probe

package
v0.0.0-...-fdd7787 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 20, 2024 License: Apache-2.0 Imports: 88 Imported by: 0

Documentation

Overview

Package probe holds probe related files

Package probe holds probe related files

Index

Constants

View Source
const (
	// HashTriggerTimeout hash triggered because of a timeout
	HashTriggerTimeout = "timeout"
	// HashTriggerProcessExit hash triggered on process exit
	HashTriggerProcessExit = "process_exit"
)
View Source
const (
	// EBPFOrigin eBPF origin
	EBPFOrigin = "ebpf"
	// EBPFLessOrigin eBPF less origin
	EBPFLessOrigin = "ebpfless"
)
View Source
const (
	// DiscardRetention time a discard is retained but not discarding. This avoid race for pending event is userspace
	// pipeline for already deleted file in kernel space.
	DiscardRetention = 5 * time.Second
)
View Source
const (
	// MaxOnDemandEventsPerSecond represents the maximum number of on demand events per second
	// allowed before we switch off the subsystem
	MaxOnDemandEventsPerSecond = 1_000
)
View Source
const (
	// ServiceEnvVar environment variable used to report service
	ServiceEnvVar = "DD_SERVICE"
)

Variables

View Source
var (
	// SupportedDiscarders lists all field which supports discarders
	SupportedDiscarders = make(map[eval.Field]bool)
	// SupportedMultiDiscarder lists all supported multi discarders
	SupportedMultiDiscarder []*rules.MultiDiscarder
)
View Source
var (
	// DiscarderConstants ebpf constants
	DiscarderConstants = []manager.ConstantEditor{
		{
			Name:  "discarder_retention",
			Value: uint64(DiscardRetention.Nanoseconds()),
		},
	}
)
View Source
var ErrActivityDumpManagerDisabled = errors.New("ActivityDumpManager is disabled")

ErrActivityDumpManagerDisabled is returned when the activity dump manager is disabled

View Source
var ErrSecurityProfileManagerDisabled = errors.New("SecurityProfileManager is disabled")

ErrSecurityProfileManagerDisabled is returned when the security profile manager is disabled

View Source
var InvalidDiscarders = map[eval.Field][]string{
	"open.file.path":               dentryInvalidDiscarder,
	"unlink.file.path":             dentryInvalidDiscarder,
	"chmod.file.path":              dentryInvalidDiscarder,
	"chown.file.path":              dentryInvalidDiscarder,
	"mkdir.file.path":              dentryInvalidDiscarder,
	"rmdir.file.path":              dentryInvalidDiscarder,
	"rename.file.path":             dentryInvalidDiscarder,
	"rename.file.destination.path": dentryInvalidDiscarder,
	"utimes.file.path":             dentryInvalidDiscarder,
	"link.file.path":               dentryInvalidDiscarder,
	"link.file.destination.path":   dentryInvalidDiscarder,
	"process.file.path":            dentryInvalidDiscarder,
	"setxattr.file.path":           dentryInvalidDiscarder,
	"removexattr.file.path":        dentryInvalidDiscarder,
	"chdir.file.path":              dentryInvalidDiscarder,
}

InvalidDiscarders exposes list of values that are not discarders

Functions

func AppendProbeRequestsToFetcher

func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version)

AppendProbeRequestsToFetcher returns the offsets and struct sizes constants, from a constant fetcher

func IsNetworkNotSupported

func IsNetworkNotSupported(kv *kernel.Version) bool

IsNetworkNotSupported returns if the network feature is supported

func IsRawPacketNotSupported

func IsRawPacketNotSupported(kv *kernel.Version) bool

IsRawPacketNotSupported returns if the raw packet feature is supported

func NewAbnormalEvent

func NewAbnormalEvent(acc *events.AgentContainerContext, id string, description string, event *model.Event, err error) (*rules.Rule, *events.CustomEvent)

NewAbnormalEvent returns the rule and a populated custom event for a abnormal event

func NewAgentContainerContext

func NewAgentContainerContext() (*events.AgentContainerContext, error)

NewAgentContainerContext returns the agent container context

func NewEBPFLessEvent

func NewEBPFLessEvent(fh *EBPFLessFieldHandlers) *model.Event

NewEBPFLessEvent returns a new event

func NewEBPFLessHelloMsgEvent

func NewEBPFLessHelloMsgEvent(acc *events.AgentContainerContext, msg *ebpfless.HelloMsg, scrubber *procutil.DataScrubber, tagger tags.Tagger) (*rules.Rule, *events.CustomEvent)

NewEBPFLessHelloMsgEvent returns a eBPFLess hello custom event

func NewEBPFLessModel

func NewEBPFLessModel() *model.Model

NewEBPFLessModel returns a new model with some extra field validation

func NewEBPFModel

func NewEBPFModel(probe *EBPFProbe) *model.Model

NewEBPFModel returns a new model with some extra field validation

Types

type AbnormalEvent

type AbnormalEvent struct {
	events.CustomEventCommonFields
	Event *serializers.EventSerializer `json:"triggering_event"`
	Error string                       `json:"error"`
}

AbnormalEvent is used to report that a path resolution failed for a suspicious reason easyjson:json

func (AbnormalEvent) MarshalEasyJSON

func (v AbnormalEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (AbnormalEvent) ToJSON

func (a AbnormalEvent) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*AbnormalEvent) UnmarshalEasyJSON

func (v *AbnormalEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type BaseFieldHandlers

type BaseFieldHandlers struct {
	// contains filtered or unexported fields
}

BaseFieldHandlers holds the base field handlers

func NewBaseFieldHandlers

func NewBaseFieldHandlers(cfg *config.Config, hostname string) (*BaseFieldHandlers, error)

NewBaseFieldHandlers creates a new BaseFieldHandlers

func (*BaseFieldHandlers) ResolveHostname

func (bfh *BaseFieldHandlers) ResolveHostname(_ *model.Event, _ *model.BaseEvent) string

ResolveHostname resolve the hostname

func (*BaseFieldHandlers) ResolveIsIPPublic

func (bfh *BaseFieldHandlers) ResolveIsIPPublic(_ *model.Event, ipCtx *model.IPPortContext) bool

ResolveIsIPPublic resolves if the IP is public

func (*BaseFieldHandlers) ResolveService

func (bfh *BaseFieldHandlers) ResolveService(ev *model.Event, e *model.BaseEvent) string

ResolveService returns the service tag based on the process context

type CoreDump

type CoreDump struct {
	// contains filtered or unexported fields
}

CoreDump defines an internal core dump

func NewCoreDump

func NewCoreDump(def *rules.CoreDumpDefinition, resolvers *resolvers.EBPFResolvers, event events.EventMarshaler) *CoreDump

NewCoreDump returns a new core dump

func (*CoreDump) ToJSON

func (cd *CoreDump) ToJSON() ([]byte, error)

ToJSON return json version of the dump

type CustomEventHandler

type CustomEventHandler interface {
	HandleCustomEvent(rule *rules.Rule, event *events.CustomEvent)
}

CustomEventHandler represents an handler for the custom events sent by the probe

type Discarder

type Discarder struct {
	Field eval.Field
}

Discarder represents a discarder which is basically the field that we know for sure that the value will be always rejected by the rules

type DiscarderParams

type DiscarderParams struct {
	EventMask  uint64                                                                   `yaml:"event_mask"`
	Timestamps [model.LastDiscarderEventType + 1 - model.FirstDiscarderEventType]uint64 `yaml:"-"`
	ExpireAt   uint64                                                                   `yaml:"expire_at"`
	IsRetained uint32                                                                   `yaml:"is_retained"`
	Revision   uint32
}

DiscarderParams describes a map value

type DiscarderPushedCallback

type DiscarderPushedCallback func(eventType string, event *model.Event, field string)

DiscarderPushedCallback describe the callback used to retrieve pushed discarders information

type DiscardersDump

type DiscardersDump struct {
	Date   time.Time                  `yaml:"date"`
	Inodes []InodeDiscarderDump       `yaml:"inodes"`
	Stats  map[string]discarder.Stats `yaml:"stats"`
}

DiscardersDump describes a dump of discarders

type EBPFFieldHandlers

type EBPFFieldHandlers struct {
	*BaseFieldHandlers
	// contains filtered or unexported fields
}

EBPFFieldHandlers defines a field handlers

func NewEBPFFieldHandlers

func NewEBPFFieldHandlers(config *config.Config, resolvers *resolvers.EBPFResolvers, hostname string, onDemand *OnDemandProbesManager) (*EBPFFieldHandlers, error)

NewEBPFFieldHandlers returns a new EBPFFieldHandlers

func (*EBPFFieldHandlers) GetProcessCacheEntry

func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)

GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFFieldHandlers) ResolveAWSSecurityCredentials

func (fh *EBPFFieldHandlers) ResolveAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials

ResolveAWSSecurityCredentials resolves and updates the AWS security credentials of the input process entry

func (*EBPFFieldHandlers) ResolveAsync

func (fh *EBPFFieldHandlers) ResolveAsync(ev *model.Event) bool

ResolveAsync resolves the async flag

func (*EBPFFieldHandlers) ResolveCGroupID

func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupContext) string

ResolveCGroupID resolves the cgroup ID of the event

func (*EBPFFieldHandlers) ResolveCGroupManager

func (fh *EBPFFieldHandlers) ResolveCGroupManager(ev *model.Event, _ *model.CGroupContext) string

ResolveCGroupManager resolves the manager of the cgroup

func (*EBPFFieldHandlers) ResolveCGroupVersion

func (fh *EBPFFieldHandlers) ResolveCGroupVersion(ev *model.Event, e *model.CGroupContext) int

ResolveCGroupVersion resolves the version of the cgroup API

func (*EBPFFieldHandlers) ResolveChownGID

func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string

ResolveChownGID resolves the group id of a chown event to a group name

func (*EBPFFieldHandlers) ResolveChownUID

func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string

ResolveChownUID resolves the user id of a chown event to a username

func (*EBPFFieldHandlers) ResolveContainerContext

func (fh *EBPFFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)

ResolveContainerContext queries the cgroup resolver to retrieve the ContainerContext of the event

func (*EBPFFieldHandlers) ResolveContainerCreatedAt

func (fh *EBPFFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int

ResolveContainerCreatedAt resolves the container creation time of the event

func (*EBPFFieldHandlers) ResolveContainerID

func (fh *EBPFFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*EBPFFieldHandlers) ResolveContainerRuntime

func (fh *EBPFFieldHandlers) ResolveContainerRuntime(ev *model.Event, _ *model.ContainerContext) string

ResolveContainerRuntime retrieves the container runtime managing the container

func (*EBPFFieldHandlers) ResolveContainerTags

func (fh *EBPFFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string

ResolveContainerTags resolves the container tags of the event

func (*EBPFFieldHandlers) ResolveEventTime

func (fh *EBPFFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time

ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFFieldHandlers) ResolveEventTimestamp

func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.BaseEvent) int

ResolveEventTimestamp resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFFieldHandlers) ResolveFileBasename

func (fh *EBPFFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string

ResolveFileBasename resolves the inode to a full path

func (*EBPFFieldHandlers) ResolveFileFieldsGroup

func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string

ResolveFileFieldsGroup resolves the group id of the file to a group name

func (*EBPFFieldHandlers) ResolveFileFieldsInUpperLayer

func (fh *EBPFFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, f *model.FileFields) bool

ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer

func (*EBPFFieldHandlers) ResolveFileFieldsUser

func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string

ResolveFileFieldsUser resolves the user id of the file to a username

func (*EBPFFieldHandlers) ResolveFileFilesystem

func (fh *EBPFFieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*EBPFFieldHandlers) ResolveFilePath

func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string

ResolveFilePath resolves the inode to a full path

func (*EBPFFieldHandlers) ResolveHashes

func (fh *EBPFFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string

ResolveHashes resolves the hashes of the requested file event

func (*EBPFFieldHandlers) ResolveHashesFromEvent

func (fh *EBPFFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string

ResolveHashesFromEvent resolves the hashes of the requested event

func (*EBPFFieldHandlers) ResolveK8SGroups

func (fh *EBPFFieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string

ResolveK8SGroups resolves the k8s groups of the event

func (*EBPFFieldHandlers) ResolveK8SUID

func (fh *EBPFFieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string

ResolveK8SUID resolves the k8s UID of the event

func (*EBPFFieldHandlers) ResolveK8SUsername

func (fh *EBPFFieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string

ResolveK8SUsername resolves the k8s username of the event

func (*EBPFFieldHandlers) ResolveModuleArgs

func (fh *EBPFFieldHandlers) ResolveModuleArgs(_ *model.Event, module *model.LoadModuleEvent) string

ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args

func (*EBPFFieldHandlers) ResolveModuleArgv

func (fh *EBPFFieldHandlers) ResolveModuleArgv(_ *model.Event, module *model.LoadModuleEvent) []string

ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution.

func (*EBPFFieldHandlers) ResolveMountPointPath

func (fh *EBPFFieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string

ResolveMountPointPath resolves a mount point path

func (*EBPFFieldHandlers) ResolveMountRootPath

func (fh *EBPFFieldHandlers) ResolveMountRootPath(ev *model.Event, e *model.MountEvent) string

ResolveMountRootPath resolves a mount root path

func (*EBPFFieldHandlers) ResolveMountSourcePath

func (fh *EBPFFieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string

ResolveMountSourcePath resolves a mount source path

func (*EBPFFieldHandlers) ResolveNetworkDeviceIfName

func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *model.NetworkDeviceContext) string

ResolveNetworkDeviceIfName returns the network iterface name from the network context

func (*EBPFFieldHandlers) ResolveOnDemandArg1Str

func (fh *EBPFFieldHandlers) ResolveOnDemandArg1Str(_ *model.Event, e *model.OnDemandEvent) string

ResolveOnDemandArg1Str resolves the string value of the first argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg1Uint

func (fh *EBPFFieldHandlers) ResolveOnDemandArg1Uint(_ *model.Event, e *model.OnDemandEvent) int

ResolveOnDemandArg1Uint resolves the uint value of the first argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg2Str

func (fh *EBPFFieldHandlers) ResolveOnDemandArg2Str(_ *model.Event, e *model.OnDemandEvent) string

ResolveOnDemandArg2Str resolves the string value of the second argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg2Uint

func (fh *EBPFFieldHandlers) ResolveOnDemandArg2Uint(_ *model.Event, e *model.OnDemandEvent) int

ResolveOnDemandArg2Uint resolves the uint value of the second argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg3Str

func (fh *EBPFFieldHandlers) ResolveOnDemandArg3Str(_ *model.Event, e *model.OnDemandEvent) string

ResolveOnDemandArg3Str resolves the string value of the third argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg3Uint

func (fh *EBPFFieldHandlers) ResolveOnDemandArg3Uint(_ *model.Event, e *model.OnDemandEvent) int

ResolveOnDemandArg3Uint resolves the uint value of the third argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg4Str

func (fh *EBPFFieldHandlers) ResolveOnDemandArg4Str(_ *model.Event, e *model.OnDemandEvent) string

ResolveOnDemandArg4Str resolves the string value of the fourth argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandArg4Uint

func (fh *EBPFFieldHandlers) ResolveOnDemandArg4Uint(_ *model.Event, e *model.OnDemandEvent) int

ResolveOnDemandArg4Uint resolves the uint value of the fourth argument of hooked function

func (*EBPFFieldHandlers) ResolveOnDemandName

func (fh *EBPFFieldHandlers) ResolveOnDemandName(_ *model.Event, e *model.OnDemandEvent) string

ResolveOnDemandName resolves the on-demand event name

func (*EBPFFieldHandlers) ResolvePackageName

func (fh *EBPFFieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent) string

ResolvePackageName resolves the name of the package providing this file

func (*EBPFFieldHandlers) ResolvePackageSourceVersion

func (fh *EBPFFieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string

ResolvePackageSourceVersion resolves the version of the source package of the package providing this file

func (*EBPFFieldHandlers) ResolvePackageVersion

func (fh *EBPFFieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEvent) string

ResolvePackageVersion resolves the version of the package providing this file

func (*EBPFFieldHandlers) ResolveProcessArgs

func (fh *EBPFFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string

ResolveProcessArgs resolves the args of the event

func (*EBPFFieldHandlers) ResolveProcessArgsFlags

func (fh *EBPFFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)

ResolveProcessArgsFlags resolves the arguments flags of the event

func (*EBPFFieldHandlers) ResolveProcessArgsOptions

func (fh *EBPFFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)

ResolveProcessArgsOptions resolves the arguments options of the event

func (*EBPFFieldHandlers) ResolveProcessArgsScrubbed

func (fh *EBPFFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string

ResolveProcessArgsScrubbed resolves the args of the event

func (*EBPFFieldHandlers) ResolveProcessArgsTruncated

func (fh *EBPFFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessArgsTruncated returns whether the args are truncated

func (*EBPFFieldHandlers) ResolveProcessArgv

func (fh *EBPFFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string

ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution.

func (*EBPFFieldHandlers) ResolveProcessArgv0

func (fh *EBPFFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string

ResolveProcessArgv0 resolves the first arg of the event

func (*EBPFFieldHandlers) ResolveProcessArgvScrubbed

func (fh *EBPFFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string

ResolveProcessArgvScrubbed resolves the args of the process as an array

func (*EBPFFieldHandlers) ResolveProcessCacheEntry

func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFFieldHandlers) ResolveProcessCmdArgv

func (fh *EBPFFieldHandlers) ResolveProcessCmdArgv(ev *model.Event, process *model.Process) []string

ResolveProcessCmdArgv resolves the command line

func (*EBPFFieldHandlers) ResolveProcessContainerID

func (fh *EBPFFieldHandlers) ResolveProcessContainerID(ev *model.Event, _ *model.Process) string

ResolveProcessContainerID resolves the container ID of the event

func (*EBPFFieldHandlers) ResolveProcessCreatedAt

func (fh *EBPFFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int

ResolveProcessCreatedAt resolves process creation time

func (*EBPFFieldHandlers) ResolveProcessEnvp

func (fh *EBPFFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string

ResolveProcessEnvp resolves the envp of the event as an array

func (*EBPFFieldHandlers) ResolveProcessEnvs

func (fh *EBPFFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string

ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution.

func (*EBPFFieldHandlers) ResolveProcessEnvsTruncated

func (fh *EBPFFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessEnvsTruncated returns whether the envs are truncated

func (*EBPFFieldHandlers) ResolveProcessIsThread

func (fh *EBPFFieldHandlers) ResolveProcessIsThread(_ *model.Event, process *model.Process) bool

ResolveProcessIsThread returns true is the process is a thread

func (*EBPFFieldHandlers) ResolveProcessNSID

func (fh *EBPFFieldHandlers) ResolveProcessNSID(e *model.Event) (uint64, error)

ResolveProcessNSID resolves the process namespace ID

func (*EBPFFieldHandlers) ResolveRights

func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*EBPFFieldHandlers) ResolveSELinuxBoolName

func (fh *EBPFFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string

ResolveSELinuxBoolName resolves the boolean name of the SELinux event

func (*EBPFFieldHandlers) ResolveSetgidEGroup

func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetgidFSGroup

func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetgidGroup

func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetuidEUser

func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*EBPFFieldHandlers) ResolveSetuidFSUser

func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*EBPFFieldHandlers) ResolveSetuidUser

func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*EBPFFieldHandlers) ResolveSyscallCtxArgs

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgs(_ *model.Event, e *model.SyscallContext)

ResolveSyscallCtxArgs resolve syscall ctx

func (*EBPFFieldHandlers) ResolveSyscallCtxArgsInt1

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt1(ev *model.Event, e *model.SyscallContext) int

ResolveSyscallCtxArgsInt1 resolve syscall ctx

func (*EBPFFieldHandlers) ResolveSyscallCtxArgsInt2

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt2(ev *model.Event, e *model.SyscallContext) int

ResolveSyscallCtxArgsInt2 resolve syscall ctx

func (*EBPFFieldHandlers) ResolveSyscallCtxArgsInt3

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt3(ev *model.Event, e *model.SyscallContext) int

ResolveSyscallCtxArgsInt3 resolve syscall ctx

func (*EBPFFieldHandlers) ResolveSyscallCtxArgsStr1

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr1(ev *model.Event, e *model.SyscallContext) string

ResolveSyscallCtxArgsStr1 resolve syscall ctx

func (*EBPFFieldHandlers) ResolveSyscallCtxArgsStr2

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr2(ev *model.Event, e *model.SyscallContext) string

ResolveSyscallCtxArgsStr2 resolve syscall ctx

func (*EBPFFieldHandlers) ResolveSyscallCtxArgsStr3

func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr3(ev *model.Event, e *model.SyscallContext) string

ResolveSyscallCtxArgsStr3 resolve syscall ctx

func (*EBPFFieldHandlers) ResolveUserSessionContext

func (fh *EBPFFieldHandlers) ResolveUserSessionContext(evtCtx *model.UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*EBPFFieldHandlers) ResolveXAttrName

func (fh *EBPFFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrName returns the string representation of the extended attribute name

func (*EBPFFieldHandlers) ResolveXAttrNamespace

func (fh *EBPFFieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrNamespace returns the string representation of the extended attribute namespace

type EBPFLessFieldHandlers

type EBPFLessFieldHandlers struct {
	*BaseFieldHandlers
	// contains filtered or unexported fields
}

EBPFLessFieldHandlers defines a field handlers

func NewEBPFLessFieldHandlers

func NewEBPFLessFieldHandlers(config *config.Config, resolvers *resolvers.EBPFLessResolvers, hostname string) (*EBPFLessFieldHandlers, error)

NewEBPFLessFieldHandlers returns a new EBPFLessFieldHandlers

func (*EBPFLessFieldHandlers) GetProcessCacheEntry

func (fh *EBPFLessFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFLessFieldHandlers) ResolveAWSSecurityCredentials

func (fh *EBPFLessFieldHandlers) ResolveAWSSecurityCredentials(_ *model.Event) []model.AWSSecurityCredentials

ResolveAWSSecurityCredentials resolves and updates the AWS security credentials of the input process entry

func (*EBPFLessFieldHandlers) ResolveAsync

func (fh *EBPFLessFieldHandlers) ResolveAsync(ev *model.Event) bool

ResolveAsync resolves the async flag

func (*EBPFLessFieldHandlers) ResolveCGroupID

func (fh *EBPFLessFieldHandlers) ResolveCGroupID(_ *model.Event, _ *model.CGroupContext) string

ResolveCGroupID resolves the cgroup ID of the event

func (*EBPFLessFieldHandlers) ResolveCGroupManager

func (fh *EBPFLessFieldHandlers) ResolveCGroupManager(_ *model.Event, _ *model.CGroupContext) string

ResolveCGroupManager resolves the manager of the cgroup

func (*EBPFLessFieldHandlers) ResolveCGroupVersion

func (fh *EBPFLessFieldHandlers) ResolveCGroupVersion(_ *model.Event, _ *model.CGroupContext) int

ResolveCGroupVersion resolves the version of the cgroup API

func (*EBPFLessFieldHandlers) ResolveChownGID

func (fh *EBPFLessFieldHandlers) ResolveChownGID(_ *model.Event, e *model.ChownEvent) string

ResolveChownGID resolves the ResolveProcessCacheEntry group id of a chown event to a username

func (*EBPFLessFieldHandlers) ResolveChownUID

func (fh *EBPFLessFieldHandlers) ResolveChownUID(_ *model.Event, e *model.ChownEvent) string

ResolveChownUID resolves the ResolveProcessCacheEntry id of a chown event to a username

func (*EBPFLessFieldHandlers) ResolveContainerContext

func (fh *EBPFLessFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)

ResolveContainerContext retrieve the ContainerContext of the event

func (*EBPFLessFieldHandlers) ResolveContainerCreatedAt

func (fh *EBPFLessFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int

ResolveContainerCreatedAt resolves the container creation time of the event

func (*EBPFLessFieldHandlers) ResolveContainerID

func (fh *EBPFLessFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*EBPFLessFieldHandlers) ResolveContainerRuntime

func (fh *EBPFLessFieldHandlers) ResolveContainerRuntime(_ *model.Event, _ *model.ContainerContext) string

ResolveContainerRuntime retrieves the container runtime managing the container

func (*EBPFLessFieldHandlers) ResolveContainerTags

func (fh *EBPFLessFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string

ResolveContainerTags resolves the container tags of the event

func (*EBPFLessFieldHandlers) ResolveEventTime

func (fh *EBPFLessFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time

ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFLessFieldHandlers) ResolveEventTimestamp

func (fh *EBPFLessFieldHandlers) ResolveEventTimestamp(_ *model.Event, e *model.BaseEvent) int

ResolveEventTimestamp resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFLessFieldHandlers) ResolveFileBasename

func (fh *EBPFLessFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string

ResolveFileBasename resolves the inode to a full path

func (*EBPFLessFieldHandlers) ResolveFileFieldsGroup

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsGroup(_ *model.Event, e *model.FileFields) string

ResolveFileFieldsGroup resolves the group id of the file to a group name

func (*EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, e *model.FileFields) bool

ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer

func (*EBPFLessFieldHandlers) ResolveFileFieldsUser

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsUser(_ *model.Event, e *model.FileFields) string

ResolveFileFieldsUser resolves the user id of the file to a username

func (*EBPFLessFieldHandlers) ResolveFileFilesystem

func (fh *EBPFLessFieldHandlers) ResolveFileFilesystem(_ *model.Event, e *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*EBPFLessFieldHandlers) ResolveFilePath

func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string

ResolveFilePath resolves the inode to a full path

func (*EBPFLessFieldHandlers) ResolveHashes

func (fh *EBPFLessFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string

ResolveHashes resolves the hash of the provided file

func (*EBPFLessFieldHandlers) ResolveHashesFromEvent

func (fh *EBPFLessFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string

ResolveHashesFromEvent resolves the hashes of the requested event

func (*EBPFLessFieldHandlers) ResolveK8SGroups

func (fh *EBPFLessFieldHandlers) ResolveK8SGroups(_ *model.Event, e *model.UserSessionContext) []string

ResolveK8SGroups resolves the k8s groups of the event

func (*EBPFLessFieldHandlers) ResolveK8SUID

func (fh *EBPFLessFieldHandlers) ResolveK8SUID(_ *model.Event, e *model.UserSessionContext) string

ResolveK8SUID resolves the k8s UID of the event

func (*EBPFLessFieldHandlers) ResolveK8SUsername

func (fh *EBPFLessFieldHandlers) ResolveK8SUsername(_ *model.Event, e *model.UserSessionContext) string

ResolveK8SUsername resolves the k8s username of the event

func (*EBPFLessFieldHandlers) ResolveModuleArgs

func (fh *EBPFLessFieldHandlers) ResolveModuleArgs(_ *model.Event, e *model.LoadModuleEvent) string

ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args

func (*EBPFLessFieldHandlers) ResolveModuleArgv

func (fh *EBPFLessFieldHandlers) ResolveModuleArgv(_ *model.Event, e *model.LoadModuleEvent) []string

ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution.

func (*EBPFLessFieldHandlers) ResolveMountPointPath

func (fh *EBPFLessFieldHandlers) ResolveMountPointPath(_ *model.Event, e *model.MountEvent) string

ResolveMountPointPath resolves a mount point path

func (*EBPFLessFieldHandlers) ResolveMountRootPath

func (fh *EBPFLessFieldHandlers) ResolveMountRootPath(_ *model.Event, e *model.MountEvent) string

ResolveMountRootPath resolves a mount root path

func (*EBPFLessFieldHandlers) ResolveMountSourcePath

func (fh *EBPFLessFieldHandlers) ResolveMountSourcePath(_ *model.Event, e *model.MountEvent) string

ResolveMountSourcePath resolves a mount source path

func (*EBPFLessFieldHandlers) ResolveNetworkDeviceIfName

func (fh *EBPFLessFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, e *model.NetworkDeviceContext) string

ResolveNetworkDeviceIfName returns the network iterface name from the network context

func (*EBPFLessFieldHandlers) ResolveOnDemandArg1Str

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg1Str(_ *model.Event, _ *model.OnDemandEvent) string

ResolveOnDemandArg1Str resolves the string value of the first argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg1Uint

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg1Uint(_ *model.Event, _ *model.OnDemandEvent) int

ResolveOnDemandArg1Uint resolves the uint value of the first argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg2Str

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg2Str(_ *model.Event, _ *model.OnDemandEvent) string

ResolveOnDemandArg2Str resolves the string value of the second argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg2Uint

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg2Uint(_ *model.Event, _ *model.OnDemandEvent) int

ResolveOnDemandArg2Uint resolves the uint value of the second argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg3Str

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg3Str(_ *model.Event, _ *model.OnDemandEvent) string

ResolveOnDemandArg3Str resolves the string value of the third argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg3Uint

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg3Uint(_ *model.Event, _ *model.OnDemandEvent) int

ResolveOnDemandArg3Uint resolves the uint value of the third argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg4Str

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg4Str(_ *model.Event, _ *model.OnDemandEvent) string

ResolveOnDemandArg4Str resolves the string value of the fourth argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandArg4Uint

func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg4Uint(_ *model.Event, _ *model.OnDemandEvent) int

ResolveOnDemandArg4Uint resolves the uint value of the fourth argument of hooked function

func (*EBPFLessFieldHandlers) ResolveOnDemandName

func (fh *EBPFLessFieldHandlers) ResolveOnDemandName(_ *model.Event, _ *model.OnDemandEvent) string

ResolveOnDemandName resolves the on-demand event name

func (*EBPFLessFieldHandlers) ResolvePackageName

func (fh *EBPFLessFieldHandlers) ResolvePackageName(_ *model.Event, e *model.FileEvent) string

ResolvePackageName resolves the name of the package providing this file

func (*EBPFLessFieldHandlers) ResolvePackageSourceVersion

func (fh *EBPFLessFieldHandlers) ResolvePackageSourceVersion(_ *model.Event, e *model.FileEvent) string

ResolvePackageSourceVersion resolves the version of the source package of the package providing this file

func (*EBPFLessFieldHandlers) ResolvePackageVersion

func (fh *EBPFLessFieldHandlers) ResolvePackageVersion(_ *model.Event, e *model.FileEvent) string

ResolvePackageVersion resolves the version of the package providing this file

func (*EBPFLessFieldHandlers) ResolveProcessArgs

func (fh *EBPFLessFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string

ResolveProcessArgs resolves the args of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsFlags

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)

ResolveProcessArgsFlags resolves the arguments flags of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsOptions

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)

ResolveProcessArgsOptions resolves the arguments options of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsScrubbed

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string

ResolveProcessArgsScrubbed resolves the args of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsTruncated

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessArgsTruncated returns whether the args are truncated

func (*EBPFLessFieldHandlers) ResolveProcessArgv

func (fh *EBPFLessFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string

ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution.

func (*EBPFLessFieldHandlers) ResolveProcessArgv0

func (fh *EBPFLessFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string

ResolveProcessArgv0 resolves the first arg of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgvScrubbed

func (fh *EBPFLessFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string

ResolveProcessArgvScrubbed resolves the args of the process as an array

func (*EBPFLessFieldHandlers) ResolveProcessCacheEntry

func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFLessFieldHandlers) ResolveProcessCmdArgv

func (fh *EBPFLessFieldHandlers) ResolveProcessCmdArgv(ev *model.Event, process *model.Process) []string

ResolveProcessCmdArgv resolves the command line

func (*EBPFLessFieldHandlers) ResolveProcessContainerID

func (fh *EBPFLessFieldHandlers) ResolveProcessContainerID(ev *model.Event, _ *model.Process) string

ResolveProcessContainerID resolves the container ID of the event

func (*EBPFLessFieldHandlers) ResolveProcessCreatedAt

func (fh *EBPFLessFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int

ResolveProcessCreatedAt resolves process creation time

func (*EBPFLessFieldHandlers) ResolveProcessEnvp

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string

ResolveProcessEnvp resolves the envp of the event as an array

func (*EBPFLessFieldHandlers) ResolveProcessEnvs

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string

ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution.

func (*EBPFLessFieldHandlers) ResolveProcessEnvsTruncated

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessEnvsTruncated returns whether the envs are truncated

func (*EBPFLessFieldHandlers) ResolveProcessIsThread

func (fh *EBPFLessFieldHandlers) ResolveProcessIsThread(_ *model.Event, process *model.Process) bool

ResolveProcessIsThread returns true is the process is a thread

func (*EBPFLessFieldHandlers) ResolveRights

func (fh *EBPFLessFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*EBPFLessFieldHandlers) ResolveSELinuxBoolName

func (fh *EBPFLessFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string

ResolveSELinuxBoolName resolves the boolean name of the SELinux event

func (*EBPFLessFieldHandlers) ResolveSetgidEGroup

func (fh *EBPFLessFieldHandlers) ResolveSetgidEGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetgidFSGroup

func (fh *EBPFLessFieldHandlers) ResolveSetgidFSGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetgidGroup

func (fh *EBPFLessFieldHandlers) ResolveSetgidGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetuidEUser

func (fh *EBPFLessFieldHandlers) ResolveSetuidEUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSetuidFSUser

func (fh *EBPFLessFieldHandlers) ResolveSetuidFSUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSetuidUser

func (fh *EBPFLessFieldHandlers) ResolveSetuidUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgs

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgs(_ *model.Event, e *model.SyscallContext)

ResolveSyscallCtxArgs resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt1

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt1(_ *model.Event, e *model.SyscallContext) int

ResolveSyscallCtxArgsInt1 resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt2

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt2(_ *model.Event, e *model.SyscallContext) int

ResolveSyscallCtxArgsInt2 resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt3

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt3(_ *model.Event, e *model.SyscallContext) int

ResolveSyscallCtxArgsInt3 resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr1

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr1(_ *model.Event, e *model.SyscallContext) string

ResolveSyscallCtxArgsStr1 resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr2

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr2(_ *model.Event, e *model.SyscallContext) string

ResolveSyscallCtxArgsStr2 resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr3

func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr3(_ *model.Event, e *model.SyscallContext) string

ResolveSyscallCtxArgsStr3 resolve syscall ctx

func (*EBPFLessFieldHandlers) ResolveUserSessionContext

func (fh *EBPFLessFieldHandlers) ResolveUserSessionContext(_ *model.UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*EBPFLessFieldHandlers) ResolveXAttrName

func (fh *EBPFLessFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrName returns the string representation of the extended attribute name

func (*EBPFLessFieldHandlers) ResolveXAttrNamespace

func (fh *EBPFLessFieldHandlers) ResolveXAttrNamespace(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrNamespace returns the string representation of the extended attribute namespace

type EBPFLessHelloMsgEvent

type EBPFLessHelloMsgEvent struct {
	events.CustomEventCommonFields

	NSID      uint64 `json:"nsid,omitempty"`
	Container struct {
		ID             string `json:"id,omitempty"`
		Name           string `json:"name,omitempty"`
		ImageShortName string `json:"short_name,omitempty"`
		ImageTag       string `json:"image_tag,omitempty"`
	} `json:"workload_container,omitempty"`
	EntrypointArgs []string `json:"args,omitempty"`
}

EBPFLessHelloMsgEvent defines a hello message easyjson:json

func (EBPFLessHelloMsgEvent) MarshalEasyJSON

func (v EBPFLessHelloMsgEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EBPFLessHelloMsgEvent) ToJSON

func (e EBPFLessHelloMsgEvent) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*EBPFLessHelloMsgEvent) UnmarshalEasyJSON

func (v *EBPFLessHelloMsgEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EBPFLessProbe

type EBPFLessProbe struct {
	sync.Mutex

	Resolvers *resolvers.EBPFLessResolvers
	// contains filtered or unexported fields
}

EBPFLessProbe defines an eBPF less probe

func NewEBPFLessProbe

func NewEBPFLessProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFLessProbe, error)

NewEBPFLessProbe returns a new eBPF less probe

func (*EBPFLessProbe) AddDiscarderPushedCallback

func (p *EBPFLessProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback)

AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel

func (*EBPFLessProbe) ApplyRuleSet

func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet applies the new ruleset

func (*EBPFLessProbe) Close

func (p *EBPFLessProbe) Close() error

Close the probe

func (*EBPFLessProbe) DispatchEvent

func (p *EBPFLessProbe) DispatchEvent(event *model.Event)

DispatchEvent sends an event to the probe event handler

func (*EBPFLessProbe) DumpDiscarders

func (p *EBPFLessProbe) DumpDiscarders() (string, error)

DumpDiscarders dump the discarders

func (*EBPFLessProbe) DumpProcessCache

func (p *EBPFLessProbe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*EBPFLessProbe) EnableEnforcement

func (p *EBPFLessProbe) EnableEnforcement(state bool)

EnableEnforcement sets the enforcement mode

func (*EBPFLessProbe) FlushDiscarders

func (p *EBPFLessProbe) FlushDiscarders() error

FlushDiscarders flush the discarders

func (*EBPFLessProbe) GetAgentContainerContext

func (p *EBPFLessProbe) GetAgentContainerContext() *events.AgentContainerContext

GetAgentContainerContext returns the agent container context

func (*EBPFLessProbe) GetClientsCount

func (p *EBPFLessProbe) GetClientsCount() int

GetClientsCount returns the number of connected clients

func (*EBPFLessProbe) GetEventTags

func (p *EBPFLessProbe) GetEventTags(containerID containerutils.ContainerID) []string

GetEventTags returns the event tags

func (*EBPFLessProbe) GetFieldHandlers

func (p *EBPFLessProbe) GetFieldHandlers() model.FieldHandlers

GetFieldHandlers returns the field handlers

func (*EBPFLessProbe) GetProfileManager

func (p *EBPFLessProbe) GetProfileManager() interface{}

GetProfileManager returns the Profile Managers

func (*EBPFLessProbe) HandleActions

func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)

HandleActions handles the rule actions

func (*EBPFLessProbe) Init

func (p *EBPFLessProbe) Init() error

Init the probe

func (*EBPFLessProbe) NewEvent

func (p *EBPFLessProbe) NewEvent() *model.Event

NewEvent returns a new event

func (*EBPFLessProbe) NewModel

func (p *EBPFLessProbe) NewModel() *model.Model

NewModel returns a new Model

func (*EBPFLessProbe) OnNewDiscarder

func (p *EBPFLessProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)

OnNewDiscarder handles discarders

func (*EBPFLessProbe) OnNewRuleSetLoaded

func (p *EBPFLessProbe) OnNewRuleSetLoaded(rs *rules.RuleSet)

OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded

func (*EBPFLessProbe) SendStats

func (p *EBPFLessProbe) SendStats() error

SendStats send the stats

func (*EBPFLessProbe) Setup

func (p *EBPFLessProbe) Setup() error

Setup the probe

func (*EBPFLessProbe) Snapshot

func (p *EBPFLessProbe) Snapshot() error

Snapshot the already existing entities

func (*EBPFLessProbe) Start

func (p *EBPFLessProbe) Start() error

Start the probe

func (*EBPFLessProbe) Stop

func (p *EBPFLessProbe) Stop()

Stop the probe

type EBPFMonitors

type EBPFMonitors struct {
	// contains filtered or unexported fields
}

EBPFMonitors regroups all the work we want to do to monitor the probes we pushed in the kernel

func NewEBPFMonitors

func NewEBPFMonitors(p *EBPFProbe) *EBPFMonitors

NewEBPFMonitors returns a new instance of a ProbeMonitor

func (*EBPFMonitors) GetEventStreamMonitor

func (m *EBPFMonitors) GetEventStreamMonitor() *eventstream.Monitor

GetEventStreamMonitor returns the perf buffer monitor

func (*EBPFMonitors) Init

func (m *EBPFMonitors) Init() error

Init initializes the monitor

func (*EBPFMonitors) ProcessEvent

func (m *EBPFMonitors) ProcessEvent(event *model.Event)

ProcessEvent processes an event through the various monitors and controllers of the probe

func (*EBPFMonitors) SendStats

func (m *EBPFMonitors) SendStats() error

SendStats sends statistics about the probe to Datadog

type EBPFProbe

type EBPFProbe struct {
	Resolvers *resolvers.EBPFResolvers

	Manager *manager.Manager

	// Approvers / discarders section
	Erpc *erpc.ERPC
	// contains filtered or unexported fields
}

EBPFProbe defines a platform probe

func NewEBPFProbe

func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFProbe, error)

NewEBPFProbe instantiates a new runtime security agent probe

func (*EBPFProbe) AddActivityDumpHandler

func (p *EBPFProbe) AddActivityDumpHandler(handler dump.ActivityDumpHandler)

AddActivityDumpHandler set the probe activity dump handler

func (*EBPFProbe) AddDiscarderPushedCallback

func (p *EBPFProbe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)

AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel

func (*EBPFProbe) ApplyFilterPolicy

func (p *EBPFProbe) ApplyFilterPolicy(eventType eval.EventType, mode kfilters.PolicyMode) error

ApplyFilterPolicy is called when a passing policy for an event type is applied

func (*EBPFProbe) ApplyRuleSet

func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet apply the required update to handle the new ruleset

func (*EBPFProbe) Close

func (p *EBPFProbe) Close() error

Close the probe

func (*EBPFProbe) DispatchEvent

func (p *EBPFProbe) DispatchEvent(event *model.Event, notifyConsumers bool)

DispatchEvent sends an event to the probe event handler

func (*EBPFProbe) DumpDiscarders

func (p *EBPFProbe) DumpDiscarders() (string, error)

DumpDiscarders dump the discarders

func (*EBPFProbe) DumpProcessCache

func (p *EBPFProbe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*EBPFProbe) EnableEnforcement

func (p *EBPFProbe) EnableEnforcement(state bool)

EnableEnforcement sets the enforcement mode

func (*EBPFProbe) EventMarshallerCtor

func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler

EventMarshallerCtor returns the event marshaller ctor

func (*EBPFProbe) FlushDiscarders

func (p *EBPFProbe) FlushDiscarders() error

FlushDiscarders flush the discarders

func (*EBPFProbe) FlushNetworkNamespace

func (p *EBPFProbe) FlushNetworkNamespace(namespace *netns.NetworkNamespace)

FlushNetworkNamespace removes all references and stops all TC programs in the provided network namespace. This method flushes the network namespace in the network namespace resolver as well.

func (*EBPFProbe) GetAgentContainerContext

func (p *EBPFProbe) GetAgentContainerContext() *events.AgentContainerContext

GetAgentContainerContext returns the agent container context

func (*EBPFProbe) GetConstantFetcherStatus

func (p *EBPFProbe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error)

GetConstantFetcherStatus returns the status of the constant fetcher associated with this probe

func (*EBPFProbe) GetDiscarders

func (p *EBPFProbe) GetDiscarders() (*DiscardersDump, error)

GetDiscarders retrieve the discarders

func (*EBPFProbe) GetEventTags

func (p *EBPFProbe) GetEventTags(containerID containerutils.ContainerID) []string

GetEventTags returns the event tags

func (*EBPFProbe) GetFieldHandlers

func (p *EBPFProbe) GetFieldHandlers() model.FieldHandlers

GetFieldHandlers returns the field handlers

func (*EBPFProbe) GetKernelVersion

func (p *EBPFProbe) GetKernelVersion() *kernel.Version

GetKernelVersion computes and returns the running kernel version

func (*EBPFProbe) GetMonitors

func (p *EBPFProbe) GetMonitors() *EBPFMonitors

GetMonitors returns the monitor of the probe

func (*EBPFProbe) GetOffsetConstants

func (p *EBPFProbe) GetOffsetConstants() (map[string]uint64, error)

GetOffsetConstants returns the offsets and struct sizes constants

func (*EBPFProbe) GetProfileManager

func (p *EBPFProbe) GetProfileManager() interface{}

GetProfileManager returns the Profile Managers

func (*EBPFProbe) GetProfileManagers

func (p *EBPFProbe) GetProfileManagers() *SecurityProfileManagers

GetProfileManagers returns the security profile managers

func (*EBPFProbe) HandleActions

func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)

HandleActions handles the rule actions

func (*EBPFProbe) Init

func (p *EBPFProbe) Init() error

Init initializes the probe

func (*EBPFProbe) IsRuntimeCompiled

func (p *EBPFProbe) IsRuntimeCompiled() bool

IsRuntimeCompiled returns true if the eBPF programs where successfully runtime compiled

func (*EBPFProbe) NewEvent

func (p *EBPFProbe) NewEvent() *model.Event

NewEvent returns a new event

func (*EBPFProbe) NewModel

func (p *EBPFProbe) NewModel() *model.Model

NewModel returns a new Model

func (*EBPFProbe) OnNewDiscarder

func (p *EBPFProbe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)

OnNewDiscarder handles new discarders

func (*EBPFProbe) OnNewRuleSetLoaded

func (p *EBPFProbe) OnNewRuleSetLoaded(rs *rules.RuleSet)

OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded

func (*EBPFProbe) RefreshUserCache

func (p *EBPFProbe) RefreshUserCache(containerID containerutils.ContainerID) error

RefreshUserCache refreshes the user cache

func (*EBPFProbe) SendStats

func (p *EBPFProbe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*EBPFProbe) Setup

func (p *EBPFProbe) Setup() error

Setup the probe

func (*EBPFProbe) Snapshot

func (p *EBPFProbe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*EBPFProbe) Start

func (p *EBPFProbe) Start() error

Start the probe

func (*EBPFProbe) Stop

func (p *EBPFProbe) Stop()

Stop the probe

func (*EBPFProbe) UseRingBuffers

func (p *EBPFProbe) UseRingBuffers() bool

UseRingBuffers returns true if eBPF ring buffers are supported and used

func (*EBPFProbe) VerifyEnvironment

func (p *EBPFProbe) VerifyEnvironment() *multierror.Error

VerifyEnvironment returns an error if the current environment seems to be misconfigured

func (*EBPFProbe) VerifyOSVersion

func (p *EBPFProbe) VerifyOSVersion() error

VerifyOSVersion returns an error if the current kernel version is not supported

type ErrDiscarderNotSupported

type ErrDiscarderNotSupported struct {
	Field string
}

ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them

func (ErrDiscarderNotSupported) Error

func (e ErrDiscarderNotSupported) Error() string

type EventConsumer

type EventConsumer struct {
	// contains filtered or unexported fields
}

EventConsumer defines a probe event consumer

func (*EventConsumer) Start

func (p *EventConsumer) Start(ctx context.Context, wg *sync.WaitGroup)

Start the consumer

type EventConsumerHandler

type EventConsumerHandler interface {
	IDer
	ChanSize() int
	HandleEvent(_ any)
	Copy(_ *model.Event) any
	EventTypes() []model.EventType
}

EventConsumerHandler represents a handler for events sent by the probe. This handler makes a copy of the event upon receipt

type EventHandler

type EventHandler interface {
	HandleEvent(event *model.Event)
}

EventHandler represents a handler for events sent by the probe that needs access to all the fields in the SECL model

type EventStream

type EventStream interface {
	Init(*manager.Manager, *pconfig.Config) error
	SetMonitor(eventstream.LostEventCounter)
	Start(*sync.WaitGroup) error
	Pause() error
	Resume() error
}

EventStream describes the interface implemented by reordered perf maps or ring buffers

type FileHasher

type FileHasher struct {
	sync.Mutex
	// contains filtered or unexported fields
}

FileHasher defines a file hasher structure

func NewFileHasher

func NewFileHasher(cfg *config.Config, resolver *hash.Resolver) *FileHasher

NewFileHasher returns a new FileHasher

func (*FileHasher) AddPendingReports

func (p *FileHasher) AddPendingReports(report *HashActionReport)

AddPendingReports add a pending reports

func (*FileHasher) FlushPendingReports

func (p *FileHasher) FlushPendingReports()

FlushPendingReports flush pending reports

func (*FileHasher) HandleProcessExited

func (p *FileHasher) HandleProcessExited(event *model.Event)

HandleProcessExited handles process exited events

func (*FileHasher) HashAndReport

func (p *FileHasher) HashAndReport(rule *rules.Rule, ev *model.Event) bool

HashAndReport hash and report, returns true if the hash computation is supported for the given event

type HashActionReport

type HashActionReport struct {
	sync.RWMutex

	Type    string `json:"type"`
	Path    string `json:"path"`
	State   string `json:"state"`
	Trigger string `json:"trigger"`
	// contains filtered or unexported fields
}

HashActionReport defines a hash action reports easyjson:json

func (*HashActionReport) IsMatchingRule

func (k *HashActionReport) IsMatchingRule(ruleID eval.RuleID) bool

IsMatchingRule returns true if this action report is targeted at the given rule ID

func (*HashActionReport) IsResolved

func (k *HashActionReport) IsResolved() error

IsResolved return if the action is resolved

func (HashActionReport) MarshalEasyJSON

func (v HashActionReport) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*HashActionReport) PatchEvent

func (k *HashActionReport) PatchEvent(ev *serializers.EventSerializer)

PatchEvent implements the EventSerializerPatcher interface

func (*HashActionReport) ToJSON

func (k *HashActionReport) ToJSON() ([]byte, error)

ToJSON marshal the action

func (*HashActionReport) UnmarshalEasyJSON

func (v *HashActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type IDer

type IDer interface {
	// ID returns the ID of the event consumer
	ID() string
}

IDer provides unique ID for each event consumer

type InodeDiscarderDump

type InodeDiscarderDump struct {
	Index                int `yaml:"index"`
	InodeDiscarderParams `yaml:"value"`
	FilePath             string `yaml:"path"`
	Inode                uint64
	MountID              uint32 `yaml:"mount_id"`
}

InodeDiscarderDump describes a dump of an inode discarder

type InodeDiscarderEntry

type InodeDiscarderEntry struct {
	Inode     uint64
	MountID   uint32
	Timestamp uint64
}

InodeDiscarderEntry describes a map entry

type InodeDiscarderMapEntry

type InodeDiscarderMapEntry struct {
	PathKey model.PathKey
	IsLeaf  uint32
	Padding uint32
}

InodeDiscarderMapEntry describes a map entry

type InodeDiscarderParams

type InodeDiscarderParams struct {
	DiscarderParams `yaml:"params"`
	Revision        uint32
}

InodeDiscarderParams describes a map value

type JKillActionReport

type JKillActionReport struct {
	Type         string              `json:"type"`
	Signal       string              `json:"signal"`
	Scope        string              `json:"scope"`
	Status       string              `json:"status"`
	DisarmerType string              `json:"disarmer_type,omitempty"`
	CreatedAt    utils.EasyjsonTime  `json:"created_at"`
	DetectedAt   utils.EasyjsonTime  `json:"detected_at"`
	KilledAt     *utils.EasyjsonTime `json:"killed_at,omitempty"`
	ExitedAt     *utils.EasyjsonTime `json:"exited_at,omitempty"`
	TTR          string              `json:"ttr,omitempty"`
}

JKillActionReport used to serialize date easyjson:json

func (JKillActionReport) MarshalEasyJSON

func (v JKillActionReport) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*JKillActionReport) UnmarshalEasyJSON

func (v *JKillActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KillActionReport

type KillActionReport struct {
	sync.RWMutex

	Signal       string
	Scope        string
	Status       KillActionStatus
	CreatedAt    time.Time
	DetectedAt   time.Time
	KilledAt     time.Time
	ExitedAt     time.Time
	DisarmerType string

	// internal
	Pid uint32
	// contains filtered or unexported fields
}

KillActionReport defines a kill action reports

func (*KillActionReport) IsMatchingRule

func (k *KillActionReport) IsMatchingRule(ruleID eval.RuleID) bool

IsMatchingRule returns true if this action report is targeted at the given rule ID

func (*KillActionReport) IsResolved

func (k *KillActionReport) IsResolved() error

IsResolved return if the action is resolved

func (*KillActionReport) ToJSON

func (k *KillActionReport) ToJSON() ([]byte, error)

ToJSON marshal the action

type KillActionStatus

type KillActionStatus string

KillActionStatus defines the status of a kill action

const (
	// KillActionStatusPerformed indicates the kill action was performed
	KillActionStatusPerformed KillActionStatus = "performed"
	// KillActionStatusRuleDisarmed indicates the kill action was skipped because the rule was disarmed
	KillActionStatusRuleDisarmed KillActionStatus = "rule_disarmed"
)

type OnDemandProbesManager

type OnDemandProbesManager struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

OnDemandProbesManager is the manager for on-demand probes

type Opts

type Opts struct {
	// DontDiscardRuntime do not discard the runtime. Mostly used by functional tests
	DontDiscardRuntime bool
	// StatsdClient to be used for probe stats
	StatsdClient statsd.ClientInterface
	// PathResolutionEnabled defines if the path resolution is enabled
	PathResolutionEnabled bool
	// EnvsVarResolutionEnabled defines if environment variables resolution is enabled
	EnvsVarResolutionEnabled bool
	// Tagger will override the default one. Mainly here for tests.
	Tagger tags.Tagger
	// SyscallsMonitorEnabled enable syscalls map monitor
	SyscallsMonitorEnabled bool
	// TTYFallbackEnabled enable the tty procfs fallback
	TTYFallbackEnabled bool
	// EBPFLessEnabled use ebpfless source
	EBPFLessEnabled bool
}

Opts defines some probe options

type PlatformProbe

type PlatformProbe interface {
	Setup() error
	Init() error
	Start() error
	Stop()
	SendStats() error
	Snapshot() error
	Close() error
	NewModel() *model.Model
	DumpDiscarders() (string, error)
	FlushDiscarders() error
	ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
	OnNewRuleSetLoaded(_ *rules.RuleSet)
	OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
	HandleActions(_ *eval.Context, _ *rules.Rule)
	NewEvent() *model.Event
	GetFieldHandlers() model.FieldHandlers
	DumpProcessCache(_ bool) (string, error)
	AddDiscarderPushedCallback(_ DiscarderPushedCallback)
	GetEventTags(_ containerutils.ContainerID) []string
	GetProfileManager() interface{}
	EnableEnforcement(bool)
}

PlatformProbe defines a platform dependant probe

type Probe

type Probe struct {
	PlatformProbe PlatformProbe

	// Constants and configuration
	Opts         Opts
	Config       *config.Config
	StatsdClient statsd.ClientInterface
	// contains filtered or unexported fields
}

Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel

func NewProbe

func NewProbe(config *config.Config, opts Opts) (*Probe, error)

NewProbe instantiates a new runtime security agent probe

func (*Probe) AddCustomEventHandler

func (p *Probe) AddCustomEventHandler(eventType model.EventType, handler CustomEventHandler) error

AddCustomEventHandler set the probe event handler

func (*Probe) AddDiscarderPushedCallback

func (p *Probe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)

AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel

func (*Probe) AddEventConsumer

func (p *Probe) AddEventConsumer(consumer EventConsumerHandler) error

AddEventConsumer sets a probe event consumer

func (*Probe) AddEventHandler

func (p *Probe) AddEventHandler(handler EventHandler) error

AddEventHandler sets a probe event handler for the UnknownEventType which requires access to all the struct fields

func (*Probe) ApplyRuleSet

func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.

func (*Probe) Close

func (p *Probe) Close() error

Close the probe

func (*Probe) DispatchCustomEvent

func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent)

DispatchCustomEvent sends a custom event to the probe event handler

func (*Probe) DumpDiscarders

func (p *Probe) DumpDiscarders() (string, error)

DumpDiscarders removes all the discarders

func (*Probe) DumpProcessCache

func (p *Probe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dump the process cache

func (*Probe) EnableEnforcement

func (p *Probe) EnableEnforcement(state bool)

EnableEnforcement sets the enforcement mode

func (*Probe) FlushDiscarders

func (p *Probe) FlushDiscarders() error

FlushDiscarders invalidates all the discarders

func (*Probe) GetAgentContainerContext

func (p *Probe) GetAgentContainerContext() *events.AgentContainerContext

GetAgentContainerContext returns the agent container context

func (*Probe) GetDebugStats

func (p *Probe) GetDebugStats() map[string]interface{}

GetDebugStats returns the debug stats

func (*Probe) GetEventTags

func (p *Probe) GetEventTags(containerID containerutils.ContainerID) []string

GetEventTags returns the event tags

func (*Probe) GetService

func (p *Probe) GetService(ev *model.Event) string

GetService returns the service name from the process tree

func (*Probe) HandleActions

func (p *Probe) HandleActions(rule *rules.Rule, event eval.Event)

HandleActions executes the actions of a triggered rule

func (*Probe) Init

func (p *Probe) Init() error

Init initializes the probe

func (*Probe) IsActivityDumpEnabled

func (p *Probe) IsActivityDumpEnabled() bool

IsActivityDumpEnabled returns whether activity dump is enabled

func (*Probe) IsActivityDumpTagRulesEnabled

func (p *Probe) IsActivityDumpTagRulesEnabled() bool

IsActivityDumpTagRulesEnabled returns whether rule tags is enabled for activity dumps

func (*Probe) IsNetworkEnabled

func (p *Probe) IsNetworkEnabled() bool

IsNetworkEnabled returns whether network is enabled

func (*Probe) IsNetworkRawPacketEnabled

func (p *Probe) IsNetworkRawPacketEnabled() bool

IsNetworkRawPacketEnabled returns whether network raw packet is enabled

func (*Probe) IsSecurityProfileEnabled

func (p *Probe) IsSecurityProfileEnabled() bool

IsSecurityProfileEnabled returns whether security profile is enabled

func (*Probe) NewRuleSet

func (p *Probe) NewRuleSet(eventTypeEnabled map[eval.EventType]bool) *rules.RuleSet

NewRuleSet returns a new ruleset

func (*Probe) OnNewDiscarder

func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)

OnNewDiscarder is called when a new discarder is found

func (*Probe) OnNewRuleSetLoaded

func (p *Probe) OnNewRuleSetLoaded(rs *rules.RuleSet)

OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded

func (*Probe) Origin

func (p *Probe) Origin() string

Origin returns origin

func (*Probe) SendStats

func (p *Probe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*Probe) Setup

func (p *Probe) Setup() error

Setup the runtime security probe

func (*Probe) Snapshot

func (p *Probe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*Probe) Start

func (p *Probe) Start() error

Start plays the snapshot data and then start the event stream

func (*Probe) StatsPollingInterval

func (p *Probe) StatsPollingInterval() time.Duration

StatsPollingInterval returns the stats polling interval

func (*Probe) Stop

func (p *Probe) Stop()

Stop the probe

type ProcessKiller

type ProcessKiller struct {
	sync.Mutex
	// contains filtered or unexported fields
}

ProcessKiller defines a process killer structure

func NewProcessKiller

func NewProcessKiller(cfg *config.Config) (*ProcessKiller, error)

NewProcessKiller returns a new ProcessKiller

func (*ProcessKiller) AddPendingReports

func (p *ProcessKiller) AddPendingReports(report *KillActionReport)

AddPendingReports add a pending reports

func (*ProcessKiller) FlushPendingReports

func (p *ProcessKiller) FlushPendingReports()

FlushPendingReports flush pending reports

func (*ProcessKiller) HandleProcessExited

func (p *ProcessKiller) HandleProcessExited(event *model.Event)

HandleProcessExited handles process exited events

func (*ProcessKiller) KillAndReport

func (p *ProcessKiller) KillAndReport(kill *rules.KillDefinition, rule *rules.Rule, ev *model.Event, killFnc func(pid uint32, sig uint32) error) bool

KillAndReport kill and report, returns true if we did try to kill

func (*ProcessKiller) KillFromUserspace

func (p *ProcessKiller) KillFromUserspace(pid uint32, sig uint32, ev *model.Event) error

KillFromUserspace tries to kill from userspace

func (*ProcessKiller) Reset

func (p *ProcessKiller) Reset(rs *rules.RuleSet)

Reset the state and statistics of the process killer

func (*ProcessKiller) SendStats

func (p *ProcessKiller) SendStats(statsd statsd.ClientInterface)

SendStats sends runtime security enforcement statistics to Datadog

func (*ProcessKiller) SetState

func (p *ProcessKiller) SetState(enabled bool)

SetState sets the state - enabled or disabled - for the process killer

func (*ProcessKiller) Start

func (p *ProcessKiller) Start(ctx context.Context, wg *sync.WaitGroup)

Start starts the go rountine responsible for flushing the disarmer caches

type QueuedNetworkDeviceError

type QueuedNetworkDeviceError struct {
	// contains filtered or unexported fields
}

QueuedNetworkDeviceError is used to indicate that the new network device was queued until its namespace handle is resolved.

func (QueuedNetworkDeviceError) Error

func (err QueuedNetworkDeviceError) Error() string

type SecurityProfileManagers

type SecurityProfileManagers struct {
	// contains filtered or unexported fields
}

SecurityProfileManagers holds the security profile managers

func NewSecurityProfileManagers

func NewSecurityProfileManagers(p *EBPFProbe) (*SecurityProfileManagers, error)

NewSecurityProfileManagers returns a new manager object

func (*SecurityProfileManagers) AddActivityDumpHandler

func (spm *SecurityProfileManagers) AddActivityDumpHandler(handler dump.ActivityDumpHandler)

AddActivityDumpHandler add a handler

func (*SecurityProfileManagers) DumpActivity

DumpActivity handles an activity dump request

func (*SecurityProfileManagers) GenerateTranscoding

GenerateTranscoding encodes an activity dump following the input parameters

func (*SecurityProfileManagers) GetActivityDumpManager

func (spm *SecurityProfileManagers) GetActivityDumpManager() *dump.ActivityDumpManager

GetActivityDumpManager returns the activity dump manager

func (*SecurityProfileManagers) GetActivityDumpTracedEventTypes

func (spm *SecurityProfileManagers) GetActivityDumpTracedEventTypes() []model.EventType

GetActivityDumpTracedEventTypes returns traced event types

func (*SecurityProfileManagers) GetAnomalyDetectionEventTypes

func (spm *SecurityProfileManagers) GetAnomalyDetectionEventTypes() []model.EventType

GetAnomalyDetectionEventTypes returns the event types that may generate anomaly detections

func (*SecurityProfileManagers) GetSecurityProfileManager

func (spm *SecurityProfileManagers) GetSecurityProfileManager() *profile.SecurityProfileManager

GetSecurityProfileManager returns the security profile manager

func (*SecurityProfileManagers) ListActivityDumps

ListActivityDumps returns the list of active dumps

func (*SecurityProfileManagers) ListSecurityProfiles

ListSecurityProfiles list the profiles

func (*SecurityProfileManagers) SaveSecurityProfile

SaveSecurityProfile save a security profile

func (*SecurityProfileManagers) SendStats

func (spm *SecurityProfileManagers) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*SecurityProfileManagers) SnapshotTracedCgroups

func (spm *SecurityProfileManagers) SnapshotTracedCgroups()

SnapshotTracedCgroups snapshots traced cgroups

func (*SecurityProfileManagers) Start

func (spm *SecurityProfileManagers) Start(ctx context.Context, wg *sync.WaitGroup)

Start triggers the goroutine of all the underlying controllers and monitors of the Monitor

func (*SecurityProfileManagers) StopActivityDump

StopActivityDump stops an active activity dump

Directories

Path Synopsis
Package config holds config related files
Package config holds config related files
Package constantfetch holds constantfetch related files
Package constantfetch holds constantfetch related files
Package erpc holds erpc related files
Package erpc holds erpc related files
Package eventstream holds eventstream related files
Package eventstream holds eventstream related files
reorderer
Package reorderer holds reorderer related files
Package reorderer holds reorderer related files
ringbuffer
Package ringbuffer holds ringbuffer related files
Package ringbuffer holds ringbuffer related files
Package kfilters holds kfilters related files
Package kfilters holds kfilters related files
Package managerhelper holds managerhelper related files
Package managerhelper holds managerhelper related files
monitors
approver
Package approver holds approver related files
Package approver holds approver related files
cgroups
Package cgroups holds cgroups related files
Package cgroups holds cgroups related files
discarder
Package discarder holds discarder related files
Package discarder holds discarder related files
runtime
Package runtime holds runtime related files
Package runtime holds runtime related files
syscalls
Package syscalls holds syscalls related files
Package syscalls holds syscalls related files
Package selftests holds selftests related files
Package selftests holds selftests related files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL