Documentation ¶
Overview ¶
Package process fetches process and socket information from the operating system. It can find the process owning a network connection.
Index ¶
- Constants
- Variables
- func All() map[int]*Process
- func CleanProcessStorage(activePIDs map[int]struct{})
- func GetPidOfConnection(ctx context.Context, pktInfo *packet.Info) (pid int, connInbound bool, err error)
- func RegisterTagHandler(th TagHandler) error
- func SetDBController(controller *database.Controller)
- type MatchingData
- type Process
- func GetNetworkHost(ctx context.Context, remoteIP net.IP) (process *Process, err error)
- func GetOrFindProcess(ctx context.Context, pid int) (*Process, error)
- func GetProcessByRequestOrigin(ar *api.Request) (*Process, error)
- func GetProcessFromStorage(key string) (*Process, bool)
- func GetProcessWithProfile(ctx context.Context, pid int) (process *Process, err error)
- func GetSystemProcess(ctx context.Context) *Process
- func GetUnidentifiedProcess(ctx context.Context) *Process
- func GetUnsolicitedProcess(ctx context.Context) *Process
- func (p *Process) CreateProfileCallback() *profile.Profile
- func (p *Process) Delete()
- func (p *Process) Equal(other *Process) bool
- func (p *Process) GetExecHash(algorithm string) (string, error)
- func (p *Process) GetID() string
- func (p *Process) GetLastSeen() int64
- func (p *Process) GetProfile(ctx context.Context) (changed bool, err error)
- func (p *Process) GetTag(tagID string) (profile.Tag, bool)
- func (p *Process) IsIdentified() bool
- func (p *Process) IsSystemResolver() bool
- func (p *Process) MatchingData() *MatchingData
- func (p *Process) Profile() *profile.LayeredProfile
- func (p *Process) Save()
- func (p *Process) SetLastSeen(lastSeen int64)
- func (p *Process) String() string
- type TagDescription
- type TagHandler
Constants ¶
const ( // UndefinedProcessID is not used by any (virtual) process and signifies that // the PID is unset. UndefinedProcessID = -1 // UnidentifiedProcessID is the PID used for outgoing connections that could // not be attributed to a PID for any reason. UnidentifiedProcessID = -2 // UnsolicitedProcessID is the PID used for incoming connections that could // not be attributed to a PID for any reason. UnsolicitedProcessID = -3 // NetworkHostProcessID is the PID used for requests served to the network. NetworkHostProcessID = -255 )
const SystemProcessID = 0
SystemProcessID is the PID of the System/Kernel itself.
Variables ¶
var (
CfgOptionEnableProcessDetectionKey = "core/enableProcessDetection"
)
Configuration Keys.
Functions ¶
func CleanProcessStorage ¶
func CleanProcessStorage(activePIDs map[int]struct{})
CleanProcessStorage cleans the storage from old processes.
func GetPidOfConnection ¶ added in v1.2.0
func GetPidOfConnection(ctx context.Context, pktInfo *packet.Info) (pid int, connInbound bool, err error)
GetPidOfConnection returns the PID of the process that owns the described connection. Always returns valid data. Errors are logged and returned for information or special handling purposes.
func RegisterTagHandler ¶ added in v0.9.9
func RegisterTagHandler(th TagHandler) error
RegisterTagHandler registers a tag handler.
func SetDBController ¶
func SetDBController(controller *database.Controller)
SetDBController sets the database controller and allows the package to push database updates on a save. It must be set by the package that registers the "network" database.
Types ¶
type MatchingData ¶ added in v0.9.9
type MatchingData struct {
// contains filtered or unexported fields
}
MatchingData provides a interface compatible view on the process for profile matching.
func (*MatchingData) Cmdline ¶ added in v0.9.9
func (md *MatchingData) Cmdline() string
Cmdline returns the command line of the process.
func (*MatchingData) Env ¶ added in v0.9.9
func (md *MatchingData) Env() map[string]string
Env returns process.Env.
func (*MatchingData) MatchingPath ¶ added in v0.9.9
func (md *MatchingData) MatchingPath() string
MatchingPath returns process.MatchingPath.
func (*MatchingData) Path ¶ added in v0.9.9
func (md *MatchingData) Path() string
Path returns process.Path.
func (*MatchingData) Tags ¶ added in v0.9.9
func (md *MatchingData) Tags() []profile.Tag
Tags returns process.Tags.
type Process ¶
type Process struct { record.Base sync.Mutex Name string UserID int UserName string UserHome string Pid int CreatedAt int64 ParentPid int ParentCreatedAt int64 Path string ExecName string Cwd string CmdLine string FirstArg string Env map[string]string // Tags holds extended information about the (virtual) process, which is used // to find a profile. Tags []profile.Tag // MatchingPath holds an alternative binary path that can be used to find a // profile. MatchingPath string // PrimaryProfileID holds the scoped ID of the primary profile. PrimaryProfileID string FirstSeen int64 LastSeen int64 Error string // Cache errors ExecHashes map[string]string // contains filtered or unexported fields }
A Process represents a process running on the operating system.
func GetNetworkHost ¶ added in v0.6.5
GetNetworkHost returns a *Process that represents a host on the network.
func GetOrFindProcess ¶
GetOrFindProcess returns the process for the given PID.
func GetProcessByRequestOrigin ¶ added in v0.9.1
GetProcessByRequestOrigin returns the process that initiated the API request ar.
func GetProcessFromStorage ¶
GetProcessFromStorage returns a process from the internal storage.
func GetProcessWithProfile ¶ added in v1.2.0
GetProcessWithProfile returns the process, including the profile. Always returns valid data. Errors are logged and returned for information or special handling purposes.
func GetSystemProcess ¶ added in v0.4.1
GetSystemProcess returns the special process used for the Kernel.
func GetUnidentifiedProcess ¶ added in v0.4.1
GetUnidentifiedProcess returns the special process assigned to non-attributed outgoing connections.
func GetUnsolicitedProcess ¶ added in v0.8.6
GetUnsolicitedProcess returns the special process assigned to non-attributed incoming connections.
func (*Process) CreateProfileCallback ¶ added in v0.9.9
CreateProfileCallback attempts to create a profile on special attributes of the process.
func (*Process) Delete ¶
func (p *Process) Delete()
Delete deletes a process from the storage and propagates the change.
func (*Process) Equal ¶ added in v0.8.13
Equal returns if the two processes are both identified and have the same PID.
func (*Process) GetExecHash ¶
GetExecHash returns the hash of the executable with the given algorithm.
func (*Process) GetID ¶ added in v1.3.0
GetID returns the key that is used internally to identify the process. The ID consists of the PID and the start time of the process as reported by the system.
func (*Process) GetLastSeen ¶ added in v0.6.0
GetLastSeen returns the unix timestamp when the process was last seen.
func (*Process) GetProfile ¶ added in v0.4.0
GetProfile finds and assigns a profile set to the process.
func (*Process) IsIdentified ¶ added in v0.8.13
IsIdentified returns whether the process has been identified or if it represents some kind of unidentified process.
func (*Process) IsSystemResolver ¶ added in v0.6.7
IsSystemResolver is a shortcut to check if the process is or belongs to the system resolver and needs special handling.
func (*Process) MatchingData ¶ added in v0.9.9
func (p *Process) MatchingData() *MatchingData
MatchingData returns the matching data for the process.
func (*Process) Profile ¶ added in v0.4.0
func (p *Process) Profile() *profile.LayeredProfile
Profile returns the assigned layered profile.
func (*Process) Save ¶
func (p *Process) Save()
Save saves the process to the internal state and pushes an update.
func (*Process) SetLastSeen ¶ added in v0.6.0
SetLastSeen sets the unix timestamp when the process was last seen.
type TagDescription ¶ added in v0.9.9
TagDescription describes a tag.
type TagHandler ¶ added in v0.9.9
type TagHandler interface { // Name returns the tag handler name. Name() string // TagDescriptions returns a list of all possible tags and their description // of this handler. TagDescriptions() []TagDescription // AddTags adds tags to the given process. AddTags(p *Process) // CreateProfile creates a profile based on the tags of the process. // Returns nil to skip. CreateProfile(p *Process) *profile.Profile }
TagHandler is a collection of process tag related interfaces.