Documentation
Constants

    const (
        MethodFtrace = "ftrace"
        MethodProc   = "proc"
        MethodAudit  = "audit"
    )

Supported monitor method types.
Variables
This section is empty.
Functions

func GetPIDFromINode
GetPIDFromINode tries to get the PID from a socket inode following these steps:

1. Get the PID from the cache of inodes.
2. Get the PID from the cache of PIDs.
3. Look for the PID using one of these methods:
   - ftrace: listening to process execs/exits from /sys/kernel/debug/tracing/
   - audit: listening for socket creation events from auditd.
   - proc: searching /proc

If the PID is not found by either of the first two methods (ftrace or audit), it falls back to searching /proc.
func IsWatcherAvailable

    func IsWatcherAvailable() bool

IsWatcherAvailable checks if ftrace (debugfs) is
func SetMonitorMethod

    func SetMonitorMethod(newMonitorMethod string)
SetMonitorMethod configures a new method for parsing connections.
Types

type Inode

Inode represents an item of the InodesCache. The key is formed as follows: inode+srcip+srcport+dstip+dstport
type Process

    type Process struct {
        ID          int
        Path        string
        Args        []string
        Env         map[string]string
        CWD         string
        Descriptors []*procDescriptors
        IOStats     *procIOstats
        Status      string
        Stat        string
        Statm       *procStatm
        Stack       string
        Maps        string
    }
Process holds the details of a process.
func FindProcess
FindProcess checks if a process exists given a PID. If it exists in /proc, a new Process{} object is returned with the details to identify a process (cmdline, name, environment variables, etc).
func NewProcess
NewProcess returns a new Process structure.
Directories

Path | Synopsis
---|---
audit | Package audit reads auditd events from the builtin af_unix plugin, and parses the messages in order to proactively monitor pids which make connections.