Package derive (v0.22.5)
Published: Dec 10, 2024 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Constants

const (
	ProcModules uint32 = 1 << 0 // A hidden module detected by the /proc/modules logic

	NewMod = 1 << 3 // A new-modules-only scan; without the HiddenModule flag set, this is not yet a detection. See newModsCheckForHidden

	FullScan     = 1 << 30 // Do a full scan; received after a new module was loaded (and finished running its init function)
	HiddenModule = 1 << 31 // Submit the module as an event to user space
)
const (
	IPPROTO_TCP uint8 = 6
	IPPROTO_UDP uint8 = 17
)

Variables

var NetSeqOps = [6]string{
	"tcp4_seq_ops",
	"tcp6_seq_ops",
	"udp_seq_ops",
	"udp6_seq_ops",
	"raw_seq_ops",
	"raw6_seq_ops",
}

Struct names of the interfaces that HookedSeqOpsEventID checks for hooks. The show, start, next and stop operation function pointers are checked for each of them.

var NetSeqOpsFuncs = [4]string{
	"show",
	"start",
	"next",
	"stop",
}

Functions

func ClearModulesState added in v0.13.0

func ClearModulesState() error

ClearModulesState clears the map (while not scanning)

func FillModulesFromProcFs added in v0.13.0

func FillModulesFromProcFs() error

FillModulesFromProcFs fills a map with modules from /proc/modules, to be checked in kernel-space for inconsistencies.

func GetWakeupChannelRead added in v0.15.0

func GetWakeupChannelRead() <-chan ScanRequest

GetWakeupChannelRead returns the reading-end of the channel

func InitHiddenKernelModules added in v0.15.0

func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deletedModMap *bpf.BPFMap) error

InitHiddenKernelModules initializes the module components

func InitHookedSyscall added in v0.19.0

func InitHookedSyscall() error

InitHookedSyscall initializes the LRU cache.

Types

type DeriveFunction added in v0.11.0

type DeriveFunction func(trace.Event) ([]trace.Event, []error)

DeriveFunction is a function prototype for a function that receives an event as argument and may produce a new event if relevant. It returns a derived or empty event, depending on successful derivation, and an error if one occurred.

func ContainerCreate

func ContainerCreate(cts *containers.Containers) DeriveFunction

ContainerCreate receives a containers.Containers object as a closure argument to track its containers. If it receives a cgroup_mkdir event, it can derive a container_create event from it.

func ContainerRemove

func ContainerRemove(cts *containers.Containers) DeriveFunction

ContainerRemove receives a containers.Containers object as a closure argument to track its containers. If it receives a cgroup_rmdir event, it can derive a container_remove event from it.

func DetectHookedSyscall

func DetectHookedSyscall(kernelSymbols *environment.KernelSymbolTable) DeriveFunction

func HiddenKernelModule added in v0.13.0

func HiddenKernelModule() DeriveFunction

func HookedSeqOps

func HookedSeqOps(kernelSymbols *environment.KernelSymbolTable) DeriveFunction

func NetFlowTCPBegin added in v0.20.0

func NetFlowTCPBegin(cache *dnscache.DNSCache) DeriveFunction

func NetFlowTCPEnd added in v0.20.0

func NetFlowTCPEnd(cache *dnscache.DNSCache) DeriveFunction

func NetPacketDNS added in v0.10.0

func NetPacketDNS() DeriveFunction

func NetPacketDNSRequest added in v0.10.0

func NetPacketDNSRequest() DeriveFunction

func NetPacketDNSResponse added in v0.10.0

func NetPacketDNSResponse() DeriveFunction

func NetPacketHTTP added in v0.11.0

func NetPacketHTTP() DeriveFunction

func NetPacketHTTPRequest added in v0.11.0

func NetPacketHTTPRequest() DeriveFunction

func NetPacketHTTPResponse added in v0.11.0

func NetPacketHTTPResponse() DeriveFunction

func NetPacketICMP added in v0.10.0

func NetPacketICMP() DeriveFunction

func NetPacketICMPv6 added in v0.10.0

func NetPacketICMPv6() DeriveFunction

func NetPacketIPv4 added in v0.10.0

func NetPacketIPv4() DeriveFunction

func NetPacketIPv6 added in v0.10.0

func NetPacketIPv6() DeriveFunction

func NetPacketTCP added in v0.10.0

func NetPacketTCP() DeriveFunction

func NetPacketUDP added in v0.10.0

func NetPacketUDP() DeriveFunction

func NetTCPConnect added in v0.20.0

func NetTCPConnect(cache *dnscache.DNSCache) DeriveFunction

func SymbolsCollision added in v0.12.0

func SymbolsCollision(
	soLoader sharedobjs.DynamicSymbolsLoader,
	pManager *policy.PolicyManager,
) DeriveFunction

func SymbolsLoaded added in v0.8.1

func SymbolsLoaded(
	soLoader sharedobjs.DynamicSymbolsLoader,
	pManager *policy.PolicyManager,
) DeriveFunction

type ExecFailedGenerator added in v0.21.0

type ExecFailedGenerator struct {
	// contains filtered or unexported fields
}

ExecFailedGenerator is the object that implements the ProcessExecuteFailed event derivation.

func InitProcessExecuteFailedGenerator added in v0.21.0

func InitProcessExecuteFailedGenerator() (*ExecFailedGenerator, error)

InitProcessExecuteFailedGenerator initializes a new generator for the ProcessExecuteFailed event.

func (*ExecFailedGenerator) ProcessExecuteFailed added in v0.21.0

func (gen *ExecFailedGenerator) ProcessExecuteFailed() DeriveFunction

ProcessExecuteFailed returns the DeriveFunction for the "process_execute_failed" event.

type ScanRequest added in v0.15.0

type ScanRequest struct {
	Address uint64
	Flags   uint32
}

ScanRequest is the structure passed on the wake-up channel.

type SymbolsCollisionArgsGenerator added in v0.12.0

type SymbolsCollisionArgsGenerator struct {
	// contains filtered or unexported fields
}

SymbolsCollisionArgsGenerator creates the shared object symbols collisions derived events. To do so, it uses multiple caches to accelerate performance and reduce chances for failure.

type Table added in v0.8.3

type Table map[events.ID]map[events.ID]struct {
	DeriveFunction DeriveFunction
	Enabled        func() bool
}

Table maps events to the events they can be derived into, each paired with the DeriveFunction that performs the derivation. The Enabled flag is used to skip derivation of unneeded events.

func (Table) DeriveEvent added in v0.11.0

func (t Table) DeriveEvent(event trace.Event) ([]trace.Event, []error)

DeriveEvent takes a trace.Event and checks if it can derive additional events from it as defined by a derivationTable.

func (Table) Register added in v0.11.0

func (t Table) Register(deriveFrom, deriveTo events.ID, deriveCondition func() bool, deriveLogic DeriveFunction) error

Register registers a new derivation handler
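As an added illustration of the Table, Register and DeriveEvent contract documented above (example code, not the tracee package's own): a minimal derivation table with stand-in Event and EventID types, one derivation modelled on the cgroup_mkdir to container_create case, and an Enabled gate. The `/docker/` cgroup-path rule, the `cgroup_path` and `container_id` argument names, and the duplicate-registration error are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical stand-ins for tracee's events.ID and trace.Event, constructed for this example.
type EventID int
type Event struct{ ID EventID; Args map[string]string }
const CgroupMkdir, ContainerCreate EventID = 1, 2
// DeriveFunction mirrors the documented prototype: one event in, zero or more derived events out.
type DeriveFunction func(Event) ([]Event, []error)
// Table maps a source event ID to the events it can be derived into; Enabled gates each entry.
type Table map[EventID]map[EventID]entry
type entry struct{ Derive DeriveFunction; Enabled func() bool }
// Register refuses to overwrite an existing (from, to) derivation (assumed behaviour).
func (t Table) Register(from, to EventID, enabled func() bool, logic DeriveFunction) error {
	if _, dup := t[from][to]; dup {
		return fmt.Errorf("derivation %d -> %d already registered", from, to)
	}
	if t[from] == nil {
		t[from] = map[EventID]entry{}
	}
	t[from][to] = entry{logic, enabled}
	return nil
}

// DeriveEvent runs every enabled derivation registered for ev.ID, collecting events and errors.
func (t Table) DeriveEvent(ev Event) (out []Event, errs []error) {
	for _, e := range t[ev.ID] {
		if e.Enabled() { // skip derivations the current configuration does not need
			derived, derr := e.Derive(ev)
			out, errs = append(out, derived...), append(errs, derr...)
		}
	}
	return out, errs
}
// DeriveContainerCreate maps cgroup_mkdir to container_create; the /docker/ path rule is a constructed stand-in.
func DeriveContainerCreate(ev Event) ([]Event, []error) {
	path, ok := ev.Args["cgroup_path"]
	if !ok {
		return nil, []error{fmt.Errorf("cgroup_mkdir: missing cgroup_path")}
	}
	if !strings.HasPrefix(path, "/docker/") {
		return nil, nil // not a container cgroup; nothing to derive
	}
	return []Event{{ID: ContainerCreate, Args: map[string]string{"container_id": path[strings.LastIndex(path, "/")+1:]}}}, nil
}
```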
