Documentation ¶
Index ¶
- Constants
- func FindingToEvent(f detect.Finding) (*trace.Event, error)
- func GetCaptureEventsList(cfg config.Config) map[events.ID]events.EventState
- func GetEssentialEventsList() map[events.ID]events.EventState
- func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol
- func MergeErrors(cs ...<-chan error) <-chan error
- func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helpers.KernelSymbol) error
- func ValidateKsymbolsTable(ksyms helpers.KernelSymbolTable) bool
- type BPFLog
- func (b BPFLog) CPU() uint32
- func (b BPFLog) Count() uint32
- func (b *BPFLog) Decode(rawBuffer []byte) error
- func (b BPFLog) Error() string
- func (b BPFLog) File() []byte
- func (b BPFLog) FileAsString() string
- func (b BPFLog) ID() uint32
- func (b BPFLog) Line() uint32
- func (b BPFLog) LogLevel() logger.Level
- func (b BPFLog) Return() int64
- func (b BPFLog) Size() int
- func (b BPFLog) Type() BPFLogType
- type BPFLogType
- type InitValues
- type Tracker
- func (t *Tracker) AddReadyCallback(f func(ctx gocontext.Context))
- func (t *Tracker) Close()
- func (t *Tracker) Init() error
- func (t *Tracker) NewKernelSymbols() error
- func (t *Tracker) PrepareBuiltinDataSources() []detect.DataSource
- func (t *Tracker) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, ...) error
- func (t *Tracker) RegisterEventProcessor(id events.ID, proc func(evt *trace.Event) error) error
- func (t *Tracker) Run(ctx gocontext.Context) error
- func (t *Tracker) Running() bool
- func (t *Tracker) Stats() *metrics.Stats
- func (t *Tracker) UpdateBPFKsymbolsMap() error
- func (t *Tracker) UpdateKallsyms() error
- func (t *Tracker) UpdateKernelSymbols() error
- func (t *Tracker) WaitForPipeline(errs ...<-chan error) error
Constants ¶
const ( Iterate )
const BPFMaxLogFileLen = 72 // BPF_MAX_LOG_FILE_LEN
Variables ¶
This section is empty.
Functions ¶
func FindingToEvent ¶
FindingToEvent converts a detect.Finding into a trace.Event. This is needed because the pipeline expects trace.Event, but the rule engine returns detect.Finding.
func GetCaptureEventsList ¶
GetCaptureEventsList sets the events used to capture data.
func GetEssentialEventsList ¶
func GetEssentialEventsList() map[events.ID]events.EventState
GetEssentialEventsList sets the default events used by tracker.
func LoadKallsymsValues ¶
func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol
func MergeErrors ¶
MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.
func SendKsymbolsToMap ¶
func ValidateKsymbolsTable ¶
func ValidateKsymbolsTable(ksyms helpers.KernelSymbolTable) bool
ValidateKsymbolsTable checks whether the addresses in the table are valid by checking the address of a specific symbol. The addresses are invalid when the capabilities required to read the kallsyms file were not granted. The symbol chosen here is "security_file_open" because it is a must-have symbol for tracker to run.
Types ¶
type BPFLog ¶
type BPFLog struct {
// contains filtered or unexported fields
}
BPFLog contains aggregated data about the origin of a bpf log.
func (BPFLog) FileAsString ¶
func (BPFLog) Type ¶
func (b BPFLog) Type() BPFLogType
type BPFLogType ¶
type BPFLogType uint32
const ( BPFLogIDUnspec BPFLogType = iota // BPF_LOG_ID_UNSPEC // tracker functions BPFLogIDInitContext // BPF_LOG_ID_INIT_CONTEXT // bpf helpers functions BPFLogIDMapLookupElem // BPF_LOG_ID_MAP_LOOKUP_ELEM BPFLogIDMapUpdateElem // BPF_LOG_ID_MAP_UPDATE_ELEM BPFLogIDMapDeleteElem // BPF_LOG_ID_MAP_DELETE_ELEM BPFLogIDGetCurrentComm // BPF_LOG_ID_GET_CURRENT_COMM BPFLogIDTailCall // BPF_LOG_ID_TAIL_CALL BPFLogIDMemRead // BPF_LOG_ID_MEM_READ )
func (BPFLogType) String ¶
func (b BPFLogType) String() string
type InitValues ¶
type InitValues struct {
Kallsyms bool
}
InitValues determines whether to initialize values that might be needed by eBPF programs.
type Tracker ¶
type Tracker struct { OutDir *os.File // use utils.XXX functions to create or write to this file // BPF Maps StackAddressesMap *bpf.BPFMap FDArgPathMap *bpf.BPFMap // contains filtered or unexported fields }
Tracker traces system calls and system events using eBPF
func New ¶
New creates a new Tracker instance based on a given valid Config. It is expected not to cause external system side effects (reads, writes, etc.).
func (*Tracker) AddReadyCallback ¶
AddReadyCallback sets a callback function to be called when the tracker has started all its probes and is ready to receive events.
func (*Tracker) Init ¶
Init initializes the tracker instance and its various subsystems, potentially performing external system operations to do so. NOTE: any initialization logic, especially logic that causes side effects, should go here and not in New().
func (*Tracker) NewKernelSymbols ¶
func (*Tracker) PrepareBuiltinDataSources ¶
func (t *Tracker) PrepareBuiltinDataSources() []detect.DataSource
PrepareBuiltinDataSources returns a list of all the built-in data sources that tracker makes available.
func (*Tracker) RegisterEventDerivation ¶
func (t *Tracker) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, deriveLogic derive.DeriveFunction) error
RegisterEventDerivation registers an event derivation handler for tracker to use in the event pipeline.
func (*Tracker) RegisterEventProcessor ¶
RegisterEventProcessor registers a pipeline processing handler for an event.
func (*Tracker) UpdateBPFKsymbolsMap ¶
func (*Tracker) UpdateKallsyms ¶
func (*Tracker) UpdateKernelSymbols ¶
func (*Tracker) WaitForPipeline ¶
WaitForPipeline waits for results from all error channels.