Documentation ¶
Overview ¶
Package events provides event structures and collects their data through eBPF probes.
Exec provides data on execve calls. This code is modified from iovisor/gobpf examples.
Index ¶
- Variables
- func CStr(cString []byte) string
- func ExecBPF(evChan chan Event, ctx Ctx)
- func ListenBPF(evChan chan Event, ctx Ctx)
- func Log(e Event)
- func OpenBPF(evChan chan Event, ctx Ctx)
- func ReadlineBPF(evChan chan Event, ctx Ctx)
- func TypeHeader(e Event) string
- type Ctx
- type Event
- type Exec
- func (e *Exec) FetchOther() interface{}
- func (e *Exec) FetchPid() uint32
- func (e *Exec) FetchPwd() string
- func (e *Exec) FetchRetVal() int32
- func (e *Exec) FetchUid() uint32
- func (e *Exec) IsOther() bool
- func (e *Exec) IsPwd() bool
- func (e *Exec) IsRet() bool
- func (e *Exec) Print() string
- func (e *Exec) SetOther(args []interface{})
- func (e *Exec) SetPwd(tmp string)
- func (e *Exec) SetRetVal(val int32)
- func (e *Exec) Write(data []byte) (Event, error)
- type File
- func (e *File) FetchOther() interface{}
- func (e *File) FetchPid() uint32
- func (e *File) FetchPwd() string
- func (e *File) FetchRetVal() int32
- func (e *File) FetchUid() uint32
- func (e *File) IsOther() bool
- func (e *File) IsPwd() bool
- func (e *File) IsRet() bool
- func (e *File) Print() string
- func (e *File) SetOther(input []interface{})
- func (e *File) SetPwd(tmp string)
- func (e *File) SetRetVal(val int32)
- func (e *File) Write(data []byte) (Event, error)
- type Listen
- func (e *Listen) FetchOther() interface{}
- func (e *Listen) FetchPid() uint32
- func (e *Listen) FetchPwd() string
- func (e *Listen) FetchRetVal() int32
- func (e *Listen) FetchUid() uint32
- func (e *Listen) IsOther() bool
- func (e *Listen) IsPwd() bool
- func (e *Listen) IsRet() bool
- func (e Listen) Print() string
- func (e *Listen) SetOther(input []interface{})
- func (e *Listen) SetPwd(tmp string)
- func (e *Listen) SetRetVal(val int32)
- func (e *Listen) Write(data []byte) (Event, error)
- type LogItem
- type Open
- func (e *Open) FetchOther() interface{}
- func (e *Open) FetchPid() uint32
- func (e *Open) FetchPwd() string
- func (e *Open) FetchRetVal() int32
- func (e *Open) FetchUid() uint32
- func (e *Open) IsOther() bool
- func (e *Open) IsPwd() bool
- func (e *Open) IsRet() bool
- func (e *Open) Print() string
- func (e *Open) SetOther(input []interface{})
- func (e *Open) SetPwd(tmp string)
- func (e *Open) SetRetVal(val int32)
- func (e *Open) Write(data []byte) (Event, error)
- type Process
- func (e *Process) FetchOther() interface{}
- func (e *Process) FetchPid() uint32
- func (e *Process) FetchPwd() string
- func (e *Process) FetchRetVal() int32
- func (e *Process) FetchUid() uint32
- func (e *Process) IsOther() bool
- func (e *Process) IsPwd() bool
- func (e *Process) IsRet() bool
- func (e *Process) Print() string
- func (e *Process) SetOther(input []interface{})
- func (e *Process) SetPwd(tmp string)
- func (e *Process) SetRetVal(val int32)
- func (e *Process) Write(data []byte) (Event, error)
- type Readline
- func (e *Readline) FetchOther() interface{}
- func (e *Readline) FetchPid() uint32
- func (e *Readline) FetchPwd() string
- func (e *Readline) FetchRetVal() int32
- func (e *Readline) FetchUid() uint32
- func (e *Readline) IsOther() bool
- func (e *Readline) IsPwd() bool
- func (e *Readline) IsRet() bool
- func (e *Readline) Print() string
- func (e *Readline) SetOther(input []interface{})
- func (e *Readline) SetPwd(tmp string)
- func (e *Readline) SetRetVal(val int32)
- func (e *Readline) Write(data []byte) (Event, error)
- type User
- func (e *User) FetchOther() interface{}
- func (e *User) FetchPid() uint32
- func (e *User) FetchPwd() string
- func (e *User) FetchRetVal() int32
- func (e *User) FetchUid() uint32
- func (e *User) IsOther() bool
- func (e *User) IsPwd() bool
- func (e *User) IsRet() bool
- func (e *User) Print() string
- func (e *User) SetOther(input []interface{})
- func (e *User) SetPwd(tmp string)
- func (e *User) SetRetVal(val int32)
- func (e *User) Write(data []byte) (Event, error)
Constants ¶
This section is empty.
Variables ¶
var EventLog = ring.New(1000)
Holds the most recent 1000 events in a ring buffer (container/ring); once full, each new event overwrites the oldest entry.
Functions ¶
func ListenBPF ¶
Credit to https://blog.yadutaf.fr/2016/03/30/turn-any-syscall-into-event-introducing-ebpf-kernel-probes/
func ReadlineBPF ¶
func TypeHeader ¶
Types ¶
type Ctx ¶
func NewContext ¶
func NewContext() Ctx
type Event ¶
type Exec ¶
type Exec struct { Comm [commLen]byte Argv [argSize]byte // contains filtered or unexported fields }
func (*Exec) FetchOther ¶
func (e *Exec) FetchOther() interface{}
func (*Exec) FetchRetVal ¶
func (e *Exec) FetchRetVal() int32
type File ¶
type File struct { Filename string // contains filtered or unexported fields }
func (*File) FetchOther ¶
func (e *File) FetchOther() interface{}
func (*File) FetchRetVal ¶
func (e *File) FetchRetVal() int32
type Listen ¶
type Listen struct { Addr uint32 Port uint16 SockType int16 Backlog int32 // contains filtered or unexported fields }
func (*Listen) FetchOther ¶
func (e *Listen) FetchOther() interface{}
func (*Listen) FetchRetVal ¶
func (e *Listen) FetchRetVal() int32
type Open ¶
type Open struct { Dfd int16 Filename [fileNameSize]byte Flags int32 // contains filtered or unexported fields }
func (*Open) FetchOther ¶
func (e *Open) FetchOther() interface{}
func (*Open) FetchRetVal ¶
func (e *Open) FetchRetVal() int32
type Process ¶
type Process struct {
// contains filtered or unexported fields
}
func (*Process) FetchOther ¶
func (e *Process) FetchOther() interface{}
func (*Process) FetchRetVal ¶
func (e *Process) FetchRetVal() int32
type Readline ¶
type Readline struct { Str [80]byte // contains filtered or unexported fields }
func (*Readline) FetchOther ¶
func (e *Readline) FetchOther() interface{}
func (*Readline) FetchRetVal ¶
func (e *Readline) FetchRetVal() int32
type User ¶
type User struct {
// contains filtered or unexported fields
}
func (*User) FetchOther ¶
func (e *User) FetchOther() interface{}
func (*User) FetchRetVal ¶
func (e *User) FetchRetVal() int32