Documentation
¶
Overview ¶
Package trace defines the public types exported through the EBPF code and produced outwards from tracee-ebpf
Package trace defines the public types exported through the EBPF code and produced outwards from tracee-ebpf
Index ¶
- Constants
- type ArgMeta
- type Argument
- type Container
- type ContextFlags
- type DnsAnswer
- type DnsQueryData
- type DnsResponseData
- type Event
- type EventOrigin
- type File
- type HiddenKernelModule
- type HookedSymbolData
- type KernelReadType
- type Kubernetes
- type MemProtAlert
- type Metadata
- type PacketDirection
- type PacketMetadata
- type PktMeta
- type ProtoDNS
- type ProtoDNSMX
- type ProtoDNSOPT
- type ProtoDNSQuestion
- type ProtoDNSResourceRecord
- type ProtoDNSSOA
- type ProtoDNSSRV
- type ProtoDNSURI
- type ProtoHTTP
- type ProtoHTTPRequest
- type ProtoHTTPResponse
- type ProtoICMP
- type ProtoICMPv6
- type ProtoIPv4
- type ProtoIPv6
- type ProtoTCP
- type ProtoUDP
- type SlimCred
Constants ¶
View Source
const (
EventSource = "tracee"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Argument ¶
type Argument struct {
ArgMeta
Value interface{} `json:"value"`
}
Argument holds the information for one argument
func (*Argument) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface. All the values in this function should be supported in finding.go in the `getCType` function and vice versa.
type ContextFlags ¶
type ContextFlags struct {
ContainerStarted bool `json:"containerStarted"`
IsCompat bool `json:"isCompat"`
}
ContextFlags are flags representing event context
type DnsQueryData ¶
type DnsResponseData ¶
type DnsResponseData struct {
QueryData DnsQueryData `json:"query_data"`
DnsAnswer []DnsAnswer `json:"dns_answer"`
}
type Event ¶
type Event struct {
Timestamp int `json:"timestamp"`
ThreadStartTime int `json:"threadStartTime"`
ProcessorID int `json:"processorId"`
ProcessID int `json:"processId"`
CgroupID uint `json:"cgroupId"`
ThreadID int `json:"threadId"`
ParentProcessID int `json:"parentProcessId"`
HostProcessID int `json:"hostProcessId"`
HostThreadID int `json:"hostThreadId"`
HostParentProcessID int `json:"hostParentProcessId"`
UserID int `json:"userId"`
MountNS int `json:"mountNamespace"`
PIDNS int `json:"pidNamespace"`
ProcessName string `json:"processName"`
Executable File `json:"executable"`
HostName string `json:"hostName"`
ContainerID string `json:"containerId"`
Container Container `json:"container,omitempty"`
Kubernetes Kubernetes `json:"kubernetes,omitempty"`
EventID int `json:"eventId,string"`
EventName string `json:"eventName"`
PoliciesVersion uint16 `json:"-"`
MatchedPoliciesKernel uint64 `json:"-"`
MatchedPoliciesUser uint64 `json:"-"`
MatchedPolicies []string `json:"matchedPolicies,omitempty"`
ArgsNum int `json:"argsNum"`
ReturnValue int `json:"returnValue"`
Syscall string `json:"syscall"`
StackAddresses []uint64 `json:"stackAddresses"`
ContextFlags ContextFlags `json:"contextFlags"`
ThreadEntityId uint32 `json:"threadEntityId"` // thread task unique identifier (*)
ProcessEntityId uint32 `json:"processEntityId"` // process unique identifier (*)
ParentEntityId uint32 `json:"parentEntityId"` // parent process unique identifier (*)
Args []Argument `json:"args"` // args are ordered according their appearance in the original event
Metadata *Metadata `json:"metadata,omitempty"`
}
Event is a single result of an ebpf event process. It is used as a payload later delivered to tracee-rules.
func (Event) Origin ¶
func (e Event) Origin() EventOrigin
Origin derive the EventOrigin of a trace.Event
func (Event) ToProtocol ¶
Converts a trace.Event into a protocol.Event that the rules engine can consume
type EventOrigin ¶
type EventOrigin string
EventOrigin is where a trace.Event occured, it can either be from the host machine or from a container
const ( ContainerOrigin EventOrigin = "container" // Events originated from within a container, starting with the entry-point execution HostOrigin EventOrigin = "host" // Events originated from the host ContainerInitOrigin EventOrigin = "container-init" // Events originated from within container, before entry-point execution )
type HiddenKernelModule ¶
type HookedSymbolData ¶
type KernelReadType ¶
type KernelReadType int
const ( KernelReadUnknown KernelReadType = iota KernelReadFirmware KernelReadKernelModule KernelReadKExecImage KernelReadKExecInitRAMFS KernelReadSecurityPolicy KernelReadx509Certificate )
func (KernelReadType) String ¶
func (readType KernelReadType) String() string
type Kubernetes ¶
type MemProtAlert ¶
type MemProtAlert uint32
MemProtAlert is an enum of possible messages that can be sent by an event to pass some extra information about the event.
const ( ProtAlertUnknown MemProtAlert = iota ProtAlertMmapWX ProtAlertMprotectToX ProtAlertMprotectXToWX ProtAlertMprotectWXToX ProtAlertLast )
func (MemProtAlert) String ¶
func (alert MemProtAlert) String() string
type Metadata ¶
type Metadata struct {
Version string
Description string
Tags []string
Properties map[string]interface{}
}
Metadata is a struct that holds metadata about an event
type PacketDirection ¶
type PacketDirection uint8
const ( InvalidPacketDirection PacketDirection = iota PacketIngress PacketEgress )
func (*PacketDirection) String ¶
func (dir *PacketDirection) String() string
type PacketMetadata ¶
type PacketMetadata struct {
Direction PacketDirection `json:"direction"`
}
TODO: move all ip and port arguments from packet events here This can be done once this struct is filterable. In order to filter structs the move to the new event structure (from protobuf) will need to be done (see issue #2870). Once it is done, cel-go filtering can be added for struct fields.
type ProtoDNS ¶
type ProtoDNS struct {
ID uint16 `json:"ID"`
QR uint8 `json:"QR"`
OpCode string `json:"opCode"`
AA uint8 `json:"AA"`
TC uint8 `json:"TC"`
RD uint8 `json:"RD"`
RA uint8 `json:"RA"`
Z uint8 `json:"Z"`
ResponseCode string `json:"responseCode"`
QDCount uint16 `json:"QDCount"`
ANCount uint16 `json:"ANCount"`
NSCount uint16 `json:"NSCount"`
ARCount uint16 `json:"ARCount"`
Questions []ProtoDNSQuestion `json:"questions"`
Answers []ProtoDNSResourceRecord `json:"answers"`
Authorities []ProtoDNSResourceRecord `json:"authorities"`
Additionals []ProtoDNSResourceRecord `json:"additionals"`
}
type ProtoDNSMX ¶
type ProtoDNSOPT ¶
type ProtoDNSQuestion ¶
type ProtoDNSResourceRecord ¶
type ProtoDNSResourceRecord struct {
Name string `json:"name"`
Type string `json:"type"`
Class string `json:"class"`
TTL uint32 `json:"TTL"`
IP string `json:"IP"`
NS string `json:"NS"`
CNAME string `json:"CNAME"`
PTR string `json:"PTR"`
TXTs []string `json:"TXTs"`
SOA ProtoDNSSOA `json:"SOA"`
SRV ProtoDNSSRV `json:"SRV"`
MX ProtoDNSMX `json:"MX"`
OPT []ProtoDNSOPT `json:"OPT"`
URI ProtoDNSURI `json:"URI"`
TXT string `json:"TXT"`
}
type ProtoDNSSOA ¶
type ProtoDNSSRV ¶
type ProtoDNSURI ¶
type ProtoHTTP ¶
type ProtoHTTP struct {
Direction string `json:"direction"`
Method string `json:"method"`
Protocol string `json:"protocol"`
Host string `json:"host"`
URIPath string `json:"uri_path"`
Status string `json:"status"`
StatusCode int `json:"status_code"`
Headers http.Header `json:"headers"`
ContentLength int64 `json:"content_length"`
}
type ProtoHTTPRequest ¶
type ProtoHTTPResponse ¶
type ProtoICMPv6 ¶
type ProtoIPv4 ¶
type ProtoIPv4 struct {
Version uint8 `json:"version"`
IHL uint8 `json:"IHL"`
TOS uint8 `json:"TOS"`
Length uint16 `json:"length"`
Id uint16 `json:"id"`
Flags uint8 `json:"flags"`
FragOffset uint16 `json:"fragOffset"`
TTL uint8 `json:"TTL"`
Protocol string `json:"protocol"`
Checksum uint16 `json:"checksum"`
SrcIP string `json:"srcIP"`
DstIP string `json:"dstIP"`
}
type ProtoTCP ¶
type ProtoTCP struct {
SrcPort uint16 `json:"srcPort"`
DstPort uint16 `json:"dstPort"`
Seq uint32 `json:"seq"`
Ack uint32 `json:"ack"`
DataOffset uint8 `json:"dataOffset"`
FIN uint8 `json:"FIN"`
SYN uint8 `json:"SYN"`
RST uint8 `json:"RST"`
PSH uint8 `json:"PSH"`
ACK uint8 `json:"ACK"`
URG uint8 `json:"URG"`
ECE uint8 `json:"ECE"`
CWR uint8 `json:"CWR"`
NS uint8 `json:"NS"`
Window uint16 `json:"window"`
Checksum uint16 `json:"checksum"`
Urgent uint16 `json:"urgent"`
}
type SlimCred ¶
type SlimCred struct {
Uid uint32 /* real UID of the task */
Gid uint32 /* real GID of the task */
Suid uint32 /* saved UID of the task */
Sgid uint32 /* saved GID of the task */
Euid uint32 /* effective UID of the task */
Egid uint32 /* effective GID of the task */
Fsuid uint32 /* UID for VFS ops */
Fsgid uint32 /* GID for VFS ops */
UserNamespace uint32 /* User Namespace of the of the event */
SecureBits uint32 /* SUID-less security management */
CapInheritable uint64 /* caps our children can inherit */
CapPermitted uint64 /* caps we're permitted */
CapEffective uint64 /* caps we can actually use */
CapBounding uint64 /* capability bounding set */
CapAmbient uint64 /* Ambient capability set */
}
SlimCred struct is a slim version of the kernel's cred struct it is used to unmarshal binary data and therefore should match (bit by bit) to the `slim_cred_t` struct in the ebpf code. ANY CHANGE TO THIS STRUCT WILL BE REQUIRED ALSO TO bufferdecoder.SlimCred
Source Files
Click to show internal directories.
Click to hide internal directories.