engine

package
v0.22.5
Warning

This package is not in the latest version of its module.

Published: Dec 10, 2024 License: Apache-2.0 Imports: 7 Imported by: 1

Documentation


Constants

const ALL_EVENT_ORIGINS = "*"
const ALL_EVENT_TYPES = "*"
const EVENT_CONTAINER_ORIGIN = "container"
const EVENT_HOST_ORIGIN = "host"

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// Engine-in-Pipeline related configuration
	Enabled          bool             // Enables the signatures engine to run in the events pipeline
	SigNameToEventID map[string]int32 // Cache of loaded signature event names to event ids, used to filter in dispatching

	// Callback from tracee to determine if event should be dispatched to signature.
	// This is done as a callback because importing the events package breaks compilation for the
	// tracee-rules binary.
	// When tracee-rules is removed, and the policy coordinator is implemented (PR #3305)
	// this solution should be abandoned in favor of using it alongside the engine.
	ShouldDispatchEvent func(eventIdInt32 int32) bool

	// General engine configuration
	SignatureBufferSize uint
	Signatures          []detect.Signature
	DataSources         []detect.DataSource
}

Config defines the engine's configurable values

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine is a signatures-engine that can process events coming from a set of input sources against a set of loaded signatures, and report the signatures' findings

func NewEngine

func NewEngine(config Config, sources EventSources, output chan *detect.Finding) (*Engine, error)

NewEngine creates a new signatures-engine with the given arguments. Inputs and outputs are given as channels created by the consumer. Signatures are not loaded at this point; Init must be called to perform config side effects.

func (*Engine) GetDataSource added in v0.15.0

func (engine *Engine) GetDataSource(namespace string, id string) (detect.DataSource, bool)

func (*Engine) GetSelectedEvents

func (engine *Engine) GetSelectedEvents() []detect.SignatureEventSelector

GetSelectedEvents returns the event selectors that are relevant to the currently loaded signatures

func (*Engine) Init added in v0.17.0

func (engine *Engine) Init() error

Init loads and initializes signatures and data sources passed in NewEngine. The split allows the loading of additional signatures and data sources between NewEngine and Start if needed.

func (*Engine) LoadSignature

func (engine *Engine) LoadSignature(signature detect.Signature) (string, error)

TODO: This method seems not to be used; let's confirm inside the team and remove it if not needed.

LoadSignature calls the internal signature loading logic and activates its handling business logic. It returns the signature ID as well as an error.

func (*Engine) RegisterDataSource added in v0.15.0

func (engine *Engine) RegisterDataSource(dataSource detect.DataSource) error

func (*Engine) Start

func (engine *Engine) Start(ctx context.Context)

Start starts processing events and detecting signatures. It runs continuously until stopped by the done channel. Once done, it cleans all internal resources, which means the engine is not reusable. Note that the input and output channels are created by the consumer and therefore are not closed.

func (*Engine) Stats

func (engine *Engine) Stats() *metrics.Stats

func (*Engine) UnloadSignature

func (engine *Engine) UnloadSignature(signatureId string) error

UnloadSignature removes the given signature from the Engine's data structures and stops its handling goroutine.

type EventSources

type EventSources struct {
	Tracee chan protocol.Event
}

EventSources is a bundle of input sources used to configure the Engine
