakeFieldHandlers) ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string
- func (dfh *FakeFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int
- func (dfh *FakeFieldHandlers) ResolveProcessEnvp(ev *Event, e *Process) []string
- func (dfh *FakeFieldHandlers) ResolveProcessEnvs(ev *Event, e *Process) []string
- func (dfh *FakeFieldHandlers) ResolveService(ev *Event, e *BaseEvent) string
- func (dfh *FakeFieldHandlers) ResolveUser(ev *Event, e *Process) string
- type FieldHandlers
- type FileEvent
- type FileMode
- type FimFileEvent
- type HashAlgorithm
- type HashState
- type IPPortContext
- type InodeMode
- type KernelCapability
- type L3Protocol
- type L4Protocol
- type MMapFlag
- type MatchedRule
- type Model
- func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)
- func (m *Model) GetEventTypes() []eval.EventType
- func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)
- func (m *Model) NewDefaultEventWithType(kind EventType) eval.Event
- func (m *Model) NewEvent() eval.Event
- func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error
- type NetworkContext
- type NetworkDeviceContext
- type OpenFlags
- type OpenRegistryKeyEvent
- type PIDContext
- type PTraceRequest
- type PipeBufFlag
- type Process
- type ProcessAncestorsIterator
- type ProcessCacheEntry
- func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
- func (pc *ProcessCacheEntry) IsContainerRoot() bool
- func (pc *ProcessCacheEntry) Release()
- func (pc *ProcessCacheEntry) Reset()
- func (pc *ProcessCacheEntry) Retain()
- func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)
- func (pc *ProcessCacheEntry) SetReleaseCallback(callback func())
- type ProcessContext
- type Protection
- type QClass
- type QType
- type RegistryEvent
- type Releasable
- type RenameFileEvent
- type RetValError
- type SecurityProfileContext
- type SetRegistryKeyValueEvent
- type Signal
- type SpanContext
- type Syscall
- type UnlinkFlags
- type UserSessionContext
- type VMFlag
- type WriteFileEvent
Constants ¶
const ( // MaxArgEnvSize maximum size of one argument or environment variable MaxArgEnvSize = 256 // MaxArgsEnvsSize maximum number of args and/or envs MaxArgsEnvsSize = 256 )
const ( // MaxSegmentLength defines the maximum length of each segment of a path MaxSegmentLength = 255 // MaxPathDepth defines the maximum depth of a path // see pkg/security/ebpf/c/dentry_resolver.h: DR_MAX_TAIL_CALL * DR_MAX_ITERATION_DEPTH MaxPathDepth = 1363 // MaxBpfObjName defines the maximum length of a Bpf object name MaxBpfObjName = 16 // PathSuffix defines the suffix used for path fields PathSuffix = ".path" // NameSuffix defines the suffix used for name fields NameSuffix = ".name" // ContainerIDLen defines the length of a container ID ContainerIDLen = sha256.Size * 2 // MaxSymlinks maximum symlinks captured MaxSymlinks = 2 // MaxTracedCgroupsCount hard limit for the count of traced cgroups MaxTracedCgroupsCount = 128 )
const ( // EventFlagsAsync async event EventFlagsAsync = 1 << iota // EventFlagsSavedByAD saved by ad EventFlagsSavedByAD // EventFlagsActivityDumpSample an AD sample EventFlagsActivityDumpSample // EventFlagsSecurityProfileInProfile true if the event was found in a profile EventFlagsSecurityProfileInProfile // EventFlagsAnomalyDetectionEvent true if the event is marked as being an anomaly EventFlagsAnomalyDetectionEvent // EventFlagsHasActiveActivityDump true if the event has an active activity dump associated to it EventFlagsHasActiveActivityDump )
const ( LowerLayer = 1 << iota UpperLayer )
File flags
const ( // UnknownEventType unknown event UnknownEventType EventType = iota // FileOpenEventType File open event FileOpenEventType // FileMkdirEventType Folder creation event FileMkdirEventType // FileLinkEventType Hard link creation event FileLinkEventType // FileRenameEventType File or folder rename event FileRenameEventType // FileUnlinkEventType Unlink event FileUnlinkEventType // FileRmdirEventType Rmdir event FileRmdirEventType // FileChmodEventType Chmod event FileChmodEventType // FileChownEventType Chown event FileChownEventType // FileUtimesEventType Utime event FileUtimesEventType // FileSetXAttrEventType Setxattr event FileSetXAttrEventType // FileRemoveXAttrEventType Removexattr event FileRemoveXAttrEventType // FileChdirEventType chdir event FileChdirEventType // FileMountEventType Mount event FileMountEventType // FileUmountEventType Umount event FileUmountEventType // ForkEventType Fork event ForkEventType // ExecEventType Exec event ExecEventType // ExitEventType Exit event ExitEventType // InvalidateDentryEventType Dentry invalidated event (DEPRECATED) InvalidateDentryEventType // SetuidEventType setuid event SetuidEventType // SetgidEventType setgid event SetgidEventType // CapsetEventType capset event CapsetEventType // ArgsEnvsEventType args and envs event ArgsEnvsEventType // MountReleasedEventType sent when a mount point is released MountReleasedEventType // SELinuxEventType selinux event SELinuxEventType // BPFEventType bpf event BPFEventType // PTraceEventType PTrace event PTraceEventType // MMapEventType MMap event MMapEventType // MProtectEventType MProtect event MProtectEventType // LoadModuleEventType LoadModule event LoadModuleEventType // UnloadModuleEventType UnloadModule evnt UnloadModuleEventType // SignalEventType Signal event SignalEventType // SpliceEventType Splice event SpliceEventType // CgroupTracingEventType is sent when a new cgroup is being traced CgroupTracingEventType // DNSEventType DNS event DNSEventType // NetDeviceEventType is sent for events on net devices NetDeviceEventType // VethPairEventType is sent when a new veth pair is created VethPairEventType // BindEventType Bind event BindEventType UnshareMountNsEventType // SyscallsEventType Syscalls event SyscallsEventType // AnomalyDetectionSyscallEventType Anomaly Detection Syscall event AnomalyDetectionSyscallEventType // MaxKernelEventType is used internally to get the maximum number of kernel events. MaxKernelEventType // FirstEventType is the first valid event type FirstEventType = FileOpenEventType // LastEventType is the last valid event type LastEventType = SyscallsEventType // FirstDiscarderEventType first event that accepts discarders FirstDiscarderEventType = FileOpenEventType // LastDiscarderEventType last event that accepts discarders LastDiscarderEventType = FileChdirEventType // LastApproverEventType is the last event that accepts approvers LastApproverEventType = SpliceEventType // CustomLostReadEventType is the custom event used to report lost events detected in user space CustomLostReadEventType = iota // CustomLostWriteEventType is the custom event used to report lost events detected in kernel space CustomLostWriteEventType // CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded CustomRulesetLoadedEventType // CustomHeartbeatEventType is the custom event used to report a heartbeat event CustomHeartbeatEventType // CustomForkBombEventType is the custom event used to report the detection of a fork bomb CustomForkBombEventType // CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated CustomTruncatedParentsEventType // CustomSelfTestEventType is the custom event used to report the results of a self test run CustomSelfTestEventType // CreateNewFileEventType event CreateNewFileEventType // DeleteFileEventType event DeleteFileEventType // WriteFileEventType event WriteFileEventType // CreateRegistryKeyEventType event CreateRegistryKeyEventType // OpenRegistryKeyEventType event OpenRegistryKeyEventType // SetRegistryKeyValueEventType event SetRegistryKeyValueEventType // DeleteRegistryKeyEventType event DeleteRegistryKeyEventType // MaxAllEventType is used internally to get the maximum number of events. MaxAllEventType )
Variables ¶
var ( // BPFCmdConstants is the list of BPF commands // generate_constants:BPF commands,BPF commands are used to specify a command to a bpf syscall. BPFCmdConstants = map[string]BPFCmd{ "BPF_MAP_CREATE": BpfMapCreateCmd, "BPF_MAP_LOOKUP_ELEM": BpfMapLookupElemCmd, "BPF_MAP_UPDATE_ELEM": BpfMapUpdateElemCmd, "BPF_MAP_DELETE_ELEM": BpfMapDeleteElemCmd, "BPF_MAP_GET_NEXT_KEY": BpfMapGetNextKeyCmd, "BPF_PROG_LOAD": BpfProgLoadCmd, "BPF_OBJ_PIN": BpfObjPinCmd, "BPF_OBJ_GET": BpfObjGetCmd, "BPF_PROG_ATTACH": BpfProgAttachCmd, "BPF_PROG_DETACH": BpfProgDetachCmd, "BPF_PROG_TEST_RUN": BpfProgTestRunCmd, "BPF_PROG_RUN": BpfProgTestRunCmd, "BPF_PROG_GET_NEXT_ID": BpfProgGetNextIDCmd, "BPF_MAP_GET_NEXT_ID": BpfMapGetNextIDCmd, "BPF_PROG_GET_FD_BY_ID": BpfProgGetFdByIDCmd, "BPF_MAP_GET_FD_BY_ID": BpfMapGetFdByIDCmd, "BPF_OBJ_GET_INFO_BY_FD": BpfObjGetInfoByFdCmd, "BPF_PROG_QUERY": BpfProgQueryCmd, "BPF_RAW_TRACEPOINT_OPEN": BpfRawTracepointOpenCmd, "BPF_BTF_LOAD": BpfBtfLoadCmd, "BPF_BTF_GET_FD_BY_ID": BpfBtfGetFdByIDCmd, "BPF_TASK_FD_QUERY": BpfTaskFdQueryCmd, "BPF_MAP_LOOKUP_AND_DELETE_ELEM": BpfMapLookupAndDeleteElemCmd, "BPF_MAP_FREEZE": BpfMapFreezeCmd, "BPF_BTF_GET_NEXT_ID": BpfBtfGetNextIDCmd, "BPF_MAP_LOOKUP_BATCH": BpfMapLookupBatchCmd, "BPF_MAP_LOOKUP_AND_DELETE_BATCH": BpfMapLookupAndDeleteBatchCmd, "BPF_MAP_UPDATE_BATCH": BpfMapUpdateBatchCmd, "BPF_MAP_DELETE_BATCH": BpfMapDeleteBatchCmd, "BPF_LINK_CREATE": BpfLinkCreateCmd, "BPF_LINK_UPDATE": BpfLinkUpdateCmd, "BPF_LINK_GET_FD_BY_ID": BpfLinkGetFdByIDCmd, "BPF_LINK_GET_NEXT_ID": BpfLinkGetNextIDCmd, "BPF_ENABLE_STATS": BpfEnableStatsCmd, "BPF_ITER_CREATE": BpfIterCreateCmd, "BPF_LINK_DETACH": BpfLinkDetachCmd, "BPF_PROG_BIND_MAP": BpfProgBindMapCmd, } // BPFHelperFuncConstants is the list of BPF helper func constants // generate_constants:BPF helper functions,BPF helper functions are the supported BPF helper functions. BPFHelperFuncConstants = map[string]BPFHelperFunc{}/* 166 elements not displayed */ // BPFMapTypeConstants is the list of BPF map type constants // generate_constants:BPF map types,BPF map types are the supported eBPF map types. BPFMapTypeConstants = map[string]BPFMapType{ "BPF_MAP_TYPE_UNSPEC": BpfMapTypeUnspec, "BPF_MAP_TYPE_HASH": BpfMapTypeHash, "BPF_MAP_TYPE_ARRAY": BpfMapTypeArray, "BPF_MAP_TYPE_PROG_ARRAY": BpfMapTypeProgArray, "BPF_MAP_TYPE_PERF_EVENT_ARRAY": BpfMapTypePerfEventArray, "BPF_MAP_TYPE_PERCPU_HASH": BpfMapTypePercpuHash, "BPF_MAP_TYPE_PERCPU_ARRAY": BpfMapTypePercpuArray, "BPF_MAP_TYPE_STACK_TRACE": BpfMapTypeStackTrace, "BPF_MAP_TYPE_CGROUP_ARRAY": BpfMapTypeCgroupArray, "BPF_MAP_TYPE_LRU_HASH": BpfMapTypeLruHash, "BPF_MAP_TYPE_LRU_PERCPU_HASH": BpfMapTypeLruPercpuHash, "BPF_MAP_TYPE_LPM_TRIE": BpfMapTypeLpmTrie, "BPF_MAP_TYPE_ARRAY_OF_MAPS": BpfMapTypeArrayOfMaps, "BPF_MAP_TYPE_HASH_OF_MAPS": BpfMapTypeHashOfMaps, "BPF_MAP_TYPE_DEVMAP": BpfMapTypeDevmap, "BPF_MAP_TYPE_SOCKMAP": BpfMapTypeSockmap, "BPF_MAP_TYPE_CPUMAP": BpfMapTypeCPUmap, "BPF_MAP_TYPE_XSKMAP": BpfMapTypeXskmap, "BPF_MAP_TYPE_SOCKHASH": BpfMapTypeSockhash, "BPF_MAP_TYPE_CGROUP_STORAGE": BpfMapTypeCgroupStorage, "BPF_MAP_TYPE_REUSEPORT_SOCKARRAY": BpfMapTypeReuseportSockarray, "BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE": BpfMapTypePercpuCgroupStorage, "BPF_MAP_TYPE_QUEUE": BpfMapTypeQueue, "BPF_MAP_TYPE_STACK": BpfMapTypeStack, "BPF_MAP_TYPE_SK_STORAGE": BpfMapTypeSkStorage, "BPF_MAP_TYPE_DEVMAP_HASH": BpfMapTypeDevmapHash, "BPF_MAP_TYPE_STRUCT_OPS": BpfMapTypeStructOps, "BPF_MAP_TYPE_RINGBUF": BpfMapTypeRingbuf, "BPF_MAP_TYPE_INODE_STORAGE": BpfMapTypeInodeStorage, "BPF_MAP_TYPE_TASK_STORAGE": BpfMapTypeTaskStorage, } // BPFProgramTypeConstants is the list of BPF program type constants // generate_constants:BPF program types,BPF program types are the supported eBPF program types. BPFProgramTypeConstants = map[string]BPFProgramType{ "BPF_PROG_TYPE_UNSPEC": BpfProgTypeUnspec, "BPF_PROG_TYPE_SOCKET_FILTER": BpfProgTypeSocketFilter, "BPF_PROG_TYPE_KPROBE": BpfProgTypeKprobe, "BPF_PROG_TYPE_SCHED_CLS": BpfProgTypeSchedCls, "BPF_PROG_TYPE_SCHED_ACT": BpfProgTypeSchedAct, "BPF_PROG_TYPE_TRACEPOINT": BpfProgTypeTracepoint, "BPF_PROG_TYPE_XDP": BpfProgTypeXdp, "BPF_PROG_TYPE_PERF_EVENT": BpfProgTypePerfEvent, "BPF_PROG_TYPE_CGROUP_SKB": BpfProgTypeCgroupSkb, "BPF_PROG_TYPE_CGROUP_SOCK": BpfProgTypeCgroupSock, "BPF_PROG_TYPE_LWT_IN": BpfProgTypeLwtIn, "BPF_PROG_TYPE_LWT_OUT": BpfProgTypeLwtOut, "BPF_PROG_TYPE_LWT_XMIT": BpfProgTypeLwtXmit, "BPF_PROG_TYPE_SOCK_OPS": BpfProgTypeSockOps, "BPF_PROG_TYPE_SK_SKB": BpfProgTypeSkSkb, "BPF_PROG_TYPE_CGROUP_DEVICE": BpfProgTypeCgroupDevice, "BPF_PROG_TYPE_SK_MSG": BpfProgTypeSkMsg, "BPF_PROG_TYPE_RAW_TRACEPOINT": BpfProgTypeRawTracepoint, "BPF_PROG_TYPE_CGROUP_SOCK_ADDR": BpfProgTypeCgroupSockAddr, "BPF_PROG_TYPE_LWT_SEG6LOCAL": BpfProgTypeLwtSeg6local, "BPF_PROG_TYPE_LIRC_MODE2": BpfProgTypeLircMode2, "BPF_PROG_TYPE_SK_REUSEPORT": BpfProgTypeSkReuseport, "BPF_PROG_TYPE_FLOW_DISSECTOR": BpfProgTypeFlowDissector, "BPF_PROG_TYPE_CGROUP_SYSCTL": BpfProgTypeCgroupSysctl, "BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE": BpfProgTypeRawTracepointWritable, "BPF_PROG_TYPE_CGROUP_SOCKOPT": BpfProgTypeCgroupSockopt, "BPF_PROG_TYPE_TRACING": BpfProgTypeTracing, "BPF_PROG_TYPE_STRUCT_OPS": BpfProgTypeStructOps, "BPF_PROG_TYPE_EXT": BpfProgTypeExt, "BPF_PROG_TYPE_LSM": BpfProgTypeLsm, "BPF_PROG_TYPE_SK_LOOKUP": BpfProgTypeSkLookup, } // BPFAttachTypeConstants is the list of BPF attach type constants // generate_constants:BPF attach types,BPF attach types are the supported eBPF program attach types. BPFAttachTypeConstants = map[string]BPFAttachType{ "BPF_CGROUP_INET_INGRESS": BpfCgroupInetIngress, "BPF_CGROUP_INET_EGRESS": BpfCgroupInetEgress, "BPF_CGROUP_INET_SOCK_CREATE": BpfCgroupInetSockCreate, "BPF_CGROUP_SOCK_OPS": BpfCgroupSockOps, "BPF_SK_SKB_STREAM_PARSER": BpfSkSkbStreamParser, "BPF_SK_SKB_STREAM_VERDICT": BpfSkSkbStreamVerdict, "BPF_CGROUP_DEVICE": BpfCgroupDevice, "BPF_SK_MSG_VERDICT": BpfSkMsgVerdict, "BPF_CGROUP_INET4_BIND": BpfCgroupInet4Bind, "BPF_CGROUP_INET6_BIND": BpfCgroupInet6Bind, "BPF_CGROUP_INET4_CONNECT": BpfCgroupInet4Connect, "BPF_CGROUP_INET6_CONNECT": BpfCgroupInet6Connect, "BPF_CGROUP_INET4_POST_BIND": BpfCgroupInet4PostBind, "BPF_CGROUP_INET6_POST_BIND": BpfCgroupInet6PostBind, "BPF_CGROUP_UDP4_SENDMSG": BpfCgroupUDP4Sendmsg, "BPF_CGROUP_UDP6_SENDMSG": BpfCgroupUDP6Sendmsg, "BPF_LIRC_MODE2": BpfLircMode2, "BPF_FLOW_DISSECTOR": BpfFlowDissector, "BPF_CGROUP_SYSCTL": BpfCgroupSysctl, "BPF_CGROUP_UDP4_RECVMSG": BpfCgroupUDP4Recvmsg, "BPF_CGROUP_UDP6_RECVMSG": BpfCgroupUDP6Recvmsg, "BPF_CGROUP_GETSOCKOPT": BpfCgroupGetsockopt, "BPF_CGROUP_SETSOCKOPT": BpfCgroupSetsockopt, "BPF_TRACE_RAW_TP": BpfTraceRawTp, "BPF_TRACE_FENTRY": BpfTraceFentry, "BPF_TRACE_FEXIT": BpfTraceFexit, "BPF_MODIFY_RETURN": BpfModifyReturn, "BPF_LSM_MAC": BpfLsmMac, "BPF_TRACE_ITER": BpfTraceIter, "BPF_CGROUP_INET4_GETPEERNAME": BpfCgroupInet4Getpeername, "BPF_CGROUP_INET6_GETPEERNAME": BpfCgroupInet6Getpeername, "BPF_CGROUP_INET4_GETSOCKNAME": BpfCgroupInet4Getsockname, "BPF_CGROUP_INET6_GETSOCKNAME": BpfCgroupInet6Getsockname, "BPF_XDP_DEVMAP": BpfXdpDevmap, "BPF_CGROUP_INET_SOCK_RELEASE": BpfCgroupInetSockRelease, "BPF_XDP_CPUMAP": BpfXdpCPUmap, "BPF_SK_LOOKUP": BpfSkLookup, "BPF_XDP": BpfXdp, "BPF_SK_SKB_VERDICT": BpfSkSkbVerdict, } // PipeBufFlagConstants is the list of pipe buffer flags // generate_constants:Pipe buffer flags,Pipe buffer flags are the supported flags for a pipe buffer. PipeBufFlagConstants = map[string]PipeBufFlag{ "PIPE_BUF_FLAG_LRU": PipeBufFlagLRU, "PIPE_BUF_FLAG_ATOMIC": PipeBufFlagAtomic, "PIPE_BUF_FLAG_GIFT": PipeBufFlagGift, "PIPE_BUF_FLAG_PACKET": PipeBufFlagPacket, "PIPE_BUF_FLAG_CAN_MERGE": PipeBufFlagCanMerge, "PIPE_BUF_FLAG_WHOLE": PipeBufFlagWhole, "PIPE_BUF_FLAG_LOSS": PipeBufFlagLoss, } // DNSQTypeConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml // generate_constants:DNS qtypes,DNS qtypes are the supported DNS query types. DNSQTypeConstants = map[string]int{ "None": 0, "A": 1, "NS": 2, "MD": 3, "MF": 4, "CNAME": 5, "SOA": 6, "MB": 7, "MG": 8, "MR": 9, "NULL": 10, "PTR": 12, "HINFO": 13, "MINFO": 14, "MX": 15, "TXT": 16, "RP": 17, "AFSDB": 18, "X25": 19, "ISDN": 20, "RT": 21, "NSAPPTR": 23, "SIG": 24, "KEY": 25, "PX": 26, "GPOS": 27, "AAAA": 28, "LOC": 29, "NXT": 30, "EID": 31, "NIMLOC": 32, "SRV": 33, "ATMA": 34, "NAPTR": 35, "KX": 36, "CERT": 37, "DNAME": 39, "OPT": 41, "APL": 42, "DS": 43, "SSHFP": 44, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48, "DHCID": 49, "NSEC3": 50, "NSEC3PARAM": 51, "TLSA": 52, "SMIMEA": 53, "HIP": 55, "NINFO": 56, "RKEY": 57, "TALINK": 58, "CDS": 59, "CDNSKEY": 60, "OPENPGPKEY": 61, "CSYNC": 62, "ZONEMD": 63, "SVCB": 64, "HTTPS": 65, "SPF": 99, "UINFO": 100, "UID": 101, "GID": 102, "UNSPEC": 103, "NID": 104, "L32": 105, "L64": 106, "LP": 107, "EUI48": 108, "EUI64": 109, "URI": 256, "CAA": 257, "AVC": 258, "TKEY": 249, "TSIG": 250, "IXFR": 251, "AXFR": 252, "MAILB": 253, "MAILA": 254, "ANY": 255, "TA": 32768, "DLV": 32769, "Reserved": 65535, } // DNSQClassConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml // generate_constants:DNS qclasses,DNS qclasses are the supported DNS query classes. DNSQClassConstants = map[string]int{ "CLASS_INET": 1, "CLASS_CSNET": 2, "CLASS_CHAOS": 3, "CLASS_HESIOD": 4, "CLASS_NONE": 254, "CLASS_ANY": 255, } // BooleanConstants holds the evaluator for boolean constants // generate_constants:Boolean constants,Boolean constants are the supported boolean constants. BooleanConstants = map[string]interface{}{ "true": &eval.BoolEvaluator{Value: true}, "false": &eval.BoolEvaluator{Value: false}, } // L3ProtocolConstants is the list of supported L3 protocols // generate_constants:L3 protocols,L3 protocols are the supported Layer 3 protocols. L3ProtocolConstants = map[string]L3Protocol{ "ETH_P_LOOP": EthPLOOP, "ETH_P_PUP": EthPPUP, "ETH_P_PUPAT": EthPPUPAT, "ETH_P_TSN": EthPTSN, "ETH_P_IP": EthPIP, "ETH_P_X25": EthPX25, "ETH_P_ARP": EthPARP, "ETH_P_BPQ": EthPBPQ, "ETH_P_IEEEPUP": EthPIEEEPUP, "ETH_P_IEEEPUPAT": EthPIEEEPUPAT, "ETH_P_BATMAN": EthPBATMAN, "ETH_P_DEC": EthPDEC, "ETH_P_DNADL": EthPDNADL, "ETH_P_DNARC": EthPDNARC, "ETH_P_DNART": EthPDNART, "ETH_P_LAT": EthPLAT, "ETH_P_DIAG": EthPDIAG, "ETH_P_CUST": EthPCUST, "ETH_P_SCA": EthPSCA, "ETH_P_TEB": EthPTEB, "ETH_P_RARP": EthPRARP, "ETH_P_ATALK": EthPATALK, "ETH_P_AARP": EthPAARP, "ETH_P_8021_Q": EthP8021Q, "ETH_P_ERSPAN": EthPERSPAN, "ETH_P_IPX": EthPIPX, "ETH_P_IPV6": EthPIPV6, "ETH_P_PAUSE": EthPPAUSE, "ETH_P_SLOW": EthPSLOW, "ETH_P_WCCP": EthPWCCP, "ETH_P_MPLSUC": EthPMPLSUC, "ETH_P_MPLSMC": EthPMPLSMC, "ETH_P_ATMMPOA": EthPATMMPOA, "ETH_P_PPPDISC": EthPPPPDISC, "ETH_P_PPPSES": EthPPPPSES, "ETH_P__LINK_CTL": EthPLinkCTL, "ETH_P_ATMFATE": EthPATMFATE, "ETH_P_PAE": EthPPAE, "ETH_P_AOE": EthPAOE, "ETH_P_8021_AD": EthP8021AD, "ETH_P_802_EX1": EthP802EX1, "ETH_P_TIPC": EthPTIPC, "ETH_P_MACSEC": EthPMACSEC, "ETH_P_8021_AH": EthP8021AH, "ETH_P_MVRP": EthPMVRP, "ETH_P_1588": EthP1588, "ETH_P_NCSI": EthPNCSI, "ETH_P_PRP": EthPPRP, "ETH_P_FCOE": EthPFCOE, "ETH_P_IBOE": EthPIBOE, "ETH_P_TDLS": EthPTDLS, "ETH_P_FIP": EthPFIP, "ETH_P_80221": EthP80221, "ETH_P_HSR": EthPHSR, "ETH_P_NSH": EthPNSH, "ETH_P_LOOPBACK": EthPLOOPBACK, "ETH_P_QINQ1": EthPQINQ1, "ETH_P_QINQ2": EthPQINQ2, "ETH_P_QINQ3": EthPQINQ3, "ETH_P_EDSA": EthPEDSA, "ETH_P_IFE": EthPIFE, "ETH_P_AFIUCV": EthPAFIUCV, "ETH_P_8023_MIN": EthP8023MIN, "ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop, "ETH_P_8023": EthP8023, "ETH_P_AX25": EthPAX25, "ETH_P_ALL": EthPALL, "ETH_P_8022": EthP8022, "ETH_P_SNAP": EthPSNAP, "ETH_P_DDCMP": EthPDDCMP, "ETH_P_WANPPP": EthPWANPPP, "ETH_P_PPPMP": EthPPPPMP, "ETH_P_LOCALTALK": EthPLOCALTALK, "ETH_P_CAN": EthPCAN, "ETH_P_CANFD": EthPCANFD, "ETH_P_PPPTALK": EthPPPPTALK, "ETH_P_TR8022": EthPTR8022, "ETH_P_MOBITEX": EthPMOBITEX, "ETH_P_CONTROL": EthPCONTROL, "ETH_P_IRDA": EthPIRDA, "ETH_P_ECONET": EthPECONET, "ETH_P_HDLC": EthPHDLC, "ETH_P_ARCNET": EthPARCNET, "ETH_P_DSA": EthPDSA, "ETH_P_TRAILER": EthPTRAILER, "ETH_P_PHONET": EthPPHONET, "ETH_P_IEEE802154": EthPIEEE802154, "ETH_P_CAIF": EthPCAIF, "ETH_P_XDSA": EthPXDSA, "ETH_P_MAP": EthPMAP, } // L4ProtocolConstants is the list of supported L4 protocols // generate_constants:L4 protocols,L4 protocols are the supported Layer 4 protocols. L4ProtocolConstants = map[string]L4Protocol{ "IP_PROTO_IP": IPProtoIP, "IP_PROTO_ICMP": IPProtoICMP, "IP_PROTO_IGMP": IPProtoIGMP, "IP_PROTO_IPIP": IPProtoIPIP, "IP_PROTO_TCP": IPProtoTCP, "IP_PROTO_EGP": IPProtoEGP, "IP_PROTO_IGP": IPProtoIGP, "IP_PROTO_PUP": IPProtoPUP, "IP_PROTO_UDP": IPProtoUDP, "IP_PROTO_IDP": IPProtoIDP, "IP_PROTO_TP": IPProtoTP, "IP_PROTO_DCCP": IPProtoDCCP, "IP_PROTO_IPV6": IPProtoIPV6, "IP_PROTO_RSVP": IPProtoRSVP, "IP_PROTO_GRE": IPProtoGRE, "IP_PROTO_ESP": IPProtoESP, "IP_PROTO_AH": IPProtoAH, "IP_PROTO_ICMPV6": IPProtoICMPV6, "IP_PROTO_MTP": IPProtoMTP, "IP_PROTO_BEETPH": IPProtoBEETPH, "IP_PROTO_ENCAP": IPProtoENCAP, "IP_PROTO_PIM": IPProtoPIM, "IP_PROTO_COMP": IPProtoCOMP, "IP_PROTO_SCTP": IPProtoSCTP, "IP_PROTO_UDPLITE": IPProtoUDPLITE, "IP_PROTO_MPLS": IPProtoMPLS, "IP_PROTO_RAW": IPProtoRAW, } )
var ( // KernelCapabilityConstants list of kernel capabilities KernelCapabilityConstants = map[string]uint64{} // SignalConstants list of signals SignalConstants = map[string]int{} )
var ( // ErrNotEnoughData is returned when the buffer is too small to unmarshal the event ErrNotEnoughData = errors.New("not enough data") // ErrNotEnoughSpace is returned when the provided buffer is too small to marshal the event ErrNotEnoughSpace = errors.New("not enough space") // ErrStringArrayOverflow returned when there is a string array overflow ErrStringArrayOverflow = errors.New("string array overflow") // ErrNonPrintable returned when a string contains non printable char ErrNonPrintable = errors.New("non printable") // ErrIncorrectDataSize is returned when the data read size doesn't correspond to the expected one ErrIncorrectDataSize = errors.New("incorrect data size") )
var ErrNoProcessContext = errors.New("process context not resolved")
ErrNoProcessContext defines an error for event without process context
var SECLLegacyFields = map[eval.Field]eval.Field{
"async": "event.async",
"chmod.filename": "chmod.file.path",
"chmod.basename": "chmod.file.name",
"chmod.mode": "chmod.file.destination.mode",
"chown.filename": "chown.file.path",
"chown.basename": "chown.file.name",
"chown.uid": "chown.file.destination.uid",
"chown.user": "chown.file.destination.user",
"chown.gid": "chown.file.destination.gid",
"chown.group": "chown.file.destination.group",
"open.filename": "open.file.path",
"open.basename": "open.file.name",
"open.mode": "open.file.destination.mode",
"mkdir.filename": "mkdir.file.path",
"mkdir.basename": "mkdir.file.name",
"mkdir.mode": "mkdir.file.destination.mode",
"rmdir.filename": "rmdir.file.path",
"rmdir.basename": "rmdir.file.name",
"rename.old.filename": "rename.file.path",
"rename.old.basename": "rename.file.name",
"rename.new.filename": "rename.file.destination.path",
"rename.new.basename": "rename.file.destination.name",
"unlink.filename": "unlink.file.path",
"unlink.basename": "unlink.file.name",
"utimes.filename": "utimes.file.path",
"utimes.basename": "utimes.file.name",
"link.source.filename": "link.file.path",
"link.source.basename": "link.file.name",
"link.target.filename": "link.file.destination.path",
"link.target.basename": "link.file.destination.name",
"setxattr.filename": "setxattr.file.path",
"setxattr.basename": "setxattr.file.name",
"setxattr.namespace": "setxattr.file.destination.namespace",
"setxattr.name": "setxattr.file.destination.name",
"removexattr.filename": "removexattr.file.path",
"removexattr.basename": "removexattr.file.name",
"removexattr.namespace": "removexattr.file.destination.namespace",
"removexattr.name": "removexattr.file.destination.name",
"exec.filename": "exec.file.path",
"exec.overlay_numlower": "exec.file.overlay_numlower",
"exec.basename": "exec.file.name",
"exec.name": "exec.comm",
"process.filename": "process.file.path",
"process.basename": "process.file.name",
"process.name": "process.comm",
"process.ancestors.filename": "process.ancestors.file.path",
"process.ancestors.basename": "process.ancestors.file.name",
"process.ancestors.name": "process.ancestors.comm",
}
SECLLegacyFields contains the list of the legacy attributes we need to support
var ( // SECLVariables set of variables SECLVariables = map[string]eval.VariableValue{ "process.pid": eval.NewIntVariable(func(ctx *eval.Context) int { pc := ctx.Event.(*Event).ProcessContext if pc == nil { return 0 } return int(pc.Process.Pid) }, nil), } )
Functions ¶
func FilterEnvs ¶ added in v0.51.0
FilterEnvs returns an array of environment variable key value pairs matching the desired keys
func GetEventTypePerCategory ¶ added in v0.34.0
func GetEventTypePerCategory() map[EventCategory][]eval.EventType
GetEventTypePerCategory returns the event types per category
func IsAlphaNumeric ¶
IsAlphaNumeric returns whether a character is either a digit or a letter
func IsPrintable ¶
IsPrintable returns whether the string does contain only unicode printable
func IsPrintableASCII ¶
IsPrintableASCII returns whether the string does contain only ASCII char
func NullTerminatedString ¶ added in v0.41.0
NullTerminatedString returns null-terminated string
func SECLConstants ¶ added in v0.34.0
func SECLConstants() map[string]interface{}
SECLConstants returns the constants supported in runtime security agent rules, initializing these constants during the first call
func SliceToArray ¶
SliceToArray copy src bytes to dst. Destination should have enough space
func StringifyHelpersList ¶ added in v0.34.0
StringifyHelpersList returns a string list representation of a list of helpers
func UnmarshalPrintableString ¶
UnmarshalPrintableString unmarshal printable string
func UnmarshalString ¶
UnmarshalString unmarshal string
func UnmarshalStringArray ¶
UnmarshalStringArray extract array of string for array of byte
Types ¶
type ActionReport ¶ added in v0.52.0
ActionReport defines an action report
type AddressFamily ¶ added in v0.37.0
type AddressFamily int
AddressFamily represents a family address (AF_INET, AF_INET6, AF_UNIX etc)
func (AddressFamily) String ¶ added in v0.37.0
func (af AddressFamily) String() string
type ArgsEnvs ¶ added in v0.34.0
type ArgsEnvs struct { ID uint32 Size uint32 ValuesRaw [MaxArgEnvSize]byte }
ArgsEnvs raw value for args and envs
type BPFAttachType ¶ added in v0.34.0
type BPFAttachType uint32
BPFAttachType is used to define attach type constants
const ( // BpfCgroupInetIngress attach type BpfCgroupInetIngress BPFAttachType = iota + 1 // BpfCgroupInetEgress attach type BpfCgroupInetEgress // BpfCgroupInetSockCreate attach type BpfCgroupInetSockCreate // BpfCgroupSockOps attach type BpfCgroupSockOps // BpfSkSkbStreamParser attach type BpfSkSkbStreamParser // BpfSkSkbStreamVerdict attach type BpfSkSkbStreamVerdict // BpfCgroupDevice attach type BpfCgroupDevice // BpfSkMsgVerdict attach type BpfSkMsgVerdict // BpfCgroupInet4Bind attach type BpfCgroupInet4Bind // BpfCgroupInet6Bind attach type BpfCgroupInet6Bind // BpfCgroupInet4Connect attach type BpfCgroupInet4Connect // BpfCgroupInet6Connect attach type BpfCgroupInet6Connect // BpfCgroupInet4PostBind attach type BpfCgroupInet4PostBind // BpfCgroupInet6PostBind attach type BpfCgroupInet6PostBind // BpfCgroupUDP4Sendmsg attach type BpfCgroupUDP4Sendmsg // BpfCgroupUDP6Sendmsg attach type BpfCgroupUDP6Sendmsg // BpfLircMode2 attach type BpfLircMode2 // BpfFlowDissector attach type BpfFlowDissector // BpfCgroupSysctl attach type BpfCgroupSysctl // BpfCgroupUDP4Recvmsg attach type BpfCgroupUDP4Recvmsg // BpfCgroupUDP6Recvmsg attach type BpfCgroupUDP6Recvmsg // BpfCgroupGetsockopt attach type BpfCgroupGetsockopt // BpfCgroupSetsockopt attach type BpfCgroupSetsockopt // BpfTraceRawTp attach type BpfTraceRawTp // BpfTraceFentry attach type BpfTraceFentry // BpfTraceFexit attach type BpfTraceFexit // BpfModifyReturn attach type BpfModifyReturn // BpfLsmMac attach type BpfLsmMac // BpfTraceIter attach type BpfTraceIter // BpfCgroupInet4Getpeername attach type BpfCgroupInet4Getpeername // BpfCgroupInet6Getpeername attach type BpfCgroupInet6Getpeername // BpfCgroupInet4Getsockname attach type BpfCgroupInet4Getsockname // BpfCgroupInet6Getsockname attach type BpfCgroupInet6Getsockname // BpfXdpDevmap attach type BpfXdpDevmap // BpfCgroupInetSockRelease attach type BpfCgroupInetSockRelease // BpfXdpCPUmap attach type BpfXdpCPUmap // BpfSkLookup attach type BpfSkLookup // BpfXdp attach type BpfXdp // BpfSkSkbVerdict attach type BpfSkSkbVerdict )
func (BPFAttachType) String ¶ added in v0.34.0
func (t BPFAttachType) String() string
type BPFCmd ¶ added in v0.34.0
type BPFCmd uint64
BPFCmd represents a BPF command
const ( // BpfMapCreateCmd command BpfMapCreateCmd BPFCmd = iota // BpfMapLookupElemCmd command BpfMapLookupElemCmd // BpfMapUpdateElemCmd command BpfMapUpdateElemCmd // BpfMapDeleteElemCmd command BpfMapDeleteElemCmd // BpfMapGetNextKeyCmd command BpfMapGetNextKeyCmd // BpfProgLoadCmd command BpfProgLoadCmd // BpfObjPinCmd command BpfObjPinCmd // BpfObjGetCmd command BpfObjGetCmd // BpfProgAttachCmd command BpfProgAttachCmd // BpfProgDetachCmd command BpfProgDetachCmd // BpfProgTestRunCmd command BpfProgTestRunCmd // BpfProgGetNextIDCmd command BpfProgGetNextIDCmd // BpfMapGetNextIDCmd command BpfMapGetNextIDCmd // BpfProgGetFdByIDCmd command BpfProgGetFdByIDCmd // BpfMapGetFdByIDCmd command BpfMapGetFdByIDCmd // BpfObjGetInfoByFdCmd command BpfObjGetInfoByFdCmd // BpfProgQueryCmd command BpfProgQueryCmd // BpfRawTracepointOpenCmd command BpfRawTracepointOpenCmd // BpfBtfLoadCmd command BpfBtfLoadCmd // BpfBtfGetFdByIDCmd command BpfBtfGetFdByIDCmd // BpfTaskFdQueryCmd command BpfTaskFdQueryCmd // BpfMapLookupAndDeleteElemCmd command BpfMapLookupAndDeleteElemCmd // BpfMapFreezeCmd command BpfMapFreezeCmd // BpfBtfGetNextIDCmd command BpfBtfGetNextIDCmd // BpfMapLookupBatchCmd command BpfMapLookupBatchCmd // BpfMapLookupAndDeleteBatchCmd command BpfMapLookupAndDeleteBatchCmd // BpfMapUpdateBatchCmd command BpfMapUpdateBatchCmd // BpfMapDeleteBatchCmd command BpfMapDeleteBatchCmd // BpfLinkCreateCmd command BpfLinkCreateCmd // BpfLinkUpdateCmd command BpfLinkUpdateCmd // BpfLinkGetFdByIDCmd command BpfLinkGetFdByIDCmd // BpfLinkGetNextIDCmd command BpfLinkGetNextIDCmd // BpfEnableStatsCmd command BpfEnableStatsCmd // BpfIterCreateCmd command BpfIterCreateCmd // BpfLinkDetachCmd command BpfLinkDetachCmd // BpfProgBindMapCmd command BpfProgBindMapCmd )
type BPFHelperFunc ¶ added in v0.34.0
type BPFHelperFunc uint32
BPFHelperFunc represents a BPF helper function
const ( // BpfUnspec helper function BpfUnspec BPFHelperFunc = iota // BpfMapLookupElem helper function BpfMapLookupElem // BpfMapUpdateElem helper function BpfMapUpdateElem // BpfMapDeleteElem helper function BpfMapDeleteElem // BpfProbeRead helper function BpfProbeRead // BpfKtimeGetNs helper function BpfKtimeGetNs // BpfTracePrintk helper function BpfTracePrintk // BpfGetPrandomU32 helper function BpfGetPrandomU32 // BpfGetSmpProcessorID helper function BpfGetSmpProcessorID // BpfSkbStoreBytes helper function BpfSkbStoreBytes // BpfL3CsumReplace helper function BpfL3CsumReplace // BpfL4CsumReplace helper function BpfL4CsumReplace // BpfTailCall helper function BpfTailCall // BpfCloneRedirect helper function BpfCloneRedirect // BpfGetCurrentPidTgid helper function BpfGetCurrentPidTgid // BpfGetCurrentUIDGid helper function BpfGetCurrentUIDGid // BpfGetCurrentComm helper function BpfGetCurrentComm // BpfGetCgroupClassid helper function BpfGetCgroupClassid // BpfSkbVlanPush helper function BpfSkbVlanPush // BpfSkbVlanPop helper function BpfSkbVlanPop // BpfSkbGetTunnelKey helper function BpfSkbGetTunnelKey // BpfSkbSetTunnelKey helper function BpfSkbSetTunnelKey // BpfPerfEventRead helper function BpfPerfEventRead // BpfRedirect helper function BpfRedirect // BpfGetRouteRealm helper function BpfGetRouteRealm // BpfPerfEventOutput helper function BpfPerfEventOutput // BpfSkbLoadBytes helper function BpfSkbLoadBytes // BpfGetStackid helper function BpfGetStackid // BpfCsumDiff helper function BpfCsumDiff // BpfSkbGetTunnelOpt helper function BpfSkbGetTunnelOpt // BpfSkbSetTunnelOpt helper function BpfSkbSetTunnelOpt // BpfSkbChangeProto helper function BpfSkbChangeProto // BpfSkbChangeType helper function BpfSkbChangeType // BpfSkbUnderCgroup helper function BpfSkbUnderCgroup // BpfGetHashRecalc helper function BpfGetHashRecalc // BpfGetCurrentTask helper function BpfGetCurrentTask // BpfProbeWriteUser helper function BpfProbeWriteUser // BpfCurrentTaskUnderCgroup helper function BpfCurrentTaskUnderCgroup // BpfSkbChangeTail helper function BpfSkbChangeTail // BpfSkbPullData helper function BpfSkbPullData // BpfCsumUpdate helper function BpfCsumUpdate // BpfSetHashInvalid helper function BpfSetHashInvalid // BpfGetNumaNodeID helper function BpfGetNumaNodeID // BpfSkbChangeHead helper function BpfSkbChangeHead // BpfXdpAdjustHead helper function BpfXdpAdjustHead // BpfProbeReadStr helper function BpfProbeReadStr // BpfGetSocketCookie helper function BpfGetSocketCookie // BpfGetSocketUID helper function BpfGetSocketUID // BpfSetHash helper function BpfSetHash // BpfSetsockopt helper function BpfSetsockopt // BpfSkbAdjustRoom helper function BpfSkbAdjustRoom // BpfRedirectMap helper function BpfRedirectMap // BpfSkRedirectMap helper function BpfSkRedirectMap // BpfSockMapUpdate helper function BpfSockMapUpdate // BpfXdpAdjustMeta helper function BpfXdpAdjustMeta // BpfPerfEventReadValue helper function BpfPerfEventReadValue // BpfPerfProgReadValue helper function BpfPerfProgReadValue // BpfGetsockopt helper function BpfGetsockopt // BpfOverrideReturn helper function BpfOverrideReturn // BpfSockOpsCbFlagsSet helper function BpfSockOpsCbFlagsSet // BpfMsgRedirectMap helper function BpfMsgRedirectMap // BpfMsgApplyBytes helper function BpfMsgApplyBytes // BpfMsgCorkBytes helper function BpfMsgCorkBytes // BpfMsgPullData helper function BpfMsgPullData // BpfBind helper function BpfBind // BpfXdpAdjustTail helper function BpfXdpAdjustTail // BpfSkbGetXfrmState helper function BpfSkbGetXfrmState // BpfGetStack helper function BpfGetStack // BpfSkbLoadBytesRelative helper function BpfSkbLoadBytesRelative // BpfFibLookup helper function BpfFibLookup // BpfSockHashUpdate helper function BpfSockHashUpdate // BpfMsgRedirectHash helper function BpfMsgRedirectHash // BpfSkRedirectHash helper function BpfSkRedirectHash // BpfLwtPushEncap helper function BpfLwtPushEncap // BpfLwtSeg6StoreBytes helper function BpfLwtSeg6StoreBytes // BpfLwtSeg6AdjustSrh helper function BpfLwtSeg6AdjustSrh // BpfLwtSeg6Action helper function BpfLwtSeg6Action // BpfRcRepeat helper function BpfRcRepeat // BpfRcKeydown helper function BpfRcKeydown // BpfSkbCgroupID helper function BpfSkbCgroupID // BpfGetCurrentCgroupID helper function BpfGetCurrentCgroupID // BpfGetLocalStorage helper function BpfGetLocalStorage // BpfSkSelectReuseport helper function BpfSkSelectReuseport // BpfSkbAncestorCgroupID helper function BpfSkbAncestorCgroupID // BpfSkLookupTCP helper function BpfSkLookupTCP // BpfSkLookupUDP helper function BpfSkLookupUDP // BpfSkRelease helper function BpfSkRelease // BpfMapPushElem helper function BpfMapPushElem // BpfMapPopElem helper function BpfMapPopElem // BpfMapPeekElem helper function BpfMapPeekElem // BpfMsgPushData helper function BpfMsgPushData // BpfMsgPopData helper function BpfMsgPopData // BpfRcPointerRel helper function BpfRcPointerRel // BpfSpinLock helper function BpfSpinLock // BpfSpinUnlock helper function BpfSpinUnlock // BpfSkFullsock helper function BpfSkFullsock // BpfTCPSock helper function BpfTCPSock // BpfSkbEcnSetCe helper function BpfSkbEcnSetCe // BpfGetListenerSock helper function BpfGetListenerSock // BpfSkcLookupTCP helper function BpfSkcLookupTCP BpfTCPCheckSyncookie // BpfSysctlGetName helper function BpfSysctlGetName // BpfSysctlGetCurrentValue helper function BpfSysctlGetCurrentValue // BpfSysctlGetNewValue helper function BpfSysctlGetNewValue // BpfSysctlSetNewValue helper function BpfSysctlSetNewValue // BpfStrtol helper function BpfStrtol // BpfStrtoul helper function BpfStrtoul // BpfSkStorageGet helper function BpfSkStorageGet // BpfSkStorageDelete helper function BpfSkStorageDelete // BpfSendSignal helper function BpfSendSignal BpfTCPGenSyncookie // BpfSkbOutput helper function BpfSkbOutput // BpfProbeReadUser helper function BpfProbeReadUser // BpfProbeReadKernel helper function BpfProbeReadKernel // BpfProbeReadUserStr helper function BpfProbeReadUserStr // BpfProbeReadKernelStr helper function BpfProbeReadKernelStr // BpfTCPSendAck helper function BpfTCPSendAck // BpfSendSignalThread helper function BpfSendSignalThread // BpfJiffies64 helper function BpfJiffies64 // BpfReadBranchRecords helper function BpfReadBranchRecords // BpfGetNsCurrentPidTgid helper function BpfGetNsCurrentPidTgid // BpfXdpOutput helper function BpfXdpOutput // BpfGetNetnsCookie helper function BpfGetNetnsCookie // BpfGetCurrentAncestorCgroupID helper function BpfGetCurrentAncestorCgroupID // BpfSkAssign helper function BpfSkAssign // BpfKtimeGetBootNs helper function BpfKtimeGetBootNs // BpfSeqPrintf helper function BpfSeqPrintf // BpfSeqWrite helper function BpfSeqWrite // BpfSkCgroupID helper function BpfSkCgroupID // BpfSkAncestorCgroupID helper function BpfSkAncestorCgroupID // BpfRingbufOutput helper function BpfRingbufOutput // BpfRingbufReserve helper function BpfRingbufReserve // BpfRingbufSubmit helper function BpfRingbufSubmit // BpfRingbufDiscard helper function BpfRingbufDiscard // BpfRingbufQuery helper function BpfRingbufQuery // BpfCsumLevel helper function BpfCsumLevel // BpfSkcToTCP6Sock helper function BpfSkcToTCP6Sock // BpfSkcToTCPSock helper function BpfSkcToTCPSock // BpfSkcToTCPTimewaitSock helper function BpfSkcToTCPTimewaitSock // BpfSkcToTCPRequestSock helper function BpfSkcToTCPRequestSock // BpfSkcToUDP6Sock helper function BpfSkcToUDP6Sock // BpfGetTaskStack helper function BpfGetTaskStack // BpfLoadHdrOpt helper function BpfLoadHdrOpt // BpfStoreHdrOpt helper function BpfStoreHdrOpt // BpfReserveHdrOpt helper function BpfReserveHdrOpt // BpfInodeStorageGet helper function BpfInodeStorageGet // BpfInodeStorageDelete helper function BpfInodeStorageDelete // BpfDPath helper function BpfDPath // BpfCopyFromUser helper function BpfCopyFromUser // BpfSnprintfBtf helper function BpfSnprintfBtf // BpfSeqPrintfBtf helper function BpfSeqPrintfBtf // BpfSkbCgroupClassid helper function BpfSkbCgroupClassid // BpfRedirectNeigh helper function BpfRedirectNeigh // BpfPerCPUPtr helper function BpfPerCPUPtr // BpfThisCPUPtr helper function BpfThisCPUPtr // BpfRedirectPeer helper function BpfRedirectPeer // BpfTaskStorageGet helper function BpfTaskStorageGet // BpfTaskStorageDelete helper function BpfTaskStorageDelete // BpfGetCurrentTaskBtf helper function BpfGetCurrentTaskBtf // BpfBprmOptsSet helper function BpfBprmOptsSet // BpfKtimeGetCoarseNs helper function BpfKtimeGetCoarseNs // BpfImaInodeHash helper function BpfImaInodeHash // BpfSockFromFile helper function BpfSockFromFile // BpfCheckMtu helper function BpfCheckMtu // BpfForEachMapElem helper function BpfForEachMapElem // BpfSnprintf helper function BpfSnprintf )
func (BPFHelperFunc) String ¶ added in v0.34.0
func (f BPFHelperFunc) String() string
type BPFMapType ¶ added in v0.34.0
type BPFMapType uint32
BPFMapType is used to define map type constants
const ( // BpfMapTypeUnspec map type BpfMapTypeUnspec BPFMapType = iota // BpfMapTypeHash map type BpfMapTypeHash // BpfMapTypeArray map type BpfMapTypeArray // BpfMapTypeProgArray map type BpfMapTypeProgArray // BpfMapTypePerfEventArray map type BpfMapTypePerfEventArray // BpfMapTypePercpuHash map type BpfMapTypePercpuHash // BpfMapTypePercpuArray map type BpfMapTypePercpuArray // BpfMapTypeStackTrace map type BpfMapTypeStackTrace // BpfMapTypeCgroupArray map type BpfMapTypeCgroupArray // BpfMapTypeLruHash map type BpfMapTypeLruHash // BpfMapTypeLruPercpuHash map type BpfMapTypeLruPercpuHash // BpfMapTypeLpmTrie map type BpfMapTypeLpmTrie // BpfMapTypeArrayOfMaps map type BpfMapTypeArrayOfMaps // BpfMapTypeHashOfMaps map type BpfMapTypeHashOfMaps // BpfMapTypeDevmap map type BpfMapTypeDevmap // BpfMapTypeSockmap map type BpfMapTypeSockmap // BpfMapTypeCPUmap map type BpfMapTypeCPUmap // BpfMapTypeXskmap map type BpfMapTypeXskmap // BpfMapTypeSockhash map type BpfMapTypeSockhash // BpfMapTypeCgroupStorage map type BpfMapTypeCgroupStorage // BpfMapTypeReuseportSockarray map type BpfMapTypeReuseportSockarray // BpfMapTypePercpuCgroupStorage map type BpfMapTypePercpuCgroupStorage // BpfMapTypeQueue map type BpfMapTypeQueue // BpfMapTypeStack map type BpfMapTypeStack // BpfMapTypeSkStorage map type BpfMapTypeSkStorage // BpfMapTypeDevmapHash map type BpfMapTypeDevmapHash // BpfMapTypeStructOps map type BpfMapTypeStructOps // BpfMapTypeRingbuf map type BpfMapTypeRingbuf // BpfMapTypeInodeStorage map type BpfMapTypeInodeStorage // BpfMapTypeTaskStorage map type BpfMapTypeTaskStorage )
func (BPFMapType) String ¶ added in v0.34.0
func (t BPFMapType) String() string
type BPFProgramType ¶ added in v0.34.0
type BPFProgramType uint32
BPFProgramType is used to define program type constants
const ( // BpfProgTypeUnspec program type BpfProgTypeUnspec BPFProgramType = iota // BpfProgTypeSocketFilter program type BpfProgTypeSocketFilter // BpfProgTypeKprobe program type BpfProgTypeKprobe // BpfProgTypeSchedCls program type BpfProgTypeSchedCls // BpfProgTypeSchedAct program type BpfProgTypeSchedAct // BpfProgTypeTracepoint program type BpfProgTypeTracepoint // BpfProgTypeXdp program type BpfProgTypeXdp // BpfProgTypePerfEvent program type BpfProgTypePerfEvent // BpfProgTypeCgroupSkb program type BpfProgTypeCgroupSkb // BpfProgTypeCgroupSock program type BpfProgTypeCgroupSock // BpfProgTypeLwtIn program type BpfProgTypeLwtIn // BpfProgTypeLwtOut program type BpfProgTypeLwtOut // BpfProgTypeLwtXmit program type BpfProgTypeLwtXmit // BpfProgTypeSockOps program type BpfProgTypeSockOps // BpfProgTypeSkSkb program type BpfProgTypeSkSkb // BpfProgTypeCgroupDevice program type BpfProgTypeCgroupDevice // BpfProgTypeSkMsg program type BpfProgTypeSkMsg // BpfProgTypeRawTracepoint program type BpfProgTypeRawTracepoint // BpfProgTypeCgroupSockAddr program type BpfProgTypeCgroupSockAddr // BpfProgTypeLwtSeg6local program type BpfProgTypeLwtSeg6local // BpfProgTypeLircMode2 program type BpfProgTypeLircMode2 // BpfProgTypeSkReuseport program type BpfProgTypeSkReuseport // BpfProgTypeFlowDissector program type BpfProgTypeFlowDissector // BpfProgTypeCgroupSysctl program type BpfProgTypeCgroupSysctl // BpfProgTypeRawTracepointWritable program type BpfProgTypeRawTracepointWritable // BpfProgTypeCgroupSockopt program type BpfProgTypeCgroupSockopt // BpfProgTypeTracing program type BpfProgTypeTracing // BpfProgTypeStructOps program type BpfProgTypeStructOps // BpfProgTypeExt program type BpfProgTypeExt // BpfProgTypeLsm program type BpfProgTypeLsm // BpfProgTypeSkLookup program type BpfProgTypeSkLookup )
func (BPFProgramType) String ¶ added in v0.34.0
func (t BPFProgramType) String() string
type BaseEvent ¶ added in v0.48.0
type BaseEvent struct { ID string `field:"-" event:"*"` Type uint32 `field:"-"` Flags uint32 `field:"-"` TimestampRaw uint64 `field:"event.timestamp,handler:ResolveEventTimestamp" event:"*"` // SECLDoc[event.timestamp] Definition:`Timestamp of the event` Timestamp time.Time `field:"timestamp,opts:getters_only,handler:ResolveEventTime" event:"*"` Rules []*MatchedRule `field:"-"` ActionReports []ActionReport `field:"-"` Os string `field:"event.os" event:"*"` // SECLDoc[event.os] Definition:`Operating system of the event` Origin string `field:"event.origin" event:"*"` // SECLDoc[event.origin] Definition:`Origin of the event` Service string `field:"event.service,handler:ResolveService" event:"*"` // SECLDoc[event.service] Definition:`Service associated with the event` // context shared with all events ProcessContext *ProcessContext `field:"process" event:"*"` ContainerContext *ContainerContext `field:"container" event:"*"` SecurityProfileContext SecurityProfileContext `field:"-"` // internal usage PIDContext PIDContext `field:"-"` ProcessCacheEntry *ProcessCacheEntry `field:"-"` // mark event with having error Error error `field:"-"` // field resolution FieldHandlers FieldHandlers `field:"-"` }
BaseEvent represents an event sent from the kernel
type BaseExtraFieldHandlers ¶ added in v0.50.0
type BaseExtraFieldHandlers interface { ResolveProcessCacheEntry(ev *Event) (*ProcessCacheEntry, bool) ResolveContainerContext(ev *Event) (*ContainerContext, bool) }
BaseExtraFieldHandlers handlers not hold by any field
type ContainerContext ¶ added in v0.34.0
type ContainerContext struct { Releasable ID string `field:"id,handler:ResolveContainerID"` // SECLDoc[id] Definition:`ID of the container` CreatedAt uint64 `field:"created_at,handler:ResolveContainerCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the container“ Tags []string `field:"tags,handler:ResolveContainerTags,opts:skip_ad,weight:9999"` // SECLDoc[tags] Definition:`Tags of the container` Resolved bool `field:"-"` }
ContainerContext holds the container context of an event
type CreateNewFileEvent ¶ added in v0.52.0
type CreateNewFileEvent struct {
File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}
CreateNewFileEvent defines file creation
type CreateRegistryKeyEvent ¶ added in v0.52.0
type CreateRegistryKeyEvent struct {
Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}
CreateRegistryKeyEvent defines registry key creation
type DNSEvent ¶ added in v0.36.0
type DNSEvent struct { ID uint16 `field:"id"` // SECLDoc[id] Definition:`[Experimental] the DNS request ID` Name string `field:"question.name,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[question.name] Definition:`the queried domain name` Type uint16 `field:"question.type"` // SECLDoc[question.type] Definition:`a two octet code which specifies the DNS question type` Constants:`DNS qtypes` Class uint16 `field:"question.class"` // SECLDoc[question.class] Definition:`the class looked up by the DNS question` Constants:`DNS qclasses` Size uint16 `field:"question.length"` // SECLDoc[question.length] Definition:`the total DNS request size in bytes` Count uint16 `field:"question.count"` // SECLDoc[question.count] Definition:`the total count of questions in the DNS request` }
DNSEvent represents a DNS event
type DeleteFileEvent ¶ added in v0.54.0
type DeleteFileEvent struct {
File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}
DeleteFileEvent represents an unlink event
type DeleteRegistryKeyEvent ¶ added in v0.52.0
type DeleteRegistryKeyEvent struct {
Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}
DeleteRegistryKeyEvent defines registry key deletion
type EnvsEntry ¶ added in v0.34.0
EnvsEntry defines a args cache entry
func (*EnvsEntry) FilterEnvs ¶ added in v0.39.0
FilterEnvs returns an array of envs, only the name of each variable is returned unless the variable name is part of the provided filter
type ErrInvalidKeyPath ¶ added in v0.44.0
ErrInvalidKeyPath is returned when inode or mountid are not valid
func (*ErrInvalidKeyPath) Error ¶ added in v0.44.0
func (e *ErrInvalidKeyPath) Error() string
type ErrProcessBrokenLineage ¶ added in v0.50.0
type ErrProcessBrokenLineage struct {
Err error
}
ErrProcessBrokenLineage returned when a process lineage is broken
func (*ErrProcessBrokenLineage) Error ¶ added in v0.50.0
func (e *ErrProcessBrokenLineage) Error() string
Error implements the error interface
func (*ErrProcessBrokenLineage) Unwrap ¶ added in v0.50.0
func (e *ErrProcessBrokenLineage) Unwrap() error
Unwrap implements the error interface
type ErrProcessIncompleteLineage ¶ added in v0.50.0
ErrProcessIncompleteLineage used when the lineage is incorrect in term of pid/ppid
func (*ErrProcessIncompleteLineage) Error ¶ added in v0.50.0
func (e *ErrProcessIncompleteLineage) Error() string
type ErrProcessMissingParentNode ¶ added in v0.50.0
ErrProcessMissingParentNode used when the lineage is incorrect in term of pid/ppid
func (*ErrProcessMissingParentNode) Error ¶ added in v0.50.0
func (e *ErrProcessMissingParentNode) Error() string
type ErrProcessWrongParentNode ¶ added in v0.50.0
ErrProcessWrongParentNode used when the lineage is correct in term of pid/ppid but an exec parent is missing
func (*ErrProcessWrongParentNode) Error ¶ added in v0.50.0
func (e *ErrProcessWrongParentNode) Error() string
type Event ¶ added in v0.34.0
type Event struct { BaseEvent // process events Exec ExecEvent `field:"exec" event:"exec"` // [7.27] [Process] A process was executed or forked Exit ExitEvent `field:"exit" event:"exit"` // [7.38] [Process] A process was terminated // FIM CreateNewFile CreateNewFileEvent `field:"create" event:"create"` // [7.52] [File] A file was created RenameFile RenameFileEvent `field:"rename" event:"rename"` // [7.54] [File] A file was renamed DeleteFile DeleteFileEvent `field:"delete" event:"delete"` // [7.54] [File] A file was deleted WriteFile WriteFileEvent `field:"write" event:"write"` // [7.54] [File] A file was written // Registries CreateRegistryKey CreateRegistryKeyEvent `field:"create_key;create" event:"create_key" ` // [7.52] [Registry] A registry key was created OpenRegistryKey OpenRegistryKeyEvent `field:"open_key;open" event:"open_key"` // [7.52] [Registry] A registry key was opened SetRegistryKeyValue SetRegistryKeyValueEvent `field:"set_key_value;set" event:"set_key_value"` // [7.52] [Registry] A registry key value was set DeleteRegistryKey DeleteRegistryKeyEvent `field:"delete_key;delete" event:"delete_key"` // [7.52] [Registry] A registry key was deleted }
Event represents an event sent from the kernel genaccessors
func NewFakeEvent ¶ added in v0.52.0
func NewFakeEvent() *Event
NewFakeEvent returns a new event using the default field handlers
func (*Event) AddToFlags ¶ added in v0.45.0
AddToFlags adds a flag to the event
func (*Event) GetActionReports ¶ added in v0.52.0
func (e *Event) GetActionReports() []ActionReport
GetActionReports returns the triggred action reports
func (*Event) GetContainerCreatedAt ¶ added in v0.50.0
GetContainerCreatedAt returns the value of the field, resolving if necessary
func (*Event) GetContainerId ¶ added in v0.50.0
GetContainerId returns the value of the field, resolving if necessary
func (*Event) GetContainerTags ¶ added in v0.50.0
GetContainerTags returns the value of the field, resolving if necessary
func (*Event) GetCreateFileDevicePath ¶ added in v0.54.0
GetCreateFileDevicePath returns the value of the field, resolving if necessary
func (*Event) GetCreateFileDevicePathLength ¶ added in v0.54.0
GetCreateFileDevicePathLength returns the value of the field, resolving if necessary
func (*Event) GetCreateFileName ¶ added in v0.52.0
GetCreateFileName returns the value of the field, resolving if necessary
func (*Event) GetCreateFileNameLength ¶ added in v0.52.0
GetCreateFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetCreateKeyRegistryKeyName ¶ added in v0.52.0
GetCreateKeyRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetCreateKeyRegistryKeyNameLength ¶ added in v0.52.0
GetCreateKeyRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetCreateKeyRegistryKeyPath ¶ added in v0.52.0
GetCreateKeyRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetCreateKeyRegistryKeyPathLength ¶ added in v0.52.0
GetCreateKeyRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetCreateRegistryKeyName ¶ added in v0.52.0
GetCreateRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetCreateRegistryKeyNameLength ¶ added in v0.52.0
GetCreateRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetCreateRegistryKeyPath ¶ added in v0.52.0
GetCreateRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetCreateRegistryKeyPathLength ¶ added in v0.52.0
GetCreateRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetDeleteFileDevicePath ¶ added in v0.54.0
GetDeleteFileDevicePath returns the value of the field, resolving if necessary
func (*Event) GetDeleteFileDevicePathLength ¶ added in v0.54.0
GetDeleteFileDevicePathLength returns the value of the field, resolving if necessary
func (*Event) GetDeleteFileName ¶ added in v0.54.0
GetDeleteFileName returns the value of the field, resolving if necessary
func (*Event) GetDeleteFileNameLength ¶ added in v0.54.0
GetDeleteFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetDeleteKeyRegistryKeyName ¶ added in v0.52.0
GetDeleteKeyRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetDeleteKeyRegistryKeyNameLength ¶ added in v0.52.0
GetDeleteKeyRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetDeleteKeyRegistryKeyPath ¶ added in v0.52.0
GetDeleteKeyRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetDeleteKeyRegistryKeyPathLength ¶ added in v0.52.0
GetDeleteKeyRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetDeleteRegistryKeyName ¶ added in v0.52.0
GetDeleteRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetDeleteRegistryKeyNameLength ¶ added in v0.52.0
GetDeleteRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetDeleteRegistryKeyPath ¶ added in v0.52.0
GetDeleteRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetDeleteRegistryKeyPathLength ¶ added in v0.52.0
GetDeleteRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetEventOrigin ¶ added in v0.53.0
GetEventOrigin returns the value of the field, resolving if necessary
func (*Event) GetEventOs ¶ added in v0.53.0
GetEventOs returns the value of the field, resolving if necessary
func (*Event) GetEventService ¶ added in v0.52.0
GetEventService returns the value of the field, resolving if necessary
func (*Event) GetEventTimestamp ¶ added in v0.50.0
GetEventTimestamp returns the value of the field, resolving if necessary
func (*Event) GetEventType ¶ added in v0.34.0
GetEventType returns the event type of the event
func (*Event) GetExecCmdline ¶ added in v0.50.0
GetExecCmdline returns the value of the field, resolving if necessary
func (*Event) GetExecCmdlineScrubbed ¶ added in v0.51.0
GetExecCmdlineScrubbed returns the value of the field, resolving if necessary
func (*Event) GetExecContainerId ¶ added in v0.50.0
GetExecContainerId returns the value of the field, resolving if necessary
func (*Event) GetExecCreatedAt ¶ added in v0.50.0
GetExecCreatedAt returns the value of the field, resolving if necessary
func (*Event) GetExecEnvp ¶ added in v0.50.0
GetExecEnvp returns the value of the field, resolving if necessary
func (*Event) GetExecEnvs ¶ added in v0.50.0
GetExecEnvs returns the value of the field, resolving if necessary
func (*Event) GetExecExecTime ¶ added in v0.50.0
GetExecExecTime returns the value of the field, resolving if necessary
func (*Event) GetExecExitTime ¶ added in v0.50.0
GetExecExitTime returns the value of the field, resolving if necessary
func (*Event) GetExecFileName ¶ added in v0.50.0
GetExecFileName returns the value of the field, resolving if necessary
func (*Event) GetExecFileNameLength ¶ added in v0.50.0
GetExecFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetExecFilePath ¶ added in v0.50.0
GetExecFilePath returns the value of the field, resolving if necessary
func (*Event) GetExecFilePathLength ¶ added in v0.50.0
GetExecFilePathLength returns the value of the field, resolving if necessary
func (*Event) GetExecPid ¶ added in v0.50.0
GetExecPid returns the value of the field, resolving if necessary
func (*Event) GetExecPpid ¶ added in v0.50.0
GetExecPpid returns the value of the field, resolving if necessary
func (*Event) GetExecUser ¶ added in v0.52.0
GetExecUser returns the value of the field, resolving if necessary
func (*Event) GetExecUserSid ¶ added in v0.52.0
GetExecUserSid returns the value of the field, resolving if necessary
func (*Event) GetExitCause ¶ added in v0.50.0
GetExitCause returns the value of the field, resolving if necessary
func (*Event) GetExitCmdline ¶ added in v0.50.0
GetExitCmdline returns the value of the field, resolving if necessary
func (*Event) GetExitCmdlineScrubbed ¶ added in v0.51.0
GetExitCmdlineScrubbed returns the value of the field, resolving if necessary
func (*Event) GetExitCode ¶ added in v0.50.0
GetExitCode returns the value of the field, resolving if necessary
func (*Event) GetExitContainerId ¶ added in v0.50.0
GetExitContainerId returns the value of the field, resolving if necessary
func (*Event) GetExitCreatedAt ¶ added in v0.50.0
GetExitCreatedAt returns the value of the field, resolving if necessary
func (*Event) GetExitEnvp ¶ added in v0.50.0
GetExitEnvp returns the value of the field, resolving if necessary
func (*Event) GetExitEnvs ¶ added in v0.50.0
GetExitEnvs returns the value of the field, resolving if necessary
func (*Event) GetExitExecTime ¶ added in v0.50.0
GetExitExecTime returns the value of the field, resolving if necessary
func (*Event) GetExitExitTime ¶ added in v0.50.0
GetExitExitTime returns the value of the field, resolving if necessary
func (*Event) GetExitFileName ¶ added in v0.50.0
GetExitFileName returns the value of the field, resolving if necessary
func (*Event) GetExitFileNameLength ¶ added in v0.50.0
GetExitFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetExitFilePath ¶ added in v0.50.0
GetExitFilePath returns the value of the field, resolving if necessary
func (*Event) GetExitFilePathLength ¶ added in v0.50.0
GetExitFilePathLength returns the value of the field, resolving if necessary
func (*Event) GetExitPid ¶ added in v0.50.0
GetExitPid returns the value of the field, resolving if necessary
func (*Event) GetExitPpid ¶ added in v0.50.0
GetExitPpid returns the value of the field, resolving if necessary
func (*Event) GetExitUser ¶ added in v0.52.0
GetExitUser returns the value of the field, resolving if necessary
func (*Event) GetExitUserSid ¶ added in v0.52.0
GetExitUserSid returns the value of the field, resolving if necessary
func (*Event) GetFieldEventType ¶ added in v0.34.0
func (*Event) GetFieldType ¶ added in v0.34.0
func (*Event) GetFieldValue ¶ added in v0.34.0
func (*Event) GetOpenKeyRegistryKeyName ¶ added in v0.52.0
GetOpenKeyRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetOpenKeyRegistryKeyNameLength ¶ added in v0.52.0
GetOpenKeyRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetOpenKeyRegistryKeyPath ¶ added in v0.52.0
GetOpenKeyRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetOpenKeyRegistryKeyPathLength ¶ added in v0.52.0
GetOpenKeyRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetOpenRegistryKeyName ¶ added in v0.52.0
GetOpenRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetOpenRegistryKeyNameLength ¶ added in v0.52.0
GetOpenRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetOpenRegistryKeyPath ¶ added in v0.52.0
GetOpenRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetOpenRegistryKeyPathLength ¶ added in v0.52.0
GetOpenRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsCmdline ¶ added in v0.50.0
GetProcessAncestorsCmdline returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsCmdlineScrubbed ¶ added in v0.51.0
GetProcessAncestorsCmdlineScrubbed returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsContainerId ¶ added in v0.50.0
GetProcessAncestorsContainerId returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsCreatedAt ¶ added in v0.50.0
GetProcessAncestorsCreatedAt returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsEnvp ¶ added in v0.50.0
GetProcessAncestorsEnvp returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsEnvs ¶ added in v0.50.0
GetProcessAncestorsEnvs returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsFileName ¶ added in v0.50.0
GetProcessAncestorsFileName returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsFileNameLength ¶ added in v0.50.0
GetProcessAncestorsFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsFilePath ¶ added in v0.50.0
GetProcessAncestorsFilePath returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsFilePathLength ¶ added in v0.50.0
GetProcessAncestorsFilePathLength returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsPid ¶ added in v0.50.0
GetProcessAncestorsPid returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsPpid ¶ added in v0.50.0
GetProcessAncestorsPpid returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsUser ¶ added in v0.52.0
GetProcessAncestorsUser returns the value of the field, resolving if necessary
func (*Event) GetProcessAncestorsUserSid ¶ added in v0.52.0
GetProcessAncestorsUserSid returns the value of the field, resolving if necessary
func (*Event) GetProcessCmdline ¶ added in v0.50.0
GetProcessCmdline returns the value of the field, resolving if necessary
func (*Event) GetProcessCmdlineScrubbed ¶ added in v0.51.0
GetProcessCmdlineScrubbed returns the value of the field, resolving if necessary
func (*Event) GetProcessContainerId ¶ added in v0.50.0
GetProcessContainerId returns the value of the field, resolving if necessary
func (*Event) GetProcessCreatedAt ¶ added in v0.50.0
GetProcessCreatedAt returns the value of the field, resolving if necessary
func (*Event) GetProcessEnvp ¶ added in v0.50.0
GetProcessEnvp returns the value of the field, resolving if necessary
func (*Event) GetProcessEnvs ¶ added in v0.50.0
GetProcessEnvs returns the value of the field, resolving if necessary
func (*Event) GetProcessExecTime ¶ added in v0.50.0
GetProcessExecTime returns the value of the field, resolving if necessary
func (*Event) GetProcessExitTime ¶ added in v0.50.0
GetProcessExitTime returns the value of the field, resolving if necessary
func (*Event) GetProcessFileName ¶ added in v0.50.0
GetProcessFileName returns the value of the field, resolving if necessary
func (*Event) GetProcessFileNameLength ¶ added in v0.50.0
GetProcessFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetProcessFilePath ¶ added in v0.50.0
GetProcessFilePath returns the value of the field, resolving if necessary
func (*Event) GetProcessFilePathLength ¶ added in v0.50.0
GetProcessFilePathLength returns the value of the field, resolving if necessary
func (*Event) GetProcessParentCmdline ¶ added in v0.50.0
GetProcessParentCmdline returns the value of the field, resolving if necessary
func (*Event) GetProcessParentCmdlineScrubbed ¶ added in v0.51.0
GetProcessParentCmdlineScrubbed returns the value of the field, resolving if necessary
func (*Event) GetProcessParentContainerId ¶ added in v0.50.0
GetProcessParentContainerId returns the value of the field, resolving if necessary
func (*Event) GetProcessParentCreatedAt ¶ added in v0.50.0
GetProcessParentCreatedAt returns the value of the field, resolving if necessary
func (*Event) GetProcessParentEnvp ¶ added in v0.50.0
GetProcessParentEnvp returns the value of the field, resolving if necessary
func (*Event) GetProcessParentEnvs ¶ added in v0.50.0
GetProcessParentEnvs returns the value of the field, resolving if necessary
func (*Event) GetProcessParentFileName ¶ added in v0.50.0
GetProcessParentFileName returns the value of the field, resolving if necessary
func (*Event) GetProcessParentFileNameLength ¶ added in v0.50.0
GetProcessParentFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetProcessParentFilePath ¶ added in v0.50.0
GetProcessParentFilePath returns the value of the field, resolving if necessary
func (*Event) GetProcessParentFilePathLength ¶ added in v0.50.0
GetProcessParentFilePathLength returns the value of the field, resolving if necessary
func (*Event) GetProcessParentPid ¶ added in v0.50.0
GetProcessParentPid returns the value of the field, resolving if necessary
func (*Event) GetProcessParentPpid ¶ added in v0.50.0
GetProcessParentPpid returns the value of the field, resolving if necessary
func (*Event) GetProcessParentUser ¶ added in v0.52.0
GetProcessParentUser returns the value of the field, resolving if necessary
func (*Event) GetProcessParentUserSid ¶ added in v0.52.0
GetProcessParentUserSid returns the value of the field, resolving if necessary
func (*Event) GetProcessPid ¶ added in v0.50.0
GetProcessPid returns the value of the field, resolving if necessary
func (*Event) GetProcessPpid ¶ added in v0.50.0
GetProcessPpid returns the value of the field, resolving if necessary
func (*Event) GetProcessUser ¶ added in v0.52.0
GetProcessUser returns the value of the field, resolving if necessary
func (*Event) GetProcessUserSid ¶ added in v0.52.0
GetProcessUserSid returns the value of the field, resolving if necessary
func (*Event) GetRenameFileDestinationDevicePath ¶ added in v0.54.0
GetRenameFileDestinationDevicePath returns the value of the field, resolving if necessary
func (*Event) GetRenameFileDestinationDevicePathLength ¶ added in v0.54.0
GetRenameFileDestinationDevicePathLength returns the value of the field, resolving if necessary
func (*Event) GetRenameFileDestinationName ¶ added in v0.54.0
GetRenameFileDestinationName returns the value of the field, resolving if necessary
func (*Event) GetRenameFileDestinationNameLength ¶ added in v0.54.0
GetRenameFileDestinationNameLength returns the value of the field, resolving if necessary
func (*Event) GetRenameFileDevicePath ¶ added in v0.54.0
GetRenameFileDevicePath returns the value of the field, resolving if necessary
func (*Event) GetRenameFileDevicePathLength ¶ added in v0.54.0
GetRenameFileDevicePathLength returns the value of the field, resolving if necessary
func (*Event) GetRenameFileName ¶ added in v0.54.0
GetRenameFileName returns the value of the field, resolving if necessary
func (*Event) GetRenameFileNameLength ¶ added in v0.54.0
GetRenameFileNameLength returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueRegistryKeyName ¶ added in v0.52.0
GetSetKeyValueRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueRegistryKeyNameLength ¶ added in v0.52.0
GetSetKeyValueRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueRegistryKeyPath ¶ added in v0.52.0
GetSetKeyValueRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueRegistryKeyPathLength ¶ added in v0.52.0
GetSetKeyValueRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueRegistryValueName ¶ added in v0.52.0
GetSetKeyValueRegistryValueName returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueRegistryValueNameLength ¶ added in v0.52.0
GetSetKeyValueRegistryValueNameLength returns the value of the field, resolving if necessary
func (*Event) GetSetKeyValueValueName ¶ added in v0.52.0
GetSetKeyValueValueName returns the value of the field, resolving if necessary
func (*Event) GetSetRegistryKeyName ¶ added in v0.52.0
GetSetRegistryKeyName returns the value of the field, resolving if necessary
func (*Event) GetSetRegistryKeyNameLength ¶ added in v0.52.0
GetSetRegistryKeyNameLength returns the value of the field, resolving if necessary
func (*Event) GetSetRegistryKeyPath ¶ added in v0.52.0
GetSetRegistryKeyPath returns the value of the field, resolving if necessary
func (*Event) GetSetRegistryKeyPathLength ¶ added in v0.52.0
GetSetRegistryKeyPathLength returns the value of the field, resolving if necessary
func (*Event) GetSetRegistryValueName ¶ added in v0.52.0
GetSetRegistryValueName returns the value of the field, resolving if necessary
func (*Event) GetSetRegistryValueNameLength ¶ added in v0.52.0
GetSetRegistryValueNameLength returns the value of the field, resolving if necessary
func (*Event) GetSetValueName ¶ added in v0.52.0
GetSetValueName returns the value of the field, resolving if necessary
func (*Event) GetTimestamp ¶ added in v0.50.0
GetTimestamp returns the value of the field, resolving if necessary
func (*Event) GetWorkloadID ¶ added in v0.47.0
GetWorkloadID returns an ID that represents the workload
func (*Event) GetWriteFileDevicePath ¶ added in v0.54.0
GetWriteFileDevicePath returns the value of the field, resolving if necessary
func (*Event) GetWriteFileDevicePathLength ¶ added in v0.54.0
GetWriteFileDevicePathLength returns the value of the field, resolving if necessary
func (*Event) GetWriteFileName ¶ added in v0.54.0
GetWriteFileName returns the value of the field, resolving if necessary
func (*Event) GetWriteFileNameLength ¶ added in v0.54.0
GetWriteFileNameLength returns the value of the field, resolving if necessary
func (*Event) HasActiveActivityDump ¶ added in v0.53.0
HasActiveActivityDump returns true if the event has an active activity dump associated to it
func (*Event) IsActivityDumpSample ¶ added in v0.40.0
IsActivityDumpSample return whether AD sample
func (*Event) IsAnomalyDetectionEvent ¶ added in v0.47.0
IsAnomalyDetectionEvent returns true if the current event is an anomaly detection event (kernel or user space)
func (*Event) IsInProfile ¶ added in v0.45.0
IsInProfile return true if the event was found in the profile
func (*Event) IsKernelSpaceAnomalyDetectionEvent ¶ added in v0.47.0
IsKernelSpaceAnomalyDetectionEvent returns true if the event is a kernel space anomaly detection event
func (*Event) IsSavedByActivityDumps ¶ added in v0.44.0
IsSavedByActivityDumps return whether saved by AD
func (*Event) RemoveFromFlags ¶ added in v0.45.0
RemoveFromFlags remove a flag to the event
func (*Event) ResolveEventTime ¶ added in v0.46.0
ResolveEventTime uses the field handler
func (*Event) ResolveFields ¶ added in v0.43.0
func (ev *Event) ResolveFields()
ResolveFields resolves all the fields associate to the event type. Context fields are automatically resolved.
func (*Event) ResolveFieldsForAD ¶ added in v0.44.0
func (ev *Event) ResolveFieldsForAD()
ResolveFieldsForAD resolves all the fields associate to the event type. Context fields are automatically resolved.
func (*Event) ResolveProcessCacheEntry ¶ added in v0.43.0
func (e *Event) ResolveProcessCacheEntry() (*ProcessCacheEntry, bool)
ResolveProcessCacheEntry uses the field handler
func (*Event) ResolveService ¶ added in v0.52.0
ResolveService uses the field handler
func (*Event) SetFieldValue ¶ added in v0.34.0
type EventCategory ¶ added in v0.34.0
type EventCategory = string
EventCategory category type
const ( // FIMCategory FIM events FIMCategory EventCategory = "File Activity" // ProcessCategory process events ProcessCategory EventCategory = "Process Activity" // KernelCategory Kernel events KernelCategory EventCategory = "Kernel Activity" // NetworkCategory network events NetworkCategory EventCategory = "Network Activity" )
Event categories
func GetAllCategories ¶ added in v0.34.0
func GetAllCategories() []EventCategory
GetAllCategories returns all categories
func GetEventTypeCategory ¶ added in v0.34.0
func GetEventTypeCategory(eventType eval.EventType) EventCategory
GetEventTypeCategory returns the category for the given event type
type EventType ¶
type EventType uint32
EventType describes the type of an event sent from the kernel
type ExecEvent ¶ added in v0.34.0
type ExecEvent struct {
*Process
}
ExecEvent represents a exec event
type ExitCause ¶ added in v0.38.0
type ExitCause uint32
ExitCause represents the cause of a process termination
type ExitEvent ¶ added in v0.38.0
type ExitEvent struct { *Process Cause uint32 `field:"cause"` // SECLDoc[cause] Definition:`Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)` Code uint32 `field:"code"` // SECLDoc[code] Definition:`Exit code of the process or number of the signal that caused the process to terminate` }
ExitEvent represents a process exit event
type ExtraFieldHandlers ¶ added in v0.43.0
type ExtraFieldHandlers interface { BaseExtraFieldHandlers }
ExtraFieldHandlers handlers not hold by any field
type FakeFieldHandlers ¶ added in v0.52.0
type FakeFieldHandlers struct{}
func (*FakeFieldHandlers) ResolveContainerContext ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool)
ResolveContainerContext stub implementation
func (*FakeFieldHandlers) ResolveContainerCreatedAt ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
func (*FakeFieldHandlers) ResolveContainerID ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveContainerID(ev *Event, e *ContainerContext) string
func (*FakeFieldHandlers) ResolveContainerTags ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string
func (*FakeFieldHandlers) ResolveEventTime ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time
func (*FakeFieldHandlers) ResolveEventTimestamp ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int
func (*FakeFieldHandlers) ResolveFileBasename ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) string
func (*FakeFieldHandlers) ResolveFilePath ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string
func (*FakeFieldHandlers) ResolveFimFileBasename ¶ added in v0.54.0
func (dfh *FakeFieldHandlers) ResolveFimFileBasename(ev *Event, e *FimFileEvent) string
func (*FakeFieldHandlers) ResolveFimFilePath ¶ added in v0.54.0
func (dfh *FakeFieldHandlers) ResolveFimFilePath(ev *Event, e *FimFileEvent) string
func (*FakeFieldHandlers) ResolveProcessCacheEntry ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(_ *Event) (*ProcessCacheEntry, bool)
ResolveProcessCacheEntry stub implementation
func (*FakeFieldHandlers) ResolveProcessCmdLine ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveProcessCmdLine(ev *Event, e *Process) string
func (*FakeFieldHandlers) ResolveProcessCmdLineScrubbed ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string
func (*FakeFieldHandlers) ResolveProcessCreatedAt ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int
func (*FakeFieldHandlers) ResolveProcessEnvp ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveProcessEnvp(ev *Event, e *Process) []string
func (*FakeFieldHandlers) ResolveProcessEnvs ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveProcessEnvs(ev *Event, e *Process) []string
func (*FakeFieldHandlers) ResolveService ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveService(ev *Event, e *BaseEvent) string
func (*FakeFieldHandlers) ResolveUser ¶ added in v0.52.0
func (dfh *FakeFieldHandlers) ResolveUser(ev *Event, e *Process) string
type FieldHandlers ¶ added in v0.43.0
type FieldHandlers interface { ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int ResolveContainerID(ev *Event, e *ContainerContext) string ResolveContainerTags(ev *Event, e *ContainerContext) []string ResolveEventTime(ev *Event, e *BaseEvent) time.Time ResolveEventTimestamp(ev *Event, e *BaseEvent) int ResolveFileBasename(ev *Event, e *FileEvent) string ResolveFilePath(ev *Event, e *FileEvent) string ResolveFimFileBasename(ev *Event, e *FimFileEvent) string ResolveFimFilePath(ev *Event, e *FimFileEvent) string ResolveProcessCmdLine(ev *Event, e *Process) string ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string ResolveProcessCreatedAt(ev *Event, e *Process) int ResolveProcessEnvp(ev *Event, e *Process) []string ResolveProcessEnvs(ev *Event, e *Process) []string ResolveService(ev *Event, e *BaseEvent) string ResolveUser(ev *Event, e *Process) string // custom handlers not tied to any fields ExtraFieldHandlers }
type FileEvent ¶ added in v0.34.0
type FileEvent struct { FileObject uint64 `field:"-"` // handle numeric value PathnameStr string `field:"path,handler:ResolveFilePath,opts:length" op_override:"eval.WindowsPathCmp"` // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "c:\cmd.bat"` Description:`Matches the execution of the file located at c:\cmd.bat` BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "cmd.bat"` Description:`Matches the execution of any file named cmd.bat.` }
FileEvent is the common file event type
type FimFileEvent ¶ added in v0.54.0
type FimFileEvent struct { FileObject uint64 `field:"-"` // handle numeric value PathnameStr string `field:"device_path,handler:ResolveFimFilePath,opts:length" op_override:"eval.WindowsPathCmp"` // SECLDoc[device_path] Definition:`File's path` Example:`create.file.device_path == "\device\harddisk1\cmd.bat"` Description:`Matches the creation of the file located at c:\cmd.bat` BasenameStr string `field:"name,handler:ResolveFimFileBasename,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[name] Definition:`File's basename` Example:`create.file.name == "cmd.bat"` Description:`Matches the creation of any file named cmd.bat.` }
FimFileEvent is the common file event type
type HashAlgorithm ¶ added in v0.47.0
type HashAlgorithm int
HashAlgorithm is used to configure the hash algorithms of the hash resolver
const ( // SHA1 is used to identify a SHA1 hash SHA1 HashAlgorithm = iota // SHA256 is used to identify a SHA256 hash SHA256 // MD5 is used to identify a MD5 hash MD5 // SSDEEP is used to identify a SSDEEP hash SSDEEP // MaxHashAlgorithm is used for initializations MaxHashAlgorithm )
func (HashAlgorithm) String ¶ added in v0.47.0
func (ha HashAlgorithm) String() string
type HashState ¶ added in v0.47.0
type HashState int
HashState is used to prevent the hash resolver from retrying to hash a file
const ( // NoHash means that computing a hash hasn't been attempted NoHash HashState = iota // Done means that the hashes were already computed Done // FileNotFound means that the underlying file is not longer available to compute the hash FileNotFound // PathnameResolutionError means that the underlying file wasn't properly resolved PathnameResolutionError // FileTooBig means that the underlying file is larger than the hash resolver file size limit FileTooBig // FileEmpty means that the underlying file is empty FileEmpty // FileOpenError is a generic hash state to say that we couldn't open the file FileOpenError // EventTypeNotConfigured means that the event type prevents a hash from being computed EventTypeNotConfigured // HashWasRateLimited means that the hash will be tried again later, it was rate limited HashWasRateLimited // HashFailed means that the hashing failed HashFailed // MaxHashState is used for initializations MaxHashState )
type IPPortContext ¶ added in v0.36.0
type IPPortContext struct { IPNet net.IPNet `field:"ip"` // SECLDoc[ip] Definition:`IP address` Port uint16 `field:"port"` // SECLDoc[port] Definition:`Port number` }
IPPortContext is used to hold an IP and Port
type InodeMode ¶ added in v0.46.0
type InodeMode int
InodeMode represents an inode mode bitmask value
type KernelCapability ¶ added in v0.34.0
type KernelCapability uint64
KernelCapability represents a kernel capability bitmask value
func (KernelCapability) String ¶ added in v0.34.0
func (kc KernelCapability) String() string
func (KernelCapability) StringArray ¶ added in v0.34.0
func (kc KernelCapability) StringArray() []string
StringArray returns the kernel capabilities as an array of strings
type L3Protocol ¶ added in v0.36.0
type L3Protocol uint16
L3Protocol Network protocols
const ( // EthPLOOP Ethernet Loopback packet EthPLOOP L3Protocol = 0x0060 // EthPPUP Xerox PUP packet EthPPUP L3Protocol = 0x0200 // EthPPUPAT Xerox PUP Addr Trans packet EthPPUPAT L3Protocol = 0x0201 // EthPTSN TSN (IEEE 1722) packet EthPTSN L3Protocol = 0x22F0 // EthPIP Internet Protocol packet EthPIP L3Protocol = 0x0800 // EthPX25 CCITT X.25 EthPX25 L3Protocol = 0x0805 // EthPARP Address Resolution packet EthPARP L3Protocol = 0x0806 // EthPBPQ G8BPQ AX.25 Ethernet Packet [ NOT AN OFFICIALLY REGISTERED ID ] EthPBPQ L3Protocol = 0x08FF // EthPIEEEPUP Xerox IEEE802.3 PUP packet EthPIEEEPUP L3Protocol = 0x0a00 // EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet EthPIEEEPUPAT L3Protocol = 0x0a01 // EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ] EthPBATMAN L3Protocol = 0x4305 // EthPDEC DEC Assigned proto EthPDEC L3Protocol = 0x6000 // EthPDNADL DEC DNA Dump/Load EthPDNADL L3Protocol = 0x6001 // EthPDNARC DEC DNA Remote Console EthPDNARC L3Protocol = 0x6002 // EthPDNART DEC DNA Routing EthPDNART L3Protocol = 0x6003 // EthPLAT DEC LAT EthPLAT L3Protocol = 0x6004 // EthPDIAG DEC Diagnostics EthPDIAG L3Protocol = 0x6005 // EthPCUST DEC Customer use EthPCUST L3Protocol = 0x6006 // EthPSCA DEC Systems Comms Arch EthPSCA L3Protocol = 0x6007 // EthPTEB Trans Ether Bridging EthPTEB L3Protocol = 0x6558 // EthPRARP Reverse Addr Res packet EthPRARP L3Protocol = 0x8035 // EthPATALK Appletalk DDP EthPATALK L3Protocol = 0x809B // EthPAARP Appletalk AARP EthPAARP L3Protocol = 0x80F3 // EthP8021Q 802.1Q VLAN Extended Header EthP8021Q L3Protocol = 0x8100 // EthPERSPAN ERSPAN type II EthPERSPAN L3Protocol = 0x88BE // EthPIPX IPX over DIX EthPIPX L3Protocol = 0x8137 // EthPIPV6 IPv6 over bluebook EthPIPV6 L3Protocol = 0x86DD // EthPPAUSE IEEE Pause frames. See 802.3 31B EthPPAUSE L3Protocol = 0x8808 // EthPSLOW Slow Protocol. See 802.3ad 43B EthPSLOW L3Protocol = 0x8809 // EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt EthPWCCP L3Protocol = 0x883E // EthPMPLSUC MPLS Unicast traffic EthPMPLSUC L3Protocol = 0x8847 // EthPMPLSMC MPLS Multicast traffic EthPMPLSMC L3Protocol = 0x8848 // EthPATMMPOA MultiProtocol Over ATM EthPATMMPOA L3Protocol = 0x884c // EthPPPPDISC PPPoE discovery messages EthPPPPDISC L3Protocol = 0x8863 // EthPPPPSES PPPoE session messages EthPPPPSES L3Protocol = 0x8864 // EthPLinkCTL HPNA, wlan link local tunnel EthPLinkCTL L3Protocol = 0x886c // EthPATMFATE Frame-based ATM Transport over Ethernet EthPATMFATE L3Protocol = 0x8884 // EthPPAE Port Access Entity (IEEE 802.1X) EthPPAE L3Protocol = 0x888E // EthPAOE ATA over Ethernet EthPAOE L3Protocol = 0x88A2 // EthP8021AD 802.1ad Service VLAN EthP8021AD L3Protocol = 0x88A8 // EthP802EX1 802.1 Local Experimental 1. EthP802EX1 L3Protocol = 0x88B5 // EthPTIPC TIPC EthPTIPC L3Protocol = 0x88CA // EthPMACSEC 802.1ae MACsec EthPMACSEC L3Protocol = 0x88E5 // EthP8021AH 802.1ah Backbone Service Tag EthP8021AH L3Protocol = 0x88E7 // EthPMVRP 802.1Q MVRP EthPMVRP L3Protocol = 0x88F5 // EthP1588 IEEE 1588 Timesync EthP1588 L3Protocol = 0x88F7 // EthPNCSI NCSI protocol EthPNCSI L3Protocol = 0x88F8 // EthPPRP IEC 62439-3 PRP/HSRv0 EthPPRP L3Protocol = 0x88FB // EthPFCOE Fibre Channel over Ethernet EthPFCOE L3Protocol = 0x8906 // EthPIBOE Infiniband over Ethernet EthPIBOE L3Protocol = 0x8915 // EthPTDLS TDLS EthPTDLS L3Protocol = 0x890D // EthPFIP FCoE Initialization Protocol EthPFIP L3Protocol = 0x8914 // EthP80221 IEEE 802.21 Media Independent Handover Protocol EthP80221 L3Protocol = 0x8917 // EthPHSR IEC 62439-3 HSRv1 EthPHSR L3Protocol = 0x892F // EthPNSH Network Service Header EthPNSH L3Protocol = 0x894F // EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3 EthPLOOPBACK L3Protocol = 0x9000 // EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] EthPQINQ1 L3Protocol = 0x9100 // EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] EthPQINQ2 L3Protocol = 0x9200 // EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] EthPQINQ3 L3Protocol = 0x9300 // EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ] EthPEDSA L3Protocol = 0xDADA // EthPIFE ForCES inter-FE LFB type EthPIFE L3Protocol = 0xED3E // EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ] EthPAFIUCV L3Protocol = 0xFBFB // EthP8023MIN If the value in the ethernet type is less than this value then the frame is Ethernet II. Else it is 802.3 EthP8023MIN L3Protocol = 0x0600 // EthPIPV6HopByHop IPv6 Hop by hop option EthPIPV6HopByHop L3Protocol = 0x000 // EthP8023 Dummy type for 802.3 frames EthP8023 L3Protocol = 0x0001 // EthPAX25 Dummy protocol id for AX.25 EthPAX25 L3Protocol = 0x0002 // EthPALL Every packet (be careful!!!) EthPALL L3Protocol = 0x0003 // EthP8022 802.2 frames EthP8022 L3Protocol = 0x0004 // EthPSNAP Internal only EthPSNAP L3Protocol = 0x0005 // EthPDDCMP DEC DDCMP: Internal only EthPDDCMP L3Protocol = 0x0006 // EthPWANPPP Dummy type for WAN PPP frames*/ EthPWANPPP L3Protocol = 0x0007 // EthPPPPMP Dummy type for PPP MP frames EthPPPPMP L3Protocol = 0x0008 // EthPLOCALTALK Localtalk pseudo type EthPLOCALTALK L3Protocol = 0x0009 // EthPCAN CAN: Controller Area Network EthPCAN L3Protocol = 0x000C // EthPCANFD CANFD: CAN flexible data rate*/ EthPCANFD L3Protocol = 0x000D // EthPPPPTALK Dummy type for Atalk over PPP*/ EthPPPPTALK L3Protocol = 0x0010 // EthPTR8022 802.2 frames EthPTR8022 L3Protocol = 0x0011 // EthPMOBITEX Mobitex (kaz@cafe.net) EthPMOBITEX L3Protocol = 0x0015 // EthPCONTROL Card specific control frames EthPCONTROL L3Protocol = 0x0016 // EthPIRDA Linux-IrDA EthPIRDA L3Protocol = 0x0017 // EthPECONET Acorn Econet EthPECONET L3Protocol = 0x0018 // EthPHDLC HDLC frames EthPHDLC L3Protocol = 0x0019 // EthPARCNET 1A for ArcNet :-) EthPARCNET L3Protocol = 0x001A // EthPDSA Distributed Switch Arch. EthPDSA L3Protocol = 0x001B // EthPTRAILER Trailer switch tagging EthPTRAILER L3Protocol = 0x001C // EthPPHONET Nokia Phonet frames EthPPHONET L3Protocol = 0x00F5 // EthPIEEE802154 IEEE802.15.4 frame EthPIEEE802154 L3Protocol = 0x00F6 // EthPCAIF ST-Ericsson CAIF protocol EthPCAIF L3Protocol = 0x00F7 // EthPXDSA Multiplexed DSA protocol EthPXDSA L3Protocol = 0x00F8 // EthPMAP Qualcomm multiplexing and aggregation protocol EthPMAP L3Protocol = 0x00F9 )
func (L3Protocol) String ¶ added in v0.36.0
func (proto L3Protocol) String() string
type L4Protocol ¶ added in v0.36.0
type L4Protocol uint16
L4Protocol transport protocols
const ( // IPProtoIP Dummy protocol for TCP IPProtoIP L4Protocol = 0 // IPProtoICMP Internet Control Message Protocol (IPv4) IPProtoICMP L4Protocol = 1 // IPProtoIGMP Internet Group Management Protocol IPProtoIGMP L4Protocol = 2 // IPProtoIPIP IPIP tunnels (older KA9Q tunnels use 94) IPProtoIPIP L4Protocol = 4 // IPProtoTCP Transmission Control Protocol IPProtoTCP L4Protocol = 6 // IPProtoEGP Exterior Gateway Protocol IPProtoEGP L4Protocol = 8 // IPProtoIGP Interior Gateway Protocol (any private interior gateway (used by Cisco for their IGRP)) IPProtoIGP L4Protocol = 9 // IPProtoPUP PUP protocol IPProtoPUP L4Protocol = 12 // IPProtoUDP User Datagram Protocol IPProtoUDP L4Protocol = 17 // IPProtoIDP XNS IDP protocol IPProtoIDP L4Protocol = 22 // IPProtoTP SO Transport Protocol Class 4 IPProtoTP L4Protocol = 29 // IPProtoDCCP Datagram Congestion Control Protocol IPProtoDCCP L4Protocol = 33 // IPProtoIPV6 IPv6-in-IPv4 tunnelling IPProtoIPV6 L4Protocol = 41 // IPProtoRSVP RSVP Protocol IPProtoRSVP L4Protocol = 46 // IPProtoGRE Cisco GRE tunnels (rfc 1701,1702) IPProtoGRE L4Protocol = 47 // IPProtoESP Encapsulation Security Payload protocol IPProtoESP L4Protocol = 50 // IPProtoAH Authentication Header protocol IPProtoAH L4Protocol = 51 // IPProtoICMPV6 Internet Control Message Protocol (IPv6) IPProtoICMPV6 L4Protocol = 58 // IPProtoMTP Multicast Transport Protocol IPProtoMTP L4Protocol = 92 // IPProtoBEETPH IP option pseudo header for BEET IPProtoBEETPH L4Protocol = 94 // IPProtoENCAP Encapsulation Header IPProtoENCAP L4Protocol = 98 // IPProtoPIM Protocol Independent Multicast IPProtoPIM L4Protocol = 103 // IPProtoCOMP Compression Header Protocol IPProtoCOMP L4Protocol = 108 // IPProtoSCTP Stream Control Transport Protocol IPProtoSCTP L4Protocol = 132 // IPProtoUDPLITE UDP-Lite (RFC 3828) IPProtoUDPLITE L4Protocol = 136 // IPProtoMPLS MPLS in IP (RFC 4023) IPProtoMPLS L4Protocol = 137 // IPProtoRAW Raw IP packets IPProtoRAW L4Protocol = 255 )
func (L4Protocol) String ¶ added in v0.36.0
func (proto L4Protocol) String() string
type MatchedRule ¶ added in v0.44.0
type MatchedRule struct { RuleID string RuleVersion string RuleTags map[string]string PolicyName string PolicyVersion string }
MatchedRule contains the identification of one rule that has match
func AppendMatchedRule ¶ added in v0.44.0
func AppendMatchedRule(list []*MatchedRule, toAdd []*MatchedRule) []*MatchedRule
AppendMatchedRule appends two lists, but avoiding duplicates
func NewMatchedRule ¶ added in v0.44.0
func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule
NewMatchedRule return a new MatchedRule instance
func (*MatchedRule) Match ¶ added in v0.44.0
func (mr *MatchedRule) Match(mr2 *MatchedRule) bool
Match returns true if the rules are equal
type Model ¶ added in v0.34.0
type Model struct {
ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
}
Model describes the data model for the runtime security agent events
func (*Model) GetEvaluator ¶ added in v0.34.0
func (*Model) GetEventTypes ¶ added in v0.34.0
func (*Model) GetIterator ¶ added in v0.34.0
func (*Model) NewDefaultEventWithType ¶ added in v0.43.0
NewDefaultEventWithType returns a new Event for the given type
func (*Model) ValidateField ¶ added in v0.34.0
ValidateField validates the value of a field
type NetworkContext ¶ added in v0.36.0
type NetworkContext struct { Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured L3Protocol uint16 `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`l3 protocol of the network packet` Constants:`L3 protocols` L4Protocol uint16 `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`l4 protocol of the network packet` Constants:`L4 protocols` Source IPPortContext `field:"source"` // source of the network packet Destination IPPortContext `field:"destination"` // destination of the network packet Size uint32 `field:"size"` // SECLDoc[size] Definition:`size in bytes of the network packet` }
NetworkContext represents the network context of the event
type NetworkDeviceContext ¶ added in v0.36.0
type NetworkDeviceContext struct{}
NetworkDeviceContext defines a network device context
type OpenFlags ¶ added in v0.34.0
type OpenFlags int
OpenFlags represents an open flags bitmask value
func (OpenFlags) StringArray ¶ added in v0.34.0
StringArray returns the open flags as an array of strings
type OpenRegistryKeyEvent ¶ added in v0.52.0
type OpenRegistryKeyEvent struct {
Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event`
}
OpenRegistryKeyEvent defines registry key opening
type PIDContext ¶ added in v0.37.0
type PIDContext struct {
Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
}
PIDContext holds the process context of an kernel event
type PTraceRequest ¶ added in v0.34.0
type PTraceRequest uint32
PTraceRequest represents a ptrace request value
func (PTraceRequest) String ¶ added in v0.34.0
func (f PTraceRequest) String() string
type PipeBufFlag ¶ added in v0.35.0
type PipeBufFlag int
PipeBufFlag represents a pipe buffer flag
const ( // PipeBufFlagLRU pipe buffer flag PipeBufFlagLRU PipeBufFlag = 0x1 /* page is on the LRU */ // PipeBufFlagAtomic pipe buffer flag PipeBufFlagAtomic PipeBufFlag = 0x2 /* was atomically mapped */ // PipeBufFlagGift pipe buffer flag PipeBufFlagGift PipeBufFlag = 0x4 /* page is a gift */ // PipeBufFlagPacket pipe buffer flag PipeBufFlagPacket PipeBufFlag = 0x8 /* read() as a packet */ // PipeBufFlagCanMerge pipe buffer flag PipeBufFlagCanMerge PipeBufFlag = 0x10 /* can merge buffers */ // PipeBufFlagWhole pipe buffer flag PipeBufFlagWhole PipeBufFlag = 0x20 /* read() must return entire buffer or error */ // PipeBufFlagLoss pipe buffer flag PipeBufFlagLoss PipeBufFlag = 0x40 /* Message loss happened after this buffer */ )
func (PipeBufFlag) String ¶ added in v0.35.0
func (pbf PipeBufFlag) String() string
type Process ¶ added in v0.34.0
type Process struct { PIDContext FileEvent FileEvent `field:"file"` ContainerID string `field:"container.id"` // SECLDoc[container.id] Definition:`Container ID` ExitTime time.Time `field:"exit_time,opts:getters_only"` ExecTime time.Time `field:"exec_time,opts:getters_only"` CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process` PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID` ArgsEntry *ArgsEntry `field:"-"` EnvsEntry *EnvsEntry `field:"-"` CmdLine string `field:"cmdline,handler:ResolveProcessCmdLine,weight:200" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[cmdline] Definition:`Command line of the process` Example:`exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.cmdline =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".` CmdLineScrubbed string `field:"cmdline_scrubbed,handler:ResolveProcessCmdLineScrubbed,weight:500,opts:getters_only"` OwnerSidString string `field:"user_sid"` // SECLDoc[user_sid] Definition:`Sid of the user of the process` User string `field:"user,handler:ResolveUser"` // SECLDoc[user] Definition:`User name` Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process` Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process` // cache version Variables eval.Variables `field:"-"` ScrubbedCmdLineResolved bool `field:"-"` }
Process represents a process
type ProcessAncestorsIterator ¶ added in v0.34.0
type ProcessAncestorsIterator struct {
// contains filtered or unexported fields
}
ProcessAncestorsIterator defines an iterator of ancestors
func (*ProcessAncestorsIterator) Front ¶ added in v0.34.0
func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) unsafe.Pointer
Front returns the first element
func (*ProcessAncestorsIterator) Next ¶ added in v0.34.0
func (it *ProcessAncestorsIterator) Next() unsafe.Pointer
Next returns the next element
type ProcessCacheEntry ¶ added in v0.34.0
type ProcessCacheEntry struct { ProcessContext // contains filtered or unexported fields }
ProcessCacheEntry this struct holds process context kept in the process tree
func GetPlaceholderProcessCacheEntry ¶ added in v0.49.0
func GetPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry
GetPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions
func NewPlaceholderProcessCacheEntry ¶ added in v0.49.0
func NewPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry
NewPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions
func NewProcessCacheEntry ¶ added in v0.34.0
func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry
NewProcessCacheEntry returns a new process cache entry
func (*ProcessCacheEntry) Exit ¶ added in v0.34.0
func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
Exit a process
func (*ProcessCacheEntry) IsContainerRoot ¶ added in v0.44.0
func (pc *ProcessCacheEntry) IsContainerRoot() bool
IsContainerRoot returns whether this is a top level process in the container ID
func (*ProcessCacheEntry) Release ¶ added in v0.34.0
func (pc *ProcessCacheEntry) Release()
Release decrement and eventually release the entry
func (*ProcessCacheEntry) Reset ¶ added in v0.34.0
func (pc *ProcessCacheEntry) Reset()
Reset the entry
func (*ProcessCacheEntry) Retain ¶ added in v0.34.0
func (pc *ProcessCacheEntry) Retain()
Retain increment ref counter
func (*ProcessCacheEntry) SetAncestor ¶ added in v0.34.0
func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)
SetAncestor sets the ancestor
func (*ProcessCacheEntry) SetReleaseCallback ¶ added in v0.35.0
func (pc *ProcessCacheEntry) SetReleaseCallback(callback func())
SetReleaseCallback set the callback called when the entry is released
type ProcessContext ¶ added in v0.34.0
type ProcessContext struct { Process Parent *Process `field:"parent,opts:exposed_at_event_root_only,check:HasParent"` Ancestor *ProcessCacheEntry `field:"ancestors,iterator:ProcessAncestorsIterator,check:IsNotKworker"` }
ProcessContext holds the process context of an event
func (*ProcessContext) HasParent ¶ added in v0.42.0
func (p *ProcessContext) HasParent() bool
HasParent returns whether the process has a parent
type Protection ¶ added in v0.34.0
type Protection int
Protection represents a virtual memory protection bitmask value
func (Protection) String ¶ added in v0.34.0
func (p Protection) String() string
type QClass ¶ added in v0.36.0
type QClass uint32
QClass is used to declare the qclass field of a DNS request
type QType ¶ added in v0.36.0
type QType uint32
QType is used to declare the qtype field of a DNS request
type RegistryEvent ¶ added in v0.52.0
type RegistryEvent struct { KeyName string `field:"key_name,opts:length"` // SECLDoc[key_name] Definition:`Registry's name` KeyPath string `field:"key_path,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[key_path] Definition:`Registry's path` }
RegistryEvent is the common registry event type
type Releasable ¶ added in v0.46.0
type Releasable struct {
// contains filtered or unexported fields
}
Releasable represents an object than can be released
func (*Releasable) CallReleaseCallback ¶ added in v0.46.0
func (r *Releasable) CallReleaseCallback()
CallReleaseCallback calls the on-release callback
func (*Releasable) OnRelease ¶ added in v0.46.0
func (r *Releasable) OnRelease()
OnRelease triggers the callback
func (*Releasable) SetReleaseCallback ¶ added in v0.46.0
func (r *Releasable) SetReleaseCallback(callback func())
SetReleaseCallback sets a callback to be called when the cache entry is released
type RenameFileEvent ¶ added in v0.54.0
type RenameFileEvent struct { Old FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event` New FimFileEvent `field:"file.destination"` // SECLDoc[file] Definition:`File Event` }
RenameFileEvent defines file renaming
type RetValError ¶ added in v0.34.0
type RetValError int
RetValError represents a syscall return error value
func (RetValError) String ¶ added in v0.34.0
func (f RetValError) String() string
type SecurityProfileContext ¶ added in v0.45.0
type SecurityProfileContext struct { Name string `field:"name"` // SECLDoc[name] Definition:`Name of the security profile` Version string `field:"version"` // SECLDoc[version] Definition:`Version of the security profile` Tags []string `field:"tags"` // SECLDoc[tags] Definition:`Tags of the security profile` EventTypes []EventType `field:"event_types"` // SECLDoc[event_types] Definition:`Event types enabled for the security profile` }
SecurityProfileContext holds the security context of the profile
type SetRegistryKeyValueEvent ¶ added in v0.52.0
type SetRegistryKeyValueEvent struct { Registry RegistryEvent `field:"registry"` // SECLDoc[registry] Definition:`Registry Event` ValueName string `field:"value_name;registry.value_name,opts:length"` // SECLDoc[value_name] Definition:`Registry's value name` }
SetRegistryKeyValueEvent defines the event of setting up a value of a registry key
type Signal ¶ added in v0.35.0
type Signal int
Signal represents a type of unix signal (ie, SIGKILL, SIGSTOP etc)
type SpanContext ¶ added in v0.34.0
SpanContext describes a span context
type UnlinkFlags ¶ added in v0.34.0
type UnlinkFlags int
UnlinkFlags represents an unlink flags bitmask value
func (UnlinkFlags) String ¶ added in v0.34.0
func (f UnlinkFlags) String() string
func (UnlinkFlags) StringArray ¶ added in v0.34.0
func (f UnlinkFlags) StringArray() []string
StringArray returns the unlink flags as an array of strings
type UserSessionContext ¶ added in v0.50.0
type UserSessionContext struct { ID uint64 `field:"-"` SessionType usersession.Type `field:"-"` Resolved bool `field:"-"` // Kubernetes User Session context K8SUsername string `field:"k8s_username,handler:ResolveK8SUsername" json:"username,omitempty"` // SECLDoc[k8s_username] Definition:`Kubernetes username of the user that executed the process` K8SUID string `field:"k8s_uid,handler:ResolveK8SUID" json:"uid,omitempty"` // SECLDoc[k8s_uid] Definition:`Kubernetes UID of the user that executed the process` K8SGroups []string `field:"k8s_groups,handler:ResolveK8SGroups" json:"groups,omitempty"` // SECLDoc[k8s_groups] Definition:`Kubernetes groups of the user that executed the process` K8SExtra map[string][]string `json:"extra,omitempty"` }
UserSessionContext describes the user session context Disclaimer: the `json` tags are used to parse K8s credentials from cws-instrumentation
type WriteFileEvent ¶ added in v0.54.0
type WriteFileEvent struct {
File FimFileEvent `field:"file"` // SECLDoc[file] Definition:`File Event`
}
WriteFileEvent represents a write event
Source Files ¶
- accessors_windows.go
- args_envs.go
- category.go
- consts_common.go
- consts_map_names.go
- consts_other.go
- errors.go
- events.go
- field_accessors_windows.go
- field_handlers_windows.go
- legacy_secl.go
- model.go
- model_string.go
- model_windows.go
- process_cache_entry_windows.go
- strings.go
- syscalls_unsupported.go
- utils.go
- variables.go
Directories ¶
Path | Synopsis |
---|---|
Package main holds main related files
|
Package main holds main related files |
Package main holds main related files
|
Package main holds main related files |
Package usersession holds model related to the user session context
|
Package usersession holds model related to the user session context |