Documentation ¶
Index ¶
- Constants
- func FindingToEvent(f detect.Finding) (*trace.Event, error)
- func GetCaptureEventsList(cfg config.Config) map[events.ID]events.EventState
- func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol
- func MergeErrors(cs ...<-chan error) <-chan error
- func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helpers.KernelSymbol) error
- type BPFLog
- func (b BPFLog) CPU() uint32
- func (b BPFLog) Count() uint32
- func (b *BPFLog) Decode(rawBuffer []byte) error
- func (b BPFLog) Error() string
- func (b BPFLog) File() []byte
- func (b BPFLog) FileAsString() string
- func (b BPFLog) ID() uint32
- func (b BPFLog) Line() uint32
- func (b BPFLog) LogLevel() logger.Level
- func (b BPFLog) Return() int64
- func (b BPFLog) Size() int
- func (b BPFLog) Type() BPFLogType
- type BPFLogType
- type InitValues
- type Tracee
- func (t *Tracee) AddReadyCallback(f func(ctx gocontext.Context))
- func (t *Tracee) Close()
- func (t *Tracee) DisableEvent(eventName string) error
- func (t *Tracee) DisableRule(policyNames []string, ruleId string) error
- func (t *Tracee) EnableEvent(eventName string) error
- func (t *Tracee) EnableRule(policyNames []string, ruleId string) error
- func (t *Tracee) Init(ctx gocontext.Context) error
- func (t *Tracee) NewKernelSymbols() error
- func (t *Tracee) PrepareBuiltinDataSources() []detect.DataSource
- func (t *Tracee) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, ...) error
- func (t *Tracee) RegisterEventProcessor(id events.ID, proc func(evt *trace.Event) error)
- func (t *Tracee) Run(ctx gocontext.Context) error
- func (t *Tracee) Running() bool
- func (t *Tracee) Stats() *metrics.Stats
- func (t *Tracee) Subscribe(policyNames []string) (*streams.Stream, error)
- func (t *Tracee) SubscribeAll() *streams.Stream
- func (t *Tracee) Unsubscribe(s *streams.Stream)
- func (t *Tracee) UpdateBPFKsymbolsMap() error
- func (t *Tracee) UpdateKallsyms() error
- func (t *Tracee) UpdateKernelSymbols() error
- func (t *Tracee) WaitForPipeline(errs ...<-chan error) error
Constants ¶
const ( Iterate )
const BPFMaxLogFileLen = 72 // BPF_MAX_LOG_FILE_LEN
Variables ¶
This section is empty.
Functions ¶
func FindingToEvent ¶ added in v0.10.0
FindingToEvent converts a detect.Finding into a trace.Event This is used because the pipeline expects trace.Event, but the rule engine returns detect.Finding
func GetCaptureEventsList ¶ added in v0.8.0
GetCaptureEventsList sets events used to capture data.
func LoadKallsymsValues ¶ added in v0.11.0
func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol
func MergeErrors ¶
MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.
func SendKsymbolsToMap ¶ added in v0.11.0
Types ¶
type BPFLog ¶ added in v0.11.0
type BPFLog struct {
// contains filtered or unexported fields
}
BPFLog struct contains aggregated data about a bpf log origin
func (BPFLog) FileAsString ¶ added in v0.11.0
func (BPFLog) Type ¶ added in v0.11.0
func (b BPFLog) Type() BPFLogType
type BPFLogType ¶ added in v0.11.0
type BPFLogType uint32
const ( BPFLogIDUnspec BPFLogType = iota // BPF_LOG_ID_UNSPEC // tracee functions BPFLogIDInitContext // BPF_LOG_ID_INIT_CONTEXT // bpf helpers functions BPFLogIDMapLookupElem // BPF_LOG_ID_MAP_LOOKUP_ELEM BPFLogIDMapUpdateElem // BPF_LOG_ID_MAP_UPDATE_ELEM BPFLogIDMapDeleteElem // BPF_LOG_ID_MAP_DELETE_ELEM BPFLogIDGetCurrentComm // BPF_LOG_ID_GET_CURRENT_COMM BPFLogIDTailCall // BPF_LOG_ID_TAIL_CALL BPFLogIDMemRead // BPF_LOG_ID_MEM_READ )
func (BPFLogType) String ¶ added in v0.11.0
func (b BPFLogType) String() string
type InitValues ¶ added in v0.8.1
type InitValues struct {
Kallsyms bool
}
InitValues determines if to initialize values that might be needed by eBPF programs
type Tracee ¶
type Tracee struct { OutDir *os.File // use utils.XXX functions to create or write to this file // BPF Maps StackAddressesMap *bpf.BPFMap FDArgPathMap *bpf.BPFMap // contains filtered or unexported fields }
Tracee traces system calls and system events using eBPF
func New ¶
New creates a new Tracee instance based on a given valid Config. It is expected that it won't cause external system side effects (reads, writes, etc).
func (*Tracee) AddReadyCallback ¶ added in v0.15.0
AddReadyCallback sets a callback function to be called when the tracee started all its probes and is ready to receive events
func (*Tracee) DisableEvent ¶ added in v0.18.0
func (*Tracee) DisableRule ¶ added in v0.18.0
DisableRule disables a rule in the specified policies
func (*Tracee) EnableEvent ¶ added in v0.18.0
func (*Tracee) EnableRule ¶ added in v0.18.0
EnableRule enables a rule in the specified policies
func (*Tracee) Init ¶ added in v0.8.1
Init initialize tracee instance and it's various subsystems, potentially performing external system operations to initialize them. NOTE: any initialization logic, especially one that causes side effects, should go here and not New().
func (*Tracee) NewKernelSymbols ¶ added in v0.11.0
func (*Tracee) PrepareBuiltinDataSources ¶ added in v0.17.0
func (t *Tracee) PrepareBuiltinDataSources() []detect.DataSource
PrepareBuiltinDataSources returns a list of all data sources tracee makes available built-in
func (*Tracee) RegisterEventDerivation ¶ added in v0.11.0
func (t *Tracee) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, deriveLogic derive.DeriveFunction) error
RegisterEventDerivation registers an event derivation handler for tracee to use in the event pipeline
func (*Tracee) RegisterEventProcessor ¶ added in v0.11.0
RegisterEventProcessor registers a new event processor for a specific event id.
func (*Tracee) Subscribe ¶ added in v0.18.0
Subscribe returns a stream subscribed to selected policies
func (*Tracee) SubscribeAll ¶ added in v0.18.0
SubscribeAll returns a stream subscribed to all policies
func (*Tracee) Unsubscribe ¶ added in v0.18.0
Unsubscribe unsubscribes stream
func (*Tracee) UpdateBPFKsymbolsMap ¶ added in v0.11.0
func (*Tracee) UpdateKallsyms ¶ added in v0.11.0
func (*Tracee) UpdateKernelSymbols ¶ added in v0.11.0
func (*Tracee) WaitForPipeline ¶
WaitForPipeline waits for results from all error channels.