probe


Documentation


Constants

// rtnetlink multicast group masks. The names and values match the Linux
// RTMGRP_* definitions (link changes, IPv4 address changes, IPv6 address
// changes); they are typed uint32 so they can be OR-ed directly into a
// netlink group subscription mask. Where they are subscribed is outside
// this listing.
const (
	RTMGRP_LINK        uint32 = 0x1   // interface (link) state changes
	RTMGRP_IPV4_IFADDR uint32 = 0x10  // IPv4 address add/remove
	RTMGRP_IPV6_IFADDR uint32 = 0x100 // IPv6 address add/remove
)
// Probe message types. They are sequential from zero because ProbeMsgName
// is a slice indexed by these values; append new types at the end and add
// the matching name to ProbeMsgName in the same change. ProbeMessage.Type
// presumably carries one of these values (not verified in this listing).
const (
	PROBE_PROCESS_CHANGE = iota // process table changed
	PROBE_CONTAINER_START
	PROBE_CONTAINER_STOP
	PROBE_CONTAINER_NEW_IP
	PROBE_REPORT_ESCALATION         // privilege escalation report (see ProbeEscalation)
	PROBE_REPORT_SUSPICIOUS         // suspicious process report
	PROBE_REPORT_TUNNEL             // tunnel connection report
	PROBE_REPORT_FILE_MODIFIED      // file modification report
	PROBE_REPORT_PROCESS_VIOLATION  // process profile violation
	PROBE_REPORT_PROCESS_DENIED     // process denied by profile
)
// INET_DIAG_INFO is the inet_diag extension type for protocol-specific socket
// information (value 2 in the kernel's inet_diag extension enum). Its use
// site is outside this listing.
const INET_DIAG_INFO = 2

Variables

// ProbeMsgName maps each PROBE_* message type to its report name. It is a
// slice indexed by the type value, so it must stay in step with the PROBE_*
// constant block: a type without an entry here indexes an empty string or,
// if beyond the last constant, panics.
var ProbeMsgName = []string{
	PROBE_PROCESS_CHANGE:           "process_change",
	PROBE_CONTAINER_START:          "container_start",
	PROBE_CONTAINER_STOP:           "container_stop",
	PROBE_CONTAINER_NEW_IP:         "container_new_ip",
	PROBE_REPORT_ESCALATION:        "escalation",
	PROBE_REPORT_SUSPICIOUS:        "suspicious_process",
	PROBE_REPORT_TUNNEL:            "tunnel_connection",
	PROBE_REPORT_FILE_MODIFIED:     "file_modified",
	PROBE_REPORT_PROCESS_VIOLATION: "process_profile_violation",
	PROBE_REPORT_PROCESS_DENIED:    "process_profile_denied",
}
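// ProcFilters is the classic BPF program attached to the process-connector
// netlink socket. For PROC_EVENT_FORK and PROC_EVENT_EXIT it accepts the
// message only when the event's pid equals its tgid (the thread-group
// leader), dropping the per-thread fork/exit noise; every other event type
// is accepted whole.
//
// Each event block loads the pid into A, parks it in scratch slot 0, moves
// it to X, loads the tgid into A and compares A with X. The two SkipFalse
// offsets of 7 jump over exactly the 7-instruction block that follows, so
// they must be updated if a block changes length. Values are compared after
// utils.Htonl because BPF word loads are big-endian while the connector
// payload is in host order (presumably — confirm against the offsets).
var ProcFilters = []bpf.Instruction{
	bpf.LoadAbsolute{Off: posProcEventWhat, Size: 4},

	// PROC_EVENT_FORK: keep only if child pid == child tgid.
	bpf.JumpIf{Val: utils.Htonl(netlink.PROC_EVENT_FORK), SkipFalse: 7},
	bpf.LoadAbsolute{Off: posForkChildPid, Size: 4},
	bpf.StoreScratch{Src: bpf.RegA, N: 0},
	bpf.LoadScratch{Dst: bpf.RegX, N: 0},
	bpf.LoadAbsolute{Off: posForkChildTgid, Size: 4},
	bpf.JumpIfX{SkipFalse: 1}, // zero-value Cond is JumpEqual: A == X
	bpf.RetConstant{Val: 0xffffffff},
	bpf.RetConstant{Val: 0x0},

	// PROC_EVENT_EXIT: keep only if process pid == process tgid.
	bpf.JumpIf{Val: utils.Htonl(netlink.PROC_EVENT_EXIT), SkipFalse: 7},
	bpf.LoadAbsolute{Off: posExitProcessPid, Size: 4},
	bpf.StoreScratch{Src: bpf.RegA, N: 0},
	bpf.LoadScratch{Dst: bpf.RegX, N: 0},
	bpf.LoadAbsolute{Off: posExitProcessTgid, Size: 4},
	bpf.JumpIfX{SkipFalse: 1}, // zero-value Cond is JumpEqual: A == X
	bpf.RetConstant{Val: 0xffffffff},
	bpf.RetConstant{Val: 0x0},

	// Any other event type: accept the whole message. This used the odd
	// seven-f value 0xfffffff; it is normalised to the same accept-all
	// length as the branches above (both exceed any netlink message size,
	// so nothing is truncated either way).
	bpf.RetConstant{Val: 0xffffffff},
}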

Berkeley Packet Filter (BPF): filters out the unused fork/exit thread packets.

Functions

This section is empty.

Types

type FileAccessCtrl

// FileAccessCtrl is the probe's global file-access control state. It is
// created by NewFileAccessCtrl and, per the method listing, manages
// per-container controls (AddContainerControlByPolicyOrder,
// RemoveContainerControl) and an on-the-fly block list
// (AddBlackListOnTheFly); Close releases it. All fields are unexported.
type FileAccessCtrl struct {
	// contains filtered or unexported fields
}

global control data

func NewFileAccessCtrl

func NewFileAccessCtrl(p *Probe) (*FileAccessCtrl, bool)

//////////

func (*FileAccessCtrl) AddBlackListOnTheFly

func (fa *FileAccessCtrl) AddBlackListOnTheFly(id string, list []string) bool

///

func (*FileAccessCtrl) AddContainerControlByPolicyOrder

func (fa *FileAccessCtrl) AddContainerControlByPolicyOrder(id, setting string, rootpid int, process []*share.CLUSProcessProfileEntry) bool

///

func (*FileAccessCtrl) Close

func (fa *FileAccessCtrl) Close()

///

func (*FileAccessCtrl) GetProbeData

func (fa *FileAccessCtrl) GetProbeData() *FileAccessProbeData

///

func (*FileAccessCtrl) RemoveContainerControl

func (fa *FileAccessCtrl) RemoveContainerControl(id string) bool

type FileAccessProbeData

// FileAccessProbeData is the snapshot returned by (*FileAccessCtrl).GetProbeData.
// Its fields are unexported; what it carries is not visible in this listing.
type FileAccessProbeData struct {
	// contains filtered or unexported fields
}

type FileNotificationCtr

// FileNotificationCtr is the probe's global file-notification control state.
// NewFsnCenter builds it for a given runtime storage driver; containers are
// tracked by id and container path through AddContainer / RemoveContainer,
// and GetUpperFileInfo / IsNotExistingImageFile answer per-file queries.
// All fields are unexported.
type FileNotificationCtr struct {
	// contains filtered or unexported fields
}

global control data

func NewFsnCenter

func NewFsnCenter(p *Probe, rtStorageDriver string) (*FileNotificationCtr, bool)

//////////

func (*FileNotificationCtr) AddContainer

func (fsn *FileNotificationCtr) AddContainer(id, cPath string, pid int) (bool, map[string]*fileInfo)

func (*FileNotificationCtr) Close

func (fsn *FileNotificationCtr) Close()

func (*FileNotificationCtr) GetUpperFileInfo

func (fsn *FileNotificationCtr) GetUpperFileInfo(id, file string) (*fileInfo, bool)

Must be valid as a new file.

func (*FileNotificationCtr) IsNotExistingImageFile

func (fsn *FileNotificationCtr) IsNotExistingImageFile(id, file string) (*fileInfo, bool)

func (*FileNotificationCtr) RemoveContainer

func (fsn *FileNotificationCtr) RemoveContainer(id, cPath string) bool

type Probe

// Probe is the process, file and connection monitor built by New from a
// ProbeConfig. Only FaEndChan is exported; NOTE(review): it presumably
// mirrors ProbeConfig.FAEndChan — confirm in New.
type Probe struct {
	FaEndChan chan bool
	// contains filtered or unexported fields
}

func New

func New(pc *ProbeConfig) (*Probe, error)

func (*Probe) BuildProcessFamilyGroups

func (p *Probe) BuildProcessFamilyGroups(id string, rootPid int)

func (*Probe) CheckDNSTunneling

func (p *Probe) CheckDNSTunneling(ids []string, clientPort share.CLUSProtoPort, locIp, remIp net.IP, locPort, remPort uint16) bool

func (*Probe) Close

func (p *Probe) Close()

func (*Probe) FsnExecFileChanged

func (p *Probe) FsnExecFileChanged(id, file string, bNewFile bool, finfo fileInfo)

func (*Probe) GetContainerAppPorts

func (p *Probe) GetContainerAppPorts(id string) (utils.Set, map[share.CLUSProtoPort]*share.CLUSApp)

get a container's listen ports and application map

func (*Probe) GetContainerMap

func (p *Probe) GetContainerMap() []*share.CLUSProbeContainer

func (*Probe) GetContainerProcHistory

func (p *Probe) GetContainerProcHistory(id string) []*share.CLUSProcess

func (*Probe) GetContainerProcs

func (p *Probe) GetContainerProcs(id string) []*share.CLUSProcess

func (*Probe) GetHostModeSessions

func (p *Probe) GetHostModeSessions(ids utils.Set) []*share.CLUSSession

func (*Probe) GetProbeSummary

func (p *Probe) GetProbeSummary() *share.CLUSProbeSummary

func (*Probe) GetProcessInfo

func (p *Probe) GetProcessInfo(pid int) (*procInternal, bool)

func (*Probe) GetProcessMap

func (p *Probe) GetProcessMap() []*share.CLUSProbeProcess

func (*Probe) HandleAnchorModeChange

func (p *Probe) HandleAnchorModeChange(bAdd bool, id, cPath string, rootPid int)

func (*Probe) HandleProcessPolicyChange

func (p *Probe) HandleProcessPolicyChange(id string, pid int, pg *share.CLUSProcessProfile, bAddContainer, bBlocking bool)

////

func (*Probe) IsAllowedShieldProcess

func (p *Probe) IsAllowedShieldProcess(id, mode string, proc *procInternal, ppe *share.CLUSProcessProfileEntry, bFromPmon bool) bool

func (*Probe) IsConnectionMonitored

func (p *Probe) IsConnectionMonitored() bool

func (*Probe) NotifyPolicyChange

func (p *Probe) NotifyPolicyChange(containerSet utils.Set)

func (*Probe) PatchContainerProcess

func (p *Probe) PatchContainerProcess(pid int, bEval bool) bool

PatchContainerProcess() repairs the missing process table entries caused by netlink receive errors, where no process record is available. The current patch only covers the important init process of a container.

func (*Probe) ProcessLookup

func (p *Probe) ProcessLookup(pid int) *fsmon.ProcInfo

func (*Probe) PutBeginningProcEventsBackToWork

func (p *Probe) PutBeginningProcEventsBackToWork(id string) int

Patch for newly created containers, not for the host.

func (*Probe) RemoveProcessControl

func (p *Probe) RemoveProcessControl(id string)

///

func (*Probe) ReportDockerCp

func (p *Probe) ReportDockerCp(id, containerName string, toContainer bool)

func (*Probe) SendAggregateFsMonReport

func (p *Probe) SendAggregateFsMonReport(pmsg *fsmon.MonitorMessage) bool

///

func (*Probe) SendAggregateProbeReport

func (p *Probe) SendAggregateProbeReport(pmsg *ProbeMessage, bExtOp bool) bool

func (*Probe) SetFileMonitor

func (p *Probe) SetFileMonitor(fm *fsmon.FileWatch)

func (*Probe) SetMonitorTrace

func (p *Probe) SetMonitorTrace(bEnable bool)

func (*Probe) SetNvProtect

func (p *Probe) SetNvProtect(bDisable bool)

func (*Probe) StartMonitorConnection

func (p *Probe) StartMonitorConnection()

func (*Probe) StartMonitorInterface

func (p *Probe) StartMonitorInterface(id string, pid int, timeout time.Duration)

func (*Probe) StopMonitorInterface

func (p *Probe) StopMonitorInterface(id string)

func (*Probe) UpdateFromAllowRule

func (p *Probe) UpdateFromAllowRule(id, path string)

type ProbeConfig

// ProbeConfig carries the settings and host callbacks that New needs to build
// a Probe. The function-typed fields are supplied by the caller; their exact
// contracts are not visible in this listing, so the per-field notes below
// describe only what the types show.
type ProbeConfig struct {
	Pid                  int    // NOTE(review): presumably the agent's own pid — confirm
	PidMode              string
	DpTaskCallback       dp.DPTaskCallback
	NotifyTaskChan       chan *ProbeMessage         // probe reports are sent here
	NotifyFsTaskChan     chan *fsmon.MonitorMessage // file-monitor reports are sent here
	PolicyLookupFunc     func(conn *dp.Connection) (uint32, uint8, bool)
	ProcPolicyLookupFunc func(id, riskType, pname, ppath string, pid, pgid, shellCmd int, proc *share.CLUSProcessProfileEntry) (string, string, string, string, bool, error)
	ReportLearnProc      func(svcGroup string, proc *share.CLUSProcessProfileEntry)
	ContainerInContainer bool
	GetContainerPid      func(id string) int
	GetAllContainerList  func() utils.Set
	RerunKubeBench       func(string, string)
	GetEstimateProcGroup func(id, name, path string) (string, string)
	GetServiceGroupName  func(id string) (string, bool, bool)
	CapKubeBench         bool
	FAEndChan            chan bool // NOTE(review): likely surfaced as Probe.FaEndChan — confirm
	EnableTrace          bool
	DeferContStartRpt    bool
	KubePlatform         bool
	WalkHelper           *workerlet.Tasker
}

type ProbeEscalation

// ProbeEscalation describes a privilege-escalation finding attached to a
// ProbeMessage. It records the offending process (identity, path, arguments,
// real/effective uid and user) alongside its parent so a reporter can show
// the ancestry; Msg is free-form text.
type ProbeEscalation struct {
	ID       string
	Pid      int
	Name     string
	Path     string
	Cmds     []string
	RUid     int // real uid
	EUid     int // effective uid
	RealUser string
	EffUser  string

	// parent info
	ParentPid  int
	ParentName string
	ParentPath string
	ParentCmds []string

	Msg string
}

type ProbeMessage

// ProbeMessage is the report unit delivered on ProbeConfig.NotifyTaskChan and
// passed to SendAggregateProbeReport. Type presumably holds a PROBE_*
// constant; only the detail matching that type (Connections, Escalation or
// Process) is expected to be populated — not verified in this listing.
type ProbeMessage struct {
	Type         int
	Count        int // NOTE(review): likely an aggregation count — confirm
	StartAt      time.Time
	Connections  []*dp.Connection
	ContainerIDs utils.Set
	Escalation   *ProbeEscalation
	Process      *ProbeProcess
}

type ProbeProcess

// ProbeProcess describes the process behind a process-related ProbeMessage:
// the process itself, its parent (PPid, PName, PPath), the connection that
// triggered the report when there is one, and the rule/group the verdict came
// from. Msg is free-form text.
type ProbeProcess struct {
	ID          string
	Name        string
	Path        string
	Cmds        []string
	Pid         int
	EUid        int // effective uid
	EUser       string
	PPid        int
	PName       string
	PPath       string
	Connection  *osutil.Connection
	ConnIngress bool
	RuleID      string
	Group       string
	Msg         string
}

Directories

Path Synopsis
package ringbuffer implements a sequential compact FIFO and LILO.
package ringbuffer implements a sequential compact FIFO and LILO.
