
Overview

Package model holds model related files

Package model holds the security profile data model

Package model holds model related files


Constants

const (
	// MaxSegmentLength defines the maximum length of each segment of a path
	// (presumably the bound behind ErrPathSegmentLimit — confirm in the path validation code)
	MaxSegmentLength = 255

	// MaxPathDepth defines the maximum depth of a path
	// see pkg/security/ebpf/c/dentry_resolver.h: DR_MAX_TAIL_CALL * DR_MAX_ITERATION_DEPTH
	MaxPathDepth = 1363

	// MaxBpfObjName defines the maximum length of a Bpf object name
	MaxBpfObjName = 16

	// PathSuffix defines the suffix used for path fields
	PathSuffix = ".path"

	// NameSuffix defines the suffix used for name fields
	NameSuffix = ".name"

	// ContainerIDLen defines the length of a container ID: twice sha256.Size,
	// which is the length of a hex-encoded sha256 digest
	ContainerIDLen = sha256.Size * 2

	// MaxSymlinks is the maximum number of symlinks captured
	MaxSymlinks = 2

	// MaxTracedCgroupsCount is the hard limit on the number of cgroups traced at once
	MaxTracedCgroupsCount = 128
)
// Event flags are bit flags (each value is 1 << its position) and may be combined.
const (
	// EventFlagsAsync marks an asynchronous event
	EventFlagsAsync = 1 << iota

	// EventFlagsSavedByAD marks an event saved by an activity dump (AD)
	EventFlagsSavedByAD

	// EventFlagsActivityDumpSample marks an activity dump sample
	EventFlagsActivityDumpSample

	// EventFlagsSecurityProfileInProfile true if the event was found in a profile
	EventFlagsSecurityProfileInProfile

	// EventFlagsAnomalyDetectionEvent true if the event is marked as being an anomaly
	EventFlagsAnomalyDetectionEvent

	// EventFlagsHasActiveActivityDump true if the event has an active activity dump associated to it
	EventFlagsHasActiveActivityDump
)
// IMDS event type and cloud provider identifiers, as reported on IMDS events.
const (
	// IMDSRequestType is used to specify that the event is an IMDS request event
	IMDSRequestType = "request"
	// IMDSResponseType is used to specify that the event is an IMDS response event
	IMDSResponseType = "response"
	// IMDSAWSCloudProvider is used to report that the IMDS event is for AWS
	IMDSAWSCloudProvider = "aws"
	// IMDSGCPCloudProvider is used to report that the IMDS event is for GCP
	IMDSGCPCloudProvider = "gcp"
	// IMDSAzureCloudProvider is used to report that the IMDS event is for Azure
	IMDSAzureCloudProvider = "azure"
	// IMDSIBMCloudProvider is used to report that the IMDS event is for IBM
	IMDSIBMCloudProvider = "ibm"
	// IMDSOracleCloudProvider is used to report that the IMDS event is for Oracle
	IMDSOracleCloudProvider = "oracle"
)
// File layer flags, bit flags (1 << iota) that may be combined.
// NOTE(review): the lower/upper naming suggests the layers of an overlay
// filesystem (see OverlayFS) — confirm against the eBPF side.
const (
	// LowerLayer flags a file located in the lower layer
	LowerLayer = 1 << iota
	// UpperLayer flags a file located in the upper layer
	UpperLayer
)

File flags

const (
	OverlayFS = "overlay" // OverlayFS overlay filesystem
	TmpFS     = "tmpfs"   // TmpFS tmpfs
	UnknownFS = "unknown" // UnknownFS unknown filesystem

	// The ErrPath* values below are message prefixes (plain string constants),
	// not error values: unlike the ErrXxx variables of this package they
	// cannot be matched with errors.Is.
	ErrPathMustBeAbsolute = "all the path have to be absolute"            // ErrPathMustBeAbsolute tells when a path is not absolute
	ErrPathDepthLimit     = "path depths have to be shorter than"         // ErrPathDepthLimit tells when a path is too long
	ErrPathSegmentLimit   = "each segment of a path must be shorter than" // ErrPathSegmentLimit tells when a path reached the segment limit

	// SizeOfCookie is the size of a cookie
	SizeOfCookie = 8
)
// Sources of a process cache entry, starting at 0.
// NOTE(review): these values appear to index the ProcessSources table
// (same count and order) — keep both in sync; confirm in ProcessSourceToString.
const (
	ProcessCacheEntryFromUnknown     = iota // ProcessCacheEntryFromUnknown defines a process cache entry from unknown
	ProcessCacheEntryFromPlaceholder        // ProcessCacheEntryFromPlaceholder defines the source of a placeholder process cache entry
	ProcessCacheEntryFromEvent              // ProcessCacheEntryFromEvent defines a process cache entry from event
	ProcessCacheEntryFromKernelMap          // ProcessCacheEntryFromKernelMap defines a process cache entry from kernel map
	ProcessCacheEntryFromProcFS             // ProcessCacheEntryFromProcFS defines a process cache entry from procfs. Note that some exec parent may be missing.
	ProcessCacheEntryFromSnapshot           // ProcessCacheEntryFromSnapshot defines a process cache entry from snapshot
)
const (
	// FileFieldsSize is the size used by the file_t structure.
	// NOTE(review): must stay in sync with the C definition of file_t
	// on the eBPF side — confirm whenever that struct changes.
	FileFieldsSize = 72
)
const PathKeySize = 16

PathKeySize defines the path key size

const PathLeafSize = PathKeySize + MaxSegmentLength + 1 + 2 + 6 // path_key + name + len + padding

PathLeafSize defines path_leaf struct size

Variables

// Constant tables exposed to SECL rules by symbolic name.
// The "generate_constants:" lines appear to be tooling markers — leave them unchanged.
// NOTE(review): these tables presumably back the Constants:`...` references
// found in SECLDoc field tags — confirm against the documentation generator.
var (
	// DNSQTypeConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qtypes,DNS qtypes are the supported DNS query types.
	DNSQTypeConstants = map[string]int{
		"None":       0,
		"A":          1,
		"NS":         2,
		"MD":         3,
		"MF":         4,
		"CNAME":      5,
		"SOA":        6,
		"MB":         7,
		"MG":         8,
		"MR":         9,
		"NULL":       10,
		"PTR":        12,
		"HINFO":      13,
		"MINFO":      14,
		"MX":         15,
		"TXT":        16,
		"RP":         17,
		"AFSDB":      18,
		"X25":        19,
		"ISDN":       20,
		"RT":         21,
		"NSAPPTR":    23,
		"SIG":        24,
		"KEY":        25,
		"PX":         26,
		"GPOS":       27,
		"AAAA":       28,
		"LOC":        29,
		"NXT":        30,
		"EID":        31,
		"NIMLOC":     32,
		"SRV":        33,
		"ATMA":       34,
		"NAPTR":      35,
		"KX":         36,
		"CERT":       37,
		"DNAME":      39,
		"OPT":        41,
		"APL":        42,
		"DS":         43,
		"SSHFP":      44,
		"RRSIG":      46,
		"NSEC":       47,
		"DNSKEY":     48,
		"DHCID":      49,
		"NSEC3":      50,
		"NSEC3PARAM": 51,
		"TLSA":       52,
		"SMIMEA":     53,
		"HIP":        55,
		"NINFO":      56,
		"RKEY":       57,
		"TALINK":     58,
		"CDS":        59,
		"CDNSKEY":    60,
		"OPENPGPKEY": 61,
		"CSYNC":      62,
		"ZONEMD":     63,
		"SVCB":       64,
		"HTTPS":      65,
		"SPF":        99,
		"UINFO":      100,
		"UID":        101,
		"GID":        102,
		"UNSPEC":     103,
		"NID":        104,
		"L32":        105,
		"L64":        106,
		"LP":         107,
		"EUI48":      108,
		"EUI64":      109,
		"URI":        256,
		"CAA":        257,
		"AVC":        258,
		"TKEY":       249,
		"TSIG":       250,
		"IXFR":       251,
		"AXFR":       252,
		"MAILB":      253,
		"MAILA":      254,
		"ANY":        255,
		"TA":         32768,
		"DLV":        32769,
		"Reserved":   65535,
	}

	// DNSQClassConstants see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
	// generate_constants:DNS qclasses,DNS qclasses are the supported DNS query classes.
	DNSQClassConstants = map[string]int{
		"CLASS_INET":   1,
		"CLASS_CSNET":  2,
		"CLASS_CHAOS":  3,
		"CLASS_HESIOD": 4,
		"CLASS_NONE":   254,
		"CLASS_ANY":    255,
	}

	// BooleanConstants holds the evaluator for boolean constants
	// (the values are *eval.BoolEvaluator, stored as interface{})
	// generate_constants:Boolean constants,Boolean constants are the supported boolean constants.
	BooleanConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}

	// L3ProtocolConstants is the list of supported L3 protocols
	// generate_constants:L3 protocols,L3 protocols are the supported Layer 3 protocols.
	L3ProtocolConstants = map[string]L3Protocol{
		"ETH_P_LOOP":            EthPLOOP,
		"ETH_P_PUP":             EthPPUP,
		"ETH_P_PUPAT":           EthPPUPAT,
		"ETH_P_TSN":             EthPTSN,
		"ETH_P_IP":              EthPIP,
		"ETH_P_X25":             EthPX25,
		"ETH_P_ARP":             EthPARP,
		"ETH_P_BPQ":             EthPBPQ,
		"ETH_P_IEEEPUP":         EthPIEEEPUP,
		"ETH_P_IEEEPUPAT":       EthPIEEEPUPAT,
		"ETH_P_BATMAN":          EthPBATMAN,
		"ETH_P_DEC":             EthPDEC,
		"ETH_P_DNADL":           EthPDNADL,
		"ETH_P_DNARC":           EthPDNARC,
		"ETH_P_DNART":           EthPDNART,
		"ETH_P_LAT":             EthPLAT,
		"ETH_P_DIAG":            EthPDIAG,
		"ETH_P_CUST":            EthPCUST,
		"ETH_P_SCA":             EthPSCA,
		"ETH_P_TEB":             EthPTEB,
		"ETH_P_RARP":            EthPRARP,
		"ETH_P_ATALK":           EthPATALK,
		"ETH_P_AARP":            EthPAARP,
		"ETH_P_8021_Q":          EthP8021Q,
		"ETH_P_ERSPAN":          EthPERSPAN,
		"ETH_P_IPX":             EthPIPX,
		"ETH_P_IPV6":            EthPIPV6,
		"ETH_P_PAUSE":           EthPPAUSE,
		"ETH_P_SLOW":            EthPSLOW,
		"ETH_P_WCCP":            EthPWCCP,
		"ETH_P_MPLSUC":          EthPMPLSUC,
		"ETH_P_MPLSMC":          EthPMPLSMC,
		"ETH_P_ATMMPOA":         EthPATMMPOA,
		"ETH_P_PPPDISC":         EthPPPPDISC,
		"ETH_P_PPPSES":          EthPPPPSES,
		"ETH_P__LINK_CTL":       EthPLinkCTL,
		"ETH_P_ATMFATE":         EthPATMFATE,
		"ETH_P_PAE":             EthPPAE,
		"ETH_P_AOE":             EthPAOE,
		"ETH_P_8021_AD":         EthP8021AD,
		"ETH_P_802_EX1":         EthP802EX1,
		"ETH_P_TIPC":            EthPTIPC,
		"ETH_P_MACSEC":          EthPMACSEC,
		"ETH_P_8021_AH":         EthP8021AH,
		"ETH_P_MVRP":            EthPMVRP,
		"ETH_P_1588":            EthP1588,
		"ETH_P_NCSI":            EthPNCSI,
		"ETH_P_PRP":             EthPPRP,
		"ETH_P_FCOE":            EthPFCOE,
		"ETH_P_IBOE":            EthPIBOE,
		"ETH_P_TDLS":            EthPTDLS,
		"ETH_P_FIP":             EthPFIP,
		"ETH_P_80221":           EthP80221,
		"ETH_P_HSR":             EthPHSR,
		"ETH_P_NSH":             EthPNSH,
		"ETH_P_LOOPBACK":        EthPLOOPBACK,
		"ETH_P_QINQ1":           EthPQINQ1,
		"ETH_P_QINQ2":           EthPQINQ2,
		"ETH_P_QINQ3":           EthPQINQ3,
		"ETH_P_EDSA":            EthPEDSA,
		"ETH_P_IFE":             EthPIFE,
		"ETH_P_AFIUCV":          EthPAFIUCV,
		"ETH_P_8023_MIN":        EthP8023MIN,
		"ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop,
		"ETH_P_8023":            EthP8023,
		"ETH_P_AX25":            EthPAX25,
		"ETH_P_ALL":             EthPALL,
		"ETH_P_8022":            EthP8022,
		"ETH_P_SNAP":            EthPSNAP,
		"ETH_P_DDCMP":           EthPDDCMP,
		"ETH_P_WANPPP":          EthPWANPPP,
		"ETH_P_PPPMP":           EthPPPPMP,
		"ETH_P_LOCALTALK":       EthPLOCALTALK,
		"ETH_P_CAN":             EthPCAN,
		"ETH_P_CANFD":           EthPCANFD,
		"ETH_P_PPPTALK":         EthPPPPTALK,
		"ETH_P_TR8022":          EthPTR8022,
		"ETH_P_MOBITEX":         EthPMOBITEX,
		"ETH_P_CONTROL":         EthPCONTROL,
		"ETH_P_IRDA":            EthPIRDA,
		"ETH_P_ECONET":          EthPECONET,
		"ETH_P_HDLC":            EthPHDLC,
		"ETH_P_ARCNET":          EthPARCNET,
		"ETH_P_DSA":             EthPDSA,
		"ETH_P_TRAILER":         EthPTRAILER,
		"ETH_P_PHONET":          EthPPHONET,
		"ETH_P_IEEE802154":      EthPIEEE802154,
		"ETH_P_CAIF":            EthPCAIF,
		"ETH_P_XDSA":            EthPXDSA,
		"ETH_P_MAP":             EthPMAP,
	}

	// L4ProtocolConstants is the list of supported L4 protocols
	// generate_constants:L4 protocols,L4 protocols are the supported Layer 4 protocols.
	L4ProtocolConstants = map[string]L4Protocol{
		"IP_PROTO_IP":      IPProtoIP,
		"IP_PROTO_ICMP":    IPProtoICMP,
		"IP_PROTO_IGMP":    IPProtoIGMP,
		"IP_PROTO_IPIP":    IPProtoIPIP,
		"IP_PROTO_TCP":     IPProtoTCP,
		"IP_PROTO_EGP":     IPProtoEGP,
		"IP_PROTO_IGP":     IPProtoIGP,
		"IP_PROTO_PUP":     IPProtoPUP,
		"IP_PROTO_UDP":     IPProtoUDP,
		"IP_PROTO_IDP":     IPProtoIDP,
		"IP_PROTO_TP":      IPProtoTP,
		"IP_PROTO_DCCP":    IPProtoDCCP,
		"IP_PROTO_IPV6":    IPProtoIPV6,
		"IP_PROTO_RSVP":    IPProtoRSVP,
		"IP_PROTO_GRE":     IPProtoGRE,
		"IP_PROTO_ESP":     IPProtoESP,
		"IP_PROTO_AH":      IPProtoAH,
		"IP_PROTO_ICMPV6":  IPProtoICMPV6,
		"IP_PROTO_MTP":     IPProtoMTP,
		"IP_PROTO_BEETPH":  IPProtoBEETPH,
		"IP_PROTO_ENCAP":   IPProtoENCAP,
		"IP_PROTO_PIM":     IPProtoPIM,
		"IP_PROTO_COMP":    IPProtoCOMP,
		"IP_PROTO_SCTP":    IPProtoSCTP,
		"IP_PROTO_UDPLITE": IPProtoUDPLITE,
		"IP_PROTO_MPLS":    IPProtoMPLS,
		"IP_PROTO_RAW":     IPProtoRAW,
	}

	// NetworkDirectionConstants is the list of supported network directions
	// generate_constants:Network directions,Network directions are the supported directions of network packets.
	NetworkDirectionConstants = map[string]NetworkDirection{
		"INGRESS": Ingress,
		"EGRESS":  Egress,
	}
)
// Sentinel errors of the binary (un)marshalling helpers; compare with errors.Is.
var (
	// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
	ErrNotEnoughData = errors.New("not enough data")

	// ErrNotEnoughSpace is returned when the provided buffer is too small to marshal the event
	ErrNotEnoughSpace = errors.New("not enough space")

	// ErrStringArrayOverflow is returned when there is a string array overflow
	ErrStringArrayOverflow = errors.New("string array overflow")

	// ErrNonPrintable is returned when a string contains a non printable char
	ErrNonPrintable = errors.New("non printable")

	// ErrIncorrectDataSize is returned when the data read size doesn't correspond to the expected one
	ErrIncorrectDataSize = errors.New("incorrect data size")

	// ErrNoUsefulData is returned when there is no useful data
	ErrNoUsefulData = errors.New("no useful data")
)
var (

	// ProcessSymlinkPathname handles symlinks for process entries. When one
	// operand is the exec.file.path or process.file.path field, the glob
	// comparison of the resolved path is OR'd with the same comparison run
	// against the two symlink pathname evaluators
	// (symlinkPathnameEvaluators[0] and [1]), so a rule written against one
	// of the paths also matches the others. Any other field falls back to
	// the plain eval.GlobCmp result.
	ProcessSymlinkPathname = &eval.OpOverrides{
		// StringEquals is the only operator that inspects both operands:
		// the field may be on either side of the comparison.
		StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.GlobCmp.StringEquals(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.path" || a.Field == "process.file.path" {
				se1, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}

				se2, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}

				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			} else if b.Field == "exec.file.path" || b.Field == "process.file.path" {
				se1, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[0](b.Field), a, state)
				if err != nil {
					return nil, err
				}

				se2, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[1](b.Field), a, state)
				if err != nil {
					return nil, err
				}

				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			}

			return path, nil
		},
		// StringValuesContains only checks the a side: b is a set of values, not a field.
		StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.GlobCmp.StringValuesContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.path" || a.Field == "process.file.path" {
				se1, err := eval.GlobCmp.StringValuesContains(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				se2, err := eval.GlobCmp.StringValuesContains(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			}

			return path, nil
		},
		// StringArrayContains only checks the a side: b is an array, not a field.
		StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.GlobCmp.StringArrayContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.path" || a.Field == "process.file.path" {
				se1, err := eval.GlobCmp.StringArrayContains(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				se2, err := eval.GlobCmp.StringArrayContains(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}
				or, err := eval.Or(se1, se2, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(path, or, state)
			}

			return path, nil
		},
		// StringArrayMatches has no symlink handling: plain glob comparison.
		StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			return eval.GlobCmp.StringArrayMatches(a, b, state)
		},
	}

	// ProcessSymlinkBasename handles symlinks for process entries, the
	// basename counterpart of ProcessSymlinkPathname: when one operand is
	// the exec.file.name or process.file.name field, the exact comparison
	// is OR'd with the same comparison against the single
	// symlinkBasenameEvaluator. Note that this table uses the non-glob
	// eval.StringEquals family, unlike the pathname table above.
	ProcessSymlinkBasename = &eval.OpOverrides{
		// StringEquals inspects both operands, as the field may be on either side.
		StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.StringEquals(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.name" || a.Field == "process.file.name" {
				symlink, err := eval.StringEquals(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			} else if b.Field == "exec.file.name" || b.Field == "process.file.name" {
				symlink, err := eval.StringEquals(a, symlinkBasenameEvaluator(b.Field), state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			}

			return path, nil
		},
		// StringValuesContains only checks the a side: b is a set of values, not a field.
		StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.StringValuesContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.name" || a.Field == "process.file.name" {
				symlink, err := eval.StringValuesContains(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			}

			return path, nil
		},
		// StringArrayContains only checks the a side: b is an array, not a field.
		StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			path, err := eval.StringArrayContains(a, b, state)
			if err != nil {
				return nil, err
			}

			if a.Field == "exec.file.name" || a.Field == "process.file.name" {
				symlink, err := eval.StringArrayContains(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(path, symlink, state)
			}

			return path, nil
		},
		// StringArrayMatches has no symlink handling: plain comparison.
		StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			return eval.StringArrayMatches(a, b, state)
		},
	}
)

AllEventFilteringProfileState is the list of all EventFilteringProfileState

var ErrNoProcessContext = errors.New("process context not resolved")

ErrNoProcessContext defines an error for event without process context

var (

	// KernelCapabilityConstants list of kernel capabilities, keyed by name.
	// Empty at declaration; NOTE(review): presumably filled at runtime
	// (SECLConstants documents lazy initialization on first call) — confirm.
	KernelCapabilityConstants = map[string]uint64{}
)
// MountOrigins defines mount origins. The array is indexed by MountOrigin
// (see MountOriginToString), so the order of the entries is significant.
var MountOrigins = [...]string{
	"unknown",
	"procfs",
	"event",
	"unshare",
}

MountOrigins defines mount origins

// MountSources defines mount sources. The array is indexed by MountSource
// (see MountSourceToString), so the order of the entries is significant.
var MountSources = [...]string{
	"unknown",
	"mount_id",
	"device",
	"snapshot",
}

MountSources defines mount sources

// PacketFilterMatching is a set of overrides for packet filter fields, it only
// supports matching a single static value: every string operator below
// returns errUnsupportedPacketFilter instead of evaluating, so glob, array
// and multi-value comparisons on these fields are rejected rather than
// silently evaluated.
var PacketFilterMatching = &eval.OpOverrides{
	StringEquals: func(_ *eval.StringEvaluator, _ *eval.StringEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		return nil, errUnsupportedPacketFilter
	},
	StringValuesContains: func(_ *eval.StringEvaluator, _ *eval.StringValuesEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		return nil, errUnsupportedPacketFilter
	},
	StringArrayContains: func(_ *eval.StringEvaluator, _ *eval.StringArrayEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		return nil, errUnsupportedPacketFilter
	},
	StringArrayMatches: func(_ *eval.StringArrayEvaluator, _ *eval.StringValuesEvaluator, _ *eval.State) (*eval.BoolEvaluator, error) {
		return nil, errUnsupportedPacketFilter
	},
}

PacketFilterMatching is a set of overrides for packet filter fields, it only supports matching a single static value

// ProcessSources defines process sources. The array appears to be indexed by
// the ProcessCacheEntryFrom* constants (same count and order; see
// ProcessSourceToString), so keep both declarations in sync.
var ProcessSources = [...]string{
	"unknown",
	"placeholder",
	"event",
	"map",
	"procfs_fallback",
	"procfs_snapshot",
}

ProcessSources defines process sources

// SECLLegacyFields contains the list of the legacy attributes we need to
// support: keys are the legacy SECL field names, values are the current
// field names they map to.
var SECLLegacyFields = map[eval.Field]eval.Field{

	"async": "event.async",

	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",

	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",
}

SECLLegacyFields contains the list of the legacy attributes we need to support

var (
	// SECLVariables set of variables available to SECL rules
	SECLVariables = map[string]eval.VariableValue{
		// process.pid resolves to the pid of the event's process, or 0 when
		// the event carries no process context.
		"process.pid": eval.NewIntVariable(func(ctx *eval.Context) int {
			// unchecked assertion: panics if ctx.Event is not an *Event
			pc := ctx.Event.(*Event).ProcessContext
			if pc == nil {
				return 0
			}
			return int(pc.Process.Pid)
		}, nil),
	}
)
var (

	// SignalConstants on darwin are used by some dd-go tests, so we need them on darwin as well.
	// NOTE(review): this is the darwin variant of the table and only lists SIGKILL;
	// other platforms presumably declare a fuller table — confirm.
	SignalConstants = map[string]int{
		"SIGKILL": int(unix.SIGKILL),
	}
)

Functions

func FilterEnvs added in v0.51.0

func FilterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string

FilterEnvs returns an array of environment variable key value pairs matching the desired keys

func GetEventTypePerCategory added in v0.34.0

func GetEventTypePerCategory(categories ...EventCategory) map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func IsAlphaNumeric

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable

func IsPrintable(s string) bool

IsPrintable returns whether the string contains only Unicode printable characters

func IsPrintableASCII

func IsPrintableASCII(s string) bool

IsPrintableASCII returns whether the string contains only printable ASCII characters

func MountOriginToString added in v0.55.0

func MountOriginToString(origin MountOrigin) string

MountOriginToString returns the string corresponding to a mount origin

func MountSourceToString added in v0.55.0

func MountSourceToString(source MountSource) string

MountSourceToString returns the string corresponding to a mount source

func NullTerminatedString added in v0.41.0

func NullTerminatedString(d []byte) string

NullTerminatedString returns the string contained in a null-terminated byte slice

func ProcessSourceToString added in v0.46.0

func ProcessSourceToString(source uint64) string

ProcessSourceToString returns the string corresponding to a process source

func SECLConstants added in v0.34.0

func SECLConstants() map[string]interface{}

SECLConstants returns the constants supported in runtime security agent rules, initializing these constants during the first call

func SliceToArray

func SliceToArray(src []byte, dst []byte)

SliceToArray copies the bytes of src into dst. The destination must have enough space to hold them.

func UnmarshalPrintableString

func UnmarshalPrintableString(data []byte, size int) (string, error)

UnmarshalPrintableString unmarshals a printable string from data

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshals a string from data

func UnmarshalStringArray

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extracts an array of strings from an array of bytes

Types

type AWSIMDSEvent added in v0.55.0

// AWSIMDSEvent holds data from an AWS IMDS event.
// NOTE(review): the SECLDoc key on SecurityCredentials (`credentials`) does not
// match its field tag (`security_credentials`); confirm which name the
// documentation generator expects.
type AWSIMDSEvent struct {
	IsIMDSv2            bool                   `field:"is_imds_v2"`           // SECLDoc[is_imds_v2] Definition:`a boolean which specifies if the IMDS event follows IMDSv1 or IMDSv2 conventions`
	SecurityCredentials AWSSecurityCredentials `field:"security_credentials"` // SECLDoc[credentials] Definition:`the security credentials in the IMDS answer`
}

AWSIMDSEvent holds data from an AWS IMDS event

type AWSSecurityCredentials added in v0.55.0

// AWSSecurityCredentials is used to parse the fields of an IMDS security
// credentials answer that are known to be free of credentials or secrets.
// Only the members listed here are decoded: since encoding/json ignores
// JSON members without a matching field, any other member of the answer
// (including the actual secret key material) is never retained.
// Fields tagged `field:"-"` are not exposed to SECL rules; only Type is.
// NOTE(review): Expiration carries no json tag while ExpirationRaw maps to
// the "Expiration" member — presumably Expiration is parsed from
// ExpirationRaw after decoding; confirm.
type AWSSecurityCredentials struct {
	Code        string    `field:"-" json:"Code"`
	Type        string    `field:"type" json:"Type"` // SECLDoc[type] Definition:`the security credentials type`
	AccessKeyID string    `field:"-" json:"AccessKeyId"`
	LastUpdated string    `field:"-" json:"LastUpdated"`
	Expiration  time.Time `field:"-"`

	ExpirationRaw string `field:"-" json:"Expiration"`
}

AWSSecurityCredentials is used to parse the fields that are known to be free of credentials or secrets

type AcceptEvent added in v0.63.0

// AcceptEvent represents an accept event
type AcceptEvent struct {
	SyscallEvent

	Addr       IPPortContext `field:"addr"`        // Connection address
	AddrFamily uint16        `field:"addr.family"` // SECLDoc[addr.family] Definition:`Address family`
}

AcceptEvent represents an accept event

type ActionReport added in v0.52.0

// ActionReport defines an action report
type ActionReport interface {
	// ToJSON serializes the report
	ToJSON() ([]byte, error)
	// IsMatchingRule reports whether the report belongs to the given rule
	IsMatchingRule(ruleID eval.RuleID) bool
	// IsResolved returns an error while the report is not yet resolved
	IsResolved() error
}

ActionReport defines an action report

type ActivityDumpLoadConfig added in v0.40.0

// ActivityDumpLoadConfig represents the load configuration of an activity dump
// NOTE(review): the *Raw timestamp fields are presumably kernel-side
// (monotonic) timestamps rather than wall-clock values — confirm.
type ActivityDumpLoadConfig struct {
	TracedEventTypes     []EventType
	Timeout              time.Duration // see SetTimeout
	WaitListTimestampRaw uint64
	StartTimestampRaw    uint64
	EndTimestampRaw      uint64
	Rate                 uint32 // max number of events per sec
	Paused               uint32
}

ActivityDumpLoadConfig represents the load configuration of an activity dump

func (*ActivityDumpLoadConfig) SetTimeout added in v0.40.0

func (adlc *ActivityDumpLoadConfig) SetTimeout(duration time.Duration)

SetTimeout updates the timeout of an activity dump

type AddressFamily added in v0.37.0

type AddressFamily int

AddressFamily represents an address family (AF_INET, AF_INET6, AF_UNIX etc)

func (AddressFamily) String added in v0.37.0

func (af AddressFamily) String() string

type AncestorsIterator added in v0.63.0

// AncestorsIterator is a generic interface that iterators must implement
type AncestorsIterator[T any] interface {
	// Front returns the first element
	Front(ctx *eval.Context) T
	// Next returns the following element
	Next(ctx *eval.Context) T
	// At returns the element at position pos for the given register
	At(ctx *eval.Context, regID eval.RegisterID, pos int) T
	// Len returns the number of elements
	Len(ctx *eval.Context) int
}

AncestorsIterator is a generic interface that iterators must implement

type ArgsEntry added in v0.34.0

// ArgsEntry defines an args cache entry
type ArgsEntry struct {
	Values    []string // argument values
	Truncated bool     // true when the argument list was truncated
}

ArgsEntry defines an args cache entry

func (*ArgsEntry) Equals added in v0.36.0

func (p *ArgsEntry) Equals(o *ArgsEntry) bool

Equals reports whether two ArgsEntry values are equal

type ArgsEnvs added in v0.34.0

// ArgsEnvs holds the raw value for args and envs
type ArgsEnvs struct {
	ID        uint64
	Size      uint32 // number of bytes used in ValuesRaw
	ValuesRaw [sharedconsts.MaxArgEnvSize]byte
}

ArgsEnvs holds the raw value for args and envs

type ArgsEnvsEvent added in v0.34.0

// ArgsEnvsEvent defines an args/envs event
type ArgsEnvsEvent struct {
	ArgsEnvs
}

ArgsEnvsEvent defines an args/envs event

type BPFEvent added in v0.34.0

// BPFEvent represents a BPF event
type BPFEvent struct {
	SyscallEvent

	Map     BPFMap     `field:"map"`  // eBPF map involved in the BPF command
	Program BPFProgram `field:"prog"` // eBPF program involved in the BPF command
	Cmd     uint32     `field:"cmd"`  // SECLDoc[cmd] Definition:`BPF command name` Constants:`BPF commands`
}

BPFEvent represents a BPF event

type BPFMap added in v0.34.0

// BPFMap represents a BPF map
type BPFMap struct {
	ID   uint32 `field:"-"`    // ID of the eBPF map
	Type uint32 `field:"type"` // SECLDoc[type] Definition:`Type of the eBPF map` Constants:`BPF map types`
	Name string `field:"name"` // SECLDoc[name] Definition:`Name of the eBPF map (added in 7.35)`
}

BPFMap represents a BPF map

type BPFProgram added in v0.34.0

// BPFProgram represents a BPF program
type BPFProgram struct {
	ID         uint32   `field:"-"`           // ID of the eBPF program
	Type       uint32   `field:"type"`        // SECLDoc[type] Definition:`Type of the eBPF program` Constants:`BPF program types`
	AttachType uint32   `field:"attach_type"` // SECLDoc[attach_type] Definition:`Attach type of the eBPF program` Constants:`BPF attach types`
	Helpers    []uint32 `field:"helpers"`     // SECLDoc[helpers] Definition:`eBPF helpers used by the eBPF program (added in 7.35)` Constants:`BPF helper functions`
	Name       string   `field:"name"`        // SECLDoc[name] Definition:`Name of the eBPF program (added in 7.35)`
	Tag        string   `field:"tag"`         // SECLDoc[tag] Definition:`Hash (sha1) of the eBPF program (added in 7.35)`
}

BPFProgram represents a BPF program

type BaseEvent added in v0.48.0

// BaseEvent represents an event sent from the kernel; it carries the
// context shared by every event type. Fields tagged `field:"-"` are not
// exposed to SECL rules.
type BaseEvent struct {
	ID            string         `field:"-"`
	Type          uint32         `field:"-"`
	Flags         uint32         `field:"-"` // EventFlags* bit flags
	TimestampRaw  uint64         `field:"event.timestamp,handler:ResolveEventTimestamp"` // SECLDoc[event.timestamp] Definition:`Timestamp of the event`
	Timestamp     time.Time      `field:"timestamp,opts:getters_only|gen_getters,handler:ResolveEventTime"`
	Rules         []*MatchedRule `field:"-"` // rules matched by this event
	ActionReports []ActionReport `field:"-"`
	Os            string         `field:"event.os"`                                                      // SECLDoc[event.os] Definition:`Operating system of the event`
	Origin        string         `field:"event.origin"`                                                  // SECLDoc[event.origin] Definition:`Origin of the event`
	Service       string         `field:"event.service,handler:ResolveService,opts:skip_ad|gen_getters"` // SECLDoc[event.service] Definition:`Service associated with the event`
	Hostname      string         `field:"event.hostname,handler:ResolveHostname"`                        // SECLDoc[event.hostname] Definition:`Hostname associated with the event`

	// context shared with all events
	ProcessContext         *ProcessContext        `field:"process"`
	ContainerContext       *ContainerContext      `field:"container"`
	SecurityProfileContext SecurityProfileContext `field:"-"`

	// internal usage
	PIDContext        PIDContext         `field:"-"`
	ProcessCacheEntry *ProcessCacheEntry `field:"-"`

	// marks the event as having an error
	Error error `field:"-"`

	// field resolution
	FieldHandlers FieldHandlers `field:"-"`
}

BaseEvent represents an event sent from the kernel

type BaseExtraFieldHandlers added in v0.50.0

// BaseExtraFieldHandlers holds the handlers not held by any field.
// NOTE(review): the trailing bool of each method presumably reports whether
// the resolution succeeded — confirm against an implementation.
type BaseExtraFieldHandlers interface {
	ResolveProcessCacheEntry(ev *Event, newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)
	ResolveContainerContext(ev *Event) (*ContainerContext, bool)
}

BaseExtraFieldHandlers holds the handlers not held by any field

type BindEvent added in v0.37.0

// BindEvent represents a bind event
type BindEvent struct {
	SyscallEvent

	Addr       IPPortContext `field:"addr"`        // Bound address
	AddrFamily uint16        `field:"addr.family"` // SECLDoc[addr.family] Definition:`Address family`
	Protocol   uint16        `field:"protocol"`    // SECLDoc[protocol] Definition:`Socket Protocol`
}

BindEvent represents a bind event

type CGroupContext added in v0.57.0

// CGroupContext holds the cgroup context of an event. Fields tagged with a
// handler are resolved lazily through FieldHandlers; CGroupFlags is internal
// and not exposed to rules.
type CGroupContext struct {
	CGroupID      containerutils.CGroupID    `field:"id,handler:ResolveCGroupID"` // SECLDoc[id] Definition:`ID of the cgroup`
	CGroupFlags   containerutils.CGroupFlags `field:"-"`
	CGroupManager string                     `field:"manager,handler:ResolveCGroupManager"` // SECLDoc[manager] Definition:`[Experimental] Lifecycle manager of the cgroup`
	// CGroupFile identifies the cgroup directory; PathKey is declared elsewhere
	// (presumably a mount id / inode pair — confirm).
	CGroupFile    PathKey                    `field:"file"`
	CGroupVersion int                        `field:"version,handler:ResolveCGroupVersion"` // SECLDoc[version] Definition:`[Experimental] Version of the cgroup API`
}

CGroupContext holds the cgroup context of an event

func (*CGroupContext) Merge added in v0.62.0

func (cg *CGroupContext) Merge(cg2 *CGroupContext)

Merge merges two cgroup contexts

type CapsetEvent added in v0.34.0

// CapsetEvent represents a capset event: a process changing its capability
// sets. Both fields are bit sets interpreted with the Kernel Capability
// constants; the permitted set bounds what the effective set may contain.
type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"` // SECLDoc[cap_effective] Definition:`Effective capability set of the process` Constants:`Kernel Capability constants`
	CapPermitted uint64 `field:"cap_permitted"` // SECLDoc[cap_permitted] Definition:`Permitted capability set of the process` Constants:`Kernel Capability constants`
}

CapsetEvent represents a capset event

type CgroupTracingEvent added in v0.36.0

// CgroupTracingEvent is used to signal that a new cgroup should be traced by
// the activity dump manager. It is internal (the Event field holding it is
// tagged `field:"-"`) and therefore carries no SECL tags.
type CgroupTracingEvent struct {
	ContainerContext ContainerContext
	CGroupContext    CGroupContext
	Config           ActivityDumpLoadConfig // dump configuration to apply to the traced cgroup
	Pid              uint32                 // pid that triggered the tracing request
	ConfigCookie     uint64                 // opaque cookie identifying Config — verify against the dump manager
}

CgroupTracingEvent is used to signal that a new cgroup should be traced by the activity dump manager

type CgroupWriteEvent added in v0.57.0

// CgroupWriteEvent is used to signal that a new cgroup was created, i.e. a pid
// was written into a cgroup file. Only File is exposed to rules; Pid and
// CGroupFlags are internal.
type CgroupWriteEvent struct {
	File        FileEvent `field:"file"` // Path to the cgroup
	Pid         uint32    `field:"-"`    // PID of the process added to the cgroup
	CGroupFlags uint32    `field:"-"`    // CGroup flags
}

CgroupWriteEvent is used to signal that a new cgroup was created

type ChdirEvent added in v0.51.1

// ChdirEvent represents a chdir event. File is the resolved target directory;
// SyscallPath aliases the raw path argument captured in SyscallContext
// (ref:chdir.syscall.str1), which may differ from the resolved path.
type ChdirEvent struct {
	SyscallEvent
	SyscallContext
	File FileEvent `field:"file"`

	// Syscall context aliases
	SyscallPath string `field:"syscall.path,ref:chdir.syscall.str1"` // SECLDoc[syscall.path] Definition:`path argument of the syscall`
}

ChdirEvent represents a chdir event

type ChmodEvent added in v0.34.0

// ChmodEvent represents a chmod event. Mode is the new mode and is exposed under
// two SECL names (file.destination.mode and file.destination.rights). The
// Syscall* fields alias the raw syscall arguments captured in SyscallContext.
type ChmodEvent struct {
	SyscallEvent
	SyscallContext
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode; file.destination.rights"` // SECLDoc[file.destination.mode] Definition:`New mode of the chmod-ed file` Constants:`File mode constants` SECLDoc[file.destination.rights] Definition:`New rights of the chmod-ed file` Constants:`File mode constants`

	// Syscall context aliases
	SyscallPath string `field:"syscall.path,ref:chmod.syscall.str1"` // SECLDoc[syscall.path] Definition:`path argument of the syscall`
	SyscallMode int64  `field:"syscall.mode,ref:chmod.syscall.int2"` // SECLDoc[syscall.mode] Definition:`mode argument of the syscall`
}

ChmodEvent represents a chmod event

type ChownEvent added in v0.34.0

// ChownEvent represents a chown event. UID/GID are the new numeric owner and
// group; User/Group are their names, resolved lazily through the
// ResolveChownUID/ResolveChownGID handlers. The Syscall* fields alias the raw
// syscall arguments captured in SyscallContext.
type ChownEvent struct {
	SyscallEvent
	SyscallContext
	File  FileEvent `field:"file"`
	UID   int64     `field:"file.destination.uid"`                           // SECLDoc[file.destination.uid] Definition:`New UID of the chown-ed file's owner`
	User  string    `field:"file.destination.user,handler:ResolveChownUID"`  // SECLDoc[file.destination.user] Definition:`New user of the chown-ed file's owner`
	GID   int64     `field:"file.destination.gid"`                           // SECLDoc[file.destination.gid] Definition:`New GID of the chown-ed file's owner`
	Group string    `field:"file.destination.group,handler:ResolveChownGID"` // SECLDoc[file.destination.group] Definition:`New group of the chown-ed file's owner`

	// Syscall context aliases
	SyscallPath string `field:"syscall.path,ref:chown.syscall.str1"` // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
	SyscallUID  int64  `field:"syscall.uid,ref:chown.syscall.int2"`  // SECLDoc[syscall.uid] Definition:`UID argument of the syscall`
	SyscallGID  int64  `field:"syscall.gid,ref:chown.syscall.int3"`  // SECLDoc[syscall.gid] Definition:`GID argument of the syscall`
}

ChownEvent represents a chown event

type ConnectEvent added in v0.60.0

// ConnectEvent represents a connect event. It mirrors BindEvent: Addr is the
// remote address being connected to, AddrFamily and Protocol are the raw socket
// family and protocol numbers.
type ConnectEvent struct {
	SyscallEvent // embedded common syscall metadata (declared elsewhere in this file)

	Addr       IPPortContext `field:"addr"`        // Connection address
	AddrFamily uint16        `field:"addr.family"` // SECLDoc[addr.family] Definition:`Address family`
	Protocol   uint16        `field:"protocol"`    // SECLDoc[protocol] Definition:`Socket Protocol`
}

ConnectEvent represents a connect event

type ContainerContext added in v0.34.0

// ContainerContext holds the container context of an event. ContainerID,
// CreatedAt, Tags and Runtime are resolved lazily through the handlers named in
// their tags; Resolved is internal bookkeeping. Tags carries opts:skip_ad and a
// weight of 9999 — presumably excluded from activity dumps and evaluated last
// because resolution is expensive; confirm against the SECL field options.
type ContainerContext struct {
	Releasable
	ContainerID containerutils.ContainerID `field:"id,handler:ResolveContainerID,opts:gen_getters"`                // SECLDoc[id] Definition:`ID of the container`
	CreatedAt   uint64                     `field:"created_at,handler:ResolveContainerCreatedAt,opts:gen_getters"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the container`
	Tags        []string                   `field:"tags,handler:ResolveContainerTags,opts:skip_ad,weight:9999"`    // SECLDoc[tags] Definition:`Tags of the container`
	Resolved    bool                       `field:"-"`
	Runtime     string                     `field:"runtime,handler:ResolveContainerRuntime"` // SECLDoc[runtime] Definition:`Runtime managing the container`
}

ContainerContext holds the container context of an event

type Credentials added in v0.34.0

// Credentials represents the kernel credentials of a process: the real,
// effective and filesystem uid/gid (with their resolved user/group names), the
// login uid, and the effective/permitted capability bit sets. Only the real
// ids and names carry opts:gen_getters and so get generated accessors.
type Credentials struct {
	// real ids and their resolved names
	UID   uint32 `field:"uid,opts:gen_getters"`   // SECLDoc[uid] Definition:`UID of the process`
	GID   uint32 `field:"gid,opts:gen_getters"`   // SECLDoc[gid] Definition:`GID of the process`
	User  string `field:"user,opts:gen_getters"`  // SECLDoc[user] Definition:`User of the process` Example:`process.user == "root"` Description:`Constrain an event to be triggered by a process running as the root user.`
	Group string `field:"group,opts:gen_getters"` // SECLDoc[group] Definition:`Group of the process`

	// effective ids and their resolved names
	EUID   uint32 `field:"euid"`   // SECLDoc[euid] Definition:`Effective UID of the process`
	EGID   uint32 `field:"egid"`   // SECLDoc[egid] Definition:`Effective GID of the process`
	EUser  string `field:"euser"`  // SECLDoc[euser] Definition:`Effective user of the process`
	EGroup string `field:"egroup"` // SECLDoc[egroup] Definition:`Effective group of the process`

	// filesystem ids and their resolved names
	FSUID   uint32 `field:"fsuid"`   // SECLDoc[fsuid] Definition:`FileSystem-uid of the process`
	FSGID   uint32 `field:"fsgid"`   // SECLDoc[fsgid] Definition:`FileSystem-gid of the process`
	FSUser  string `field:"fsuser"`  // SECLDoc[fsuser] Definition:`FileSystem-user of the process`
	FSGroup string `field:"fsgroup"` // SECLDoc[fsgroup] Definition:`FileSystem-group of the process`

	// login uid, set at login and preserved across setuid changes
	AUID uint32 `field:"auid"` // SECLDoc[auid] Definition:`Login UID of the process`

	// capability bit sets, interpreted with the Kernel Capability constants
	CapEffective uint64 `field:"cap_effective"` // SECLDoc[cap_effective] Definition:`Effective capability set of the process` Constants:`Kernel Capability constants`
	CapPermitted uint64 `field:"cap_permitted"` // SECLDoc[cap_permitted] Definition:`Permitted capability set of the process` Constants:`Kernel Capability constants`
}

Credentials represents the kernel credentials of a process

func (*Credentials) Equals added in v0.47.0

func (c *Credentials) Equals(o *Credentials) bool

Equals reports whether both credentials are equal

type DNSEvent added in v0.36.0

// DNSEvent represents a DNS event (one question of a request). Name is compared
// case-insensitively in rules (op_override eval.CaseInsensitiveCmp) and supports
// the length operator (opts:length); Type and Class are the raw qtype/qclass
// codes interpreted with the DNS constants.
type DNSEvent struct {
	ID    uint16 `field:"id"`                                                              // SECLDoc[id] Definition:`[Experimental] the DNS request ID`
	Name  string `field:"question.name,opts:length" op_override:"eval.CaseInsensitiveCmp"` // SECLDoc[question.name] Definition:`the queried domain name`
	Type  uint16 `field:"question.type"`                                                   // SECLDoc[question.type] Definition:`a two octet code which specifies the DNS question type` Constants:`DNS qtypes`
	Class uint16 `field:"question.class"`                                                  // SECLDoc[question.class] Definition:`the class looked up by the DNS question` Constants:`DNS qclasses`
	Size  uint16 `field:"question.length"`                                                 // SECLDoc[question.length] Definition:`the total DNS request size in bytes`
	Count uint16 `field:"question.count"`                                                  // SECLDoc[question.count] Definition:`the total count of questions in the DNS request`
}

DNSEvent represents a DNS event

func (*DNSEvent) Matches added in v0.53.0

func (de *DNSEvent) Matches(new *DNSEvent) bool

Matches returns true if the two DNS events match

type EnvsEntry added in v0.34.0

// EnvsEntry is a cache entry holding the environment variables of a process.
// Values are the raw "NAME=value" strings; Truncated reports that the kernel
// could not capture the whole environment, so Values may be incomplete.
type EnvsEntry struct {
	Values    []string
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines an envs cache entry

func (*EnvsEntry) Equals added in v0.36.0

func (p *EnvsEntry) Equals(o *EnvsEntry) bool

Equals compares two EnvsEntry

func (*EnvsEntry) FilterEnvs added in v0.39.0

func (p *EnvsEntry) FilterEnvs(envsWithValue map[string]bool) ([]string, bool)

FilterEnvs returns a slice of envs; only the name of each variable is returned unless the variable name is part of the provided filter

func (*EnvsEntry) Get added in v0.34.0

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

type ErrInvalidKeyPath added in v0.44.0

// ErrInvalidKeyPath is returned when a path key cannot be resolved because its
// inode or mount id is not valid. The offending values are kept so callers can
// report them.
type ErrInvalidKeyPath struct {
	Inode   uint64
	MountID uint32
}

ErrInvalidKeyPath is returned when the inode or the mount ID is not valid

func (*ErrInvalidKeyPath) Error added in v0.44.0

func (e *ErrInvalidKeyPath) Error() string

type ErrProcessBrokenLineage added in v0.50.0

// ErrProcessBrokenLineage is returned when a process lineage is broken. Err holds
// the underlying cause and is exposed through Unwrap, so errors.Is/errors.As can
// inspect it.
type ErrProcessBrokenLineage struct {
	Err error
}

ErrProcessBrokenLineage is returned when a process lineage is broken

func (*ErrProcessBrokenLineage) Error added in v0.50.0

func (e *ErrProcessBrokenLineage) Error() string

Error implements the error interface

func (*ErrProcessBrokenLineage) Unwrap added in v0.50.0

func (e *ErrProcessBrokenLineage) Unwrap() error

Unwrap returns the wrapped error, following the errors.Unwrap convention

type ErrProcessIncompleteLineage added in v0.50.0

// ErrProcessIncompleteLineage is used when the lineage is incorrect in terms of
// pid/ppid. PID/PPID identify the process whose ancestry could not be
// completed; ContainerID scopes it (a plain string here, unlike
// ContainerContext.ContainerID).
type ErrProcessIncompleteLineage struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessIncompleteLineage is used when the lineage is incorrect in terms of pid/ppid

func (*ErrProcessIncompleteLineage) Error added in v0.50.0

type ErrProcessMissingParentNode added in v0.50.0

// ErrProcessMissingParentNode is used when the lineage is incorrect in terms of
// pid/ppid. It carries the same PID/PPID/ContainerID triple as
// ErrProcessIncompleteLineage; the two are distinct types so callers can
// distinguish them with errors.As.
type ErrProcessMissingParentNode struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessMissingParentNode is used when the lineage is incorrect in terms of pid/ppid

func (*ErrProcessMissingParentNode) Error added in v0.50.0

type ErrProcessWrongParentNode added in v0.50.0

// ErrProcessWrongParentNode is used when the lineage is correct in terms of
// pid/ppid but an exec parent is missing. PID/PPID identify the process whose
// parent node is wrong; ContainerID scopes it.
type ErrProcessWrongParentNode struct {
	PID         uint32
	PPID        uint32
	ContainerID string
}

ErrProcessWrongParentNode is used when the lineage is correct in terms of pid/ppid but an exec parent is missing

func (*ErrProcessWrongParentNode) Error added in v0.50.0

func (e *ErrProcessWrongParentNode) Error() string

type Event added in v0.34.0

// Event represents an event sent from the kernel. It embeds BaseEvent (shared
// metadata, process/container context and field handlers) and holds one
// sub-struct per event kind; fields tagged `event:"..."` are selectable by
// rules, while `field:"-"` ones are internal only. Presumably only the
// sub-event matching GetEventType is populated for a given Event — confirm.
// The trailing "[version] [category] description" comments look like
// documentation-generator input; keep their format when editing.
type Event struct {
	BaseEvent

	// globals
	Async bool `field:"event.async,handler:ResolveAsync"` // SECLDoc[event.async] Definition:`True if the syscall was asynchronous`

	// context; NetworkContext is only available to dns and imds rules (restricted_to tag)
	SpanContext    SpanContext    `field:"-"`
	NetworkContext NetworkContext `field:"network" restricted_to:"dns,imds"` // [7.36] [Network] Network context
	CGroupContext  CGroupContext  `field:"cgroup"`

	// fim events (file integrity monitoring)
	Chmod       ChmodEvent    `field:"chmod" event:"chmod"`             // [7.27] [File] A file’s permissions were changed
	Chown       ChownEvent    `field:"chown" event:"chown"`             // [7.27] [File] A file’s owner was changed
	Open        OpenEvent     `field:"open" event:"open"`               // [7.27] [File] A file was opened
	Mkdir       MkdirEvent    `field:"mkdir" event:"mkdir"`             // [7.27] [File] A directory was created
	Rmdir       RmdirEvent    `field:"rmdir" event:"rmdir"`             // [7.27] [File] A directory was removed
	Rename      RenameEvent   `field:"rename" event:"rename"`           // [7.27] [File] A file/directory was renamed
	Unlink      UnlinkEvent   `field:"unlink" event:"unlink"`           // [7.27] [File] A file was deleted
	Utimes      UtimesEvent   `field:"utimes" event:"utimes"`           // [7.27] [File] Change file access/modification times
	Link        LinkEvent     `field:"link" event:"link"`               // [7.27] [File] Create a new name/alias for a file
	SetXAttr    SetXAttrEvent `field:"setxattr" event:"setxattr"`       // [7.27] [File] Set extended attributes
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"` // [7.27] [File] Remove extended attributes
	Splice      SpliceEvent   `field:"splice" event:"splice"`           // [7.36] [File] A splice command was executed
	Mount       MountEvent    `field:"mount" event:"mount"`             // [7.42] [File] [Experimental] A filesystem was mounted
	Chdir       ChdirEvent    `field:"chdir" event:"chdir"`             // [7.52] [File] [Experimental] A process changed the current directory

	// process events; Syscalls and LoginUIDWrite are internal and not exposed to rules
	Exec          ExecEvent          `field:"exec" event:"exec"`     // [7.27] [Process] A process was executed or forked
	SetUID        SetuidEvent        `field:"setuid" event:"setuid"` // [7.27] [Process] A process changed its effective uid
	SetGID        SetgidEvent        `field:"setgid" event:"setgid"` // [7.27] [Process] A process changed its effective gid
	Capset        CapsetEvent        `field:"capset" event:"capset"` // [7.27] [Process] A process changed its capacity set
	Signal        SignalEvent        `field:"signal" event:"signal"` // [7.35] [Process] A signal was sent
	Exit          ExitEvent          `field:"exit" event:"exit"`     // [7.38] [Process] A process was terminated
	Syscalls      SyscallsEvent      `field:"-"`
	LoginUIDWrite LoginUIDWriteEvent `field:"-"`

	// network syscalls
	Bind    BindEvent    `field:"bind" event:"bind"`       // [7.37] [Network] A bind was executed
	Connect ConnectEvent `field:"connect" event:"connect"` // [7.60] [Network] A connect was executed
	Accept  AcceptEvent  `field:"accept" event:"accept"`   // [7.60] [Network] An accept was executed

	// kernel events
	SELinux      SELinuxEvent      `field:"selinux" event:"selinux"`             // [7.30] [Kernel] An SELinux operation was run
	BPF          BPFEvent          `field:"bpf" event:"bpf"`                     // [7.33] [Kernel] A BPF command was executed
	PTrace       PTraceEvent       `field:"ptrace" event:"ptrace"`               // [7.35] [Kernel] A ptrace command was executed
	MMap         MMapEvent         `field:"mmap" event:"mmap"`                   // [7.35] [Kernel] A mmap command was executed
	MProtect     MProtectEvent     `field:"mprotect" event:"mprotect"`           // [7.35] [Kernel] A mprotect command was executed
	LoadModule   LoadModuleEvent   `field:"load_module" event:"load_module"`     // [7.35] [Kernel] A new kernel module was loaded
	UnloadModule UnloadModuleEvent `field:"unload_module" event:"unload_module"` // [7.35] [Kernel] A kernel module was deleted

	// network events (captured traffic rather than syscalls)
	DNS                DNSEvent                `field:"dns" event:"dns"`                                   // [7.36] [Network] A DNS request was sent
	IMDS               IMDSEvent               `field:"imds" event:"imds"`                                 // [7.55] [Network] An IMDS event was captured
	RawPacket          RawPacketEvent          `field:"packet" event:"packet"`                             // [7.60] [Network] A raw network packet was captured
	NetworkFlowMonitor NetworkFlowMonitorEvent `field:"network_flow_monitor" event:"network_flow_monitor"` // [7.63] [Network] A network monitor event was sent

	// on-demand events
	OnDemand OnDemandEvent `field:"ondemand" event:"ondemand"`

	// internal usage: bookkeeping events never exposed to rules
	Umount           UmountEvent           `field:"-"`
	InvalidateDentry InvalidateDentryEvent `field:"-"`
	ArgsEnvs         ArgsEnvsEvent         `field:"-"`
	MountReleased    MountReleasedEvent    `field:"-"`
	CgroupTracing    CgroupTracingEvent    `field:"-"`
	CgroupWrite      CgroupWriteEvent      `field:"-"`
	NetDevice        NetDeviceEvent        `field:"-"`
	VethPair         VethPairEvent         `field:"-"`
	UnshareMountNS   UnshareMountNSEvent   `field:"-"`
}

Event represents an event sent from the kernel (genaccessors)

func NewFakeEvent added in v0.52.0

func NewFakeEvent() *Event

NewFakeEvent returns a new event using the default field handlers

func (*Event) AddToFlags added in v0.45.0

func (e *Event) AddToFlags(flag uint32)

AddToFlags adds a flag to the event

func (*Event) GetActionReports added in v0.52.0

func (e *Event) GetActionReports() []ActionReport

GetActionReports returns the triggered action reports

func (*Event) GetChdirFilePath added in v0.51.1

func (ev *Event) GetChdirFilePath() string

GetChdirFilePath returns the value of the field, resolving if necessary

func (*Event) GetChdirFilePathLength added in v0.51.1

func (ev *Event) GetChdirFilePathLength() int

GetChdirFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetChmodFilePath added in v0.49.0

func (ev *Event) GetChmodFilePath() string

GetChmodFilePath returns the value of the field, resolving if necessary

func (*Event) GetChmodFilePathLength added in v0.49.0

func (ev *Event) GetChmodFilePathLength() int

GetChmodFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetChownFilePath added in v0.49.0

func (ev *Event) GetChownFilePath() string

GetChownFilePath returns the value of the field, resolving if necessary

func (*Event) GetChownFilePathLength added in v0.49.0

func (ev *Event) GetChownFilePathLength() int

GetChownFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetContainerCreatedAt added in v0.49.0

func (ev *Event) GetContainerCreatedAt() int

GetContainerCreatedAt returns the value of the field, resolving if necessary

func (*Event) GetContainerId added in v0.49.0

func (ev *Event) GetContainerId() string

GetContainerId returns the value of the field, resolving if necessary

func (*Event) GetEventService added in v0.52.0

func (ev *Event) GetEventService() string

GetEventService returns the value of the field, resolving if necessary

func (*Event) GetEventType added in v0.34.0

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetExecCmdargv added in v0.55.0

func (ev *Event) GetExecCmdargv() []string

GetExecCmdargv returns the value of the field, resolving if necessary

func (*Event) GetExecEnvp added in v0.49.0

func (ev *Event) GetExecEnvp() []string

GetExecEnvp returns the value of the field, resolving if necessary

func (*Event) GetExecExecTime added in v0.49.0

func (ev *Event) GetExecExecTime() time.Time

GetExecExecTime returns the value of the field, resolving if necessary

func (*Event) GetExecExitTime added in v0.49.0

func (ev *Event) GetExecExitTime() time.Time

GetExecExitTime returns the value of the field, resolving if necessary

func (*Event) GetExecFilePath added in v0.49.0

func (ev *Event) GetExecFilePath() string

GetExecFilePath returns the value of the field, resolving if necessary

func (*Event) GetExecFilePathLength added in v0.49.0

func (ev *Event) GetExecFilePathLength() int

GetExecFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetExecForkTime added in v0.49.0

func (ev *Event) GetExecForkTime() time.Time

GetExecForkTime returns the value of the field, resolving if necessary

func (*Event) GetExecGid added in v0.49.0

func (ev *Event) GetExecGid() uint32

GetExecGid returns the value of the field, resolving if necessary

func (*Event) GetExecGroup added in v0.49.0

func (ev *Event) GetExecGroup() string

GetExecGroup returns the value of the field, resolving if necessary

func (*Event) GetExecInterpreterFilePath added in v0.49.0

func (ev *Event) GetExecInterpreterFilePath() string

GetExecInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetExecInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetExecInterpreterFilePathLength() int

GetExecInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetExecPid added in v0.49.0

func (ev *Event) GetExecPid() uint32

GetExecPid returns the value of the field, resolving if necessary

func (*Event) GetExecPpid added in v0.49.0

func (ev *Event) GetExecPpid() uint32

GetExecPpid returns the value of the field, resolving if necessary

func (*Event) GetExecUid added in v0.49.0

func (ev *Event) GetExecUid() uint32

GetExecUid returns the value of the field, resolving if necessary

func (*Event) GetExecUser added in v0.49.0

func (ev *Event) GetExecUser() string

GetExecUser returns the value of the field, resolving if necessary

func (*Event) GetExitCmdargv added in v0.55.0

func (ev *Event) GetExitCmdargv() []string

GetExitCmdargv returns the value of the field, resolving if necessary

func (*Event) GetExitCode added in v0.49.0

func (ev *Event) GetExitCode() uint32

GetExitCode returns the value of the field, resolving if necessary

func (*Event) GetExitEnvp added in v0.49.0

func (ev *Event) GetExitEnvp() []string

GetExitEnvp returns the value of the field, resolving if necessary

func (*Event) GetExitExecTime added in v0.49.0

func (ev *Event) GetExitExecTime() time.Time

GetExitExecTime returns the value of the field, resolving if necessary

func (*Event) GetExitExitTime added in v0.49.0

func (ev *Event) GetExitExitTime() time.Time

GetExitExitTime returns the value of the field, resolving if necessary

func (*Event) GetExitFilePath added in v0.49.0

func (ev *Event) GetExitFilePath() string

GetExitFilePath returns the value of the field, resolving if necessary

func (*Event) GetExitFilePathLength added in v0.49.0

func (ev *Event) GetExitFilePathLength() int

GetExitFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetExitForkTime added in v0.49.0

func (ev *Event) GetExitForkTime() time.Time

GetExitForkTime returns the value of the field, resolving if necessary

func (*Event) GetExitGid added in v0.49.0

func (ev *Event) GetExitGid() uint32

GetExitGid returns the value of the field, resolving if necessary

func (*Event) GetExitGroup added in v0.49.0

func (ev *Event) GetExitGroup() string

GetExitGroup returns the value of the field, resolving if necessary

func (*Event) GetExitInterpreterFilePath added in v0.49.0

func (ev *Event) GetExitInterpreterFilePath() string

GetExitInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetExitInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetExitInterpreterFilePathLength() int

GetExitInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetExitPid added in v0.49.0

func (ev *Event) GetExitPid() uint32

GetExitPid returns the value of the field, resolving if necessary

func (*Event) GetExitPpid added in v0.49.0

func (ev *Event) GetExitPpid() uint32

GetExitPpid returns the value of the field, resolving if necessary

func (*Event) GetExitUid added in v0.49.0

func (ev *Event) GetExitUid() uint32

GetExitUid returns the value of the field, resolving if necessary

func (*Event) GetExitUser added in v0.49.0

func (ev *Event) GetExitUser() string

GetExitUser returns the value of the field, resolving if necessary

func (*Event) GetFieldMetadata added in v0.63.0

func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kind, error)

func (*Event) GetFieldValue added in v0.34.0

func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields added in v0.34.0

func (ev *Event) GetFields() []eval.Field

func (*Event) GetLinkFileDestinationPath added in v0.49.0

func (ev *Event) GetLinkFileDestinationPath() string

GetLinkFileDestinationPath returns the value of the field, resolving if necessary

func (*Event) GetLinkFileDestinationPathLength added in v0.49.0

func (ev *Event) GetLinkFileDestinationPathLength() int

GetLinkFileDestinationPathLength returns the value of the field, resolving if necessary

func (*Event) GetLinkFilePath added in v0.49.0

func (ev *Event) GetLinkFilePath() string

GetLinkFilePath returns the value of the field, resolving if necessary

func (*Event) GetLinkFilePathLength added in v0.49.0

func (ev *Event) GetLinkFilePathLength() int

GetLinkFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetLoadModuleFilePath added in v0.49.0

func (ev *Event) GetLoadModuleFilePath() string

GetLoadModuleFilePath returns the value of the field, resolving if necessary

func (*Event) GetLoadModuleFilePathLength added in v0.49.0

func (ev *Event) GetLoadModuleFilePathLength() int

GetLoadModuleFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetMkdirFilePath added in v0.49.0

func (ev *Event) GetMkdirFilePath() string

GetMkdirFilePath returns the value of the field, resolving if necessary

func (*Event) GetMkdirFilePathLength added in v0.49.0

func (ev *Event) GetMkdirFilePathLength() int

GetMkdirFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetMmapFilePath added in v0.49.0

func (ev *Event) GetMmapFilePath() string

GetMmapFilePath returns the value of the field, resolving if necessary

func (*Event) GetMmapFilePathLength added in v0.49.0

func (ev *Event) GetMmapFilePathLength() int

GetMmapFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetMountMountpointPath added in v0.49.0

func (ev *Event) GetMountMountpointPath() string

GetMountMountpointPath returns the value of the field, resolving if necessary

func (*Event) GetMountRootPath added in v0.51.0

func (ev *Event) GetMountRootPath() string

GetMountRootPath returns the value of the field, resolving if necessary

func (*Event) GetOpenFilePath added in v0.49.0

func (ev *Event) GetOpenFilePath() string

GetOpenFilePath returns the value of the field, resolving if necessary

func (*Event) GetOpenFilePathLength added in v0.49.0

func (ev *Event) GetOpenFilePathLength() int

GetOpenFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsCmdargv added in v0.55.0

func (ev *Event) GetProcessAncestorsCmdargv() []string

GetProcessAncestorsCmdargv returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsEnvp added in v0.49.0

func (ev *Event) GetProcessAncestorsEnvp() []string

GetProcessAncestorsEnvp returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsFilePath added in v0.49.0

func (ev *Event) GetProcessAncestorsFilePath() []string

GetProcessAncestorsFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsFilePathLength added in v0.49.0

func (ev *Event) GetProcessAncestorsFilePathLength() []int

GetProcessAncestorsFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsGid added in v0.49.0

func (ev *Event) GetProcessAncestorsGid() []uint32

GetProcessAncestorsGid returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsGroup added in v0.49.0

func (ev *Event) GetProcessAncestorsGroup() []string

GetProcessAncestorsGroup returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsInterpreterFilePath added in v0.49.0

func (ev *Event) GetProcessAncestorsInterpreterFilePath() []string

GetProcessAncestorsInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetProcessAncestorsInterpreterFilePathLength() []int

GetProcessAncestorsInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsPid added in v0.49.0

func (ev *Event) GetProcessAncestorsPid() []uint32

GetProcessAncestorsPid returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsPpid added in v0.49.0

func (ev *Event) GetProcessAncestorsPpid() []uint32

GetProcessAncestorsPpid returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsUid added in v0.49.0

func (ev *Event) GetProcessAncestorsUid() []uint32

GetProcessAncestorsUid returns the value of the field, resolving if necessary

func (*Event) GetProcessAncestorsUser added in v0.49.0

func (ev *Event) GetProcessAncestorsUser() []string

GetProcessAncestorsUser returns the value of the field, resolving if necessary

func (*Event) GetProcessCmdargv added in v0.55.0

func (ev *Event) GetProcessCmdargv() []string

GetProcessCmdargv returns the value of the field, resolving if necessary

func (*Event) GetProcessEnvp added in v0.49.0

func (ev *Event) GetProcessEnvp() []string

GetProcessEnvp returns the value of the field, resolving if necessary

func (*Event) GetProcessExecTime added in v0.49.0

func (ev *Event) GetProcessExecTime() time.Time

GetProcessExecTime returns the value of the field, resolving if necessary

func (*Event) GetProcessExitTime added in v0.49.0

func (ev *Event) GetProcessExitTime() time.Time

GetProcessExitTime returns the value of the field, resolving if necessary

func (*Event) GetProcessFilePath added in v0.49.0

func (ev *Event) GetProcessFilePath() string

GetProcessFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessFilePathLength added in v0.49.0

func (ev *Event) GetProcessFilePathLength() int

GetProcessFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessForkTime added in v0.49.0

func (ev *Event) GetProcessForkTime() time.Time

GetProcessForkTime returns the value of the field, resolving if necessary

func (*Event) GetProcessGid added in v0.49.0

func (ev *Event) GetProcessGid() uint32

GetProcessGid returns the value of the field, resolving if necessary

func (*Event) GetProcessGroup added in v0.49.0

func (ev *Event) GetProcessGroup() string

GetProcessGroup returns the value of the field, resolving if necessary

func (*Event) GetProcessInterpreterFilePath added in v0.49.0

func (ev *Event) GetProcessInterpreterFilePath() string

GetProcessInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetProcessInterpreterFilePathLength() int

GetProcessInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessParentCmdargv added in v0.55.0

func (ev *Event) GetProcessParentCmdargv() []string

GetProcessParentCmdargv returns the value of the field, resolving if necessary

func (*Event) GetProcessParentEnvp added in v0.49.0

func (ev *Event) GetProcessParentEnvp() []string

GetProcessParentEnvp returns the value of the field, resolving if necessary

func (*Event) GetProcessParentFilePath added in v0.49.0

func (ev *Event) GetProcessParentFilePath() string

GetProcessParentFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessParentFilePathLength added in v0.49.0

func (ev *Event) GetProcessParentFilePathLength() int

GetProcessParentFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessParentGid added in v0.49.0

func (ev *Event) GetProcessParentGid() uint32

GetProcessParentGid returns the value of the field, resolving if necessary

func (*Event) GetProcessParentGroup added in v0.49.0

func (ev *Event) GetProcessParentGroup() string

GetProcessParentGroup returns the value of the field, resolving if necessary

func (*Event) GetProcessParentInterpreterFilePath added in v0.49.0

func (ev *Event) GetProcessParentInterpreterFilePath() string

GetProcessParentInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetProcessParentInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetProcessParentInterpreterFilePathLength() int

GetProcessParentInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetProcessParentPid added in v0.49.0

func (ev *Event) GetProcessParentPid() uint32

GetProcessParentPid returns the value of the field, resolving if necessary

func (*Event) GetProcessParentPpid added in v0.49.0

func (ev *Event) GetProcessParentPpid() uint32

GetProcessParentPpid returns the value of the field, resolving if necessary

func (*Event) GetProcessParentUid added in v0.49.0

func (ev *Event) GetProcessParentUid() uint32

GetProcessParentUid returns the value of the field, resolving if necessary

func (*Event) GetProcessParentUser added in v0.49.0

func (ev *Event) GetProcessParentUser() string

GetProcessParentUser returns the value of the field, resolving if necessary

func (*Event) GetProcessPid added in v0.49.0

func (ev *Event) GetProcessPid() uint32

GetProcessPid returns the value of the field, resolving if necessary

func (*Event) GetProcessPpid added in v0.49.0

func (ev *Event) GetProcessPpid() uint32

GetProcessPpid returns the value of the field, resolving if necessary

func (*Event) GetProcessUid added in v0.49.0

func (ev *Event) GetProcessUid() uint32

GetProcessUid returns the value of the field, resolving if necessary

func (*Event) GetProcessUser added in v0.49.0

func (ev *Event) GetProcessUser() string

GetProcessUser returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsCmdargv added in v0.55.0

func (ev *Event) GetPtraceTraceeAncestorsCmdargv() []string

GetPtraceTraceeAncestorsCmdargv returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsEnvp added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsEnvp() []string

GetPtraceTraceeAncestorsEnvp returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsFilePath added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsFilePath() []string

GetPtraceTraceeAncestorsFilePath returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsFilePathLength added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsFilePathLength() []int

GetPtraceTraceeAncestorsFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsGid added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsGid() []uint32

GetPtraceTraceeAncestorsGid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsGroup added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsGroup() []string

GetPtraceTraceeAncestorsGroup returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsInterpreterFilePath added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePath() []string

GetPtraceTraceeAncestorsInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePathLength() []int

GetPtraceTraceeAncestorsInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsPid added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsPid() []uint32

GetPtraceTraceeAncestorsPid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsPpid added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsPpid() []uint32

GetPtraceTraceeAncestorsPpid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsUid added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsUid() []uint32

GetPtraceTraceeAncestorsUid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeAncestorsUser added in v0.49.0

func (ev *Event) GetPtraceTraceeAncestorsUser() []string

GetPtraceTraceeAncestorsUser returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeCmdargv added in v0.55.0

func (ev *Event) GetPtraceTraceeCmdargv() []string

GetPtraceTraceeCmdargv returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeEnvp added in v0.49.0

func (ev *Event) GetPtraceTraceeEnvp() []string

GetPtraceTraceeEnvp returns the value of the field, resolving if necessary. The tracee's environment can carry secrets (tokens, passwords, cloud credentials); treat it as sensitive and do not log or forward it unredacted.

func (*Event) GetPtraceTraceeExecTime added in v0.49.0

func (ev *Event) GetPtraceTraceeExecTime() time.Time

GetPtraceTraceeExecTime returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeExitTime added in v0.49.0

func (ev *Event) GetPtraceTraceeExitTime() time.Time

GetPtraceTraceeExitTime returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeFilePath added in v0.49.0

func (ev *Event) GetPtraceTraceeFilePath() string

GetPtraceTraceeFilePath returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeFilePathLength added in v0.49.0

func (ev *Event) GetPtraceTraceeFilePathLength() int

GetPtraceTraceeFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeForkTime added in v0.49.0

func (ev *Event) GetPtraceTraceeForkTime() time.Time

GetPtraceTraceeForkTime returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeGid added in v0.49.0

func (ev *Event) GetPtraceTraceeGid() uint32

GetPtraceTraceeGid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeGroup added in v0.49.0

func (ev *Event) GetPtraceTraceeGroup() string

GetPtraceTraceeGroup returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeInterpreterFilePath added in v0.49.0

func (ev *Event) GetPtraceTraceeInterpreterFilePath() string

GetPtraceTraceeInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetPtraceTraceeInterpreterFilePathLength() int

GetPtraceTraceeInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentCmdargv added in v0.55.0

func (ev *Event) GetPtraceTraceeParentCmdargv() []string

GetPtraceTraceeParentCmdargv returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentEnvp added in v0.49.0

func (ev *Event) GetPtraceTraceeParentEnvp() []string

GetPtraceTraceeParentEnvp returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentFilePath added in v0.49.0

func (ev *Event) GetPtraceTraceeParentFilePath() string

GetPtraceTraceeParentFilePath returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentFilePathLength added in v0.49.0

func (ev *Event) GetPtraceTraceeParentFilePathLength() int

GetPtraceTraceeParentFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentGid added in v0.49.0

func (ev *Event) GetPtraceTraceeParentGid() uint32

GetPtraceTraceeParentGid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentGroup added in v0.49.0

func (ev *Event) GetPtraceTraceeParentGroup() string

GetPtraceTraceeParentGroup returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentInterpreterFilePath added in v0.49.0

func (ev *Event) GetPtraceTraceeParentInterpreterFilePath() string

GetPtraceTraceeParentInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetPtraceTraceeParentInterpreterFilePathLength() int

GetPtraceTraceeParentInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentPid added in v0.49.0

func (ev *Event) GetPtraceTraceeParentPid() uint32

GetPtraceTraceeParentPid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentPpid added in v0.49.0

func (ev *Event) GetPtraceTraceeParentPpid() uint32

GetPtraceTraceeParentPpid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentUid added in v0.49.0

func (ev *Event) GetPtraceTraceeParentUid() uint32

GetPtraceTraceeParentUid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeParentUser added in v0.49.0

func (ev *Event) GetPtraceTraceeParentUser() string

GetPtraceTraceeParentUser returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceePid added in v0.49.0

func (ev *Event) GetPtraceTraceePid() uint32

GetPtraceTraceePid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceePpid added in v0.49.0

func (ev *Event) GetPtraceTraceePpid() uint32

GetPtraceTraceePpid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeUid added in v0.49.0

func (ev *Event) GetPtraceTraceeUid() uint32

GetPtraceTraceeUid returns the value of the field, resolving if necessary

func (*Event) GetPtraceTraceeUser added in v0.49.0

func (ev *Event) GetPtraceTraceeUser() string

GetPtraceTraceeUser returns the value of the field, resolving if necessary

func (*Event) GetRemovexattrFilePath added in v0.49.0

func (ev *Event) GetRemovexattrFilePath() string

GetRemovexattrFilePath returns the value of the field, resolving if necessary

func (*Event) GetRemovexattrFilePathLength added in v0.49.0

func (ev *Event) GetRemovexattrFilePathLength() int

GetRemovexattrFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetRenameFileDestinationPath added in v0.49.0

func (ev *Event) GetRenameFileDestinationPath() string

GetRenameFileDestinationPath returns the value of the field, resolving if necessary

func (*Event) GetRenameFileDestinationPathLength added in v0.49.0

func (ev *Event) GetRenameFileDestinationPathLength() int

GetRenameFileDestinationPathLength returns the value of the field, resolving if necessary

func (*Event) GetRenameFilePath added in v0.49.0

func (ev *Event) GetRenameFilePath() string

GetRenameFilePath returns the value of the field, resolving if necessary

func (*Event) GetRenameFilePathLength added in v0.49.0

func (ev *Event) GetRenameFilePathLength() int

GetRenameFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetRmdirFilePath added in v0.49.0

func (ev *Event) GetRmdirFilePath() string

GetRmdirFilePath returns the value of the field, resolving if necessary

func (*Event) GetRmdirFilePathLength added in v0.49.0

func (ev *Event) GetRmdirFilePathLength() int

GetRmdirFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSetxattrFilePath added in v0.49.0

func (ev *Event) GetSetxattrFilePath() string

GetSetxattrFilePath returns the value of the field, resolving if necessary

func (*Event) GetSetxattrFilePathLength added in v0.49.0

func (ev *Event) GetSetxattrFilePathLength() int

GetSetxattrFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsCmdargv added in v0.55.0

func (ev *Event) GetSignalTargetAncestorsCmdargv() []string

GetSignalTargetAncestorsCmdargv returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsEnvp added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsEnvp() []string

GetSignalTargetAncestorsEnvp returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsFilePath added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsFilePath() []string

GetSignalTargetAncestorsFilePath returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsFilePathLength added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsFilePathLength() []int

GetSignalTargetAncestorsFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsGid added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsGid() []uint32

GetSignalTargetAncestorsGid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsGroup added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsGroup() []string

GetSignalTargetAncestorsGroup returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsInterpreterFilePath added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsInterpreterFilePath() []string

GetSignalTargetAncestorsInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsInterpreterFilePathLength() []int

GetSignalTargetAncestorsInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsPid added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsPid() []uint32

GetSignalTargetAncestorsPid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsPpid added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsPpid() []uint32

GetSignalTargetAncestorsPpid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsUid added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsUid() []uint32

GetSignalTargetAncestorsUid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetAncestorsUser added in v0.49.0

func (ev *Event) GetSignalTargetAncestorsUser() []string

GetSignalTargetAncestorsUser returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetCmdargv added in v0.55.0

func (ev *Event) GetSignalTargetCmdargv() []string

GetSignalTargetCmdargv returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetEnvp added in v0.49.0

func (ev *Event) GetSignalTargetEnvp() []string

GetSignalTargetEnvp returns the value of the field, resolving if necessary. The target's environment can carry secrets (tokens, passwords, cloud credentials); treat it as sensitive and do not log or forward it unredacted.

func (*Event) GetSignalTargetExecTime added in v0.49.0

func (ev *Event) GetSignalTargetExecTime() time.Time

GetSignalTargetExecTime returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetExitTime added in v0.49.0

func (ev *Event) GetSignalTargetExitTime() time.Time

GetSignalTargetExitTime returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetFilePath added in v0.49.0

func (ev *Event) GetSignalTargetFilePath() string

GetSignalTargetFilePath returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetFilePathLength added in v0.49.0

func (ev *Event) GetSignalTargetFilePathLength() int

GetSignalTargetFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetForkTime added in v0.49.0

func (ev *Event) GetSignalTargetForkTime() time.Time

GetSignalTargetForkTime returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetGid added in v0.49.0

func (ev *Event) GetSignalTargetGid() uint32

GetSignalTargetGid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetGroup added in v0.49.0

func (ev *Event) GetSignalTargetGroup() string

GetSignalTargetGroup returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetInterpreterFilePath added in v0.49.0

func (ev *Event) GetSignalTargetInterpreterFilePath() string

GetSignalTargetInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetSignalTargetInterpreterFilePathLength() int

GetSignalTargetInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentCmdargv added in v0.55.0

func (ev *Event) GetSignalTargetParentCmdargv() []string

GetSignalTargetParentCmdargv returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentEnvp added in v0.49.0

func (ev *Event) GetSignalTargetParentEnvp() []string

GetSignalTargetParentEnvp returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentFilePath added in v0.49.0

func (ev *Event) GetSignalTargetParentFilePath() string

GetSignalTargetParentFilePath returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentFilePathLength added in v0.49.0

func (ev *Event) GetSignalTargetParentFilePathLength() int

GetSignalTargetParentFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentGid added in v0.49.0

func (ev *Event) GetSignalTargetParentGid() uint32

GetSignalTargetParentGid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentGroup added in v0.49.0

func (ev *Event) GetSignalTargetParentGroup() string

GetSignalTargetParentGroup returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentInterpreterFilePath added in v0.49.0

func (ev *Event) GetSignalTargetParentInterpreterFilePath() string

GetSignalTargetParentInterpreterFilePath returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentInterpreterFilePathLength added in v0.49.0

func (ev *Event) GetSignalTargetParentInterpreterFilePathLength() int

GetSignalTargetParentInterpreterFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentPid added in v0.49.0

func (ev *Event) GetSignalTargetParentPid() uint32

GetSignalTargetParentPid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentPpid added in v0.49.0

func (ev *Event) GetSignalTargetParentPpid() uint32

GetSignalTargetParentPpid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentUid added in v0.49.0

func (ev *Event) GetSignalTargetParentUid() uint32

GetSignalTargetParentUid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetParentUser added in v0.49.0

func (ev *Event) GetSignalTargetParentUser() string

GetSignalTargetParentUser returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetPid added in v0.49.0

func (ev *Event) GetSignalTargetPid() uint32

GetSignalTargetPid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetPpid added in v0.49.0

func (ev *Event) GetSignalTargetPpid() uint32

GetSignalTargetPpid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetUid added in v0.49.0

func (ev *Event) GetSignalTargetUid() uint32

GetSignalTargetUid returns the value of the field, resolving if necessary

func (*Event) GetSignalTargetUser added in v0.49.0

func (ev *Event) GetSignalTargetUser() string

GetSignalTargetUser returns the value of the field, resolving if necessary

func (*Event) GetSpliceFilePath added in v0.49.0

func (ev *Event) GetSpliceFilePath() string

GetSpliceFilePath returns the value of the field, resolving if necessary

func (*Event) GetSpliceFilePathLength added in v0.49.0

func (ev *Event) GetSpliceFilePathLength() int

GetSpliceFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetTags added in v0.34.0

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetTimestamp added in v0.49.0

func (ev *Event) GetTimestamp() time.Time

GetTimestamp returns the value of the field, resolving if necessary

func (*Event) GetType added in v0.34.0

func (e *Event) GetType() string

GetType returns the event type

func (*Event) GetUnlinkFilePath added in v0.49.0

func (ev *Event) GetUnlinkFilePath() string

GetUnlinkFilePath returns the value of the field, resolving if necessary

func (*Event) GetUnlinkFilePathLength added in v0.49.0

func (ev *Event) GetUnlinkFilePathLength() int

GetUnlinkFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetUtimesFilePath added in v0.49.0

func (ev *Event) GetUtimesFilePath() string

GetUtimesFilePath returns the value of the field, resolving if necessary

func (*Event) GetUtimesFilePathLength added in v0.49.0

func (ev *Event) GetUtimesFilePathLength() int

GetUtimesFilePathLength returns the value of the field, resolving if necessary

func (*Event) GetWorkloadID added in v0.47.0

func (e *Event) GetWorkloadID() string

GetWorkloadID returns an ID that represents the workload

func (*Event) HasActiveActivityDump added in v0.53.0

func (e *Event) HasActiveActivityDump() bool

HasActiveActivityDump returns true if the event has an active activity dump associated to it

func (*Event) Init added in v0.39.0

func (e *Event) Init()

Init initializes the event.

func (*Event) IsActivityDumpSample added in v0.40.0

func (e *Event) IsActivityDumpSample() bool

IsActivityDumpSample reports whether the event is an activity dump (AD) sample.

func (*Event) IsAnomalyDetectionEvent added in v0.47.0

func (e *Event) IsAnomalyDetectionEvent() bool

IsAnomalyDetectionEvent returns true if the current event is an anomaly detection event (kernel or user space)

func (*Event) IsInProfile added in v0.45.0

func (e *Event) IsInProfile() bool

IsInProfile returns true if the event was found in the security profile.

func (*Event) IsSavedByActivityDumps added in v0.44.0

func (e *Event) IsSavedByActivityDumps() bool

IsSavedByActivityDumps reports whether the event was saved by an activity dump (AD).

func (*Event) Release added in v0.43.0

func (e *Event) Release()

Release the event

func (*Event) RemoveFromFlags added in v0.45.0

func (e *Event) RemoveFromFlags(flag uint32)

RemoveFromFlags removes a flag from the event.

func (*Event) ResetAnomalyDetectionEvent added in v0.61.0

func (e *Event) ResetAnomalyDetectionEvent()

ResetAnomalyDetectionEvent removes the anomaly detection event flag

func (*Event) ResolveEventTime added in v0.46.0

func (e *Event) ResolveEventTime() time.Time

ResolveEventTime delegates to the field handler to resolve the event's time.

func (*Event) ResolveFields added in v0.43.0

func (ev *Event) ResolveFields()

ResolveFields resolves all the fields associated with the event type. Context fields are automatically resolved.

func (*Event) ResolveFieldsForAD added in v0.44.0

func (ev *Event) ResolveFieldsForAD()

ResolveFieldsForAD resolves all the fields associated with the event type, for activity dump (AD) purposes. Context fields are automatically resolved.

func (*Event) ResolveProcessCacheEntry added in v0.43.0

func (e *Event) ResolveProcessCacheEntry(newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry delegates to the field handler to resolve the process cache entry for this event, forwarding newEntryCb to it; the boolean result is expected to report whether an entry was obtained — confirm against the field handler implementation.

func (*Event) ResolveService added in v0.52.0

func (e *Event) ResolveService() string

ResolveService delegates to the field handler to resolve the service name associated with the event.

func (*Event) Retain added in v0.43.0

func (e *Event) Retain() Event

Retain the event

func (*Event) SetFieldValue added in v0.34.0

func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) SetPathResolutionError added in v0.43.0

func (ev *Event) SetPathResolutionError(fileFields *FileEvent, err error)

SetPathResolutionError sets the Event.pathResolutionError

func (*Event) Zero added in v0.48.0

func (e *Event) Zero()

Zero the event

type EventCategory added in v0.34.0

// EventCategory names the coarse category an event type belongs to (one of
// the FIMCategory … NetworkCategory constants). It is an alias of string, so
// values compare and serialize as plain strings.
type EventCategory = string

EventCategory is the category an event type belongs to (one of the constants below).

// Event categories. GetEventTypeCategory maps an event type to one of these
// human-readable names; the literal strings are what consumers see, so
// renaming one is a visible change.
const (
	// FIMCategory groups file-integrity-monitoring (file system) events.
	FIMCategory EventCategory = "File Activity"
	// ProcessCategory groups process lifecycle events.
	ProcessCategory EventCategory = "Process Activity"
	// KernelCategory groups kernel-level events.
	KernelCategory EventCategory = "Kernel Activity"
	// NetworkCategory groups network events.
	NetworkCategory EventCategory = "Network Activity"
)

Event categories

func GetAllCategories added in v0.34.0

func GetAllCategories() []EventCategory

GetAllCategories returns all categories

func GetEventTypeCategory added in v0.34.0

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

type EventFilteringProfileState added in v0.55.0

// EventFilteringProfileState classifies, for metrics, why an event was or
// was not learned into its matching security profile. It is a uint8 enum
// whose values are the constants below; String and ToTag render it.
type EventFilteringProfileState uint8

EventFilteringProfileState is used to compute metrics for the event filtering feature: it records why an event was, or was not, learned into its matching security profile.

// EventFilteringProfileState values. They are numbered from 0 with iota, so
// new states should be appended at the end to keep the existing numeric
// values (and anything keyed on them, such as metric tags) stable.
const (
	// NoProfile is used to count the events for which we didn't have a profile
	NoProfile EventFilteringProfileState = iota
	// ProfileAtMaxSize is used to count the events that didn't make it into a profile because their matching profile
	// reached the max size threshold.
	// NOTE(review): behaviour first seen after the profile filled up is therefore not learned — confirm how such
	// events are treated downstream (flagged as anomalies vs. dropped), since this affects detection coverage.
	ProfileAtMaxSize
	// UnstableEventType is used to count the events that didn't make it into a profile because their matching profile was
	// unstable for their event type
	UnstableEventType
	// StableEventType is used to count the events linked to a profile that is stable for their event type
	StableEventType
	// AutoLearning is used to count the events seen during the auto-learning phase
	AutoLearning
	// WorkloadWarmup is used to count the events learned because the workload was still within its warm-up period
	WorkloadWarmup
)

func (EventFilteringProfileState) String added in v0.55.0

func (efr EventFilteringProfileState) String() string

String returns the string representation of the EventFilteringProfileState

func (EventFilteringProfileState) ToTag added in v0.55.0

func (efr EventFilteringProfileState) ToTag() string

ToTag returns the tag representation of the EventFilteringProfileState

type EventType

// EventType identifies the kind of an event. Kernel event types carry the
// numeric value assigned by the iota enumeration below, which is what the
// kernel sends, so the enumeration order is part of the kernel/user-space
// contract and must not be changed casually.
type EventType uint32

EventType describes the type of an event. The numeric values of the kernel event types (UnknownEventType up to MaxKernelEventType) are those sent from the kernel; CustomEventType and the types declared after it are not kernel events.

// Event type values. Kernel event types are numbered consecutively from
// UnknownEventType (0) with iota and, per the EventType doc, are the values
// sent by the kernel, so the order below is load-bearing: inserting or
// reordering an entry renumbers every entry after it. New kernel event
// types belong immediately before MaxKernelEventType. The kernel-side
// definition is not visible here — confirm the two stay in sync.
const (
	// UnknownEventType unknown event (zero value)
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileChdirEventType chdir event
	FileChdirEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event (DEPRECATED).
	// Kept so that the values after it do not shift.
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// BPFEventType bpf event
	BPFEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// LoadModuleEventType LoadModule event
	LoadModuleEventType
	// UnloadModuleEventType UnloadModule event
	UnloadModuleEventType
	// SignalEventType Signal event
	SignalEventType
	// SpliceEventType Splice event
	SpliceEventType
	// CgroupTracingEventType is sent when a new cgroup is being traced
	CgroupTracingEventType
	// DNSEventType DNS event
	DNSEventType
	// NetDeviceEventType is sent for events on net devices
	NetDeviceEventType
	// VethPairEventType is sent when a new veth pair is created
	VethPairEventType
	// AcceptEventType Accept event
	AcceptEventType
	// BindEventType Bind event
	BindEventType
	// ConnectEventType Connect event
	ConnectEventType
	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
	UnshareMountNsEventType
	// SyscallsEventType Syscalls event
	SyscallsEventType
	// IMDSEventType is sent when an IMDS request or answer is captured
	IMDSEventType
	// OnDemandEventType is sent for on-demand events
	OnDemandEventType
	// LoginUIDWriteEventType is sent for login_uid write events
	LoginUIDWriteEventType
	// CgroupWriteEventType is sent when a new cgroup was created
	CgroupWriteEventType
	// RawPacketEventType raw packet event
	RawPacketEventType
	// NetworkFlowMonitorEventType is sent to monitor network activity
	NetworkFlowMonitorEventType
	// StatEventType stat event (used kernel side only)
	StatEventType
	// MaxKernelEventType is used internally to get the maximum number of kernel events.
	// It is a sentinel, not an event type: by iota its value equals the number of entries above it.
	MaxKernelEventType

	// FirstEventType is the first valid event type
	FirstEventType = FileOpenEventType

	// LastEventType is the last valid event type.
	// NOTE(review): the kernel event types declared after SyscallsEventType
	// (IMDSEventType through StatEventType) lie outside the range
	// [FirstEventType, LastEventType]; any loop over that range skips them.
	// Confirm this is intended and that MaxKernelEventType is used wherever
	// every kernel event type must be covered.
	LastEventType = SyscallsEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	// (i.e. the file event types from FileOpenEventType up to FileChdirEventType)
	LastDiscarderEventType = FileChdirEventType

	// LastApproverEventType is the last event that accepts approvers
	LastApproverEventType = SpliceEventType

	// CustomEventType represents a custom event type.
	// iota keeps counting across the five alias specs above, so this is
	// MaxKernelEventType+6 and the values in between are unused. The custom
	// types that follow look Windows-oriented (registry keys, permission
	// changes) — confirm which event source emits them.
	CustomEventType EventType = iota

	// CreateNewFileEventType event
	CreateNewFileEventType
	// DeleteFileEventType event
	DeleteFileEventType
	// WriteFileEventType event
	WriteFileEventType
	// CreateRegistryKeyEventType event
	CreateRegistryKeyEventType
	// OpenRegistryKeyEventType event
	OpenRegistryKeyEventType
	// SetRegistryKeyValueEventType event
	SetRegistryKeyValueEventType
	// DeleteRegistryKeyEventType event
	DeleteRegistryKeyEventType
	// ChangePermissionEventType event
	ChangePermissionEventType

	// MaxAllEventType is used internally to get the maximum number of events.
	// Sentinel, not an event type; it bounds both kernel and custom types.
	MaxAllEventType
)

func (EventType) String

func (t EventType) String() string

type ExecEvent added in v0.34.0

// ExecEvent represents an exec event: the executed process (embedded
// *Process) together with the exec syscall's argument context.
type ExecEvent struct {
	SyscallContext
	*Process

	// Syscall context aliases
	//
	// SyscallPath is the path string the caller passed to the exec syscall
	// (aliased from exec.syscall.str1). NOTE(review): this is the raw
	// argument, which may be relative or reach the binary through a symlink;
	// it is not the kernel-resolved path of the executed file. Rules that
	// need the actual binary should match on the process file path fields.
	SyscallPath string `field:"syscall.path,ref:exec.syscall.str1"` // SECLDoc[syscall.path] Definition:`path argument of the syscall`
}

ExecEvent represents an exec event.

type ExitEvent added in v0.38.0

// ExitEvent represents a process exit event: the exiting process plus how
// and with what status it terminated.
type ExitEvent struct {
	*Process
	// Cause is the termination reason (EXITED, SIGNALED or COREDUMPED, per the SECL doc below).
	Cause uint32 `field:"cause"`                 // SECLDoc[cause] Definition:`Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)`
	// Code is either the exit status or the terminating signal number; which one presumably depends on Cause — confirm.
	Code  uint32 `field:"code,opts:gen_getters"` // SECLDoc[code] Definition:`Exit code of the process or number of the signal that caused the process to terminate`
}

ExitEvent represents a process exit event

type ExtraFieldHandlers added in v0.43.0

// ExtraFieldHandlers groups the resolvers that are not attached to any single
// event field, on top of BaseExtraFieldHandlers. FakeFieldHandlers provides
// stub versions of at least some of these methods.
type ExtraFieldHandlers interface {
	BaseExtraFieldHandlers
	// ResolveHashes returns the hashes computed for file in the context of
	// process and eventType (an empty result presumably means not hashed — confirm).
	ResolveHashes(eventType EventType, process *Process, file *FileEvent) []string
	// ResolveUserSessionContext fills evtCtx in place; there is no return value.
	ResolveUserSessionContext(evtCtx *UserSessionContext)
	// ResolveAWSSecurityCredentials returns the AWS security credentials
	// associated with event. The result is credential material: treat it as
	// sensitive and never log or forward it unredacted.
	ResolveAWSSecurityCredentials(event *Event) []AWSSecurityCredentials
	// ResolveSyscallCtxArgs fills the syscall argument context e for ev in place.
	ResolveSyscallCtxArgs(ev *Event, e *SyscallContext)
}

ExtraFieldHandlers groups the resolver handlers that are not attached to any single field.

type FakeFieldHandlers added in v0.52.0

// FakeFieldHandlers is an empty, stateless stub of the field handlers, for
// use where no real resolver is wired in (tests and the like). Its
// ResolveContainerContext is documented as a stub; the other methods are
// presumably no-ops or zero-value returns as well — confirm before relying
// on any field resolved through it.
type FakeFieldHandlers struct{}

func (*FakeFieldHandlers) ResolveAWSSecurityCredentials added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveAWSSecurityCredentials(_ *Event) []AWSSecurityCredentials

ResolveAWSSecurityCredentials is the FakeFieldHandlers stub of the handler that resolves the AWS security credentials of the event's process (see ExtraFieldHandlers); as a stub it is not expected to perform any real resolution — confirm against the implementation.

func (*FakeFieldHandlers) ResolveAsync added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveAsync(ev *Event) bool

func (*FakeFieldHandlers) ResolveCGroupID added in v0.57.0

func (dfh *FakeFieldHandlers) ResolveCGroupID(ev *Event, e *CGroupContext) string

func (*FakeFieldHandlers) ResolveCGroupManager added in v0.57.0

func (dfh *FakeFieldHandlers) ResolveCGroupManager(ev *Event, e *CGroupContext) string

func (*FakeFieldHandlers) ResolveCGroupVersion added in v0.62.0

func (dfh *FakeFieldHandlers) ResolveCGroupVersion(ev *Event, e *CGroupContext) int

func (*FakeFieldHandlers) ResolveChownGID added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveChownGID(ev *Event, e *ChownEvent) string

func (*FakeFieldHandlers) ResolveChownUID added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveChownUID(ev *Event, e *ChownEvent) string

func (*FakeFieldHandlers) ResolveContainerContext added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool)

ResolveContainerContext stub implementation

func (*FakeFieldHandlers) ResolveContainerCreatedAt added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int

func (*FakeFieldHandlers) ResolveContainerID added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerID(ev *Event, e *ContainerContext) string

func (*FakeFieldHandlers) ResolveContainerRuntime added in v0.57.0

func (dfh *FakeFieldHandlers) ResolveContainerRuntime(ev *Event, e *ContainerContext) string

func (*FakeFieldHandlers) ResolveContainerTags added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string

func (*FakeFieldHandlers) ResolveEventTime added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time

func (*FakeFieldHandlers) ResolveEventTimestamp added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int

func (*FakeFieldHandlers) ResolveFileBasename added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveFileFieldsGroup added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFileFieldsGroup(ev *Event, e *FileFields) string

func (*FakeFieldHandlers) ResolveFileFieldsInUpperLayer added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFileFieldsInUpperLayer(ev *Event, e *FileFields) bool

func (*FakeFieldHandlers) ResolveFileFieldsUser added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFileFieldsUser(ev *Event, e *FileFields) string

func (*FakeFieldHandlers) ResolveFileFilesystem added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFileFilesystem(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveFilePath added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveHashes added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveHashes(_ EventType, _ *Process, _ *FileEvent) []string

ResolveHashes resolves the hash of the provided file

func (*FakeFieldHandlers) ResolveHashesFromEvent added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveHashesFromEvent(ev *Event, e *FileEvent) []string

func (*FakeFieldHandlers) ResolveHostname added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveHostname(ev *Event, e *BaseEvent) string

func (*FakeFieldHandlers) ResolveIsIPPublic added in v0.61.0

func (dfh *FakeFieldHandlers) ResolveIsIPPublic(ev *Event, e *IPPortContext) bool

func (*FakeFieldHandlers) ResolveK8SGroups added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveK8SGroups(ev *Event, e *UserSessionContext) []string

func (*FakeFieldHandlers) ResolveK8SUID added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveK8SUID(ev *Event, e *UserSessionContext) string

func (*FakeFieldHandlers) ResolveK8SUsername added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveK8SUsername(ev *Event, e *UserSessionContext) string

func (*FakeFieldHandlers) ResolveModuleArgs added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveModuleArgs(ev *Event, e *LoadModuleEvent) string

func (*FakeFieldHandlers) ResolveModuleArgv added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveModuleArgv(ev *Event, e *LoadModuleEvent) []string

func (*FakeFieldHandlers) ResolveMountPointPath added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveMountPointPath(ev *Event, e *MountEvent) string

func (*FakeFieldHandlers) ResolveMountRootPath added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveMountRootPath(ev *Event, e *MountEvent) string

func (*FakeFieldHandlers) ResolveMountSourcePath added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveMountSourcePath(ev *Event, e *MountEvent) string

func (*FakeFieldHandlers) ResolveNetworkDeviceIfName added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveNetworkDeviceIfName(ev *Event, e *NetworkDeviceContext) string

func (*FakeFieldHandlers) ResolveOnDemandArg1Str added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg1Str(ev *Event, e *OnDemandEvent) string

func (*FakeFieldHandlers) ResolveOnDemandArg1Uint added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg1Uint(ev *Event, e *OnDemandEvent) int

func (*FakeFieldHandlers) ResolveOnDemandArg2Str added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg2Str(ev *Event, e *OnDemandEvent) string

func (*FakeFieldHandlers) ResolveOnDemandArg2Uint added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg2Uint(ev *Event, e *OnDemandEvent) int

func (*FakeFieldHandlers) ResolveOnDemandArg3Str added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg3Str(ev *Event, e *OnDemandEvent) string

func (*FakeFieldHandlers) ResolveOnDemandArg3Uint added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg3Uint(ev *Event, e *OnDemandEvent) int

func (*FakeFieldHandlers) ResolveOnDemandArg4Str added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg4Str(ev *Event, e *OnDemandEvent) string

func (*FakeFieldHandlers) ResolveOnDemandArg4Uint added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandArg4Uint(ev *Event, e *OnDemandEvent) int

func (*FakeFieldHandlers) ResolveOnDemandName added in v0.56.0

func (dfh *FakeFieldHandlers) ResolveOnDemandName(ev *Event, e *OnDemandEvent) string

func (*FakeFieldHandlers) ResolvePackageName added in v0.52.0

func (dfh *FakeFieldHandlers) ResolvePackageName(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolvePackageSourceVersion added in v0.52.0

func (dfh *FakeFieldHandlers) ResolvePackageSourceVersion(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolvePackageVersion added in v0.52.0

func (dfh *FakeFieldHandlers) ResolvePackageVersion(ev *Event, e *FileEvent) string

func (*FakeFieldHandlers) ResolveProcessArgs added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgs(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessArgsFlags added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgsFlags(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessArgsOptions added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgsOptions(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessArgsScrubbed added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgsScrubbed(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessArgsTruncated added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgsTruncated(ev *Event, e *Process) bool

func (*FakeFieldHandlers) ResolveProcessArgv added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgv(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessArgv0 added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgv0(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessArgvScrubbed added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessArgvScrubbed(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessCacheEntry added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(_ *Event, _ func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)

ResolveProcessCacheEntry stub implementation

func (*FakeFieldHandlers) ResolveProcessCmdArgv added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveProcessCmdArgv(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessContainerID added in v0.57.0

func (dfh *FakeFieldHandlers) ResolveProcessContainerID(ev *Event, e *Process) string

func (*FakeFieldHandlers) ResolveProcessCreatedAt added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int

func (*FakeFieldHandlers) ResolveProcessEnvp added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessEnvp(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessEnvs added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessEnvs(ev *Event, e *Process) []string

func (*FakeFieldHandlers) ResolveProcessEnvsTruncated added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveProcessEnvsTruncated(ev *Event, e *Process) bool

func (*FakeFieldHandlers) ResolveProcessIsThread added in v0.60.0

func (dfh *FakeFieldHandlers) ResolveProcessIsThread(ev *Event, e *Process) bool

func (*FakeFieldHandlers) ResolveRights added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveRights(ev *Event, e *FileFields) int

func (*FakeFieldHandlers) ResolveSELinuxBoolName added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSELinuxBoolName(ev *Event, e *SELinuxEvent) string

func (*FakeFieldHandlers) ResolveService added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveService(ev *Event, e *BaseEvent) string

func (*FakeFieldHandlers) ResolveSetgidEGroup added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSetgidEGroup(ev *Event, e *SetgidEvent) string

func (*FakeFieldHandlers) ResolveSetgidFSGroup added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSetgidFSGroup(ev *Event, e *SetgidEvent) string

func (*FakeFieldHandlers) ResolveSetgidGroup added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSetgidGroup(ev *Event, e *SetgidEvent) string

func (*FakeFieldHandlers) ResolveSetuidEUser added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSetuidEUser(ev *Event, e *SetuidEvent) string

func (*FakeFieldHandlers) ResolveSetuidFSUser added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSetuidFSUser(ev *Event, e *SetuidEvent) string

func (*FakeFieldHandlers) ResolveSetuidUser added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveSetuidUser(ev *Event, e *SetuidEvent) string

func (*FakeFieldHandlers) ResolveSyscallCtxArgs added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgs(_ *Event, _ *SyscallContext)

ResolveSyscallCtxArgs resolves syscall context

func (*FakeFieldHandlers) ResolveSyscallCtxArgsInt1 added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgsInt1(ev *Event, e *SyscallContext) int

func (*FakeFieldHandlers) ResolveSyscallCtxArgsInt2 added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgsInt2(ev *Event, e *SyscallContext) int

func (*FakeFieldHandlers) ResolveSyscallCtxArgsInt3 added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgsInt3(ev *Event, e *SyscallContext) int

func (*FakeFieldHandlers) ResolveSyscallCtxArgsStr1 added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgsStr1(ev *Event, e *SyscallContext) string

func (*FakeFieldHandlers) ResolveSyscallCtxArgsStr2 added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgsStr2(ev *Event, e *SyscallContext) string

func (*FakeFieldHandlers) ResolveSyscallCtxArgsStr3 added in v0.55.0

func (dfh *FakeFieldHandlers) ResolveSyscallCtxArgsStr3(ev *Event, e *SyscallContext) string

func (*FakeFieldHandlers) ResolveUserSessionContext added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveUserSessionContext(_ *UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*FakeFieldHandlers) ResolveXAttrName added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveXAttrName(ev *Event, e *SetXAttrEvent) string

func (*FakeFieldHandlers) ResolveXAttrNamespace added in v0.52.0

func (dfh *FakeFieldHandlers) ResolveXAttrNamespace(ev *Event, e *SetXAttrEvent) string

type FieldHandlers added in v0.43.0

// FieldHandlers is the set of resolver callbacks that SECL field accessors call
// through: a struct field tagged `field:"...,handler:ResolveX"` is resolved by
// the ResolveX method here. Every method receives the enclosing Event plus the
// sub-struct that owns the field.
type FieldHandlers interface {
	ResolveAsync(ev *Event) bool
	ResolveCGroupID(ev *Event, e *CGroupContext) string
	ResolveCGroupManager(ev *Event, e *CGroupContext) string
	ResolveCGroupVersion(ev *Event, e *CGroupContext) int
	ResolveChownGID(ev *Event, e *ChownEvent) string
	ResolveChownUID(ev *Event, e *ChownEvent) string
	ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
	ResolveContainerID(ev *Event, e *ContainerContext) string
	ResolveContainerRuntime(ev *Event, e *ContainerContext) string
	ResolveContainerTags(ev *Event, e *ContainerContext) []string
	ResolveEventTime(ev *Event, e *BaseEvent) time.Time
	ResolveEventTimestamp(ev *Event, e *BaseEvent) int
	ResolveFileBasename(ev *Event, e *FileEvent) string
	ResolveFileFieldsGroup(ev *Event, e *FileFields) string
	ResolveFileFieldsInUpperLayer(ev *Event, e *FileFields) bool
	ResolveFileFieldsUser(ev *Event, e *FileFields) string
	ResolveFileFilesystem(ev *Event, e *FileEvent) string
	ResolveFilePath(ev *Event, e *FileEvent) string
	ResolveHashesFromEvent(ev *Event, e *FileEvent) []string
	ResolveHostname(ev *Event, e *BaseEvent) string
	ResolveIsIPPublic(ev *Event, e *IPPortContext) bool
	ResolveK8SGroups(ev *Event, e *UserSessionContext) []string
	ResolveK8SUID(ev *Event, e *UserSessionContext) string
	ResolveK8SUsername(ev *Event, e *UserSessionContext) string
	ResolveModuleArgs(ev *Event, e *LoadModuleEvent) string
	ResolveModuleArgv(ev *Event, e *LoadModuleEvent) []string
	ResolveMountPointPath(ev *Event, e *MountEvent) string
	ResolveMountRootPath(ev *Event, e *MountEvent) string
	ResolveMountSourcePath(ev *Event, e *MountEvent) string
	ResolveNetworkDeviceIfName(ev *Event, e *NetworkDeviceContext) string
	ResolveOnDemandArg1Str(ev *Event, e *OnDemandEvent) string
	ResolveOnDemandArg1Uint(ev *Event, e *OnDemandEvent) int
	ResolveOnDemandArg2Str(ev *Event, e *OnDemandEvent) string
	ResolveOnDemandArg2Uint(ev *Event, e *OnDemandEvent) int
	ResolveOnDemandArg3Str(ev *Event, e *OnDemandEvent) string
	ResolveOnDemandArg3Uint(ev *Event, e *OnDemandEvent) int
	ResolveOnDemandArg4Str(ev *Event, e *OnDemandEvent) string
	ResolveOnDemandArg4Uint(ev *Event, e *OnDemandEvent) int
	ResolveOnDemandName(ev *Event, e *OnDemandEvent) string
	ResolvePackageName(ev *Event, e *FileEvent) string
	ResolvePackageSourceVersion(ev *Event, e *FileEvent) string
	ResolvePackageVersion(ev *Event, e *FileEvent) string
	ResolveProcessArgs(ev *Event, e *Process) string
	ResolveProcessArgsFlags(ev *Event, e *Process) []string
	ResolveProcessArgsOptions(ev *Event, e *Process) []string
	// NOTE(review): the *Scrubbed variants are presumably the redacted forms of
	// args/argv; confirm that serializers and log sinks use those rather than
	// the raw ones, since command lines routinely carry secrets.
	ResolveProcessArgsScrubbed(ev *Event, e *Process) string
	ResolveProcessArgsTruncated(ev *Event, e *Process) bool
	ResolveProcessArgv(ev *Event, e *Process) []string
	ResolveProcessArgv0(ev *Event, e *Process) string
	ResolveProcessArgvScrubbed(ev *Event, e *Process) []string
	ResolveProcessCmdArgv(ev *Event, e *Process) []string
	ResolveProcessContainerID(ev *Event, e *Process) string
	ResolveProcessCreatedAt(ev *Event, e *Process) int
	// NOTE(review): Envp vs Envs — the distinction is not visible here
	// (presumably name=value pairs vs names only); environment values commonly
	// hold credentials, so confirm which one is exposed to rules and outputs.
	ResolveProcessEnvp(ev *Event, e *Process) []string
	ResolveProcessEnvs(ev *Event, e *Process) []string
	ResolveProcessEnvsTruncated(ev *Event, e *Process) bool
	ResolveProcessIsThread(ev *Event, e *Process) bool
	ResolveRights(ev *Event, e *FileFields) int
	ResolveSELinuxBoolName(ev *Event, e *SELinuxEvent) string
	ResolveService(ev *Event, e *BaseEvent) string
	ResolveSetgidEGroup(ev *Event, e *SetgidEvent) string
	ResolveSetgidFSGroup(ev *Event, e *SetgidEvent) string
	ResolveSetgidGroup(ev *Event, e *SetgidEvent) string
	ResolveSetuidEUser(ev *Event, e *SetuidEvent) string
	ResolveSetuidFSUser(ev *Event, e *SetuidEvent) string
	ResolveSetuidUser(ev *Event, e *SetuidEvent) string
	ResolveSyscallCtxArgsInt1(ev *Event, e *SyscallContext) int
	ResolveSyscallCtxArgsInt2(ev *Event, e *SyscallContext) int
	ResolveSyscallCtxArgsInt3(ev *Event, e *SyscallContext) int
	ResolveSyscallCtxArgsStr1(ev *Event, e *SyscallContext) string
	ResolveSyscallCtxArgsStr2(ev *Event, e *SyscallContext) string
	ResolveSyscallCtxArgsStr3(ev *Event, e *SyscallContext) string
	ResolveXAttrName(ev *Event, e *SetXAttrEvent) string
	ResolveXAttrNamespace(ev *Event, e *SetXAttrEvent) string
	// custom handlers not tied to any fields
	ExtraFieldHandlers
}

type FileEvent added in v0.34.0

// FileEvent is the common file event type: the identifying FileFields plus the
// lazily resolved path, basename, filesystem, package and hash information.
// Fields tagged `field:"-"` are internal and not exposed to SECL rules.
type FileEvent struct {
	FileFields

	// path and name carry an op_override (ProcessSymlink*), presumably so that
	// comparisons also account for captured symlinks (see MaxSymlinks) rather
	// than only the literal resolved string — TODO confirm in the eval package.
	PathnameStr string `field:"path,handler:ResolveFilePath,opts:length|gen_getters" op_override:"ProcessSymlinkPathname"` // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "/usr/bin/apt"` Description:`Matches the execution of the file located at /usr/bin/apt` Example:`open.file.path == "/etc/passwd"` Description:`Matches any process opening the /etc/passwd file.`
	BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"ProcessSymlinkBasename"`         // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "apt"` Description:`Matches the execution of any file named apt.`
	Filesystem  string `field:"filesystem,handler:ResolveFileFilesystem"`                                                  // SECLDoc[filesystem] Definition:`File's filesystem`

	// Mount information the resolvers work from; not rule-visible.
	MountPath   string `field:"-"`
	MountSource uint32 `field:"-"`
	MountOrigin uint32 `field:"-"`

	// PathResolutionError records a failed path resolution; GetPathResolutionError
	// exposes it as a string.
	PathResolutionError error `field:"-"`

	// Package attribution is marked experimental in the SECL docs.
	PkgName       string `field:"package.name,handler:ResolvePackageName"`                    // SECLDoc[package.name] Definition:`[Experimental] Name of the package that provided this file`
	PkgVersion    string `field:"package.version,handler:ResolvePackageVersion"`              // SECLDoc[package.version] Definition:`[Experimental] Full version of the package that provided this file`
	PkgSrcVersion string `field:"package.source_version,handler:ResolvePackageSourceVersion"` // SECLDoc[package.source_version] Definition:`[Experimental] Full version of the source package of the package that provided this file`

	// HashState tracks whether hashing was attempted/succeeded (see HashState);
	// Hashes is the result. NOTE(review): `skip_ad` presumably excludes the field
	// from activity dumps and `weight:999` orders it last in evaluation because
	// hashing is expensive — confirm against the field-tag parser.
	HashState HashState `field:"-"`
	Hashes    []string  `field:"hashes,handler:ResolveHashesFromEvent,opts:skip_ad,weight:999"` // SECLDoc[hashes] Definition:`[Experimental] List of cryptographic hashes computed for this file`

	// used to mark as already resolved, can be used in case of empty path
	IsPathnameStrResolved bool `field:"-"`
	IsBasenameStrResolved bool `field:"-"`
}

FileEvent is the common file event type

func (*FileEvent) Equals added in v0.47.0

func (e *FileEvent) Equals(o *FileEvent) bool

Equals compares two FileEvent values

func (*FileEvent) GetPathResolutionError added in v0.34.0

func (e *FileEvent) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*FileEvent) IsOverlayFS added in v0.46.0

func (e *FileEvent) IsOverlayFS() bool

IsOverlayFS returns whether it is an overlay fs

func (*FileEvent) SetBasenameStr added in v0.36.0

func (e *FileEvent) SetBasenameStr(str string)

SetBasenameStr sets the basename and marks it as resolved

func (*FileEvent) SetPathnameStr added in v0.36.0

func (e *FileEvent) SetPathnameStr(str string)

SetPathnameStr sets the pathname and marks it as resolved

type FileFields added in v0.34.0

// FileFields holds the information required to identify a file: ownership,
// mode, timestamps, and the PathKey/Device that locate it. Fields tagged
// `field:"-"` are not exposed to SECL rules. Mode backs two SECL fields,
// `mode` (raw) and `rights` (via ResolveRights).
type FileFields struct {
	UID   uint32 `field:"uid"`                                           // SECLDoc[uid] Definition:`UID of the file's owner`
	User  string `field:"user,handler:ResolveFileFieldsUser"`            // SECLDoc[user] Definition:`User of the file's owner`
	GID   uint32 `field:"gid"`                                           // SECLDoc[gid] Definition:`GID of the file's owner`
	Group string `field:"group,handler:ResolveFileFieldsGroup"`          // SECLDoc[group] Definition:`Group of the file's owner`
	Mode  uint16 `field:"mode;rights,handler:ResolveRights,opts:helper"` // SECLDoc[mode] Definition:`Mode of the file` Constants:`Inode mode constants` SECLDoc[rights] Definition:`Rights of the file` Constants:`File mode constants`
	CTime uint64 `field:"change_time"`                                   // SECLDoc[change_time] Definition:`Change time (ctime) of the file`
	MTime uint64 `field:"modification_time"`                             // SECLDoc[modification_time] Definition:`Modification time (mtime) of the file`

	// PathKey (embedded) and Device locate the inode; Device is internal only.
	PathKey
	Device uint32 `field:"-"`

	// InUpperLayer is consulted by IsInUpperLayer/IsInLowerLayer — presumably
	// only meaningful on overlay filesystems; confirm with the resolver.
	InUpperLayer bool `field:"in_upper_layer,handler:ResolveFileFieldsInUpperLayer"` // SECLDoc[in_upper_layer] Definition:`Indicator of the file layer, for example, in an OverlayFS`

	// NLink is presumably what HasHardLinks consults; Flags is kernel-provided
	// state. Neither is rule-visible — TODO confirm against the resolvers.
	NLink uint32 `field:"-"`
	Flags int32  `field:"-"`
}

FileFields holds the information required to identify a file

func (*FileFields) Equals added in v0.47.0

func (f *FileFields) Equals(o *FileFields) bool

Equals compares two FileFields

func (f *FileFields) HasHardLinks() bool

HasHardLinks returns whether the file has hard links

func (*FileFields) IsFileless added in v0.42.0

func (f *FileFields) IsFileless() bool

IsFileless returns whether the access is fileless

func (*FileFields) IsInLowerLayer added in v0.63.0

func (f *FileFields) IsInLowerLayer() bool

IsInLowerLayer returns whether a file is in a lower layer

func (*FileFields) IsInUpperLayer added in v0.63.0

func (f *FileFields) IsInUpperLayer() bool

IsInUpperLayer returns whether a file is in the upper layer

type FiveTuple added in v0.63.0

// FiveTuple is used to uniquely identify a flow. All three fields are
// comparable, so a FiveTuple can be used directly as a map key. It does not
// carry the L3 protocol; Flow.GetFiveTuple derives it from a Flow.
type FiveTuple struct {
	Source      netip.AddrPort
	Destination netip.AddrPort
	L4Protocol  uint16
}

FiveTuple is used to uniquely identify a flow

type Flow added in v0.63.0

// Flow is used to represent a network 5-tuple with statistics: the endpoints,
// the L3/L4 protocol numbers and the ingress/egress counters. L3Protocol and
// L4Protocol are raw uint16 values (see the L3Protocol/L4Protocol constants).
type Flow struct {
	Source      IPPortContext `field:"source"`      // source of the network packet
	Destination IPPortContext `field:"destination"` // destination of the network packet
	L3Protocol  uint16        `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
	L4Protocol  uint16        `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`

	// Per-direction statistics for this flow.
	Ingress NetworkStats `field:"ingress"` // SECLDoc[ingress] Definition:`Network statistics about ingress traffic`
	Egress  NetworkStats `field:"egress"`  // SECLDoc[egress] Definition:`Network statistics about egress traffic`
}

Flow is used to represent a network 5-tuple with statistics

func (*Flow) GetFiveTuple added in v0.63.0

func (f *Flow) GetFiveTuple() FiveTuple

GetFiveTuple returns the five tuple identifying the flow

type FlowsIterator added in v0.63.0

// FlowsIterator defines an iterator of flows, exposing Front/Next/At/Len over
// an eval.Context; its state is unexported.
type FlowsIterator struct {
	// contains filtered or unexported fields
}

FlowsIterator defines an iterator of flows

func (*FlowsIterator) At added in v0.63.0

func (it *FlowsIterator) At(ctx *eval.Context, regID eval.RegisterID, pos int) *Flow

At returns the element at the given position

func (*FlowsIterator) Front added in v0.63.0

func (it *FlowsIterator) Front(ctx *eval.Context) *Flow

Front returns the first element

func (*FlowsIterator) Len added in v0.63.0

func (it *FlowsIterator) Len(ctx *eval.Context) int

Len returns the number of elements

func (*FlowsIterator) Next added in v0.63.0

func (it *FlowsIterator) Next(ctx *eval.Context) *Flow

Next returns the next element

type HashAlgorithm added in v0.47.0

// HashAlgorithm is used to configure the hash algorithms of the hash resolver;
// see the SHA1/SHA256/MD5/SSDEEP constants.
type HashAlgorithm int

HashAlgorithm is used to configure the hash algorithms of the hash resolver

// Hash algorithms the resolver can be configured with. MaxHashAlgorithm is a
// sentinel, not a real algorithm.
// NOTE(review): MD5 and SHA1 are not collision resistant; treat those values
// as lookup keys (e.g. matching against threat-intel lists), not as integrity
// evidence.
const (
	// SHA1 is used to identify a SHA1 hash
	SHA1 HashAlgorithm = iota
	// SHA256 is used to identify a SHA256 hash
	SHA256
	// MD5 is used to identify a MD5 hash
	MD5
	// SSDEEP is used to identify a SSDEEP hash
	SSDEEP
	// MaxHashAlgorithm is used for initializations
	MaxHashAlgorithm
)

func (HashAlgorithm) String added in v0.47.0

func (ha HashAlgorithm) String() string

type HashState added in v0.47.0

// HashState is used to prevent the hash resolver from retrying to hash a file;
// it is stored in FileEvent.HashState. See the NoHash..HashFailed constants.
type HashState int

HashState is used to prevent the hash resolver from retrying to hash a file

// Outcomes of a hashing attempt. Apart from NoHash and HashWasRateLimited,
// which imply a retry is still possible, these are terminal states the resolver
// uses to avoid re-hashing the same file. MaxHashState is a sentinel.
const (
	// NoHash means that computing a hash hasn't been attempted
	NoHash HashState = iota
	// Done means that the hashes were already computed
	Done
	// FileNotFound means that the underlying file is no longer available to compute the hash
	FileNotFound
	// PathnameResolutionError means that the underlying file wasn't properly resolved
	PathnameResolutionError
	// FileTooBig means that the underlying file is larger than the hash resolver file size limit
	FileTooBig
	// FileEmpty means that the underlying file is empty
	FileEmpty
	// FileOpenError is a generic hash state to say that we couldn't open the file
	FileOpenError
	// EventTypeNotConfigured means that the event type prevents a hash from being computed
	EventTypeNotConfigured
	// HashWasRateLimited means that the hash will be tried again later, it was rate limited
	HashWasRateLimited
	// HashFailed means that the hashing failed
	HashFailed
	// MaxHashState is used for initializations
	MaxHashState
)

func (HashState) String added in v0.47.0

func (i HashState) String() string

type IMDSEvent added in v0.55.0

// IMDSEvent represents an IMDS event. Type is one of the IMDS*Type constants
// ("request"/"response") and CloudProvider one of the IMDS*CloudProvider
// constants. The remaining fields are taken from the observed HTTP exchange.
// NOTE(review): URL, Host, UserAgent and Server are parsed from traffic and are
// therefore attacker-controllable; rules matching on them identify the
// request, they do not authenticate it.
type IMDSEvent struct {
	Type          string `field:"type"`           // SECLDoc[type] Definition:`the type of IMDS event`
	CloudProvider string `field:"cloud_provider"` // SECLDoc[cloud_provider] Definition:`the intended cloud provider of the IMDS event`
	URL           string `field:"url"`            // SECLDoc[url] Definition:`the queried IMDS URL`
	Host          string `field:"host"`           // SECLDoc[host] Definition:`the host of the HTTP protocol`
	UserAgent     string `field:"user_agent"`     // SECLDoc[user_agent] Definition:`the user agent of the HTTP client`
	Server        string `field:"server"`         // SECLDoc[server] Definition:`the server header of a response`

	// The fields below are optional and cloud specific fields
	AWS AWSIMDSEvent `field:"aws"` // SECLDoc[aws] Definition:`the AWS specific data parsed from the IMDS event`
}

IMDSEvent represents an IMDS event

type IPPortContext added in v0.36.0

// IPPortContext is used to hold an IP and Port. GetComparable converts it to a
// netip.AddrPort for use in FiveTuple. IsPublic is resolved lazily by
// ResolveIsIPPublic; IsPublicResolved presumably caches that the resolution
// already happened — confirm with the resolver.
type IPPortContext struct {
	IPNet            net.IPNet `field:"ip"`                                  // SECLDoc[ip] Definition:`IP address`
	Port             uint16    `field:"port"`                                // SECLDoc[port] Definition:`Port number`
	IsPublic         bool      `field:"is_public,handler:ResolveIsIPPublic"` // SECLDoc[is_public] Definition:`Whether the IP address belongs to a public network`
	IsPublicResolved bool      `field:"-"`
}

IPPortContext is used to hold an IP and Port

func (*IPPortContext) GetComparable added in v0.63.0

func (ipc *IPPortContext) GetComparable() netip.AddrPort

GetComparable returns a comparable version of IPPortContext

type InvalidateDentryEvent added in v0.34.0

// InvalidateDentryEvent defines an invalidate dentry event, identifying the
// entry to drop by its mount ID and inode (presumably the same pair PathKey
// carries — TODO confirm).
type InvalidateDentryEvent struct {
	Inode   uint64
	MountID uint32
}

InvalidateDentryEvent defines an invalidate dentry event

type L3Protocol added in v0.36.0

// L3Protocol identifies the network-layer protocol of a packet; the EthP*
// constants below carry the EtherType numbers (they appear to mirror Linux's
// ETH_P_* values).
type L3Protocol uint16

L3Protocol identifies network-layer (L3) protocols

// EtherType values. Entries from EthP8023MIN onwards (values below 0x0600) are
// not on-the-wire EtherTypes but pseudo/internal types, matching the way the
// Linux header lists them.
const (
	// EthPLOOP Ethernet Loopback packet
	EthPLOOP L3Protocol = 0x0060
	// EthPPUP Xerox PUP packet
	EthPPUP L3Protocol = 0x0200
	// EthPPUPAT Xerox PUP Addr Trans packet
	EthPPUPAT L3Protocol = 0x0201
	// EthPTSN TSN (IEEE 1722) packet
	EthPTSN L3Protocol = 0x22F0
	// EthPIP Internet Protocol packet
	EthPIP L3Protocol = 0x0800
	// EthPX25 CCITT X.25
	EthPX25 L3Protocol = 0x0805
	// EthPARP Address Resolution packet
	EthPARP L3Protocol = 0x0806
	// EthPBPQ G8BPQ AX.25 Ethernet Packet    [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBPQ L3Protocol = 0x08FF
	// EthPIEEEPUP Xerox IEEE802.3 PUP packet
	EthPIEEEPUP L3Protocol = 0x0a00
	// EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet
	EthPIEEEPUPAT L3Protocol = 0x0a01
	// EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBATMAN L3Protocol = 0x4305
	// EthPDEC DEC Assigned proto
	EthPDEC L3Protocol = 0x6000
	// EthPDNADL DEC DNA Dump/Load
	EthPDNADL L3Protocol = 0x6001
	// EthPDNARC DEC DNA Remote Console
	EthPDNARC L3Protocol = 0x6002
	// EthPDNART DEC DNA Routing
	EthPDNART L3Protocol = 0x6003
	// EthPLAT DEC LAT
	EthPLAT L3Protocol = 0x6004
	// EthPDIAG DEC Diagnostics
	EthPDIAG L3Protocol = 0x6005
	// EthPCUST DEC Customer use
	EthPCUST L3Protocol = 0x6006
	// EthPSCA DEC Systems Comms Arch
	EthPSCA L3Protocol = 0x6007
	// EthPTEB Trans Ether Bridging
	EthPTEB L3Protocol = 0x6558
	// EthPRARP Reverse Addr Res packet
	EthPRARP L3Protocol = 0x8035
	// EthPATALK Appletalk DDP
	EthPATALK L3Protocol = 0x809B
	// EthPAARP Appletalk AARP
	EthPAARP L3Protocol = 0x80F3
	// EthP8021Q 802.1Q VLAN Extended Header
	EthP8021Q L3Protocol = 0x8100
	// EthPERSPAN ERSPAN type II
	EthPERSPAN L3Protocol = 0x88BE
	// EthPIPX IPX over DIX
	EthPIPX L3Protocol = 0x8137
	// EthPIPV6 IPv6 over bluebook
	EthPIPV6 L3Protocol = 0x86DD
	// EthPPAUSE IEEE Pause frames. See 802.3 31B
	EthPPAUSE L3Protocol = 0x8808
	// EthPSLOW Slow Protocol. See 802.3ad 43B
	EthPSLOW L3Protocol = 0x8809
	// EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	EthPWCCP L3Protocol = 0x883E
	// EthPMPLSUC MPLS Unicast traffic
	EthPMPLSUC L3Protocol = 0x8847
	// EthPMPLSMC MPLS Multicast traffic
	EthPMPLSMC L3Protocol = 0x8848
	// EthPATMMPOA MultiProtocol Over ATM
	EthPATMMPOA L3Protocol = 0x884c
	// EthPPPPDISC PPPoE discovery messages
	EthPPPPDISC L3Protocol = 0x8863
	// EthPPPPSES PPPoE session messages
	EthPPPPSES L3Protocol = 0x8864
	// EthPLinkCTL HPNA, wlan link local tunnel
	EthPLinkCTL L3Protocol = 0x886c
	// EthPATMFATE Frame-based ATM Transport over Ethernet
	EthPATMFATE L3Protocol = 0x8884
	// EthPPAE Port Access Entity (IEEE 802.1X)
	EthPPAE L3Protocol = 0x888E
	// EthPAOE ATA over Ethernet
	EthPAOE L3Protocol = 0x88A2
	// EthP8021AD 802.1ad Service VLAN
	EthP8021AD L3Protocol = 0x88A8
	// EthP802EX1 802.1 Local Experimental 1.
	EthP802EX1 L3Protocol = 0x88B5
	// EthPTIPC TIPC
	EthPTIPC L3Protocol = 0x88CA
	// EthPMACSEC 802.1ae MACsec
	EthPMACSEC L3Protocol = 0x88E5
	// EthP8021AH 802.1ah Backbone Service Tag
	EthP8021AH L3Protocol = 0x88E7
	// EthPMVRP 802.1Q MVRP
	EthPMVRP L3Protocol = 0x88F5
	// EthP1588 IEEE 1588 Timesync
	EthP1588 L3Protocol = 0x88F7
	// EthPNCSI NCSI protocol
	EthPNCSI L3Protocol = 0x88F8
	// EthPPRP IEC 62439-3 PRP/HSRv0
	EthPPRP L3Protocol = 0x88FB
	// EthPFCOE Fibre Channel over Ethernet
	EthPFCOE L3Protocol = 0x8906
	// EthPIBOE Infiniband over Ethernet
	EthPIBOE L3Protocol = 0x8915
	// EthPTDLS TDLS
	EthPTDLS L3Protocol = 0x890D
	// EthPFIP FCoE Initialization Protocol
	EthPFIP L3Protocol = 0x8914
	// EthP80221 IEEE 802.21 Media Independent Handover Protocol
	EthP80221 L3Protocol = 0x8917
	// EthPHSR IEC 62439-3 HSRv1
	EthPHSR L3Protocol = 0x892F
	// EthPNSH Network Service Header
	EthPNSH L3Protocol = 0x894F
	// EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3
	EthPLOOPBACK L3Protocol = 0x9000
	// EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ1 L3Protocol = 0x9100
	// EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ2 L3Protocol = 0x9200
	// EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ3 L3Protocol = 0x9300
	// EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPEDSA L3Protocol = 0xDADA
	// EthPIFE ForCES inter-FE LFB type
	EthPIFE L3Protocol = 0xED3E
	// EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPAFIUCV L3Protocol = 0xFBFB
	// EthP8023MIN Threshold between the two frame formats: if the type/length field
	// is greater than or equal to this value the frame is Ethernet II and the field
	// is an EtherType; otherwise it is an 802.3 frame and the field is a length.
	EthP8023MIN L3Protocol = 0x0600
	// EthPIPV6HopByHop IPv6 Hop by hop option (value 0, written as 0x000 here)
	EthPIPV6HopByHop L3Protocol = 0x000
	// EthP8023 Dummy type for 802.3 frames
	EthP8023 L3Protocol = 0x0001
	// EthPAX25 Dummy protocol id for AX.25
	EthPAX25 L3Protocol = 0x0002
	// EthPALL Every packet (be careful!!!)
	EthPALL L3Protocol = 0x0003
	// EthP8022 802.2 frames
	EthP8022 L3Protocol = 0x0004
	// EthPSNAP Internal only
	EthPSNAP L3Protocol = 0x0005
	// EthPDDCMP DEC DDCMP: Internal only
	EthPDDCMP L3Protocol = 0x0006
	// EthPWANPPP Dummy type for WAN PPP frames
	EthPWANPPP L3Protocol = 0x0007
	// EthPPPPMP Dummy type for PPP MP frames
	EthPPPPMP L3Protocol = 0x0008
	// EthPLOCALTALK Localtalk pseudo type
	EthPLOCALTALK L3Protocol = 0x0009
	// EthPCAN CAN: Controller Area Network
	EthPCAN L3Protocol = 0x000C
	// EthPCANFD CANFD: CAN flexible data rate
	EthPCANFD L3Protocol = 0x000D
	// EthPPPPTALK Dummy type for Atalk over PPP
	EthPPPPTALK L3Protocol = 0x0010
	// EthPTR8022 802.2 frames
	EthPTR8022 L3Protocol = 0x0011
	// EthPMOBITEX Mobitex (kaz@cafe.net)
	EthPMOBITEX L3Protocol = 0x0015
	// EthPCONTROL Card specific control frames
	EthPCONTROL L3Protocol = 0x0016
	// EthPIRDA Linux-IrDA
	EthPIRDA L3Protocol = 0x0017
	// EthPECONET Acorn Econet
	EthPECONET L3Protocol = 0x0018
	// EthPHDLC HDLC frames
	EthPHDLC L3Protocol = 0x0019
	// EthPARCNET 1A for ArcNet :-)
	EthPARCNET L3Protocol = 0x001A
	// EthPDSA Distributed Switch Arch.
	EthPDSA L3Protocol = 0x001B
	// EthPTRAILER Trailer switch tagging
	EthPTRAILER L3Protocol = 0x001C
	// EthPPHONET Nokia Phonet frames
	EthPPHONET L3Protocol = 0x00F5
	// EthPIEEE802154 IEEE802.15.4 frame
	EthPIEEE802154 L3Protocol = 0x00F6
	// EthPCAIF ST-Ericsson CAIF protocol
	EthPCAIF L3Protocol = 0x00F7
	// EthPXDSA Multiplexed DSA protocol
	EthPXDSA L3Protocol = 0x00F8
	// EthPMAP Qualcomm multiplexing and aggregation protocol
	EthPMAP L3Protocol = 0x00F9
)

func (L3Protocol) String added in v0.36.0

func (proto L3Protocol) String() string

type L4Protocol added in v0.36.0

// L4Protocol identifies the transport (L4) protocol of a network packet.
// Values are IP protocol numbers; the known ones are listed in the IPProto*
// constants below, and String renders them.
type L4Protocol uint16

L4Protocol identifies transport (L4) protocols

// IP protocol numbers as used in the IPv4 "protocol" / IPv6 "next header"
// field (they mirror the Linux IPPROTO_* definitions). IPProtoRAW (255) is
// reserved and never appears on the wire as a real protocol.
const (
	// IPProtoIP Dummy protocol for TCP
	IPProtoIP L4Protocol = 0
	// IPProtoICMP Internet Control Message Protocol (IPv4)
	IPProtoICMP L4Protocol = 1
	// IPProtoIGMP Internet Group Management Protocol
	IPProtoIGMP L4Protocol = 2
	// IPProtoIPIP IPIP tunnels (older KA9Q tunnels use 94)
	IPProtoIPIP L4Protocol = 4
	// IPProtoTCP Transmission Control Protocol
	IPProtoTCP L4Protocol = 6
	// IPProtoEGP Exterior Gateway Protocol
	IPProtoEGP L4Protocol = 8
	// IPProtoIGP Interior Gateway Protocol (any private interior gateway (used by Cisco for their IGRP))
	IPProtoIGP L4Protocol = 9
	// IPProtoPUP PUP protocol
	IPProtoPUP L4Protocol = 12
	// IPProtoUDP User Datagram Protocol
	IPProtoUDP L4Protocol = 17
	// IPProtoIDP XNS IDP protocol
	IPProtoIDP L4Protocol = 22
	// IPProtoTP SO Transport Protocol Class 4
	IPProtoTP L4Protocol = 29
	// IPProtoDCCP Datagram Congestion Control Protocol
	IPProtoDCCP L4Protocol = 33
	// IPProtoIPV6 IPv6-in-IPv4 tunnelling
	IPProtoIPV6 L4Protocol = 41
	// IPProtoRSVP RSVP Protocol
	IPProtoRSVP L4Protocol = 46
	// IPProtoGRE Cisco GRE tunnels (rfc 1701,1702)
	IPProtoGRE L4Protocol = 47
	// IPProtoESP Encapsulation Security Payload protocol (IPsec)
	IPProtoESP L4Protocol = 50
	// IPProtoAH Authentication Header protocol (IPsec)
	IPProtoAH L4Protocol = 51
	// IPProtoICMPV6 Internet Control Message Protocol (IPv6)
	IPProtoICMPV6 L4Protocol = 58
	// IPProtoMTP Multicast Transport Protocol
	IPProtoMTP L4Protocol = 92
	// IPProtoBEETPH IP option pseudo header for BEET
	IPProtoBEETPH L4Protocol = 94
	// IPProtoENCAP Encapsulation Header
	IPProtoENCAP L4Protocol = 98
	// IPProtoPIM Protocol Independent Multicast
	IPProtoPIM L4Protocol = 103
	// IPProtoCOMP Compression Header Protocol
	IPProtoCOMP L4Protocol = 108
	// IPProtoSCTP Stream Control Transport Protocol
	IPProtoSCTP L4Protocol = 132
	// IPProtoUDPLITE UDP-Lite (RFC 3828)
	IPProtoUDPLITE L4Protocol = 136
	// IPProtoMPLS MPLS in IP (RFC 4023)
	IPProtoMPLS L4Protocol = 137
	// IPProtoRAW Raw IP packets
	IPProtoRAW L4Protocol = 255
)

func (L4Protocol) String added in v0.36.0

func (proto L4Protocol) String() string

type LinkEvent added in v0.34.0

// LinkEvent represents a link event. Source is exposed as `file` and Target
// as `file.destination`; the Syscall* fields alias the raw syscall string
// arguments (str1/str2) so rules can also match on what the caller passed.
type LinkEvent struct {
	SyscallEvent
	SyscallContext
	Source FileEvent `field:"file"`
	Target FileEvent `field:"file.destination"`

	// Syscall context aliases
	SyscallPath            string `field:"syscall.path,ref:link.syscall.str1"`             // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
	SyscallDestinationPath string `field:"syscall.destination.path,ref:link.syscall.str2"` // SECLDoc[syscall.destination.path] Definition:`Destination path argument of the syscall`
}

LinkEvent represents a link event

type LinuxBinprm added in v0.40.0

// LinuxBinprm contains content from the kernel linux_binprm struct, which
// holds the arguments used for loading binaries. It is embedded in Process
// as the `interpreter` field (the script interpreter, gated by HasInterpreter).
type LinuxBinprm struct {
	FileEvent FileEvent `field:"file"`
}

LinuxBinprm contains content from the linux_binprm struct, which holds the arguments used for loading binaries

type LoadModuleEvent added in v0.35.0

// LoadModuleEvent represents a load_module event (kernel module insertion).
// Name, Args and Argv are resolved by the ResolveModule* handlers; when
// LoadedFromMemory is set there may be no on-disk File to inspect, so
// detections should not rely on `file` alone.
type LoadModuleEvent struct {
	SyscallEvent

	File             FileEvent `field:"file"`                           // Path to the kernel module file
	LoadedFromMemory bool      `field:"loaded_from_memory"`             // SECLDoc[loaded_from_memory] Definition:`Indicates if the kernel module was loaded from memory`
	Name             string    `field:"name"`                           // SECLDoc[name] Definition:`Name of the new kernel module`
	Args             string    `field:"args,handler:ResolveModuleArgs"` // SECLDoc[args] Definition:`Parameters (as a string) of the new kernel module`
	Argv             []string  `field:"argv,handler:ResolveModuleArgv"` // SECLDoc[argv] Definition:`Parameters (as an array) of the new kernel module`
	ArgsTruncated    bool      `field:"args_truncated"`                 // SECLDoc[args_truncated] Definition:`Indicates if the arguments were truncated or not`
}

LoadModuleEvent represents a load_module event

type LoginUIDWriteEvent added in v0.57.0

// LoginUIDWriteEvent is used to propagate login UID (auid) updates to user
// space. AUID is tagged `field:"-"`, so it is carried for internal bookkeeping
// rather than exposed as a rule field.
type LoginUIDWriteEvent struct {
	AUID uint32 `field:"-"`
}

LoginUIDWriteEvent is used to propagate login UID updates to user space

type MMapEvent added in v0.34.0

// MMapEvent represents a mmap event. Only Protection and Flags are exposed to
// rules; Addr, Offset and Len are kept but not rule-addressable.
type MMapEvent struct {
	SyscallEvent

	File       FileEvent `field:"file"`
	Addr       uint64    `field:"-"`
	Offset     uint64    `field:"-"`
	Len        uint64    `field:"-"`
	Protection uint64    `field:"protection"` // SECLDoc[protection] Definition:`memory segment protection` Constants:`Protection constants`
	Flags      uint64    `field:"flags"`      // SECLDoc[flags] Definition:`memory segment flags` Constants:`MMap flags`
}

MMapEvent represents a mmap event

type MProtectEvent added in v0.34.0

// MProtectEvent represents a mprotect event. VMProtection is the protection
// of the segment before the call and ReqProtection the one requested, which
// lets rules spot transitions such as writable-to-executable.
type MProtectEvent struct {
	SyscallEvent

	VMStart       uint64 `field:"-"`
	VMEnd         uint64 `field:"-"`
	VMProtection  int    `field:"vm_protection"`  // SECLDoc[vm_protection] Definition:`initial memory segment protection` Constants:`Virtual Memory flags`
	ReqProtection int    `field:"req_protection"` // SECLDoc[req_protection] Definition:`new memory segment protection` Constants:`Virtual Memory flags`
}

MProtectEvent represents a mprotect event

type MatchedRule added in v0.44.0

// MatchedRule contains the identification of one rule that has matched:
// the rule id/version/tags and the policy it came from. Equality between two
// entries is decided by Match (see AppendMatchedRule, which dedupes with it).
type MatchedRule struct {
	RuleID        string
	RuleVersion   string
	RuleTags      map[string]string
	PolicyName    string
	PolicyVersion string
}

MatchedRule contains the identification of one rule that has matched

func AppendMatchedRule added in v0.44.0

func AppendMatchedRule(list []*MatchedRule, toAdd []*MatchedRule) []*MatchedRule

AppendMatchedRule appends two lists while avoiding duplicates

func NewMatchedRule added in v0.44.0

func NewMatchedRule(ruleID, ruleVersion string, ruleTags map[string]string, policyName, policyVersion string) *MatchedRule

NewMatchedRule returns a new MatchedRule instance

func (*MatchedRule) Match added in v0.44.0

func (mr *MatchedRule) Match(mr2 *MatchedRule) bool

Match returns true if the rules are equal

type MkdirEvent added in v0.34.0

// MkdirEvent represents a mkdir event. Mode is exposed under two SECL names
// (`file.destination.mode` and `file.destination.rights`); SyscallPath and
// SyscallMode alias the raw syscall arguments (str1/int2).
type MkdirEvent struct {
	SyscallEvent
	SyscallContext
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode; file.destination.rights"` // SECLDoc[file.destination.mode] Definition:`Mode of the new directory` Constants:`File mode constants` SECLDoc[file.destination.rights] Definition:`Rights of the new directory` Constants:`File mode constants`

	// Syscall context aliases
	SyscallPath string `field:"syscall.path,ref:mkdir.syscall.str1"` // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
	SyscallMode uint32 `field:"syscall.mode,ref:mkdir.syscall.int2"` // SECLDoc[syscall.mode] Definition:`Mode of the new directory`
}

MkdirEvent represents a mkdir event

type Model added in v0.34.0

// Model describes the data model for the runtime security agent events.
type Model struct {
	// ExtraValidateFieldFnc is an optional additional validation hook for a
	// field value; presumably consulted by ValidateField — confirm in the
	// method body.
	ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator added in v0.34.0

func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes added in v0.34.0

func (_ *Model) GetEventTypes() []eval.EventType

func (*Model) GetFieldRestrictions added in v0.57.0

func (_ *Model) GetFieldRestrictions(field eval.Field) []eval.EventType

func (*Model) NewDefaultEventWithType added in v0.43.0

func (m *Model) NewDefaultEventWithType(kind EventType) eval.Event

NewDefaultEventWithType returns a new Event for the given type

func (*Model) NewEvent added in v0.34.0

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) ValidateField added in v0.34.0

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type Mount added in v0.42.0

// Mount represents a mountpoint (used by MountEvent and UnshareMountNSEvent).
// Only FSType is rule-addressable; the remaining fields are resolver state
// (Origin holds a MountOrigin value, by name — confirm at the write site).
type Mount struct {
	MountID        uint32  `field:"-"`
	Device         uint32  `field:"-"`
	ParentPathKey  PathKey `field:"-"`
	RootPathKey    PathKey `field:"-"`
	BindSrcMountID uint32  `field:"-"`
	FSType         string  `field:"fs_type"` // SECLDoc[fs_type] Definition:`Type of the mounted file system`
	MountPointStr  string  `field:"-"`
	RootStr        string  `field:"-"`
	Path           string  `field:"-"`
	Origin         uint32  `field:"-"`
}

Mount represents a mountpoint (used by MountEvent and UnshareMountNSEvent)

func (*Mount) GetFSType added in v0.42.0

func (m *Mount) GetFSType() string

GetFSType returns the filesystem type of the mountpoint

func (*Mount) IsOverlayFS added in v0.42.0

func (m *Mount) IsOverlayFS() bool

IsOverlayFS returns whether the mount is an overlay filesystem

type MountEvent added in v0.34.0

// MountEvent represents a mount event. The three *Path fields are resolved
// lazily through the ResolveMount*Path handlers; the matching
// *ResolutionError fields presumably record a failed resolution so callers
// can tell an empty path from an unresolved one — confirm in the handlers.
type MountEvent struct {
	SyscallEvent
	SyscallContext
	Mount
	MountPointPath                 string `field:"mountpoint.path,handler:ResolveMountPointPath,opts:gen_getters"` // SECLDoc[mountpoint.path] Definition:`Path of the mount point`
	MountSourcePath                string `field:"source.path,handler:ResolveMountSourcePath"`                     // SECLDoc[source.path] Definition:`Source path of a bind mount`
	MountRootPath                  string `field:"root.path,handler:ResolveMountRootPath,opts:gen_getters"`        // SECLDoc[root.path] Definition:`Root path of the mount`
	MountPointPathResolutionError  error  `field:"-"`
	MountSourcePathResolutionError error  `field:"-"`
	MountRootPathResolutionError   error  `field:"-"`

	// Syscall context aliases
	SyscallSourcePath     string `field:"syscall.source.path,ref:mount.syscall.str1"`     // SECLDoc[syscall.source.path] Definition:`Source path argument of the syscall`
	SyscallMountpointPath string `field:"syscall.mountpoint.path,ref:mount.syscall.str2"` // SECLDoc[syscall.mountpoint.path] Definition:`Mount point path argument of the syscall`
	SyscallFSType         string `field:"syscall.fs_type,ref:mount.syscall.str3"`         // SECLDoc[syscall.fs_type] Definition:`File system type argument of the syscall`
}

MountEvent represents a mount event

type MountOrigin added in v0.55.0

// MountOrigin identifies where the information about a mount came from
// (see the MountOrigin* constants). It is a type alias, not a distinct type,
// so it is interchangeable with uint32.
type MountOrigin = uint32

MountOrigin identifies the origin of the mount

// Origins of mount information, in iota order (Unknown is the zero value).
const (
	MountOriginUnknown MountOrigin = iota // MountOriginUnknown unknown mount origin
	MountOriginProcfs                     // MountOriginProcfs mount point info from procfs
	MountOriginEvent                      // MountOriginEvent mount point info from an event
	MountOriginUnshare                    // MountOriginUnshare mount point info from an unshare (mount namespace) event, going by the name — confirm against UnshareMountNSEvent
)

type MountReleasedEvent added in v0.34.0

// MountReleasedEvent defines a mount released event, identified only by the
// kernel mount id.
type MountReleasedEvent struct {
	MountID uint32
}

MountReleasedEvent defines a mount released event

type MountSource added in v0.55.0

// MountSource identifies how a mount was resolved (see the MountSource*
// constants). It is a type alias, so it is interchangeable with uint32.
type MountSource = uint32

MountSource identifies the source of the mount

// Ways a mount can be resolved, in iota order (Unknown is the zero value).
const (
	MountSourceUnknown  MountSource = iota // MountSourceUnknown mount resolved from an unknown source
	MountSourceMountID                     // MountSourceMountID mount resolved with the mount id
	MountSourceDevice                      // MountSourceDevice mount resolved with the device
	MountSourceSnapshot                    // MountSourceSnapshot mount resolved from the snapshot
)

type NetDevice added in v0.36.0

// NetDevice represents a network device. A device is identified by its
// interface index within a network namespace (NetNS/IfIndex), see GetKey;
// the Peer* fields describe the other end of a paired device.
type NetDevice struct {
	Name        string
	NetNS       uint32
	IfIndex     uint32
	PeerNetNS   uint32
	PeerIfIndex uint32
}

NetDevice represents a network device

func (NetDevice) GetKey added in v0.36.0

func (d NetDevice) GetKey() string

GetKey returns a key to uniquely identify a network device on the system

type NetDeviceEvent added in v0.36.0

// NetDeviceEvent represents a network device event carrying the device that
// was added or changed.
type NetDeviceEvent struct {
	SyscallEvent

	Device NetDevice
}

NetDeviceEvent represents a network device event

type NetworkContext added in v0.36.0

// NetworkContext represents the network context of the event.
//
// Note that L3Protocol and L4Protocol are stored as plain uint16 rather than
// as the typed L3Protocol/L4Protocol declared in this package; convert before
// calling their String methods. NetworkDirection likewise holds a
// NetworkDirection value as a raw uint32.
type NetworkContext struct {
	Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured

	L3Protocol       uint16        `field:"l3_protocol"`       // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
	L4Protocol       uint16        `field:"l4_protocol"`       // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
	Source           IPPortContext `field:"source"`            // source of the network packet
	Destination      IPPortContext `field:"destination"`       // destination of the network packet
	NetworkDirection uint32        `field:"network_direction"` // SECLDoc[network_direction] Definition:`Network direction of the network packet` Constants:`Network directions`
	Size             uint32        `field:"size"`              // SECLDoc[size] Definition:`Size in bytes of the network packet`
}

NetworkContext represents the network context of the event

func (*NetworkContext) IsZero added in v0.59.0

func (nc *NetworkContext) IsZero() bool

IsZero reports whether the network context is the zero value

type NetworkDeviceContext added in v0.36.0

// NetworkDeviceContext represents the network device context of a network
// event. NetNS and IfIndex identify the device; IfName is resolved on demand
// by ResolveNetworkDeviceIfName.
type NetworkDeviceContext struct {
	NetNS   uint32 `field:"-"`
	IfIndex uint32 `field:"-"`
	IfName  string `field:"ifname,handler:ResolveNetworkDeviceIfName"` // SECLDoc[ifname] Definition:`Interface ifname`
}

NetworkDeviceContext represents the network device context of a network event

type NetworkDirection added in v0.63.0

// NetworkDirection is used to identify the network direction of a flow
// (Egress or Ingress). Because the constants start at iota + 1, the zero
// value means "no direction".
type NetworkDirection uint32

NetworkDirection is used to identify the network direction of a flow

// Flow directions. Numbering starts at 1 so that an unset NetworkDirection
// (0) is distinguishable from both directions.
const (
	// Egress is used to identify egress traffic
	Egress NetworkDirection = iota + 1
	// Ingress is used to identify ingress traffic
	Ingress
)

func (NetworkDirection) String added in v0.63.0

func (direction NetworkDirection) String() string

type NetworkFlowMonitorEvent added in v0.63.0

// NetworkFlowMonitorEvent represents a network flow monitor event: the set of
// flows captured on one device. Flows is exposed to rules through the
// FlowsIterator; FlowsCount is internal.
type NetworkFlowMonitorEvent struct {
	Device     NetworkDeviceContext `field:"device"` // network device on which the network flows were captured
	FlowsCount uint64               `field:"-"`
	Flows      []Flow               `field:"flows,iterator:FlowsIterator"` // list of captured flows
}

NetworkFlowMonitorEvent represents a network flow monitor event

type NetworkStats added in v0.63.0

// NetworkStats is used to record network statistics for one direction of a
// flow; Add accumulates another NetworkStats into it.
type NetworkStats struct {
	DataSize    uint64 `field:"data_size"`    // SECLDoc[data_size] Definition:`Amount of data transmitted or received`
	PacketCount uint64 `field:"packet_count"` // SECLDoc[packet_count] Definition:`Count of network packets transmitted or received`
}

NetworkStats is used to record network statistics

func (*NetworkStats) Add added in v0.63.0

func (ns *NetworkStats) Add(input NetworkStats)

Add adds the input stats to the current stats

type OnDemandEvent added in v0.56.0

// OnDemandEvent identifies an on-demand event generated from on-demand probes.
// Data is a fixed 256-byte raw buffer; the Name and ArgN* fields are produced
// by the ResolveOnDemand* handlers (presumably decoded out of Data — confirm
// in the handlers). Each argument slot is exposed both as a string and as an
// unsigned integer view.
type OnDemandEvent struct {
	ID       uint32    `field:"-"`
	Name     string    `field:"name,handler:ResolveOnDemandName"`
	Data     [256]byte `field:"-"`
	Arg1Str  string    `field:"arg1.str,handler:ResolveOnDemandArg1Str"`
	Arg1Uint uint64    `field:"arg1.uint,handler:ResolveOnDemandArg1Uint"`
	Arg2Str  string    `field:"arg2.str,handler:ResolveOnDemandArg2Str"`
	Arg2Uint uint64    `field:"arg2.uint,handler:ResolveOnDemandArg2Uint"`
	Arg3Str  string    `field:"arg3.str,handler:ResolveOnDemandArg3Str"`
	Arg3Uint uint64    `field:"arg3.uint,handler:ResolveOnDemandArg3Uint"`
	Arg4Str  string    `field:"arg4.str,handler:ResolveOnDemandArg4Str"`
	Arg4Uint uint64    `field:"arg4.uint,handler:ResolveOnDemandArg4Uint"`
}

OnDemandEvent identifies an on-demand event generated from on-demand probes

type OpenEvent added in v0.34.0

// OpenEvent represents an open event. Flags and Mode are the effective values
// attached to the file; the Syscall* aliases expose the raw syscall arguments
// (str1/int2/int3) as passed by the caller.
type OpenEvent struct {
	SyscallEvent
	SyscallContext
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"`                 // SECLDoc[flags] Definition:`Flags used when opening the file` Constants:`Open flags`
	Mode  uint32    `field:"file.destination.mode"` // SECLDoc[file.destination.mode] Definition:`Mode of the created file` Constants:`File mode constants`

	// Syscall context aliases
	SyscallPath  string `field:"syscall.path,ref:open.syscall.str1"`  // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
	SyscallFlags uint32 `field:"syscall.flags,ref:open.syscall.int2"` // SECLDoc[syscall.flags] Definition:`Flags argument of the syscall`
	SyscallMode  uint32 `field:"syscall.mode,ref:open.syscall.int3"`  // SECLDoc[syscall.mode] Definition:`Mode argument of the syscall`
}

OpenEvent represents an open event

type PIDContext added in v0.37.0

// PIDContext holds the process context of a kernel event: the thread group
// id (Pid), the thread id (Tid) and whether the task is a kernel worker.
type PIDContext struct {
	Pid       uint32 `field:"pid,opts:gen_getters"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
	Tid       uint32 `field:"tid"`                  // SECLDoc[tid] Definition:`Thread ID of the thread`
	NetNS     uint32 `field:"-"`
	IsKworker bool   `field:"is_kworker"` // SECLDoc[is_kworker] Definition:`Indicates whether the process is a kworker`
	ExecInode uint64 `field:"-"`          // used to track exec and event loss
	// NSID is used for ebpfless mode only
	NSID uint64 `field:"-"`
}

PIDContext holds the process context of a kernel event

type PTraceEvent added in v0.34.0

// PTraceEvent represents a ptrace event. Request is the ptrace request code;
// Tracee is the process context of the traced process, while the caller's
// own context comes from the enclosing event. PID/NSPID/Address are kept
// internally but not exposed to rules.
type PTraceEvent struct {
	SyscallEvent

	Request uint32          `field:"request"` // SECLDoc[request] Definition:`ptrace request` Constants:`Ptrace constants`
	PID     uint32          `field:"-"`
	NSPID   uint32          `field:"-"`
	Address uint64          `field:"-"`
	Tracee  *ProcessContext `field:"tracee"` // process context of the tracee
}

PTraceEvent represents a ptrace event

type PathKey added in v0.44.0

// PathKey identifies an entry in the dentry cache by (inode, mount id).
// PathID is internal cache state; IsNull reports whether the key is invalid.
type PathKey struct {
	Inode   uint64 `field:"inode"`    // SECLDoc[inode] Definition:`Inode of the file`
	MountID uint32 `field:"mount_id"` // SECLDoc[mount_id] Definition:`Mount ID of the file`
	PathID  uint32 `field:"-"`
}

PathKey identifies an entry in the dentry cache

func (*PathKey) IsNull added in v0.44.0

func (p *PathKey) IsNull() bool

IsNull returns true if a key is invalid

func (*PathKey) String added in v0.44.0

func (p *PathKey) String() string

type PathLeaf added in v0.45.0

// PathLeaf is the go representation of the eBPF path_leaf_t structure: one
// path segment plus the key of its parent. Name is a fixed buffer of
// MaxSegmentLength + 1 bytes; Len presumably gives the number of bytes in
// use (see GetName/SetName — confirm). Padding keeps the layout aligned with
// the C struct and must not be reordered.
type PathLeaf struct {
	Parent  PathKey
	Name    [MaxSegmentLength + 1]byte
	Len     uint16
	Padding [6]uint8
}

PathLeaf is the go representation of the eBPF path_leaf_t structure

func (*PathLeaf) GetName added in v0.45.0

func (pl *PathLeaf) GetName() string

GetName returns the path value as a string

func (*PathLeaf) SetName added in v0.45.0

func (pl *PathLeaf) SetName(name string)

SetName sets the path name

type Process added in v0.34.0

// Process represents a process.
//
// Args/Argv hold the unscrubbed command line (see GetProcessArgv, "use with
// caution"); ArgsScrubbed/ArgvScrubbed are the scrubbed counterparts
// resolved by ResolveProcessArgsScrubbed/ResolveProcessArgvScrubbed.
// AWSSecurityCredentials is tagged `field:"-"` and so is not addressable
// from rules.
type Process struct {
	PIDContext

	FileEvent FileEvent `field:"file,check:IsNotKworker"`

	CGroup      CGroupContext              `field:"cgroup"`                                         // SECLDoc[cgroup] Definition:`CGroup`
	ContainerID containerutils.ContainerID `field:"container.id,handler:ResolveProcessContainerID"` // SECLDoc[container.id] Definition:`Container ID`

	SpanID  uint64          `field:"-"`
	TraceID mathutil.Int128 `field:"-"`

	TTYName     string      `field:"tty_name"`                         // SECLDoc[tty_name] Definition:`Name of the TTY associated with the process`
	Comm        string      `field:"comm"`                             // SECLDoc[comm] Definition:`Comm attribute of the process`
	LinuxBinprm LinuxBinprm `field:"interpreter,check:HasInterpreter"` // Script interpreter as identified by the shebang

	// pid_cache_t
	ForkTime time.Time `field:"fork_time,opts:getters_only|gen_getters"`
	ExitTime time.Time `field:"exit_time,opts:getters_only|gen_getters"`
	ExecTime time.Time `field:"exec_time,opts:getters_only|gen_getters"`

	// TODO: merge with ExecTime
	CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`

	Cookie uint64 `field:"-"`
	PPid   uint32 `field:"ppid,opts:gen_getters"` // SECLDoc[ppid] Definition:`Parent process ID`

	// credentials_t section of pid_cache_t
	Credentials

	UserSession UserSessionContext `field:"user_session"` // SECLDoc[user_session] Definition:`User Session context of this process`

	// AWSSecurityCredentials is not exposed as a rule field.
	AWSSecurityCredentials []AWSSecurityCredentials `field:"-"`

	ArgsID uint64 `field:"-"`
	EnvsID uint64 `field:"-"`

	ArgsEntry *ArgsEntry `field:"-"`
	EnvsEntry *EnvsEntry `field:"-"`

	// defined to generate accessors, ArgsTruncated and EnvsTruncated are used during by unmarshaller
	Argv0 string   `field:"argv0,handler:ResolveProcessArgv0,weight:100"`            // SECLDoc[argv0] Definition:`First argument of the process`
	Args  string   `field:"args,handler:ResolveProcessArgs,weight:500,opts:skip_ad"` // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
	Argv  []string ``                                                                // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.`
	/* 235-byte string literal not displayed */
	ArgsTruncated bool     `field:"args_truncated,handler:ResolveProcessArgsTruncated"`          // SECLDoc[args_truncated] Definition:`Indicator of arguments truncation`
	Envs          []string `field:"envs,handler:ResolveProcessEnvs,weight:100"`                  // SECLDoc[envs] Definition:`Environment variable names of the process`
	Envp          []string `field:"envp,handler:ResolveProcessEnvp,weight:100,opts:gen_getters"` // SECLDoc[envp] Definition:`Environment variables of the process`
	EnvsTruncated bool     `field:"envs_truncated,handler:ResolveProcessEnvsTruncated"`          // SECLDoc[envs_truncated] Definition:`Indicator of environment variables truncation`

	// Scrubbed variants of Args/Argv; getters only, not rule fields.
	ArgsScrubbed string   `field:"args_scrubbed,handler:ResolveProcessArgsScrubbed,opts:getters_only"`
	ArgvScrubbed []string `field:"argv_scrubbed,handler:ResolveProcessArgvScrubbed,opts:getters_only"`

	// symlink to the process binary
	SymlinkPathnameStr [MaxSymlinks]string `field:"-"`
	SymlinkBasenameStr string              `field:"-"`

	// cache version
	ScrubbedArgvResolved bool           `field:"-"`
	Variables            eval.Variables `field:"-"`

	// IsThread is the negation of IsExec and should be manipulated directly
	IsThread        bool `field:"is_thread,handler:ResolveProcessIsThread"` // SECLDoc[is_thread] Definition:`Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)`
	IsExec          bool `field:"is_exec"`                                  // SECLDoc[is_exec] Definition:`Indicates whether the process entry is from a new binary execution`
	IsExecExec      bool `field:"-"`                                        // Indicates whether the process is an exec following another exec
	IsParentMissing bool `field:"-"`                                        // Indicates the direct parent is missing

	Source uint64 `field:"-"`
	// contains filtered or unexported fields
}

Process represents a process

func (*Process) GetPathResolutionError added in v0.34.0

func (p *Process) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*Process) GetProcessArgv added in v0.51.0

func (p *Process) GetProcessArgv() ([]string, bool)

GetProcessArgv returns the unscrubbed args of the event as an array. Use with caution.

func (*Process) GetProcessArgv0 added in v0.51.0

func (p *Process) GetProcessArgv0() (string, bool)

GetProcessArgv0 returns the first arg of the event and whether the process arguments are truncated

func (*Process) HasInterpreter added in v0.40.0

func (p *Process) HasInterpreter() bool

HasInterpreter returns whether the process uses an interpreter

func (*Process) IsNotKworker added in v0.42.0

func (p *Process) IsNotKworker() bool

IsNotKworker returns true if the process isn't a kworker

func (*Process) SetSpan added in v0.48.0

func (p *Process) SetSpan(spanID uint64, traceID mathutil.Int128)

SetSpan sets the span

type ProcessAncestorsIterator added in v0.34.0

// ProcessAncestorsIterator defines an iterator over the ancestors of a
// process (Front/Next/At/Len). It is referenced by the `ancestors` field tag
// of ProcessContext.
type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) At added in v0.60.0

At returns the element at the given position

func (*ProcessAncestorsIterator) Front added in v0.34.0

Front returns the first element

func (*ProcessAncestorsIterator) Len added in v0.60.0

func (it *ProcessAncestorsIterator) Len(ctx *eval.Context) int

Len returns the length

func (*ProcessAncestorsIterator) Next added in v0.34.0

Next returns the next element

type ProcessCacheEntry added in v0.34.0

// ProcessCacheEntry holds the process context kept in the process tree. It
// is reference counted (Retain/Release) and linked to its parent through
// SetAncestor/SetForkParent/SetExecParent.
type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry holds the process context kept in the process tree

func GetPlaceholderProcessCacheEntry added in v0.49.0

func GetPlaceholderProcessCacheEntry(pid uint32, tid uint32, isKworker bool) *ProcessCacheEntry

GetPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions

func NewPlaceholderProcessCacheEntry added in v0.49.0

func NewPlaceholderProcessCacheEntry(pid uint32, tid uint32, isKworker bool) *ProcessCacheEntry

NewPlaceholderProcessCacheEntry returns a new empty process cache entry for failed process resolutions

func NewProcessCacheEntry added in v0.34.0

func NewProcessCacheEntry(coreRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) AppendReleaseCallback added in v0.56.0

func (pc *ProcessCacheEntry) AppendReleaseCallback(callback func())

AppendReleaseCallback sets a callback to be called when the entry is released

func (*ProcessCacheEntry) ApplyExecTimeOf added in v0.47.0

func (pc *ProcessCacheEntry) ApplyExecTimeOf(entry *ProcessCacheEntry)

ApplyExecTimeOf replaces the previous entry values with those of the given entry

func (*ProcessCacheEntry) Equals added in v0.36.0

func (pc *ProcessCacheEntry) Equals(entry *ProcessCacheEntry) bool

Equals returns whether process cache entries share the same values for file and args/envs

func (*ProcessCacheEntry) Exec added in v0.34.0

func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)

Exec replaces a process

func (*ProcessCacheEntry) Exit added in v0.34.0

func (pc *ProcessCacheEntry) Exit(exitTime time.Time)

Exit records the exit of a process at the given time

func (*ProcessCacheEntry) Fork added in v0.34.0

func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)

Fork returns a copy of the current ProcessCacheEntry

func (*ProcessCacheEntry) GetContainerPIDs added in v0.51.0

func (pc *ProcessCacheEntry) GetContainerPIDs() ([]uint32, []string)

GetContainerPIDs returns the pids

func (*ProcessCacheEntry) HasValidLineage added in v0.49.0

func (pc *ProcessCacheEntry) HasValidLineage() (bool, error)

HasValidLineage returns false if, starting from the entry, the ancestors list cannot be ascended up to PID 1, or if an entry is missing its parent

func (*ProcessCacheEntry) IsContainerRoot added in v0.44.0

func (pc *ProcessCacheEntry) IsContainerRoot() bool

IsContainerRoot returns whether this is a top level process in the container ID

func (*ProcessCacheEntry) Release added in v0.34.0

func (pc *ProcessCacheEntry) Release()

Release decrements the reference counter and eventually releases the entry

func (*ProcessCacheEntry) Reset added in v0.34.0

func (pc *ProcessCacheEntry) Reset()

Reset resets the entry

func (*ProcessCacheEntry) Retain added in v0.34.0

func (pc *ProcessCacheEntry) Retain()

Retain increments the reference counter

func (*ProcessCacheEntry) SetAncestor added in v0.34.0

func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)

SetAncestor sets the ancestor

func (*ProcessCacheEntry) SetAsExec added in v0.61.0

func (pc *ProcessCacheEntry) SetAsExec()

SetAsExec sets the entry as an Exec

func (*ProcessCacheEntry) SetExecParent added in v0.60.0

func (pc *ProcessCacheEntry) SetExecParent(parent *ProcessCacheEntry)

SetExecParent sets the parent of the exec entry

func (*ProcessCacheEntry) SetForkParent added in v0.60.0

func (pc *ProcessCacheEntry) SetForkParent(parent *ProcessCacheEntry)

SetForkParent sets the parent of the fork entry

type ProcessContext added in v0.34.0

// ProcessContext holds the process context of an event: the process itself,
// its direct parent (only exposed at the event root, gated by HasParent) and
// the ancestry chain walked through ProcessAncestorsIterator.
type ProcessContext struct {
	Process

	Parent   *Process           `field:"parent,opts:exposed_at_event_root_only,check:HasParent"`
	Ancestor *ProcessCacheEntry `field:"ancestors,iterator:ProcessAncestorsIterator,check:IsNotKworker"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) HasParent added in v0.42.0

func (p *ProcessContext) HasParent() bool

HasParent returns whether the process has a parent

type QClass added in v0.36.0

// QClass is used to declare the qclass field of a DNS request; String renders
// the class name.
type QClass uint32

QClass is used to declare the qclass field of a DNS request

func (QClass) String added in v0.36.0

func (qc QClass) String() string

type QType added in v0.36.0

// QType is used to declare the qtype field of a DNS request; String renders
// the record type name.
type QType uint32

QType is used to declare the qtype field of a DNS request

func (QType) String added in v0.36.0

func (qt QType) String() string

type RawPacketEvent added in v0.60.0

// RawPacketEvent represents a packet event. Data holds the raw captured
// bytes and CaptureInfo the gopacket capture metadata; neither is a rule
// field. Filter carries `op_override:"PacketFilterMatching"`, which suggests
// rule comparisons on it are evaluated as a pcap filter match rather than
// plain string equality — confirm in the operator override.
type RawPacketEvent struct {
	NetworkContext
	TLSContext  TLSContext           `field:"tls"`                                       // SECLDoc[tls] Definition:`TLS context`
	Filter      string               `field:"filter" op_override:"PacketFilterMatching"` // SECLDoc[filter] Definition:`pcap filter expression`
	CaptureInfo gopacket.CaptureInfo `field:"-"`
	Data        []byte               `field:"-"`
}

RawPacketEvent represents a packet event

type Releasable added in v0.46.0

// Releasable represents an object that can be released: callbacks registered
// with AppendReleaseCallback are run by CallReleaseCallback.
type Releasable struct {
	// contains filtered or unexported fields
}

Releasable represents an object that can be released

func (*Releasable) AppendReleaseCallback added in v0.56.0

func (r *Releasable) AppendReleaseCallback(callback func())

AppendReleaseCallback sets a callback to be called when the cache entry is released

func (*Releasable) CallReleaseCallback added in v0.46.0

func (r *Releasable) CallReleaseCallback()

CallReleaseCallback calls the on-release callback

type RenameEvent added in v0.34.0

// RenameEvent represents a rename event. Old is exposed as `file` and New as
// `file.destination`; the Syscall* aliases expose the raw path arguments
// (str1/str2) as passed by the caller.
type RenameEvent struct {
	SyscallEvent
	SyscallContext
	Old FileEvent `field:"file"`
	New FileEvent `field:"file.destination"`

	// Syscall context aliases
	SyscallPath            string `field:"syscall.path,ref:rename.syscall.str1"`             // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
	SyscallDestinationPath string `field:"syscall.destination.path,ref:rename.syscall.str2"` // SECLDoc[syscall.destination.path] Definition:`Destination path argument of the syscall`
}

RenameEvent represents a rename event

type RetValError added in v0.34.0

// RetValError represents a syscall return error value; String renders it in
// human-readable form.
type RetValError int

RetValError represents a syscall return error value

func (RetValError) String added in v0.34.0

func (f RetValError) String() string

type RmdirEvent added in v0.34.0

// RmdirEvent represents a rmdir event; SyscallPath aliases the raw path
// argument (str1) as passed by the caller.
type RmdirEvent struct {
	SyscallEvent
	SyscallContext
	File FileEvent `field:"file"`

	// Syscall context aliases
	SyscallPath string `field:"syscall.path,ref:rmdir.syscall.str1"` // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
}

RmdirEvent represents a rmdir event

type SELinuxEvent added in v0.34.0

// SELinuxEvent represents a selinux event. EventKind selects which of the
// bool.* / bool_commit.* / enforce.* fields is meaningful for this event
// (see SELinuxEventKind); the others keep their zero value.
type SELinuxEvent struct {
	File            FileEvent        `field:"-"`
	EventKind       SELinuxEventKind `field:"-"`
	BoolName        string           `field:"bool.name,handler:ResolveSELinuxBoolName"` // SECLDoc[bool.name] Definition:`SELinux boolean name`
	BoolChangeValue string           `field:"bool.state"`                               // SECLDoc[bool.state] Definition:`SELinux boolean new value`
	BoolCommitValue bool             `field:"bool_commit.state"`                        // SECLDoc[bool_commit.state] Definition:`Indicator of a SELinux boolean commit operation`
	EnforceStatus   string           `field:"enforce.status"`                           // SECLDoc[enforce.status] Definition:`SELinux enforcement status (one of "enforcing", "permissive", "disabled")`
}

SELinuxEvent represents a selinux event

type SELinuxEventKind added in v0.34.0

type SELinuxEventKind uint32

SELinuxEventKind represents the event kind for SELinux events

// Kinds of SELinux events, numbered from 0 in declaration order.
const (
	// SELinuxBoolChangeEventKind represents SELinux boolean change events
	SELinuxBoolChangeEventKind SELinuxEventKind = iota
	// SELinuxStatusChangeEventKind represents SELinux status change events
	// (enforcement mode changes, reported via SELinuxEvent.EnforceStatus)
	SELinuxStatusChangeEventKind
	// SELinuxBoolCommitEventKind represents SELinux boolean commit events
	SELinuxBoolCommitEventKind
)

type SecurityProfileContext added in v0.45.0

// SecurityProfileContext holds the security context of the profile an event
// was evaluated against: its name, version, tags and the event types it
// covers. EventTypeState is internal (`field:"-"`) and records the filtering
// state of this event's type within the profile.
type SecurityProfileContext struct {
	Name           string                     `field:"name"`        // SECLDoc[name] Definition:`Name of the security profile`
	Version        string                     `field:"version"`     // SECLDoc[version] Definition:`Version of the security profile`
	Tags           []string                   `field:"tags"`        // SECLDoc[tags] Definition:`Tags of the security profile`
	EventTypes     []EventType                `field:"event_types"` // SECLDoc[event_types] Definition:`Event types enabled for the security profile`
	EventTypeState EventFilteringProfileState `field:"-"`           // State of the event type in this profile
}

SecurityProfileContext holds the security context of the profile

type SetXAttrEvent added in v0.34.0

// SetXAttrEvent represents an extended attributes event.
//
// Namespace and Name are derived from NameRaw by the ResolveXAttrNamespace /
// ResolveXAttrName handlers and exposed as `file.destination.namespace` and
// `file.destination.name`. NameRaw is a fixed 200-byte buffer that is not a
// SECL field; an attribute name longer than that cannot be represented in
// full. NOTE(review): the buffer is presumably copied verbatim from the
// kernel side — confirm. Rules that watch for attribute-driven privilege
// changes (e.g. the `security` namespace, which carries file capabilities
// and labels on Linux) should match on Namespace rather than substring-
// matching Name.
type SetXAttrEvent struct {
	SyscallEvent
	// File is the file whose extended attribute is being set.
	File      FileEvent `field:"file"`
	Namespace string    `field:"file.destination.namespace,handler:ResolveXAttrNamespace"` // SECLDoc[file.destination.namespace] Definition:`Namespace of the extended attribute`
	Name      string    `field:"file.destination.name,handler:ResolveXAttrName"`           // SECLDoc[file.destination.name] Definition:`Name of the extended attribute`

	// NameRaw is the raw, fixed-size attribute name buffer the handlers parse.
	NameRaw [200]byte `field:"-"`
}

SetXAttrEvent represents an extended attributes event

type SetgidEvent added in v0.34.0

// SetgidEvent represents a setgid event.
//
// The struct carries only the NEW real, effective and filesystem GIDs (and
// their names, resolved on access by the ResolveSetgid* handlers); the
// previous credentials are not part of this event, so a rule that wants to
// detect a privilege gain or drop must compare against the process context.
type SetgidEvent struct {
	GID     uint32 `field:"gid"`                                  // SECLDoc[gid] Definition:`New GID of the process`
	Group   string `field:"group,handler:ResolveSetgidGroup"`     // SECLDoc[group] Definition:`New group of the process`
	EGID    uint32 `field:"egid"`                                 // SECLDoc[egid] Definition:`New effective GID of the process`
	EGroup  string `field:"egroup,handler:ResolveSetgidEGroup"`   // SECLDoc[egroup] Definition:`New effective group of the process`
	FSGID   uint32 `field:"fsgid"`                                // SECLDoc[fsgid] Definition:`New FileSystem GID of the process`
	FSGroup string `field:"fsgroup,handler:ResolveSetgidFSGroup"` // SECLDoc[fsgroup] Definition:`New FileSystem group of the process`
}

SetgidEvent represents a setgid event

type SetuidEvent added in v0.34.0

// SetuidEvent represents a setuid event.
//
// As with SetgidEvent, only the NEW real, effective and filesystem UIDs are
// carried (names resolved on access by the ResolveSetuid* handlers); the
// previous UIDs are not in this struct. A transition to uid/euid 0 is the
// classic privilege-escalation signal, but deciding that requires the prior
// credentials from the process context, not this event alone.
type SetuidEvent struct {
	UID    uint32 `field:"uid"`                                // SECLDoc[uid] Definition:`New UID of the process`
	User   string `field:"user,handler:ResolveSetuidUser"`     // SECLDoc[user] Definition:`New user of the process`
	EUID   uint32 `field:"euid"`                               // SECLDoc[euid] Definition:`New effective UID of the process`
	EUser  string `field:"euser,handler:ResolveSetuidEUser"`   // SECLDoc[euser] Definition:`New effective user of the process`
	FSUID  uint32 `field:"fsuid"`                              // SECLDoc[fsuid] Definition:`New FileSystem UID of the process`
	FSUser string `field:"fsuser,handler:ResolveSetuidFSUser"` // SECLDoc[fsuser] Definition:`New FileSystem user of the process`
}

SetuidEvent represents a setuid event

type SignalEvent added in v0.35.0

// SignalEvent represents a signal event: Type is the signal number (see the
// SECL "Signal constants"), PID the target pid, and Target the resolved
// context of the target process.
//
// NOTE(review): Target is a pointer and nothing here guarantees it is
// populated — nil-check before dereferencing; whether the resolver always
// fills it is not visible in this file.
type SignalEvent struct {
	SyscallEvent

	Type   uint32          `field:"type"`   // SECLDoc[type] Definition:`Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)` Constants:`Signal constants`
	PID    uint32          `field:"pid"`    // SECLDoc[pid] Definition:`Target PID`
	Target *ProcessContext `field:"target"` // Target process context (may be nil, see type comment)
}

SignalEvent represents a signal event

type SpanContext added in v0.34.0

// SpanContext describes a tracing span context attached to an event: a
// 64-bit span id and a 128-bit trace id. Neither is a SECL field
// (`field:"-"`).
type SpanContext struct {
	SpanID  uint64          `field:"-"`
	TraceID mathutil.Int128 `field:"-"`
}

SpanContext describes a span context

type SpliceEvent added in v0.35.0

// SpliceEvent represents a splice event.
//
// File is the file modified by the splice. PipeEntryFlag and PipeExitFlag
// are the pipe-buffer flags of the "fd_out" pipe observed on entry to and
// exit from the syscall (see the SECL "Pipe buffer flags"). NOTE(review):
// a before/after view of pipe-buffer flags is what one would inspect to
// catch splice-based abuse of the page cache (the Dirty Pipe class of bug);
// the detection logic itself lives outside this file.
type SpliceEvent struct {
	SyscallEvent

	File          FileEvent `field:"file"`            // File modified by the splice syscall
	PipeEntryFlag uint32    `field:"pipe_entry_flag"` // SECLDoc[pipe_entry_flag] Definition:`Entry flag of the "fd_out" pipe passed to the splice syscall` Constants:`Pipe buffer flags`
	PipeExitFlag  uint32    `field:"pipe_exit_flag"`  // SECLDoc[pipe_exit_flag] Definition:`Exit flag of the "fd_out" pipe passed to the splice syscall` Constants:`Pipe buffer flags`
}

SpliceEvent represents a splice event

type Syscall added in v0.39.0

type Syscall int

Syscall represents a syscall identifier

func (Syscall) String added in v0.39.0

func (i Syscall) String() string

type SyscallContext added in v0.55.0

// SyscallContext contains syscall context: the raw arguments captured for a
// syscall, up to three strings (StrArg1..3) and three integers (IntArg1..3).
//
// The SECL fields are `syscall.str1..3` / `syscall.int1..3`. Every one of
// them is resolved on access by a ResolveSyscallCtxArgs* handler, carries
// weight 900 and is tagged `getters_only|skip_ad` (exposed to getters,
// presumably excluded from activity dumps — confirm). ID and Resolved are
// hidden from SECL; Resolved flags whether the handlers have already run.
// NOTE(review): what ID keys into is not visible in this file.
// Per-event aliases (e.g. `rename.syscall.path`) reference these fields via
// `ref:` tags; they are the argument strings as passed by the caller rather
// than resolved file paths, so prefer the `file.*` fields for path matching.
type SyscallContext struct {
	ID uint32 `field:"-"`

	StrArg1 string `field:"syscall.str1,handler:ResolveSyscallCtxArgsStr1,weight:900,opts:getters_only|skip_ad"`
	StrArg2 string `field:"syscall.str2,handler:ResolveSyscallCtxArgsStr2,weight:900,opts:getters_only|skip_ad"`
	StrArg3 string `field:"syscall.str3,handler:ResolveSyscallCtxArgsStr3,weight:900,opts:getters_only|skip_ad"`

	IntArg1 int64 `field:"syscall.int1,handler:ResolveSyscallCtxArgsInt1,weight:900,opts:getters_only|skip_ad"`
	IntArg2 int64 `field:"syscall.int2,handler:ResolveSyscallCtxArgsInt2,weight:900,opts:getters_only|skip_ad"`
	IntArg3 int64 `field:"syscall.int3,handler:ResolveSyscallCtxArgsInt3,weight:900,opts:getters_only|skip_ad"`

	// Resolved is set once the argument handlers have populated the fields above.
	Resolved bool `field:"-"`
}

SyscallContext holds the raw arguments captured for a syscall — up to three string arguments (`syscall.str1..3`) and three integer arguments (`syscall.int1..3`), each resolved on access by a handler.

type SyscallDriftEventReason added in v0.57.0

type SyscallDriftEventReason uint64

SyscallDriftEventReason describes why a syscall drift event was sent

// Reasons for emitting a syscall drift event. Numbering starts at 1 so that
// the zero value of SyscallDriftEventReason is never a valid reason.
const (
	// SyscallMonitorPeriodReason means that the event was sent because the syscall cache entry was dirty for longer than syscall_monitor.period
	SyscallMonitorPeriodReason SyscallDriftEventReason = iota + 1
	// ExitReason means that the event was sent because a pid that was about to exit had a dirty cache entry
	ExitReason
	// ExecveReason means that the event was sent because an execve syscall was detected on a pid with a dirty cache entry
	ExecveReason
)

func (SyscallDriftEventReason) String added in v0.57.0

func (r SyscallDriftEventReason) String() string

type SyscallEvent added in v0.34.0

// SyscallEvent contains the field common to all syscall-backed events: the
// syscall's return value, exposed as `retval` (symbolic names come from the
// SECL "Error constants"; see also RetValError).
type SyscallEvent struct {
	Retval int64 `field:"retval"` // SECLDoc[retval] Definition:`Return value of the syscall` Constants:`Error constants`
}

SyscallEvent contains the field common to all syscall-backed events: the syscall return value.

type SyscallsEvent added in v0.39.0

// SyscallsEvent represents a syscalls event: the list of syscall identifiers
// observed for a process together with the reason the event was emitted
// (see SyscallDriftEventReason). Neither field carries a SECL tag.
type SyscallsEvent struct {
	EventReason SyscallDriftEventReason
	// Syscalls is the decoded list of observed syscalls. The sizing note kept
	// from the original — 64 bytes * 8 = 512 bits > 450 — refers to the bitmap
	// this slice is decoded from, which has room for all ~450 syscall numbers.
	// NOTE(review): the bitmap origin is inferred from that note — confirm.
	Syscalls    []Syscall // 64 * 8 = 512 > 450, bytes should be enough to hold all 450 syscalls
}

SyscallsEvent represents a syscalls event

type TLSContext added in v0.60.0

// TLSContext represents a TLS context: the negotiated protocol version,
// exposed as `version`.
//
// NOTE(review): Version is a bare uint16 rather than the TLSVersion type
// declared in this package; convert explicitly (TLSVersion(ctx.Version))
// to get the symbolic name from TLSVersion.String.
type TLSContext struct {
	Version uint16 `field:"version"` // SECLDoc[version] Definition:`TLS version`
}

TLSContext represents a TLS context (the negotiated protocol version).

type TLSVersion added in v0.60.0

type TLSVersion uint16

TLSVersion is a TLS protocol version number.

func (TLSVersion) String added in v0.60.0

func (tls TLSVersion) String() string

type UmountEvent added in v0.34.0

// UmountEvent represents an umount event identified by the mount id being
// detached.
//
// NOTE(review): unlike the other event structs, MountID carries no `field`
// tag at all (neither a name nor `-`), so whether it is reachable from SECL
// depends on how the field generator treats untagged fields — not visible
// here.
type UmountEvent struct {
	SyscallEvent
	MountID uint32
}

UmountEvent represents an umount event

type UnlinkEvent added in v0.34.0

// UnlinkEvent represents an unlink event.
//
// File is the file removed and Flags the unlink flags (SECL "Unlink flags").
// The aliases map the captured SyscallContext arguments in unlinkat(2)
// order: dirfd = int1, path = str2, flags = int3. NOTE(review): how the plain
// unlink(2) entry point, which has no dirfd or flags, populates these
// slots is not visible here — confirm. `syscall.path` is the caller-supplied
// string; prefer `file.*` for path matching in rules.
type UnlinkEvent struct {
	SyscallEvent
	SyscallContext
	// File is the file that was unlinked.
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"` // SECLDoc[flags] Definition:`Flags of the unlink syscall` Constants:`Unlink flags`

	// Syscall context aliases
	SyscallDirFd uint64 `field:"syscall.dirfd,ref:unlink.syscall.int1"` // SECLDoc[syscall.dirfd] Definition:`Directory file descriptor argument of the syscall`
	SyscallPath  string `field:"syscall.path,ref:unlink.syscall.str2"`  // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
	SyscallFlags uint64 `field:"syscall.flags,ref:unlink.syscall.int3"` // SECLDoc[syscall.flags] Definition:`Flags argument of the syscall`
}

UnlinkEvent represents an unlink event

type UnloadModuleEvent added in v0.35.0

// UnloadModuleEvent represents an unload_module event; Name is the name of
// the kernel module that was removed, exposed as `name`.
type UnloadModuleEvent struct {
	SyscallEvent

	Name string `field:"name"` // SECLDoc[name] Definition:`Name of the kernel module that was deleted`
}

UnloadModuleEvent represents an unload_module event

type UnshareMountNSEvent added in v0.42.0

// UnshareMountNSEvent represents a mount cloned from a newly created mount
// namespace. It embeds Mount, so all of Mount's fields are exposed directly.
type UnshareMountNSEvent struct {
	Mount
}

UnshareMountNSEvent represents a mount cloned from a newly created mount namespace

type UserSessionContext added in v0.50.0

// UserSessionContext describes the user session context.
//
// ID, SessionType and Resolved are internal (`field:"-"`). The K8S* fields
// are the Kubernetes identity of the user that executed the process,
// resolved on access by the ResolveK8S* handlers and exposed as
// `k8s_username`, `k8s_uid` and `k8s_groups`; K8SExtra has only a `json`
// tag and is therefore not a SECL field. The `json` tags exist so the struct
// can be populated from the credential payload produced by
// cws-instrumentation. NOTE(review): that payload is reported by the
// instrumentation side, so treat these values as attribution data whose
// trust is bounded by that producer rather than as a kernel-attested
// identity — confirm how the payload is delivered and validated.
type UserSessionContext struct {
	ID          uint64           `field:"-"`
	SessionType usersession.Type `field:"-"`
	// Resolved is set once the K8S* handlers have populated the fields below.
	Resolved    bool             `field:"-"`
	// Kubernetes User Session context
	K8SUsername string              `field:"k8s_username,handler:ResolveK8SUsername" json:"username,omitempty"` // SECLDoc[k8s_username] Definition:`Kubernetes username of the user that executed the process`
	K8SUID      string              `field:"k8s_uid,handler:ResolveK8SUID" json:"uid,omitempty"`                // SECLDoc[k8s_uid] Definition:`Kubernetes UID of the user that executed the process`
	K8SGroups   []string            `field:"k8s_groups,handler:ResolveK8SGroups" json:"groups,omitempty"`       // SECLDoc[k8s_groups] Definition:`Kubernetes groups of the user that executed the process`
	// K8SExtra carries any additional user info from the payload; json only, not a SECL field.
	K8SExtra    map[string][]string `json:"extra,omitempty"`
}

UserSessionContext describes the user session context. Note: the `json` tags are not SECL field tags; they exist so that the Kubernetes credentials reported by cws-instrumentation can be parsed into this struct.

type UtimesEvent added in v0.34.0

// UtimesEvent represents a utimes event (timestamp modification).
//
// File is the target file (SECL prefix `file`); Atime and Mtime are the new
// access and modification times and are not SECL fields (`field:"-"`).
// SyscallPath aliases the first captured string argument
// (`utimes.syscall.str1`), the path as supplied by the caller. NOTE(review):
// timestamp rewrites are a common anti-forensics step; a rule on this event
// should match on `file.*` rather than the raw `syscall.path`.
type UtimesEvent struct {
	SyscallEvent
	SyscallContext
	// File is the file whose timestamps were changed.
	File  FileEvent `field:"file"`
	// Atime / Mtime are the new access and modification times.
	Atime time.Time `field:"-"`
	Mtime time.Time `field:"-"`

	// Syscall context aliases
	SyscallPath string `field:"syscall.path,ref:utimes.syscall.str1"` // SECLDoc[syscall.path] Definition:`Path argument of the syscall`
}

UtimesEvent represents a utimes event (modification of a file's access/modification timestamps).

type VethPairEvent added in v0.36.0

// VethPairEvent represents a veth pair event: HostDevice is the host-side
// network device and PeerDevice its peer. Neither field carries a SECL tag.
type VethPairEvent struct {
	SyscallEvent

	HostDevice NetDevice
	PeerDevice NetDevice
}

VethPairEvent represents a veth pair event

Directories

Path Synopsis
Package main holds main related files
Package main holds main related files
Package sharedconsts holds model related shared constants
Package sharedconsts holds model related shared constants
Package usersession holds model related to the user session context
Package usersession holds model related to the user session context
