external

package module

v1.6.9 Latest Latest Go to latest Published: Sep 30, 2021 License: Apache-2.0 Imports: 4 Imported by: 8

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/grantseltzer/tracee

Documentation ¶

Index ¶

type ArgMeta
type Argument
- func (arg *Argument) UnmarshalJSON(b []byte) error
type Event
- func (e Event) ToUnstructured() (map[string]interface{}, error)
type SlimCred
type Stats

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type ArgMeta ¶

type ArgMeta struct {
	Name string `json:"name"`
	Type string `json:"type"`
}

ArgMeta describes an argument

type Argument ¶

type Argument struct {
	ArgMeta
	Value interface{} `json:"value"`
}

Argument holds the information for one argument

func (*Argument) UnmarshalJSON ¶

func (arg *Argument) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type Event ¶

type Event struct {
	Timestamp           int        `json:"timestamp"`
	ProcessID           int        `json:"processId"`
	ThreadID            int        `json:"threadId"`
	ParentProcessID     int        `json:"parentProcessId"`
	HostProcessID       int        `json:"hostProcessId"`
	HostThreadID        int        `json:"hostThreadId"`
	HostParentProcessID int        `json:"hostParentProcessId"`
	UserID              int        `json:"userId"`
	MountNS             int        `json:"mountNamespace"`
	PIDNS               int        `json:"pidNamespace"`
	ProcessName         string     `json:"processName"`
	HostName            string     `json:"hostName"`
	ContainerID         string     `json:"containerId"`
	EventID             int        `json:"eventId,string"`
	EventName           string     `json:"eventName"`
	ArgsNum             int        `json:"argsNum"`
	ReturnValue         int        `json:"returnValue"`
	StackAddresses      []uint64   `json:"stackAddresses"`
	Args                []Argument `json:"args"` //Arguments are ordered according their appearance in the original event
}

Event is a user facing data structure representing a single event

func (Event) ToUnstructured ¶

func (e Event) ToUnstructured() (map[string]interface{}, error)

ToUnstructured returns a JSON compatible map with string, float, int, bool, []interface{}, or map[string]interface{} children.

It allows this Event to be manipulated generically. For example, it can be used as a parsed input with OPA SDK to avoid relatively expensive JSON encoding round trip.

type SlimCred ¶

type SlimCred struct {
	Uid            uint32 /* real UID of the task */
	Gid            uint32 /* real GID of the task */
	Suid           uint32 /* saved UID of the task */
	Sgid           uint32 /* saved GID of the task */
	Euid           uint32 /* effective UID of the task */
	Egid           uint32 /* effective GID of the task */
	Fsuid          uint32 /* UID for VFS ops */
	Fsgid          uint32 /* GID for VFS ops */
	CapInheritable uint64 /* caps our children can inherit */
	CapPermitted   uint64 /* caps we're permitted */
	CapEffective   uint64 /* caps we can actually use */
	CapBounding    uint64 /* capability bounding set */
	CapAmbient     uint64 /* Ambient capability set */
}

SlimCred struct is a slim version of the kernel's cred struct it is used to unmarshal binary data and therefore should match (bit by bit) to the `slim_cred_t` struct in the ebpf code.

type Stats ¶

type Stats struct {
	EventCount  int
	ErrorCount  int
	LostEvCount int
	LostWrCount int
	LostNtCount int
}

Source Files ¶

View all Source files

external.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL