Package trace defines the public types exported through the eBPF code and produced outward from tracee-ebpf.
Constants ¶
// EventSource is the source identifier ("tracee") attached to events defined
// in this package.
const EventSource = "tracee"
Types ¶
type Argument ¶
type Argument struct {
	// ArgMeta is embedded (declared elsewhere in this package); presumably it
	// carries the argument's name and declared type.
	ArgMeta
	// Value is the decoded argument value. Its dynamic Go type is not fixed by
	// this declaration, so consumers must type-assert; the UnmarshalJSON
	// method declared below presumably picks the concrete type from ArgMeta —
	// confirm there before relying on a specific type for untrusted input.
	Value interface{} `json:"value"`
}
Argument holds the metadata (the embedded ArgMeta) and the decoded value of one event argument.
func (*Argument) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface.
type ContextFlags ¶
type ContextFlags struct {
	// ContainerStarted presumably reports whether the container's entry point
	// had already started when the event was captured (compare the
	// ContainerOrigin / ContainerInitOrigin split of EventOrigin) — confirm
	// against the eBPF side.
	ContainerStarted bool `json:"containerStarted"`
	// IsCompat presumably marks events raised through the 32-bit compat
	// syscall ABI — confirm against the eBPF side.
	IsCompat bool `json:"isCompat"`
}
ContextFlags are boolean flags describing the context in which an event was captured.
type DnsQueryData ¶
type DnsResponseData ¶
// DnsResponseData pairs a DNS response's answer records with the query they
// answer.
type DnsResponseData struct {
	QueryData DnsQueryData `json:"query_data"` // the query this response answers
	DnsAnswer []DnsAnswer  `json:"dns_answer"` // answer records; a nil slice encodes as JSON null, not []
}
type Event ¶
type Event struct {
	// Timestamp and ThreadStartTime are raw integer times. The clock and unit
	// (nanoseconds? monotonic vs wall-clock?) are not visible from this type —
	// TODO confirm before comparing values across hosts.
	Timestamp       int `json:"timestamp"`
	ThreadStartTime int `json:"threadStartTime"`
	ProcessorID     int `json:"processorId"` // presumably the CPU that recorded the event
	// Process/thread identifiers. The Host* variants presumably give the host
	// (root PID namespace) view while the plain ones are as seen inside the
	// task's own PID namespace — confirm against the eBPF side.
	ProcessID           int  `json:"processId"`
	CgroupID            uint `json:"cgroupId"`
	ThreadID            int  `json:"threadId"`
	ParentProcessID     int  `json:"parentProcessId"`
	HostProcessID       int  `json:"hostProcessId"`
	HostThreadID        int  `json:"hostThreadId"`
	HostParentProcessID int  `json:"hostParentProcessId"`
	UserID              int  `json:"userId"`
	MountNS             int  `json:"mountNamespace"` // mount namespace identifier
	PIDNS               int  `json:"pidNamespace"`   // PID namespace identifier
	ProcessName         string `json:"processName"`
	HostName            string `json:"hostName"`
	// NOTE(review): if Container and Kubernetes are struct types, `omitempty`
	// has no effect here — encoding/json never treats a struct value as empty —
	// so these objects are always emitted. A pointer (as with Metadata below)
	// is what actually lets an absent value be omitted.
	Container  Container  `json:"container,omitempty"`
	Kubernetes Kubernetes `json:"kubernetes,omitempty"`
	EventID    int        `json:"eventId,string"` // the ",string" option serializes the numeric ID as a JSON string
	EventName  string     `json:"eventName"`
	MatchedPolicies      uint64   `json:"-"`                         // bitmask of matched policies; deliberately not serialized
	MatchedPoliciesNames []string `json:"matchedPolicies,omitempty"` // human-readable names of the matched policies
	ArgsNum     int    `json:"argsNum"` // expected to equal len(Args); nothing in this type enforces it
	ReturnValue int    `json:"returnValue"`
	Syscall     string `json:"syscall"`
	// StackAddresses are raw addresses (whether user or kernel space is not
	// visible here). Treat them as sensitive when forwarding events: raw
	// addresses can weaken ASLR/KASLR for whoever can read the stream.
	StackAddresses []uint64     `json:"stackAddresses"`
	ContextFlags   ContextFlags `json:"contextFlags"`
	Args           []Argument   `json:"args"` // Arguments are ordered according to their appearance in the original event
	Metadata       *Metadata    `json:"metadata,omitempty"` // pointer, so a nil value really is omitted from the JSON
}
Event is a single result of eBPF event processing. It is the payload later delivered to tracee-rules.
func (Event) Origin ¶
func (e Event) Origin() EventOrigin
Origin derives the EventOrigin of a trace.Event.
func (Event) ToProtocol ¶
ToProtocol converts a trace.Event into a protocol.Event that the rules engine can consume.
type EventOrigin ¶
// EventOrigin is where a trace.Event occurred: either the host machine or a
// container (container events are further split by whether the entry point
// had already executed).
type EventOrigin string

const (
	// ContainerOrigin: events originating from within a container, starting
	// with the entry-point execution.
	ContainerOrigin EventOrigin = "container"
	// HostOrigin: events originating from the host.
	HostOrigin EventOrigin = "host"
	// ContainerInitOrigin: events originating from within a container before
	// the entry point executed.
	ContainerInitOrigin EventOrigin = "container-init"
)
type HiddenKernelModule ¶
type HookedSymbolData ¶
type KernelReadType ¶
// KernelReadType appears (from the constant names) to classify what kind of
// file the kernel was reading when the event fired. The iota order is
// significant: the zero value is KernelReadUnknown, and the sequence looks
// like a mirror of the kernel's kernel_read_file_id enum — keep it in sync
// with the eBPF side and do not reorder or insert values.
type KernelReadType int

const (
	KernelReadUnknown KernelReadType = iota // zero value
	KernelReadFirmware
	KernelReadKernelModule
	KernelReadKExecImage
	KernelReadKExecInitRAMFS
	KernelReadSecurityPolicy
	KernelReadx509Certificate
)
func (KernelReadType) String ¶
func (readType KernelReadType) String() string
type Kubernetes ¶
type MemProtAlert ¶
// MemProtAlert is an enum of possible messages that an event can carry to
// pass extra information about a memory-protection change (mmap/mprotect
// flags, judging by the constant names — confirm in the eBPF code).
type MemProtAlert uint32

const (
	ProtAlertUnknown MemProtAlert = iota // zero value: no/unknown alert
	ProtAlertMmapWX                      // name suggests an mmap that is both writable and executable
	ProtAlertMprotectToX                 // name suggests an mprotect that added execute
	ProtAlertMprotectXToWX               // name suggests exec -> write+exec
	ProtAlertMprotectWXToX               // name suggests write+exec -> exec
	ProtAlertLast                        // sentinel: one past the last valid alert, not an alert itself
)
func (MemProtAlert) String ¶
func (alert MemProtAlert) String() string
type Metadata ¶
type Metadata struct {
	// No json tags on this struct: fields serialize under their Go names
	// ("Version", "Description", ...), unlike the camelCase used by Event.
	Version     string
	Description string
	Tags        []string
	Properties  map[string]interface{} // free-form; values are untyped, so consumers must type-assert
}
Metadata holds descriptive metadata about an event.
type ProtoDNS ¶
// ProtoDNS is the decoded DNS message attached to a network event: the
// header fields followed by the four record sections.
type ProtoDNS struct {
	ID           uint16 `json:"ID"`     // transaction ID
	QR           uint8  `json:"QR"`     // query/response flag (a single header bit stored in a uint8)
	OpCode       string `json:"opCode"` // already rendered as text by the decoder
	AA           uint8  `json:"AA"`     // authoritative answer flag
	TC           uint8  `json:"TC"`     // truncated flag
	RD           uint8  `json:"RD"`     // recursion desired flag
	RA           uint8  `json:"RA"`     // recursion available flag
	Z            uint8  `json:"Z"`      // reserved bits
	ResponseCode string `json:"responseCode"`
	// Section counts, presumably copied from the header. Whether the decoder
	// validates them against the sections it actually parsed is not visible
	// here, so iterate with len(Questions) etc. rather than trusting these
	// counts on malformed or truncated packets.
	QDCount uint16 `json:"QDCount"`
	ANCount uint16 `json:"ANCount"`
	NSCount uint16 `json:"NSCount"`
	ARCount uint16 `json:"ARCount"`
	Questions   []ProtoDNSQuestion       `json:"questions"`
	Answers     []ProtoDNSResourceRecord `json:"answers"`
	Authorities []ProtoDNSResourceRecord `json:"authorities"`
	Additionals []ProtoDNSResourceRecord `json:"additionals"`
}
type ProtoDNSMX ¶
type ProtoDNSOPT ¶
type ProtoDNSQuestion ¶
type ProtoDNSResourceRecord ¶
// ProtoDNSResourceRecord is one decoded resource record. Name, Type, Class
// and TTL are common to every record; of the remaining fields presumably only
// the one matching Type is populated, the rest staying at their zero values —
// the decoder is not visible here, so confirm before relying on that. None of
// the struct-typed members carry omitempty, so every record serializes all
// of them.
type ProtoDNSResourceRecord struct {
	Name  string `json:"name"`
	Type  string `json:"type"`  // record type as text
	Class string `json:"class"` // record class as text
	TTL   uint32 `json:"TTL"`
	IP    string `json:"IP"`    // address records
	NS    string `json:"NS"`
	CNAME string `json:"CNAME"`
	PTR   string `json:"PTR"`
	TXTs  []string `json:"TXTs"` // TXT record strings
	SOA   ProtoDNSSOA   `json:"SOA"`
	SRV   ProtoDNSSRV   `json:"SRV"`
	MX    ProtoDNSMX    `json:"MX"`
	OPT   []ProtoDNSOPT `json:"OPT"`
	URI   ProtoDNSURI   `json:"URI"`
	TXT   string `json:"TXT"` // single-string TXT form alongside TXTs; which one the decoder fills is not visible here
}
type ProtoDNSSOA ¶
type ProtoDNSSRV ¶
type ProtoDNSURI ¶
type ProtoHTTP ¶
// ProtoHTTP is the decoded HTTP message attached to a network event. Request
// and response share this one shape: Direction tells which it is, and the
// fields that do not apply presumably stay at their zero values.
type ProtoHTTP struct {
	Direction  string `json:"direction"`
	Method     string `json:"method"` // request side
	Protocol   string `json:"protocol"`
	Host       string `json:"host"`
	URIPath    string `json:"uri_path"`
	Status     string `json:"status"`      // response side
	StatusCode int    `json:"status_code"` // response side
	// NOTE(review): headers are carried as captured. Request headers routinely
	// include Authorization, Cookie and API-key values, so any sink for these
	// events (logs, SIEM, long-term storage) should redact or drop this field
	// unless capturing credentials is intended.
	Headers       http.Header `json:"headers"`
	ContentLength int64       `json:"content_length"` // presumably the Content-Length header value rather than bytes observed on the wire — confirm
}
type ProtoHTTPRequest ¶
type ProtoHTTPResponse ¶
type ProtoICMPv6 ¶
type ProtoIPv4 ¶
// ProtoIPv4 is the decoded IPv4 header of a captured packet.
type ProtoIPv4 struct {
	Version    uint8  `json:"version"`
	IHL        uint8  `json:"IHL"` // header length field
	TOS        uint8  `json:"TOS"`
	Length     uint16 `json:"length"`
	Id         uint16 `json:"id"`
	Flags      uint8  `json:"flags"`
	FragOffset uint16 `json:"fragOffset"` // fragment offset; a non-zero value marks a non-first fragment
	TTL        uint8  `json:"TTL"`
	Protocol   string `json:"protocol"` // decoded to a name rather than the numeric protocol field
	Checksum   uint16 `json:"checksum"` // as seen on the wire; whether it was validated is not visible here
	SrcIP      string `json:"srcIP"`
	DstIP      string `json:"dstIP"`
}
type ProtoTCP ¶
// ProtoTCP is the decoded TCP header of a captured packet. Each control flag
// occupies one bit in the header but is stored here in its own uint8.
type ProtoTCP struct {
	SrcPort    uint16 `json:"srcPort"`
	DstPort    uint16 `json:"dstPort"`
	Seq        uint32 `json:"seq"` // raw sequence number
	Ack        uint32 `json:"ack"` // raw acknowledgement number
	DataOffset uint8  `json:"dataOffset"`
	FIN        uint8  `json:"FIN"`
	SYN        uint8  `json:"SYN"`
	RST        uint8  `json:"RST"`
	PSH        uint8  `json:"PSH"`
	ACK        uint8  `json:"ACK"`
	URG        uint8  `json:"URG"`
	ECE        uint8  `json:"ECE"`
	CWR        uint8  `json:"CWR"`
	NS         uint8  `json:"NS"`
	Window     uint16 `json:"window"`   // raw window field (any scaling option is not reflected here)
	Checksum   uint16 `json:"checksum"` // as seen on the wire; whether it was validated is not visible here
	Urgent     uint16 `json:"urgent"`   // urgent pointer
}
type SlimCred ¶
// SlimCred is a slim version of the kernel's cred struct. It is decoded
// straight from binary data, so its layout must match the eBPF `slim_cred_t`
// bit for bit: ten uint32 fields followed by five uint64 fields (80 bytes,
// with no padding because the first uint64 starts at offset 40, which is
// 8-byte aligned). Do not reorder, resize or insert fields; any change here
// must also be made to bufferdecoder.SlimCred.
type SlimCred struct {
	Uid            uint32 /* real UID of the task */
	Gid            uint32 /* real GID of the task */
	Suid           uint32 /* saved UID of the task */
	Sgid           uint32 /* saved GID of the task */
	Euid           uint32 /* effective UID of the task */
	Egid           uint32 /* effective GID of the task */
	Fsuid          uint32 /* UID for VFS ops */
	Fsgid          uint32 /* GID for VFS ops */
	UserNamespace  uint32 /* user namespace of the event */
	SecureBits     uint32 /* SUID-less security management (securebits flags) */
	CapInheritable uint64 /* caps our children can inherit */
	CapPermitted   uint64 /* caps we're permitted */
	CapEffective   uint64 /* caps we can actually use */
	CapBounding    uint64 /* capability bounding set */
	CapAmbient     uint64 /* ambient capability set */
}
SlimCred is a slim version of the kernel's cred struct. It is used to unmarshal binary data and therefore must match the `slim_cred_t` struct in the eBPF code bit for bit. Any change to this struct must also be made to bufferdecoder.SlimCred.