fsmon


Constants

This section is empty.

Variables

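// ImportantFiles is the built-in default file-monitor filter set: system
// locations whose modification is security-relevant (package databases,
// account and credential files, name resolution, the dynamic loader and
// libc, and every binary directory). Every entry uses
// share.FileAccessBehaviorMonitor, i.e. changes are reported, not blocked.
//
// Path and Regex appear to be interpreted as regular expressions by the
// matching code — the escaped dots in "/etc/resolv\\.conf" and
// "/home/.*/\\.ssh" only make sense under that reading (confirm against the
// matcher). Recursive extends a directory entry to its subtree. A few entries
// leave a literal "." unescaped (e.g. "Packages.db"); that is harmless, it
// merely matches one extra character class.
var ImportantFiles []share.CLUSFileMonitorFilter = []share.CLUSFileMonitorFilter{
	// Package-manager databases: a change here means software was installed
	// or removed. Keep this list in sync with packageFile.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/dpkg/status", Regex: ""},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/rpm/Packages", Regex: ""},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib/apk/db/installed", Regex: ""},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/rpm/Packages.db", Regex: ""},
	// Name resolution and local accounts / credentials.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/hosts", Regex: ""},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/passwd", Regex: ""},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/shadow", Regex: ""},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/resolv\\.conf", Regex: ""},
	// SSH trust material. Only user home directories were covered before;
	// root's SSH directory is an equally common persistence target, so it is
	// listed explicitly (same shape as the /home entry).
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/home/.*/\\.ssh", Regex: ".*"},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/root/\\.ssh", Regex: ".*"},
	// Dynamic loader and core libraries. On multi-arch systems the loader is
	// named ld-linux-<arch>.so.N (e.g. ld-linux-x86-64.so.2), so the pattern
	// must be "ld-linux.*" as already used for /lib64; the previous
	// "ld-linux\\..*" only matched the bare ld-linux.so.N spelling.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "ld-linux.*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "libc\\..*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "libpthread.*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "ld-linux.*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "libc\\..*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "libpthread.*", Recursive: true},
	// Executable directories: any file, whole subtree.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/bin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/sbin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/bin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/sbin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/local/bin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/local/sbin", Regex: ".*", Recursive: true},
}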

Functions

func ParseMonitorPath

func ParseMonitorPath(path string) (int, string, error)

ParseMonitorPath derives the container index from the prefix of a monitored path and returns that index together with the remaining path; the error is set when the prefix cannot be interpreted.

Types

type EstimateRuleSrcCallback

// EstimateRuleSrcCallback is supplied by the caller (FileMonitorConfig.EstRule)
// and is asked, for a rule id and file path, to return a string; bBlocked
// tells it whether the access was blocked. What the returned string denotes
// (presumably the rule's source) is not visible here — confirm against the
// implementer.
type EstimateRuleSrcCallback func(id, path string, bBlocked bool) string

type FaMonProbeData

// FaMonProbeData carries size counters for the fanotify watcher, filled in by
// FaNotify.GetProbeData. It is diagnostic data (how much state the watcher
// holds), not policy. Field meanings are inferred from the names — confirm
// against FaNotify.GetProbeData.
type FaMonProbeData struct {
	NRoots    int // container roots being watched
	NMntRoots int // mount roots being watched
	NDirMarks int // directory marks placed
	NRules    int // access rules installed
	NPaths    int // file paths watched
	NDirs     int // directories watched
}

type FaNotify

// FaNotify is the fanotify-based file watcher. Create it with NewFaNotify and
// release it with Close. Watches are added per path with the AddMonitor*
// methods, each of which takes a protect flag; SetMode switches the policy
// mode of one container (rootPid) and UpdateAccessRule installs its access
// rule. All exported state is reached through the methods; the fields are
// unexported.
type FaNotify struct {
	// contains filtered or unexported fields
}

func NewFaNotify

func NewFaNotify(endFaChan chan bool, cb PidLookupCallback, nvrpt SendNVrptCallback, sys *system.SystemTools, bNvProtect bool) (*FaNotify, error)

func (*FaNotify) AddMonitorDirFile

func (fn *FaNotify) AddMonitorDirFile(path string, filter interface{}, protect, userAdded bool, files map[string]interface{}, cb NotifyCallback, params interface{}) bool

///

func (*FaNotify) AddMonitorFile

func (fn *FaNotify) AddMonitorFile(path string, filter interface{}, protect, userAdded bool, cb NotifyCallback, params interface{}) bool

//

func (*FaNotify) AddMonitorFileOnTheFly

func (fn *FaNotify) AddMonitorFileOnTheFly(path string, filter interface{}, protect, userAdded bool, cb NotifyCallback, params interface{}) bool

// TODO

func (*FaNotify) Close

func (fn *FaNotify) Close()

///

func (*FaNotify) ContainerCleanup

func (fn *FaNotify) ContainerCleanup(rootPid int)

func (*FaNotify) GetProbeData

func (fn *FaNotify) GetProbeData(m *FaMonProbeData)

//////

func (*FaNotify) GetWatchFileList

func (fn *FaNotify) GetWatchFileList(rootPid int) []*share.CLUSFileMonitorFile

func (*FaNotify) GetWatches

func (fn *FaNotify) GetWatches() []*share.CLUSFileMonitorFile

func (*FaNotify) MonitorFileEvents

func (fn *FaNotify) MonitorFileEvents()

///

func (*FaNotify) RemoveMonitorFile

func (fn *FaNotify) RemoveMonitorFile(path string)

////

func (*FaNotify) SetMode

func (fn *FaNotify) SetMode(rootPid int, access, perm, capBlock, bNeuvectorSvc bool)

SetMode sets the file-monitor policy mode for the container identified by rootPid, but it does not update the existing watches; the caller must re-add the watches afterwards, and until it does they keep their previous behaviour.

func (*FaNotify) StartMonitor

func (fn *FaNotify) StartMonitor(rootPid int) bool

///

func (*FaNotify) UpdateAccessRule

func (fn *FaNotify) UpdateAccessRule(rootPid int, conf *share.CLUSFileAccessRule) error

type FileMonitorConfig

// FileMonitorConfig is the construction-time configuration for NewFileWatcher.
// The callback fields are how the watcher hands results back to its owner;
// it does not report or enforce anything on its own.
type FileMonitorConfig struct {
	ProfileEnable  bool                        // enable file-monitor profiles (presumably; confirm against NewFileWatcher)
	IsAufs         bool                        // container storage driver is aufs — affects how paths are resolved (inferred from the name)
	EnableTrace    bool                        // verbose tracing; can also be toggled later with SetMonitorTrace
	NVProtect      bool                        // protect NeuVector's own files; can be toggled later with SetNVProtectFlag
	EndChan        chan bool                   // shutdown signal (compare endFaChan in NewFaNotify)
	WalkerTask     *workerlet.Tasker           // worker used for directory walks — project type, semantics not visible here
	PidLookup      PidLookupCallback           // resolves a pid to ProcInfo for event attribution
	SendReport     SendAggregateReportCallback // delivers aggregated MonitorMessage reports
	SendAccessRule SendFileAccessRuleCallback  // pushes learned/updated access rules upstream
	EstRule        EstimateRuleSrcCallback     // see EstimateRuleSrcCallback
}

type FileWatch

// FileWatch is the top-level file monitor returned by NewFileWatcher. It
// combines the fanotify (FaNotify) and inotify (Inotify) watchers — see the
// Fan and Ino members of FmonProbeData — and is driven per container through
// StartWatch, UpdateAccessRules and ContainerCleanup. Call Close to shut it
// down.
type FileWatch struct {
	// contains filtered or unexported fields
}

func NewFileWatcher

func NewFileWatcher(config *FileMonitorConfig, logLevel string) (*FileWatch, error)

func (*FileWatch) Close

func (w *FileWatch) Close()

func (*FileWatch) ContainerCleanup

func (w *FileWatch) ContainerCleanup(rootPid int, bLeave bool)

func (*FileWatch) GetAllFileMonitorFile

func (w *FileWatch) GetAllFileMonitorFile() []*share.CLUSFileMonitorFile

func (*FileWatch) GetProbeData

func (w *FileWatch) GetProbeData() *FmonProbeData

//////

func (*FileWatch) GetWatchFileList

func (w *FileWatch) GetWatchFileList(rootPid int) []*share.CLUSFileMonitorFile

func (*FileWatch) HandleWatchedFiles

func (w *FileWatch) HandleWatchedFiles()

func (*FileWatch) SendNVProcessAlert

func (w *FileWatch) SendNVProcessAlert(rootPid, ppid int, cid, path, ppath string)

func (*FileWatch) SetMonitorTrace

func (w *FileWatch) SetMonitorTrace(bEnable bool, logLevel string)

func (*FileWatch) SetNVProtectFlag

func (w *FileWatch) SetNVProtectFlag(bEnabled bool)

func (*FileWatch) StartWatch

func (w *FileWatch) StartWatch(id string, rootPid int, conf *FsmonConfig, capBlock, bNeuvectorSvc bool)

func (*FileWatch) UpdateAccessRules

func (w *FileWatch) UpdateAccessRules(name string, rootPid int, conf *share.CLUSFileAccessRule)

type FmonProbeData

// FmonProbeData is the diagnostic snapshot returned by FileWatch.GetProbeData:
// aggregate counters for the whole file monitor plus the per-backend
// counters of the fanotify and inotify watchers.
type FmonProbeData struct {
	NFileEvents int            // file events seen (inferred from the name)
	NGroups     int            // groups tracked (inferred from the name)
	Fan         FaMonProbeData // fanotify watcher counters
	Ino         IMonProbeData  // inotify watcher counters
}

type FsmonConfig

// FsmonConfig is the per-container policy handed to FileWatch.StartWatch:
// the file-monitor profile (what to watch) and the file-access rule (what is
// allowed). Both are cluster (share) types; either may be nil as far as this
// page shows — confirm how StartWatch treats a nil Profile or Rule.
type FsmonConfig struct {
	Profile *share.CLUSFileMonitorProfile
	Rule    *share.CLUSFileAccessRule
}

type IFile

// IFile is an internal record of the inotify watcher; it is exported but has
// no exported fields or methods, so callers outside the package have no use
// for it.
type IFile struct {
	// contains filtered or unexported fields
}

type IMonProbeData

// IMonProbeData carries size counters for the inotify watcher, filled in by
// Inotify.GetProbeData. Meanings are inferred from the names — confirm
// against Inotify.GetProbeData.
type IMonProbeData struct {
	NWds   int // inotify watch descriptors in use (compare Inotify.GetWatchCount)
	NPaths int // file paths watched
	NDirs  int // directories watched
}

type Inotify

// Inotify is the inotify-based file watcher, the lighter-weight counterpart
// of FaNotify (no protect/blocking flags on its AddMonitor* methods). Create
// it with NewInotify and release it with Close; MonitorFileEvents is the
// event loop.
type Inotify struct {
	// contains filtered or unexported fields
}

func NewInotify

func NewInotify() (*Inotify, error)

func (*Inotify) AddMonitorDirFile

func (n *Inotify) AddMonitorDirFile(path string, files map[string]interface{}, cb NotifyCallback, params interface{}) bool

func (*Inotify) AddMonitorFile

func (n *Inotify) AddMonitorFile(path string, cb NotifyCallback, params interface{}) bool

func (*Inotify) CheckMonitorFileExist

func (n *Inotify) CheckMonitorFileExist(path string) (interface{}, bool)

func (*Inotify) Close

func (n *Inotify) Close()

func (*Inotify) ContainerCleanup

func (n *Inotify) ContainerCleanup(rootPid int)

func (*Inotify) GetProbeData

func (n *Inotify) GetProbeData(m *IMonProbeData)

//////

func (*Inotify) GetWatchCount

func (n *Inotify) GetWatchCount() uint32

func (*Inotify) GetWatchFileList

func (n *Inotify) GetWatchFileList(rootPid int) []string

func (*Inotify) GetWatches

func (n *Inotify) GetWatches() []string

func (*Inotify) MonitorFileEvents

func (n *Inotify) MonitorFileEvents()

func (*Inotify) RemoveMonitorFile

func (n *Inotify) RemoveMonitorFile(path string)

type MonitorMessage

// MonitorMessage is the report emitted for a file-monitor event and handed to
// SendAggregateReportCallback. The Proc* fields mirror ProcInfo for the
// process that touched the file.
//
// NOTE(review): ProcCmds carries the full command line of the offending
// process, which may contain secrets passed as arguments; anything that logs
// or forwards these reports should treat that field as sensitive.
type MonitorMessage struct {
	ID        string    // container id (presumably; compare the id argument of StartWatch)
	Path      string    // file path the event is about
	Package   bool      // Path is a package database (compare packageFile) — inferred, confirm
	ProcName  string    // see ProcInfo.Name
	ProcPath  string    // see ProcInfo.Path
	ProcCmds  []string  // see ProcInfo.Cmds
	ProcPid   int       // see ProcInfo.Pid
	ProcEUid  int       // see ProcInfo.EUid
	ProcEUser string    // see ProcInfo.EUser
	ProcPPid  int       // see ProcInfo.PPid
	ProcPName string    // see ProcInfo.PName
	ProcPPath string    // see ProcInfo.PPath
	Group     string    // policy group the container belongs to (inferred from the name)
	Msg       string    // human-readable description
	Count     int       // number of aggregated occurrences (inferred from the "Aggregate" callback name)
	StartAt   time.Time // time of the first aggregated occurrence (inferred; confirm)
	Action    string    // action taken or recommended (inferred; confirm)
}

type NotifyCallback

// NotifyCallback is invoked by a watcher when an event fires on a watched
// path. mask is the raw event mask from the underlying notification API
// (presumably fanotify/inotify bits — confirm), params is the opaque value
// passed to the AddMonitor* call that registered the watch, and pInfo
// describes the acting process; callers should be prepared for a nil pInfo
// when the process could not be resolved — confirm against the watchers.
type NotifyCallback func(path string, mask uint32, params interface{}, pInfo *ProcInfo)

type PidLookupCallback

// PidLookupCallback resolves a pid to its ProcInfo so that file events can be
// attributed to a process. Whether it may return nil for an unknown or
// already-exited pid is not visible here — implementers and callers should
// agree on that.
type PidLookupCallback func(pid int) *ProcInfo

type ProcInfo

// ProcInfo describes the process behind a file event: identity, command line,
// effective user and parent, plus the policy verdict fields. It is produced
// by PidLookupCallback and delivered to NotifyCallback.
type ProcInfo struct {
	RootPid   int      // pid of the container's root process (the rootPid used throughout this package)
	Name      string   // process name
	Path      string   // executable path
	Cmds      []string // full command line — may contain secrets; treat as sensitive
	Pid       int      // process id
	EUid      int      // effective uid
	EUser     string   // effective user name
	PPid      int      // parent pid
	PName     string   // parent process name
	PPath     string   // parent executable path
	Deny      bool     // access is denied by policy (inferred from the name; confirm)
	InProfile bool     // process is part of the learned/declared profile (inferred; confirm)
}

type SendAggregateReportCallback

// SendAggregateReportCallback delivers an aggregated MonitorMessage to the
// owner of the file monitor (FileMonitorConfig.SendReport). The meaning of
// the bool result is not visible here — confirm against the implementer.
type SendAggregateReportCallback func(fsmsg *MonitorMessage) bool

// packageFile is the set of package-manager database paths; it matches the
// first four entries of ImportantFiles and the two lists must be kept in
// sync. A hit on one of these paths is presumably what sets
// MonitorMessage.Package — confirm against the reporting code.
var packageFile utils.Set = utils.NewSet(

"/var/lib/dpkg/status",
"/var/lib/rpm/Packages",
"/var/lib/rpm/Packages.db",
"/lib/apk/db/installed")

type SendFileAccessRuleCallback

// SendFileAccessRuleCallback pushes a batch of file-access rule requests to
// the owner of the file monitor (FileMonitorConfig.SendAccessRule). A non-nil
// error reports that the batch could not be delivered.
type SendFileAccessRuleCallback func(rules []*share.CLUSFileAccessRuleReq) error

type SendNVrptCallback

// SendNVrptCallback reports a process event concerning NeuVector's own files
// (the bNvProtect path of NewFaNotify); its parameters are the same as those
// of FileWatch.SendNVProcessAlert, which is the likely caller: the container
// root pid, the parent pid, the container id, and the paths of the process
// and its parent.
type SendNVrptCallback func(rootPid, ppid int, cid, path, ppath string)
