Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Argument
type Argument struct {
	ArgMeta
	Value interface{} `json:"value"`
}
Argument holds the information for one argument.
func (*Argument) UnmarshalJSON
UnmarshalJSON implements the json.Unmarshaler interface.
type Event
type Event struct {
	Timestamp           int        `json:"timestamp"`
	ProcessID           int        `json:"processId"`
	ThreadID            int        `json:"threadId"`
	ParentProcessID     int        `json:"parentProcessId"`
	HostProcessID       int        `json:"hostProcessId"`
	HostThreadID        int        `json:"hostThreadId"`
	HostParentProcessID int        `json:"hostParentProcessId"`
	UserID              int        `json:"userId"`
	MountNS             int        `json:"mountNamespace"`
	PIDNS               int        `json:"pidNamespace"`
	ProcessName         string     `json:"processName"`
	HostName            string     `json:"hostName"`
	ContainerID         string     `json:"containerId"`
	EventID             int        `json:"eventId,string"`
	EventName           string     `json:"eventName"`
	ArgsNum             int        `json:"argsNum"`
	ReturnValue         int        `json:"returnValue"`
	StackAddresses      []uint64   `json:"stackAddresses"`
	Args                []Argument `json:"args"` // Arguments are ordered according to their appearance in the original event
}
Event is a user-facing data structure representing a single event.
func (Event) ToUnstructured
ToUnstructured returns a JSON-compatible map whose children are string, float, int, bool, []interface{}, or map[string]interface{} values.
It allows this Event to be manipulated generically. For example, it can be passed as already-parsed input to the OPA SDK, avoiding a relatively expensive JSON encoding round trip.
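As an added example (not code from the package this page documents), the following decodes one constructed event in the JSON shape the struct above implies, resolves an argument by name, and builds a generic map of the kind ToUnstructured describes. The reduced Event struct keeps the page's json tags, including the `,string` option on eventId, which means the field must arrive as a quoted string. ArgMeta's Name and Type fields, the sample values, and the toUnstructured stand-in are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ArgMeta is not shown on the page; these two fields are an assumption.
type ArgMeta struct {
	Name string `json:"name"`
	Type string `json:"type"`
}

// Argument mirrors the page's type: metadata plus an untyped value.
type Argument struct {
	ArgMeta
	Value interface{} `json:"value"`
}

// Event is a reduced copy of the page's Event with the same json tags.
// The ",string" option on EventID means the JSON must quote the number.
type Event struct {
	Timestamp     int        `json:"timestamp"`
	ProcessID     int        `json:"processId"`
	HostProcessID int        `json:"hostProcessId"`
	ContainerID   string     `json:"containerId"`
	EventID       int        `json:"eventId,string"`
	EventName     string     `json:"eventName"`
	ArgsNum       int        `json:"argsNum"`
	ReturnValue   int        `json:"returnValue"`
	Args          []Argument `json:"args"`
}

// sampleEvent is a constructed event line; the values are invented.
const sampleEvent = `{"timestamp":1650000000,"processId":1234,"hostProcessId":5678,` +
	`"containerId":"abc123","eventId":"257","eventName":"openat","argsNum":2,"returnValue":3,` +
	`"args":[{"name":"pathname","type":"const char*","value":"/etc/shadow"},` +
	`{"name":"flags","type":"int","value":0}]}`

// parseEvent decodes one JSON event and checks that argsNum agrees with the
// number of arguments actually present.
func parseEvent(data []byte) (Event, error) {
	var ev Event
	if err := json.Unmarshal(data, &ev); err != nil {
		return Event{}, err
	}
	if len(ev.Args) != ev.ArgsNum {
		return Event{}, fmt.Errorf("argsNum %d does not match %d decoded args", ev.ArgsNum, len(ev.Args))
	}
	return ev, nil
}

// argValue looks up an argument by name. Args keep their original order, so
// a linear scan is enough; ok is false when the name is absent.
func argValue(ev Event, name string) (interface{}, bool) {
	for _, a := range ev.Args {
		if a.Name == name {
			return a.Value, true
		}
	}
	return nil, false
}

// toUnstructured is a stand-in for the page's ToUnstructured (not reproduced
// here): it builds a map whose children are plain JSON-compatible Go values, so
// the event can be handed to a policy engine without re-encoding it.
func toUnstructured(ev Event) map[string]interface{} {
	args := make([]interface{}, 0, len(ev.Args))
	for _, a := range ev.Args {
		args = append(args, map[string]interface{}{
			"name": a.Name, "type": a.Type, "value": a.Value,
		})
	}
	return map[string]interface{}{
		"timestamp":     ev.Timestamp,
		"processId":     ev.ProcessID,
		"hostProcessId": ev.HostProcessID,
		"containerId":   ev.ContainerID,
		"eventId":       ev.EventID,
		"eventName":     ev.EventName,
		"returnValue":   ev.ReturnValue,
		"args":          args,
	}
}

func main() {
	ev, err := parseEvent([]byte(sampleEvent))
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	path, _ := argValue(ev, "pathname")
	fmt.Printf("%s (id %d) in container %q opened %v\n", ev.EventName, ev.EventID, ev.ContainerID, path)
	fmt.Println(toUnstructured(ev)["eventName"])
}
```

Numbers inside Argument.Value decode as float64, because the field is interface{}; a consumer that expects an int must convert explicitly. An unquoted eventId fails to decode at all, which is the behaviour the `,string` tag buys.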
type MemProtAlert
type MemProtAlert uint32
MemProtAlert is an enum of possible alerts that can be sent by an event to pass some extra information about the event.
const (
	ProtAlertUnknown MemProtAlert = iota
	ProtAlertMmapWX
	ProtAlertMprotectToX
	ProtAlertMprotectXToWX
	ProtAlertMprotectWXToX
	ProtAlertLast
)
func (MemProtAlert) String
func (alert MemProtAlert) String() string
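As an added example (this is not the package's own String implementation), the following shows how a consumer can treat the enum above safely: ProtAlertLast is a sentinel, so any value at or past it, such as a value from a newer producer or a corrupted record, is reported rather than used as an array index. The message texts and the alertFromArg helper, which converts a JSON-decoded argument value into the enum, are this example's assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// MemProtAlert and its constants as listed on the page.
type MemProtAlert uint32

const (
	ProtAlertUnknown MemProtAlert = iota
	ProtAlertMmapWX
	ProtAlertMprotectToX
	ProtAlertMprotectXToWX
	ProtAlertMprotectWXToX
	ProtAlertLast // sentinel: one past the highest valid alert
)

// alertText is this example's own wording; the project's String method may
// use different messages.
var alertText = [...]string{
	ProtAlertUnknown:       "unknown memory protection alert",
	ProtAlertMmapWX:        "mmap of a region with W+X protection",
	ProtAlertMprotectToX:   "mprotect made a region executable",
	ProtAlertMprotectXToWX: "mprotect made an executable region writable (W+X)",
	ProtAlertMprotectWXToX: "mprotect made a W+X region execute-only again",
}

// String renders the alert; anything at or past ProtAlertLast is described
// instead of indexed, so an unexpected value cannot panic the consumer.
func (a MemProtAlert) String() string {
	if a >= ProtAlertLast {
		return fmt.Sprintf("invalid memory protection alert (%d)", uint32(a))
	}
	return alertText[a]
}

// Valid reports whether a is a meaningful alert: neither the unknown value
// nor the sentinel.
func (a MemProtAlert) Valid() bool {
	return a > ProtAlertUnknown && a < ProtAlertLast
}

// alertFromArg converts an Argument.Value into the enum. encoding/json yields
// float64 for numbers, so that is the common case; ints are accepted too.
// Non-integers and out-of-range values are rejected.
func alertFromArg(v interface{}) (MemProtAlert, error) {
	var n float64
	switch x := v.(type) {
	case float64:
		n = x
	case int:
		n = float64(x)
	case uint32:
		n = float64(x)
	default:
		return ProtAlertUnknown, fmt.Errorf("alert argument has type %T, want a number", v)
	}
	if n < 0 || n != math.Trunc(n) || n >= float64(ProtAlertLast) {
		return ProtAlertUnknown, fmt.Errorf("alert value %v is out of range", n)
	}
	return MemProtAlert(n), nil
}

func main() {
	for a := ProtAlertUnknown; a <= ProtAlertLast; a++ {
		fmt.Printf("%d: %s (valid=%t)\n", a, a, a.Valid())
	}
}
```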
type SlimCred
type SlimCred struct {
	Uid            uint32 /* real UID of the task */
	Gid            uint32 /* real GID of the task */
	Suid           uint32 /* saved UID of the task */
	Sgid           uint32 /* saved GID of the task */
	Euid           uint32 /* effective UID of the task */
	Egid           uint32 /* effective GID of the task */
	Fsuid          uint32 /* UID for VFS ops */
	Fsgid          uint32 /* GID for VFS ops */
	UserNamespace  uint32 /* user namespace of the event */
	SecureBits     uint32 /* SUID-less security management */
	CapInheritable uint64 /* caps our children can inherit */
	CapPermitted   uint64 /* caps we're permitted */
	CapEffective   uint64 /* caps we can actually use */
	CapBounding    uint64 /* capability bounding set */
	CapAmbient     uint64 /* ambient capability set */
}
SlimCred is a slim version of the kernel's cred struct. It is used to unmarshal binary data and therefore must match, bit for bit, the `slim_cred_t` struct in the eBPF code.
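As an added example (not the package's own decoding code), the following shows what "match bit by bit" means in practice: the struct is decoded with encoding/binary, which fills fields in declaration order with no padding, so ten uint32 fields followed by five uint64 fields must arrive as exactly 80 bytes. The example checks that size at start-up, refuses buffers of the wrong length, and reads capability bits from the effective set. The little-endian byte order, the CAP_SYS_ADMIN bit index (21, the Linux value), the constructed sample record and the Elevated check are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// SlimCred is copied from the page. Field order and widths must match
// slim_cred_t because binary.Read fills the fields in declaration order.
type SlimCred struct {
	Uid            uint32 // real UID of the task
	Gid            uint32 // real GID of the task
	Suid           uint32 // saved UID
	Sgid           uint32 // saved GID
	Euid           uint32 // effective UID
	Egid           uint32 // effective GID
	Fsuid          uint32 // UID for VFS ops
	Fsgid          uint32 // GID for VFS ops
	UserNamespace  uint32 // user namespace of the event
	SecureBits     uint32 // securebits flags
	CapInheritable uint64
	CapPermitted   uint64
	CapEffective   uint64
	CapBounding    uint64
	CapAmbient     uint64
}

// slimCredSize is the record length the eBPF side must emit: 10*4 + 5*8 bytes.
const slimCredSize = 80

// capSysAdmin is the Linux capability bit index for CAP_SYS_ADMIN.
const capSysAdmin = 21

// layoutMatches is the check to run once at start-up: if a field is added on
// one side without the other, decoding silently shifts every later field.
func layoutMatches() bool {
	return binary.Size(SlimCred{}) == slimCredSize
}

// decodeSlimCred parses one little-endian record (x86-64 assumption) and
// refuses buffers of the wrong length rather than decoding a truncated struct.
func decodeSlimCred(buf []byte) (SlimCred, error) {
	if len(buf) != slimCredSize {
		return SlimCred{}, fmt.Errorf("slim_cred_t: got %d bytes, want %d", len(buf), slimCredSize)
	}
	var c SlimCred
	if err := binary.Read(bytes.NewReader(buf), binary.LittleEndian, &c); err != nil {
		return SlimCred{}, err
	}
	return c, nil
}

// HasEffective reports whether capability bit capBit is in the effective set.
func (c SlimCred) HasEffective(capBit uint) bool {
	return capBit < 64 && c.CapEffective&(1<<capBit) != 0
}

// Elevated flags the setuid pattern a detection rule would look at: the real
// UID is unprivileged but the effective UID is root.
func (c SlimCred) Elevated() bool {
	return c.Uid != 0 && c.Euid == 0
}

// sampleCred is a constructed record laid out byte by byte at the offsets the
// struct implies, standing in for bytes read from the eBPF side.
func sampleCred() []byte {
	buf := make([]byte, slimCredSize)
	le := binary.LittleEndian
	le.PutUint32(buf[0:], 1000)              // Uid
	le.PutUint32(buf[4:], 1000)              // Gid
	le.PutUint32(buf[8:], 0)                 // Suid
	le.PutUint32(buf[12:], 0)                // Sgid
	le.PutUint32(buf[16:], 0)                // Euid: root after a setuid binary
	le.PutUint32(buf[20:], 0)                // Egid
	le.PutUint32(buf[24:], 0)                // Fsuid
	le.PutUint32(buf[28:], 0)                // Fsgid
	le.PutUint32(buf[32:], 4026531837)       // UserNamespace (constructed inode number)
	le.PutUint32(buf[36:], 0)                // SecureBits
	le.PutUint64(buf[40:], 0)                // CapInheritable
	le.PutUint64(buf[48:], 1<<capSysAdmin)   // CapPermitted
	le.PutUint64(buf[56:], 1<<capSysAdmin)   // CapEffective
	le.PutUint64(buf[64:], 0x1ffffffffff)    // CapBounding (constructed full set)
	le.PutUint64(buf[72:], 0)                // CapAmbient
	return buf
}

func main() {
	if !layoutMatches() {
		fmt.Println("SlimCred size does not match slim_cred_t")
		return
	}
	c, err := decodeSlimCred(sampleCred())
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("uid=%d euid=%d elevated=%t cap_sys_admin=%t\n",
		c.Uid, c.Euid, c.Elevated(), c.HasEffective(capSysAdmin))
}
```

The length check matters because binary.Read on a short buffer returns io.ErrUnexpectedEOF only after partially filling the struct; rejecting the buffer up front keeps a half-decoded credential from ever reaching a rule.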