Documentation ¶
Overview ¶
Package monitor is a wrapper around netlink that lets us monitor process events such as Exec and Exit and invoke the callbacks registered for those events.
Index ¶
- func FindDeletedProcesses[V any](pids map[uint32]V) map[uint32]struct{}
- type Event
- type EventConsumer
- func (ec *EventConsumer) ChanSize() int
- func (ec *EventConsumer) Copy(event *model.Event) any
- func (ec *EventConsumer) EventTypes() []model.EventType
- func (ec *EventConsumer) HandleEvent(event any)
- func (ec *EventConsumer) ID() string
- func (ec *EventConsumer) Start() error
- func (ec *EventConsumer) Stop()
- type ProcessCallback
- type ProcessMonitor
Functions ¶
func FindDeletedProcesses ¶
FindDeletedProcesses returns the terminated PIDs from the given map.
Types ¶
type EventConsumer ¶
type EventConsumer struct{}
EventConsumer defines an event consumer to handle event monitor events in the process monitor
func NewProcessMonitorEventConsumer ¶
func NewProcessMonitorEventConsumer(em *eventmonitor.EventMonitor) (*EventConsumer, error)
NewProcessMonitorEventConsumer returns a new process monitor event consumer
func (*EventConsumer) ChanSize ¶
func (ec *EventConsumer) ChanSize() int
ChanSize returns the channel size used by this consumer
func (*EventConsumer) Copy ¶
func (ec *EventConsumer) Copy(event *model.Event) any
Copy should copy the given event or return nil to discard it
func (*EventConsumer) EventTypes ¶
func (ec *EventConsumer) EventTypes() []model.EventType
EventTypes returns the event types handled by this consumer
func (*EventConsumer) HandleEvent ¶
func (ec *EventConsumer) HandleEvent(event any)
HandleEvent handles events received from the event monitor
type ProcessCallback ¶
type ProcessCallback = func(pid uint32)
ProcessCallback is a callback function that is called on a given pid that represents a new process.
type ProcessMonitor ¶
type ProcessMonitor struct {
// contains filtered or unexported fields
}
ProcessMonitor uses netlink process events such as Exec and Exit and activates the registered callbacks for the relevant events. ProcessMonitor requires root or CAP_NET_ADMIN capabilities.
func GetProcessMonitor ¶
func GetProcessMonitor() *ProcessMonitor
GetProcessMonitor creates a monitor (only once) that registers for netlink process events.
This monitor can monitor.Subscribe(callback, filter) a callback on a particular event such as process EXEC or EXIT. The callback is called when the filter matches. The filter can be applied on:
- process name (NAME); by default ANY is applied
Typical initialization:
    mon := GetProcessMonitor()
    mon.Subscribe(callback)
    mon.Initialize()
Note:
- GetProcessMonitor() will always return the same instance, as we can only register once with netlink process events.
- mon.Subscribe() will subscribe the callback before or after the initialization.
- mon.Initialize() will scan current processes and call the subscribed callbacks.
- callback{Event: EXIT, Metadata: ANY}: the callback is called for all exit events (system-wide).
- callback{Event: EXIT, Metadata: NAME}: the callback is called if we have seen the process Exec event. The metadata is saved between the Exec and Exit events per pid, then the Exit callback evaluates the same metadata on Exit. We need to save the metadata here because /proc/pid doesn't exist anymore.
func (*ProcessMonitor) Initialize ¶
func (pm *ProcessMonitor) Initialize(useEventStream bool) error
Initialize sets up the process monitor only once, no matter how many times it is called. The initialization order:
- Initializes callback workers.
- Initializes the netlink process monitor.
- Runs the main event loop in a goroutine.
- Scans already running processes and calls the Exec callbacks on them.
func (*ProcessMonitor) Stop ¶
func (pm *ProcessMonitor) Stop()
Stop decreases the refcount and, if it reaches 0, terminates the main event loop.
func (*ProcessMonitor) SubscribeExec ¶
func (pm *ProcessMonitor) SubscribeExec(callback ProcessCallback) func()
SubscribeExec registers an exec callback and returns an unsubscribe function that removes the callback.
A callback can be registered only once. A callback with a filter type (not ANY) must be registered before the matching Exit callback.
func (*ProcessMonitor) SubscribeExit ¶
func (pm *ProcessMonitor) SubscribeExit(callback ProcessCallback) func()
SubscribeExit registers an exit callback and returns an unsubscribe function that removes the callback.
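A ProcessCallback receives only the PID, and /proc/pid no longer exists once the process has exited, so a subscriber that wants to attribute exits has to cache what it needs at exec time. The sketch below is an added example, not code from this package: `tracker`, its methods and `root` are hypothetical names, it assumes callbacks are invoked from a single goroutine, and `sweep` is a stand-in for the kind of check FindDeletedProcesses performs.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// tracker keeps each PID's name from exec to exit; root stands in for /proc (assumption).
type tracker struct {
	root  string
	names map[uint32]string
}

func (t *tracker) dir(pid uint32) string { return filepath.Join(t.root, fmt.Sprint(pid)) }

// onExec has the ProcessCallback shape: it receives only the PID.
func (t *tracker) onExec(pid uint32) {
	b, _ := os.ReadFile(filepath.Join(t.dir(pid), "comm")) // empty if already gone
	t.names[pid] = strings.TrimSpace(string(b))
}

// onExit returns the name cached at exec time; the proc entry no longer exists.
func (t *tracker) onExit(pid uint32) (string, bool) {
	name, ok := t.names[pid]
	delete(t.names, pid)
	return name, ok
}

// sweep evicts PIDs whose entry vanished with no exit callback seen (hypothetical stand-in).
func (t *tracker) sweep() (gone []uint32) {
	for pid := range t.names {
		if _, err := os.Stat(t.dir(pid)); os.IsNotExist(err) {
			gone = append(gone, pid)
			delete(t.names, pid)
		}
	}
	return gone
}

func main() {
	root, _ := os.MkdirTemp("", "proc") // constructed stand-in for /proc
	t := &tracker{root, map[uint32]string{}}
	os.MkdirAll(t.dir(101), 0o755)
	os.WriteFile(filepath.Join(t.dir(101), "comm"), []byte("curl\n"), 0o644)
	t.onExec(101)
	os.RemoveAll(root) // constructed process 101 exits and its entry disappears
	fmt.Println(t.onExit(101))
}
```

If callbacks can run on several goroutines, guard `names` with a mutex. Running `sweep` periodically keeps the cache bounded when an exit event is never delivered.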