monitor

package
v0.0.0-...-45a9bcf Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 3, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package monitor represents a wrapper to netlink, which gives us the ability to monitor process events like Exec and Exit, and activate the registered callbacks for the relevant events

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FindDeletedProcesses

func FindDeletedProcesses[V any](pids map[uint32]V) map[uint32]struct{}

FindDeletedProcesses returns the terminated PIDs from the given map.

Types

type Event

type Event struct {
	Type model.EventType
	Pid  uint32
}

Event defines the event used by the process monitor

type EventConsumer

type EventConsumer struct{}

EventConsumer defines an event consumer to handle event monitor events in the process monitor

func NewProcessMonitorEventConsumer

func NewProcessMonitorEventConsumer(em *eventmonitor.EventMonitor) (*EventConsumer, error)

NewProcessMonitorEventConsumer returns a new process monitor event consumer

func (*EventConsumer) ChanSize

func (ec *EventConsumer) ChanSize() int

ChanSize returns the channel size used by this consumer

func (*EventConsumer) Copy

func (ec *EventConsumer) Copy(event *model.Event) any

Copy should copy the given event or return nil to discard it

func (*EventConsumer) EventTypes

func (ec *EventConsumer) EventTypes() []model.EventType

EventTypes returns the event types handled by this consumer

func (*EventConsumer) HandleEvent

func (ec *EventConsumer) HandleEvent(event any)

HandleEvent handles events received from the event monitor

func (*EventConsumer) ID

func (ec *EventConsumer) ID() string

ID returns the ID of this consumer

func (*EventConsumer) Start

func (ec *EventConsumer) Start() error

Start the consumer

func (*EventConsumer) Stop

func (ec *EventConsumer) Stop()

Stop the consumer

type ProcessCallback

type ProcessCallback = func(pid uint32)

ProcessCallback is a callback function that is called on a given pid that represents a new process.

type ProcessMonitor

type ProcessMonitor struct {
	// contains filtered or unexported fields
}

ProcessMonitor uses netlink process events like Exec and Exit and activate the registered callbacks for the relevant events. ProcessMonitor require root or CAP_NET_ADMIN capabilities

func GetProcessMonitor

func GetProcessMonitor() *ProcessMonitor

GetProcessMonitor create a monitor (only once) that register to netlink process events.

This monitor can monitor.Subscribe(callback, filter) callback on particular event like process EXEC, EXIT. The callback will be called when the filter will match. Filter can be applied on :

process name (NAME)
by default ANY is applied

Typical initialization:

mon := GetProcessMonitor()
mon.Subscribe(callback)
mon.Initialize()

note: o GetProcessMonitor() will always return the same instance

  as we can only register once with netlink process event
o mon.Subscribe() will subscribe callback before or after the Initialization
o mon.Initialize() will scan current processes and call subscribed callback

o callback{Event: EXIT, Metadata: ANY}   callback is called for all exit events (system-wide)
o callback{Event: EXIT, Metadata: NAME}  callback will be called if we have seen the process Exec event,
                                         the metadata will be saved between Exec and Exit event per pid
                                         then the Exit callback will evaluate the same metadata on Exit.
                                         We need to save the metadata here as /proc/pid doesn't exist anymore.

func (*ProcessMonitor) Initialize

func (pm *ProcessMonitor) Initialize(useEventStream bool) error

Initialize setting up the process monitor only once, no matter how many times it was called. The initialization order:

  1. Initializes callback workers.
  2. Initializes the netlink process monitor.
  3. Run the main event loop in a goroutine.
  4. Scans already running processes and call the Exec callbacks on them.

func (*ProcessMonitor) Stop

func (pm *ProcessMonitor) Stop()

Stop decreasing the refcount, and if we reach 0 we terminate the main event loop.

func (*ProcessMonitor) SubscribeExec

func (pm *ProcessMonitor) SubscribeExec(callback ProcessCallback) func()

SubscribeExec register an exec callback and returns unsubscribe function callback that removes the callback.

A callback can be registered only once, callback with a filter type (not ANY) must be registered before the matching Exit callback.

func (*ProcessMonitor) SubscribeExit

func (pm *ProcessMonitor) SubscribeExit(callback ProcessCallback) func()

SubscribeExit register an exit callback and returns unsubscribe function callback that removes the callback.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL