probe


Constants

// Rule IDs of the custom (non policy-defined) events emitted by the probe itself,
// such as those built by NewEventLostReadEvent, NewRuleSetLoadedEvent,
// NewNoisyProcessEvent and NewAbnormalPathEvent.
const (
	// LostEventsRuleID is the rule ID for the lost_events_* events
	LostEventsRuleID = "lost_events"
	// RulesetLoadedRuleID is the rule ID for the ruleset_loaded events
	RulesetLoadedRuleID = "ruleset_loaded"
	// NoisyProcessRuleID is the rule ID for the noisy_process events
	NoisyProcessRuleID = "noisy_process"
	// AbnormalPathRuleID is the rule ID for the abnormal_path events
	AbnormalPathRuleID = "abnormal_path"
)
// Discard operation codes; numbering starts at 1 so that the zero value is never a valid op.
// NOTE(review): presumably carried in ERPCRequest.OP — confirm against the caller.
const (
	// DiscardInodeOp discards an inode
	DiscardInodeOp = iota + 1
	// DiscardPidOp discards a pid
	DiscardPidOp
)
// Event categories for JSON serialization.
const (
	FIMCategory     = "File Activity"    // category label for file (FIM) events
	ProcessActivity = "Process Activity" // category label for process events
)

Event categories for JSON serialization

const (

	// DiscardRetention is the time a discard is retained but not yet applied. This avoids a race with
	// events still pending in the userspace pipeline for a file already deleted in kernel space.
	// The same value is pushed to the eBPF programs through DiscarderConstants.
	DiscardRetention = 5 * time.Second
)
const (

	// ERPCMaxDataSize is the maximum size, in bytes, of the data payload of a request
	// (it fixes the size of ERPCRequest.Data)
	ERPCMaxDataSize = 256
)

Variables

var (
	// DiscarderConstants are the eBPF constant editors for discarders: "discarder_retention"
	// carries DiscardRetention expressed in nanoseconds
	DiscarderConstants = []manager.ConstantEditor{
		{
			Name:  "discarder_retention",
			Value: uint64(DiscardRetention.Nanoseconds()),
		},
	}
)
// ErrEntryNotFound is returned when a path key was not found in the cache.
var ErrEntryNotFound = errors.New("entry not found")

ErrEntryNotFound is returned when a path key was not found in the cache

var (
	// ErrMountNotFound is returned when an unknown mount identifier is encountered
	ErrMountNotFound = errors.New("unknown mount ID")
)
// InvalidDiscarders exposes, per field, the values that must not be used as discarders.
// Every path field listed here currently shares the same dentryInvalidDiscarder list.
var InvalidDiscarders = map[eval.Field][]interface{}{
	"open.file.path":               dentryInvalidDiscarder,
	"unlink.file.path":             dentryInvalidDiscarder,
	"chmod.file.path":              dentryInvalidDiscarder,
	"chown.file.path":              dentryInvalidDiscarder,
	"mkdir.file.path":              dentryInvalidDiscarder,
	"rmdir.file.path":              dentryInvalidDiscarder,
	"rename.file.path":             dentryInvalidDiscarder,
	"rename.file.destination.path": dentryInvalidDiscarder,
	"utimes.file.path":             dentryInvalidDiscarder,
	"link.file.path":               dentryInvalidDiscarder,
	"link.file.destination.path":   dentryInvalidDiscarder,
	"process.file.path":            dentryInvalidDiscarder,
	"setxattr.file.path":           dentryInvalidDiscarder,
	"removexattr.file.path":        dentryInvalidDiscarder,
}

InvalidDiscarders exposes the list of values that are not valid discarders

var (

	// SupportedDiscarders lists all fields that support discarders
	SupportedDiscarders = make(map[eval.Field]bool)
)

Functions

func AllCustomRuleIDs

func AllCustomRuleIDs() []string

AllCustomRuleIDs returns the list of custom rule IDs

func ExtractEventInfo

func ExtractEventInfo(data []byte) (uint64, uint64, error)

ExtractEventInfo extracts cpu and timestamp from the raw data event

func GetCapababilities

func GetCapababilities() map[eval.EventType]rules.FieldCapabilities

GetCapababilities returns all the filtering capabilities

func NewProcessCacheEntry

func NewProcessCacheEntry() *model.ProcessCacheEntry

NewProcessCacheEntry returns an empty instance of ProcessCacheEntry

func TTYConstants

func TTYConstants(probe *Probe) []manager.ConstantEditor

TTYConstants returns the tty constants

Types

type AbnormalPathEvent

// AbnormalPathEvent is used to report that a path resolution failed for a suspicious reason.
// easyjson:json
type AbnormalPathEvent struct {
	Timestamp           time.Time        `json:"date"`                // emitted as "date"
	Event               *EventSerializer `json:"triggeringEvent"`     // the serialized event whose path could not be resolved
	PathResolutionError string           `json:"pathResolutionError"` // the resolution error, as text
}

AbnormalPathEvent is used to report that a path resolution failed for a suspicious reason easyjson:json

func (AbnormalPathEvent) MarshalEasyJSON

func (v AbnormalPathEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (AbnormalPathEvent) MarshalJSON

func (v AbnormalPathEvent) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*AbnormalPathEvent) UnmarshalEasyJSON

func (v *AbnormalPathEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*AbnormalPathEvent) UnmarshalJSON

func (v *AbnormalPathEvent) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type Capabilities

// Capabilities represents the filtering capabilities for a set of fields, keyed by field.
type Capabilities map[eval.Field]Capability

Capabilities represents the filtering capabilities for a set of fields

func (Capabilities) GetFieldCapabilities

func (caps Capabilities) GetFieldCapabilities() rules.FieldCapabilities

GetFieldCapabilities returns the field capabilities for a set of capabilities

func (Capabilities) GetFields

func (caps Capabilities) GetFields() []eval.Field

GetFields returns the fields associated with a set of capabilities

func (Capabilities) GetFlags

func (caps Capabilities) GetFlags() PolicyFlag

GetFlags returns the policy flags for the set of capabilities

type Capability

// Capability represents the type of values we are able to filter kernel side.
type Capability struct {
	PolicyFlags     PolicyFlag          // policy flags supported for the field (see Capabilities.GetFlags)
	FieldValueTypes eval.FieldValueType // value types that can be filtered kernel side for the field
}

Capability represents the type of values we are able to filter kernel side

type CapsetSerializer

// CapsetSerializer serializes a capset event.
// easyjson:json
type CapsetSerializer struct {
	CapEffective []string `json:"capEffective,omitempty"` // names of the effective kernel capabilities
	CapPermitted []string `json:"capPermitted,omitempty"` // names of the permitted kernel capabilities
}

CapsetSerializer serializes a capset event easyjson:json

func (CapsetSerializer) MarshalEasyJSON

func (v CapsetSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (CapsetSerializer) MarshalJSON

func (v CapsetSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*CapsetSerializer) UnmarshalEasyJSON

func (v *CapsetSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*CapsetSerializer) UnmarshalJSON

func (v *CapsetSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type ContainerContextSerializer

// ContainerContextSerializer serializes a container context to JSON.
// easyjson:json
type ContainerContextSerializer struct {
	ID string `json:"id,omitempty"` // container ID, empty when the event is not from a container
}

ContainerContextSerializer serializes a container context to JSON easyjson:json

func (ContainerContextSerializer) MarshalEasyJSON

func (v ContainerContextSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (ContainerContextSerializer) MarshalJSON

func (v ContainerContextSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*ContainerContextSerializer) UnmarshalEasyJSON

func (v *ContainerContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*ContainerContextSerializer) UnmarshalJSON

func (v *ContainerContextSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type ContainerResolver

// ContainerResolver is used to resolve the container context of the events.
type ContainerResolver struct{}

ContainerResolver is used to resolve the container context of the events

func (*ContainerResolver) GetContainerID

func (cr *ContainerResolver) GetContainerID(pid uint32) (utils.ContainerID, error)

GetContainerID returns the container id of the given pid

func (*ContainerResolver) ResolveLabels

func (cr *ContainerResolver) ResolveLabels(containerID string) ([]string, error)

ResolveLabels resolves the label of a container from its container ID

type CredentialsSerializer

// CredentialsSerializer serializes a set of credentials to JSON.
// The numeric IDs are always emitted; the resolved names are omitted when empty.
// easyjson:json
type CredentialsSerializer struct {
	UID          int      `json:"uid"`                    // user id of the process
	User         string   `json:"user,omitempty"`         // user id resolved to a username
	GID          int      `json:"gid"`                    // group id of the process
	Group        string   `json:"group,omitempty"`        // group id resolved to a group name
	EUID         int      `json:"euid"`                   // effective user id
	EUser        string   `json:"euser,omitempty"`        // effective user id resolved to a username
	EGID         int      `json:"egid"`                   // effective group id
	EGroup       string   `json:"egroup,omitempty"`       // effective group id resolved to a group name
	FSUID        int      `json:"fsuid"`                  // file-system user id
	FSUser       string   `json:"fsuser,omitempty"`       // file-system user id resolved to a username
	FSGID        int      `json:"fsgid"`                  // file-system group id
	FSGroup      string   `json:"fsgroup,omitempty"`      // file-system group id resolved to a group name
	CapEffective []string `json:"capEffective,omitempty"` // names of the effective kernel capabilities
	CapPermitted []string `json:"capPermitted,omitempty"` // names of the permitted kernel capabilities
}

CredentialsSerializer serializes a set of credentials to JSON easyjson:json

func (CredentialsSerializer) MarshalEasyJSON

func (v CredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (CredentialsSerializer) MarshalJSON

func (v CredentialsSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*CredentialsSerializer) UnmarshalEasyJSON

func (v *CredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*CredentialsSerializer) UnmarshalJSON

func (v *CredentialsSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type CustomEvent

// CustomEvent is used to send custom security events to Datadog; instances are built
// by the NewAbnormalPathEvent, NewEventLost*Event, NewNoisyProcessEvent and
// NewRuleSetLoadedEvent constructors together with their rule.
type CustomEvent struct {
	// contains filtered or unexported fields
}

CustomEvent is used to send custom security events to Datadog

func NewAbnormalPathEvent

func NewAbnormalPathEvent(event *Event, pathResolutionError error) (*rules.Rule, *CustomEvent)

NewAbnormalPathEvent returns the rule and a populated custom event for an abnormalPath event

func NewEventLostReadEvent

func NewEventLostReadEvent(mapName string, lost int64) (*rules.Rule, *CustomEvent)

NewEventLostReadEvent returns the rule and a populated custom event for a lost_events_read event

func NewEventLostWriteEvent

func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *CustomEvent)

NewEventLostWriteEvent returns the rule and a populated custom event for a lost_events_write event

func NewNoisyProcessEvent

func NewNoisyProcessEvent(eventType model.EventType,
	count uint64,
	threshold int64,
	controlPeriod time.Duration,
	discardedUntil time.Time,
	process *model.ProcessCacheEntry,
	resolvers *Resolvers,
	timestamp time.Time) (*rules.Rule, *CustomEvent)

NewNoisyProcessEvent returns the rule and a populated custom event for a noisy_process event

func NewRuleSetLoadedEvent

func NewRuleSetLoadedEvent(rs *rules.RuleSet, err *multierror.Error) (*rules.Rule, *CustomEvent)

NewRuleSetLoadedEvent returns the rule and a populated custom event for a new_rules_loaded event

func (*CustomEvent) Clone

func (ce *CustomEvent) Clone() CustomEvent

Clone returns a copy of the current CustomEvent

func (*CustomEvent) GetEventType

func (ce *CustomEvent) GetEventType() model.EventType

GetEventType returns the event type

func (*CustomEvent) GetTags

func (ce *CustomEvent) GetTags() []string

GetTags returns the tags of the custom event

func (*CustomEvent) GetType

func (ce *CustomEvent) GetType() string

GetType returns the type of the custom event as a string

func (*CustomEvent) MarshalJSON

func (ce *CustomEvent) MarshalJSON() ([]byte, error)

MarshalJSON is the JSON marshaller function of the custom event

func (*CustomEvent) String

func (ce *CustomEvent) String() string

String returns the string representation of a custom event

type DentryResolver

// DentryResolver resolves inode/mountID pairs to full paths, using a cache first and
// the kernel map as fallback (see ResolveFromCache and ResolveFromMap).
type DentryResolver struct {
	// contains filtered or unexported fields
}

DentryResolver resolves inode/mountID to full paths

func NewDentryResolver

func NewDentryResolver(probe *Probe) (*DentryResolver, error)

NewDentryResolver returns a new dentry resolver

func (*DentryResolver) DelCacheEntries

func (dr *DentryResolver) DelCacheEntries(mountID uint32)

DelCacheEntries removes all the entries belonging to a mountID

func (*DentryResolver) DelCacheEntry

func (dr *DentryResolver) DelCacheEntry(mountID uint32, inode uint64)

DelCacheEntry removes an entry from the cache

func (*DentryResolver) GetName

func (dr *DentryResolver) GetName(mountID uint32, inode uint64, pathID uint32) string

GetName resolves a couple of mountID/inode to a path

func (*DentryResolver) GetParent

func (dr *DentryResolver) GetParent(mountID uint32, inode uint64, pathID uint32) (uint32, uint64, error)

GetParent returns the parent mount_id/inode

func (*DentryResolver) Resolve

func (dr *DentryResolver) Resolve(mountID uint32, inode uint64, pathID uint32) (string, error)

Resolve resolves the pathname of a dentry, starting at the pathnameKey in the pathnames table

func (*DentryResolver) ResolveFromCache

func (dr *DentryResolver) ResolveFromCache(mountID uint32, inode uint64) (filename string, err error)

ResolveFromCache resolves the pathname from the cache

func (*DentryResolver) ResolveFromMap

func (dr *DentryResolver) ResolveFromMap(mountID uint32, inode uint64, pathID uint32) (string, error)

ResolveFromMap resolves from kernel map

func (*DentryResolver) Start

func (dr *DentryResolver) Start() error

Start starts the dentry resolver

type Discarder

// Discarder represents a discarder: a field whose value is known for sure to be always
// rejected by the rules, so matching events can be dropped early.
type Discarder struct {
	Field eval.Field // the field the discarder applies to
}

Discarder represents a discarder: a field whose value is known for sure to be always rejected by the rules

type ERPC

// ERPC defines a krpc object; requests are issued through Request as ioctl syscalls.
type ERPC struct {
	// contains filtered or unexported fields
}

ERPC defines a krpc object

func NewERPC

func NewERPC() (*ERPC, error)

NewERPC returns a new ERPC object

func (*ERPC) GetConstants

func (k *ERPC) GetConstants() []manager.ConstantEditor

GetConstants returns the ebpf constants

func (*ERPC) Request

func (k *ERPC) Request(req *ERPCRequest) error

Request generates an ioctl syscall with the required request

type ERPCRequest

// ERPCRequest defines an ERPC request.
type ERPCRequest struct {
	OP   uint8                 // operation code
	Data [ERPCMaxDataSize]byte // fixed-size request payload
}

ERPCRequest defines an ERPC request

type ErrDiscarderNotSupported

// ErrDiscarderNotSupported is returned when trying to discover a discarder on a field
// that doesn't support them.
type ErrDiscarderNotSupported struct {
	Field string // the field that does not support discarders
}

ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them

func (ErrDiscarderNotSupported) Error

func (e ErrDiscarderNotSupported) Error() string

type ErrInvalidKeyPath

// ErrInvalidKeyPath is returned when the inode or mount ID is not valid.
type ErrInvalidKeyPath struct {
	Inode   uint64 // the rejected inode
	MountID uint32 // the rejected mount ID
}

ErrInvalidKeyPath is returned when the inode or mount ID is not valid

func (*ErrInvalidKeyPath) Error

func (e *ErrInvalidKeyPath) Error() string

type ErrTruncatedParents

// ErrTruncatedParents is used to notify that some parents of the path are missing.
type ErrTruncatedParents struct{}

ErrTruncatedParents is used to notify that some parents of the path are missing

func (ErrTruncatedParents) Error

func (err ErrTruncatedParents) Error() string

type ErrTruncatedSegment

// ErrTruncatedSegment is used to notify that a segment of the path was truncated because it was too long.
type ErrTruncatedSegment struct{}

ErrTruncatedSegment is used to notify that a segment of the path was truncated because it was too long

func (ErrTruncatedSegment) Error

func (err ErrTruncatedSegment) Error() string

type Event

// Event describes a probe event. It embeds the raw model.Event and adds the resolvers
// needed to turn kernel identifiers (inodes, uids, pids...) into names.
type Event struct {
	model.Event
	// contains filtered or unexported fields
}

Event describes a probe event

func NewEvent

func NewEvent(resolvers *Resolvers, scrubber *pconfig.DataScrubber) *Event

NewEvent returns a new event

func (*Event) Clone

func (ev *Event) Clone() Event

Clone returns a copy of the event

func (*Event) GetFieldEventType

func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)

func (*Event) GetFieldType

func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)

func (*Event) GetFieldValue

func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields

func (e *Event) GetFields() []eval.Field

func (*Event) GetPathResolutionError

func (ev *Event) GetPathResolutionError() error

GetPathResolutionError returns the path resolution error, if there is one

func (*Event) GetXAttrName

func (ev *Event) GetXAttrName(e *model.SetXAttrEvent) string

GetXAttrName returns the string representation of the extended attribute name

func (*Event) GetXAttrNamespace

func (ev *Event) GetXAttrNamespace(e *model.SetXAttrEvent) string

GetXAttrNamespace returns the string representation of the extended attribute namespace

func (*Event) MarshalJSON

func (ev *Event) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of the event

func (*Event) ResolveChownGID

func (ev *Event) ResolveChownGID(e *model.ChownEvent) string

ResolveChownGID resolves the group id of a chown event to a group name

func (*Event) ResolveChownUID

func (ev *Event) ResolveChownUID(e *model.ChownEvent) string

ResolveChownUID resolves the user id of a chown event to a username

func (*Event) ResolveContainerID

func (ev *Event) ResolveContainerID(e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*Event) ResolveCredentialsCapEffective

func (ev *Event) ResolveCredentialsCapEffective(e *model.Credentials) int

ResolveCredentialsCapEffective resolves the cap_effective kernel capability of the process

func (*Event) ResolveCredentialsCapPermitted

func (ev *Event) ResolveCredentialsCapPermitted(e *model.Credentials) int

ResolveCredentialsCapPermitted resolves the cap_permitted kernel capability of the process

func (*Event) ResolveCredentialsEGID

func (ev *Event) ResolveCredentialsEGID(e *model.Credentials) int

ResolveCredentialsEGID resolves the effective group id of the process

func (*Event) ResolveCredentialsEGroup

func (ev *Event) ResolveCredentialsEGroup(e *model.Credentials) string

ResolveCredentialsEGroup resolves the effective group id of the process to a group name

func (*Event) ResolveCredentialsEUID

func (ev *Event) ResolveCredentialsEUID(e *model.Credentials) int

ResolveCredentialsEUID resolves the effective user id of the process

func (*Event) ResolveCredentialsEUser

func (ev *Event) ResolveCredentialsEUser(e *model.Credentials) string

ResolveCredentialsEUser resolves the effective user id of the process to a username

func (*Event) ResolveCredentialsFSGID

func (ev *Event) ResolveCredentialsFSGID(e *model.Credentials) int

ResolveCredentialsFSGID resolves the file-system group id of the process

func (*Event) ResolveCredentialsFSGroup

func (ev *Event) ResolveCredentialsFSGroup(e *model.Credentials) string

ResolveCredentialsFSGroup resolves the file-system group id of the process to a group name

func (*Event) ResolveCredentialsFSUID

func (ev *Event) ResolveCredentialsFSUID(e *model.Credentials) int

ResolveCredentialsFSUID resolves the file-system user id of the process

func (*Event) ResolveCredentialsFSUser

func (ev *Event) ResolveCredentialsFSUser(e *model.Credentials) string

ResolveCredentialsFSUser resolves the file-system user id of the process to a username

func (*Event) ResolveCredentialsGID

func (ev *Event) ResolveCredentialsGID(e *model.Credentials) int

ResolveCredentialsGID resolves the group id of the process

func (*Event) ResolveCredentialsGroup

func (ev *Event) ResolveCredentialsGroup(e *model.Credentials) string

ResolveCredentialsGroup resolves the group id of the process to a group name

func (*Event) ResolveCredentialsUID

func (ev *Event) ResolveCredentialsUID(e *model.Credentials) int

ResolveCredentialsUID resolves the user id of the process

func (*Event) ResolveCredentialsUser

func (ev *Event) ResolveCredentialsUser(e *model.Credentials) string

ResolveCredentialsUser resolves the user id of the process to a username

func (*Event) ResolveEventTimestamp

func (ev *Event) ResolveEventTimestamp() time.Time

ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time

func (*Event) ResolveExecArgs

func (ev *Event) ResolveExecArgs(e *model.ExecEvent) string

ResolveExecArgs resolves the args of the event

func (*Event) ResolveExecArgsFlags

func (ev *Event) ResolveExecArgsFlags(e *model.ExecEvent) (flags []string)

ResolveExecArgsFlags resolves the arguments flags of the event

func (*Event) ResolveExecArgsOptions

func (ev *Event) ResolveExecArgsOptions(e *model.ExecEvent) (options []string)

ResolveExecArgsOptions resolves the arguments options of the event

func (*Event) ResolveExecArgv

func (ev *Event) ResolveExecArgv(e *model.ExecEvent) []string

ResolveExecArgv resolves the args of the event as an array

func (*Event) ResolveExecEnvs

func (ev *Event) ResolveExecEnvs(e *model.ExecEvent) []string

ResolveExecEnvs resolves the envs of the event

func (*Event) ResolveFileBasename

func (ev *Event) ResolveFileBasename(f *model.FileEvent) string

ResolveFileBasename resolves the inode to a full path

func (*Event) ResolveFileContainerPath

func (ev *Event) ResolveFileContainerPath(f *model.FileEvent) string

ResolveFileContainerPath resolves the inode to a full path

func (*Event) ResolveFileFilesystem

func (ev *Event) ResolveFileFilesystem(f *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*Event) ResolveFileInUpperLayer

func (ev *Event) ResolveFileInUpperLayer(f *model.FileEvent) bool

ResolveFileInUpperLayer resolves whether the file is in an upper layer

func (*Event) ResolveFileInode

func (ev *Event) ResolveFileInode(f *model.FileEvent) string

ResolveFileInode resolves the inode to a full path

func (*Event) ResolveGroup

func (ev *Event) ResolveGroup(e *model.FileFields) string

ResolveGroup resolves the group id of the file to a group name

func (*Event) ResolveMountPoint

func (ev *Event) ResolveMountPoint(e *model.MountEvent) string

ResolveMountPoint resolves the mountpoint to a full path

func (*Event) ResolveMountRoot

func (ev *Event) ResolveMountRoot(e *model.MountEvent) string

ResolveMountRoot resolves the mountpoint to a full path

func (*Event) ResolveProcessBasename

func (ev *Event) ResolveProcessBasename(e *model.Process) string

ResolveProcessBasename resolves the inode to a filename

func (*Event) ResolveProcessCacheEntry

func (ev *Event) ResolveProcessCacheEntry() *model.ProcessCacheEntry

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessCacheEntry of the event

func (*Event) ResolveProcessComm

func (ev *Event) ResolveProcessComm(e *model.Process) string

ResolveProcessComm resolves the comm of the process

func (*Event) ResolveProcessContainerPath

func (ev *Event) ResolveProcessContainerPath(e *model.Process) string

ResolveProcessContainerPath resolves the inode to a path relative to the container

func (*Event) ResolveProcessContextGroup

func (ev *Event) ResolveProcessContextGroup(p *model.ProcessContext) string

ResolveProcessContextGroup resolves the group id of the process to a group name

func (*Event) ResolveProcessContextUser

func (ev *Event) ResolveProcessContextUser(p *model.ProcessContext) string

ResolveProcessContextUser resolves the user id of the process to a username

func (*Event) ResolveProcessCookie

func (ev *Event) ResolveProcessCookie(e *model.Process) int

ResolveProcessCookie resolves the cookie of the process

func (*Event) ResolveProcessFilesystem

func (ev *Event) ResolveProcessFilesystem(e *model.Process) string

ResolveProcessFilesystem resolves the filesystem an executable resides in

func (*Event) ResolveProcessInode

func (ev *Event) ResolveProcessInode(e *model.Process) string

ResolveProcessInode resolves the executable inode to a full path

func (*Event) ResolveProcessPPID

func (ev *Event) ResolveProcessPPID(e *model.Process) int

ResolveProcessPPID resolves the parent process ID

func (*Event) ResolveProcessTTY

func (ev *Event) ResolveProcessTTY(e *model.Process) string

ResolveProcessTTY resolves the name of the process tty

func (*Event) ResolveRights

func (ev *Event) ResolveRights(e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*Event) ResolveSetgidEGroup

func (ev *Event) ResolveSetgidEGroup(e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*Event) ResolveSetgidFSGroup

func (ev *Event) ResolveSetgidFSGroup(e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*Event) ResolveSetgidGroup

func (ev *Event) ResolveSetgidGroup(e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*Event) ResolveSetuidEUser

func (ev *Event) ResolveSetuidEUser(e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*Event) ResolveSetuidFSUser

func (ev *Event) ResolveSetuidFSUser(e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*Event) ResolveSetuidUser

func (ev *Event) ResolveSetuidUser(e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*Event) ResolveUser

func (ev *Event) ResolveUser(e *model.FileFields) string

ResolveUser resolves the user id of the file to a username

func (*Event) SetFieldValue

func (e *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) SetPathResolutionError

func (ev *Event) SetPathResolutionError(err error)

SetPathResolutionError sets the Event.pathResolutionError

func (*Event) String

func (ev *Event) String() string

func (*Event) UnmarshalProcess

func (ev *Event) UnmarshalProcess(data []byte) (int, error)

UnmarshalProcess unmarshals a Process

type EventContextSerializer

// EventContextSerializer serializes an event context to JSON.
// easyjson:json
type EventContextSerializer struct {
	Name     string `json:"name,omitempty"`     // event name
	Category string `json:"category,omitempty"` // event category (presumably FIMCategory or ProcessActivity — confirm)
	Outcome  string `json:"outcome,omitempty"`  // outcome of the event
}

EventContextSerializer serializes an event context to JSON easyjson:json

func (EventContextSerializer) MarshalEasyJSON

func (v EventContextSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventContextSerializer) MarshalJSON

func (v EventContextSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*EventContextSerializer) UnmarshalEasyJSON

func (v *EventContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*EventContextSerializer) UnmarshalJSON

func (v *EventContextSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type EventHandler

// EventHandler represents a handler for the events sent by the probe.
type EventHandler interface {
	// HandleEvent receives a regular probe event.
	HandleEvent(event *Event)
	// HandleCustomEvent receives a probe-generated custom event together with its rule.
	HandleCustomEvent(rule *rules.Rule, event *CustomEvent)
}

EventHandler represents a handler for the events sent by the probe

type EventLostRead

// EventLostRead is the event used to report lost events detected from user space.
// Lost events are a visibility gap: a consumer should treat a non-zero Lost as a signal
// that activity in that window was not observed.
// easyjson:json
type EventLostRead struct {
	Timestamp time.Time `json:"date"` // emitted as "date"
	Name      string    `json:"map"`  // name of the map the events were lost from
	Lost      int64     `json:"lost"` // number of lost events
}

EventLostRead is the event used to report lost events detected from user space easyjson:json

func (EventLostRead) MarshalEasyJSON

func (v EventLostRead) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventLostRead) MarshalJSON

func (v EventLostRead) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*EventLostRead) UnmarshalEasyJSON

func (v *EventLostRead) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*EventLostRead) UnmarshalJSON

func (v *EventLostRead) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type EventLostWrite

// EventLostWrite is the event used to report lost events detected from kernel space.
// easyjson:json
type EventLostWrite struct {
	Timestamp time.Time         `json:"date"`     // emitted as "date"
	Name      string            `json:"map"`      // name of the map the events were lost from
	Lost      map[string]uint64 `json:"perEvent"` // lost count keyed by event (built from NewEventLostWriteEvent's perEventPerCPU)
}

EventLostWrite is the event used to report lost events detected from kernel space easyjson:json

func (EventLostWrite) MarshalEasyJSON

func (v EventLostWrite) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventLostWrite) MarshalJSON

func (v EventLostWrite) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*EventLostWrite) UnmarshalEasyJSON

func (v *EventLostWrite) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*EventLostWrite) UnmarshalJSON

func (v *EventLostWrite) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type EventSerializer

// EventSerializer serializes an event to JSON. The embedded event and file contexts are
// flattened under "evt" and "file"; the other contexts are nested objects.
// easyjson:json
type EventSerializer struct {
	*EventContextSerializer    `json:"evt,omitempty"`
	*FileEventSerializer       `json:"file,omitempty"`
	UserContextSerializer      UserContextSerializer       `json:"usr,omitempty"`
	ProcessContextSerializer   *ProcessContextSerializer   `json:"process,omitempty"`
	ContainerContextSerializer *ContainerContextSerializer `json:"container,omitempty"`
	Date                       time.Time                   `json:"date,omitempty"`
}

EventSerializer serializes an event to JSON easyjson:json

func (EventSerializer) MarshalEasyJSON

func (v EventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventSerializer) MarshalJSON

func (v EventSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*EventSerializer) UnmarshalEasyJSON

func (v *EventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*EventSerializer) UnmarshalJSON

func (v *EventSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type FileEventSerializer

// FileEventSerializer serializes a file event to JSON. The source file is embedded;
// Destination is only set for events that have one (rename, link).
// easyjson:json
type FileEventSerializer struct {
	FileSerializer `json:",omitempty"`
	Destination    *FileSerializer `json:"destination,omitempty"`

	// Specific to mount events
	NewMountID uint32 `json:"newMountId,omitempty"`
	GroupID    uint32 `json:"groupId,omitempty"`
	Device     uint32 `json:"device,omitempty"`
	FSType     string `json:"fstype,omitempty"`
}

FileEventSerializer serializes a file event to JSON easyjson:json

func (FileEventSerializer) MarshalEasyJSON

func (v FileEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (FileEventSerializer) MarshalJSON

func (v FileEventSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*FileEventSerializer) UnmarshalEasyJSON

func (v *FileEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*FileEventSerializer) UnmarshalJSON

func (v *FileEventSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type FileSerializer

// FileSerializer serializes a file to JSON. Pointer fields are omitted when unset, so a
// missing "inode"/"mountId" in the output means the value was not available rather than zero.
// PathResolutionError is emitted when the path could not be resolved, so consumers should
// not assume Path is populated.
// easyjson:json
type FileSerializer struct {
	Path                string     `json:"path,omitempty"`                // resolved full path
	Name                string     `json:"name,omitempty"`                // basename
	ContainerPath       string     `json:"containerPath,omitempty"`       // path relative to the container
	PathResolutionError string     `json:"pathResolutionError,omitempty"` // why Path could not be resolved, if so
	Inode               *uint64    `json:"inode,omitempty"`
	Mode                *uint32    `json:"mode,omitempty"`
	InUpperLayer        *bool      `json:"inUpperLayer,omitempty"` // overlay upper layer membership
	MountID             *uint32    `json:"mountId,omitempty"`
	Filesystem          string     `json:"filesystem,omitempty"` // filesystem the file resides in
	UID                 uint32     `json:"uid,omitempty"`
	GID                 uint32     `json:"gid,omitempty"`
	User                string     `json:"user,omitempty"`  // UID resolved to a username
	Group               string     `json:"group,omitempty"` // GID resolved to a group name
	XAttrName           string     `json:"attributeName,omitempty"`
	XAttrNamespace      string     `json:"attributeNamespace,omitempty"`
	Flags               []string   `json:"flags,omitempty"`
	Atime               *time.Time `json:"accessTime,omitempty"`
	Mtime               *time.Time `json:"modificationTime,omitempty"`
	Ctime               *time.Time `json:"changeTime,omitempty"`
}

FileSerializer serializes a file to JSON easyjson:json

func (FileSerializer) MarshalEasyJSON

func (v FileSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (FileSerializer) MarshalJSON

func (v FileSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*FileSerializer) UnmarshalEasyJSON

func (v *FileSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*FileSerializer) UnmarshalJSON

func (v *FileSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type FilterPolicy

// FilterPolicy describes a filtering policy; Bytes gives its binary form for the kernel side.
type FilterPolicy struct {
	Mode  PolicyMode // filtering mode
	Flags PolicyFlag // policy flags
}

FilterPolicy describes a filtering policy

func (*FilterPolicy) Bytes

func (f *FilterPolicy) Bytes() ([]byte, error)

Bytes returns the binary representation of a FilterPolicy

type InodeInfo

// InodeInfo holds information related to an inode as reported by the kernel;
// it is populated from a binary representation by UnmarshalBinary.
type InodeInfo struct {
	MountID uint32
	Flags   int32 // kernel-provided flags; meaning not visible here — TODO confirm against the eBPF side
}

InodeInfo holds information related to inode from kernel

func (*InodeInfo) UnmarshalBinary

func (i *InodeInfo) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type KernelVersion

// KernelVersion is a kernel version helper; construct it with NewKernelVersion
// and query it with the Is*Kernel methods.
type KernelVersion struct {
	// contains filtered or unexported fields
}

KernelVersion defines a kernel version helper

func NewKernelVersion

func NewKernelVersion() (*KernelVersion, error)

NewKernelVersion returns a new kernel version helper

func (*KernelVersion) IsRH7Kernel

func (k *KernelVersion) IsRH7Kernel() bool

IsRH7Kernel returns whether the kernel is a rh7 kernel

func (*KernelVersion) IsRH8Kernel

func (k *KernelVersion) IsRH8Kernel() bool

IsRH8Kernel returns whether the kernel is a rh8 kernel

func (*KernelVersion) IsSLES12Kernel

func (k *KernelVersion) IsSLES12Kernel() bool

IsSLES12Kernel returns whether the kernel is a sles 12 kernel

func (*KernelVersion) IsSLES15Kernel

func (k *KernelVersion) IsSLES15Kernel() bool

IsSLES15Kernel returns whether the kernel is a sles 15 kernel

func (*KernelVersion) IsSuseKernel

func (k *KernelVersion) IsSuseKernel() bool

IsSuseKernel returns whether the kernel is a suse kernel

type LoadController

// LoadController monitors and controls the event pressure put on the host.
//
// The embedded RWMutex is exported, so Lock/RLock are part of the public
// surface of the type; callers must not copy a LoadController by value.
type LoadController struct {
	sync.RWMutex

	// EventsCountThreshold is the per-pid event count above which a process is
	// presumably treated as noisy (see NoisyProcessEvent.Threshold) — confirm.
	EventsCountThreshold int64
	// DiscarderTimeout is how long a noisy process stays discarded — presumably
	// what NoisyProcessEvent.DiscardedUntil is derived from; confirm.
	DiscarderTimeout     time.Duration
	// ControllerPeriod is the period at which Start resets the counters.
	ControllerPeriod     time.Duration
	// contains filtered or unexported fields
}

LoadController is used to monitor and control the pressure put on the host

func NewLoadController

func NewLoadController(probe *Probe, statsdClient *statsd.Client) (*LoadController, error)

NewLoadController instantiates a new load controller

func (*LoadController) Count

func (lc *LoadController) Count(event *Event)

Count processes the provided events and ensures the load of the provided event type is within the configured limits

func (*LoadController) GenericCount

func (lc *LoadController) GenericCount(event *Event)

GenericCount increments the event counter of the provided event type and pid

func (*LoadController) Start

func (lc *LoadController) Start(ctx context.Context)

Start resets the internal counters periodically

type Model

// Model describes the data model of the runtime security probe events; it
// embeds the shared model.Model and adds the evaluator/iterator lookups below.
type Model struct {
	model.Model
}

Model describes the data model for the runtime security agent probe events

func (*Model) GetEvaluator

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes

func (m *Model) GetEventTypes() []eval.EventType

func (*Model) GetIterator

func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)

func (*Model) NewEvent

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

type Monitor

// Monitor regroups the work needed to monitor the probes pushed into the
// kernel (perf buffer, reorderer, load control); create it with NewMonitor.
type Monitor struct {
	// contains filtered or unexported fields
}

Monitor regroups all the work we want to do to monitor the probes we pushed in the kernel

func NewMonitor

func NewMonitor(p *Probe, client *statsd.Client) (*Monitor, error)

NewMonitor returns a new instance of Monitor

func (*Monitor) GetPerfBufferMonitor

func (m *Monitor) GetPerfBufferMonitor() *PerfBufferMonitor

GetPerfBufferMonitor returns the perf buffer monitor

func (*Monitor) GetStats

func (m *Monitor) GetStats() (map[string]interface{}, error)

GetStats returns Stats according to the system-probe module format

func (*Monitor) ProcessEvent

func (m *Monitor) ProcessEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)

ProcessEvent processes an event through the various monitors and controllers of the probe

func (*Monitor) ProcessLostEvent

func (m *Monitor) ProcessLostEvent(count uint64, cpu int, perfMap *manager.PerfMap)

ProcessLostEvent processes a lost event through the various monitors and controllers of the probe

func (*Monitor) ReportRuleSetLoaded

func (m *Monitor) ReportRuleSetLoaded(ruleSet *rules.RuleSet, err *multierror.Error)

ReportRuleSetLoaded reports to Datadog that new ruleset was loaded

func (*Monitor) SendStats

func (m *Monitor) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*Monitor) Start

func (m *Monitor) Start(ctx context.Context) error

Start triggers the goroutine of all the underlying controllers and monitors of the Monitor

type MountResolver

// MountResolver caches mount points and their filesystems, keyed by mount ID.
type MountResolver struct {
	// contains filtered or unexported fields
}

MountResolver represents a cache for mountpoints and the corresponding file systems

func NewMountResolver

func NewMountResolver(probe *Probe) *MountResolver

NewMountResolver instantiates a new mount resolver

func (*MountResolver) Delete

func (mr *MountResolver) Delete(mountID uint32) error

Delete removes a mount from the cache

func (*MountResolver) GetFilesystem

func (mr *MountResolver) GetFilesystem(mountID uint32) string

GetFilesystem returns the name of the filesystem

func (*MountResolver) GetMountPath

func (mr *MountResolver) GetMountPath(mountID uint32) (string, string, string, error)

GetMountPath returns the path of a mount identified by its mount ID. The first path is the container mount path if it exists

func (*MountResolver) Insert

func (mr *MountResolver) Insert(e model.MountEvent)

Insert adds a new mount point to the cache

func (*MountResolver) IsOverlayFS

func (mr *MountResolver) IsOverlayFS(mountID uint32) bool

IsOverlayFS reports whether the mount identified by mountID is an overlay filesystem

func (*MountResolver) Start

func (mr *MountResolver) Start(ctx context.Context)

Start starts the resolver

func (*MountResolver) SyncCache

func (mr *MountResolver) SyncCache(proc *process.Process) error

SyncCache snapshots the current mount points of the system by reading /proc/[pid]/mountinfo.

type NoisyProcessEvent

// NoisyProcessEvent reports that a noisy process was temporarily discarded.
//
// NOTE(review): while a process is discarded, its events of type Event are
// presumably not reported until DiscardedUntil — a visibility gap that a
// detection pipeline should surface rather than silently accept.
//
// easyjson:json
type NoisyProcessEvent struct {
	Timestamp      time.Time                 `json:"date"`
	Event          string                    `json:"eventType"`     // event type that exceeded the threshold
	Count          uint64                    `json:"pidCount"`      // observed count for the pid
	Threshold      int64                     `json:"threshold"`     // configured limit that was exceeded
	ControlPeriod  time.Duration             `json:"controlPeriod"` // serialized as nanoseconds (time.Duration is an int64)
	DiscardedUntil time.Time                 `json:"discardedUntil"`
	Process        *ProcessContextSerializer `json:"process"`
}

NoisyProcessEvent is used to report that a noisy process was temporarily discarded (easyjson:json)

func (NoisyProcessEvent) MarshalEasyJSON

func (v NoisyProcessEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (NoisyProcessEvent) MarshalJSON

func (v NoisyProcessEvent) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*NoisyProcessEvent) UnmarshalEasyJSON

func (v *NoisyProcessEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*NoisyProcessEvent) UnmarshalJSON

func (v *NoisyProcessEvent) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type PathKey

// PathKey identifies an entry in the dentry cache; IsNull reports whether the
// key is invalid and MarshalBinary/Write produce its binary form.
type PathKey struct {
	Inode   uint64
	MountID uint32
	PathID  uint32
}

PathKey identifies an entry in the dentry cache

func (*PathKey) IsNull

func (p *PathKey) IsNull() bool

IsNull returns true if a key is invalid

func (*PathKey) MarshalBinary

func (p *PathKey) MarshalBinary() ([]byte, error)

MarshalBinary returns the binary representation of a path key

func (*PathKey) String

func (p *PathKey) String() string

func (*PathKey) Write

func (p *PathKey) Write(buffer []byte)

type PathValue

// PathValue is the value of a dentry cache entry: one path segment plus the
// key of its parent, so a full path is rebuilt by walking Parent links.
type PathValue struct {
	Parent PathKey
	// Name is a fixed-size buffer of MaxSegmentLength+1 bytes; the extra byte
	// presumably holds a NUL terminator — confirm against the kernel struct.
	Name   [model.MaxSegmentLength + 1]byte
}

PathValue describes a value of an entry of the cache

type PerfBufferMonitor

// PerfBufferMonitor holds statistics about received and lost events per perf
// map, cpu and event type; see the Count*/Get* methods.
type PerfBufferMonitor struct {
	// contains filtered or unexported fields
}

PerfBufferMonitor holds statistics about the number of lost and received events

func NewPerfBufferMonitor

func NewPerfBufferMonitor(p *Probe, client *statsd.Client) (*PerfBufferMonitor, error)

NewPerfBufferMonitor instantiates a new event statistics counter

func (*PerfBufferMonitor) CountEvent

func (pbm *PerfBufferMonitor) CountEvent(eventType model.EventType, timestamp uint64, count uint64, size uint64, m *manager.PerfMap, cpu int)

CountEvent adds `count` to the counter of received events of the specified type

func (*PerfBufferMonitor) CountLostEvent

func (pbm *PerfBufferMonitor) CountLostEvent(count uint64, m *manager.PerfMap, cpu int)

CountLostEvent adds `count` to the counter of lost events

func (*PerfBufferMonitor) GetAndResetKernelLostCount

func (pbm *PerfBufferMonitor) GetAndResetKernelLostCount(perfMap string, cpu int, evtTypes ...model.EventType) uint64

GetAndResetKernelLostCount returns the number of lost events for a given map and cpu. If a cpu of -1 is provided, the function will return the sum of all the lost events of all the cpus.

func (*PerfBufferMonitor) GetAndResetLostCount

func (pbm *PerfBufferMonitor) GetAndResetLostCount(perfMap string, cpu int) uint64

GetAndResetLostCount returns the number of lost events and resets the counter for a given map and cpu. If a cpu of -1 is provided, the function will reset the counters of all the cpus for the provided map, and return the sum of all the lost events of all the cpus of the provided map.

func (*PerfBufferMonitor) GetEventStats

func (pbm *PerfBufferMonitor) GetEventStats(eventType model.EventType, perfMap string, cpu int) PerfMapStats

GetEventStats returns the number of received events of the specified type and resets the counter

func (*PerfBufferMonitor) GetLostCount

func (pbm *PerfBufferMonitor) GetLostCount(perfMap string, cpu int) uint64

GetLostCount returns the number of lost events for a given map and cpu. If a cpu of -1 is provided, the function will return the sum of all the lost events of all the cpus.

func (*PerfBufferMonitor) SendStats

func (pbm *PerfBufferMonitor) SendStats() error

SendStats sends event stats using the provided statsd client

type PerfMapStats

// PerfMapStats holds the collected metrics for one event type and one cpu in
// a perf buffer statistics map; UnmarshalBinary fills it from a map entry.
type PerfMapStats struct {
	Bytes uint64 // bytes received
	Count uint64 // events received
	Lost  uint64 // events lost
}

PerfMapStats contains the collected metrics for one event and one cpu in a perf buffer statistics map

func (*PerfMapStats) UnmarshalBinary

func (s *PerfMapStats) UnmarshalBinary(data []byte) error

UnmarshalBinary parses a map entry and populates the current PerfMapStats instance

type PoliciesIgnored

// PoliciesIgnored holds the errors raised while loading policies; it has a
// custom MarshalJSON and an empty UnmarshalJSON.
type PoliciesIgnored struct {
	Errors *multierror.Error
}

PoliciesIgnored holds the errors

func (*PoliciesIgnored) MarshalJSON

func (r *PoliciesIgnored) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaller

func (*PoliciesIgnored) UnmarshalJSON

func (r *PoliciesIgnored) UnmarshalJSON(data []byte) error

UnmarshalJSON is an empty unmarshaller

type PolicyFlag

// PolicyFlag is a bitmask of the active filtering policies (PolicyFlag* constants).
type PolicyFlag uint8

PolicyFlag is a bitmask of the active filtering policies

// Policy flags. The PolicyFlag values are distinct bits so they can be OR-ed
// into a single PolicyFlag bitmask.
const (
	PolicyFlagBasename PolicyFlag = 1
	PolicyFlagFlags    PolicyFlag = 2
	PolicyFlagMode     PolicyFlag = 4

	// BasenameFilterSize must stay aligned with the kernel-side buffer size;
	// an untyped constant, shared with the eBPF program.
	BasenameFilterSize = 255
)

Policy flags

func (PolicyFlag) MarshalJSON

func (f PolicyFlag) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of the policy flags

type PolicyLoaded

// PolicyLoaded reports that a policy was loaded.
//
// NOTE(review): Version has no json tag, so it is emitted under the key
// "Version" while the sibling fields use camelCase keys.
//
// easyjson:json
type PolicyLoaded struct {
	Version      string
	RulesLoaded  []*RuleLoaded  `json:"rulesLoaded"`
	RulesIgnored []*RuleIgnored `json:"rulesIgnored,omitempty"`
}

PolicyLoaded is used to report that a policy was loaded (easyjson:json)

func (PolicyLoaded) MarshalEasyJSON

func (v PolicyLoaded) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (PolicyLoaded) MarshalJSON

func (v PolicyLoaded) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*PolicyLoaded) UnmarshalEasyJSON

func (v *PolicyLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*PolicyLoaded) UnmarshalJSON

func (v *PolicyLoaded) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type PolicyMode

// PolicyMode represents the policy mode (no filter, accept or deny); see the PolicyMode* constants.
type PolicyMode uint8

PolicyMode represents the policy mode (accept or deny)

// Policy modes: NoFilter is 0, Accept is 1, Deny is 2 (iota order).
const (
	PolicyModeNoFilter PolicyMode = iota
	PolicyModeAccept
	PolicyModeDeny
)

Policy modes

func (PolicyMode) MarshalJSON

func (m PolicyMode) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of the policy mode

func (PolicyMode) String

func (m PolicyMode) String() string

type PolicyReport

// PolicyReport describes the result of the kernel policy and the approvers
// applied for one event type; Report maps event types to these.
type PolicyReport struct {
	Mode      PolicyMode
	Flags     PolicyFlag
	Approvers rules.Approvers
}

PolicyReport describes the result of the kernel policy and the approvers for an event type

type Probe

// Probe is the runtime security eBPF probe: it sets up the required kprobes
// and decodes the events sent from the kernel. Create it with NewProbe.
type Probe struct {
	// contains filtered or unexported fields
}

Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel

func NewProbe

func NewProbe(config *config.Config, client *statsd.Client) (*Probe, error)

NewProbe instantiates a new runtime security agent probe

func (*Probe) ApplyFilterPolicy

func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error

ApplyFilterPolicy is called when a passing policy for an event type is applied

func (*Probe) Close

func (p *Probe) Close() error

Close closes the probe

func (*Probe) DispatchCustomEvent

func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *CustomEvent)

DispatchCustomEvent sends a custom event to the probe event handler

func (*Probe) DispatchEvent

func (p *Probe) DispatchEvent(event *Event, size uint64, CPU int, perfMap *manager.PerfMap)

DispatchEvent sends an event to the probe event handler

func (*Probe) FlushDiscarders

func (p *Probe) FlushDiscarders() error

FlushDiscarders removes all the discarders

func (*Probe) GetDebugStats

func (p *Probe) GetDebugStats() map[string]interface{}

GetDebugStats returns the debug stats

func (*Probe) GetMonitor

func (p *Probe) GetMonitor() *Monitor

GetMonitor returns the monitor of the probe

func (*Probe) GetResolvers

func (p *Probe) GetResolvers() *Resolvers

GetResolvers returns the resolvers of Probe

func (*Probe) Init

func (p *Probe) Init(client *statsd.Client) error

Init initializes the probe

func (*Probe) Map

func (p *Probe) Map(name string) (*lib.Map, error)

Map returns a map by its name

func (*Probe) NewRuleSet

func (p *Probe) NewRuleSet(opts *rules.Opts) *rules.RuleSet

NewRuleSet returns a new rule set

func (*Probe) OnNewDiscarder

func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, event *Event, field eval.Field, eventType eval.EventType) error

OnNewDiscarder is called when a new discarder is found

func (*Probe) SelectProbes

func (p *Probe) SelectProbes(rs *rules.RuleSet) error

SelectProbes applies the loaded set of rules (the signature returns only an error; the report of applied approvers is obtained elsewhere, e.g. via RuleSetApplier.Apply).

func (*Probe) SendStats

func (p *Probe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*Probe) SetApprovers

func (p *Probe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error

SetApprovers applies approvers and removes the unused ones

func (*Probe) SetEventHandler

func (p *Probe) SetEventHandler(handler EventHandler)

SetEventHandler sets the probe event handler

func (*Probe) Snapshot

func (p *Probe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*Probe) Start

func (p *Probe) Start() error

Start starts the runtime security probe

type ProcessCacheEntrySerializer

// ProcessCacheEntrySerializer serializes a process cache entry to JSON.
//
// NOTE(review): Envs carries the process environment verbatim; environments
// commonly hold credentials, so the serialized event should be handled as
// sensitive data downstream. Args/Envs may be incomplete when the matching
// *Truncated flag is set — presumably; confirm with the resolver.
//
// easyjson:json
type ProcessCacheEntrySerializer struct {
	Pid                 uint32                        `json:"pid,omitempty"`
	PPid                uint32                        `json:"ppid,omitempty"`
	Tid                 uint32                        `json:"tid,omitempty"`
	// UID/GID have no omitempty, so uid 0 (root) is always emitted.
	UID                 int                           `json:"uid"`
	GID                 int                           `json:"gid"`
	User                string                        `json:"user,omitempty"`
	Group               string                        `json:"group,omitempty"`
	ContainerPath       string                        `json:"executableContainerPath,omitempty"`
	Path                string                        `json:"executablePath,omitempty"`
	PathResolutionError string                        `json:"pathResolutionError,omitempty"`
	Comm                string                        `json:"comm,omitempty"`
	Inode               uint64                        `json:"executableInode,omitempty"`
	MountID             uint32                        `json:"executableMountId,omitempty"`
	Filesystem          string                        `json:"executableFilesystem,omitempty"`
	TTY                 string                        `json:"tty,omitempty"`
	ForkTime            *time.Time                    `json:"forkTime,omitempty"`
	ExecTime            *time.Time                    `json:"execTime,omitempty"`
	ExitTime            *time.Time                    `json:"exitTime,omitempty"`
	Credentials         *ProcessCredentialsSerializer `json:"credentials,omitempty"`
	Executable          *FileSerializer               `json:"executable,omitempty"`
	Container           *ContainerContextSerializer   `json:"container,omitempty"`
	Args                []string                      `json:"args,omitempty"`
	ArgsTruncated       bool                          `json:"argsTruncated,omitempty"`
	Envs                []string                      `json:"envs,omitempty"`
	EnvsTruncated       bool                          `json:"envsTruncated,omitempty"`
}

ProcessCacheEntrySerializer serializes a process cache entry to JSON (easyjson:json)

func (ProcessCacheEntrySerializer) MarshalEasyJSON

func (v ProcessCacheEntrySerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (ProcessCacheEntrySerializer) MarshalJSON

func (v ProcessCacheEntrySerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*ProcessCacheEntrySerializer) UnmarshalEasyJSON

func (v *ProcessCacheEntrySerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*ProcessCacheEntrySerializer) UnmarshalJSON

func (v *ProcessCacheEntrySerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type ProcessContextSerializer

// ProcessContextSerializer serializes a process context to JSON: the process
// itself (embedded, so its fields are flattened into the same object), its
// parent and its ancestors.
//
// easyjson:json
type ProcessContextSerializer struct {
	*ProcessCacheEntrySerializer
	Parent    *ProcessCacheEntrySerializer   `json:"parent,omitempty"`
	Ancestors []*ProcessCacheEntrySerializer `json:"ancestors,omitempty"`
}

ProcessContextSerializer serializes a process context to JSON (easyjson:json)

func (ProcessContextSerializer) MarshalEasyJSON

func (v ProcessContextSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (ProcessContextSerializer) MarshalJSON

func (v ProcessContextSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*ProcessContextSerializer) UnmarshalEasyJSON

func (v *ProcessContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*ProcessContextSerializer) UnmarshalJSON

func (v *ProcessContextSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type ProcessCredentialsSerializer

// ProcessCredentialsSerializer serializes the process credentials to JSON.
//
// easyjson:json
type ProcessCredentialsSerializer struct {
	*CredentialsSerializer `json:",omitempty"`
	// Destination is untyped; presumably the credentials being switched to by a
	// credential-changing event (e.g. a SetgidSerializer) — confirm with callers.
	Destination            interface{} `json:"destination,omitempty"`
}

ProcessCredentialsSerializer serializes the process credentials to JSON (easyjson:json)

func (ProcessCredentialsSerializer) MarshalEasyJSON

func (v ProcessCredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (ProcessCredentialsSerializer) MarshalJSON

func (v ProcessCredentialsSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*ProcessCredentialsSerializer) UnmarshalEasyJSON

func (v *ProcessCredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*ProcessCredentialsSerializer) UnmarshalJSON

func (v *ProcessCredentialsSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type ProcessPath

// ProcessPath contains a process path in its raw binary representation
// (fixed 256-byte buffer) and as a Go string; UnmarshalBinary populates it.
type ProcessPath struct {
	PathRaw [256]byte
	Path    string
}

ProcessPath contains a process path as its binary representation

func (*ProcessPath) IsEmpty

func (p *ProcessPath) IsEmpty() bool

IsEmpty returns true if the current instance of ProcessPath is empty

func (*ProcessPath) UnmarshalBinary

func (p *ProcessPath) UnmarshalBinary(data []byte) error

UnmarshalBinary unmarshals a binary representation of a ProcessPath

type ProcessResolver

// ProcessResolver resolves process contexts from a pid-keyed cache.
//
// The embedded RWMutex is exported and guards the cache; do not copy by value.
type ProcessResolver struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

ProcessResolver resolves process contexts

func NewProcessResolver

func NewProcessResolver(probe *Probe, resolvers *Resolvers, client *statsd.Client, opts ProcessResolverOpts) (*ProcessResolver, error)

NewProcessResolver returns a new process resolver

func (*ProcessResolver) AddExecEntry

func (p *ProcessResolver) AddExecEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry

AddExecEntry adds an entry to the local cache and returns the newly created entry

func (*ProcessResolver) AddForkEntry

func (p *ProcessResolver) AddForkEntry(pid uint32, entry *model.ProcessCacheEntry) *model.ProcessCacheEntry

AddForkEntry adds an entry to the local cache and returns the newly created entry

func (*ProcessResolver) DeleteEntry

func (p *ProcessResolver) DeleteEntry(pid uint32, exitTime time.Time)

DeleteEntry tries to delete an entry in the process cache

func (*ProcessResolver) Dump

func (p *ProcessResolver) Dump() (string, error)

Dump creates a temporary file and dumps the cache into it

func (*ProcessResolver) Get

Get returns the cache entry for a specified pid

func (*ProcessResolver) GetCacheSize

func (p *ProcessResolver) GetCacheSize() float64

GetCacheSize returns the cache size of the process resolver

func (*ProcessResolver) GetEntryCacheSize

func (p *ProcessResolver) GetEntryCacheSize() float64

GetEntryCacheSize returns the entry cache size of the process resolver

func (*ProcessResolver) Resolve

func (p *ProcessResolver) Resolve(pid, tid uint32) *model.ProcessCacheEntry

Resolve returns the cache entry for the given pid

func (*ProcessResolver) SendStats

func (p *ProcessResolver) SendStats() error

SendStats sends process resolver metrics

func (*ProcessResolver) SetProcessArgs

func (p *ProcessResolver) SetProcessArgs(pce *model.ProcessCacheEntry)

SetProcessArgs sets the arguments of the cache entry

func (*ProcessResolver) SetProcessContainerPath

func (p *ProcessResolver) SetProcessContainerPath(entry *model.ProcessCacheEntry) string

SetProcessContainerPath resolves container path

func (*ProcessResolver) SetProcessEnvs

func (p *ProcessResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)

SetProcessEnvs sets the environment variables of the cache entry

func (*ProcessResolver) SetProcessPath

func (p *ProcessResolver) SetProcessPath(entry *model.ProcessCacheEntry) (string, error)

SetProcessPath resolves process file path

func (*ProcessResolver) SetTTY

SetTTY resolves the TTY and caches the result

func (*ProcessResolver) Start

func (p *ProcessResolver) Start(ctx context.Context) error

Start starts the resolver

func (*ProcessResolver) SyncCache

func (p *ProcessResolver) SyncCache(proc *process.Process) bool

SyncCache snapshots /proc for the provided pid. This method returns true if it updated the process cache.

func (*ProcessResolver) UpdateArgsEnvs

func (p *ProcessResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)

UpdateArgsEnvs updates arguments or environment variables of the given id

func (*ProcessResolver) UpdateCapset

func (p *ProcessResolver) UpdateCapset(pid uint32, e *Event)

UpdateCapset updates the credentials of the provided pid

func (*ProcessResolver) UpdateGID

func (p *ProcessResolver) UpdateGID(pid uint32, e *Event)

UpdateGID updates the credentials of the provided pid

func (*ProcessResolver) UpdateUID

func (p *ProcessResolver) UpdateUID(pid uint32, e *Event)

UpdateUID updates the credentials of the provided pid

type ProcessResolverOpts

// ProcessResolverOpts holds the options of the process resolver; build it with
// NewProcessResolverOpts.
type ProcessResolverOpts struct {
	DebugCacheSize bool // enable cache size debugging (see GetCacheSize/GetEntryCacheSize)
}

ProcessResolverOpts holds the options of the process resolver

func NewProcessResolverOpts

func NewProcessResolverOpts(debug bool, cookieCacheSize int) ProcessResolverOpts

NewProcessResolverOpts returns a new set of process resolver options

type ProcessSyscall

// ProcessSyscall represents a syscall made by a process; IsNull reports an
// empty instance and UnmarshalBinary fills one from its binary form.
type ProcessSyscall struct {
	Process string
	Pid     uint32
	ID      uint32 // syscall number — presumably; confirm with UnmarshalBinary
}

ProcessSyscall represents a syscall made by a process

func (*ProcessSyscall) IsNull

func (p *ProcessSyscall) IsNull() bool

IsNull returns true if a ProcessSyscall instance is empty

func (*ProcessSyscall) UnmarshalBinary

func (p *ProcessSyscall) UnmarshalBinary(data []byte) error

UnmarshalBinary unmarshals a binary representation of a ProcessSyscall

type ReOrderer

// ReOrderer re-orders events coming from the perf ring before handing them to
// the handler passed to NewReOrderer.
type ReOrderer struct {
	// Metrics publishes ReOrdererMetric samples; the sampling interval is
	// ReOrdererOpts.MetricRate.
	Metrics chan ReOrdererMetric
	// contains filtered or unexported fields
}

ReOrderer defines an event re-orderer

func NewReOrderer

func NewReOrderer(handler func(cpu uint64, data []byte), extractInfo func(data []byte) (uint64, uint64, error), opts ReOrdererOpts) *ReOrderer

NewReOrderer returns a new ReOrderer

func (*ReOrderer) HandleEvent

func (r *ReOrderer) HandleEvent(CPU int, data []byte, perfMap *manager.PerfMap, manager *manager.Manager)

HandleEvent handles an event from the perf ring

func (*ReOrderer) Start

func (r *ReOrderer) Start(ctx context.Context)

Start starts the event handler loop

type ReOrdererMetric

// ReOrdererMetric holds one sample of reordering metrics, published on
// ReOrderer.Metrics.
type ReOrdererMetric struct {
	TotalOp    uint64
	TotalDepth uint64
	QueueSize  uint64
}

ReOrdererMetric holds reordering metrics

type ReOrdererOpts

// ReOrdererOpts holds the options to pass when creating a new ReOrderer.
type ReOrdererOpts struct {
	QueueSize  uint64        // size of the chan where the perf data are pushed
	Rate       time.Duration // delay between two time based iterations
	Retention  uint64        // bucket to keep before dequeueing
	MetricRate time.Duration // delay between two metric samples
}

ReOrdererOpts holds the options to pass when creating a new instance of ReOrderer

type ReordererMonitor

// ReordererMonitor collects reorderer statistics; create it with NewReOrderMonitor.
type ReordererMonitor struct {
	// contains filtered or unexported fields
}

ReordererMonitor represents a reorderer monitor

func NewReOrderMonitor

func NewReOrderMonitor(p *Probe, client *statsd.Client) (*ReordererMonitor, error)

NewReOrderMonitor instantiates a new reorder statistics counter

func (*ReordererMonitor) Start

func (r *ReordererMonitor) Start(ctx context.Context)

Start starts the reorderer monitor

type Report

// Report maps event types to their policy reports.
type Report struct {
	Policies map[string]*PolicyReport // keyed by event type
}

Report describes the event types and their associated policy reports

func NewReport

func NewReport() *Report

NewReport returns a new report

type Reporter

// Reporter records policy application (SetApprovers/SetFilterPolicy) and
// exposes the result through GetReport.
type Reporter struct {
	// contains filtered or unexported fields
}

Reporter describes a reporter of policy application

func NewReporter

func NewReporter() *Reporter

NewReporter instantiates a new reporter

func (*Reporter) GetReport

func (r *Reporter) GetReport() *Report

GetReport returns the report

func (*Reporter) SetApprovers

func (r *Reporter) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error

SetApprovers is called when approvers are applied for an event type

func (*Reporter) SetFilterPolicy

func (r *Reporter) SetFilterPolicy(eventType eval.EventType, mode PolicyMode, flags PolicyFlag) error

SetFilterPolicy is called when a passing policy for an event type is applied

type Resolvers

// Resolvers holds the event attribute resolvers used to enrich raw kernel
// events (paths, mounts, containers, time, processes, users/groups).
type Resolvers struct {
	DentryResolver    *DentryResolver
	MountResolver     *MountResolver
	ContainerResolver *ContainerResolver
	TimeResolver      *TimeResolver
	ProcessResolver   *ProcessResolver
	UserGroupResolver *UserGroupResolver
	// contains filtered or unexported fields
}

Resolvers holds the list of the event attribute resolvers

func NewResolvers

func NewResolvers(probe *Probe, client *statsd.Client) (*Resolvers, error)

NewResolvers creates a new instance of Resolvers

func (*Resolvers) ResolveCredentialsEGroup

func (r *Resolvers) ResolveCredentialsEGroup(e *model.Credentials) string

ResolveCredentialsEGroup resolves the effective group id of the process to a group name

func (*Resolvers) ResolveCredentialsEUser

func (r *Resolvers) ResolveCredentialsEUser(e *model.Credentials) string

ResolveCredentialsEUser resolves the effective user id of the process to a username

func (*Resolvers) ResolveCredentialsFSGroup

func (r *Resolvers) ResolveCredentialsFSGroup(e *model.Credentials) string

ResolveCredentialsFSGroup resolves the file-system group id of the process to a group name

func (*Resolvers) ResolveCredentialsFSUser

func (r *Resolvers) ResolveCredentialsFSUser(e *model.Credentials) string

ResolveCredentialsFSUser resolves the file-system user id of the process to a username

func (*Resolvers) ResolveCredentialsGroup

func (r *Resolvers) ResolveCredentialsGroup(e *model.Credentials) string

ResolveCredentialsGroup resolves the group id of the process to a group name

func (*Resolvers) ResolveCredentialsUser

func (r *Resolvers) ResolveCredentialsUser(e *model.Credentials) string

ResolveCredentialsUser resolves the user id of the process to a username

func (*Resolvers) ResolveGroup

func (r *Resolvers) ResolveGroup(e *model.FileFields) string

ResolveGroup resolves the group id of the file to a group name

func (*Resolvers) ResolveInode

func (r *Resolvers) ResolveInode(e *model.FileEvent) string

ResolveInode resolves the inode to a full path and returns it. Note that the signature returns only the path; the "true if it was entirely resolved" status mentioned here is not part of the return value.

func (*Resolvers) ResolveProcessContextGroup

func (r *Resolvers) ResolveProcessContextGroup(p *model.ProcessContext) string

ResolveProcessContextGroup resolves the group id of the process to a group name

func (*Resolvers) ResolveProcessContextUser

func (r *Resolvers) ResolveProcessContextUser(p *model.ProcessContext) string

ResolveProcessContextUser resolves the user id of the process to a username

func (*Resolvers) ResolveUser

func (r *Resolvers) ResolveUser(e *model.FileFields) string

ResolveUser resolves the user id of the file to a username

func (*Resolvers) Snapshot

func (r *Resolvers) Snapshot() error

Snapshot collects data on the current state of the system to populate user space and kernel space caches.

func (*Resolvers) Start

func (r *Resolvers) Start(ctx context.Context) error

Start starts the resolvers

type RuleIgnored

// RuleIgnored describes a rule that was ignored while loading a policy, and why.
//
// easyjson:json
type RuleIgnored struct {
	ID         string `json:"id"`
	Version    string `json:"version,omitempty"`
	Expression string `json:"expression"`
	Reason     string `json:"reason"`
}

RuleIgnored defines an ignored rule (easyjson:json)

func (RuleIgnored) MarshalEasyJSON

func (v RuleIgnored) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (RuleIgnored) MarshalJSON

func (v RuleIgnored) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*RuleIgnored) UnmarshalEasyJSON

func (v *RuleIgnored) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*RuleIgnored) UnmarshalJSON

func (v *RuleIgnored) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type RuleLoaded

// RuleLoaded describes a rule that was successfully loaded from a policy.
//
// easyjson:json
type RuleLoaded struct {
	ID         string `json:"id"`
	Version    string `json:"version,omitempty"`
	Expression string `json:"expression"`
}

RuleLoaded defines a loaded rule (easyjson:json)

func (RuleLoaded) MarshalEasyJSON

func (v RuleLoaded) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (RuleLoaded) MarshalJSON

func (v RuleLoaded) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*RuleLoaded) UnmarshalEasyJSON

func (v *RuleLoaded) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*RuleLoaded) UnmarshalJSON

func (v *RuleLoaded) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type RuleSetApplier

// RuleSetApplier defines a rule set applier. It applies rules using an
// Applier; Apply is the entry point and returns the resulting policy report.
type RuleSetApplier struct {
	// contains filtered or unexported fields
}

RuleSetApplier defines a rule set applier. It applies rules using an Applier

func NewRuleSetApplier

func NewRuleSetApplier(cfg *config.Config, probe *Probe) *RuleSetApplier

NewRuleSetApplier returns a new RuleSetApplier

func (*RuleSetApplier) Apply

func (rsa *RuleSetApplier) Apply(rs *rules.RuleSet, approvers map[eval.EventType]rules.Approvers) (*Report, error)

Apply sets up the filters for the provided set of rules and returns the policy report.

type RulesetLoadedEvent

// RulesetLoadedEvent is used to report that a new ruleset was loaded.
type RulesetLoadedEvent struct {
	// Timestamp of the load; serialized under the JSON key "date".
	Timestamp       time.Time        `json:"date"`
	// PoliciesLoaded lists the policies that were loaded.
	PoliciesLoaded  []*PolicyLoaded  `json:"policies"`
	// PoliciesIgnored lists policies that were ignored; omitted from JSON when nil.
	PoliciesIgnored *PoliciesIgnored `json:"policiesIgnored,omitempty"`
	// MacrosLoaded lists the identifiers of the macros that were loaded.
	MacrosLoaded    []rules.MacroID  `json:"macrosLoaded"`
}

RulesetLoadedEvent is used to report that a new ruleset was loaded easyjson:json

func (RulesetLoadedEvent) MarshalEasyJSON

func (v RulesetLoadedEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (RulesetLoadedEvent) MarshalJSON

func (v RulesetLoadedEvent) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*RulesetLoadedEvent) UnmarshalEasyJSON

func (v *RulesetLoadedEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*RulesetLoadedEvent) UnmarshalJSON

func (v *RulesetLoadedEvent) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type SetgidSerializer

// SetgidSerializer serializes a setgid event: the real, effective and
// filesystem group ids, each with an optional resolved group name.
type SetgidSerializer struct {
	// GID is the real group id.
	GID     int    `json:"gid"`
	// Group is the name for GID, if resolved; omitted from JSON when empty.
	Group   string `json:"group,omitempty"`
	// EGID is the effective group id.
	EGID    int    `json:"egid"`
	// EGroup is the name for EGID, if resolved; omitted from JSON when empty.
	EGroup  string `json:"egroup,omitempty"`
	// FSGID is the filesystem group id.
	FSGID   int    `json:"fsgid"`
	// FSGroup is the name for FSGID, if resolved; omitted from JSON when empty.
	FSGroup string `json:"fsgroup,omitempty"`
}

SetgidSerializer serializes a setgid event easyjson:json

func (SetgidSerializer) MarshalEasyJSON

func (v SetgidSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (SetgidSerializer) MarshalJSON

func (v SetgidSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*SetgidSerializer) UnmarshalEasyJSON

func (v *SetgidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*SetgidSerializer) UnmarshalJSON

func (v *SetgidSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type SetuidSerializer

// SetuidSerializer serializes a setuid event: the real, effective and
// filesystem user ids, each with an optional resolved username.
type SetuidSerializer struct {
	// UID is the real user id.
	UID    int    `json:"uid"`
	// User is the name for UID, if resolved; omitted from JSON when empty.
	User   string `json:"user,omitempty"`
	// EUID is the effective user id.
	EUID   int    `json:"euid"`
	// EUser is the name for EUID, if resolved; omitted from JSON when empty.
	EUser  string `json:"euser,omitempty"`
	// FSUID is the filesystem user id.
	FSUID  int    `json:"fsuid"`
	// FSUser is the name for FSUID, if resolved; omitted from JSON when empty.
	FSUser string `json:"fsuser,omitempty"`
}

SetuidSerializer serializes a setuid event easyjson:json

func (SetuidSerializer) MarshalEasyJSON

func (v SetuidSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (SetuidSerializer) MarshalJSON

func (v SetuidSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*SetuidSerializer) UnmarshalEasyJSON

func (v *SetuidSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*SetuidSerializer) UnmarshalJSON

func (v *SetuidSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type Syscall

// Syscall represents a syscall identifier. Values are assigned consecutively
// by the Sys* const block, starting at SysRead = 0.
type Syscall int

Syscall represents a syscall identifier

// Linux syscall identifiers, numbered consecutively from SysRead = 0.
// NOTE(review): the order (read, write, open, close, stat, ...) looks like the
// x86_64 syscall table — confirm. Other architectures number syscalls
// differently, so a raw syscall number taken from the kernel should only be
// mapped through this table when the architecture matches; otherwise
// syscall statistics would be attributed to the wrong syscall name.
const (
	SysRead Syscall = iota
	SysWrite
	SysOpen
	SysClose
	SysStat
	SysFstat
	SysLstat
	SysPoll
	SysLseek
	SysMmap
	SysMprotect
	SysMunmap
	SysBrk
	SysRtSigaction
	SysRtSigprocmask
	SysRtSigreturn
	SysIoctl
	SysPread64
	SysPwrite64
	SysReadv
	SysWritev
	SysAccess
	SysPipe
	SysSelect
	SysSchedYield
	SysMremap
	SysMsync
	SysMincore
	SysMadvise
	SysShmget
	SysShmat
	SysShmctl
	SysDup
	SysDup2
	SysPause
	SysNanosleep
	SysGetitimer
	SysAlarm
	SysSetitimer
	SysGetpid
	SysSendfile
	SysSocket
	SysConnect
	SysAccept
	SysSendto
	SysRecvfrom
	SysSendmsg
	SysRecvmsg
	SysShutdown
	SysBind
	SysListen
	SysGetsockname
	SysGetpeername
	SysSocketpair
	SysSetsockopt
	SysGetsockopt
	SysClone
	SysFork
	SysVfork
	SysExecve
	SysExit
	SysWait4
	SysKill
	SysUname
	SysSemget
	SysSemop
	SysSemctl
	SysShmdt
	SysMsgget
	SysMsgsnd
	SysMsgrcv
	SysMsgctl
	SysFcntl
	SysFlock
	SysFsync
	SysFdatasync
	SysTruncate
	SysFtruncate
	SysGetdents
	SysGetcwd
	SysChdir
	SysFchdir
	SysRename
	SysMkdir
	SysRmdir
	SysCreat
	SysLink
	SysUnlink
	SysSymlink
	SysReadlink
	SysChmod
	SysFchmod
	SysChown
	SysFchown
	SysLchown
	SysUmask
	SysGettimeofday
	SysGetrlimit
	SysGetrusage
	SysSysinfo
	SysTimes
	SysPtrace
	SysGetuid
	SysSyslog
	SysGetgid
	SysSetuid
	SysSetgid
	SysGeteuid
	SysGetegid
	SysSetpgid
	SysGetppid
	SysGetpgrp
	SysSetsid
	SysSetreuid
	SysSetregid
	SysGetgroups
	SysSetgroups
	SysSetresuid
	SysGetresuid
	SysSetresgid
	SysGetresgid
	SysGetpgid
	SysSetfsuid
	SysSetfsgid
	SysGetsid
	SysCapget
	SysCapset
	SysRtSigpending
	SysRtSigtimedwait
	SysRtSigqueueinfo
	SysRtSigsuspend
	SysSigaltstack
	SysUtime
	SysMknod
	SysUselib
	SysPersonality
	SysUstat
	SysStatfs
	SysFstatfs
	SysSysfs
	SysGetpriority
	SysSetpriority
	SysSchedSetparam
	SysSchedGetparam
	SysSchedSetscheduler
	SysSchedGetscheduler
	SysSchedGetPriorityMax
	SysSchedGetPriorityMin
	SysSchedRrGetInterval
	SysMlock
	SysMunlock
	SysMlockall
	SysMunlockall
	SysVhangup
	SysModifyLdt
	SysPivotRoot
	SysSysctl
	SysPrctl
	SysArchPrctl
	SysAdjtimex
	SysSetrlimit
	SysChroot
	SysSync
	SysAcct
	SysSettimeofday
	SysMount
	SysUmount2
	SysSwapon
	SysSwapoff
	SysReboot
	SysSethostname
	SysSetdomainname
	SysIopl
	SysIoperm
	SysCreateModule
	SysInitModule
	SysDeleteModule
	SysGetKernelSyms
	SysQueryModule
	SysQuotactl
	SysNfsservctl
	SysGetpmsg
	SysPutpmsg
	SysAfsSyscall
	SysTuxcall
	SysSecurity
	SysGettid
	SysReadahead
	SysSetxattr
	SysLsetxattr
	SysFsetxattr
	SysGetxattr
	SysLgetxattr
	SysFgetxattr
	SysListxattr
	SysLlistxattr
	SysFlistxattr
	SysRemovexattr
	SysLremovexattr
	SysFremovexattr
	SysTkill
	SysTime
	SysFutex
	SysSchedSetaffinity
	SysSchedGetaffinity
	SysSetThreadArea
	SysIoSetup
	SysIoDestroy
	SysIoGetevents
	SysIoSubmit
	SysIoCancel
	SysGetThreadArea
	SysLookupDcookie
	SysEpollCreate
	SysEpollCtlOld
	SysEpollWaitOld
	SysRemapFilePages
	SysGetdents64
	SysSetTidAddress
	SysRestartSyscall
	SysSemtimedop
	SysFadvise64
	SysTimerCreate
	SysTimerSettime
	// NOTE(review): this identifier looks garbled; by position it sits between
	// timer_settime and timer_getoverrun, so it is probably timer_gettime — confirm.
	// It is exported, so renaming it would be an API change.
	SysTimersysReadGettime
	SysTimerGetoverrun
	SysTimerDelete
	SysClockSettime
	SysClockGettime
	SysClockGetres
	SysClockNanosleep
	SysExitGroup
	SysEpollWait
	SysEpollCtl
	SysTgkill
	SysUtimes
	SysVserver
	SysMbind
	SysSetMempolicy
	SysGetMempolicy
	SysMqOpen
	SysMqUnlink
	SysMqTimedsend
	SysMqTimedreceive
	SysMqNotify
	SysMqGetsetattr
	SysKexecLoad
	SysWaitid
	SysAddKey
	SysRequestKey
	SysKeyctl
	SysIoprioSet
	SysIoprioGet
	SysInotifyInit
	SysInotifyAddWatch
	SysInotifyRmWatch
	SysMigratePages
	SysOpenat
	SysMkdirat
	SysMknodat
	SysFchownat
	SysFutimesat
	SysNewfstatat
	SysUnlinkat
	SysRenameat
	SysLinkat
	SysSymlinkat
	SysReadlinkat
	SysFchmodat
	SysFaccessat
	SysPselect6
	SysPpoll
	SysUnshare
	SysSetRobustList
	SysGetRobustList
	SysSplice
	SysTee
	SysSyncFileRange
	SysVmsplice
	SysMovePages
	SysUtimensat
	SysEpollPwait
	SysSignalfd
	SysTimerfdCreate
	SysEventfd
	SysFallocate
	SysTimerfdSettime
	SysTimerfdGettime
	SysAccept4
	SysSignalfd4
	SysEventfd2
	SysEpollCreate1
	SysDup3
	SysPipe2
	SysInotifyInit1
	SysPreadv
	SysPwritev
	SysRtTgsigqueueinfo
	SysPerfEventOpen
	SysRecvmmsg
	SysFanotifyInit
	SysFanotifyMark
	SysPrlimit64
)

Linux syscall identifiers

func (Syscall) MarshalText

func (s Syscall) MarshalText() ([]byte, error)

MarshalText maps the syscall identifier to UTF-8-encoded text and returns the result

func (Syscall) String

func (i Syscall) String() string

type SyscallMonitor

// SyscallMonitor monitors syscalls using eBPF maps filled by kernel
// tracepoints. Statistics are read back through CollectStats or GetStats and
// exported with SendStats.
type SyscallMonitor struct {
	// contains filtered or unexported fields
}

SyscallMonitor monitors syscalls using eBPF maps filled using kernel tracepoints

func NewSyscallMonitor

func NewSyscallMonitor(manager *manager.Manager) (*SyscallMonitor, error)

NewSyscallMonitor instantiates a new syscall monitor

func (*SyscallMonitor) CollectStats

func (sm *SyscallMonitor) CollectStats(collector SyscallStatsCollector) error

CollectStats fetches the syscall statistics from the eBPF maps

func (*SyscallMonitor) GetStats

func (sm *SyscallMonitor) GetStats() (*SyscallStats, error)

GetStats returns the syscall statistics

func (*SyscallMonitor) SendStats

func (sm *SyscallMonitor) SendStats(statsdClient *statsd.Client) error

SendStats sends the syscall statistics to statsd

type SyscallStats

// SyscallStats collects syscall statistics and stores them in memory.
// The outer key is the syscall; the inner key is a string — presumably the
// process name passed to CountSyscall, confirm — mapping to a call count.
type SyscallStats map[Syscall]map[string]uint64

SyscallStats collects syscall statistics and stores them in memory

func (*SyscallStats) CountConcurrentSyscalls

func (s *SyscallStats) CountConcurrentSyscalls(count int64) error

CountConcurrentSyscalls counts the number of syscalls that are currently being executed

func (*SyscallStats) CountExec

func (s *SyscallStats) CountExec(process string, count uint64) error

CountExec counts the number of times a process was executed

func (*SyscallStats) CountSyscall

func (s *SyscallStats) CountSyscall(process string, syscallID Syscall, count uint64) error

CountSyscall counts the number of calls of a syscall by a process

type SyscallStatsCollector

// SyscallStatsCollector is the interface implemented by an object that
// collects syscall statistics. SyscallStats and SyscallStatsdCollector both
// provide these methods.
type SyscallStatsCollector interface {
	// CountSyscall counts the number of calls of a syscall by a process.
	CountSyscall(process string, syscallID Syscall, count uint64) error
	// CountExec counts the number of times a process was executed.
	CountExec(process string, count uint64) error
	// CountConcurrentSyscalls counts the syscalls currently being executed.
	CountConcurrentSyscalls(count int64) error
}

SyscallStatsCollector is the interface implemented by an object that collects syscall statistics

type SyscallStatsdCollector

// SyscallStatsdCollector collects syscall statistics and sends them to statsd.
// It implements SyscallStatsCollector.
type SyscallStatsdCollector struct {
	// contains filtered or unexported fields
}

SyscallStatsdCollector collects syscall statistics and sends them to statsd

func (*SyscallStatsdCollector) CountConcurrentSyscalls

func (s *SyscallStatsdCollector) CountConcurrentSyscalls(count int64) error

CountConcurrentSyscalls counts the number of syscalls that are currently being executed

func (*SyscallStatsdCollector) CountExec

func (s *SyscallStatsdCollector) CountExec(process string, count uint64) error

CountExec counts the number of times a process was executed

func (*SyscallStatsdCollector) CountSyscall

func (s *SyscallStatsdCollector) CountSyscall(process string, syscallID Syscall, count uint64) error

CountSyscall counts the number of calls of a syscall by a process

type TimeResolver

// TimeResolver converts kernel monotonic timestamps to absolute times
// (ResolveMonotonicTimestamp) and absolute times back to monotonic
// timestamps (ComputeMonotonicTimestamp).
type TimeResolver struct {
	// contains filtered or unexported fields
}

TimeResolver converts kernel monotonic timestamps to absolute times

func NewTimeResolver

func NewTimeResolver() (*TimeResolver, error)

NewTimeResolver returns a new time resolver

func (*TimeResolver) ComputeMonotonicTimestamp

func (tr *TimeResolver) ComputeMonotonicTimestamp(timestamp time.Time) int64

ComputeMonotonicTimestamp converts an absolute time to a kernel monotonic timestamp

func (*TimeResolver) ResolveMonotonicTimestamp

func (tr *TimeResolver) ResolveMonotonicTimestamp(timestamp uint64) time.Time

ResolveMonotonicTimestamp converts a kernel monotonic timestamp to an absolute time

type UserContextSerializer

// UserContextSerializer serializes a user context to JSON.
type UserContextSerializer struct {
	// User is emitted under the JSON key "id" (not "user"); note the asymmetry
	// with Group when matching on field names downstream. Omitted when empty.
	User  string `json:"id,omitempty"`
	// Group is emitted under the JSON key "group"; omitted when empty.
	Group string `json:"group,omitempty"`
}

UserContextSerializer serializes a user context to JSON easyjson:json

func (UserContextSerializer) MarshalEasyJSON

func (v UserContextSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (UserContextSerializer) MarshalJSON

func (v UserContextSerializer) MarshalJSON() ([]byte, error)

MarshalJSON supports json.Marshaler interface

func (*UserContextSerializer) UnmarshalEasyJSON

func (v *UserContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

func (*UserContextSerializer) UnmarshalJSON

func (v *UserContextSerializer) UnmarshalJSON(data []byte) error

UnmarshalJSON supports json.Unmarshaler interface

type UserGroupResolver

// UserGroupResolver resolves user and group ids to names, via ResolveUser
// and ResolveGroup respectively.
type UserGroupResolver struct {
	// contains filtered or unexported fields
}

UserGroupResolver resolves user and group ids to names

func NewUserGroupResolver

func NewUserGroupResolver() (*UserGroupResolver, error)

NewUserGroupResolver instantiates a new user and group resolver

func (*UserGroupResolver) ResolveGroup

func (r *UserGroupResolver) ResolveGroup(gid int) (string, error)

ResolveGroup resolves a group id to a group name

func (*UserGroupResolver) ResolveUser

func (r *UserGroupResolver) ResolveUser(uid int) (string, error)

ResolveUser resolves a user id to a username
