eventauditor

package
v0.0.0-...-c365bfc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 26, 2021 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	CodeGenSourcePrefix = "./BPF/codegen_"
	CodeGenSourceSuffix = ".bpf.c"
	CodeGenObjectPrefix = "codegen_"
	CodeGenObjectSuffix = ".bpf.o"
)

Configuration

View Source 
const (
	KAEASysExecveProg      KABPFProgName    = "ka_ea_sched_process_exec"
	KAEASysExecveEvent     KABPFEventName   = "sched/sched_process_exec"
	KAEASysExecveTailProg0 KABPFProgName    = "ka_ea_sched_process_exec_0"
	KAEASysExecveTailProg1 KABPFProgName    = "ka_ea_sched_process_exec_1"
	KAEASysExecveProgFile  KABPFObjFileName = "ka_ea_process.bpf.o"

	KAEASysExitProg     KABPFProgName    = "ka_ea_sched_process_exit"
	KAEASysExitEvent    KABPFEventName   = "sched/sched_process_exit"
	KAEASysExitProgFile KABPFObjFileName = "ka_ea_process.bpf.o"
)

KubeArmor Event Auditor Programs

View Source 
const (
	KAEAProcessJMPMap     KABPFMapName     = "ka_ea_process_jmp_map"
	KAEAProcessJMPMapFile KABPFObjFileName = "ka_ea_process.bpf.o"

	KAEAPatternMap     KABPFMapName     = "ka_ea_pattern_map"
	KAEAPatternMapFile KABPFObjFileName = "ka_ea_process.bpf.o"

	KAEAProcessSpecMap     KABPFMapName     = "ka_ea_process_spec_map"
	KAEAProcessSpecMapFile KABPFObjFileName = "ka_ea_process.bpf.o"

	KAEAProcessFilterMap     KABPFMapName     = "ka_ea_process_filter_map"
	KAEAProcessFilterMapFile KABPFObjFileName = "ka_ea_process.bpf.o"

	KAEAEventMap     KABPFMapName     = "ka_ea_event_map"
	KAEAEventMapFile KABPFObjFileName = "ka_ea_entrypoint.bpf.o"

	KAEAEventFilterMap     KABPFMapName     = "ka_ea_event_filter_map"
	KAEAEventFilterMapFile KABPFObjFileName = "ka_ea_entrypoint.bpf.o"

	KAEAEventJumpTable     KABPFMapName     = "ka_ea_event_jmp_table"
	KAEAEventJumpTableFile KABPFObjFileName = "ka_ea_entrypoint.bpf.o"
)

KubeArmor Event Auditor Maps

View Source 
const KABPFPinBasePath = "/sys/fs/bpf/"

KABPFPinBasePath constant

View Source 
const PatternMaxLen = int(C.MAX_PATTERN_LEN)

PatternMaxLen constant

Variables

This section is empty.

Functions

This section is empty.

Types

type EventAuditor 

type EventAuditor struct {
	// logs
	Logger *fd.Feeder

	// containers
	Containers     *map[string]tp.Container
	ContainersLock **sync.RWMutex

	// endpoints
	EndPoints     *[]tp.EndPoint
	EndPointsLock **sync.RWMutex

	// audit policies
	AuditPolicies     *map[string]tp.AuditPolicy
	AuditPoliciesLock **sync.RWMutex

	// bpf
	BPFManager *KABPFManager

	// all entrypoints that KubeArmor supports
	SupportedEntryPoints map[string]uint32

	// entrypoint arguments
	EntryPointParameters map[string][]string

	// all entrypoints in the audit policy
	ActiveEntryPoints []string

	// patterns and process specs
	Patterns     map[PatternElement]bool
	ProcessSpecs map[ProcessSpecElement]bool

	// cache for compiled rules
	// map[eventString]codeBlock
	EventCodeBlockCache map[string]string

	// cache for loaded programs
	// map[sourceCode]jumpTableIndex
	EventProgramCache map[string]uint32

	// next index to use
	NextJumpTableIndex uint32

	// lock for caches and index count
	CacheIndexLock *sync.RWMutex
}

EventAuditor Structure

func NewEventAuditor 

func NewEventAuditor(feeder *fd.Feeder, containers *map[string]tp.Container, containersLock **sync.RWMutex,
	endPoints *[]tp.EndPoint, endPointsLock **sync.RWMutex, auditPolicies *map[string]tp.AuditPolicy, auditPoliciesLock **sync.RWMutex) *EventAuditor

NewEventAuditor Function

func (*EventAuditor) DestroyEntryPointPrograms 

func (ea *EventAuditor) DestroyEntryPointPrograms(bman *KABPFManager) error

DestroyEntryPointPrograms Function

func (*EventAuditor) DestroyEntryPoints 

func (ea *EventAuditor) DestroyEntryPoints() bool

DestroyEntryPoints Function

func (*EventAuditor) DestroyEventAuditor 

func (ea *EventAuditor) DestroyEventAuditor() error

DestroyEventAuditor Function

func (*EventAuditor) DestroyProcessMaps 

func (ea *EventAuditor) DestroyProcessMaps(bman *KABPFManager) error

DestroyProcessMaps Function

func (*EventAuditor) DestroyProcessPrograms 

func (ea *EventAuditor) DestroyProcessPrograms(bman *KABPFManager) error

DestroyProcessPrograms Function

func (*EventAuditor) DisableEntryPoint 

func (ea *EventAuditor) DisableEntryPoint(probe string)

DisableEntryPoint Function

func (*EventAuditor) EnableEntryPoint 

func (ea *EventAuditor) EnableEntryPoint(probe string)

EnableEntryPoint Function

func (*EventAuditor) GenerateAuditProgram 

func (ea *EventAuditor) GenerateAuditProgram(probe string, codeBlocks []string) string

GenerateAuditProgram Function

func (*EventAuditor) GenerateCodeBlock 

func (ea *EventAuditor) GenerateCodeBlock(auditEvent tp.AuditEventType) (string, error)

GenerateCodeBlock Function

func (*EventAuditor) InitializeEntryPointPrograms 

func (ea *EventAuditor) InitializeEntryPointPrograms(bman *KABPFManager) error

InitializeEntryPointPrograms Function

func (*EventAuditor) InitializeEntryPoints 

func (ea *EventAuditor) InitializeEntryPoints() bool

InitializeEntryPoints Function

func (*EventAuditor) InitializeProcessMaps 

func (ea *EventAuditor) InitializeProcessMaps(bman *KABPFManager) error

InitializeProcessMaps Function

func (*EventAuditor) InitializeProcessPrograms 

func (ea *EventAuditor) InitializeProcessPrograms(bman *KABPFManager) error

InitializeProcessPrograms Function

func (*EventAuditor) LoadAuditProgram 

func (ea *EventAuditor) LoadAuditProgram(source string, probe string) (uint32, error)

LoadAuditProgram Function

func (*EventAuditor) PopulateProcessJMPMap 

func (ea *EventAuditor) PopulateProcessJMPMap(bman *KABPFManager) error

PopulateProcessJMPMap Function

func (*EventAuditor) SaveRuntimeInfo 

func (ea *EventAuditor) SaveRuntimeInfo() error

SaveRuntimeInfo Function

func (*EventAuditor) UpdateAuditPrograms 

func (ea *EventAuditor) UpdateAuditPrograms()

UpdateAuditPrograms Function

func (*EventAuditor) UpdateEntryPoints 

func (ea *EventAuditor) UpdateEntryPoints()

UpdateEntryPoints Function

func (*EventAuditor) UpdateProcessMaps 

func (ea *EventAuditor) UpdateProcessMaps()

UpdateProcessMaps Function

type EventElement 

type EventElement struct {
	Key   uint32
	Value uint32
}

EventElement Structure

func (*EventElement) KeyPointer 

func (ee *EventElement) KeyPointer() unsafe.Pointer

KeyPointer Function (EventElement)

func (*EventElement) MapName 

func (ee *EventElement) MapName() string

MapName Function (EventElement)

func (*EventElement) SetFoundValue 

func (ee *EventElement) SetFoundValue(value []byte)

SetFoundValue Function (EventElement)

func (*EventElement) SetKey 

func (ee *EventElement) SetKey(eventID uint32)

SetKey Function (EventElement)

func (*EventElement) SetValue 

func (ee *EventElement) SetValue(flag uint32)

SetValue Function (EventElement)

func (*EventElement) ValuePointer 

func (ee *EventElement) ValuePointer() unsafe.Pointer

ValuePointer Function (EventElement)

type EventFilterElement 

type EventFilterElement struct {
	Key   EventFilterKey
	Value EventFilterValue
}

EventFilterElement Structure

func (*EventFilterElement) KeyPointer 

func (efe *EventFilterElement) KeyPointer() unsafe.Pointer

KeyPointer Function (EventFilterElement)

func (*EventFilterElement) MapName 

func (efe *EventFilterElement) MapName() string

MapName Function (EventFilterElement)

func (*EventFilterElement) SetFoundValue 

func (efe *EventFilterElement) SetFoundValue(value []byte)

SetFoundValue Function (EventFilterElement)

func (*EventFilterElement) SetKey 

func (efe *EventFilterElement) SetKey(pidNS, mntNS, eventID uint32)

SetKey Function (EventFilterElement)

func (*EventFilterElement) SetValue 

func (efe *EventFilterElement) SetValue(jumpIdx uint32)

SetValue Function (EventFilterElement)

func (*EventFilterElement) ValuePointer 

func (efe *EventFilterElement) ValuePointer() unsafe.Pointer

ValuePointer Function (EventFilterElement)

type EventFilterKey 

type EventFilterKey struct {
	PidNS   uint32
	MntNS   uint32
	EventID uint32
}

EventFilterKey Structure

type EventFilterValue 

type EventFilterValue struct {
	JumpIdx uint32
}

EventFilterValue Structure

type EventJumpTableElement 

type EventJumpTableElement struct {
	JumpIdx uint32
	ProgFD  uint32
}

EventJumpTableElement Structure

func (*EventJumpTableElement) KeyPointer 

func (ejte *EventJumpTableElement) KeyPointer() unsafe.Pointer

KeyPointer Function (EventJumpTableElement)

func (*EventJumpTableElement) MapName 

func (ejte *EventJumpTableElement) MapName() string

MapName Function (EventJumpTableElement)

func (*EventJumpTableElement) SetFoundValue 

func (ejte *EventJumpTableElement) SetFoundValue(value []byte)

SetFoundValue Function (EventFilterElement)

func (*EventJumpTableElement) SetKey 

func (ejte *EventJumpTableElement) SetKey(jumpIdx uint32)

SetKey Function (EventJumpTableElement)

func (*EventJumpTableElement) SetValue 

func (ejte *EventJumpTableElement) SetValue(progFd uint32)

SetValue Function (EventJumpTableElement)

func (*EventJumpTableElement) ValuePointer 

func (ejte *EventJumpTableElement) ValuePointer() unsafe.Pointer

ValuePointer Function (EventJumpTableElement)

type KABPFEventName 

type KABPFEventName string

KABPFEventName type

type KABPFManager 

type KABPFManager struct {
	// contains filtered or unexported fields
}

KABPFManager Structure

func NewKABPFManager 

func NewKABPFManager() *KABPFManager

NewKABPFManager Fucntion

func (*KABPFManager) AttachProgram 

func (bm *KABPFManager) AttachProgram(kaProg KABPFProg) error

AttachProgram Function

func (*KABPFManager) DestroyMap 

func (bm *KABPFManager) DestroyMap(kaMap KABPFMap) error

DestroyMap Function

func (*KABPFManager) DestroyProgram 

func (bm *KABPFManager) DestroyProgram(kaProg KABPFProg) error

DestroyProgram Function

func (*KABPFManager) DetachProgram 

func (bm *KABPFManager) DetachProgram(kaProg KABPFProg) error

DetachProgram Function

func (*KABPFManager) InitMap 

func (bm *KABPFManager) InitMap(kaMap KABPFMap, pin bool) error

InitMap Function

func (*KABPFManager) InitProgram 

func (bm *KABPFManager) InitProgram(kaProg KABPFProg) error

InitProgram Function

func (*KABPFManager) MapDeleteElement 

func (bm *KABPFManager) MapDeleteElement(e lbpf.KABPFMapElement) error

MapDeleteElement Function

func (*KABPFManager) MapLookupElement 

func (bm *KABPFManager) MapLookupElement(e lbpf.KABPFMapElement) ([]byte, error)

MapLookupElement Function

func (*KABPFManager) MapUpdateElement 

func (bm *KABPFManager) MapUpdateElement(e lbpf.KABPFMapElement) error

MapUpdateElement Function

func (*KABPFManager) SetObjsMapsPath 

func (bm *KABPFManager) SetObjsMapsPath(path string) error

SetObjsMapsPath Function

func (*KABPFManager) SetObjsProgsPath 

func (bm *KABPFManager) SetObjsProgsPath(path string) error

SetObjsProgsPath Function

type KABPFMap 

type KABPFMap struct {
	Name     KABPFMapName
	FileName KABPFObjFileName
}

KABPFMap structure

func KAEAGetMap 

func KAEAGetMap(name KABPFMapName) KABPFMap

KAEAGetMap Function

type KABPFMapName 

type KABPFMapName string

KABPFMapName type

type KABPFObjFileName 

type KABPFObjFileName string

KABPFObjFileName type

type KABPFProg 

type KABPFProg struct {
	Name      KABPFProgName
	EventName KABPFEventName
	EventType lbpf.KABPFLinkType
	TailProgs []KABPFTailProg
	FileName  KABPFObjFileName
}

KABPFProg structure

func KAEAGetEntryPointProg 

func KAEAGetEntryPointProg(name string) KABPFProg

KAEAGetEntryPointProg Function

func KAEAGetProg 

func KAEAGetProg(name KABPFProgName) KABPFProg

KAEAGetProg Function

type KABPFProgName 

type KABPFProgName string

KABPFProgName type

type KABPFTailProg 

type KABPFTailProg struct {
	Name  KABPFProgName
	Index uint32
}

KABPFTailProg structure

type PatternElement 

type PatternElement struct {
	Key   PatternMapKey
	Value PatternMapValue
}

PatternElement Structure

func (*PatternElement) KeyPointer 

func (pme *PatternElement) KeyPointer() unsafe.Pointer

KeyPointer Function (PatternElement)

func (*PatternElement) MapName 

func (pme *PatternElement) MapName() string

MapName Function (PatternElement)

func (*PatternElement) SetFoundValue 

func (pme *PatternElement) SetFoundValue(value []byte)

SetFoundValue Function (PatternElement)

func (*PatternElement) SetKey 

func (pme *PatternElement) SetKey(pattern string)

SetKey Function (PatternElement)

func (*PatternElement) SetValue 

func (pme *PatternElement) SetValue(patternID uint32)

SetValue Function (PatternElement)

func (*PatternElement) ValuePointer 

func (pme *PatternElement) ValuePointer() unsafe.Pointer

ValuePointer Function (PatternElement)

type PatternMapKey 

type PatternMapKey struct {
	Pattern [PatternMaxLen]byte
}

PatternMapKey Structure

type PatternMapValue 

type PatternMapValue struct {
	PatternID uint32
}

PatternMapValue Structure

type ProcessFilterElement 

type ProcessFilterElement struct {
	Key   ProcessFilterKey
	Value ProcessFilterValue
}

ProcessFilterElement Structure

func (*ProcessFilterElement) KeyPointer 

func (pfe *ProcessFilterElement) KeyPointer() unsafe.Pointer

KeyPointer Function (ProcessFilterElement)

func (*ProcessFilterElement) MapName 

func (pfe *ProcessFilterElement) MapName() string

MapName Function (ProcessFilterElement)

func (*ProcessFilterElement) SetFoundValue 

func (pfe *ProcessFilterElement) SetFoundValue(value []byte)

SetFoundValue Function (ProcessFilterElement)

func (*ProcessFilterElement) SetKey 

func (pfe *ProcessFilterElement) SetKey(pidNS, mntNS, hostPID uint32)

SetKey Function (ProcessFilterElement)

func (*ProcessFilterElement) SetValue 

func (pfe *ProcessFilterElement) SetValue(inspect bool)

SetValue Function (ProcessFilterElement)

func (*ProcessFilterElement) ValuePointer 

func (pfe *ProcessFilterElement) ValuePointer() unsafe.Pointer

ValuePointer Function (ProcessFilterElement)

type ProcessFilterKey 

type ProcessFilterKey struct {
	PidNS   uint32
	MntNS   uint32
	HostPID uint32
}

ProcessFilterKey Structure

type ProcessFilterValue 

type ProcessFilterValue struct {
	Inspect bool
}

ProcessFilterValue Structure

type ProcessJMPElement 

type ProcessJMPElement struct {
	Key   uint32
	Value uint32
}

ProcessJMPElement Structure

func (*ProcessJMPElement) KeyPointer 

func (pme *ProcessJMPElement) KeyPointer() unsafe.Pointer

KeyPointer Function (ProcessJMPElement)

func (*ProcessJMPElement) MapName 

func (pme *ProcessJMPElement) MapName() string

MapName Function (ProcessJMPElement)

func (*ProcessJMPElement) SetFoundValue 

func (pme *ProcessJMPElement) SetFoundValue(value []byte)

SetFoundValue Function (ProcessJMPElement)

func (*ProcessJMPElement) SetKey 

func (pme *ProcessJMPElement) SetKey(index uint32)

SetKey Function (ProcessJMPElement)

func (*ProcessJMPElement) SetValue 

func (pme *ProcessJMPElement) SetValue(progFD uint32)

SetValue Function (ProcessJMPElement)

func (*ProcessJMPElement) ValuePointer 

func (pme *ProcessJMPElement) ValuePointer() unsafe.Pointer

ValuePointer Function (ProcessJMPElement)

type ProcessSpecElement 

type ProcessSpecElement struct {
	Key   ProcessSpecKey
	Value ProcessSpecValue
}

ProcessSpecElement Structure

func (*ProcessSpecElement) KeyPointer 

func (pse *ProcessSpecElement) KeyPointer() unsafe.Pointer

KeyPointer Function (ProcessSpecElement)

func (*ProcessSpecElement) MapName 

func (pse *ProcessSpecElement) MapName() string

MapName Function (ProcessSpecElement)

func (*ProcessSpecElement) SetFoundValue 

func (pse *ProcessSpecElement) SetFoundValue(value []byte)

SetFoundValue Function (ProcessSpecElement)

func (*ProcessSpecElement) SetKey 

func (pse *ProcessSpecElement) SetKey(pidNS, mntNS, patternID uint32)

SetKey Function (ProcessSpecElement)

func (*ProcessSpecElement) SetValue 

func (pse *ProcessSpecElement) SetValue(inspect bool)

SetValue Function (ProcessSpecElement)

func (*ProcessSpecElement) ValuePointer 

func (pse *ProcessSpecElement) ValuePointer() unsafe.Pointer

ValuePointer Function (ProcessSpecElement)

type ProcessSpecKey 

type ProcessSpecKey struct {
	PidNS     uint32
	MntNS     uint32
	PatternID uint32
}

ProcessSpecKey Structure

type ProcessSpecValue 

type ProcessSpecValue struct {
	Inspect bool
}

ProcessSpecValue Structure

type Token 

type Token struct {
	Type  TokenType
	Value TokenValue
}

Token Structure

type TokenType 

type TokenType int64

TokenType Type 

const (
	Undefined TokenType = iota
	Number
	Range
	Glob
)

TokenTypes

type TokenValue 

type TokenValue interface{}

TokenValue Type

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.