Documentation ¶
Index ¶
- Constants
- Variables
- func ClearModulesState() error
- func FillModulesFromProcFs() error
- func GetWakeupChannelRead() <-chan ScanRequest
- func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deletedModMap *bpf.BPFMap) error
- func InitHookedSyscall() error
- type DeriveFunction
- func ContainerCreate(cts *containers.Containers) DeriveFunction
- func ContainerRemove(cts *containers.Containers) DeriveFunction
- func DetectHookedSyscall(kernelSymbols *environment.KernelSymbolTable) DeriveFunction
- func HiddenKernelModule() DeriveFunction
- func HookedSeqOps(kernelSymbols *environment.KernelSymbolTable) DeriveFunction
- func NetFlowTCPBegin(cache *dnscache.DNSCache) DeriveFunction
- func NetFlowTCPEnd(cache *dnscache.DNSCache) DeriveFunction
- func NetPacketDNS() DeriveFunction
- func NetPacketDNSRequest() DeriveFunction
- func NetPacketDNSResponse() DeriveFunction
- func NetPacketHTTP() DeriveFunction
- func NetPacketHTTPRequest() DeriveFunction
- func NetPacketHTTPResponse() DeriveFunction
- func NetPacketICMP() DeriveFunction
- func NetPacketICMPv6() DeriveFunction
- func NetPacketIPv4() DeriveFunction
- func NetPacketIPv6() DeriveFunction
- func NetPacketTCP() DeriveFunction
- func NetPacketUDP() DeriveFunction
- func NetTCPConnect(cache *dnscache.DNSCache) DeriveFunction
- func SymbolsCollision(soLoader sharedobjs.DynamicSymbolsLoader, pManager *policy.PolicyManager) DeriveFunction
- func SymbolsLoaded(soLoader sharedobjs.DynamicSymbolsLoader, pManager *policy.PolicyManager) DeriveFunction
- type ExecFailedGenerator
- func InitProcessExecuteFailedGenerator() (*ExecFailedGenerator, error)
- func (gen *ExecFailedGenerator) ProcessExecuteFailed() DeriveFunction
- type ScanRequest
- type SymbolsCollisionArgsGenerator
- type Table
- func (Table) DeriveEvent
Constants ¶
const (
	ProcModules  uint32 = 1 << 0  // A hidden module detected by the /proc/modules logic
	NewMod              = 1 << 3  // A new-modules-only scan; without the HiddenModule flag set this is not yet a detection. See newModsCheckForHidden
	FullScan            = 1 << 30 // Do a full scan; received after a new module was loaded (and finished running its init function)
	HiddenModule        = 1 << 31 // Submit the module as an event to user space
)
const (
	IPPROTO_TCP uint8 = 6
	IPPROTO_UDP uint8 = 17
)
Variables ¶
var NetSeqOps = [6]string{
"tcp4_seq_ops",
"tcp6_seq_ops",
"udp_seq_ops",
"udp6_seq_ops",
"raw_seq_ops",
"raw6_seq_ops",
}
NetSeqOps lists the struct names of the seq_operations interfaces that HookedSeqOpsEventID checks for hooks. The show, start, next and stop operation function pointers (NetSeqOpsFuncs) are checked for each of them.
var NetSeqOpsFuncs = [4]string{
"show",
"start",
"next",
"stop",
}
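The check behind NetSeqOps and NetSeqOpsFuncs, as an added example (not tracee's own code): read the show/start/next/stop pointers of each seq_operations struct, resolve every pointer through a kernel symbol table built from /proc/kallsyms, and flag any pointer that matches no symbol or lands in an untrusted module. The kallsyms lines, struct addresses and the "rootkit" module name below are constructed; the "kernel" owner label and the trusted-owner allowlist are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// The two tables the package exports, repeated here so the example is self-contained.
var NetSeqOps = [6]string{"tcp4_seq_ops", "tcp6_seq_ops", "udp_seq_ops", "udp6_seq_ops", "raw_seq_ops", "raw6_seq_ops"}
var NetSeqOpsFuncs = [4]string{"show", "start", "next", "stop"}

// symbol is one /proc/kallsyms entry. owner is "kernel" for core-kernel text and the
// module name for "[module]"-suffixed lines (the naming is this example's assumption).
type symbol struct {
	name  string
	owner string
}

// parseKallsyms indexes "addr type name [module]" lines by address.
// Zero addresses (what kptr_restrict shows to unprivileged readers) are skipped.
func parseKallsyms(text string) map[uint64]symbol {
	syms := make(map[uint64]symbol)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		addr, err := strconv.ParseUint(f[0], 16, 64)
		if err != nil || addr == 0 {
			continue
		}
		s := symbol{name: f[2], owner: "kernel"}
		if len(f) > 3 {
			s.owner = strings.Trim(f[3], "[]")
		}
		syms[addr] = s
	}
	return syms
}

// Finding is one seq_operations function pointer that does not point at trusted text.
type Finding struct {
	Struct, Field string
	Addr          uint64
	Symbol        string // "" when the address matches no symbol at all
	Owner         string // module owning the symbol; "" when unresolved
}

// checkSeqOps resolves the show/start/next/stop pointers of every captured struct.
// A pointer with no symbol, or whose symbol lives in an untrusted owner, is reported as a hook.
func checkSeqOps(syms map[uint64]symbol, ops map[string][4]uint64, trusted map[string]bool) []Finding {
	var out []Finding
	for _, st := range NetSeqOps {
		ptrs, ok := ops[st]
		if !ok {
			continue // struct was not captured in this scan
		}
		for i, field := range NetSeqOpsFuncs {
			s, found := syms[ptrs[i]]
			switch {
			case !found:
				out = append(out, Finding{Struct: st, Field: field, Addr: ptrs[i]})
			case !trusted[s.owner]:
				out = append(out, Finding{Struct: st, Field: field, Addr: ptrs[i], Symbol: s.name, Owner: s.owner})
			}
		}
	}
	return out
}

// Constructed sample data (fake addresses; not taken from any real system).
const sampleKallsyms = `ffffffff81a00000 T tcp4_seq_show
ffffffff81a00100 T tcp_seq_start
ffffffff81a00200 T tcp_seq_next
ffffffff81a00300 T tcp_seq_stop
ffffffff81a00400 T udp4_seq_show
ffffffff81a00500 T udp_seq_start
ffffffff81a00600 T udp_seq_next
ffffffff81a00700 T udp_seq_stop
ffffffffc0a00000 t fake_tcp4_seq_show [rootkit]
`

// Function pointers as read out of the kernel structs, in NetSeqOpsFuncs order (constructed).
var sampleSeqOps = map[string][4]uint64{
	"tcp4_seq_ops": {0xffffffffc0a00000, 0xffffffff81a00100, 0xffffffff81a00200, 0xffffffff81a00300}, // show -> module text
	"udp_seq_ops":  {0xffffffffc0b00000, 0xffffffff81a00500, 0xffffffff81a00600, 0xffffffff81a00700}, // show -> unlisted memory
}

func main() {
	syms := parseKallsyms(sampleKallsyms)
	for _, f := range checkSeqOps(syms, sampleSeqOps, map[string]bool{"kernel": true}) {
		if f.Symbol == "" {
			fmt.Printf("%s.%s -> %#x: no symbol (possible hidden module)\n", f.Struct, f.Field, f.Addr)
		} else {
			fmt.Printf("%s.%s -> %#x: %s in module %s\n", f.Struct, f.Field, f.Addr, f.Symbol, f.Owner)
		}
	}
}
```

Two caveats for a real deployment: /proc/kallsyms shows zero addresses unless the reader has CAP_SYSLOG or kptr_restrict is 0, so the table must be built from a privileged process; and on kernels where IPv6 is built as a module, the tcp6/udp6/raw6 pointers legitimately resolve into the ipv6 module, so that owner belongs in the trusted set rather than being reported.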
Functions ¶
func ClearModulesState ¶ added in v0.13.0
func ClearModulesState() error
ClearModulesState clears the modules map; call it only while no scan is running.
func FillModulesFromProcFs ¶ added in v0.13.0
func FillModulesFromProcFs() error
FillModulesFromProcFs fills a map with modules from /proc/modules, to be checked in kernel-space for inconsistencies.
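The idea behind FillModulesFromProcFs and the scan flags, as an added example (not tracee's own code): parse the /proc/modules listing into a set, compare it with the module names the kernel-side walk actually sees, and tag each module missing from /proc/modules with ProcModules, promoting it to HiddenModule only on a full scan. The /proc/modules lines, the kernel-side list and the "rootkit_mod" name are constructed; the Flags field on ScanRequest and the rule that a NewMod-only request yields a candidate rather than a detection are this example's assumptions (the page only says such a scan "is not yet a detection").

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Flag bits as the package defines them.
const (
	ProcModules  uint32 = 1 << 0
	NewMod              = 1 << 3
	FullScan            = 1 << 30
	HiddenModule        = 1 << 31
)

// ScanRequest stands in for the package's wake-up message; the Flags field is this example's assumption.
type ScanRequest struct {
	Flags uint32
}

// parseProcModules returns the set of names in /proc/modules text
// (one "name size refcount deps state address" line per module).
func parseProcModules(text string) map[string]bool {
	mods := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) > 0 {
			mods[f[0]] = true
		}
	}
	return mods
}

// findHidden returns, sorted, every module the kernel-side walk sees that /proc/modules omits.
func findHidden(kernelView []string, proc map[string]bool) []string {
	var hidden []string
	for _, m := range kernelView {
		if !proc[m] {
			hidden = append(hidden, m)
		}
	}
	sort.Strings(hidden)
	return hidden
}

// scan maps each hidden module to its flags. ProcModules records how it was found; a
// FullScan request promotes the finding to HiddenModule (reportable), while a NewMod-only
// request leaves it as a candidate (assumption: the page does not show newModsCheckForHidden).
func scan(req ScanRequest, kernelView []string, procText string) map[string]uint32 {
	res := make(map[string]uint32)
	for _, m := range findHidden(kernelView, parseProcModules(procText)) {
		flags := ProcModules
		if req.Flags&FullScan != 0 {
			flags |= HiddenModule
		} else {
			flags |= NewMod
		}
		res[m] = flags
	}
	return res
}

// shouldReport is true only when the HiddenModule bit asks for the module to be submitted as an event.
func shouldReport(flags uint32) bool {
	return flags&HiddenModule != 0
}

// Constructed sample: three listed modules plus one the kernel-side walk sees but /proc/modules hides.
const sampleProcModules = `nf_conntrack 176128 1 nf_nat, Live 0xffffffffc0a00000
overlay 151552 2 - Live 0xffffffffc09c0000
xfs 1646592 1 - Live 0xffffffffc0800000
`

var sampleKernelView = []string{"xfs", "overlay", "rootkit_mod", "nf_conntrack"}

func main() {
	for _, req := range []ScanRequest{{Flags: NewMod}, {Flags: FullScan}} {
		for name, flags := range scan(req, sampleKernelView, sampleProcModules) {
			fmt.Printf("request %#x: %s flags=%#x report=%v\n", req.Flags, name, flags, shouldReport(flags))
		}
	}
}
```

The set difference is only as good as the kernel-side view: /proc/modules is what lsmod reads, so a module that is missing from it but still reachable by the kernel-side walk is exactly the inconsistency this check targets, and the map must be refreshed (FillModulesFromProcFs) before each scan so a module legitimately loaded in between is not misreported.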
func GetWakeupChannelRead ¶ added in v0.15.0
func GetWakeupChannelRead() <-chan ScanRequest
GetWakeupChannelRead returns the read end of the wake-up channel on which ScanRequests are delivered.
func InitHiddenKernelModules ¶ added in v0.15.0
func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deletedModMap *bpf.BPFMap) error
InitHiddenKernelModules initializes the hidden-kernel-module detection components with the given BPF maps.
func InitHookedSyscall ¶ added in v0.19.0
func InitHookedSyscall() error
InitHookedSyscall initializes the LRU cache used by the hooked-syscall detection.
Types ¶
type DeriveFunction ¶ added in v0.11.0
DeriveFunction is a function prototype for a function that receives an event as argument and may produce a new event if relevant. It returns a derived or empty event, depending on successful derivation, and an error if one occurred.
func ContainerCreate ¶
func ContainerCreate(cts *containers.Containers) DeriveFunction
ContainerCreate receives a containers.Containers object as a closure argument to track its containers. If it receives a cgroup_mkdir event, it can derive a container_create event from it.
func ContainerRemove ¶
func ContainerRemove(cts *containers.Containers) DeriveFunction
ContainerRemove receives a containers.Containers object as a closure argument to track its containers. If it receives a cgroup_rmdir event, it can derive a container_remove event from it.
func DetectHookedSyscall ¶
func DetectHookedSyscall(kernelSymbols *environment.KernelSymbolTable) DeriveFunction
func HiddenKernelModule ¶ added in v0.13.0
func HiddenKernelModule() DeriveFunction
func HookedSeqOps ¶
func HookedSeqOps(kernelSymbols *environment.KernelSymbolTable) DeriveFunction
func NetFlowTCPBegin ¶ added in v0.20.0
func NetFlowTCPBegin(cache *dnscache.DNSCache) DeriveFunction
func NetFlowTCPEnd ¶ added in v0.20.0
func NetFlowTCPEnd(cache *dnscache.DNSCache) DeriveFunction
func NetPacketDNS ¶ added in v0.10.0
func NetPacketDNS() DeriveFunction
func NetPacketDNSRequest ¶ added in v0.10.0
func NetPacketDNSRequest() DeriveFunction
func NetPacketDNSResponse ¶ added in v0.10.0
func NetPacketDNSResponse() DeriveFunction
func NetPacketHTTP ¶ added in v0.11.0
func NetPacketHTTP() DeriveFunction
func NetPacketHTTPRequest ¶ added in v0.11.0
func NetPacketHTTPRequest() DeriveFunction
func NetPacketHTTPResponse ¶ added in v0.11.0
func NetPacketHTTPResponse() DeriveFunction
func NetPacketICMP ¶ added in v0.10.0
func NetPacketICMP() DeriveFunction
func NetPacketICMPv6 ¶ added in v0.10.0
func NetPacketICMPv6() DeriveFunction
func NetPacketIPv4 ¶ added in v0.10.0
func NetPacketIPv4() DeriveFunction
func NetPacketIPv6 ¶ added in v0.10.0
func NetPacketIPv6() DeriveFunction
func NetPacketTCP ¶ added in v0.10.0
func NetPacketTCP() DeriveFunction
func NetPacketUDP ¶ added in v0.10.0
func NetPacketUDP() DeriveFunction
func NetTCPConnect ¶ added in v0.20.0
func NetTCPConnect(cache *dnscache.DNSCache) DeriveFunction
func SymbolsCollision ¶ added in v0.12.0
func SymbolsCollision(
	soLoader sharedobjs.DynamicSymbolsLoader,
	pManager *policy.PolicyManager,
) DeriveFunction
func SymbolsLoaded ¶ added in v0.8.1
func SymbolsLoaded(
	soLoader sharedobjs.DynamicSymbolsLoader,
	pManager *policy.PolicyManager,
) DeriveFunction
type ExecFailedGenerator ¶ added in v0.21.0
type ExecFailedGenerator struct {
// contains filtered or unexported fields
}
ExecFailedGenerator is the object that implements the ProcessExecuteFailed event derivation.
func InitProcessExecuteFailedGenerator ¶ added in v0.21.0
func InitProcessExecuteFailedGenerator() (*ExecFailedGenerator, error)
InitProcessExecuteFailedGenerator initializes a new generator for the ProcessExecuteFailed event.
func (*ExecFailedGenerator) ProcessExecuteFailed ¶ added in v0.21.0
func (gen *ExecFailedGenerator) ProcessExecuteFailed() DeriveFunction
ProcessExecuteFailed returns the DeriveFunction for the "process_execute_failed" event.
type ScanRequest ¶ added in v0.15.0
ScanRequest is the structure passed on the wake-up channel.
type SymbolsCollisionArgsGenerator ¶ added in v0.12.0
type SymbolsCollisionArgsGenerator struct {
// contains filtered or unexported fields
}
SymbolsCollisionArgsGenerator creates the shared object symbols collisions derived events. To do so, it uses multiple caches to accelerate performance and reduce chances for failure.
type Table ¶ added in v0.8.3
Table defines a mapping from events to the events they can be derived into, each paired with the corresponding DeriveFunction. The Enabled flag is used to skip derivation of unneeded events.
func (Table) DeriveEvent ¶ added in v0.11.0
DeriveEvent takes a trace.Event and checks if it can derive additional events from it as defined by a derivationTable.
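A worked version of the derivation table described above, together with the ContainerCreate/ContainerRemove closures documented earlier on this page, as an added example (not tracee's own code): a Table keyed by base event and derived event, a DeriveEvent that runs only Enabled entries and rejects a derive function emitting an event it is not registered for, and two closures that share a container tracker so that a cgroup_rmdir is only turned into container_remove for a cgroup seen at cgroup_mkdir time. The Event struct, the DeriveFunction signature, the argument names cgroup_id/cgroup_path, the "docker-<id>.scope" naming rule and the event stream are all this example's constructed assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strconv"
)

// Event is a minimal stand-in for trace.Event: an ID and string arguments (assumption).
type Event struct {
	ID   string
	Args map[string]string
}

// DeriveFunction takes an event and returns the derived events (none if not relevant) plus any
// errors. The concrete signature is this example's assumption; the page describes only the behaviour.
type DeriveFunction func(Event) ([]Event, []error)

// entry pairs a derive function with the Enabled flag the Table doc mentions.
type entry struct {
	Enabled bool
	Derive  DeriveFunction
}

// Table maps a base event ID to the event IDs it can be derived into.
type Table map[string]map[string]entry

// DeriveEvent runs every enabled derivation registered for ev.ID and collects the results.
func (t Table) DeriveEvent(ev Event) ([]Event, []error) {
	var out []Event
	var errs []error
	for wantID, e := range t[ev.ID] {
		if !e.Enabled {
			continue // skip derivation of unneeded events
		}
		derived, derrs := e.Derive(ev)
		errs = append(errs, derrs...)
		for _, d := range derived {
			if d.ID != wantID { // a derive function may only emit the event it is registered for
				errs = append(errs, fmt.Errorf("%s: derived %s, registered for %s", ev.ID, d.ID, wantID))
				continue
			}
			out = append(out, d)
		}
	}
	return out, errs
}

// Containers tracks cgroup id -> container id (stand-in for containers.Containers).
type Containers struct{ byCgroup map[uint64]string }

// Only systemd-style "docker-<id>.scope" cgroups count as containers here (assumption).
var dockerScope = regexp.MustCompile(`^docker-([0-9a-f]{12,64})\.scope$`)

// ContainerCreate derives container_create from cgroup_mkdir when the new cgroup belongs to a container.
func ContainerCreate(cts *Containers) DeriveFunction {
	return func(ev Event) ([]Event, []error) {
		cg, err := strconv.ParseUint(ev.Args["cgroup_id"], 10, 64)
		if err != nil {
			return nil, []error{fmt.Errorf("cgroup_mkdir: bad cgroup_id %q", ev.Args["cgroup_id"])}
		}
		m := dockerScope.FindStringSubmatch(path.Base(ev.Args["cgroup_path"]))
		if m == nil {
			return nil, nil // not a container cgroup: nothing to derive
		}
		cts.byCgroup[cg] = m[1]
		return []Event{{ID: "container_create", Args: map[string]string{"container_id": m[1], "cgroup_id": ev.Args["cgroup_id"]}}}, nil
	}
}

// ContainerRemove derives container_remove from cgroup_rmdir only for cgroups tracked at create time.
func ContainerRemove(cts *Containers) DeriveFunction {
	return func(ev Event) ([]Event, []error) {
		cg, err := strconv.ParseUint(ev.Args["cgroup_id"], 10, 64)
		if err != nil {
			return nil, []error{fmt.Errorf("cgroup_rmdir: bad cgroup_id %q", ev.Args["cgroup_id"])}
		}
		id, ok := cts.byCgroup[cg]
		if !ok {
			return nil, nil // never tracked, or already removed
		}
		delete(cts.byCgroup, cg)
		return []Event{{ID: "container_remove", Args: map[string]string{"container_id": id, "cgroup_id": ev.Args["cgroup_id"]}}}, nil
	}
}

// runSample feeds a constructed event stream through a table and returns everything derived.
// enableRemove exercises the Enabled flag: when false, cgroup_rmdir derives nothing.
func runSample(enableRemove bool) ([]Event, []error) {
	cts := &Containers{byCgroup: map[uint64]string{}}
	table := Table{
		"cgroup_mkdir": {"container_create": {Enabled: true, Derive: ContainerCreate(cts)}},
		"cgroup_rmdir": {"container_remove": {Enabled: enableRemove, Derive: ContainerRemove(cts)}},
	}
	stream := []Event{ // constructed, not captured from a host
		{ID: "cgroup_mkdir", Args: map[string]string{"cgroup_id": "4001", "cgroup_path": "/sys/fs/cgroup/system.slice"}},
		{ID: "cgroup_mkdir", Args: map[string]string{"cgroup_id": "4002", "cgroup_path": "/sys/fs/cgroup/system.slice/docker-0123456789ab.scope"}},
		{ID: "cgroup_rmdir", Args: map[string]string{"cgroup_id": "4002", "cgroup_path": "/sys/fs/cgroup/system.slice/docker-0123456789ab.scope"}},
		{ID: "cgroup_rmdir", Args: map[string]string{"cgroup_id": "4003", "cgroup_path": "/sys/fs/cgroup/user.slice"}},
		{ID: "cgroup_mkdir", Args: map[string]string{"cgroup_id": "not-a-number", "cgroup_path": "/sys/fs/cgroup/x"}},
	}
	var all []Event
	var errs []error
	for _, ev := range stream {
		d, e := table.DeriveEvent(ev)
		all = append(all, d...)
		errs = append(errs, e...)
	}
	return all, errs
}

func main() {
	evs, errs := runSample(true)
	for _, e := range evs {
		fmt.Println(e.ID, e.Args["container_id"])
	}
	for _, err := range errs {
		fmt.Println("error:", err)
	}
}
```

Two design points worth copying from this shape: the closure holds the tracker state, so create and remove stay consistent without a global; and malformed input comes back as an error from the derive function instead of silently producing nothing, so a consumer can distinguish "not a container" from "could not parse".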