Documentation
¶
Overview ¶
Package process fetches process and socket information from the operating system. It can find the process owning a network connection.
Index ¶
- Constants
- Variables
- func All() map[int]*Process
- func CleanProcessStorage(activePIDs map[int]struct{})
- func GetPidOfConnection(ctx context.Context, pktInfo *packet.Info) (pid int, connInbound bool, err error)
- func GetProcessGroupID(ctx context.Context, pid int) (int, error)
- func RegisterTagHandler(th TagHandler) error
- func SetDBController(controller *database.Controller)
- type MatchingData
- type Process
- func GetNetworkHost(ctx context.Context, remoteIP net.IP) (process *Process, err error)
- func GetOrFindProcess(ctx context.Context, pid int) (*Process, error)
- func GetProcessByRequestOrigin(ar *api.Request) (*Process, error)
- func GetProcessFromStorage(key string) (*Process, bool)
- func GetProcessWithProfile(ctx context.Context, pid int) (process *Process, err error)
- func GetProcessesWithProfile(ctx context.Context, profileSource profile.ProfileSource, profileID string, ...) []*Process
- func GetSystemProcess(ctx context.Context) *Process
- func GetUnidentifiedProcess(ctx context.Context) *Process
- func GetUnsolicitedProcess(ctx context.Context) *Process
- func (p *Process) CreateProfileCallback() *profile.Profile
- func (p *Process) Delete()
- func (p *Process) Equal(other *Process) bool
- func (p *Process) FindProcessGroupLeader(ctx context.Context) error
- func (p *Process) GetExecHash(algorithm string) (string, error)
- func (p *Process) GetKey() string
- func (p *Process) GetLastSeen() int64
- func (p *Process) GetProfile(ctx context.Context) (changed bool, err error)
- func (p *Process) GetTag(tagID string) (profile.Tag, bool)
- func (p *Process) HasValidPID() bool
- func (p *Process) IsIdentified() bool
- func (p *Process) IsSystemResolver() bool
- func (p *Process) Leader() *Process
- func (p *Process) MatchingData() *MatchingData
- func (p *Process) Profile() *profile.LayeredProfile
- func (p *Process) RefetchProfile(ctx context.Context) error
- func (p *Process) Save()
- func (p *Process) SetLastSeen(lastSeen int64)
- func (p *Process) String() string
- type TagDescription
- type TagHandler
Constants ¶
const ( // SystemProcessID is the PID of the System/Kernel itself. SystemProcessID = 0 // SystemInitID is the PID of the system init process. SystemInitID = 1 )
const ( // UndefinedProcessID is not used by any (virtual) process and signifies that // the PID is unset. UndefinedProcessID = -1 // UnidentifiedProcessID is the PID used for outgoing connections that could // not be attributed to a PID for any reason. UnidentifiedProcessID = -2 // UnsolicitedProcessID is the PID used for incoming connections that could // not be attributed to a PID for any reason. UnsolicitedProcessID = -3 // NetworkHostProcessID is the PID used for requests served to the network. NetworkHostProcessID = -255 )
Variables ¶
var (
CfgOptionEnableProcessDetectionKey = "core/enableProcessDetection"
)
Configuration Keys.
Functions ¶
func CleanProcessStorage ¶
func CleanProcessStorage(activePIDs map[int]struct{})
CleanProcessStorage cleans the storage from old processes.
func GetPidOfConnection ¶ added in v1.2.0
func GetPidOfConnection(ctx context.Context, pktInfo *packet.Info) (pid int, connInbound bool, err error)
GetPidOfConnection returns the PID of the process that owns the described connection. Always returns valid data. Errors are logged and returned for information or special handling purposes.
func GetProcessGroupID ¶ added in v1.6.4
GetProcessGroupID returns the process group ID of the given PID.
func RegisterTagHandler ¶ added in v0.9.9
func RegisterTagHandler(th TagHandler) error
RegisterTagHandler registers a tag handler.
func SetDBController ¶
func SetDBController(controller *database.Controller)
SetDBController sets the database controller and allows the package to push database updates on a save. It must be set by the package that registers the "network" database.
Types ¶
type MatchingData ¶ added in v0.9.9
type MatchingData struct {
// contains filtered or unexported fields
}
MatchingData provides a interface compatible view on the process for profile matching.
func (*MatchingData) Cmdline ¶ added in v0.9.9
func (md *MatchingData) Cmdline() string
Cmdline returns the command line of the process.
func (*MatchingData) Env ¶ added in v0.9.9
func (md *MatchingData) Env() map[string]string
Env returns process.Env.
func (*MatchingData) MatchingPath ¶ added in v0.9.9
func (md *MatchingData) MatchingPath() string
MatchingPath returns process.MatchingPath.
func (*MatchingData) Path ¶ added in v0.9.9
func (md *MatchingData) Path() string
Path returns process.Path.
func (*MatchingData) Tags ¶ added in v0.9.9
func (md *MatchingData) Tags() []profile.Tag
Tags returns process.Tags.
type Process ¶
type Process struct {
record.Base
sync.Mutex
Name string
UserID int
UserName string
UserHome string
Pid int
CreatedAt int64
ParentPid int
ParentCreatedAt int64
LeaderPid int
Path string
ExecName string
Cwd string
CmdLine string
FirstArg string
Env map[string]string
// Tags holds extended information about the (virtual) process, which is used
// to find a profile.
Tags []profile.Tag
// MatchingPath holds an alternative binary path that can be used to find a
// profile.
MatchingPath string
// PrimaryProfileID holds the scoped ID of the primary profile.
PrimaryProfileID string
FirstSeen int64
LastSeen int64
Error string // Cache errors
ExecHashes map[string]string
// contains filtered or unexported fields
}
A Process represents a process running on the operating system.
func GetNetworkHost ¶ added in v0.6.5
GetNetworkHost returns a *Process that represents a host on the network.
func GetOrFindProcess ¶
GetOrFindProcess returns the process for the given PID.
func GetProcessByRequestOrigin ¶ added in v0.9.1
GetProcessByRequestOrigin returns the process that initiated the API request ar.
func GetProcessFromStorage ¶
GetProcessFromStorage returns a process from the internal storage.
func GetProcessWithProfile ¶ added in v1.2.0
GetProcessWithProfile returns the process, including the profile. Always returns valid data. Errors are logged and returned for information or special handling purposes.
func GetProcessesWithProfile ¶ added in v1.6.4
func GetProcessesWithProfile(ctx context.Context, profileSource profile.ProfileSource, profileID string, preferProcessGroupLeader bool) []*Process
GetProcessesWithProfile returns all processes that use the given profile. If preferProcessGroupLeader is set, it returns the process group leader instead, if available.
func GetSystemProcess ¶ added in v0.4.1
GetSystemProcess returns the special process used for the Kernel.
func GetUnidentifiedProcess ¶ added in v0.4.1
GetUnidentifiedProcess returns the special process assigned to non-attributed outgoing connections.
func GetUnsolicitedProcess ¶ added in v0.8.6
GetUnsolicitedProcess returns the special process assigned to non-attributed incoming connections.
func (*Process) CreateProfileCallback ¶ added in v0.9.9
CreateProfileCallback attempts to create a profile on special attributes of the process.
func (*Process) Delete ¶
func (p *Process) Delete()
Delete deletes a process from the storage and propagates the change.
func (*Process) Equal ¶ added in v0.8.13
Equal returns if the two processes are both identified and have the same PID.
func (*Process) FindProcessGroupLeader ¶ added in v1.6.4
FindProcessGroupLeader returns the process that leads the process group. Returns nil when process ID is not valid (or virtual). If the process group leader is found, it is set on the process. If that process does not exist anymore, then the highest existing parent process is returned. If an error occurs, the best match is set.
func (*Process) GetExecHash ¶
GetExecHash returns the hash of the executable with the given algorithm.
func (*Process) GetKey ¶ added in v1.3.4
GetKey returns the key that is used internally to identify the process. The key consists of the PID and the start time of the process as reported by the system.
func (*Process) GetLastSeen ¶ added in v0.6.0
GetLastSeen returns the unix timestamp when the process was last seen.
func (*Process) GetProfile ¶ added in v0.4.0
GetProfile finds and assigns a profile set to the process.
func (*Process) HasValidPID ¶ added in v1.4.4
HasValidPID returns whether the process has valid PID of an actual process.
func (*Process) IsIdentified ¶ added in v0.8.13
IsIdentified returns whether the process has been identified or if it represents some kind of unidentified process.
func (*Process) IsSystemResolver ¶ added in v0.6.7
IsSystemResolver is a shortcut to check if the process is or belongs to the system resolver and needs special handling.
func (*Process) Leader ¶ added in v1.6.4
Leader returns the process group leader that is attached to the process. This will not trigger a new search for the process group leader, it only returns existing data.
func (*Process) MatchingData ¶ added in v0.9.9
func (p *Process) MatchingData() *MatchingData
MatchingData returns the matching data for the process.
func (*Process) Profile ¶ added in v0.4.0
func (p *Process) Profile() *profile.LayeredProfile
Profile returns the assigned layered profile.
func (*Process) RefetchProfile ¶ added in v1.6.0
RefetchProfile removes the profile and finds and assigns a new profile.
func (*Process) Save ¶
func (p *Process) Save()
Save saves the process to the internal state and pushes an update.
func (*Process) SetLastSeen ¶ added in v0.6.0
SetLastSeen sets the unix timestamp when the process was last seen.
type TagDescription ¶ added in v0.9.9
TagDescription describes a tag.
type TagHandler ¶ added in v0.9.9
type TagHandler interface {
// Name returns the tag handler name.
Name() string
// TagDescriptions returns a list of all possible tags and their description
// of this handler.
TagDescriptions() []TagDescription
// AddTags adds tags to the given process.
AddTags(p *Process)
// CreateProfile creates a profile based on the tags of the process.
// Returns nil to skip.
CreateProfile(p *Process) *profile.Profile
}
TagHandler is a collection of process tag related interfaces.
Source Files
Directories