Overview ¶
Package probe holds probe-related files
Index ¶
- Constants
- Variables
- func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version)
- func IsNetworkNotSupported(kv *kernel.Version) bool
- func IsRawPacketNotSupported(kv *kernel.Version) bool
- func NewAbnormalEvent(acc *events.AgentContainerContext, id string, description string, ...) (*rules.Rule, *events.CustomEvent)
- func NewAgentContainerContext() (*events.AgentContainerContext, error)
- func NewEBPFLessEvent(fh *EBPFLessFieldHandlers) *model.Event
- func NewEBPFLessHelloMsgEvent(acc *events.AgentContainerContext, msg *ebpfless.HelloMsg, ...) (*rules.Rule, *events.CustomEvent)
- func NewEBPFLessModel() *model.Model
- func NewEBPFModel(probe *EBPFProbe) *model.Model
- type AbnormalEvent
- type BaseFieldHandlers
- type CoreDump
- type CustomEventHandler
- type Discarder
- type DiscarderParams
- type DiscarderPushedCallback
- type DiscardersDump
- type EBPFFieldHandlers
- func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)
- func (fh *EBPFFieldHandlers) ResolveAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials
- func (fh *EBPFFieldHandlers) ResolveAsync(ev *model.Event) bool
- func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupContext) string
- func (fh *EBPFFieldHandlers) ResolveCGroupManager(ev *model.Event, _ *model.CGroupContext) string
- func (fh *EBPFFieldHandlers) ResolveCGroupVersion(ev *model.Event, e *model.CGroupContext) int
- func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string
- func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string
- func (fh *EBPFFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)
- func (fh *EBPFFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int
- func (fh *EBPFFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string
- func (fh *EBPFFieldHandlers) ResolveContainerRuntime(ev *model.Event, _ *model.ContainerContext) string
- func (fh *EBPFFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string
- func (fh *EBPFFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time
- func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.BaseEvent) int
- func (fh *EBPFFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string
- func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string
- func (fh *EBPFFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, f *model.FileFields) bool
- func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string
- func (fh *EBPFFieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEvent) string
- func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string
- func (fh *EBPFFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string
- func (fh *EBPFFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string
- func (fh *EBPFFieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string
- func (fh *EBPFFieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string
- func (fh *EBPFFieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string
- func (fh *EBPFFieldHandlers) ResolveModuleArgs(_ *model.Event, module *model.LoadModuleEvent) string
- func (fh *EBPFFieldHandlers) ResolveModuleArgv(_ *model.Event, module *model.LoadModuleEvent) []string
- func (fh *EBPFFieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string
- func (fh *EBPFFieldHandlers) ResolveMountRootPath(ev *model.Event, e *model.MountEvent) string
- func (fh *EBPFFieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string
- func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *model.NetworkDeviceContext) string
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg1Str(_ *model.Event, e *model.OnDemandEvent) string
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg1Uint(_ *model.Event, e *model.OnDemandEvent) int
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg2Str(_ *model.Event, e *model.OnDemandEvent) string
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg2Uint(_ *model.Event, e *model.OnDemandEvent) int
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg3Str(_ *model.Event, e *model.OnDemandEvent) string
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg3Uint(_ *model.Event, e *model.OnDemandEvent) int
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg4Str(_ *model.Event, e *model.OnDemandEvent) string
- func (fh *EBPFFieldHandlers) ResolveOnDemandArg4Uint(_ *model.Event, e *model.OnDemandEvent) int
- func (fh *EBPFFieldHandlers) ResolveOnDemandName(_ *model.Event, e *model.OnDemandEvent) string
- func (fh *EBPFFieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent) string
- func (fh *EBPFFieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string
- func (fh *EBPFFieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEvent) string
- func (fh *EBPFFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string
- func (fh *EBPFFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)
- func (fh *EBPFFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)
- func (fh *EBPFFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string
- func (fh *EBPFFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool
- func (fh *EBPFFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string
- func (fh *EBPFFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string
- func (fh *EBPFFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string
- func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)
- func (fh *EBPFFieldHandlers) ResolveProcessCmdArgv(ev *model.Event, process *model.Process) []string
- func (fh *EBPFFieldHandlers) ResolveProcessContainerID(ev *model.Event, _ *model.Process) string
- func (fh *EBPFFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int
- func (fh *EBPFFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string
- func (fh *EBPFFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string
- func (fh *EBPFFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool
- func (fh *EBPFFieldHandlers) ResolveProcessIsThread(_ *model.Event, process *model.Process) bool
- func (fh *EBPFFieldHandlers) ResolveProcessNSID(e *model.Event) (uint64, error)
- func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int
- func (fh *EBPFFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string
- func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string
- func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string
- func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string
- func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string
- func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string
- func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgs(_ *model.Event, e *model.SyscallContext)
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt1(ev *model.Event, e *model.SyscallContext) int
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt2(ev *model.Event, e *model.SyscallContext) int
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt3(ev *model.Event, e *model.SyscallContext) int
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr1(ev *model.Event, e *model.SyscallContext) string
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr2(ev *model.Event, e *model.SyscallContext) string
- func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr3(ev *model.Event, e *model.SyscallContext) string
- func (fh *EBPFFieldHandlers) ResolveUserSessionContext(evtCtx *model.UserSessionContext)
- func (fh *EBPFFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string
- func (fh *EBPFFieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string
- type EBPFLessFieldHandlers
- func (fh *EBPFLessFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)
- func (fh *EBPFLessFieldHandlers) ResolveAWSSecurityCredentials(_ *model.Event) []model.AWSSecurityCredentials
- func (fh *EBPFLessFieldHandlers) ResolveAsync(ev *model.Event) bool
- func (fh *EBPFLessFieldHandlers) ResolveCGroupID(_ *model.Event, _ *model.CGroupContext) string
- func (fh *EBPFLessFieldHandlers) ResolveCGroupManager(_ *model.Event, _ *model.CGroupContext) string
- func (fh *EBPFLessFieldHandlers) ResolveCGroupVersion(_ *model.Event, _ *model.CGroupContext) int
- func (fh *EBPFLessFieldHandlers) ResolveChownGID(_ *model.Event, e *model.ChownEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveChownUID(_ *model.Event, e *model.ChownEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)
- func (fh *EBPFLessFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int
- func (fh *EBPFLessFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string
- func (fh *EBPFLessFieldHandlers) ResolveContainerRuntime(_ *model.Event, _ *model.ContainerContext) string
- func (fh *EBPFLessFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string
- func (fh *EBPFLessFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time
- func (fh *EBPFLessFieldHandlers) ResolveEventTimestamp(_ *model.Event, e *model.BaseEvent) int
- func (fh *EBPFLessFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveFileFieldsGroup(_ *model.Event, e *model.FileFields) string
- func (fh *EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, e *model.FileFields) bool
- func (fh *EBPFLessFieldHandlers) ResolveFileFieldsUser(_ *model.Event, e *model.FileFields) string
- func (fh *EBPFLessFieldHandlers) ResolveFileFilesystem(_ *model.Event, e *model.FileEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string
- func (fh *EBPFLessFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string
- func (fh *EBPFLessFieldHandlers) ResolveK8SGroups(_ *model.Event, e *model.UserSessionContext) []string
- func (fh *EBPFLessFieldHandlers) ResolveK8SUID(_ *model.Event, e *model.UserSessionContext) string
- func (fh *EBPFLessFieldHandlers) ResolveK8SUsername(_ *model.Event, e *model.UserSessionContext) string
- func (fh *EBPFLessFieldHandlers) ResolveModuleArgs(_ *model.Event, e *model.LoadModuleEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveModuleArgv(_ *model.Event, e *model.LoadModuleEvent) []string
- func (fh *EBPFLessFieldHandlers) ResolveMountPointPath(_ *model.Event, e *model.MountEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveMountRootPath(_ *model.Event, e *model.MountEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveMountSourcePath(_ *model.Event, e *model.MountEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, e *model.NetworkDeviceContext) string
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg1Str(_ *model.Event, _ *model.OnDemandEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg1Uint(_ *model.Event, _ *model.OnDemandEvent) int
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg2Str(_ *model.Event, _ *model.OnDemandEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg2Uint(_ *model.Event, _ *model.OnDemandEvent) int
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg3Str(_ *model.Event, _ *model.OnDemandEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg3Uint(_ *model.Event, _ *model.OnDemandEvent) int
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg4Str(_ *model.Event, _ *model.OnDemandEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg4Uint(_ *model.Event, _ *model.OnDemandEvent) int
- func (fh *EBPFLessFieldHandlers) ResolveOnDemandName(_ *model.Event, _ *model.OnDemandEvent) string
- func (fh *EBPFLessFieldHandlers) ResolvePackageName(_ *model.Event, e *model.FileEvent) string
- func (fh *EBPFLessFieldHandlers) ResolvePackageSourceVersion(_ *model.Event, e *model.FileEvent) string
- func (fh *EBPFLessFieldHandlers) ResolvePackageVersion(_ *model.Event, e *model.FileEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string
- func (fh *EBPFLessFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string
- func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)
- func (fh *EBPFLessFieldHandlers) ResolveProcessCmdArgv(ev *model.Event, process *model.Process) []string
- func (fh *EBPFLessFieldHandlers) ResolveProcessContainerID(ev *model.Event, _ *model.Process) string
- func (fh *EBPFLessFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int
- func (fh *EBPFLessFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string
- func (fh *EBPFLessFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string
- func (fh *EBPFLessFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool
- func (fh *EBPFLessFieldHandlers) ResolveProcessIsThread(_ *model.Event, process *model.Process) bool
- func (fh *EBPFLessFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int
- func (fh *EBPFLessFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSetgidEGroup(_ *model.Event, e *model.SetgidEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSetgidFSGroup(_ *model.Event, e *model.SetgidEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSetgidGroup(_ *model.Event, e *model.SetgidEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSetuidEUser(_ *model.Event, e *model.SetuidEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSetuidFSUser(_ *model.Event, e *model.SetuidEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSetuidUser(_ *model.Event, e *model.SetuidEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgs(_ *model.Event, e *model.SyscallContext)
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt1(_ *model.Event, e *model.SyscallContext) int
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt2(_ *model.Event, e *model.SyscallContext) int
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt3(_ *model.Event, e *model.SyscallContext) int
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr1(_ *model.Event, e *model.SyscallContext) string
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr2(_ *model.Event, e *model.SyscallContext) string
- func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr3(_ *model.Event, e *model.SyscallContext) string
- func (fh *EBPFLessFieldHandlers) ResolveUserSessionContext(_ *model.UserSessionContext)
- func (fh *EBPFLessFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string
- func (fh *EBPFLessFieldHandlers) ResolveXAttrNamespace(_ *model.Event, e *model.SetXAttrEvent) string
- type EBPFLessHelloMsgEvent
- type EBPFLessProbe
- func (p *EBPFLessProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback)
- func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
- func (p *EBPFLessProbe) Close() error
- func (p *EBPFLessProbe) DispatchEvent(event *model.Event)
- func (p *EBPFLessProbe) DumpDiscarders() (string, error)
- func (p *EBPFLessProbe) DumpProcessCache(withArgs bool) (string, error)
- func (p *EBPFLessProbe) EnableEnforcement(state bool)
- func (p *EBPFLessProbe) FlushDiscarders() error
- func (p *EBPFLessProbe) GetAgentContainerContext() *events.AgentContainerContext
- func (p *EBPFLessProbe) GetClientsCount() int
- func (p *EBPFLessProbe) GetEventTags(containerID containerutils.ContainerID) []string
- func (p *EBPFLessProbe) GetFieldHandlers() model.FieldHandlers
- func (p *EBPFLessProbe) GetProfileManager() interface{}
- func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)
- func (p *EBPFLessProbe) Init() error
- func (p *EBPFLessProbe) NewEvent() *model.Event
- func (p *EBPFLessProbe) NewModel() *model.Model
- func (p *EBPFLessProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
- func (p *EBPFLessProbe) OnNewRuleSetLoaded(rs *rules.RuleSet)
- func (p *EBPFLessProbe) SendStats() error
- func (p *EBPFLessProbe) Setup() error
- func (p *EBPFLessProbe) Snapshot() error
- func (p *EBPFLessProbe) Start() error
- func (p *EBPFLessProbe) Stop()
- type EBPFMonitors
- type EBPFProbe
- func (p *EBPFProbe) AddActivityDumpHandler(handler dump.ActivityDumpHandler)
- func (p *EBPFProbe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)
- func (p *EBPFProbe) ApplyFilterPolicy(eventType eval.EventType, mode kfilters.PolicyMode) error
- func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
- func (p *EBPFProbe) Close() error
- func (p *EBPFProbe) DispatchEvent(event *model.Event, notifyConsumers bool)
- func (p *EBPFProbe) DumpDiscarders() (string, error)
- func (p *EBPFProbe) DumpProcessCache(withArgs bool) (string, error)
- func (p *EBPFProbe) EnableEnforcement(state bool)
- func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler
- func (p *EBPFProbe) FlushDiscarders() error
- func (p *EBPFProbe) FlushNetworkNamespace(namespace *netns.NetworkNamespace)
- func (p *EBPFProbe) GetAgentContainerContext() *events.AgentContainerContext
- func (p *EBPFProbe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error)
- func (p *EBPFProbe) GetDiscarders() (*DiscardersDump, error)
- func (p *EBPFProbe) GetEventTags(containerID containerutils.ContainerID) []string
- func (p *EBPFProbe) GetFieldHandlers() model.FieldHandlers
- func (p *EBPFProbe) GetKernelVersion() *kernel.Version
- func (p *EBPFProbe) GetMonitors() *EBPFMonitors
- func (p *EBPFProbe) GetOffsetConstants() (map[string]uint64, error)
- func (p *EBPFProbe) GetProfileManager() interface{}
- func (p *EBPFProbe) GetProfileManagers() *SecurityProfileManagers
- func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)
- func (p *EBPFProbe) Init() error
- func (p *EBPFProbe) IsRuntimeCompiled() bool
- func (p *EBPFProbe) NewEvent() *model.Event
- func (p *EBPFProbe) NewModel() *model.Model
- func (p *EBPFProbe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)
- func (p *EBPFProbe) OnNewRuleSetLoaded(rs *rules.RuleSet)
- func (p *EBPFProbe) RefreshUserCache(containerID containerutils.ContainerID) error
- func (p *EBPFProbe) SendStats() error
- func (p *EBPFProbe) Setup() error
- func (p *EBPFProbe) Snapshot() error
- func (p *EBPFProbe) Start() error
- func (p *EBPFProbe) Stop()
- func (p *EBPFProbe) UseRingBuffers() bool
- func (p *EBPFProbe) VerifyEnvironment() *multierror.Error
- func (p *EBPFProbe) VerifyOSVersion() error
- type ErrDiscarderNotSupported
- type EventConsumer
- type EventConsumerHandler
- type EventHandler
- type EventStream
- type FileHasher
- type HashActionReport
- func (k *HashActionReport) IsMatchingRule(ruleID eval.RuleID) bool
- func (k *HashActionReport) IsResolved() error
- func (v HashActionReport) MarshalEasyJSON(w *jwriter.Writer)
- func (k *HashActionReport) PatchEvent(ev *serializers.EventSerializer)
- func (k *HashActionReport) ToJSON() ([]byte, error)
- func (v *HashActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)
- type IDer
- type InodeDiscarderDump
- type InodeDiscarderEntry
- type InodeDiscarderMapEntry
- type InodeDiscarderParams
- type JKillActionReport
- type KillActionReport
- type KillActionStatus
- type OnDemandProbesManager
- type Opts
- type PlatformProbe
- type Probe
- func (p *Probe) AddCustomEventHandler(eventType model.EventType, handler CustomEventHandler) error
- func (p *Probe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)
- func (p *Probe) AddEventConsumer(consumer EventConsumerHandler) error
- func (p *Probe) AddEventHandler(handler EventHandler) error
- func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
- func (p *Probe) Close() error
- func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent)
- func (p *Probe) DumpDiscarders() (string, error)
- func (p *Probe) DumpProcessCache(withArgs bool) (string, error)
- func (p *Probe) EnableEnforcement(state bool)
- func (p *Probe) FlushDiscarders() error
- func (p *Probe) GetAgentContainerContext() *events.AgentContainerContext
- func (p *Probe) GetDebugStats() map[string]interface{}
- func (p *Probe) GetEventTags(containerID containerutils.ContainerID) []string
- func (p *Probe) GetService(ev *model.Event) string
- func (p *Probe) HandleActions(rule *rules.Rule, event eval.Event)
- func (p *Probe) Init() error
- func (p *Probe) IsActivityDumpEnabled() bool
- func (p *Probe) IsActivityDumpTagRulesEnabled() bool
- func (p *Probe) IsNetworkEnabled() bool
- func (p *Probe) IsNetworkRawPacketEnabled() bool
- func (p *Probe) IsSecurityProfileEnabled() bool
- func (p *Probe) NewRuleSet(eventTypeEnabled map[eval.EventType]bool) *rules.RuleSet
- func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)
- func (p *Probe) OnNewRuleSetLoaded(rs *rules.RuleSet)
- func (p *Probe) Origin() string
- func (p *Probe) SendStats() error
- func (p *Probe) Setup() error
- func (p *Probe) Snapshot() error
- func (p *Probe) Start() error
- func (p *Probe) StatsPollingInterval() time.Duration
- func (p *Probe) Stop()
- type ProcessKiller
- func (p *ProcessKiller) AddPendingReports(report *KillActionReport)
- func (p *ProcessKiller) FlushPendingReports()
- func (p *ProcessKiller) HandleProcessExited(event *model.Event)
- func (p *ProcessKiller) KillAndReport(kill *rules.KillDefinition, rule *rules.Rule, ev *model.Event, ...) bool
- func (p *ProcessKiller) KillFromUserspace(pid uint32, sig uint32, ev *model.Event) error
- func (p *ProcessKiller) Reset(rs *rules.RuleSet)
- func (p *ProcessKiller) SendStats(statsd statsd.ClientInterface)
- func (p *ProcessKiller) SetState(enabled bool)
- func (p *ProcessKiller) Start(ctx context.Context, wg *sync.WaitGroup)
- type QueuedNetworkDeviceError
- type SecurityProfileManagers
- func (spm *SecurityProfileManagers) AddActivityDumpHandler(handler dump.ActivityDumpHandler)
- func (spm *SecurityProfileManagers) DumpActivity(params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)
- func (spm *SecurityProfileManagers) GenerateTranscoding(params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error)
- func (spm *SecurityProfileManagers) GetActivityDumpManager() *dump.ActivityDumpManager
- func (spm *SecurityProfileManagers) GetActivityDumpTracedEventTypes() []model.EventType
- func (spm *SecurityProfileManagers) GetAnomalyDetectionEventTypes() []model.EventType
- func (spm *SecurityProfileManagers) GetSecurityProfileManager() *profile.SecurityProfileManager
- func (spm *SecurityProfileManagers) ListActivityDumps(params *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error)
- func (spm *SecurityProfileManagers) ListSecurityProfiles(params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error)
- func (spm *SecurityProfileManagers) SaveSecurityProfile(params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error)
- func (spm *SecurityProfileManagers) SendStats() error
- func (spm *SecurityProfileManagers) SnapshotTracedCgroups()
- func (spm *SecurityProfileManagers) Start(ctx context.Context, wg *sync.WaitGroup)
- func (spm *SecurityProfileManagers) StopActivityDump(params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error)
Constants ¶
// HashTriggerTimeout is the trigger value recorded when a hash was computed
// because of a timeout.
const HashTriggerTimeout = "timeout"

// HashTriggerProcessExit is the trigger value recorded when a hash was
// computed on process exit.
const HashTriggerProcessExit = "process_exit"
// EBPFOrigin is the origin value reported for the eBPF probe.
const EBPFOrigin = "ebpf"

// EBPFLessOrigin is the origin value reported for the eBPF-less probe.
const EBPFLessOrigin = "ebpfless"
// DiscardRetention is how long a discarder is retained before it actually
// starts discarding. The delay avoids a race where an event for a file that
// was already deleted in kernel space is still pending in the user-space
// pipeline.
const DiscardRetention = 5 * time.Second
// MaxOnDemandEventsPerSecond is the highest rate of on-demand events
// tolerated before the on-demand subsystem is switched off.
const MaxOnDemandEventsPerSecond = 1000
// ServiceEnvVar is the name of the environment variable used to report the
// service tag.
// NOTE(review): the value is presumably read from the monitored process's
// environment (see ResolveService), so consumers should treat it as untrusted
// input — confirm.
const ServiceEnvVar = "DD_SERVICE"
Variables ¶
// SupportedDiscarders lists every field that supports discarders.
var SupportedDiscarders = map[eval.Field]bool{}

// SupportedMultiDiscarder lists every supported multi-discarder.
var SupportedMultiDiscarder []*rules.MultiDiscarder
// DiscarderConstants holds the eBPF constant editors related to discarders.
var DiscarderConstants = []manager.ConstantEditor{
	{
		// discarder_retention carries DiscardRetention expressed in nanoseconds.
		Name:  "discarder_retention",
		Value: uint64(DiscardRetention.Nanoseconds()),
	},
}
// ErrActivityDumpManagerDisabled is returned when the activity dump manager
// is disabled.
var ErrActivityDumpManagerDisabled = errors.New("ActivityDumpManager is disabled")
ErrActivityDumpManagerDisabled is returned when the activity dump manager is disabled
// ErrSecurityProfileManagerDisabled is returned when the security profile
// manager is disabled.
var ErrSecurityProfileManagerDisabled = errors.New("SecurityProfileManager is disabled")
ErrSecurityProfileManagerDisabled is returned when the security profile manager is disabled
// InvalidDiscarders exposes, per field, the values that must never be used
// as discarders. Every file-path field currently shares the same list of
// dentry values (dentryInvalidDiscarder).
var InvalidDiscarders = newInvalidDiscarders()

// newInvalidDiscarders builds the InvalidDiscarders map from the list of
// file-path fields that share the dentry-based invalid values.
func newInvalidDiscarders() map[eval.Field][]string {
	pathFields := []eval.Field{
		"open.file.path",
		"unlink.file.path",
		"chmod.file.path",
		"chown.file.path",
		"mkdir.file.path",
		"rmdir.file.path",
		"rename.file.path",
		"rename.file.destination.path",
		"utimes.file.path",
		"link.file.path",
		"link.file.destination.path",
		"process.file.path",
		"setxattr.file.path",
		"removexattr.file.path",
		"chdir.file.path",
	}

	invalid := make(map[eval.Field][]string, len(pathFields))
	for _, field := range pathFields {
		invalid[field] = dentryInvalidDiscarder
	}
	return invalid
}
InvalidDiscarders exposes the list of values that are not valid discarders
Functions ¶
func AppendProbeRequestsToFetcher ¶
func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version)
AppendProbeRequestsToFetcher registers the probe's offset and struct-size constant requests with the given constant fetcher
func IsNetworkNotSupported ¶
IsNetworkNotSupported reports whether the network feature is not supported on the given kernel version
func IsRawPacketNotSupported ¶
IsRawPacketNotSupported reports whether the raw packet feature is not supported on the given kernel version
func NewAbnormalEvent ¶
func NewAbnormalEvent(acc *events.AgentContainerContext, id string, description string, event *model.Event, err error) (*rules.Rule, *events.CustomEvent)
NewAbnormalEvent returns the rule and a populated custom event for an abnormal event
func NewAgentContainerContext ¶
func NewAgentContainerContext() (*events.AgentContainerContext, error)
NewAgentContainerContext returns the agent container context
func NewEBPFLessEvent ¶
func NewEBPFLessEvent(fh *EBPFLessFieldHandlers) *model.Event
NewEBPFLessEvent returns a new event
func NewEBPFLessHelloMsgEvent ¶
func NewEBPFLessHelloMsgEvent(acc *events.AgentContainerContext, msg *ebpfless.HelloMsg, scrubber *procutil.DataScrubber, tagger tags.Tagger) (*rules.Rule, *events.CustomEvent)
NewEBPFLessHelloMsgEvent returns an eBPFLess hello custom event
func NewEBPFLessModel ¶
NewEBPFLessModel returns a new model with some extra field validation
func NewEBPFModel ¶
NewEBPFModel returns a new model with some extra field validation
Types ¶
type AbnormalEvent ¶
// AbnormalEvent is used to report that a path resolution failed for a
// suspicious reason.
//
// easyjson:json
type AbnormalEvent struct {
	events.CustomEventCommonFields

	// Event is the serialized form of the event that triggered the report.
	Event *serializers.EventSerializer `json:"triggering_event"`
	// Error is the resolution error, as text.
	Error string `json:"error"`
}
AbnormalEvent is used to report that a path resolution failed for a suspicious reason easyjson:json
func (AbnormalEvent) MarshalEasyJSON ¶
func (v AbnormalEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (AbnormalEvent) ToJSON ¶
func (a AbnormalEvent) ToJSON() ([]byte, error)
ToJSON marshals using the JSON format
func (*AbnormalEvent) UnmarshalEasyJSON ¶
func (v *AbnormalEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type BaseFieldHandlers ¶
// BaseFieldHandlers holds the base field handlers; it is embedded by
// EBPFFieldHandlers. Construct it with NewBaseFieldHandlers.
type BaseFieldHandlers struct {
	// contains filtered or unexported fields
}
BaseFieldHandlers holds the base field handlers
func NewBaseFieldHandlers ¶
func NewBaseFieldHandlers(cfg *config.Config, hostname string) (*BaseFieldHandlers, error)
NewBaseFieldHandlers creates a new BaseFieldHandlers
func (*BaseFieldHandlers) ResolveHostname ¶
ResolveHostname resolves the hostname
func (*BaseFieldHandlers) ResolveIsIPPublic ¶
func (bfh *BaseFieldHandlers) ResolveIsIPPublic(_ *model.Event, ipCtx *model.IPPortContext) bool
ResolveIsIPPublic resolves if the IP is public
func (*BaseFieldHandlers) ResolveService ¶
ResolveService returns the service tag based on the process context
type CoreDump ¶
type CoreDump struct {
// contains filtered or unexported fields
}
CoreDump defines an internal core dump
func NewCoreDump ¶
func NewCoreDump(def *rules.CoreDumpDefinition, resolvers *resolvers.EBPFResolvers, event events.EventMarshaler) *CoreDump
NewCoreDump returns a new core dump
type CustomEventHandler ¶
type CustomEventHandler interface {
HandleCustomEvent(rule *rules.Rule, event *events.CustomEvent)
}
CustomEventHandler represents a handler for the custom events sent by the probe
type Discarder ¶
Discarder represents a discarder: a field whose value is known for sure to always be rejected by the rules
type DiscarderParams ¶
type DiscarderParams struct { EventMask uint64 `yaml:"event_mask"` Timestamps [model.LastDiscarderEventType + 1 - model.FirstDiscarderEventType]uint64 `yaml:"-"` ExpireAt uint64 `yaml:"expire_at"` IsRetained uint32 `yaml:"is_retained"` Revision uint32 }
DiscarderParams describes a map value
type DiscarderPushedCallback ¶
DiscarderPushedCallback describes the callback used to retrieve information about pushed discarders
type DiscardersDump ¶
type DiscardersDump struct { Date time.Time `yaml:"date"` Inodes []InodeDiscarderDump `yaml:"inodes"` Stats map[string]discarder.Stats `yaml:"stats"` }
DiscardersDump describes a dump of discarders
type EBPFFieldHandlers ¶
type EBPFFieldHandlers struct { *BaseFieldHandlers // contains filtered or unexported fields }
EBPFFieldHandlers defines the set of field handlers for the eBPF probe
func NewEBPFFieldHandlers ¶
func NewEBPFFieldHandlers(config *config.Config, resolvers *resolvers.EBPFResolvers, hostname string, onDemand *OnDemandProbesManager) (*EBPFFieldHandlers, error)
NewEBPFFieldHandlers returns a new EBPFFieldHandlers
func (*EBPFFieldHandlers) GetProcessCacheEntry ¶
func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)
GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
func (*EBPFFieldHandlers) ResolveAWSSecurityCredentials ¶
func (fh *EBPFFieldHandlers) ResolveAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials
ResolveAWSSecurityCredentials resolves and updates the AWS security credentials of the input process entry
func (*EBPFFieldHandlers) ResolveAsync ¶
func (fh *EBPFFieldHandlers) ResolveAsync(ev *model.Event) bool
ResolveAsync resolves the async flag
func (*EBPFFieldHandlers) ResolveCGroupID ¶
func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupContext) string
ResolveCGroupID resolves the cgroup ID of the event
func (*EBPFFieldHandlers) ResolveCGroupManager ¶
func (fh *EBPFFieldHandlers) ResolveCGroupManager(ev *model.Event, _ *model.CGroupContext) string
ResolveCGroupManager resolves the manager of the cgroup
func (*EBPFFieldHandlers) ResolveCGroupVersion ¶
func (fh *EBPFFieldHandlers) ResolveCGroupVersion(ev *model.Event, e *model.CGroupContext) int
ResolveCGroupVersion resolves the version of the cgroup API
func (*EBPFFieldHandlers) ResolveChownGID ¶
func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string
ResolveChownGID resolves the group id of a chown event to a group name
func (*EBPFFieldHandlers) ResolveChownUID ¶
func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string
ResolveChownUID resolves the user id of a chown event to a username
func (*EBPFFieldHandlers) ResolveContainerContext ¶
func (fh *EBPFFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)
ResolveContainerContext queries the cgroup resolver to retrieve the ContainerContext of the event
func (*EBPFFieldHandlers) ResolveContainerCreatedAt ¶
func (fh *EBPFFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int
ResolveContainerCreatedAt resolves the container creation time of the event
func (*EBPFFieldHandlers) ResolveContainerID ¶
func (fh *EBPFFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string
ResolveContainerID resolves the container ID of the event
func (*EBPFFieldHandlers) ResolveContainerRuntime ¶
func (fh *EBPFFieldHandlers) ResolveContainerRuntime(ev *model.Event, _ *model.ContainerContext) string
ResolveContainerRuntime retrieves the container runtime managing the container
func (*EBPFFieldHandlers) ResolveContainerTags ¶
func (fh *EBPFFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string
ResolveContainerTags resolves the container tags of the event
func (*EBPFFieldHandlers) ResolveEventTime ¶
ResolveEventTime resolves the monotonic kernel event timestamp to an absolute time
func (*EBPFFieldHandlers) ResolveEventTimestamp ¶
ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time
func (*EBPFFieldHandlers) ResolveFileBasename ¶
ResolveFileBasename resolves the inode to a full path
func (*EBPFFieldHandlers) ResolveFileFieldsGroup ¶
func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string
ResolveFileFieldsGroup resolves the group id of the file to a group name
func (*EBPFFieldHandlers) ResolveFileFieldsInUpperLayer ¶
func (fh *EBPFFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, f *model.FileFields) bool
ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer
func (*EBPFFieldHandlers) ResolveFileFieldsUser ¶
func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string
ResolveFileFieldsUser resolves the user id of the file to a username
func (*EBPFFieldHandlers) ResolveFileFilesystem ¶
ResolveFileFilesystem resolves the filesystem a file resides in
func (*EBPFFieldHandlers) ResolveFilePath ¶
ResolveFilePath resolves the inode to a full path
func (*EBPFFieldHandlers) ResolveHashes ¶
func (fh *EBPFFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string
ResolveHashes resolves the hashes of the requested file event
func (*EBPFFieldHandlers) ResolveHashesFromEvent ¶
ResolveHashesFromEvent resolves the hashes of the requested event
func (*EBPFFieldHandlers) ResolveK8SGroups ¶
func (fh *EBPFFieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string
ResolveK8SGroups resolves the k8s groups of the event
func (*EBPFFieldHandlers) ResolveK8SUID ¶
func (fh *EBPFFieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string
ResolveK8SUID resolves the k8s UID of the event
func (*EBPFFieldHandlers) ResolveK8SUsername ¶
func (fh *EBPFFieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string
ResolveK8SUsername resolves the k8s username of the event
func (*EBPFFieldHandlers) ResolveModuleArgs ¶
func (fh *EBPFFieldHandlers) ResolveModuleArgs(_ *model.Event, module *model.LoadModuleEvent) string
ResolveModuleArgs resolves the correct args when the arguments were truncated; otherwise it returns module.Args
func (*EBPFFieldHandlers) ResolveModuleArgv ¶
func (fh *EBPFFieldHandlers) ResolveModuleArgv(_ *model.Event, module *model.LoadModuleEvent) []string
ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution: these values have not been scrubbed of sensitive data.
func (*EBPFFieldHandlers) ResolveMountPointPath ¶
func (fh *EBPFFieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string
ResolveMountPointPath resolves a mount point path
func (*EBPFFieldHandlers) ResolveMountRootPath ¶
func (fh *EBPFFieldHandlers) ResolveMountRootPath(ev *model.Event, e *model.MountEvent) string
ResolveMountRootPath resolves a mount root path
func (*EBPFFieldHandlers) ResolveMountSourcePath ¶
func (fh *EBPFFieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string
ResolveMountSourcePath resolves a mount source path
func (*EBPFFieldHandlers) ResolveNetworkDeviceIfName ¶
func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *model.NetworkDeviceContext) string
ResolveNetworkDeviceIfName returns the network interface name from the network context
func (*EBPFFieldHandlers) ResolveOnDemandArg1Str ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg1Str(_ *model.Event, e *model.OnDemandEvent) string
ResolveOnDemandArg1Str resolves the string value of the first argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg1Uint ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg1Uint(_ *model.Event, e *model.OnDemandEvent) int
ResolveOnDemandArg1Uint resolves the uint value of the first argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg2Str ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg2Str(_ *model.Event, e *model.OnDemandEvent) string
ResolveOnDemandArg2Str resolves the string value of the second argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg2Uint ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg2Uint(_ *model.Event, e *model.OnDemandEvent) int
ResolveOnDemandArg2Uint resolves the uint value of the second argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg3Str ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg3Str(_ *model.Event, e *model.OnDemandEvent) string
ResolveOnDemandArg3Str resolves the string value of the third argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg3Uint ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg3Uint(_ *model.Event, e *model.OnDemandEvent) int
ResolveOnDemandArg3Uint resolves the uint value of the third argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg4Str ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg4Str(_ *model.Event, e *model.OnDemandEvent) string
ResolveOnDemandArg4Str resolves the string value of the fourth argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandArg4Uint ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandArg4Uint(_ *model.Event, e *model.OnDemandEvent) int
ResolveOnDemandArg4Uint resolves the uint value of the fourth argument of hooked function
func (*EBPFFieldHandlers) ResolveOnDemandName ¶
func (fh *EBPFFieldHandlers) ResolveOnDemandName(_ *model.Event, e *model.OnDemandEvent) string
ResolveOnDemandName resolves the on-demand event name
func (*EBPFFieldHandlers) ResolvePackageName ¶
ResolvePackageName resolves the name of the package providing this file
func (*EBPFFieldHandlers) ResolvePackageSourceVersion ¶
func (fh *EBPFFieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string
ResolvePackageSourceVersion resolves the version of the source package of the package providing this file
func (*EBPFFieldHandlers) ResolvePackageVersion ¶
ResolvePackageVersion resolves the version of the package providing this file
func (*EBPFFieldHandlers) ResolveProcessArgs ¶
ResolveProcessArgs resolves the args of the event
func (*EBPFFieldHandlers) ResolveProcessArgsFlags ¶
func (fh *EBPFFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)
ResolveProcessArgsFlags resolves the arguments flags of the event
func (*EBPFFieldHandlers) ResolveProcessArgsOptions ¶
func (fh *EBPFFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)
ResolveProcessArgsOptions resolves the arguments options of the event
func (*EBPFFieldHandlers) ResolveProcessArgsScrubbed ¶
func (fh *EBPFFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string
ResolveProcessArgsScrubbed resolves the args of the event
func (*EBPFFieldHandlers) ResolveProcessArgsTruncated ¶
func (fh *EBPFFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool
ResolveProcessArgsTruncated returns whether the args are truncated
func (*EBPFFieldHandlers) ResolveProcessArgv ¶
ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution: these values have not been scrubbed of sensitive data.
func (*EBPFFieldHandlers) ResolveProcessArgv0 ¶
ResolveProcessArgv0 resolves the first arg of the event
func (*EBPFFieldHandlers) ResolveProcessArgvScrubbed ¶
func (fh *EBPFFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string
ResolveProcessArgvScrubbed resolves the args of the process as an array
func (*EBPFFieldHandlers) ResolveProcessCacheEntry ¶
func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)
ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
func (*EBPFFieldHandlers) ResolveProcessCmdArgv ¶
func (fh *EBPFFieldHandlers) ResolveProcessCmdArgv(ev *model.Event, process *model.Process) []string
ResolveProcessCmdArgv resolves the command line
func (*EBPFFieldHandlers) ResolveProcessContainerID ¶
ResolveProcessContainerID resolves the container ID of the event
func (*EBPFFieldHandlers) ResolveProcessCreatedAt ¶
ResolveProcessCreatedAt resolves process creation time
func (*EBPFFieldHandlers) ResolveProcessEnvp ¶
ResolveProcessEnvp resolves the envp of the event as an array
func (*EBPFFieldHandlers) ResolveProcessEnvs ¶
ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution: these values have not been scrubbed of sensitive data.
func (*EBPFFieldHandlers) ResolveProcessEnvsTruncated ¶
func (fh *EBPFFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool
ResolveProcessEnvsTruncated returns whether the envs are truncated
func (*EBPFFieldHandlers) ResolveProcessIsThread ¶
ResolveProcessIsThread returns true if the process is a thread
func (*EBPFFieldHandlers) ResolveProcessNSID ¶
func (fh *EBPFFieldHandlers) ResolveProcessNSID(e *model.Event) (uint64, error)
ResolveProcessNSID resolves the process namespace ID
func (*EBPFFieldHandlers) ResolveRights ¶
func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int
ResolveRights resolves the rights of a file
func (*EBPFFieldHandlers) ResolveSELinuxBoolName ¶
func (fh *EBPFFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string
ResolveSELinuxBoolName resolves the boolean name of the SELinux event
func (*EBPFFieldHandlers) ResolveSetgidEGroup ¶
func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string
ResolveSetgidEGroup resolves the effective group of the Setgid event
func (*EBPFFieldHandlers) ResolveSetgidFSGroup ¶
func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string
ResolveSetgidFSGroup resolves the file-system group of the Setgid event
func (*EBPFFieldHandlers) ResolveSetgidGroup ¶
func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string
ResolveSetgidGroup resolves the group of the Setgid event
func (*EBPFFieldHandlers) ResolveSetuidEUser ¶
func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string
ResolveSetuidEUser resolves the effective user of the Setuid event
func (*EBPFFieldHandlers) ResolveSetuidFSUser ¶
func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string
ResolveSetuidFSUser resolves the file-system user of the Setuid event
func (*EBPFFieldHandlers) ResolveSetuidUser ¶
func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string
ResolveSetuidUser resolves the user of the Setuid event
func (*EBPFFieldHandlers) ResolveSyscallCtxArgs ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgs(_ *model.Event, e *model.SyscallContext)
ResolveSyscallCtxArgs resolve syscall ctx
func (*EBPFFieldHandlers) ResolveSyscallCtxArgsInt1 ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt1(ev *model.Event, e *model.SyscallContext) int
ResolveSyscallCtxArgsInt1 resolve syscall ctx
func (*EBPFFieldHandlers) ResolveSyscallCtxArgsInt2 ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt2(ev *model.Event, e *model.SyscallContext) int
ResolveSyscallCtxArgsInt2 resolve syscall ctx
func (*EBPFFieldHandlers) ResolveSyscallCtxArgsInt3 ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsInt3(ev *model.Event, e *model.SyscallContext) int
ResolveSyscallCtxArgsInt3 resolve syscall ctx
func (*EBPFFieldHandlers) ResolveSyscallCtxArgsStr1 ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr1(ev *model.Event, e *model.SyscallContext) string
ResolveSyscallCtxArgsStr1 resolve syscall ctx
func (*EBPFFieldHandlers) ResolveSyscallCtxArgsStr2 ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr2(ev *model.Event, e *model.SyscallContext) string
ResolveSyscallCtxArgsStr2 resolve syscall ctx
func (*EBPFFieldHandlers) ResolveSyscallCtxArgsStr3 ¶
func (fh *EBPFFieldHandlers) ResolveSyscallCtxArgsStr3(ev *model.Event, e *model.SyscallContext) string
ResolveSyscallCtxArgsStr3 resolve syscall ctx
func (*EBPFFieldHandlers) ResolveUserSessionContext ¶
func (fh *EBPFFieldHandlers) ResolveUserSessionContext(evtCtx *model.UserSessionContext)
ResolveUserSessionContext resolves and updates the provided user session context
func (*EBPFFieldHandlers) ResolveXAttrName ¶
func (fh *EBPFFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string
ResolveXAttrName returns the string representation of the extended attribute name
func (*EBPFFieldHandlers) ResolveXAttrNamespace ¶
func (fh *EBPFFieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string
ResolveXAttrNamespace returns the string representation of the extended attribute namespace
type EBPFLessFieldHandlers ¶
type EBPFLessFieldHandlers struct { *BaseFieldHandlers // contains filtered or unexported fields }
EBPFLessFieldHandlers defines the set of field handlers for the eBPF-less probe
func NewEBPFLessFieldHandlers ¶
func NewEBPFLessFieldHandlers(config *config.Config, resolvers *resolvers.EBPFLessResolvers, hostname string) (*EBPFLessFieldHandlers, error)
NewEBPFLessFieldHandlers returns a new EBPFLessFieldHandlers
func (*EBPFLessFieldHandlers) GetProcessCacheEntry ¶
func (fh *EBPFLessFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)
GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
func (*EBPFLessFieldHandlers) ResolveAWSSecurityCredentials ¶
func (fh *EBPFLessFieldHandlers) ResolveAWSSecurityCredentials(_ *model.Event) []model.AWSSecurityCredentials
ResolveAWSSecurityCredentials resolves and updates the AWS security credentials of the input process entry
func (*EBPFLessFieldHandlers) ResolveAsync ¶
func (fh *EBPFLessFieldHandlers) ResolveAsync(ev *model.Event) bool
ResolveAsync resolves the async flag
func (*EBPFLessFieldHandlers) ResolveCGroupID ¶
func (fh *EBPFLessFieldHandlers) ResolveCGroupID(_ *model.Event, _ *model.CGroupContext) string
ResolveCGroupID resolves the cgroup ID of the event
func (*EBPFLessFieldHandlers) ResolveCGroupManager ¶
func (fh *EBPFLessFieldHandlers) ResolveCGroupManager(_ *model.Event, _ *model.CGroupContext) string
ResolveCGroupManager resolves the manager of the cgroup
func (*EBPFLessFieldHandlers) ResolveCGroupVersion ¶
func (fh *EBPFLessFieldHandlers) ResolveCGroupVersion(_ *model.Event, _ *model.CGroupContext) int
ResolveCGroupVersion resolves the version of the cgroup API
func (*EBPFLessFieldHandlers) ResolveChownGID ¶
func (fh *EBPFLessFieldHandlers) ResolveChownGID(_ *model.Event, e *model.ChownEvent) string
ResolveChownGID resolves the group id of a chown event to a group name
func (*EBPFLessFieldHandlers) ResolveChownUID ¶
func (fh *EBPFLessFieldHandlers) ResolveChownUID(_ *model.Event, e *model.ChownEvent) string
ResolveChownUID resolves the user id of a chown event to a username
func (*EBPFLessFieldHandlers) ResolveContainerContext ¶
func (fh *EBPFLessFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)
ResolveContainerContext retrieves the ContainerContext of the event
func (*EBPFLessFieldHandlers) ResolveContainerCreatedAt ¶
func (fh *EBPFLessFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int
ResolveContainerCreatedAt resolves the container creation time of the event
func (*EBPFLessFieldHandlers) ResolveContainerID ¶
func (fh *EBPFLessFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string
ResolveContainerID resolves the container ID of the event
func (*EBPFLessFieldHandlers) ResolveContainerRuntime ¶
func (fh *EBPFLessFieldHandlers) ResolveContainerRuntime(_ *model.Event, _ *model.ContainerContext) string
ResolveContainerRuntime retrieves the container runtime managing the container
func (*EBPFLessFieldHandlers) ResolveContainerTags ¶
func (fh *EBPFLessFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string
ResolveContainerTags resolves the container tags of the event
func (*EBPFLessFieldHandlers) ResolveEventTime ¶
ResolveEventTime resolves the monotonic kernel event timestamp to an absolute time
func (*EBPFLessFieldHandlers) ResolveEventTimestamp ¶
ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time
func (*EBPFLessFieldHandlers) ResolveFileBasename ¶
ResolveFileBasename resolves the inode to a full path
func (*EBPFLessFieldHandlers) ResolveFileFieldsGroup ¶
func (fh *EBPFLessFieldHandlers) ResolveFileFieldsGroup(_ *model.Event, e *model.FileFields) string
ResolveFileFieldsGroup resolves the group id of the file to a group name
func (*EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer ¶
func (fh *EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, e *model.FileFields) bool
ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer
func (*EBPFLessFieldHandlers) ResolveFileFieldsUser ¶
func (fh *EBPFLessFieldHandlers) ResolveFileFieldsUser(_ *model.Event, e *model.FileFields) string
ResolveFileFieldsUser resolves the user id of the file to a username
func (*EBPFLessFieldHandlers) ResolveFileFilesystem ¶
ResolveFileFilesystem resolves the filesystem a file resides in
func (*EBPFLessFieldHandlers) ResolveFilePath ¶
ResolveFilePath resolves the inode to a full path
func (*EBPFLessFieldHandlers) ResolveHashes ¶
func (fh *EBPFLessFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string
ResolveHashes resolves the hash of the provided file
func (*EBPFLessFieldHandlers) ResolveHashesFromEvent ¶
func (fh *EBPFLessFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string
ResolveHashesFromEvent resolves the hashes of the requested event
func (*EBPFLessFieldHandlers) ResolveK8SGroups ¶
func (fh *EBPFLessFieldHandlers) ResolveK8SGroups(_ *model.Event, e *model.UserSessionContext) []string
ResolveK8SGroups resolves the k8s groups of the event
func (*EBPFLessFieldHandlers) ResolveK8SUID ¶
func (fh *EBPFLessFieldHandlers) ResolveK8SUID(_ *model.Event, e *model.UserSessionContext) string
ResolveK8SUID resolves the k8s UID of the event
func (*EBPFLessFieldHandlers) ResolveK8SUsername ¶
func (fh *EBPFLessFieldHandlers) ResolveK8SUsername(_ *model.Event, e *model.UserSessionContext) string
ResolveK8SUsername resolves the k8s username of the event
func (*EBPFLessFieldHandlers) ResolveModuleArgs ¶
func (fh *EBPFLessFieldHandlers) ResolveModuleArgs(_ *model.Event, e *model.LoadModuleEvent) string
ResolveModuleArgs resolves the correct args when the arguments were truncated; otherwise it returns module.Args
func (*EBPFLessFieldHandlers) ResolveModuleArgv ¶
func (fh *EBPFLessFieldHandlers) ResolveModuleArgv(_ *model.Event, e *model.LoadModuleEvent) []string
ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution: these values have not been scrubbed of sensitive data.
func (*EBPFLessFieldHandlers) ResolveMountPointPath ¶
func (fh *EBPFLessFieldHandlers) ResolveMountPointPath(_ *model.Event, e *model.MountEvent) string
ResolveMountPointPath resolves a mount point path
func (*EBPFLessFieldHandlers) ResolveMountRootPath ¶
func (fh *EBPFLessFieldHandlers) ResolveMountRootPath(_ *model.Event, e *model.MountEvent) string
ResolveMountRootPath resolves a mount root path
func (*EBPFLessFieldHandlers) ResolveMountSourcePath ¶
func (fh *EBPFLessFieldHandlers) ResolveMountSourcePath(_ *model.Event, e *model.MountEvent) string
ResolveMountSourcePath resolves a mount source path
func (*EBPFLessFieldHandlers) ResolveNetworkDeviceIfName ¶
func (fh *EBPFLessFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, e *model.NetworkDeviceContext) string
ResolveNetworkDeviceIfName returns the network interface name from the network context
func (*EBPFLessFieldHandlers) ResolveOnDemandArg1Str ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg1Str(_ *model.Event, _ *model.OnDemandEvent) string
ResolveOnDemandArg1Str resolves the string value of the first argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg1Uint ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg1Uint(_ *model.Event, _ *model.OnDemandEvent) int
ResolveOnDemandArg1Uint resolves the uint value of the first argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg2Str ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg2Str(_ *model.Event, _ *model.OnDemandEvent) string
ResolveOnDemandArg2Str resolves the string value of the second argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg2Uint ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg2Uint(_ *model.Event, _ *model.OnDemandEvent) int
ResolveOnDemandArg2Uint resolves the uint value of the second argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg3Str ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg3Str(_ *model.Event, _ *model.OnDemandEvent) string
ResolveOnDemandArg3Str resolves the string value of the third argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg3Uint ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg3Uint(_ *model.Event, _ *model.OnDemandEvent) int
ResolveOnDemandArg3Uint resolves the uint value of the third argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg4Str ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg4Str(_ *model.Event, _ *model.OnDemandEvent) string
ResolveOnDemandArg4Str resolves the string value of the fourth argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandArg4Uint ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandArg4Uint(_ *model.Event, _ *model.OnDemandEvent) int
ResolveOnDemandArg4Uint resolves the uint value of the fourth argument of hooked function
func (*EBPFLessFieldHandlers) ResolveOnDemandName ¶
func (fh *EBPFLessFieldHandlers) ResolveOnDemandName(_ *model.Event, _ *model.OnDemandEvent) string
ResolveOnDemandName resolves the on-demand event name
func (*EBPFLessFieldHandlers) ResolvePackageName ¶
ResolvePackageName resolves the name of the package providing this file
func (*EBPFLessFieldHandlers) ResolvePackageSourceVersion ¶
func (fh *EBPFLessFieldHandlers) ResolvePackageSourceVersion(_ *model.Event, e *model.FileEvent) string
ResolvePackageSourceVersion resolves the version of the source package of the package providing this file
func (*EBPFLessFieldHandlers) ResolvePackageVersion ¶
ResolvePackageVersion resolves the version of the package providing this file
func (*EBPFLessFieldHandlers) ResolveProcessArgs ¶
ResolveProcessArgs resolves the args of the event
func (*EBPFLessFieldHandlers) ResolveProcessArgsFlags ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)
ResolveProcessArgsFlags resolves the arguments flags of the event
func (*EBPFLessFieldHandlers) ResolveProcessArgsOptions ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)
ResolveProcessArgsOptions resolves the arguments options of the event
func (*EBPFLessFieldHandlers) ResolveProcessArgsScrubbed ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string
ResolveProcessArgsScrubbed resolves the args of the event
func (*EBPFLessFieldHandlers) ResolveProcessArgsTruncated ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool
ResolveProcessArgsTruncated returns whether the args are truncated
func (*EBPFLessFieldHandlers) ResolveProcessArgv ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string
ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution: these values have not been scrubbed of sensitive data.
func (*EBPFLessFieldHandlers) ResolveProcessArgv0 ¶
ResolveProcessArgv0 resolves the first arg of the event
func (*EBPFLessFieldHandlers) ResolveProcessArgvScrubbed ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string
ResolveProcessArgvScrubbed resolves the args of the process as an array
func (*EBPFLessFieldHandlers) ResolveProcessCacheEntry ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ func(*model.ProcessCacheEntry, error)) (*model.ProcessCacheEntry, bool)
ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
func (*EBPFLessFieldHandlers) ResolveProcessCmdArgv ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessCmdArgv(ev *model.Event, process *model.Process) []string
ResolveProcessCmdArgv resolves the command line
func (*EBPFLessFieldHandlers) ResolveProcessContainerID ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessContainerID(ev *model.Event, _ *model.Process) string
ResolveProcessContainerID resolves the container ID of the event
func (*EBPFLessFieldHandlers) ResolveProcessCreatedAt ¶
ResolveProcessCreatedAt resolves process creation time
func (*EBPFLessFieldHandlers) ResolveProcessEnvp ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string
ResolveProcessEnvp resolves the envp of the event as an array
func (*EBPFLessFieldHandlers) ResolveProcessEnvs ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string
ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution: these values have not been scrubbed of sensitive data.
func (*EBPFLessFieldHandlers) ResolveProcessEnvsTruncated ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool
ResolveProcessEnvsTruncated returns whether the envs are truncated
func (*EBPFLessFieldHandlers) ResolveProcessIsThread ¶
func (fh *EBPFLessFieldHandlers) ResolveProcessIsThread(_ *model.Event, process *model.Process) bool
ResolveProcessIsThread returns true if the process is a thread
func (*EBPFLessFieldHandlers) ResolveRights ¶
func (fh *EBPFLessFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int
ResolveRights resolves the rights of a file
func (*EBPFLessFieldHandlers) ResolveSELinuxBoolName ¶
func (fh *EBPFLessFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string
ResolveSELinuxBoolName resolves the boolean name of the SELinux event
func (*EBPFLessFieldHandlers) ResolveSetgidEGroup ¶
func (fh *EBPFLessFieldHandlers) ResolveSetgidEGroup(_ *model.Event, e *model.SetgidEvent) string
ResolveSetgidEGroup resolves the effective group of the Setgid event
func (*EBPFLessFieldHandlers) ResolveSetgidFSGroup ¶
func (fh *EBPFLessFieldHandlers) ResolveSetgidFSGroup(_ *model.Event, e *model.SetgidEvent) string
ResolveSetgidFSGroup resolves the file-system group of the Setgid event
func (*EBPFLessFieldHandlers) ResolveSetgidGroup ¶
func (fh *EBPFLessFieldHandlers) ResolveSetgidGroup(_ *model.Event, e *model.SetgidEvent) string
ResolveSetgidGroup resolves the group of the Setgid event
func (*EBPFLessFieldHandlers) ResolveSetuidEUser ¶
func (fh *EBPFLessFieldHandlers) ResolveSetuidEUser(_ *model.Event, e *model.SetuidEvent) string
ResolveSetuidEUser resolves the effective user of the Setuid event
func (*EBPFLessFieldHandlers) ResolveSetuidFSUser ¶
func (fh *EBPFLessFieldHandlers) ResolveSetuidFSUser(_ *model.Event, e *model.SetuidEvent) string
ResolveSetuidFSUser resolves the file-system user of the Setuid event
func (*EBPFLessFieldHandlers) ResolveSetuidUser ¶
func (fh *EBPFLessFieldHandlers) ResolveSetuidUser(_ *model.Event, e *model.SetuidEvent) string
ResolveSetuidUser resolves the user of the Setuid event
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgs ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgs(_ *model.Event, e *model.SyscallContext)
ResolveSyscallCtxArgs resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt1 ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt1(_ *model.Event, e *model.SyscallContext) int
ResolveSyscallCtxArgsInt1 resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt2 ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt2(_ *model.Event, e *model.SyscallContext) int
ResolveSyscallCtxArgsInt2 resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt3 ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsInt3(_ *model.Event, e *model.SyscallContext) int
ResolveSyscallCtxArgsInt3 resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr1 ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr1(_ *model.Event, e *model.SyscallContext) string
ResolveSyscallCtxArgsStr1 resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr2 ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr2(_ *model.Event, e *model.SyscallContext) string
ResolveSyscallCtxArgsStr2 resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr3 ¶
func (fh *EBPFLessFieldHandlers) ResolveSyscallCtxArgsStr3(_ *model.Event, e *model.SyscallContext) string
ResolveSyscallCtxArgsStr3 resolves the syscall context
func (*EBPFLessFieldHandlers) ResolveUserSessionContext ¶
func (fh *EBPFLessFieldHandlers) ResolveUserSessionContext(_ *model.UserSessionContext)
ResolveUserSessionContext resolves and updates the provided user session context
func (*EBPFLessFieldHandlers) ResolveXAttrName ¶
func (fh *EBPFLessFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string
ResolveXAttrName returns the string representation of the extended attribute name
func (*EBPFLessFieldHandlers) ResolveXAttrNamespace ¶
func (fh *EBPFLessFieldHandlers) ResolveXAttrNamespace(_ *model.Event, e *model.SetXAttrEvent) string
ResolveXAttrNamespace returns the string representation of the extended attribute namespace
type EBPFLessHelloMsgEvent ¶
type EBPFLessHelloMsgEvent struct { events.CustomEventCommonFields NSID uint64 `json:"nsid,omitempty"` Container struct { ID string `json:"id,omitempty"` Name string `json:"name,omitempty"` ImageShortName string `json:"short_name,omitempty"` ImageTag string `json:"image_tag,omitempty"` } `json:"workload_container,omitempty"` EntrypointArgs []string `json:"args,omitempty"` }
EBPFLessHelloMsgEvent defines a hello message easyjson:json
func (EBPFLessHelloMsgEvent) MarshalEasyJSON ¶
func (v EBPFLessHelloMsgEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (EBPFLessHelloMsgEvent) ToJSON ¶
func (e EBPFLessHelloMsgEvent) ToJSON() ([]byte, error)
ToJSON marshal using json format
func (*EBPFLessHelloMsgEvent) UnmarshalEasyJSON ¶
func (v *EBPFLessHelloMsgEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type EBPFLessProbe ¶
type EBPFLessProbe struct { sync.Mutex Resolvers *resolvers.EBPFLessResolvers // contains filtered or unexported fields }
EBPFLessProbe defines an eBPF less probe
func NewEBPFLessProbe ¶
NewEBPFLessProbe returns a new eBPF less probe
func (*EBPFLessProbe) AddDiscarderPushedCallback ¶
func (p *EBPFLessProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback)
AddDiscarderPushedCallback adds a callback to the list of functions that have to be called when a discarder is pushed to the kernel
func (*EBPFLessProbe) ApplyRuleSet ¶
func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
ApplyRuleSet applies the new ruleset
func (*EBPFLessProbe) DispatchEvent ¶
func (p *EBPFLessProbe) DispatchEvent(event *model.Event)
DispatchEvent sends an event to the probe event handler
func (*EBPFLessProbe) DumpDiscarders ¶
func (p *EBPFLessProbe) DumpDiscarders() (string, error)
DumpDiscarders dumps the discarders
func (*EBPFLessProbe) DumpProcessCache ¶
func (p *EBPFLessProbe) DumpProcessCache(withArgs bool) (string, error)
DumpProcessCache dumps the process cache
func (*EBPFLessProbe) EnableEnforcement ¶
func (p *EBPFLessProbe) EnableEnforcement(state bool)
EnableEnforcement sets the enforcement mode
func (*EBPFLessProbe) FlushDiscarders ¶
func (p *EBPFLessProbe) FlushDiscarders() error
FlushDiscarders flushes the discarders
func (*EBPFLessProbe) GetAgentContainerContext ¶
func (p *EBPFLessProbe) GetAgentContainerContext() *events.AgentContainerContext
GetAgentContainerContext returns the agent container context
func (*EBPFLessProbe) GetClientsCount ¶
func (p *EBPFLessProbe) GetClientsCount() int
GetClientsCount returns the number of connected clients
func (*EBPFLessProbe) GetEventTags ¶
func (p *EBPFLessProbe) GetEventTags(containerID containerutils.ContainerID) []string
GetEventTags returns the event tags
func (*EBPFLessProbe) GetFieldHandlers ¶
func (p *EBPFLessProbe) GetFieldHandlers() model.FieldHandlers
GetFieldHandlers returns the field handlers
func (*EBPFLessProbe) GetProfileManager ¶
func (p *EBPFLessProbe) GetProfileManager() interface{}
GetProfileManager returns the Profile Managers
func (*EBPFLessProbe) HandleActions ¶
func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)
HandleActions handles the rule actions
func (*EBPFLessProbe) NewEvent ¶
func (p *EBPFLessProbe) NewEvent() *model.Event
NewEvent returns a new event
func (*EBPFLessProbe) NewModel ¶
func (p *EBPFLessProbe) NewModel() *model.Model
NewModel returns a new Model
func (*EBPFLessProbe) OnNewDiscarder ¶
func (p *EBPFLessProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
OnNewDiscarder handles discarders
func (*EBPFLessProbe) OnNewRuleSetLoaded ¶
func (p *EBPFLessProbe) OnNewRuleSetLoaded(rs *rules.RuleSet)
OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
func (*EBPFLessProbe) SendStats ¶
func (p *EBPFLessProbe) SendStats() error
SendStats sends the stats
func (*EBPFLessProbe) Snapshot ¶
func (p *EBPFLessProbe) Snapshot() error
Snapshot snapshots the already existing entities
type EBPFMonitors ¶
type EBPFMonitors struct {
// contains filtered or unexported fields
}
EBPFMonitors regroups all the work we want to do to monitor the probes we pushed in the kernel
func NewEBPFMonitors ¶
func NewEBPFMonitors(p *EBPFProbe) *EBPFMonitors
NewEBPFMonitors returns a new instance of EBPFMonitors
func (*EBPFMonitors) GetEventStreamMonitor ¶
func (m *EBPFMonitors) GetEventStreamMonitor() *eventstream.Monitor
GetEventStreamMonitor returns the perf buffer monitor
func (*EBPFMonitors) ProcessEvent ¶
func (m *EBPFMonitors) ProcessEvent(event *model.Event)
ProcessEvent processes an event through the various monitors and controllers of the probe
func (*EBPFMonitors) SendStats ¶
func (m *EBPFMonitors) SendStats() error
SendStats sends statistics about the probe to Datadog
type EBPFProbe ¶
type EBPFProbe struct { Resolvers *resolvers.EBPFResolvers Manager *manager.Manager // Approvers / discarders section Erpc *erpc.ERPC // contains filtered or unexported fields }
EBPFProbe defines a platform probe
func NewEBPFProbe ¶
NewEBPFProbe instantiates a new runtime security agent probe
func (*EBPFProbe) AddActivityDumpHandler ¶
func (p *EBPFProbe) AddActivityDumpHandler(handler dump.ActivityDumpHandler)
AddActivityDumpHandler sets the probe activity dump handler
func (*EBPFProbe) AddDiscarderPushedCallback ¶
func (p *EBPFProbe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)
AddDiscarderPushedCallback adds a callback to the list of functions that have to be called when a discarder is pushed to the kernel
func (*EBPFProbe) ApplyFilterPolicy ¶
ApplyFilterPolicy is called when a passing policy for an event type is applied
func (*EBPFProbe) ApplyRuleSet ¶
ApplyRuleSet applies the updates required to handle the new ruleset
func (*EBPFProbe) DispatchEvent ¶
DispatchEvent sends an event to the probe event handler
func (*EBPFProbe) DumpDiscarders ¶
DumpDiscarders dumps the discarders
func (*EBPFProbe) DumpProcessCache ¶
DumpProcessCache dumps the process cache
func (*EBPFProbe) EnableEnforcement ¶
EnableEnforcement sets the enforcement mode
func (*EBPFProbe) EventMarshallerCtor ¶
func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler
EventMarshallerCtor returns the event marshaller ctor
func (*EBPFProbe) FlushDiscarders ¶
FlushDiscarders flushes the discarders
func (*EBPFProbe) FlushNetworkNamespace ¶
func (p *EBPFProbe) FlushNetworkNamespace(namespace *netns.NetworkNamespace)
FlushNetworkNamespace removes all references and stops all TC programs in the provided network namespace. This method flushes the network namespace in the network namespace resolver as well.
func (*EBPFProbe) GetAgentContainerContext ¶
func (p *EBPFProbe) GetAgentContainerContext() *events.AgentContainerContext
GetAgentContainerContext returns the agent container context
func (*EBPFProbe) GetConstantFetcherStatus ¶
func (p *EBPFProbe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error)
GetConstantFetcherStatus returns the status of the constant fetcher associated with this probe
func (*EBPFProbe) GetDiscarders ¶
func (p *EBPFProbe) GetDiscarders() (*DiscardersDump, error)
GetDiscarders retrieves the discarders
func (*EBPFProbe) GetEventTags ¶
func (p *EBPFProbe) GetEventTags(containerID containerutils.ContainerID) []string
GetEventTags returns the event tags
func (*EBPFProbe) GetFieldHandlers ¶
func (p *EBPFProbe) GetFieldHandlers() model.FieldHandlers
GetFieldHandlers returns the field handlers
func (*EBPFProbe) GetKernelVersion ¶
GetKernelVersion computes and returns the running kernel version
func (*EBPFProbe) GetMonitors ¶
func (p *EBPFProbe) GetMonitors() *EBPFMonitors
GetMonitors returns the monitor of the probe
func (*EBPFProbe) GetOffsetConstants ¶
GetOffsetConstants returns the offsets and struct sizes constants
func (*EBPFProbe) GetProfileManager ¶
func (p *EBPFProbe) GetProfileManager() interface{}
GetProfileManager returns the Profile Managers
func (*EBPFProbe) GetProfileManagers ¶
func (p *EBPFProbe) GetProfileManagers() *SecurityProfileManagers
GetProfileManagers returns the security profile managers
func (*EBPFProbe) HandleActions ¶
HandleActions handles the rule actions
func (*EBPFProbe) IsRuntimeCompiled ¶
IsRuntimeCompiled returns true if the eBPF programs were successfully runtime compiled
func (*EBPFProbe) OnNewDiscarder ¶
func (p *EBPFProbe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)
OnNewDiscarder handles new discarders
func (*EBPFProbe) OnNewRuleSetLoaded ¶
OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
func (*EBPFProbe) RefreshUserCache ¶
func (p *EBPFProbe) RefreshUserCache(containerID containerutils.ContainerID) error
RefreshUserCache refreshes the user cache
func (*EBPFProbe) Snapshot ¶
Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system
func (*EBPFProbe) UseRingBuffers ¶
UseRingBuffers returns true if eBPF ring buffers are supported and used
func (*EBPFProbe) VerifyEnvironment ¶
func (p *EBPFProbe) VerifyEnvironment() *multierror.Error
VerifyEnvironment returns an error if the current environment seems to be misconfigured
func (*EBPFProbe) VerifyOSVersion ¶
VerifyOSVersion returns an error if the current kernel version is not supported
type ErrDiscarderNotSupported ¶
type ErrDiscarderNotSupported struct {
Field string
}
ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them
func (ErrDiscarderNotSupported) Error ¶
func (e ErrDiscarderNotSupported) Error() string
type EventConsumer ¶
type EventConsumer struct {
// contains filtered or unexported fields
}
EventConsumer defines a probe event consumer
type EventConsumerHandler ¶
type EventConsumerHandler interface { IDer ChanSize() int HandleEvent(_ any) Copy(_ *model.Event) any EventTypes() []model.EventType }
EventConsumerHandler represents a handler for events sent by the probe. This handler makes a copy of the event upon receipt
type EventHandler ¶
EventHandler represents a handler for events sent by the probe that needs access to all the fields in the SECL model
type EventStream ¶
type EventStream interface { Init(*manager.Manager, *pconfig.Config) error SetMonitor(eventstream.LostEventCounter) Start(*sync.WaitGroup) error Pause() error Resume() error }
EventStream describes the interface implemented by reordered perf maps or ring buffers
type FileHasher ¶
FileHasher defines a file hasher structure
func NewFileHasher ¶
func NewFileHasher(cfg *config.Config, resolver *hash.Resolver) *FileHasher
NewFileHasher returns a new FileHasher
func (*FileHasher) AddPendingReports ¶
func (p *FileHasher) AddPendingReports(report *HashActionReport)
AddPendingReports adds a pending report
func (*FileHasher) FlushPendingReports ¶
func (p *FileHasher) FlushPendingReports()
FlushPendingReports flushes the pending reports
func (*FileHasher) HandleProcessExited ¶
func (p *FileHasher) HandleProcessExited(event *model.Event)
HandleProcessExited handles process exited events
func (*FileHasher) HashAndReport ¶
HashAndReport hashes and reports; it returns true if the hash computation is supported for the given event
type HashActionReport ¶
type HashActionReport struct { sync.RWMutex Type string `json:"type"` Path string `json:"path"` State string `json:"state"` Trigger string `json:"trigger"` // contains filtered or unexported fields }
HashActionReport defines a hash action report easyjson:json
func (*HashActionReport) IsMatchingRule ¶
func (k *HashActionReport) IsMatchingRule(ruleID eval.RuleID) bool
IsMatchingRule returns true if this action report is targeted at the given rule ID
func (*HashActionReport) IsResolved ¶
func (k *HashActionReport) IsResolved() error
IsResolved returns whether the action is resolved
func (HashActionReport) MarshalEasyJSON ¶
func (v HashActionReport) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*HashActionReport) PatchEvent ¶
func (k *HashActionReport) PatchEvent(ev *serializers.EventSerializer)
PatchEvent implements the EventSerializerPatcher interface
func (*HashActionReport) ToJSON ¶
func (k *HashActionReport) ToJSON() ([]byte, error)
ToJSON marshals the action
func (*HashActionReport) UnmarshalEasyJSON ¶
func (v *HashActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type IDer ¶
type IDer interface { // ID returns the ID of the event consumer ID() string }
IDer provides unique ID for each event consumer
type InodeDiscarderDump ¶
type InodeDiscarderDump struct { Index int `yaml:"index"` InodeDiscarderParams `yaml:"value"` FilePath string `yaml:"path"` Inode uint64 MountID uint32 `yaml:"mount_id"` }
InodeDiscarderDump describes a dump of an inode discarder
type InodeDiscarderEntry ¶
InodeDiscarderEntry describes a map entry
type InodeDiscarderMapEntry ¶
InodeDiscarderMapEntry describes a map entry
type InodeDiscarderParams ¶
type InodeDiscarderParams struct { DiscarderParams `yaml:"params"` Revision uint32 }
InodeDiscarderParams describes a map value
type JKillActionReport ¶
type JKillActionReport struct { Type string `json:"type"` Signal string `json:"signal"` Scope string `json:"scope"` Status string `json:"status"` DisarmerType string `json:"disarmer_type,omitempty"` CreatedAt utils.EasyjsonTime `json:"created_at"` DetectedAt utils.EasyjsonTime `json:"detected_at"` KilledAt *utils.EasyjsonTime `json:"killed_at,omitempty"` ExitedAt *utils.EasyjsonTime `json:"exited_at,omitempty"` TTR string `json:"ttr,omitempty"` }
JKillActionReport is used to serialize a kill action report easyjson:json
func (JKillActionReport) MarshalEasyJSON ¶
func (v JKillActionReport) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*JKillActionReport) UnmarshalEasyJSON ¶
func (v *JKillActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type KillActionReport ¶
type KillActionReport struct { sync.RWMutex Signal string Scope string Status KillActionStatus CreatedAt time.Time DetectedAt time.Time KilledAt time.Time ExitedAt time.Time DisarmerType string // internal Pid uint32 // contains filtered or unexported fields }
KillActionReport defines a kill action report
func (*KillActionReport) IsMatchingRule ¶
func (k *KillActionReport) IsMatchingRule(ruleID eval.RuleID) bool
IsMatchingRule returns true if this action report is targeted at the given rule ID
func (*KillActionReport) IsResolved ¶
func (k *KillActionReport) IsResolved() error
IsResolved returns whether the action is resolved
func (*KillActionReport) ToJSON ¶
func (k *KillActionReport) ToJSON() ([]byte, error)
ToJSON marshals the action
type KillActionStatus ¶
type KillActionStatus string
KillActionStatus defines the status of a kill action
const ( // KillActionStatusPerformed indicates the kill action was performed KillActionStatusPerformed KillActionStatus = "performed" // KillActionStatusRuleDisarmed indicates the kill action was skipped because the rule was disarmed KillActionStatusRuleDisarmed KillActionStatus = "rule_disarmed" )
type OnDemandProbesManager ¶
OnDemandProbesManager is the manager for on-demand probes
type Opts ¶
type Opts struct { // DontDiscardRuntime do not discard the runtime. Mostly used by functional tests DontDiscardRuntime bool // StatsdClient to be used for probe stats StatsdClient statsd.ClientInterface // PathResolutionEnabled defines if the path resolution is enabled PathResolutionEnabled bool // EnvsVarResolutionEnabled defines if environment variables resolution is enabled EnvsVarResolutionEnabled bool // Tagger will override the default one. Mainly here for tests. Tagger tags.Tagger // SyscallsMonitorEnabled enable syscalls map monitor SyscallsMonitorEnabled bool // TTYFallbackEnabled enable the tty procfs fallback TTYFallbackEnabled bool // EBPFLessEnabled use ebpfless source EBPFLessEnabled bool }
Opts defines some probe options
type PlatformProbe ¶
type PlatformProbe interface { Setup() error Init() error Start() error Stop() SendStats() error Snapshot() error Close() error NewModel() *model.Model DumpDiscarders() (string, error) FlushDiscarders() error ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) OnNewRuleSetLoaded(_ *rules.RuleSet) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType) HandleActions(_ *eval.Context, _ *rules.Rule) NewEvent() *model.Event GetFieldHandlers() model.FieldHandlers DumpProcessCache(_ bool) (string, error) AddDiscarderPushedCallback(_ DiscarderPushedCallback) GetEventTags(_ containerutils.ContainerID) []string GetProfileManager() interface{} EnableEnforcement(bool) }
PlatformProbe defines a platform-dependent probe
type Probe ¶
type Probe struct { PlatformProbe PlatformProbe // Constants and configuration Opts Opts Config *config.Config StatsdClient statsd.ClientInterface // contains filtered or unexported fields }
Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel
func (*Probe) AddCustomEventHandler ¶
func (p *Probe) AddCustomEventHandler(eventType model.EventType, handler CustomEventHandler) error
AddCustomEventHandler sets the probe event handler
func (*Probe) AddDiscarderPushedCallback ¶
func (p *Probe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)
AddDiscarderPushedCallback adds a callback to the list of functions that have to be called when a discarder is pushed to the kernel
func (*Probe) AddEventConsumer ¶
func (p *Probe) AddEventConsumer(consumer EventConsumerHandler) error
AddEventConsumer sets a probe event consumer
func (*Probe) AddEventHandler ¶
func (p *Probe) AddEventHandler(handler EventHandler) error
AddEventHandler sets a probe event handler for the UnknownEventType which requires access to all the struct fields
func (*Probe) ApplyRuleSet ¶
ApplyRuleSet sets up the probes for the provided set of rules and returns the policy report.
func (*Probe) DispatchCustomEvent ¶
func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent)
DispatchCustomEvent sends a custom event to the probe event handler
func (*Probe) DumpDiscarders ¶
DumpDiscarders removes all the discarders
func (*Probe) DumpProcessCache ¶
DumpProcessCache dumps the process cache
func (*Probe) EnableEnforcement ¶
EnableEnforcement sets the enforcement mode
func (*Probe) FlushDiscarders ¶
FlushDiscarders invalidates all the discarders
func (*Probe) GetAgentContainerContext ¶
func (p *Probe) GetAgentContainerContext() *events.AgentContainerContext
GetAgentContainerContext returns the agent container context
func (*Probe) GetDebugStats ¶
GetDebugStats returns the debug stats
func (*Probe) GetEventTags ¶
func (p *Probe) GetEventTags(containerID containerutils.ContainerID) []string
GetEventTags returns the event tags
func (*Probe) GetService ¶
GetService returns the service name from the process tree
func (*Probe) HandleActions ¶
HandleActions executes the actions of a triggered rule
func (*Probe) IsActivityDumpEnabled ¶
IsActivityDumpEnabled returns whether activity dump is enabled
func (*Probe) IsActivityDumpTagRulesEnabled ¶
IsActivityDumpTagRulesEnabled returns whether rule tags is enabled for activity dumps
func (*Probe) IsNetworkEnabled ¶
IsNetworkEnabled returns whether network is enabled
func (*Probe) IsNetworkRawPacketEnabled ¶
IsNetworkRawPacketEnabled returns whether network raw packet is enabled
func (*Probe) IsSecurityProfileEnabled ¶
IsSecurityProfileEnabled returns whether security profile is enabled
func (*Probe) NewRuleSet ¶
NewRuleSet returns a new ruleset
func (*Probe) OnNewDiscarder ¶
func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)
OnNewDiscarder is called when a new discarder is found
func (*Probe) OnNewRuleSetLoaded ¶
OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
func (*Probe) Snapshot ¶
Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system
func (*Probe) StatsPollingInterval ¶
StatsPollingInterval returns the stats polling interval
type ProcessKiller ¶
ProcessKiller defines a process killer structure
func NewProcessKiller ¶
func NewProcessKiller(cfg *config.Config) (*ProcessKiller, error)
NewProcessKiller returns a new ProcessKiller
func (*ProcessKiller) AddPendingReports ¶
func (p *ProcessKiller) AddPendingReports(report *KillActionReport)
AddPendingReports adds a pending report
func (*ProcessKiller) FlushPendingReports ¶
func (p *ProcessKiller) FlushPendingReports()
FlushPendingReports flushes the pending reports
func (*ProcessKiller) HandleProcessExited ¶
func (p *ProcessKiller) HandleProcessExited(event *model.Event)
HandleProcessExited handles process exited events
func (*ProcessKiller) KillAndReport ¶
func (p *ProcessKiller) KillAndReport(kill *rules.KillDefinition, rule *rules.Rule, ev *model.Event, killFnc func(pid uint32, sig uint32) error) bool
KillAndReport kills and reports; it returns true if a kill was attempted
func (*ProcessKiller) KillFromUserspace ¶
KillFromUserspace tries to kill from userspace
func (*ProcessKiller) Reset ¶
func (p *ProcessKiller) Reset(rs *rules.RuleSet)
Reset resets the state and statistics of the process killer
func (*ProcessKiller) SendStats ¶
func (p *ProcessKiller) SendStats(statsd statsd.ClientInterface)
SendStats sends runtime security enforcement statistics to Datadog
func (*ProcessKiller) SetState ¶
func (p *ProcessKiller) SetState(enabled bool)
SetState sets the state - enabled or disabled - for the process killer
type QueuedNetworkDeviceError ¶
type QueuedNetworkDeviceError struct {
// contains filtered or unexported fields
}
QueuedNetworkDeviceError is used to indicate that the new network device was queued until its namespace handle is resolved.
func (QueuedNetworkDeviceError) Error ¶
func (err QueuedNetworkDeviceError) Error() string
type SecurityProfileManagers ¶
type SecurityProfileManagers struct {
// contains filtered or unexported fields
}
SecurityProfileManagers holds the security profile managers
func NewSecurityProfileManagers ¶
func NewSecurityProfileManagers(p *EBPFProbe) (*SecurityProfileManagers, error)
NewSecurityProfileManagers returns a new manager object
func (*SecurityProfileManagers) AddActivityDumpHandler ¶
func (spm *SecurityProfileManagers) AddActivityDumpHandler(handler dump.ActivityDumpHandler)
AddActivityDumpHandler adds a handler
func (*SecurityProfileManagers) DumpActivity ¶
func (spm *SecurityProfileManagers) DumpActivity(params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)
DumpActivity handles an activity dump request
func (*SecurityProfileManagers) GenerateTranscoding ¶
func (spm *SecurityProfileManagers) GenerateTranscoding(params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error)
GenerateTranscoding encodes an activity dump following the input parameters
func (*SecurityProfileManagers) GetActivityDumpManager ¶
func (spm *SecurityProfileManagers) GetActivityDumpManager() *dump.ActivityDumpManager
GetActivityDumpManager returns the activity dump manager
func (*SecurityProfileManagers) GetActivityDumpTracedEventTypes ¶
func (spm *SecurityProfileManagers) GetActivityDumpTracedEventTypes() []model.EventType
GetActivityDumpTracedEventTypes returns traced event types
func (*SecurityProfileManagers) GetAnomalyDetectionEventTypes ¶
func (spm *SecurityProfileManagers) GetAnomalyDetectionEventTypes() []model.EventType
GetAnomalyDetectionEventTypes returns the event types that may generate anomaly detections
func (*SecurityProfileManagers) GetSecurityProfileManager ¶
func (spm *SecurityProfileManagers) GetSecurityProfileManager() *profile.SecurityProfileManager
GetSecurityProfileManager returns the security profile manager
func (*SecurityProfileManagers) ListActivityDumps ¶
func (spm *SecurityProfileManagers) ListActivityDumps(params *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error)
ListActivityDumps returns the list of active dumps
func (*SecurityProfileManagers) ListSecurityProfiles ¶
func (spm *SecurityProfileManagers) ListSecurityProfiles(params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error)
ListSecurityProfiles lists the profiles
func (*SecurityProfileManagers) SaveSecurityProfile ¶
func (spm *SecurityProfileManagers) SaveSecurityProfile(params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error)
SaveSecurityProfile saves a security profile
func (*SecurityProfileManagers) SendStats ¶
func (spm *SecurityProfileManagers) SendStats() error
SendStats sends statistics about the probe to Datadog
func (*SecurityProfileManagers) SnapshotTracedCgroups ¶
func (spm *SecurityProfileManagers) SnapshotTracedCgroups()
SnapshotTracedCgroups snapshots traced cgroups
func (*SecurityProfileManagers) Start ¶
func (spm *SecurityProfileManagers) Start(ctx context.Context, wg *sync.WaitGroup)
Start triggers the goroutines of all the underlying controllers and monitors
func (*SecurityProfileManagers) StopActivityDump ¶
func (spm *SecurityProfileManagers) StopActivityDump(params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error)
StopActivityDump stops an active activity dump
Source Files ¶
- actions.go
- actions_easyjson.go
- actions_linux.go
- actions_linux_easyjson.go
- bpf.go
- coredump.go
- custom_events.go
- custom_events_easyjson.go
- discarders.go
- discarders_linux.go
- errors.go
- eventconsumer.go
- field_handlers.go
- field_handlers_ebpf.go
- field_handlers_ebpfless.go
- file_hasher.go
- model.go
- model_ebpf.go
- model_ebpfless.go
- on_demand.go
- opts_linux.go
- probe.go
- probe_ebpf.go
- probe_ebpfless.go
- probe_linux.go
- probe_monitor.go
- process_killer.go
- process_killer_linux.go
- scrubber.go
- security_profile.go
- stateful_probe_excluder.go
Directories ¶
Path | Synopsis |
---|---|
Package config holds config related files
|
Package config holds config related files |
Package constantfetch holds constantfetch related files
|
Package constantfetch holds constantfetch related files |
Package erpc holds erpc related files
|
Package erpc holds erpc related files |
Package eventstream holds eventstream related files
|
Package eventstream holds eventstream related files |
reorderer
Package reorderer holds reorderer related files
|
Package reorderer holds reorderer related files |
ringbuffer
Package ringbuffer holds ringbuffer related files
|
Package ringbuffer holds ringbuffer related files |
Package kfilters holds kfilters related files
|
Package kfilters holds kfilters related files |
Package managerhelper holds managerhelper related files
|
Package managerhelper holds managerhelper related files |
monitors
|
|
approver
Package approver holds approver related files
|
Package approver holds approver related files |
cgroups
Package cgroups holds cgroups related files
|
Package cgroups holds cgroups related files |
discarder
Package discarder holds discarder related files
|
Package discarder holds discarder related files |
runtime
Package runtime holds runtime related files
|
Package runtime holds runtime related files |
syscalls
Package syscalls holds syscalls related files
|
Package syscalls holds syscalls related files |
Package selftests holds selftests related files
|
Package selftests holds selftests related files |