Documentation ¶
Index ¶
- Constants
- Variables
- func AllCustomRuleIDs() []string
- func ExtractEventInfo(data []byte) (uint64, uint64, error)
- func GetCapababilities() map[eval.EventType]rules.FieldCapabilities
- func IsFakeInode(inode uint64) bool
- func TTYConstants(probe *Probe) []manager.ConstantEditor
- type AbnormalPathEvent
- type ArgsEnvsPool
- type BPFEventSerializer
- type BPFMapSerializer
- type BPFProgramSerializer
- type Capabilities
- type Capability
- type CapsetSerializer
- type ContainerContextSerializer
- type ContainerResolver
- type CredentialsSerializer
- type CustomEvent
- func NewAbnormalPathEvent(event *Event, pathResolutionError error) (*rules.Rule, *CustomEvent)
- func NewEventLostReadEvent(mapName string, lost float64) (*rules.Rule, *CustomEvent)
- func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *CustomEvent)
- func NewNoisyProcessEvent(count uint64, threshold int64, controlPeriod time.Duration, ...) (*rules.Rule, *CustomEvent)
- func NewRuleSetLoadedEvent(rs *rules.RuleSet, err *multierror.Error) (*rules.Rule, *CustomEvent)
- type DDContextSerializer
- type DentryResolver
- func (dr *DentryResolver) BumpCacheGenerations()
- func (dr *DentryResolver) Close() error
- func (dr *DentryResolver) DelCacheEntries(mountID uint32)
- func (dr *DentryResolver) DelCacheEntry(mountID uint32, inode uint64)
- func (dr *DentryResolver) GetName(mountID uint32, inode uint64, pathID uint32) string
- func (dr *DentryResolver) GetNameFromERPC(mountID uint32, inode uint64, pathID uint32) (string, error)
- func (dr *DentryResolver) GetNameFromMap(mountID uint32, inode uint64, pathID uint32) (string, error)
- func (dr *DentryResolver) GetParent(mountID uint32, inode uint64, pathID uint32) (uint32, uint64, error)
- func (dr *DentryResolver) Resolve(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
- func (dr *DentryResolver) ResolveFromCache(mountID uint32, inode uint64) (string, error)
- func (dr *DentryResolver) ResolveFromERPC(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
- func (dr *DentryResolver) ResolveFromMap(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
- func (dr *DentryResolver) SendStats() error
- func (dr *DentryResolver) Start(probe *Probe) error
- type Discarder
- type ERPC
- type ERPCRequest
- type ErrDentryPathKeyNotFound
- type ErrDiscarderNotSupported
- type ErrERPCRequestNotProcessed
- type ErrERPCResolution
- type ErrInvalidKeyPath
- type ErrKernelMapResolution
- type ErrTruncatedParents
- type ErrTruncatedParentsERPC
- type Event
- func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
- func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
- func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)
- func (e *Event) GetFields() []eval.Field
- func (ev *Event) GetPathResolutionError() error
- func (ev *Event) GetProcessServiceTag() string
- func (ev *Event) MarshalJSON() ([]byte, error)
- func (ev *Event) Release()
- func (ev *Event) ResolveChownGID(e *model.ChownEvent) string
- func (ev *Event) ResolveChownUID(e *model.ChownEvent) string
- func (ev *Event) ResolveContainerID(e *model.ContainerContext) string
- func (ev *Event) ResolveContainerTags(e *model.ContainerContext) []string
- func (ev *Event) ResolveEventTimestamp() time.Time
- func (ev *Event) ResolveExecArgs(e *model.ExecEvent) string
- func (ev *Event) ResolveExecArgsFlags(e *model.ExecEvent) (flags []string)
- func (ev *Event) ResolveExecArgsOptions(e *model.ExecEvent) (options []string)
- func (ev *Event) ResolveExecArgsTruncated(e *model.ExecEvent) bool
- func (ev *Event) ResolveExecArgv(e *model.ExecEvent) []string
- func (ev *Event) ResolveExecEnvs(e *model.ExecEvent) []string
- func (ev *Event) ResolveExecEnvsTruncated(e *model.ExecEvent) bool
- func (ev *Event) ResolveFileBasename(f *model.FileEvent) string
- func (ev *Event) ResolveFileFieldsGroup(e *model.FileFields) string
- func (ev *Event) ResolveFileFieldsInUpperLayer(f *model.FileFields) bool
- func (ev *Event) ResolveFileFieldsUser(e *model.FileFields) string
- func (ev *Event) ResolveFileFilesystem(f *model.FileEvent) string
- func (ev *Event) ResolveFilePath(f *model.FileEvent) string
- func (ev *Event) ResolveHelpers(e *model.BPFProgram) []uint32
- func (ev *Event) ResolveMountPoint(e *model.MountEvent) string
- func (ev *Event) ResolveMountRoot(e *model.MountEvent) string
- func (ev *Event) ResolveProcessCacheEntry() *model.ProcessCacheEntry
- func (ev *Event) ResolveProcessCreatedAt(e *model.Process) uint64
- func (ev *Event) ResolveRights(e *model.FileFields) int
- func (ev *Event) ResolveSELinuxBoolName(e *model.SELinuxEvent) string
- func (ev *Event) ResolveSetgidEGroup(e *model.SetgidEvent) string
- func (ev *Event) ResolveSetgidFSGroup(e *model.SetgidEvent) string
- func (ev *Event) ResolveSetgidGroup(e *model.SetgidEvent) string
- func (ev *Event) ResolveSetuidEUser(e *model.SetuidEvent) string
- func (ev *Event) ResolveSetuidFSUser(e *model.SetuidEvent) string
- func (ev *Event) ResolveSetuidUser(e *model.SetuidEvent) string
- func (ev *Event) ResolveXAttrName(e *model.SetXAttrEvent) string
- func (ev *Event) ResolveXAttrNamespace(e *model.SetXAttrEvent) string
- func (ev *Event) Retain() Event
- func (e *Event) SetFieldValue(field eval.Field, value interface{}) error
- func (ev *Event) SetMountPoint(e *model.MountEvent)
- func (ev *Event) SetMountRoot(e *model.MountEvent)
- func (ev *Event) SetPathResolutionError(err error)
- func (ev *Event) String() string
- func (ev *Event) UnmarshalProcess(data []byte) (int, error)
- type EventContextSerializer
- type EventHandler
- type EventLostRead
- type EventLostWrite
- type EventSerializer
- type FileEventSerializer
- type FileSerializer
- type FilterPolicy
- type LoadController
- type Model
- type Monitor
- func (m *Monitor) GetPerfBufferMonitor() *PerfBufferMonitor
- func (m *Monitor) GetStats() (map[string]interface{}, error)
- func (m *Monitor) PrepareRuleSetLoadedReport(ruleSet *rules.RuleSet, err *multierror.Error) RuleSetLoadedReport
- func (m *Monitor) ProcessEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)
- func (m *Monitor) ProcessLostEvent(count uint64, cpu int, perfMap *manager.PerfMap)
- func (m *Monitor) ReportRuleSetLoaded(report RuleSetLoadedReport)
- func (m *Monitor) SendStats() error
- func (m *Monitor) Start(ctx context.Context, wg *sync.WaitGroup) error
- type MountResolver
- func (mr *MountResolver) Delete(mountID uint32) error
- func (mr *MountResolver) GetFilesystem(mountID uint32) string
- func (mr *MountResolver) GetMountPath(mountID uint32) (string, string, string, error)
- func (mr *MountResolver) Insert(e model.MountEvent) error
- func (mr *MountResolver) IsOverlayFS(mountID uint32) bool
- func (mr *MountResolver) Start(ctx context.Context)
- func (mr *MountResolver) SyncCache(proc *process.Process) error
- type NoisyProcessEvent
- type PathEntry
- type PathKey
- type PathLeaf
- type PerfBufferMonitor
- func (pbm *PerfBufferMonitor) CountEvent(eventType model.EventType, timestamp uint64, count uint64, size uint64, ...)
- func (pbm *PerfBufferMonitor) CountLostEvent(count uint64, m *manager.PerfMap, cpu int)
- func (pbm *PerfBufferMonitor) GetAndResetLostCount(perfMap string, cpu int) uint64
- func (pbm *PerfBufferMonitor) GetEventStats(eventType model.EventType, perfMap string, cpu int) (PerfMapStats, PerfMapStats)
- func (pbm *PerfBufferMonitor) GetKernelLostCount(perfMap string, cpu int, evtTypes ...model.EventType) uint64
- func (pbm *PerfBufferMonitor) GetLostCount(perfMap string, cpu int) uint64
- func (pbm *PerfBufferMonitor) SendStats() error
- type PerfMapStats
- type PoliciesIgnored
- type PolicyFlag
- type PolicyLoaded
- type PolicyMode
- type PolicyReport
- type Probe
- func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
- func (p *Probe) Close() error
- func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *CustomEvent)
- func (p *Probe) DispatchEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)
- func (p *Probe) FlushDiscarders() error
- func (p *Probe) GetDebugStats() map[string]interface{}
- func (p *Probe) GetMonitor() *Monitor
- func (p *Probe) GetResolvers() *Resolvers
- func (p *Probe) Init(client *statsd.Client) error
- func (p *Probe) Map(name string) (*lib.Map, error)
- func (p *Probe) NewRuleSet(opts *rules.Opts) *rules.RuleSet
- func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, event *Event, field eval.Field, eventType eval.EventType) error
- func (p *Probe) OnRuleMatch(rule *rules.Rule, event *Event)
- func (p *Probe) SelectProbes(rs *rules.RuleSet) error
- func (p *Probe) SendStats() error
- func (p *Probe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error
- func (p *Probe) SetEventHandler(handler EventHandler)
- func (p *Probe) Snapshot() error
- func (p *Probe) Start() error
- func (p *Probe) VerifyOSVersion() error
- type ProcessCacheEntryPool
- type ProcessCacheEntrySerializer
- type ProcessContextSerializer
- type ProcessCredentialsSerializer
- type ProcessPath
- type ProcessResolver
- func (p *ProcessResolver) AddExecEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
- func (p *ProcessResolver) AddForkEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
- func (p *ProcessResolver) ApplyBootTime(entry *model.ProcessCacheEntry)
- func (p *ProcessResolver) DeleteEntry(pid uint32, exitTime time.Time)
- func (p *ProcessResolver) DequeueExited()
- func (p *ProcessResolver) Dump() (string, error)
- func (p *ProcessResolver) Get(pid uint32) *model.ProcessCacheEntry
- func (p *ProcessResolver) GetCacheSize() float64
- func (p *ProcessResolver) GetEntryCacheSize() float64
- func (p *ProcessResolver) GetProcessArgv(pr *model.Process) ([]string, bool)
- func (p *ProcessResolver) GetProcessEnvs(pr *model.Process) (map[string]string, bool)
- func (p *ProcessResolver) NewProcessCacheEntry() *model.ProcessCacheEntry
- func (p *ProcessResolver) Resolve(pid, tid uint32) *model.ProcessCacheEntry
- func (p *ProcessResolver) SendStats() error
- func (p *ProcessResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
- func (p *ProcessResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
- func (p *ProcessResolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) string
- func (p *ProcessResolver) SetProcessPath(entry *model.ProcessCacheEntry) (string, error)
- func (p *ProcessResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string
- func (p *ProcessResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)
- func (p *ProcessResolver) SetState(state int64)
- func (p *ProcessResolver) Start(ctx context.Context) error
- func (p *ProcessResolver) SyncCache(proc *process.Process) bool
- func (p *ProcessResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
- func (p *ProcessResolver) UpdateCapset(pid uint32, e *Event)
- func (p *ProcessResolver) UpdateGID(pid uint32, e *Event)
- func (p *ProcessResolver) UpdateUID(pid uint32, e *Event)
- type ProcessResolverOpts
- type ProcessSyscall
- type ReOrderer
- type ReOrdererMetric
- type ReOrdererOpts
- type ReordererMonitor
- type Report
- type Reporter
- type Resolvers
- func (r *Resolvers) Close() error
- func (r *Resolvers) ResolveCredentialsEGroup(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsEUser(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsFSGroup(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsFSUser(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsGroup(e *model.Credentials) string
- func (r *Resolvers) ResolveCredentialsUser(e *model.Credentials) string
- func (r *Resolvers) ResolveFileFieldsGroup(e *model.FileFields) string
- func (r *Resolvers) ResolveFileFieldsUser(e *model.FileFields) string
- func (r *Resolvers) Snapshot() error
- func (r *Resolvers) Start(ctx context.Context) error
- type RuleIgnored
- type RuleLoaded
- type RuleSetApplier
- type RuleSetLoadedReport
- type RulesetLoadedEvent
- type SELinuxEventSerializer
- type SetgidSerializer
- type SetuidSerializer
- type Syscall
- type SyscallMonitor
- type SyscallStats
- type SyscallStatsCollector
- type SyscallStatsdCollector
- type Tagger
- type TagsResolver
- type TimeResolver
- type UserContextSerializer
- type UserGroupResolver
Constants ¶
// Rule IDs attached to the custom (non-kernel) events emitted by the probe itself.
const (
	// LostEventsRuleID is the rule ID for the lost_events_* events
	LostEventsRuleID = "lost_events"
	// RulesetLoadedRuleID is the rule ID for the ruleset_loaded events
	RulesetLoadedRuleID = "ruleset_loaded"
	// NoisyProcessRuleID is the rule ID for the noisy_process events
	NoisyProcessRuleID = "noisy_process"
	// AbnormalPathRuleID is the rule ID for the abnormal_path events
	AbnormalPathRuleID = "abnormal_path"
)
// Operation codes of the eRPC requests; numbering starts at 1 so that the zero value
// is never a valid operation. NOTE(review): presumably carried in ERPCRequest.OP — confirm.
const (
	// DiscardInodeOp discards an inode
	DiscardInodeOp = iota + 1
	// DiscardPidOp discards a pid
	DiscardPidOp
	// ResolveSegmentOp resolves the requested segment
	ResolveSegmentOp
	// ResolvePathOp resolves the requested path
	ResolvePathOp
	// ResolveParentOp resolves the parent of the provided path key
	ResolveParentOp
	// RegisterSpanTLSOP is used for span TLS registration
	RegisterSpanTLSOP //nolint:deadcode,unused
	// ExpireInodeDiscarderOp is used to expire an inode discarder
	ExpireInodeDiscarderOp
)
// Keys of the kernel map holding the SELinux status.
const (
	// SELinuxStatusDisableKey represents the key in the kernel map managing the current SELinux disable status
	SELinuxStatusDisableKey uint32 = 0
	// SELinuxStatusEnforceKey represents the key in the kernel map managing the current SELinux enforce status
	SELinuxStatusEnforceKey uint32 = 1
)
// Event categories for JSON serialization
const (
	FIMCategory     = "File Activity"
	ProcessActivity = "Process Activity"
	KernelActivity  = "Kernel Activity"
)
Event categories for JSON serialization
const (
	// DiscardRetention is the time a discard is retained without actually discarding. This avoids a
	// race for events still pending in the userspace pipeline for a file already deleted in kernel space.
	DiscardRetention = 5 * time.Second
)
const (
	// ERPCMaxDataSize is the maximum size in bytes of the data carried by an eRPC request
	ERPCMaxDataSize = 256
)
const (
	// ServiceEnvVar is the environment variable used to report the service
	ServiceEnvVar = "DD_SERVICE"
)
Variables ¶
var (
	// DiscarderConstants holds the eBPF constant editors for the discarders; "discarder_retention"
	// carries DiscardRetention expressed in nanoseconds.
	DiscarderConstants = []manager.ConstantEditor{
		{
			Name:  "discarder_retention",
			Value: uint64(DiscardRetention.Nanoseconds()),
		},
	}
)
var ErrEntryNotFound = errors.New("entry not found")
ErrEntryNotFound is returned when a path key is not found in the cache
var (
	// ErrMountNotFound is returned when an unknown mount identifier is encountered
	ErrMountNotFound = errors.New("unknown mount ID")
)
// InvalidDiscarders exposes, per field, the list of values that must never be used as discarders.
// Every listed path field shares the same dentryInvalidDiscarder list (defined elsewhere in the package).
var InvalidDiscarders = map[eval.Field][]interface{}{
	"open.file.path":               dentryInvalidDiscarder,
	"unlink.file.path":             dentryInvalidDiscarder,
	"chmod.file.path":              dentryInvalidDiscarder,
	"chown.file.path":              dentryInvalidDiscarder,
	"mkdir.file.path":              dentryInvalidDiscarder,
	"rmdir.file.path":              dentryInvalidDiscarder,
	"rename.file.path":             dentryInvalidDiscarder,
	"rename.file.destination.path": dentryInvalidDiscarder,
	"utimes.file.path":             dentryInvalidDiscarder,
	"link.file.path":               dentryInvalidDiscarder,
	"link.file.destination.path":   dentryInvalidDiscarder,
	"process.file.path":            dentryInvalidDiscarder,
	"setxattr.file.path":           dentryInvalidDiscarder,
	"removexattr.file.path":        dentryInvalidDiscarder,
}
InvalidDiscarders exposes the list of values that are not discarders
var (
	// SECLVariables is the set of SECL variables; each entry resolves its value from the
	// *Event stored in the evaluation context.
	SECLVariables = map[string]eval.VariableValue{
		"process.pid": {
			IntFnc: func(ctx *eval.Context) int {
				return int((*Event)(ctx.Object).ProcessContext.Process.Pid)
			},
		},
	}
)
var (
	// SupportedDiscarders lists all the fields which support discarders
	SupportedDiscarders = make(map[eval.Field]bool)
)
Functions ¶
func AllCustomRuleIDs ¶
func AllCustomRuleIDs() []string
AllCustomRuleIDs returns the list of custom rule IDs
func ExtractEventInfo ¶
ExtractEventInfo extracts cpu and timestamp from the raw data event
func GetCapababilities ¶
func GetCapababilities() map[eval.EventType]rules.FieldCapabilities
GetCapababilities returns all the filtering capabilities
func IsFakeInode ¶
IsFakeInode returns whether the given inode is a fake inode
func TTYConstants ¶
func TTYConstants(probe *Probe) []manager.ConstantEditor
TTYConstants returns the tty constants
Types ¶
type AbnormalPathEvent ¶
// AbnormalPathEvent is used to report that a path resolution failed for a suspicious reason
//easyjson:json
type AbnormalPathEvent struct {
	Timestamp           time.Time        `json:"date"`
	Event               *EventSerializer `json:"triggering_event"`
	PathResolutionError string           `json:"path_resolution_error"`
}
AbnormalPathEvent is used to report that a path resolution failed for a suspicious reason easyjson:json
func (AbnormalPathEvent) MarshalEasyJSON ¶
func (v AbnormalPathEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*AbnormalPathEvent) UnmarshalEasyJSON ¶
func (v *AbnormalPathEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type ArgsEnvsPool ¶
type ArgsEnvsPool struct {
// contains filtered or unexported fields
}
ArgsEnvsPool defines a pool for args/envs allocations
func NewArgsEnvsPool ¶
func NewArgsEnvsPool() *ArgsEnvsPool
NewArgsEnvsPool returns a new ArgsEnvEntry pool
func (*ArgsEnvsPool) Get ¶
func (a *ArgsEnvsPool) Get() *model.ArgsEnvsCacheEntry
Get returns a cache entry
func (*ArgsEnvsPool) GetFrom ¶
func (a *ArgsEnvsPool) GetFrom(event *model.ArgsEnvsEvent) *model.ArgsEnvsCacheEntry
GetFrom returns a new cache entry populated with the values of the given event
func (*ArgsEnvsPool) Put ¶
func (a *ArgsEnvsPool) Put(entry *model.ArgsEnvsCacheEntry)
Put returns a cache entry to the pool
type BPFEventSerializer ¶
// BPFEventSerializer serializes a BPF event to JSON
//easyjson:json
type BPFEventSerializer struct {
	Cmd     string                `json:"cmd" jsonschema_description:"BPF command"`
	Map     *BPFMapSerializer     `json:"map,omitempty" jsonschema_description:"BPF map"`
	Program *BPFProgramSerializer `json:"program,omitempty" jsonschema_description:"BPF program"`
}
BPFEventSerializer serializes a BPF event to JSON easyjson:json
func (BPFEventSerializer) MarshalEasyJSON ¶
func (v BPFEventSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*BPFEventSerializer) UnmarshalEasyJSON ¶
func (v *BPFEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type BPFMapSerializer ¶
// BPFMapSerializer serializes a BPF map to JSON
//easyjson:json
type BPFMapSerializer struct {
	Name    string `json:"name,omitempty" jsonschema_description:"Name of the BPF map"`
	MapType string `json:"map_type,omitempty" jsonschema_description:"Type of the BPF map"`
}
BPFMapSerializer serializes a BPF map to JSON easyjson:json
func (BPFMapSerializer) MarshalEasyJSON ¶
func (v BPFMapSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*BPFMapSerializer) UnmarshalEasyJSON ¶
func (v *BPFMapSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type BPFProgramSerializer ¶
// BPFProgramSerializer serializes a BPF program to JSON
//easyjson:json
type BPFProgramSerializer struct {
	Name        string   `json:"name,omitempty" jsonschema_description:"Name of the BPF program"`
	ProgramType string   `json:"program_type,omitempty" jsonschema_description:"Type of the BPF program"`
	AttachType  string   `json:"attach_type,omitempty" jsonschema_description:"Attach type of the BPF program"`
	Helpers     []string `json:"helpers,omitempty" jsonschema_description:"List of helpers used by the BPF program"`
}
BPFProgramSerializer serializes a BPF program to JSON easyjson:json
func (BPFProgramSerializer) MarshalEasyJSON ¶
func (v BPFProgramSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*BPFProgramSerializer) UnmarshalEasyJSON ¶
func (v *BPFProgramSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type Capabilities ¶
type Capabilities map[eval.Field]Capability
Capabilities represents the filtering capabilities for a set of fields
func (Capabilities) GetFieldCapabilities ¶
func (caps Capabilities) GetFieldCapabilities() rules.FieldCapabilities
GetFieldCapabilities returns the field capabilities for a set of capabilities
func (Capabilities) GetFields ¶
func (caps Capabilities) GetFields() []eval.Field
GetFields returns the fields associated with a set of capabilities
func (Capabilities) GetFlags ¶
func (caps Capabilities) GetFlags() PolicyFlag
GetFlags returns the policy flags for the set of capabilities
type Capability ¶
// Capability represents the type of values we are able to filter on the kernel side
type Capability struct {
	PolicyFlags     PolicyFlag
	FieldValueTypes eval.FieldValueType
	// ValidateFnc reports whether a given filter value is acceptable for this capability
	ValidateFnc func(value rules.FilterValue) bool
}
Capability represents the type of values we are able to filter on the kernel side
type CapsetSerializer ¶
// CapsetSerializer serializes a capset event
//easyjson:json
type CapsetSerializer struct {
	CapEffective []string `json:"cap_effective" jsonschema_description:"Effective Capacity set"`
	CapPermitted []string `json:"cap_permitted" jsonschema_description:"Permitted Capacity set"`
}
CapsetSerializer serializes a capset event easyjson:json
func (CapsetSerializer) MarshalEasyJSON ¶
func (v CapsetSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*CapsetSerializer) UnmarshalEasyJSON ¶
func (v *CapsetSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type ContainerContextSerializer ¶
// ContainerContextSerializer serializes a container context to JSON
//easyjson:json
type ContainerContextSerializer struct {
	ID string `json:"id,omitempty" jsonschema_description:"Container ID"`
}
ContainerContextSerializer serializes a container context to JSON easyjson:json
func (ContainerContextSerializer) MarshalEasyJSON ¶
func (v ContainerContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*ContainerContextSerializer) UnmarshalEasyJSON ¶
func (v *ContainerContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type ContainerResolver ¶
type ContainerResolver struct{}
ContainerResolver is used to resolve the container context of the events
func (*ContainerResolver) GetContainerID ¶
func (cr *ContainerResolver) GetContainerID(pid uint32) (utils.ContainerID, error)
GetContainerID returns the container id of the given pid
type CredentialsSerializer ¶
// CredentialsSerializer serializes a set of credentials to JSON
//easyjson:json
type CredentialsSerializer struct {
	UID          int      `json:"uid" jsonschema_description:"User ID"`
	User         string   `json:"user,omitempty" jsonschema_description:"User name"`
	GID          int      `json:"gid" jsonschema_description:"Group ID"`
	Group        string   `json:"group,omitempty" jsonschema_description:"Group name"`
	EUID         int      `json:"euid" jsonschema_description:"Effective User ID"`
	EUser        string   `json:"euser,omitempty" jsonschema_description:"Effective User name"`
	EGID         int      `json:"egid" jsonschema_description:"Effective Group ID"`
	EGroup       string   `json:"egroup,omitempty" jsonschema_description:"Effective Group name"`
	FSUID        int      `json:"fsuid" jsonschema_description:"Filesystem User ID"`
	FSUser       string   `json:"fsuser,omitempty" jsonschema_description:"Filesystem User name"`
	FSGID        int      `json:"fsgid" jsonschema_description:"Filesystem Group ID"`
	FSGroup      string   `json:"fsgroup,omitempty" jsonschema_description:"Filesystem Group name"`
	CapEffective []string `json:"cap_effective" jsonschema_description:"Effective Capacity set"`
	CapPermitted []string `json:"cap_permitted" jsonschema_description:"Permitted Capacity set"`
}
CredentialsSerializer serializes a set of credentials to JSON easyjson:json
func (CredentialsSerializer) MarshalEasyJSON ¶
func (v CredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*CredentialsSerializer) UnmarshalEasyJSON ¶
func (v *CredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type CustomEvent ¶
type CustomEvent struct {
// contains filtered or unexported fields
}
CustomEvent is used to send custom security events to Datadog
func NewAbnormalPathEvent ¶
func NewAbnormalPathEvent(event *Event, pathResolutionError error) (*rules.Rule, *CustomEvent)
NewAbnormalPathEvent returns the rule and a populated custom event for an abnormal_path event
func NewEventLostReadEvent ¶
func NewEventLostReadEvent(mapName string, lost float64) (*rules.Rule, *CustomEvent)
NewEventLostReadEvent returns the rule and a populated custom event for a lost_events_read event
func NewEventLostWriteEvent ¶
func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *CustomEvent)
NewEventLostWriteEvent returns the rule and a populated custom event for a lost_events_write event
func NewNoisyProcessEvent ¶
func NewNoisyProcessEvent(count uint64, threshold int64, controlPeriod time.Duration, discardedUntil time.Time, process *model.ProcessCacheEntry, resolvers *Resolvers, timestamp time.Time) (*rules.Rule, *CustomEvent)
NewNoisyProcessEvent returns the rule and a populated custom event for a noisy_process event
func NewRuleSetLoadedEvent ¶
func NewRuleSetLoadedEvent(rs *rules.RuleSet, err *multierror.Error) (*rules.Rule, *CustomEvent)
NewRuleSetLoadedEvent returns the rule and a populated custom event for a new_rules_loaded event
func (*CustomEvent) Clone ¶
func (ce *CustomEvent) Clone() CustomEvent
Clone returns a copy of the current CustomEvent
func (*CustomEvent) GetEventType ¶
func (ce *CustomEvent) GetEventType() model.EventType
GetEventType returns the event type
func (*CustomEvent) GetTags ¶
func (ce *CustomEvent) GetTags() []string
GetTags returns the tags of the custom event
func (*CustomEvent) GetType ¶
func (ce *CustomEvent) GetType() string
GetType returns the type of the custom event as a string
func (*CustomEvent) MarshalJSON ¶
func (ce *CustomEvent) MarshalJSON() ([]byte, error)
MarshalJSON is the JSON marshaller function of the custom event
func (*CustomEvent) String ¶
func (ce *CustomEvent) String() string
String returns the string representation of a custom event
type DDContextSerializer ¶
// DDContextSerializer serializes a span context to JSON
//easyjson:json
type DDContextSerializer struct {
	SpanID  uint64 `json:"span_id,omitempty" jsonschema_description:"Span ID used for APM correlation"`
	TraceID uint64 `json:"trace_id,omitempty" jsonschema_description:"Trace ID used for APM correlation"`
}
DDContextSerializer serializes a span context to JSON easyjson:json
func (DDContextSerializer) MarshalEasyJSON ¶
func (v DDContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*DDContextSerializer) UnmarshalEasyJSON ¶
func (v *DDContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type DentryResolver ¶
type DentryResolver struct {
// contains filtered or unexported fields
}
DentryResolver resolves inode/mountID to full paths
func NewDentryResolver ¶
func NewDentryResolver(probe *Probe) (*DentryResolver, error)
NewDentryResolver returns a new dentry resolver
func (*DentryResolver) BumpCacheGenerations ¶
func (dr *DentryResolver) BumpCacheGenerations()
BumpCacheGenerations bumps the generations of all the mount points
func (*DentryResolver) Close ¶
func (dr *DentryResolver) Close() error
Close cleans up the eRPC segment
func (*DentryResolver) DelCacheEntries ¶
func (dr *DentryResolver) DelCacheEntries(mountID uint32)
DelCacheEntries removes all the entries belonging to a mountID
func (*DentryResolver) DelCacheEntry ¶
func (dr *DentryResolver) DelCacheEntry(mountID uint32, inode uint64)
DelCacheEntry removes an entry from the cache
func (*DentryResolver) GetName ¶
func (dr *DentryResolver) GetName(mountID uint32, inode uint64, pathID uint32) string
GetName resolves a mountID/inode pair to a path
func (*DentryResolver) GetNameFromERPC ¶
func (dr *DentryResolver) GetNameFromERPC(mountID uint32, inode uint64, pathID uint32) (string, error)
GetNameFromERPC resolves the name of the provided inode / mount id / path id
func (*DentryResolver) GetNameFromMap ¶
func (dr *DentryResolver) GetNameFromMap(mountID uint32, inode uint64, pathID uint32) (string, error)
GetNameFromMap resolves the name of the provided inode
func (*DentryResolver) GetParent ¶
func (dr *DentryResolver) GetParent(mountID uint32, inode uint64, pathID uint32) (uint32, uint64, error)
GetParent returns the parent mount_id/inode
func (*DentryResolver) Resolve ¶
func (dr *DentryResolver) Resolve(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
Resolve the pathname of a dentry, starting at the pathnameKey in the pathnames table
func (*DentryResolver) ResolveFromCache ¶
func (dr *DentryResolver) ResolveFromCache(mountID uint32, inode uint64) (string, error)
ResolveFromCache resolves path from the cache
func (*DentryResolver) ResolveFromERPC ¶
func (dr *DentryResolver) ResolveFromERPC(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
ResolveFromERPC resolves the path of the provided inode / mount id / path id
func (*DentryResolver) ResolveFromMap ¶
func (dr *DentryResolver) ResolveFromMap(mountID uint32, inode uint64, pathID uint32, cache bool) (string, error)
ResolveFromMap resolves the path of the provided inode / mount id / path id
func (*DentryResolver) SendStats ¶
func (dr *DentryResolver) SendStats() error
SendStats sends the dentry resolver metrics
func (*DentryResolver) Start ¶
func (dr *DentryResolver) Start(probe *Probe) error
Start the dentry resolver
type Discarder ¶
Discarder represents a discarder: a field whose value is known for sure to always be rejected by the rules
type ERPC ¶
type ERPC struct {
// contains filtered or unexported fields
}
ERPC defines a krpc object
func (*ERPC) Request ¶
func (k *ERPC) Request(req *ERPCRequest) error
Request generates an ioctl syscall with the required request
type ERPCRequest ¶
// ERPCRequest defines an eRPC request
type ERPCRequest struct {
	// OP is the operation code of the request
	OP uint8
	// Data is the fixed-size request payload, bounded by ERPCMaxDataSize
	Data [ERPCMaxDataSize]byte
}
ERPCRequest defines an eRPC request
type ErrDentryPathKeyNotFound ¶
type ErrDentryPathKeyNotFound struct{}
ErrDentryPathKeyNotFound is used to notify that the requested key is missing from the kernel maps
func (ErrDentryPathKeyNotFound) Error ¶
func (err ErrDentryPathKeyNotFound) Error() string
type ErrDiscarderNotSupported ¶
// ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them
type ErrDiscarderNotSupported struct {
	// Field is the name of the field that does not support discarders
	Field string
}
ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them
func (ErrDiscarderNotSupported) Error ¶
func (e ErrDiscarderNotSupported) Error() string
type ErrERPCRequestNotProcessed ¶
type ErrERPCRequestNotProcessed struct{}
ErrERPCRequestNotProcessed is used to notify that the eRPC request was not processed
func (ErrERPCRequestNotProcessed) Error ¶
func (err ErrERPCRequestNotProcessed) Error() string
type ErrERPCResolution ¶
type ErrERPCResolution struct{}
ErrERPCResolution is used to notify that the eRPC resolution failed
func (ErrERPCResolution) Error ¶
func (err ErrERPCResolution) Error() string
type ErrInvalidKeyPath ¶
ErrInvalidKeyPath is returned when the inode or the mount ID is not valid
func (*ErrInvalidKeyPath) Error ¶
func (e *ErrInvalidKeyPath) Error() string
type ErrKernelMapResolution ¶
type ErrKernelMapResolution struct{}
ErrKernelMapResolution is used to notify that the Kernel maps resolution failed
func (ErrKernelMapResolution) Error ¶
func (err ErrKernelMapResolution) Error() string
type ErrTruncatedParents ¶
type ErrTruncatedParents struct{}
ErrTruncatedParents is used to notify that some parents of the path are missing
func (ErrTruncatedParents) Error ¶
func (err ErrTruncatedParents) Error() string
type ErrTruncatedParentsERPC ¶
type ErrTruncatedParentsERPC struct{}
ErrTruncatedParentsERPC is used to notify that some parents of the path are missing
func (ErrTruncatedParentsERPC) Error ¶
func (err ErrTruncatedParentsERPC) Error() string
type Event ¶
Event describes a probe event
func NewEvent ¶
func NewEvent(resolvers *Resolvers, scrubber *pconfig.DataScrubber) *Event
NewEvent returns a new event
func (*Event) GetFieldEventType ¶
func (*Event) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
func (*Event) GetProcessServiceTag ¶
GetProcessServiceTag returns the service tag based on the process context
func (*Event) MarshalJSON ¶
MarshalJSON returns the JSON encoding of the event
func (*Event) ResolveChownGID ¶
func (ev *Event) ResolveChownGID(e *model.ChownEvent) string
ResolveChownGID resolves the group id of a chown event to a group name
func (*Event) ResolveChownUID ¶
func (ev *Event) ResolveChownUID(e *model.ChownEvent) string
ResolveChownUID resolves the user id of a chown event to a username
func (*Event) ResolveContainerID ¶
func (ev *Event) ResolveContainerID(e *model.ContainerContext) string
ResolveContainerID resolves the container ID of the event
func (*Event) ResolveContainerTags ¶
func (ev *Event) ResolveContainerTags(e *model.ContainerContext) []string
ResolveContainerTags resolves the container tags of the event
func (*Event) ResolveEventTimestamp ¶
ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time
func (*Event) ResolveExecArgs ¶
ResolveExecArgs resolves the args of the event
func (*Event) ResolveExecArgsFlags ¶
ResolveExecArgsFlags resolves the arguments flags of the event
func (*Event) ResolveExecArgsOptions ¶
ResolveExecArgsOptions resolves the arguments options of the event
func (*Event) ResolveExecArgsTruncated ¶
ResolveExecArgsTruncated returns whether the args are truncated
func (*Event) ResolveExecArgv ¶
ResolveExecArgv resolves the args of the event as an array
func (*Event) ResolveExecEnvs ¶
ResolveExecEnvs resolves the envs of the event
func (*Event) ResolveExecEnvsTruncated ¶
ResolveExecEnvsTruncated returns whether the envs are truncated
func (*Event) ResolveFileBasename ¶
ResolveFileBasename resolves the inode to the file's basename (the last path component), not to the full path
func (*Event) ResolveFileFieldsGroup ¶
func (ev *Event) ResolveFileFieldsGroup(e *model.FileFields) string
ResolveFileFieldsGroup resolves the group id of the file to a group name
func (*Event) ResolveFileFieldsInUpperLayer ¶
func (ev *Event) ResolveFileFieldsInUpperLayer(f *model.FileFields) bool
ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer
func (*Event) ResolveFileFieldsUser ¶
func (ev *Event) ResolveFileFieldsUser(e *model.FileFields) string
ResolveFileFieldsUser resolves the user id of the file to a username
func (*Event) ResolveFileFilesystem ¶
ResolveFileFilesystem resolves the filesystem a file resides in
func (*Event) ResolveFilePath ¶
ResolveFilePath resolves the inode to a full path
func (*Event) ResolveHelpers ¶
func (ev *Event) ResolveHelpers(e *model.BPFProgram) []uint32
ResolveHelpers returns the list of eBPF helpers used by the current program
func (*Event) ResolveMountPoint ¶
func (ev *Event) ResolveMountPoint(e *model.MountEvent) string
ResolveMountPoint resolves the mountpoint to a full path
func (*Event) ResolveMountRoot ¶
func (ev *Event) ResolveMountRoot(e *model.MountEvent) string
ResolveMountRoot resolves the mount root to a full path
func (*Event) ResolveProcessCacheEntry ¶
func (ev *Event) ResolveProcessCacheEntry() *model.ProcessCacheEntry
ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessCacheEntry of the event
func (*Event) ResolveProcessCreatedAt ¶
ResolveProcessCreatedAt resolves process creation time
func (*Event) ResolveRights ¶
func (ev *Event) ResolveRights(e *model.FileFields) int
ResolveRights resolves the rights of a file
func (*Event) ResolveSELinuxBoolName ¶
func (ev *Event) ResolveSELinuxBoolName(e *model.SELinuxEvent) string
ResolveSELinuxBoolName resolves the boolean name of the SELinux event
func (*Event) ResolveSetgidEGroup ¶
func (ev *Event) ResolveSetgidEGroup(e *model.SetgidEvent) string
ResolveSetgidEGroup resolves the effective group of the Setgid event
func (*Event) ResolveSetgidFSGroup ¶
func (ev *Event) ResolveSetgidFSGroup(e *model.SetgidEvent) string
ResolveSetgidFSGroup resolves the file-system group of the Setgid event
func (*Event) ResolveSetgidGroup ¶
func (ev *Event) ResolveSetgidGroup(e *model.SetgidEvent) string
ResolveSetgidGroup resolves the group of the Setgid event
func (*Event) ResolveSetuidEUser ¶
func (ev *Event) ResolveSetuidEUser(e *model.SetuidEvent) string
ResolveSetuidEUser resolves the effective user of the Setuid event
func (*Event) ResolveSetuidFSUser ¶
func (ev *Event) ResolveSetuidFSUser(e *model.SetuidEvent) string
ResolveSetuidFSUser resolves the file-system user of the Setuid event
func (*Event) ResolveSetuidUser ¶
func (ev *Event) ResolveSetuidUser(e *model.SetuidEvent) string
ResolveSetuidUser resolves the user of the Setuid event
func (*Event) ResolveXAttrName ¶
func (ev *Event) ResolveXAttrName(e *model.SetXAttrEvent) string
ResolveXAttrName returns the string representation of the extended attribute name
func (*Event) ResolveXAttrNamespace ¶
func (ev *Event) ResolveXAttrNamespace(e *model.SetXAttrEvent) string
ResolveXAttrNamespace returns the string representation of the extended attribute namespace
func (*Event) SetFieldValue ¶
func (*Event) SetMountPoint ¶
func (ev *Event) SetMountPoint(e *model.MountEvent)
SetMountPoint sets the mount point information
func (*Event) SetMountRoot ¶
func (ev *Event) SetMountRoot(e *model.MountEvent)
SetMountRoot sets the mount root information
func (*Event) SetPathResolutionError ¶
SetPathResolutionError sets the Event.pathResolutionError
type EventContextSerializer ¶
// EventContextSerializer serializes an event context to JSON
// easyjson:json
type EventContextSerializer struct {
	// Name is the event name; omitted from the JSON output when empty.
	Name string `json:"name,omitempty" jsonschema_description:"Event name"`
	// Category is the event category; omitted when empty.
	Category string `json:"category,omitempty" jsonschema_description:"Event category"`
	// Outcome is the event outcome; omitted when empty.
	Outcome string `json:"outcome,omitempty" jsonschema_description:"Event outcome"`
}
EventContextSerializer serializes an event context to JSON easyjson:json
func (EventContextSerializer) MarshalEasyJSON ¶
func (v EventContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*EventContextSerializer) UnmarshalEasyJSON ¶
func (v *EventContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type EventHandler ¶
type EventHandler interface { HandleEvent(event *Event) HandleCustomEvent(rule *rules.Rule, event *CustomEvent) }
EventHandler represents a handler for the events sent by the probe
type EventLostRead ¶
// EventLostRead is the event used to report lost events detected from user space
// easyjson:json
type EventLostRead struct {
	// Timestamp is when the loss was observed.
	Timestamp time.Time `json:"date"`
	// Name identifies the perf map on which the events were lost.
	Name string `json:"map"`
	// Lost is the number of events dropped. Any non-zero value is a gap in
	// coverage: those events never reached the probe and so were never
	// evaluated.
	Lost float64 `json:"lost"`
}
EventLostRead is the event used to report lost events detected from user space easyjson:json
func (EventLostRead) MarshalEasyJSON ¶
func (v EventLostRead) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*EventLostRead) UnmarshalEasyJSON ¶
func (v *EventLostRead) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type EventLostWrite ¶
// EventLostWrite is the event used to report lost events detected from kernel space
// easyjson:json
type EventLostWrite struct {
	// Timestamp is when the loss was observed.
	Timestamp time.Time `json:"date"`
	// Name identifies the perf map on which the events were lost.
	Name string `json:"map"`
	// Lost maps an event type name to the number of events of that type the
	// kernel side could not write. Each entry is a detection gap for that
	// event type during the reporting window.
	Lost map[string]uint64 `json:"per_event"`
}
EventLostWrite is the event used to report lost events detected from kernel space easyjson:json
func (EventLostWrite) MarshalEasyJSON ¶
func (v EventLostWrite) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*EventLostWrite) UnmarshalEasyJSON ¶
func (v *EventLostWrite) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type EventSerializer ¶
// EventSerializer serializes an event to JSON
// easyjson:json
type EventSerializer struct {
	// Embedded context common to every event; serialized under "evt".
	EventContextSerializer `json:"evt,omitempty"`
	// Per-event-type payloads; only the one matching the event type is
	// expected to be non-nil (the others are omitted).
	*FileEventSerializer    `json:"file,omitempty"`
	*SELinuxEventSerializer `json:"selinux,omitempty"`
	*BPFEventSerializer     `json:"bpf,omitempty"`
	// Contexts attached to the event.
	UserContextSerializer      UserContextSerializer       `json:"usr,omitempty"`
	ProcessContextSerializer   ProcessContextSerializer    `json:"process,omitempty"`
	DDContextSerializer        DDContextSerializer         `json:"dd,omitempty"`
	ContainerContextSerializer *ContainerContextSerializer `json:"container,omitempty"`
	// Date is the event time. Note that with encoding/json "omitempty" has no
	// effect on a struct value such as time.Time, so a zero date is still
	// emitted; the easyjson encoder may behave differently.
	Date time.Time `json:"date,omitempty"`
}
EventSerializer serializes an event to JSON easyjson:json
func NewEventSerializer ¶
func NewEventSerializer(event *Event) *EventSerializer
NewEventSerializer creates a new event serializer based on the event type
func (EventSerializer) MarshalEasyJSON ¶
func (v EventSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*EventSerializer) UnmarshalEasyJSON ¶
func (v *EventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type FileEventSerializer ¶
// FileEventSerializer serializes a file event to JSON
// easyjson:json
type FileEventSerializer struct {
	// Source file of the event (embedded, flattened into the parent object).
	FileSerializer
	// Destination is the target file for operations that have one (e.g. a
	// rename or link target); omitted otherwise.
	Destination *FileSerializer `json:"destination,omitempty" jsonschema_description:"Target file information"`

	// Fields specific to mount events.
	NewMountID uint32 `json:"new_mount_id,omitempty" jsonschema_description:"New Mount ID"`
	GroupID    uint32 `json:"group_id,omitempty" jsonschema_description:"Group ID"`
	Device     uint32 `json:"device,omitempty" jsonschema_description:"Device associated with the file"`
	FSType     string `json:"fstype,omitempty" jsonschema_description:"Filesystem type"`
}
FileEventSerializer serializes a file event to JSON easyjson:json
func (FileEventSerializer) MarshalEasyJSON ¶
func (v FileEventSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*FileEventSerializer) UnmarshalEasyJSON ¶
func (v *FileEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type FileSerializer ¶
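// FileSerializer serializes a file to JSON
// easyjson:json
type FileSerializer struct {
	// Path is the resolved full path. When resolution failed
	// (PathResolutionError is set) the path may be incomplete, so do not
	// treat it as authoritative for matching or display without checking
	// the error first.
	Path string `json:"path,omitempty" jsonschema_description:"File path"`
	// Name is the file basename.
	Name string `json:"name,omitempty" jsonschema_description:"File basename"`
	// PathResolutionError carries the resolution error message, if any.
	PathResolutionError string `json:"path_resolution_error,omitempty" jsonschema_description:"Error message from path resolution"`
	// Inode, Mode, InUpperLayer and MountID are pointers so that an unset
	// value is omitted rather than serialized as zero.
	Inode        *uint64 `json:"inode,omitempty" jsonschema_description:"File inode number"`
	Mode         *uint32 `json:"mode,omitempty" jsonschema_description:"File mode"`
	InUpperLayer *bool   `json:"in_upper_layer,omitempty" jsonschema_description:"Indicator of file OverlayFS layer"`
	MountID      *uint32 `json:"mount_id,omitempty" jsonschema_description:"File mount ID"`
	Filesystem   string  `json:"filesystem,omitempty" jsonschema_description:"File filesystem name"`
	// UID and GID are always emitted (no omitempty): 0 is a meaningful
	// value (root) and must not be dropped.
	UID   uint32 `json:"uid" jsonschema_description:"File User ID"`
	GID   uint32 `json:"gid" jsonschema_description:"File Group ID"`
	User  string `json:"user,omitempty" jsonschema_description:"File user"`
	Group string `json:"group,omitempty" jsonschema_description:"File group"`
	// Extended attribute name/namespace for setxattr-style events.
	XAttrName      string `json:"attribute_name,omitempty" jsonschema_description:"File extended attribute name"`
	XAttrNamespace string `json:"attribute_namespace,omitempty" jsonschema_description:"File extended attribute namespace"`
	// Flags holds the decoded file flags.
	Flags []string `json:"flags,omitempty" jsonschema_description:"File flags"`
	// Timestamps. The Atime tag key was previously misspelled
	// ("jsonschema_descrition"), which silently dropped its description from
	// the generated schema; it is now spelled correctly.
	Atime *time.Time `json:"access_time,omitempty" jsonschema_description:"File access time"`
	Mtime *time.Time `json:"modification_time,omitempty" jsonschema_description:"File modified time"`
	Ctime *time.Time `json:"change_time,omitempty" jsonschema_description:"File change time"`
}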
FileSerializer serializes a file to JSON easyjson:json
func (FileSerializer) MarshalEasyJSON ¶
func (v FileSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*FileSerializer) UnmarshalEasyJSON ¶
func (v *FileSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type FilterPolicy ¶
type FilterPolicy struct { Mode PolicyMode Flags PolicyFlag }
FilterPolicy describes a filtering policy
func (*FilterPolicy) Bytes ¶
func (f *FilterPolicy) Bytes() ([]byte, error)
Bytes returns the binary representation of a FilterPolicy
type LoadController ¶
// LoadController is used to monitor and control the pressure put on the host
type LoadController struct {
	sync.RWMutex
	// EventsCountThreshold is the per-period event count above which a
	// process is considered noisy. Events beyond it are discarded, so a
	// threshold set too low trades host load for a blind spot in detection.
	EventsCountThreshold int64
	// DiscarderTimeout is how long a discarder placed on a noisy process
	// stays in effect.
	DiscarderTimeout time.Duration
	// ControllerPeriod is the interval over which event counts are
	// evaluated against EventsCountThreshold.
	ControllerPeriod time.Duration
	// contains filtered or unexported fields
}
LoadController is used to monitor and control the pressure put on the host
func NewLoadController ¶
func NewLoadController(probe *Probe, statsdClient *statsd.Client) (*LoadController, error)
NewLoadController instantiates a new load controller
func (*LoadController) Count ¶
func (lc *LoadController) Count(event *Event)
Count processes the provided event and ensures the load of its event type is within the configured limits
func (*LoadController) GenericCount ¶
func (lc *LoadController) GenericCount(event *Event)
GenericCount increments the event counter of the provided event type and pid
func (*LoadController) SendStats ¶
func (lc *LoadController) SendStats() error
SendStats sends load controller stats
type Model ¶
Model describes the data model for the runtime security agent probe events
func (*Model) GetEvaluator ¶
func (*Model) GetEventTypes ¶
type Monitor ¶
type Monitor struct {
// contains filtered or unexported fields
}
Monitor regroups all the work we want to do to monitor the probes we pushed in the kernel
func NewMonitor ¶
NewMonitor returns a new instance of a Monitor
func (*Monitor) GetPerfBufferMonitor ¶
func (m *Monitor) GetPerfBufferMonitor() *PerfBufferMonitor
GetPerfBufferMonitor returns the perf buffer monitor
func (*Monitor) PrepareRuleSetLoadedReport ¶
func (m *Monitor) PrepareRuleSetLoadedReport(ruleSet *rules.RuleSet, err *multierror.Error) RuleSetLoadedReport
PrepareRuleSetLoadedReport prepares a report of new loaded ruleset
func (*Monitor) ProcessEvent ¶
ProcessEvent processes an event through the various monitors and controllers of the probe
func (*Monitor) ProcessLostEvent ¶
ProcessLostEvent processes a lost event through the various monitors and controllers of the probe
func (*Monitor) ReportRuleSetLoaded ¶
func (m *Monitor) ReportRuleSetLoaded(report RuleSetLoadedReport)
ReportRuleSetLoaded reports to Datadog that new ruleset was loaded
type MountResolver ¶
type MountResolver struct {
// contains filtered or unexported fields
}
MountResolver represents a cache for mountpoints and the corresponding file systems
func NewMountResolver ¶
func NewMountResolver(probe *Probe) *MountResolver
NewMountResolver instantiates a new mount resolver
func (*MountResolver) Delete ¶
func (mr *MountResolver) Delete(mountID uint32) error
Delete a mount from the cache
func (*MountResolver) GetFilesystem ¶
func (mr *MountResolver) GetFilesystem(mountID uint32) string
GetFilesystem returns the name of the filesystem
func (*MountResolver) GetMountPath ¶
GetMountPath returns the path of a mount identified by its mount ID. The first path is the container mount path if it exists, the second parameter is the mount point path, and the third parameter is the root path.
func (*MountResolver) Insert ¶
func (mr *MountResolver) Insert(e model.MountEvent) error
Insert a new mount point in the cache
func (*MountResolver) IsOverlayFS ¶
func (mr *MountResolver) IsOverlayFS(mountID uint32) bool
IsOverlayFS reports whether the mount identified by mountID is an OverlayFS mount
func (*MountResolver) Start ¶
func (mr *MountResolver) Start(ctx context.Context)
Start starts the resolver
type NoisyProcessEvent ¶
// NoisyProcessEvent is used to report that a noisy process was temporarily discarded
// easyjson:json
type NoisyProcessEvent struct {
	// Timestamp is when the process was flagged as noisy.
	Timestamp time.Time `json:"date"`
	// Count is the number of events observed for the pid in the control period.
	Count uint64 `json:"pid_count"`
	// Threshold is the event count limit that was exceeded.
	Threshold int64 `json:"threshold"`
	// ControlPeriod is the window over which Count was measured. With
	// encoding/json a time.Duration is emitted as integer nanoseconds.
	ControlPeriod time.Duration `json:"control_period"`
	// DiscardedUntil is the time until which the process's events are
	// discarded. Activity from the process in that window is not evaluated,
	// so consumers should treat it as a known coverage gap.
	DiscardedUntil time.Time `json:"discarded_until"`
	// Process is the context of the discarded process.
	Process ProcessContextSerializer `json:"process"`
}
NoisyProcessEvent is used to report that a noisy process was temporarily discarded easyjson:json
func (NoisyProcessEvent) MarshalEasyJSON ¶
func (v NoisyProcessEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*NoisyProcessEvent) UnmarshalEasyJSON ¶
func (v *NoisyProcessEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type PathKey ¶
PathKey identifies an entry in the dentry cache
func (*PathKey) MarshalBinary ¶
MarshalBinary returns the binary representation of a path key
type PathLeaf ¶
type PathLeaf struct { Parent PathKey Name [model.MaxSegmentLength + 1]byte Len uint16 }
PathLeaf is the go representation of the eBPF path_leaf_t structure
type PerfBufferMonitor ¶
type PerfBufferMonitor struct {
// contains filtered or unexported fields
}
PerfBufferMonitor holds statistics about the number of lost and received events
func NewPerfBufferMonitor ¶
func NewPerfBufferMonitor(p *Probe, client *statsd.Client) (*PerfBufferMonitor, error)
NewPerfBufferMonitor instantiates a new event statistics counter
func (*PerfBufferMonitor) CountEvent ¶
func (pbm *PerfBufferMonitor) CountEvent(eventType model.EventType, timestamp uint64, count uint64, size uint64, m *manager.PerfMap, cpu int)
CountEvent adds `count` to the counter of received events of the specified type
func (*PerfBufferMonitor) CountLostEvent ¶
func (pbm *PerfBufferMonitor) CountLostEvent(count uint64, m *manager.PerfMap, cpu int)
CountLostEvent adds `count` to the counter of lost events
func (*PerfBufferMonitor) GetAndResetLostCount ¶
func (pbm *PerfBufferMonitor) GetAndResetLostCount(perfMap string, cpu int) uint64
GetAndResetLostCount returns the number of lost events and resets the counter for a given map and cpu. If a cpu of -1 is provided, the function will reset the counters of all the cpus for the provided map, and return the sum of all the lost events of all the cpus of the provided map.
func (*PerfBufferMonitor) GetEventStats ¶
func (pbm *PerfBufferMonitor) GetEventStats(eventType model.EventType, perfMap string, cpu int) (PerfMapStats, PerfMapStats)
GetEventStats returns the number of received events of the specified type
func (*PerfBufferMonitor) GetKernelLostCount ¶
func (pbm *PerfBufferMonitor) GetKernelLostCount(perfMap string, cpu int, evtTypes ...model.EventType) uint64
GetKernelLostCount returns the number of lost events for a given map and cpu. If a cpu of -1 is provided, the function will return the sum of all the lost events of all the cpus.
func (*PerfBufferMonitor) GetLostCount ¶
func (pbm *PerfBufferMonitor) GetLostCount(perfMap string, cpu int) uint64
GetLostCount returns the number of lost events for a given map and cpu. If a cpu of -1 is provided, the function will return the sum of all the lost events of all the cpus.
func (*PerfBufferMonitor) SendStats ¶
func (pbm *PerfBufferMonitor) SendStats() error
SendStats sends event stats using the provided statsd client
type PerfMapStats ¶
PerfMapStats contains the collected metrics for one event and one cpu in a perf buffer statistics map
func (*PerfMapStats) UnmarshalBinary ¶
func (s *PerfMapStats) UnmarshalBinary(data []byte) error
UnmarshalBinary parses a map entry and populates the current PerfMapStats instance
type PoliciesIgnored ¶
type PoliciesIgnored struct {
Errors *multierror.Error
}
PoliciesIgnored holds the errors
func (*PoliciesIgnored) MarshalJSON ¶
func (r *PoliciesIgnored) MarshalJSON() ([]byte, error)
MarshalJSON custom marshaller
func (*PoliciesIgnored) UnmarshalJSON ¶
func (r *PoliciesIgnored) UnmarshalJSON(data []byte) error
UnmarshalJSON empty unmarshaller
type PolicyFlag ¶
type PolicyFlag uint8
PolicyFlag is a bitmask of the active filtering policies
// Policy flags
const (
	// PolicyFlagBasename marks the basename filtering policy as active.
	PolicyFlagBasename PolicyFlag = 1
	// PolicyFlagFlags marks the flags filtering policy as active.
	PolicyFlagFlags PolicyFlag = 2
	// PolicyFlagMode marks the mode filtering policy as active.
	PolicyFlagMode PolicyFlag = 4

	// BasenameFilterSize is the basename buffer length. It must stay aligned
	// with the size used on the kernel side; a mismatch would make basename
	// filters compare against truncated or misaligned data.
	BasenameFilterSize = 256
)
Policy flags
func (PolicyFlag) MarshalJSON ¶
func (f PolicyFlag) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the policy flags
type PolicyLoaded ¶
type PolicyLoaded struct { Version string RulesLoaded []*RuleLoaded `json:"rules_loaded"` RulesIgnored []*RuleIgnored `json:"rules_ignored,omitempty"` }
PolicyLoaded is used to report policy was loaded easyjson:json
func (PolicyLoaded) MarshalEasyJSON ¶
func (v PolicyLoaded) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*PolicyLoaded) UnmarshalEasyJSON ¶
func (v *PolicyLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type PolicyMode ¶
type PolicyMode uint8
PolicyMode represents the policy mode (accept or deny)
// Policy modes
const (
	// PolicyModeNoFilter applies no kernel-side filtering for the event type.
	PolicyModeNoFilter PolicyMode = iota
	// PolicyModeAccept lets matching events through (approver semantics).
	PolicyModeAccept
	// PolicyModeDeny drops matching events (discarder semantics).
	PolicyModeDeny
)
Policy modes
func (PolicyMode) MarshalJSON ¶
func (m PolicyMode) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the policy mode
func (PolicyMode) String ¶
func (m PolicyMode) String() string
type PolicyReport ¶
type PolicyReport struct { Mode PolicyMode Flags PolicyFlag Approvers rules.Approvers }
PolicyReport describes the result of the kernel policy and the approvers for an event type
type Probe ¶
type Probe struct {
// contains filtered or unexported fields
}
Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel
func (*Probe) ApplyFilterPolicy ¶
func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
ApplyFilterPolicy is called when a passing policy for an event type is applied
func (*Probe) DispatchCustomEvent ¶
func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *CustomEvent)
DispatchCustomEvent sends a custom event to the probe event handler
func (*Probe) DispatchEvent ¶
DispatchEvent sends an event to the probe event handler
func (*Probe) FlushDiscarders ¶
FlushDiscarders removes all the discarders
func (*Probe) GetDebugStats ¶
GetDebugStats returns the debug stats
func (*Probe) GetMonitor ¶
GetMonitor returns the monitor of the probe
func (*Probe) GetResolvers ¶
GetResolvers returns the resolvers of Probe
func (*Probe) NewRuleSet ¶
NewRuleSet returns a new rule set
func (*Probe) OnNewDiscarder ¶
func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, event *Event, field eval.Field, eventType eval.EventType) error
OnNewDiscarder is called when a new discarder is found
func (*Probe) OnRuleMatch ¶
OnRuleMatch is called when a rule matches just before sending
func (*Probe) SelectProbes ¶
SelectProbes applies the loaded set of rules and returns a report of the applied approvers for it.
func (*Probe) SetApprovers ¶
SetApprovers applies approvers and removes the unused ones
func (*Probe) SetEventHandler ¶
func (p *Probe) SetEventHandler(handler EventHandler)
SetEventHandler set the probe event handler
func (*Probe) Snapshot ¶
Snapshot runs the snapshot functions of the resolvers that need to synchronize with the current state of the system
func (*Probe) VerifyOSVersion ¶
VerifyOSVersion returns an error if the current kernel version is not supported
type ProcessCacheEntryPool ¶
type ProcessCacheEntryPool struct {
// contains filtered or unexported fields
}
ProcessCacheEntryPool defines a pool for process entry allocations
func NewProcessCacheEntryPool ¶
func NewProcessCacheEntryPool(p *ProcessResolver) *ProcessCacheEntryPool
NewProcessCacheEntryPool returns a new ProcessCacheEntryPool pool
func (*ProcessCacheEntryPool) Get ¶
func (p *ProcessCacheEntryPool) Get() *model.ProcessCacheEntry
Get returns a cache entry
func (*ProcessCacheEntryPool) Put ¶
func (p *ProcessCacheEntryPool) Put(pce *model.ProcessCacheEntry)
Put returns a cache entry to the pool so it can be reused by a later Get
type ProcessCacheEntrySerializer ¶
// ProcessCacheEntrySerializer serializes a process cache entry to JSON
// easyjson:json
type ProcessCacheEntrySerializer struct {
	// Identity of the process/thread.
	Pid  uint32 `json:"pid,omitempty" jsonschema_description:"Process ID"`
	PPid uint32 `json:"ppid,omitempty" jsonschema_description:"Parent Process ID"`
	Tid  uint32 `json:"tid,omitempty" jsonschema_description:"Thread ID"`
	// UID and GID are always emitted (no omitempty) because 0 (root) is a
	// meaningful value that must not be dropped.
	UID   int    `json:"uid" jsonschema_description:"User ID"`
	GID   int    `json:"gid" jsonschema_description:"Group ID"`
	User  string `json:"user,omitempty" jsonschema_description:"User name"`
	Group string `json:"group,omitempty" jsonschema_description:"Group name"`
	// PathResolutionError is set when the executable path could not be
	// fully resolved; Executable.Path should then be treated as unreliable.
	PathResolutionError string `json:"path_resolution_error,omitempty" jsonschema_description:"Description of an error in the path resolution"`
	Comm                string `json:"comm,omitempty" jsonschema_description:"Command name"`
	TTY                 string `json:"tty,omitempty" jsonschema_description:"TTY associated with the process"`
	// Lifecycle timestamps; nil when unknown.
	ForkTime *time.Time `json:"fork_time,omitempty" jsonschema_description:"Fork time of the process"`
	ExecTime *time.Time `json:"exec_time,omitempty" jsonschema_description:"Exec time of the process"`
	ExitTime *time.Time `json:"exit_time,omitempty" jsonschema_description:"Exit time of the process"`
	// Nested contexts.
	Credentials *ProcessCredentialsSerializer `json:"credentials,omitempty" jsonschema_description:"Credentials associated with the process"`
	Executable  *FileSerializer               `json:"executable,omitempty" jsonschema_description:"File information of the executable"`
	Container   *ContainerContextSerializer   `json:"container,omitempty" jsonschema_description:"Container context"`
	// Args and Envs are exported as-is. Environment variables (and sometimes
	// arguments) routinely carry credentials; NewEvent accepts a data
	// scrubber, but confirm it is applied before these reach the serializer.
	// The *Truncated flags indicate the kernel-side capture was cut short, so
	// a rule that did not match on Args/Envs may simply not have seen them.
	Args          []string `json:"args,omitempty" jsonschema_description:"Command line arguments"`
	ArgsTruncated bool     `json:"args_truncated,omitempty" jsonschema_description:"Indicator of arguments truncation"`
	Envs          []string `json:"envs,omitempty" jsonschema_description:"Environment variables of the process"`
	EnvsTruncated bool     `json:"envs_truncated,omitempty" jsonschema_description:"Indicator of environments variable truncation"`
}
ProcessCacheEntrySerializer serializes a process cache entry to JSON easyjson:json
func (ProcessCacheEntrySerializer) MarshalEasyJSON ¶
func (v ProcessCacheEntrySerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*ProcessCacheEntrySerializer) UnmarshalEasyJSON ¶
func (v *ProcessCacheEntrySerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type ProcessContextSerializer ¶
type ProcessContextSerializer struct { *ProcessCacheEntrySerializer Parent *ProcessCacheEntrySerializer `json:"parent,omitempty" jsonschema_description:"Parent process"` Ancestors []*ProcessCacheEntrySerializer `json:"ancestors,omitempty" jsonschema_description:"Ancestor processes"` }
ProcessContextSerializer serializes a process context to JSON easyjson:json
func (ProcessContextSerializer) MarshalEasyJSON ¶
func (v ProcessContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*ProcessContextSerializer) UnmarshalEasyJSON ¶
func (v *ProcessContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type ProcessCredentialsSerializer ¶
type ProcessCredentialsSerializer struct { *CredentialsSerializer Destination interface{} `json:"destination,omitempty" jsonschema_description:"Credentials after the operation"` }
ProcessCredentialsSerializer serializes the process credentials to JSON easyjson:json
func (ProcessCredentialsSerializer) MarshalEasyJSON ¶
func (v ProcessCredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*ProcessCredentialsSerializer) UnmarshalEasyJSON ¶
func (v *ProcessCredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type ProcessPath ¶
ProcessPath contains a process path as its binary representation
func (*ProcessPath) IsEmpty ¶
func (p *ProcessPath) IsEmpty() bool
IsEmpty returns true if the current instance of ProcessPath is empty
func (*ProcessPath) UnmarshalBinary ¶
func (p *ProcessPath) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals a binary representation of a ProcessPath
type ProcessResolver ¶
ProcessResolver resolved process context
func NewProcessResolver ¶
func NewProcessResolver(probe *Probe, resolvers *Resolvers, client *statsd.Client, opts ProcessResolverOpts) (*ProcessResolver, error)
NewProcessResolver returns a new process resolver
func (*ProcessResolver) AddExecEntry ¶
func (p *ProcessResolver) AddExecEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
AddExecEntry adds an entry to the local cache and returns the newly created entry
func (*ProcessResolver) AddForkEntry ¶
func (p *ProcessResolver) AddForkEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry
AddForkEntry adds an entry to the local cache and returns the newly created entry
func (*ProcessResolver) ApplyBootTime ¶
func (p *ProcessResolver) ApplyBootTime(entry *model.ProcessCacheEntry)
ApplyBootTime realigns the entry's timestamps using the boot time
func (*ProcessResolver) DeleteEntry ¶
func (p *ProcessResolver) DeleteEntry(pid uint32, exitTime time.Time)
DeleteEntry tries to delete an entry in the process cache
func (*ProcessResolver) DequeueExited ¶
func (p *ProcessResolver) DequeueExited()
DequeueExited dequeues exited processes
func (*ProcessResolver) Dump ¶
func (p *ProcessResolver) Dump() (string, error)
Dump creates a temporary file and dumps the cache into it. The cache holds process arguments and environment variables, so the dump file should be treated as sensitive.
func (*ProcessResolver) Get ¶
func (p *ProcessResolver) Get(pid uint32) *model.ProcessCacheEntry
Get returns the cache entry for a specified pid
func (*ProcessResolver) GetCacheSize ¶
func (p *ProcessResolver) GetCacheSize() float64
GetCacheSize returns the cache size of the process resolver
func (*ProcessResolver) GetEntryCacheSize ¶
func (p *ProcessResolver) GetEntryCacheSize() float64
GetEntryCacheSize returns the size of the entry cache of the process resolver (distinct from GetCacheSize)
func (*ProcessResolver) GetProcessArgv ¶
func (p *ProcessResolver) GetProcessArgv(pr *model.Process) ([]string, bool)
GetProcessArgv returns the args of the event as an array
func (*ProcessResolver) GetProcessEnvs ¶
GetProcessEnvs returns the envs of the event
func (*ProcessResolver) NewProcessCacheEntry ¶
func (p *ProcessResolver) NewProcessCacheEntry() *model.ProcessCacheEntry
NewProcessCacheEntry returns a new process cache entry
func (*ProcessResolver) Resolve ¶
func (p *ProcessResolver) Resolve(pid, tid uint32) *model.ProcessCacheEntry
Resolve returns the cache entry for the given pid
func (*ProcessResolver) SendStats ¶
func (p *ProcessResolver) SendStats() error
SendStats sends process resolver metrics
func (*ProcessResolver) SetProcessArgs ¶
func (p *ProcessResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
SetProcessArgs sets the arguments on the cache entry
func (*ProcessResolver) SetProcessEnvs ¶
func (p *ProcessResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
SetProcessEnvs sets the environment variables on the cache entry
func (*ProcessResolver) SetProcessFilesystem ¶
func (p *ProcessResolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) string
SetProcessFilesystem resolves process file system
func (*ProcessResolver) SetProcessPath ¶
func (p *ProcessResolver) SetProcessPath(entry *model.ProcessCacheEntry) (string, error)
SetProcessPath resolves process file path
func (*ProcessResolver) SetProcessTTY ¶
func (p *ProcessResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string
SetProcessTTY resolves the TTY and caches the result
func (*ProcessResolver) SetProcessUsersGroups ¶
func (p *ProcessResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)
SetProcessUsersGroups resolves and sets the users and groups
func (*ProcessResolver) SetState ¶
func (p *ProcessResolver) SetState(state int64)
SetState sets the process resolver state
func (*ProcessResolver) Start ¶
func (p *ProcessResolver) Start(ctx context.Context) error
Start starts the resolver
func (*ProcessResolver) SyncCache ¶
func (p *ProcessResolver) SyncCache(proc *process.Process) bool
SyncCache snapshots /proc for the provided pid. This method returns true if it updated the process cache.
func (*ProcessResolver) UpdateArgsEnvs ¶
func (p *ProcessResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
UpdateArgsEnvs updates arguments or environment variables of the given id
func (*ProcessResolver) UpdateCapset ¶
func (p *ProcessResolver) UpdateCapset(pid uint32, e *Event)
UpdateCapset updates the capability sets of the provided pid
func (*ProcessResolver) UpdateGID ¶
func (p *ProcessResolver) UpdateGID(pid uint32, e *Event)
UpdateGID updates the group credentials of the provided pid
func (*ProcessResolver) UpdateUID ¶
func (p *ProcessResolver) UpdateUID(pid uint32, e *Event)
UpdateUID updates the user credentials of the provided pid
type ProcessResolverOpts ¶
type ProcessResolverOpts struct{}
ProcessResolverOpts holds the options of the process resolver
func NewProcessResolverOpts ¶
func NewProcessResolverOpts(cookieCacheSize int) ProcessResolverOpts
NewProcessResolverOpts returns a new set of process resolver options (note: cookieCacheSize is not reflected in the exported fields shown here, so its effect has to be confirmed in the implementation)
type ProcessSyscall ¶
ProcessSyscall represents a syscall made by a process
func (*ProcessSyscall) IsNull ¶
func (p *ProcessSyscall) IsNull() bool
IsNull returns true if a ProcessSyscall instance is empty
func (*ProcessSyscall) UnmarshalBinary ¶
func (p *ProcessSyscall) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals a binary representation of a ProcessSyscall
type ReOrderer ¶
type ReOrderer struct { Metrics chan ReOrdererMetric // contains filtered or unexported fields }
ReOrderer defines an event re-orderer
func NewReOrderer ¶
func NewReOrderer(ctx context.Context, handler func(cpu uint64, data []byte), extractInfo func(data []byte) (uint64, uint64, error), opts ReOrdererOpts) *ReOrderer
NewReOrderer returns a new ReOrderer
type ReOrdererMetric ¶
ReOrdererMetric holds reordering metrics
type ReOrdererOpts ¶
type ReOrdererOpts struct { QueueSize uint64 // size of the chan where the perf data are pushed Rate time.Duration // delay between two time based iterations Retention uint64 // bucket to keep before dequeueing MetricRate time.Duration // delay between two metric samples }
ReOrdererOpts options to pass when creating a new instance of ReOrderer
type ReordererMonitor ¶
type ReordererMonitor struct {
// contains filtered or unexported fields
}
ReordererMonitor represents a reorderer monitor
func NewReOrderMonitor ¶
func NewReOrderMonitor(p *Probe, client *statsd.Client) (*ReordererMonitor, error)
NewReOrderMonitor instantiates a new reorder statistics counter
type Report ¶
type Report struct {
Policies map[string]*PolicyReport
}
Report describes the event types and their associated policy reports
type Reporter ¶
type Reporter struct {
// contains filtered or unexported fields
}
Reporter describes a reporter of policy application
func (*Reporter) SetApprovers ¶
SetApprovers is called when approvers are applied for an event type
func (*Reporter) SetFilterPolicy ¶
func (r *Reporter) SetFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error
SetFilterPolicy is called when a passing policy for an event type is applied
type Resolvers ¶
type Resolvers struct { DentryResolver *DentryResolver MountResolver *MountResolver ContainerResolver *ContainerResolver TimeResolver *TimeResolver ProcessResolver *ProcessResolver UserGroupResolver *UserGroupResolver TagsResolver *TagsResolver // contains filtered or unexported fields }
Resolvers holds the list of the event attribute resolvers
func NewResolvers ¶
NewResolvers creates a new instance of Resolvers
func (*Resolvers) ResolveCredentialsEGroup ¶
func (r *Resolvers) ResolveCredentialsEGroup(e *model.Credentials) string
ResolveCredentialsEGroup resolves the effective group id of the process to a group name
func (*Resolvers) ResolveCredentialsEUser ¶
func (r *Resolvers) ResolveCredentialsEUser(e *model.Credentials) string
ResolveCredentialsEUser resolves the effective user id of the process to a username
func (*Resolvers) ResolveCredentialsFSGroup ¶
func (r *Resolvers) ResolveCredentialsFSGroup(e *model.Credentials) string
ResolveCredentialsFSGroup resolves the file-system group id of the process to a group name
func (*Resolvers) ResolveCredentialsFSUser ¶
func (r *Resolvers) ResolveCredentialsFSUser(e *model.Credentials) string
ResolveCredentialsFSUser resolves the file-system user id of the process to a username
func (*Resolvers) ResolveCredentialsGroup ¶
func (r *Resolvers) ResolveCredentialsGroup(e *model.Credentials) string
ResolveCredentialsGroup resolves the group id of the process to a group name
func (*Resolvers) ResolveCredentialsUser ¶
func (r *Resolvers) ResolveCredentialsUser(e *model.Credentials) string
ResolveCredentialsUser resolves the user id of the process to a username
func (*Resolvers) ResolveFileFieldsGroup ¶
func (r *Resolvers) ResolveFileFieldsGroup(e *model.FileFields) string
ResolveFileFieldsGroup resolves the group id of the file to a group name
func (*Resolvers) ResolveFileFieldsUser ¶
func (r *Resolvers) ResolveFileFieldsUser(e *model.FileFields) string
ResolveFileFieldsUser resolves the user id of the file to a username
type RuleIgnored ¶
type RuleIgnored struct { ID string `json:"id"` Version string `json:"version,omitempty"` Expression string `json:"expression"` Reason string `json:"reason"` }
RuleIgnored defines an ignored rule easyjson:json
func (RuleIgnored) MarshalEasyJSON ¶
func (v RuleIgnored) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*RuleIgnored) UnmarshalEasyJSON ¶
func (v *RuleIgnored) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type RuleLoaded ¶
type RuleLoaded struct { ID string `json:"id"` Version string `json:"version,omitempty"` Expression string `json:"expression"` }
RuleLoaded defines a loaded rule easyjson:json
func (RuleLoaded) MarshalEasyJSON ¶
func (v RuleLoaded) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*RuleLoaded) UnmarshalEasyJSON ¶
func (v *RuleLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type RuleSetApplier ¶
type RuleSetApplier struct {
// contains filtered or unexported fields
}
RuleSetApplier defines a rule set applier. It applies rules using an Applier
func NewRuleSetApplier ¶
func NewRuleSetApplier(cfg *config.Config, probe *Probe) *RuleSetApplier
NewRuleSetApplier returns a new RuleSetApplier
type RuleSetLoadedReport ¶
type RuleSetLoadedReport struct { Rule *rules.Rule Event *CustomEvent }
RuleSetLoadedReport represents the rule and the custom event related to a RuleSetLoaded event, ready to be dispatched
type RulesetLoadedEvent ¶
type RulesetLoadedEvent struct { Timestamp time.Time `json:"date"` PoliciesLoaded []*PolicyLoaded `json:"policies"` PoliciesIgnored *PoliciesIgnored `json:"policies_ignored,omitempty"` MacrosLoaded []rules.MacroID `json:"macros_loaded"` }
RulesetLoadedEvent is used to report that a new ruleset was loaded easyjson:json
func (RulesetLoadedEvent) MarshalEasyJSON ¶
func (v RulesetLoadedEvent) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*RulesetLoadedEvent) UnmarshalEasyJSON ¶
func (v *RulesetLoadedEvent) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type SELinuxEventSerializer ¶
type SELinuxEventSerializer struct { BoolChange *selinuxBoolChangeSerializer `json:"bool,omitempty" jsonschema_description:"SELinux boolean operation"` EnforceStatus *selinuxEnforceStatusSerializer `json:"enforce,omitempty" jsonschema_description:"SELinux enforcement change"` BoolCommit *selinuxBoolCommitSerializer `json:"bool_commit,omitempty" jsonschema_description:"SELinux boolean commit"` }
SELinuxEventSerializer serializes a SELinux context to JSON easyjson:json
func (SELinuxEventSerializer) MarshalEasyJSON ¶
func (v SELinuxEventSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*SELinuxEventSerializer) UnmarshalEasyJSON ¶
func (v *SELinuxEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type SetgidSerializer ¶
type SetgidSerializer struct { GID int `json:"gid" jsonschema_description:"Group ID"` Group string `json:"group,omitempty" jsonschema_description:"Group name"` EGID int `json:"egid" jsonschema_description:"Effective Group ID"` EGroup string `json:"egroup,omitempty" jsonschema_description:"Effective Group name"` FSGID int `json:"fsgid" jsonschema_description:"Filesystem Group ID"` FSGroup string `json:"fsgroup,omitempty" jsonschema_description:"Filesystem Group name"` }
SetgidSerializer serializes a setgid event easyjson:json
func (SetgidSerializer) MarshalEasyJSON ¶
func (v SetgidSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*SetgidSerializer) UnmarshalEasyJSON ¶
func (v *SetgidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type SetuidSerializer ¶
type SetuidSerializer struct { UID int `json:"uid" jsonschema_description:"User ID"` User string `json:"user,omitempty" jsonschema_description:"User name"` EUID int `json:"euid" jsonschema_description:"Effective User ID"` EUser string `json:"euser,omitempty" jsonschema_description:"Effective User name"` FSUID int `json:"fsuid" jsonschema_description:"Filesystem User ID"` FSUser string `json:"fsuser,omitempty" jsonschema_description:"Filesystem User name"` }
SetuidSerializer serializes a setuid event easyjson:json
func (SetuidSerializer) MarshalEasyJSON ¶
func (v SetuidSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*SetuidSerializer) UnmarshalEasyJSON ¶
func (v *SetuidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type Syscall ¶
type Syscall int
Syscall represents a syscall identifier
const ( SysRead Syscall = 0 SysWrite Syscall = 1 SysOpen Syscall = 2 SysClose Syscall = 3 SysStat Syscall = 4 SysFstat Syscall = 5 SysLstat Syscall = 6 SysPoll Syscall = 7 SysLseek Syscall = 8 SysMmap Syscall = 9 SysMprotect Syscall = 10 SysMunmap Syscall = 11 SysBrk Syscall = 12 SysRtSigaction Syscall = 13 SysRtSigprocmask Syscall = 14 SysRtSigreturn Syscall = 15 SysIoctl Syscall = 16 SysPread64 Syscall = 17 SysPwrite64 Syscall = 18 SysReadv Syscall = 19 SysWritev Syscall = 20 SysAccess Syscall = 21 SysPipe Syscall = 22 SysSelect Syscall = 23 SysSchedYield Syscall = 24 SysMremap Syscall = 25 SysMsync Syscall = 26 SysMincore Syscall = 27 SysMadvise Syscall = 28 SysShmget Syscall = 29 SysShmat Syscall = 30 SysShmctl Syscall = 31 SysDup Syscall = 32 SysDup2 Syscall = 33 SysPause Syscall = 34 SysNanosleep Syscall = 35 SysGetitimer Syscall = 36 SysAlarm Syscall = 37 SysSetitimer Syscall = 38 SysGetpid Syscall = 39 SysSendfile Syscall = 40 SysSocket Syscall = 41 SysConnect Syscall = 42 SysAccept Syscall = 43 SysSendto Syscall = 44 SysRecvfrom Syscall = 45 SysSendmsg Syscall = 46 SysRecvmsg Syscall = 47 SysShutdown Syscall = 48 SysBind Syscall = 49 SysListen Syscall = 50 SysGetsockname Syscall = 51 SysGetpeername Syscall = 52 SysSocketpair Syscall = 53 SysSetsockopt Syscall = 54 SysGetsockopt Syscall = 55 SysClone Syscall = 56 SysFork Syscall = 57 SysVfork Syscall = 58 SysExecve Syscall = 59 SysExit Syscall = 60 SysWait4 Syscall = 61 SysKill Syscall = 62 SysUname Syscall = 63 SysSemget Syscall = 64 SysSemop Syscall = 65 SysSemctl Syscall = 66 SysShmdt Syscall = 67 SysMsgget Syscall = 68 SysMsgsnd Syscall = 69 SysMsgrcv Syscall = 70 SysMsgctl Syscall = 71 SysFcntl Syscall = 72 SysFlock Syscall = 73 SysFsync Syscall = 74 SysFdatasync Syscall = 75 SysTruncate Syscall = 76 SysFtruncate Syscall = 77 SysGetdents Syscall = 78 SysGetcwd Syscall = 79 SysChdir Syscall = 80 SysFchdir Syscall = 81 SysRename Syscall = 82 SysMkdir Syscall = 83 SysRmdir Syscall = 84 SysCreat Syscall = 
85 SysLink Syscall = 86 SysUnlink Syscall = 87 SysSymlink Syscall = 88 SysReadlink Syscall = 89 SysChmod Syscall = 90 SysFchmod Syscall = 91 SysChown Syscall = 92 SysFchown Syscall = 93 SysLchown Syscall = 94 SysUmask Syscall = 95 SysGettimeofday Syscall = 96 SysGetrlimit Syscall = 97 SysGetrusage Syscall = 98 SysSysinfo Syscall = 99 SysTimes Syscall = 100 SysPtrace Syscall = 101 SysGetuid Syscall = 102 SysSyslog Syscall = 103 SysGetgid Syscall = 104 SysSetuid Syscall = 105 SysSetgid Syscall = 106 SysGeteuid Syscall = 107 SysGetegid Syscall = 108 SysSetpgid Syscall = 109 SysGetppid Syscall = 110 SysGetpgrp Syscall = 111 SysSetsid Syscall = 112 SysSetreuid Syscall = 113 SysSetregid Syscall = 114 SysGetgroups Syscall = 115 SysSetgroups Syscall = 116 SysSetresuid Syscall = 117 SysGetresuid Syscall = 118 SysSetresgid Syscall = 119 SysGetresgid Syscall = 120 SysGetpgid Syscall = 121 SysSetfsuid Syscall = 122 SysSetfsgid Syscall = 123 SysGetsid Syscall = 124 SysCapget Syscall = 125 SysCapset Syscall = 126 SysRtSigpending Syscall = 127 SysRtSigtimedwait Syscall = 128 SysRtSigqueueinfo Syscall = 129 SysRtSigsuspend Syscall = 130 SysSigaltstack Syscall = 131 SysUtime Syscall = 132 SysMknod Syscall = 133 SysUselib Syscall = 134 SysPersonality Syscall = 135 SysUstat Syscall = 136 SysStatfs Syscall = 137 SysFstatfs Syscall = 138 SysSysfs Syscall = 139 SysGetpriority Syscall = 140 SysSetpriority Syscall = 141 SysSchedSetparam Syscall = 142 SysSchedGetparam Syscall = 143 SysSchedSetscheduler Syscall = 144 SysSchedGetscheduler Syscall = 145 SysSchedGetPriorityMax Syscall = 146 SysSchedGetPriorityMin Syscall = 147 SysSchedRrGetInterval Syscall = 148 SysMlock Syscall = 149 SysMunlock Syscall = 150 SysMlockall Syscall = 151 SysMunlockall Syscall = 152 SysVhangup Syscall = 153 SysModifyLdt Syscall = 154 SysPivotRoot Syscall = 155 SysSysctl Syscall = 156 SysPrctl Syscall = 157 SysArchPrctl Syscall = 158 SysAdjtimex Syscall = 159 SysSetrlimit Syscall = 160 SysChroot Syscall = 161 
SysSync Syscall = 162 SysAcct Syscall = 163 SysSettimeofday Syscall = 164 SysMount Syscall = 165 SysUmount2 Syscall = 166 SysSwapon Syscall = 167 SysSwapoff Syscall = 168 SysReboot Syscall = 169 SysSethostname Syscall = 170 SysSetdomainname Syscall = 171 SysIopl Syscall = 172 SysIoperm Syscall = 173 SysCreateModule Syscall = 174 SysInitModule Syscall = 175 SysDeleteModule Syscall = 176 SysGetKernelSyms Syscall = 177 SysQueryModule Syscall = 178 SysQuotactl Syscall = 179 SysNfsservctl Syscall = 180 SysGetpmsg Syscall = 181 SysPutpmsg Syscall = 182 SysAfsSyscall Syscall = 183 SysTuxcall Syscall = 184 SysSecurity Syscall = 185 SysGettid Syscall = 186 SysReadahead Syscall = 187 SysSetxattr Syscall = 188 SysLsetxattr Syscall = 189 SysFsetxattr Syscall = 190 SysGetxattr Syscall = 191 SysLgetxattr Syscall = 192 SysFgetxattr Syscall = 193 SysListxattr Syscall = 194 SysLlistxattr Syscall = 195 SysFlistxattr Syscall = 196 SysRemovexattr Syscall = 197 SysLremovexattr Syscall = 198 SysFremovexattr Syscall = 199 SysTkill Syscall = 200 SysTime Syscall = 201 SysFutex Syscall = 202 SysSchedSetaffinity Syscall = 203 SysSchedGetaffinity Syscall = 204 SysSetThreadArea Syscall = 205 SysIoSetup Syscall = 206 SysIoDestroy Syscall = 207 SysIoGetevents Syscall = 208 SysIoSubmit Syscall = 209 SysIoCancel Syscall = 210 SysGetThreadArea Syscall = 211 SysEpollCreate Syscall = 213 SysEpollCtlOld Syscall = 214 SysEpollWaitOld Syscall = 215 SysRemapFilePages Syscall = 216 SysGetdents64 Syscall = 217 SysSetTidAddress Syscall = 218 SysRestartSyscall Syscall = 219 SysSemtimedop Syscall = 220 SysFadvise64 Syscall = 221 SysTimerCreate Syscall = 222 SysTimerSettime Syscall = 223 SysTimerGettime Syscall = 224 SysTimerGetoverrun Syscall = 225 SysTimerDelete Syscall = 226 SysClockSettime Syscall = 227 SysClockGettime Syscall = 228 SysClockGetres Syscall = 229 SysClockNanosleep Syscall = 230 SysExitGroup Syscall = 231 SysEpollWait Syscall = 232 SysEpollCtl Syscall = 233 SysTgkill Syscall = 234 SysUtimes 
Syscall = 235 SysVserver Syscall = 236 SysMbind Syscall = 237 SysSetMempolicy Syscall = 238 SysGetMempolicy Syscall = 239 SysMqOpen Syscall = 240 SysMqUnlink Syscall = 241 SysMqTimedsend Syscall = 242 SysMqTimedreceive Syscall = 243 SysMqNotify Syscall = 244 SysMqGetsetattr Syscall = 245 SysKexecLoad Syscall = 246 SysWaitid Syscall = 247 SysAddKey Syscall = 248 SysRequestKey Syscall = 249 SysKeyctl Syscall = 250 SysIoprioSet Syscall = 251 SysIoprioGet Syscall = 252 SysInotifyInit Syscall = 253 SysInotifyAddWatch Syscall = 254 SysInotifyRmWatch Syscall = 255 SysMigratePages Syscall = 256 SysOpenat Syscall = 257 SysMkdirat Syscall = 258 SysMknodat Syscall = 259 SysFchownat Syscall = 260 SysFutimesat Syscall = 261 SysNewfstatat Syscall = 262 SysUnlinkat Syscall = 263 SysRenameat Syscall = 264 SysLinkat Syscall = 265 SysSymlinkat Syscall = 266 SysReadlinkat Syscall = 267 SysFchmodat Syscall = 268 SysFaccessat Syscall = 269 SysPselect6 Syscall = 270 SysPpoll Syscall = 271 SysSetRobustList Syscall = 273 SysGetRobustList Syscall = 274 SysSplice Syscall = 275 SysTee Syscall = 276 SysSyncFileRange Syscall = 277 SysVmsplice Syscall = 278 SysMovePages Syscall = 279 SysUtimensat Syscall = 280 SysEpollPwait Syscall = 281 SysSignalfd Syscall = 282 SysTimerfdCreate Syscall = 283 SysEventfd Syscall = 284 SysFallocate Syscall = 285 SysTimerfdSettime Syscall = 286 SysTimerfdGettime Syscall = 287 SysAccept4 Syscall = 288 SysSignalfd4 Syscall = 289 SysEventfd2 Syscall = 290 SysEpollCreate1 Syscall = 291 SysDup3 Syscall = 292 SysPipe2 Syscall = 293 SysInotifyInit1 Syscall = 294 SysPreadv Syscall = 295 SysPwritev Syscall = 296 SysRtTgsigqueueinfo Syscall = 297 SysPerfEventOpen Syscall = 298 SysRecvmmsg Syscall = 299 SysFanotifyInit Syscall = 300 SysFanotifyMark Syscall = 301 SysPrlimit64 Syscall = 302 SysNameToHandleAt Syscall = 303 SysOpenByHandleAt Syscall = 304 SysClockAdjtime Syscall = 305 SysSyncfs Syscall = 306 SysSendmmsg Syscall = 307 SysSetns Syscall = 308 SysGetcpu Syscall = 
309 SysProcessVmReadv Syscall = 310 SysProcessVmWritev Syscall = 311 SysKcmp Syscall = 312 SysFinitModule Syscall = 313 SysSchedSetattr Syscall = 314 SysSchedGetattr Syscall = 315 SysRenameat2 Syscall = 316 SysSeccomp Syscall = 317 SysGetrandom Syscall = 318 SysMemfdCreate Syscall = 319 SysKexecFileLoad Syscall = 320 SysBpf Syscall = 321 SysExecveat Syscall = 322 SysUserfaultfd Syscall = 323 SysMembarrier Syscall = 324 SysMlock2 Syscall = 325 SysCopyFileRange Syscall = 326 SysPreadv2 Syscall = 327 SysPwritev2 Syscall = 328 SysPkeyMprotect Syscall = 329 SysPkeyAlloc Syscall = 330 SysPkeyFree Syscall = 331 SysStatx Syscall = 332 SysIoPgetevents Syscall = 333 SysRseq Syscall = 334 SysPidfdSendSignal Syscall = 424 SysIoUringSetup Syscall = 425 SysIoUringEnter Syscall = 426 SysIoUringRegister Syscall = 427 SysOpenTree Syscall = 428 SysMoveMount Syscall = 429 SysFsopen Syscall = 430 SysFsconfig Syscall = 431 SysFsmount Syscall = 432 SysFspick Syscall = 433 SysPidfdOpen Syscall = 434 SysClone3 Syscall = 435 SysCloseRange Syscall = 436 SysOpenat2 Syscall = 437 SysPidfdGetfd Syscall = 438 SysFaccessat2 Syscall = 439 SysProcessMadvise Syscall = 440 SysEpollPwait2 Syscall = 441 SysMountSetattr Syscall = 442 SysQuotactlFd Syscall = 443 SysLandlockCreateRuleset Syscall = 444 SysLandlockAddRule Syscall = 445 SysLandlockRestrictSelf Syscall = 446 SysMemfdSecret Syscall = 447 )
Linux syscall identifiers (x86-64 numbering, as defined in syscalls_linux_amd64.go; syscall numbers are architecture-specific)
func (Syscall) MarshalText ¶
MarshalText maps the syscall identifier to UTF-8-encoded text and returns the result
type SyscallMonitor ¶
type SyscallMonitor struct {
// contains filtered or unexported fields
}
SyscallMonitor monitors syscalls using eBPF maps filled using kernel tracepoints
func NewSyscallMonitor ¶
func NewSyscallMonitor(manager *manager.Manager) (*SyscallMonitor, error)
NewSyscallMonitor instantiates a new syscall monitor
func (*SyscallMonitor) CollectStats ¶
func (sm *SyscallMonitor) CollectStats(collector SyscallStatsCollector) error
CollectStats fetches the syscall statistics from the eBPF maps
func (*SyscallMonitor) GetStats ¶
func (sm *SyscallMonitor) GetStats() (*SyscallStats, error)
GetStats returns the syscall statistics
type SyscallStats ¶
SyscallStats collects syscall statistics and stores them in memory
func (*SyscallStats) CountConcurrentSyscalls ¶
func (s *SyscallStats) CountConcurrentSyscalls(count int64) error
CountConcurrentSyscalls counts the number of syscalls that are currently being executed
func (*SyscallStats) CountExec ¶
func (s *SyscallStats) CountExec(process string, count uint64) error
CountExec counts the number of times a process was executed
func (*SyscallStats) CountSyscall ¶
func (s *SyscallStats) CountSyscall(process string, syscallID Syscall, count uint64) error
CountSyscall counts the number of calls of a syscall by a process
type SyscallStatsCollector ¶
type SyscallStatsCollector interface { CountSyscall(process string, syscallID Syscall, count uint64) error CountExec(process string, count uint64) error CountConcurrentSyscalls(count int64) error }
SyscallStatsCollector is the interface implemented by an object that collects syscall statistics
type SyscallStatsdCollector ¶
type SyscallStatsdCollector struct {
// contains filtered or unexported fields
}
SyscallStatsdCollector collects syscall statistics and sends them to statsd
func (*SyscallStatsdCollector) CountConcurrentSyscalls ¶
func (s *SyscallStatsdCollector) CountConcurrentSyscalls(count int64) error
CountConcurrentSyscalls counts the number of syscalls that are currently being executed
func (*SyscallStatsdCollector) CountExec ¶
func (s *SyscallStatsdCollector) CountExec(process string, count uint64) error
CountExec counts the number of times a process was executed
func (*SyscallStatsdCollector) CountSyscall ¶
func (s *SyscallStatsdCollector) CountSyscall(process string, syscallID Syscall, count uint64) error
CountSyscall counts the number of calls of a syscall by a process
type Tagger ¶
type Tagger interface { Init() error Stop() error Tag(entity string, cardinality collectors.TagCardinality) ([]string, error) }
Tagger defines a Tagger for the Tags Resolver
type TagsResolver ¶
type TagsResolver struct {
// contains filtered or unexported fields
}
TagsResolver represents a cache resolver
func NewTagsResolver ¶
func NewTagsResolver(config *config.Config) *TagsResolver
NewTagsResolver returns a new tags resolver
func (*TagsResolver) GetValue ¶
func (t *TagsResolver) GetValue(id string, tag string) string
GetValue returns the tag value for the given id and tag name
func (*TagsResolver) Resolve ¶
func (t *TagsResolver) Resolve(id string) []string
Resolve returns the tags for the given id
type TimeResolver ¶
type TimeResolver struct {
// contains filtered or unexported fields
}
TimeResolver converts kernel monotonic timestamps to absolute times
func NewTimeResolver ¶
func NewTimeResolver() (*TimeResolver, error)
NewTimeResolver returns a new time resolver
func (*TimeResolver) ApplyBootTime ¶
func (tr *TimeResolver) ApplyBootTime(timestamp time.Time) time.Time
ApplyBootTime returns the time re-aligned from the boot time
func (*TimeResolver) ComputeMonotonicTimestamp ¶
func (tr *TimeResolver) ComputeMonotonicTimestamp(timestamp time.Time) int64
ComputeMonotonicTimestamp converts an absolute time to a kernel monotonic timestamp
func (*TimeResolver) ResolveMonotonicTimestamp ¶
func (tr *TimeResolver) ResolveMonotonicTimestamp(timestamp uint64) time.Time
ResolveMonotonicTimestamp converts a kernel monotonic timestamp to an absolute time
type UserContextSerializer ¶
type UserContextSerializer struct { User string `json:"id,omitempty" jsonschema_description:"User name"` Group string `json:"group,omitempty" jsonschema_description:"Group name"` }
UserContextSerializer serializes a user context to JSON easyjson:json
func (UserContextSerializer) MarshalEasyJSON ¶
func (v UserContextSerializer) MarshalEasyJSON(w *jwriter.Writer)
MarshalEasyJSON supports easyjson.Marshaler interface
func (*UserContextSerializer) UnmarshalEasyJSON ¶
func (v *UserContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)
UnmarshalEasyJSON supports easyjson.Unmarshaler interface
type UserGroupResolver ¶
type UserGroupResolver struct {
// contains filtered or unexported fields
}
UserGroupResolver resolves user and group ids to names
func NewUserGroupResolver ¶
func NewUserGroupResolver() (*UserGroupResolver, error)
NewUserGroupResolver instantiates a new user and group resolver
func (*UserGroupResolver) ResolveGroup ¶
func (r *UserGroupResolver) ResolveGroup(gid int) (string, error)
ResolveGroup resolves a group id to a group name
func (*UserGroupResolver) ResolveUser ¶
func (r *UserGroupResolver) ResolveUser(uid int) (string, error)
ResolveUser resolves a user id to a username
Source Files ¶
- accessors.go
- applier.go
- approvers.go
- bpf.go
- capabilities.go
- compile_unsupported.go
- container_resolver.go
- custom_events.go
- custom_events_easyjson.go
- dentry_resolver.go
- discarders.go
- erpc.go
- kfilters.go
- kfilters_bpf.go
- load_controller.go
- model.go
- mount_resolver.go
- open.go
- perf_buffer_monitor.go
- policy.go
- probe.go
- probe_monitor.go
- process_resolver.go
- reorderer.go
- reorderer_monitor.go
- report.go
- resolvers.go
- selinux_resolver.go
- serializers.go
- serializers_easyjson.go
- syscall_stats.go
- syscalls.go
- syscalls_linux_amd64.go
- syscalls_string_linux_amd64.go
- tags_resolver.go
- time_resolver.go
- user_resolver.go
- variables.go