serializers

type AnomalyDetectionSyscallEventSerializer struct {
	// Name of the syscall that triggered the anomaly detection event
	Syscall string `json:"syscall"`
}

type BPFEventSerializer struct {
	// BPF command
	Cmd string `json:"cmd"`
	// BPF map
	Map *BPFMapSerializer `json:"map,omitempty"`
	// BPF program
	Program *BPFProgramSerializer `json:"program,omitempty"`
}

type BPFMapSerializer struct {
	// Name of the BPF map
	Name string `json:"name,omitempty"`
	// Type of the BPF map
	MapType string `json:"map_type,omitempty"`
}

type BPFProgramSerializer struct {
	// Name of the BPF program
	Name string `json:"name,omitempty"`
	// Hash (sha1) of the BPF program
	Tag string `json:"tag,omitempty"`
	// Type of the BPF program
	ProgramType string `json:"program_type,omitempty"`
	// Attach type of the BPF program
	AttachType string `json:"attach_type,omitempty"`
	// List of helpers used by the BPF program
	Helpers []string `json:"helpers,omitempty"`
}

type BaseEventSerializer struct {
	EventContextSerializer `json:"evt,omitempty"`
	Date                   utils.EasyjsonTime `json:"date,omitempty"`

	*FileEventSerializer        `json:"file,omitempty"`
	*ExitEventSerializer        `json:"exit,omitempty"`
	*ProcessContextSerializer   `json:"process,omitempty"`
	*ContainerContextSerializer `json:"container,omitempty"`
}

type BindEventSerializer struct {
	// Bound address (if any)
	Addr IPPortFamilySerializer `json:"addr"`
}

type CapsetSerializer struct {
	// Effective Capability set
	CapEffective []string `json:"cap_effective"`
	// Permitted Capability set
	CapPermitted []string `json:"cap_permitted"`
}

type ContainerContextSerializer struct {
	// Container ID
	ID string `json:"id,omitempty"`
	// Creation time of the container
	CreatedAt *utils.EasyjsonTime `json:"created_at,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
}

type CredentialsSerializer struct {
	// User ID
	UID int `json:"uid"`
	// User name
	User string `json:"user,omitempty"`
	// Group ID
	GID int `json:"gid"`
	// Group name
	Group string `json:"group,omitempty"`
	// Effective User ID
	EUID int `json:"euid"`
	// Effective User name
	EUser string `json:"euser,omitempty"`
	// Effective Group ID
	EGID int `json:"egid"`
	// Effective Group name
	EGroup string `json:"egroup,omitempty"`
	// Filesystem User ID
	FSUID int `json:"fsuid"`
	// Filesystem User name
	FSUser string `json:"fsuser,omitempty"`
	// Filesystem Group ID
	FSGID int `json:"fsgid"`
	// Filesystem Group name
	FSGroup string `json:"fsgroup,omitempty"`
	// Effective Capability set
	CapEffective []string `json:"cap_effective"`
	// Permitted Capability set
	CapPermitted []string `json:"cap_permitted"`
}

type DDContextSerializer struct {
	// Span ID used for APM correlation
	SpanID uint64 `json:"span_id,omitempty"`
	// Trace ID used for APM correlation
	TraceID uint64 `json:"trace_id,omitempty"`
}

type DNSEventSerializer struct {
	// id is the unique identifier of the DNS request
	ID uint16 `json:"id"`
	// question is a DNS question for the DNS request
	Question DNSQuestionSerializer `json:"question"`
}

type DNSQuestionSerializer struct {
	// class is the class looked up by the DNS question
	Class string `json:"class"`
	// type is a two octet code which specifies the DNS question type
	Type string `json:"type"`
	// name is the queried domain name
	Name string `json:"name"`
	// size is the total DNS request size in bytes
	Size uint16 `json:"size"`
	// count is the total count of questions in the DNS request
	Count uint16 `json:"count"`
}

type EventContextSerializer struct {
	// Event name
	Name string `json:"name,omitempty"`
	// Event category
	Category string `json:"category,omitempty"`
	// Event outcome
	Outcome string `json:"outcome,omitempty"`
	// True if the event was asynchronous
	Async bool `json:"async,omitempty"`
	// The list of rules that the event matched (only valid in the context of an anomaly)
	MatchedRules []MatchedRuleSerializer `json:"matched_rules,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
}

type EventSerializer struct {
	*BaseEventSerializer

	*NetworkContextSerializer         `json:"network,omitempty"`
	*DDContextSerializer              `json:"dd,omitempty"`
	*SecurityProfileContextSerializer `json:"security_profile,omitempty"`

	*SELinuxEventSerializer                 `json:"selinux,omitempty"`
	*BPFEventSerializer                     `json:"bpf,omitempty"`
	*MMapEventSerializer                    `json:"mmap,omitempty"`
	*MProtectEventSerializer                `json:"mprotect,omitempty"`
	*PTraceEventSerializer                  `json:"ptrace,omitempty"`
	*ModuleEventSerializer                  `json:"module,omitempty"`
	*SignalEventSerializer                  `json:"signal,omitempty"`
	*SpliceEventSerializer                  `json:"splice,omitempty"`
	*DNSEventSerializer                     `json:"dns,omitempty"`
	*BindEventSerializer                    `json:"bind,omitempty"`
	*MountEventSerializer                   `json:"mount,omitempty"`
	*AnomalyDetectionSyscallEventSerializer `json:"anomaly_detection_syscall,omitempty"`
	*UserContextSerializer                  `json:"usr,omitempty"`
}

type ExitEventSerializer struct {
	// Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
	Cause string `json:"cause"`
	// Exit code of the process or number of the signal that caused the process to terminate
	Code uint32 `json:"code"`
}

type FileEventSerializer struct {
	FileSerializer
	// Target file information
	Destination *FileSerializer `json:"destination,omitempty"`

	// New Mount ID
	NewMountID uint32 `json:"new_mount_id,omitempty"`
	// Device associated with the file
	Device uint32 `json:"device,omitempty"`
	// Filesystem type
	FSType string `json:"fstype,omitempty"`
}

type FileSerializer struct {
	// File path
	Path string `json:"path,omitempty"`
	// File basename
	Name string `json:"name,omitempty"`
	// Error message from path resolution
	PathResolutionError string `json:"path_resolution_error,omitempty"`
	// File inode number
	Inode *uint64 `json:"inode,omitempty"`
	// File mode
	Mode *uint32 `json:"mode,omitempty"`
	// Indicator of file OverlayFS layer
	InUpperLayer *bool `json:"in_upper_layer,omitempty"`
	// File mount ID
	MountID *uint32 `json:"mount_id,omitempty"`
	// File filesystem name
	Filesystem string `json:"filesystem,omitempty"`
	// File User ID
	UID int64 `json:"uid"`
	// File Group ID
	GID int64 `json:"gid"`
	// File user
	User string `json:"user,omitempty"`
	// File group
	Group string `json:"group,omitempty"`
	// File extended attribute name
	XAttrName string `json:"attribute_name,omitempty"`
	// File extended attribute namespace
	XAttrNamespace string `json:"attribute_namespace,omitempty"`
	// File flags
	Flags []string `json:"flags,omitempty"`
	// File access time
	Atime *utils.EasyjsonTime `json:"access_time,omitempty"`
	// File modified time
	Mtime *utils.EasyjsonTime `json:"modification_time,omitempty"`
	// File change time
	Ctime *utils.EasyjsonTime `json:"change_time,omitempty"`
	// System package name
	PackageName string `json:"package_name,omitempty"`
	// System package version
	PackageVersion string `json:"package_version,omitempty"`
	// List of cryptographic hashes of the file
	Hashes []string `json:"hashes,omitempty"`
	// State of the hashes or reason why they weren't computed
	HashState string `json:"hash_state,omitempty"`
}

type IPPortFamilySerializer struct {
	// Address family
	Family string `json:"family"`
	// IP address
	IP string `json:"ip"`
	// Port number
	Port uint16 `json:"port"`
}

type IPPortSerializer struct {
	// IP address
	IP string `json:"ip"`
	// Port number
	Port uint16 `json:"port"`
}

type MMapEventSerializer struct {
	// memory segment address
	Address string `json:"address"`
	// file offset
	Offset uint64 `json:"offset"`
	// memory segment length
	Len uint32 `json:"length"`
	// memory segment protection
	Protection string `json:"protection"`
	// memory segment flags
	Flags string `json:"flags"`
}

type MProtectEventSerializer struct {
	// memory segment start address
	VMStart string `json:"vm_start"`
	// memory segment end address
	VMEnd string `json:"vm_end"`
	// initial memory segment protection
	VMProtection string `json:"vm_protection"`
	// new memory segment protection
	ReqProtection string `json:"req_protection"`
}

type MatchedRuleSerializer struct {
	// ID of the rule
	ID string `json:"id,omitempty"`
	// Version of the rule
	Version string `json:"version,omitempty"`
	// Tags of the rule
	Tags []string `json:"tags,omitempty"`
	// Name of the policy that introduced the rule
	PolicyName string `json:"policy_name,omitempty"`
	// Version of the policy that introduced the rule
	PolicyVersion string `json:"policy_version,omitempty"`
}

type ModuleEventSerializer struct {
	// module name
	Name string `json:"name"`
	// indicates if a module was loaded from memory, as opposed to a file
	LoadedFromMemory *bool    `json:"loaded_from_memory,omitempty"`
	Argv             []string `json:"argv,omitempty"`
	ArgsTruncated    *bool    `json:"args_truncated,omitempty"`
}

type MountEventSerializer struct {
	// Mount point file information
	MountPoint *FileSerializer `json:"mp,omitempty"`
	// Root file information
	Root *FileSerializer `json:"root,omitempty"`
	// Mount ID of the new mount
	MountID uint32 `json:"mount_id"`
	// Mount ID of the parent mount
	ParentMountID uint32 `json:"parent_mount_id"`
	// Mount ID of the source of a bind mount
	BindSrcMountID uint32 `json:"bind_src_mount_id"`
	// Device associated with the file
	Device uint32 `json:"device"`
	// Filesystem type
	FSType string `json:"fs_type,omitempty"`
	// Mount point path
	MountPointPath string `json:"mountpoint.path,omitempty"`
	// Mount source path
	MountSourcePath string `json:"source.path,omitempty"`
	// Mount point path error
	MountRootPathResolutionError string `json:"mountpoint.path_error,omitempty"`
	// Mount source path error
	MountSourcePathResolutionError string `json:"source.path_error,omitempty"`
}

type NetworkContextSerializer struct {
	// device is the network device on which the event was captured
	Device *NetworkDeviceSerializer `json:"device,omitempty"`

	// l3_protocol is the layer 3 protocol name
	L3Protocol string `json:"l3_protocol"`
	// l4_protocol is the layer 4 protocol name
	L4Protocol string `json:"l4_protocol"`
	// source is the emitter of the network event
	Source IPPortSerializer `json:"source"`
	// destination is the receiver of the network event
	Destination IPPortSerializer `json:"destination"`
	// size is the size in bytes of the network event
	Size uint32 `json:"size"`
}

type NetworkDeviceSerializer struct {
	// netns is the interface ifindex
	NetNS uint32 `json:"netns"`
	// ifindex is the network interface ifindex
	IfIndex uint32 `json:"ifindex"`
	// ifname is the network interface name
	IfName string `json:"ifname"`
}

type PTraceEventSerializer struct {
	// ptrace request
	Request string `json:"request"`
	// address at which the ptrace request was executed
	Address string `json:"address"`
	// process context of the tracee
	Tracee *ProcessContextSerializer `json:"tracee,omitempty"`
}

type ProcessContextSerializer struct {
	*ProcessSerializer
	// Parent process
	Parent *ProcessSerializer `json:"parent,omitempty"`
	// Ancestor processes
	Ancestors []*ProcessSerializer `json:"ancestors,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
}

type ProcessCredentialsSerializer struct {
	*CredentialsSerializer
	// Credentials after the operation
	Destination interface{} `json:"destination,omitempty"`
}

type ProcessSerializer struct {
	// Process ID
	Pid uint32 `json:"pid,omitempty"`
	// Parent Process ID
	PPid *uint32 `json:"ppid,omitempty"`
	// Thread ID
	Tid uint32 `json:"tid,omitempty"`
	// User ID
	UID int `json:"uid"`
	// Group ID
	GID int `json:"gid"`
	// User name
	User string `json:"user,omitempty"`
	// Group name
	Group string `json:"group,omitempty"`
	// Description of an error in the path resolution
	PathResolutionError string `json:"path_resolution_error,omitempty"`
	// Command name
	Comm string `json:"comm,omitempty"`
	// TTY associated with the process
	TTY string `json:"tty,omitempty"`
	// Fork time of the process
	ForkTime *utils.EasyjsonTime `json:"fork_time,omitempty"`
	// Exec time of the process
	ExecTime *utils.EasyjsonTime `json:"exec_time,omitempty"`
	// Exit time of the process
	ExitTime *utils.EasyjsonTime `json:"exit_time,omitempty"`
	// Credentials associated with the process
	Credentials *ProcessCredentialsSerializer `json:"credentials,omitempty"`
	// Context of the user session for this event
	UserSession *UserSessionContextSerializer `json:"user_session,omitempty"`
	// File information of the executable
	Executable *FileSerializer `json:"executable,omitempty"`
	// File information of the interpreter
	Interpreter *FileSerializer `json:"interpreter,omitempty"`
	// Container context
	Container *ContainerContextSerializer `json:"container,omitempty"`
	// First command line argument
	Argv0 string `json:"argv0,omitempty"`
	// Command line arguments
	Args []string `json:"args,omitempty"`
	// Indicator of arguments truncation
	ArgsTruncated bool `json:"args_truncated,omitempty"`
	// Environment variables of the process
	Envs []string `json:"envs,omitempty"`
	// Indicator of environments variable truncation
	EnvsTruncated bool `json:"envs_truncated,omitempty"`
	// Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)
	IsThread bool `json:"is_thread,omitempty"`
	// Indicates whether the process is a kworker
	IsKworker bool `json:"is_kworker,omitempty"`
	// Indicates whether the process is an exec following another exec
	IsExecExec bool `json:"is_exec_child,omitempty"`
	// Process source
	Source string `json:"source,omitempty"`
}

type SELinuxBoolChangeSerializer struct {
	// SELinux boolean name
	Name string `json:"name,omitempty"`
	// SELinux boolean state ('on' or 'off')
	State string `json:"state,omitempty"`
}

type SELinuxBoolCommitSerializer struct {
	// SELinux boolean commit operation
	State bool `json:"state,omitempty"`
}

type SELinuxEnforceStatusSerializer struct {
	// SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')
	Status string `json:"status,omitempty"`
}

type SELinuxEventSerializer struct {
	// SELinux boolean operation
	BoolChange *SELinuxBoolChangeSerializer `json:"bool,omitempty"`
	// SELinux enforcement change
	EnforceStatus *SELinuxEnforceStatusSerializer `json:"enforce,omitempty"`
	// SELinux boolean commit
	BoolCommit *SELinuxBoolCommitSerializer `json:"bool_commit,omitempty"`
}

type SecurityProfileContextSerializer struct {
	// Name of the security profile
	Name string `json:"name"`
	// Version of the profile in use
	Version string `json:"version"`
	// List of tags associated to this profile
	Tags []string `json:"tags"`
	// True if the corresponding event is part of this profile
	EventInProfile bool `json:"event_in_profile"`
}

type SetgidSerializer struct {
	// Group ID
	GID int `json:"gid"`
	// Group name
	Group string `json:"group,omitempty"`
	// Effective Group ID
	EGID int `json:"egid"`
	// Effective Group name
	EGroup string `json:"egroup,omitempty"`
	// Filesystem Group ID
	FSGID int `json:"fsgid"`
	// Filesystem Group name
	FSGroup string `json:"fsgroup,omitempty"`
}

type SetuidSerializer struct {
	// User ID
	UID int `json:"uid"`
	// User name
	User string `json:"user,omitempty"`
	// Effective User ID
	EUID int `json:"euid"`
	// Effective User name
	EUser string `json:"euser,omitempty"`
	// Filesystem User ID
	FSUID int `json:"fsuid"`
	// Filesystem User name
	FSUser string `json:"fsuser,omitempty"`
}

type SignalEventSerializer struct {
	// signal type
	Type string `json:"type"`
	// signal target pid
	PID uint32 `json:"pid"`
	// process context of the signal target
	Target *ProcessContextSerializer `json:"target,omitempty"`
}

type SpliceEventSerializer struct {
	// Entry flag of the fd_out pipe passed to the splice syscall
	PipeEntryFlag string `json:"pipe_entry_flag"`
	// Exit flag of the fd_out pipe passed to the splice syscall
	PipeExitFlag string `json:"pipe_exit_flag"`
}

type UserContextSerializer struct {
	// User name
	User string `json:"id,omitempty"`
	// Group name
	Group string `json:"group,omitempty"`
}

type UserSessionContextSerializer struct {
	// Unique identifier of the user session on the host
	ID string `json:"id,omitempty"`
	// Type of the user session
	SessionType string `json:"session_type,omitempty"`
	// Username of the Kubernetes "kubectl exec" session
	K8SUsername string `json:"k8s_username,omitempty"`
	// UID of the Kubernetes "kubectl exec" session
	K8SUID string `json:"k8s_uid,omitempty"`
	// Groups of the Kubernetes "kubectl exec" session
	K8SGroups []string `json:"k8s_groups,omitempty"`
	// Extra of the Kubernetes "kubectl exec" session
	K8SExtra map[string][]string `json:"k8s_extra,omitempty"`
}

type Variables map[string]interface{}