Constants ¶
// argTag identifies which argument of an event a raw value belongs to; it
// is the key type of RawEvent.RawArgs and the element type of
// RawEvent.ArgsTags. The tag names mirror the argument names of the hooked
// syscalls and kernel functions. Values are assigned by iota, so they depend
// on declaration order: inserting a tag in the middle renumbers every tag
// after it. argTag itself is an unexported type declared elsewhere in the
// package (not shown on this page).
const (
	TagNone argTag = iota // zero value; presumably marks an untagged argument — verify
	TagFd
	TagFilename
	TagPathname
	TagArgv
	TagEnvp
	TagDev
	TagInode
	TagDirfd
	TagFlags
	TagCap
	TagSyscall
	TagCount
	TagPos
	TagAlert
	TagMode
	TagAddr
	TagLength
	TagProt
	TagOffset
	TagPkey
	TagName
	TagOldfd
	TagNewfd
	TagDomain
	TagType
	TagProtocol
	TagRequest
	TagPid
	TagSig
	TagSockfd
	TagBacklog
	TagOption
	TagArg2
	TagArg3
	TagArg4
	TagArg5
	TagData
	TagLocalIov
	TagLiovcnt
	TagRemoteIov
	TagRiovcnt
	TagModuleImage
	TagLen
	TagParamValues
	TagTarget
	TagNewdirfd
	TagLinkpath
	TagSource
	TagFilesystemtype
	TagMountflags
	TagUid
	TagGid
	TagFsuid
	TagFsgid
	TagRuid
	TagEuid
	TagRgid
	TagEgid
	TagSuid
	TagSgid
	TagOwner
	TagGroup
)
// Event IDs of every event the tracer can report. These values must match
// the values defined in the eBPF code: the IDs are assigned by iota, so
// inserting or removing an entry renumbers everything after it and would
// silently mislabel events coming from an unchanged eBPF program.
//
// NOTE(review): the ordering of the syscall entries appears to follow the
// x86_64 syscall table (read = 0, write = 1, open = 2, ...), with the
// Reserved335..349 placeholders keeping the numbering stable before the
// non-syscall events at the end — confirm against the eBPF side before
// touching this block.
const (
	ReadEventID int32 = iota
	WriteEventID
	OpenEventID
	CloseEventID
	StatEventID
	FstatEventID
	LstatEventID
	PollEventID
	LseekEventID
	MmapEventID
	MprotectEventID
	MunmapEventID
	BrkEventID
	RtSigactionEventID
	RtSigprocmaskEventID
	RtSigreturnEventID
	IoctlEventID
	Pread64EventID
	Pwrite64EventID
	ReadvEventID
	WritevEventID
	AccessEventID
	PipeEventID
	SelectEventID
	SchedYieldEventID
	MremapEventID
	MsyncEventID
	MincoreEventID
	MadviseEventID
	ShmgetEventID
	ShmatEventID
	ShmctlEventID
	DupEventID
	Dup2EventID
	PauseEventID
	NanosleepEventID
	GetitimerEventID
	AlarmEventID
	SetitimerEventID
	GetpidEventID
	SendfileEventID
	SocketEventID
	ConnectEventID
	AcceptEventID
	SendtoEventID
	RecvfromEventID
	SendmsgEventID
	RecvmsgEventID
	ShutdownEventID
	BindEventID
	ListenEventID
	GetsocknameEventID
	GetpeernameEventID
	SocketpairEventID
	SetsockoptEventID
	GetsockoptEventID
	CloneEventID
	ForkEventID
	VforkEventID
	ExecveEventID
	ExitEventID
	Wait4EventID
	KillEventID
	UnameEventID
	SemgetEventID
	SemopEventID
	SemctlEventID
	ShmdtEventID
	MsggetEventID
	MsgsndEventID
	MsgrcvEventID
	MsgctlEventID
	FcntlEventID
	FlockEventID
	FsyncEventID
	FdatasyncEventID
	TruncateEventID
	FtruncateEventID
	GetdentsEventID
	GetcwdEventID
	ChdirEventID
	FchdirEventID
	RenameEventID
	MkdirEventID
	RmdirEventID
	CreatEventID
	LinkEventID
	UnlinkEventID
	SymlinkEventID
	ReadlinkEventID
	ChmodEventID
	FchmodEventID
	ChownEventID
	FchownEventID
	LchownEventID
	UmaskEventID
	GettimeofdayEventID
	GetrlimitEventID
	GetrusageEventID
	SysinfoEventID
	TimesEventID
	PtraceEventID
	GetuidEventID
	SyslogEventID
	GetgidEventID
	SetuidEventID
	SetgidEventID
	GeteuidEventID
	GetegidEventID
	SetpgidEventID
	GetppidEventID
	GetpgrpEventID
	SetsidEventID
	SetreuidEventID
	SetregidEventID
	GetgroupsEventID
	SetgroupsEventID
	SetresuidEventID
	GetresuidEventID
	SetresgidEventID
	GetresgidEventID
	GetpgidEventID
	SetfsuidEventID
	SetfsgidEventID
	GetsidEventID
	CapgetEventID
	CapsetEventID
	RtSigpendingEventID
	RtSigtimedwaitEventID
	RtSigqueueinfoEventID
	RtSigsuspendEventID
	SigaltstackEventID
	UtimeEventID
	MknodEventID
	UselibEventID
	PersonalityEventID
	UstatEventID
	StatfsEventID
	FstatfsEventID
	SysfsEventID
	GetpriorityEventID
	SetpriorityEventID
	SchedSetparamEventID
	SchedGetparamEventID
	SchedSetschedulerEventID
	SchedGetschedulerEventID
	SchedGetPriorityMaxEventID
	SchedGetPriorityMinEventID
	SchedRrGetIntervalEventID
	MlockEventID
	MunlockEventID
	MlockallEventID
	MunlockallEventID
	VhangupEventID
	ModifyLdtEventID
	PivotRootEventID
	SysctlEventID
	PrctlEventID
	ArchPrctlEventID
	AdjtimexEventID
	SetrlimitEventID
	ChrootEventID
	SyncEventID
	AcctEventID
	SettimeofdayEventID
	MountEventID
	UmountEventID
	SwaponEventID
	SwapoffEventID
	RebootEventID
	SethostnameEventID
	SetdomainnameEventID
	IoplEventID
	IopermEventID
	CreateModuleEventID
	InitModuleEventID
	DeleteModuleEventID
	GetKernelSymsEventID
	QueryModuleEventID
	QuotactlEventID
	NfsservctlEventID
	GetpmsgEventID
	PutpmsgEventID
	AfsEventID
	TuxcallEventID
	SecurityEventID
	GettidEventID
	ReadaheadEventID
	SetxattrEventID
	LsetxattrEventID
	FsetxattrEventID
	GetxattrEventID
	LgetxattrEventID
	FgetxattrEventID
	ListxattrEventID
	LlistxattrEventID
	FlistxattrEventID
	RemovexattrEventID
	LremovexattrEventID
	FremovexattrEventID
	TkillEventID
	TimeEventID
	FutexEventID
	SchedSetaffinityEventID
	SchedGetaffinityEventID
	SetThreadAreaEventID
	IoSetupEventID
	IoDestroyEventID
	IoGeteventsEventID
	IoSubmitEventID
	IoCancelEventID
	GetThreadAreaEventID
	EpollCreateEventID
	EpollCtlOldEventID
	EpollWaitOldEventID
	RemapFilePagesEventID
	Getdents64EventID
	SetTidAddressEventID
	RestartSyscallEventID
	SemtimedopEventID
	Fadvise64EventID
	TimerCreateEventID
	TimerSettimeEventID
	TimerGettimeEventID
	TimerGetoverrunEventID
	TimerDeleteEventID
	ClockSettimeEventID
	ClockGettimeEventID
	ClockGetresEventID
	ClockNanosleepEventID
	ExitGroupEventID
	EpollWaitEventID
	EpollCtlEventID
	TgkillEventID
	UtimesEventID
	VserverEventID
	MbindEventID
	SetMempolicyEventID
	GetMempolicyEventID
	MqOpenEventID
	MqUnlinkEventID
	MqTimedsendEventID
	MqTimedreceiveEventID
	MqNotifyEventID
	MqGetsetattrEventID
	KexecLoadEventID
	WaitidEventID
	AddKeyEventID
	RequestKeyEventID
	KeyctlEventID
	IoprioSetEventID
	IoprioGetEventID
	InotifyInitEventID
	InotifyAddWatchEventID
	InotifyRmWatchEventID
	MigratePagesEventID
	OpenatEventID
	MkdiratEventID
	MknodatEventID
	FchownatEventID
	FutimesatEventID
	NewfstatatEventID
	UnlinkatEventID
	RenameatEventID
	LinkatEventID
	SymlinkatEventID
	ReadlinkatEventID
	FchmodatEventID
	FaccessatEventID
	Pselect6EventID
	PpollEventID
	SetRobustListEventID
	GetRobustListEventID
	SpliceEventID
	TeeEventID
	SyncFileRangeEventID
	VmspliceEventID
	MovePagesEventID
	UtimensatEventID
	EpollPwaitEventID
	SignalfdEventID
	TimerfdCreateEventID
	EventfdEventID
	FallocateEventID
	TimerfdSettimeEventID
	TimerfdGettimeEventID
	Accept4EventID
	Signalfd4EventID
	Eventfd2EventID
	EpollCreate1EventID
	Dup3EventID
	Pipe2EventID
	IonotifyInit1EventID // NOTE(review): misspelled (inotify_init1); exported, so kept for API compatibility
	PreadvEventID
	PwritevEventID
	RtTgsigqueueinfoEventID
	PerfEventOpenEventID
	RecvmmsgEventID
	FanotifyInitEventID
	FanotifyMarkEventID
	Prlimit64EventID
	NameTohandleAtEventID
	OpenByHandleAtEventID
	ClockAdjtimeEventID
	SycnfsEventID // NOTE(review): misspelled (syncfs); exported, so kept for API compatibility
	SendmmsgEventID
	SetnsEventID
	GetcpuEventID
	ProcessVmReadvEventID
	ProcessVmWritevEventID
	KcmpEventID
	FinitModuleEventID
	SchedSetattrEventID
	SchedGetattrEventID
	Renameat2EventID
	SeccompEventID
	GetrandomEventID
	MemfdCreateEventID
	KexecFileLoadEventID
	BpfEventID
	ExecveatEventID
	UserfaultfdEventID
	MembarrierEventID
	Mlock2EventID
	CopyFileRangeEventID
	Preadv2EventID
	Pwritev2EventID
	PkeyMprotectEventID
	PkeyAllocEventID
	PkeyFreeEventID
	StatxEventID
	IoPgeteventsEventID
	RseqEventID
	// Placeholders; presumably reserve unused numbers so the IDs below stay fixed — verify
	Reserved335EventID
	Reserved336EventID
	Reserved337EventID
	Reserved338EventID
	Reserved339EventID
	Reserved340EventID
	Reserved341EventID
	Reserved342EventID
	Reserved343EventID
	Reserved344EventID
	Reserved345EventID
	Reserved346EventID
	Reserved347EventID
	Reserved348EventID
	Reserved349EventID
	// Non-syscall events (tracepoints / kernel functions); IDs continue after the reserved range
	RawSyscallsEventID
	DoExitEventID
	CapCapableEventID
	SecurityBprmCheckEventID
	SecurityFileOpenEventID
	VfsWriteEventID
	MemProtAlertEventID
)
Event IDs must match the values defined in the eBPF code.
Variables ¶
// EventsIDToEvent is the table of supported events, indexed by their ID.
// Keys are the *EventID constants (int32); each value is the EventConfig for
// that event. The literal is elided in the rendered documentation, so whether
// every value's ID field equals its key cannot be checked from this page.
var EventsIDToEvent = map[int32]EventConfig{} /* 357 elements not displayed */
EventsIDToEvent is the table of supported events, indexed by their ID.
Functions ¶
func MergeErrors ¶ added in v0.0.3
MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.
func Print16BytesSliceIP ¶
Print16BytesSliceIP prints the IP address encoded as a 16-byte slice. It would be more correct to accept a [16]byte instead of a variable-length slice, but that would cause unnecessary memory copying and type conversions.
func PrintAccessMode ¶
PrintAccessMode prints the `mode` argument of the `access` syscall. http://man7.org/linux/man-pages/man2/access.2.html https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/unistd.h.html#tag_13_77_03_04
func PrintAlert ¶ added in v0.0.2
func PrintAlert(alert alert) string
PrintAlert prints the encoded alert message and, if required, the output file path.
func PrintCapability ¶
PrintCapability prints the `capability` bitmask argument of the `cap_capable` function include/uapi/linux/capability.h
func PrintCloneFlags ¶ added in v0.0.3
PrintCloneFlags prints the `flags` bitmask argument of the `clone` syscall https://man7.org/linux/man-pages/man2/clone.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/sched.h
func PrintExecFlags ¶
PrintExecFlags prints the `flags` bitmask argument of the `execveat` syscall http://man7.org/linux/man-pages/man2/execveat.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fcntl.h#L94
func PrintInodeMode ¶
PrintInodeMode prints the `mode` bitmask argument of the `mknod` syscall http://man7.org/linux/man-pages/man7/inode.7.html
func PrintMemProt ¶
PrintMemProt prints the `prot` bitmask argument of the `mmap` syscall http://man7.org/linux/man-pages/man2/mmap.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/mman-common.h#L10
func PrintOpenFlags ¶
PrintOpenFlags prints the `flags` bitmask argument of the `open` syscall http://man7.org/linux/man-pages/man2/open.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/fcntl.h
func PrintPrctlOption ¶
PrintPrctlOption prints the `option` argument of the `prctl` syscall http://man7.org/linux/man-pages/man2/prctl.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/prctl.h
func PrintPtraceRequest ¶
PrintPtraceRequest prints the `request` argument of the `ptrace` syscall http://man7.org/linux/man-pages/man2/ptrace.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/ptrace.h
func PrintSocketDomain ¶
PrintSocketDomain prints the `domain` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html
func PrintSocketType ¶
PrintSocketType prints the `type` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html https://elixir.bootlin.com/linux/v5.5.3/source/arch/mips/include/asm/socket.h
func PrintUint32IP ¶
PrintUint32IP prints the IP address encoded as a uint32
Types ¶
type Argument ¶ added in v0.0.3
// Argument holds the name and value of one event argument. Value is left
// untyped, so consumers must type-assert it; values such as filenames and
// argv presumably originate from the traced process and should be treated
// as untrusted input (e.g. escaped before being rendered).
type Argument struct {
	Name  string      `json:"name"`
	Value interface{} `json:"value"`
}
Argument holds the information for one argument
type Event ¶ added in v0.0.2
// Event is the user-facing data structure representing a single event.
// The json tags fix the field names used when an Event is marshalled with
// encoding/json; changing them changes the output format consumers parse.
type Event struct {
	Timestamp           float64    `json:"timestamp"`           // NOTE(review): unit and epoch are not shown on this page — confirm before comparing across hosts
	ProcessID           int        `json:"processId"`           // presumably as seen in the process's own PID namespace — verify
	ThreadID            int        `json:"threadId"`
	ParentProcessID     int        `json:"parentProcessId"`
	HostProcessID       int        `json:"hostProcessId"`       // presumably the host (init namespace) view of the same IDs — verify
	HostThreadID        int        `json:"hostThreadId"`
	HostParentProcessID int        `json:"hostParentProcessId"`
	UserID              int        `json:"userId"`
	MountNS             int        `json:"mountNamespace"`
	PIDNS               int        `json:"pidNamespace"`
	ProcessName         string     `json:"processName"`
	HostName            string     `json:"hostName"`
	EventID             int        `json:"eventId,string"`      // ",string" makes encoding/json emit and accept this field as a quoted decimal string
	EventName           string     `json:"eventName"`
	ArgsNum             int        `json:"argsNum"`
	ReturnValue         int        `json:"returnValue"`
	Args                []Argument `json:"args"`                // arguments are ordered as they appear in the original event
}
Event is a user facing data structure representing a single event
type EventConfig ¶ added in v0.0.2
// EventConfig describes one supported event: its ID (which must agree with
// the eBPF code), its display name, the probes that implement it, and two
// flags. probe is an unexported type declared elsewhere in the package and
// is not shown on this page.
type EventConfig struct {
	ID               int32
	Name             string
	Probes           []probe
	EnabledByDefault bool // traced when the user does not select events explicitly — presumably; verify in New
	EssentialEvent   bool // NOTE(review): what "essential" implies (e.g. cannot be disabled) is not shown here
}
EventConfig is a struct describing an event configuration
type RawEvent ¶ added in v0.0.3
// RawEvent is an event as decoded from the tracer before it is turned into
// a user-facing Event. RawArgs maps each argument tag to its raw value;
// ArgsTags lists the tags present (presumably in argument order — verify).
// context and argTag are unexported types declared elsewhere in the package.
type RawEvent struct {
	Ctx      context
	RawArgs  map[argTag]interface{}
	ArgsTags []argTag
}
type Tracee ¶
// Tracee traces system calls and system events using eBPF. Instances are
// created with New from a TraceeConfig; WaitForPipeline reports errors
// collected from the pipeline's error channels. All fields are unexported.
type Tracee struct {
	// contains filtered or unexported fields
}
Tracee traces system calls and system events using eBPF
func New ¶
func New(cfg TraceeConfig) (*Tracee, error)
New creates a new Tracee instance based on a given valid TraceeConfig
func (*Tracee) WaitForPipeline ¶ added in v0.0.3
WaitForPipeline waits for results from all error channels.
type TraceeConfig ¶
// TraceeConfig holds the user-defined configuration of a Tracee instance.
// It is passed to New; Validate performs static checks on it. Most field
// semantics are not shown on this page, so the comments below are limited to
// what the names and types make evident.
type TraceeConfig struct {
	EventsToTrace         []int32 // event IDs to trace (see the *EventID constants)
	ContainerMode         bool
	PidsToTrace           []int
	DetectOriginalSyscall bool
	ShowExecEnv           bool // presumably emits the exec environment — verify; environments can carry secrets, so output handling matters
	OutputFormat          string // NOTE(review): accepted values not shown here — confirm Validate rejects unknown ones
	PerfBufferSize        int
	BlobPerfBufferSize    int
	OutputPath            string // NOTE(review): confirm how Validate/New constrain this path
	CaptureWrite          bool
	CaptureExec           bool
	CaptureMem            bool
	FilterFileWrite       []string
	SecurityAlerts        bool
	EventsFile            *os.File // destination for events; ownership/closing of the handle is not shown here
	ErrorsFile            *os.File // destination for errors; ownership/closing of the handle is not shown here
}
TraceeConfig is a struct containing user defined configuration of tracee
func (TraceeConfig) Validate ¶
func (tc TraceeConfig) Validate() error
Validate does static validation of the configuration