// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
package model
import "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
// EventType describes the type of an event sent from the kernel.
//
// Values below MaxKernelEventType are kernel events; the Custom*EventType
// values declared further down are described in their own comments as events
// reported from user space. The textual form of a value is given by String,
// and ParseEvalEventType / ParseEventTypeStringSlice map names back to values.
type EventType uint32
// Kernel event types are numbered consecutively from 0 by iota. The four
// range aliases (FirstEventType ... LastDiscarderEventType) are declared with
// explicit values but still advance iota, so `CustomLostReadEventType = iota`
// resumes at MaxKernelEventType+5; the four values in between have no case in
// String and therefore render as "unknown".
const (
	// UnknownEventType unknown event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// BPFEventType bpf event
	BPFEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// LoadModuleEventType LoadModule event
	LoadModuleEventType
	// UnloadModuleEventType UnloadModule event
	UnloadModuleEventType
	// SignalEventType Signal event
	SignalEventType
	// SpliceEventType Splice event
	SpliceEventType
	// CgroupTracingEventType is sent when a new cgroup is being traced
	CgroupTracingEventType
	// DNSEventType DNS event
	DNSEventType
	// NetDeviceEventType is sent for events on net devices
	NetDeviceEventType
	// VethPairEventType is sent when a new veth pair is created
	VethPairEventType
	// BindEventType Bind event
	BindEventType
	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
	UnshareMountNsEventType
	// SyscallsEventType Syscalls event
	SyscallsEventType
	// AnomalyDetectionSyscallEventType Anomaly Detection Syscall event
	AnomalyDetectionSyscallEventType
	// MaxKernelEventType is used internally to get the maximum number of kernel events.
	// It is an exclusive upper bound: the kernel-event lookup table built in
	// init iterates over [0, MaxKernelEventType).
	MaxKernelEventType
	// FirstEventType is the first valid event type
	FirstEventType = FileOpenEventType
	// LastEventType is the last valid event type
	// NOTE(review): AnomalyDetectionSyscallEventType is declared after
	// SyscallsEventType and so lies outside [FirstEventType, LastEventType] —
	// confirm this is intended.
	LastEventType = SyscallsEventType
	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType
	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileRemoveXAttrEventType
	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	// (iota here is MaxKernelEventType+5, see the comment on the const block)
	CustomLostReadEventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process
	CustomNoisyProcessEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
	// CustomSelfTestEventType is the custom event used to report the results of a self test run
	CustomSelfTestEventType
	// MaxAllEventType is used internally to get the maximum number of events.
	// Exclusive upper bound used by ParseEvalEventType.
	MaxAllEventType
)
// String returns the textual name of t. It is the inverse of
// ParseEvalEventType and provides the keys of eventTypeStrings.
//
// Every value without an explicit case — UnknownEventType, MaxKernelEventType,
// MaxAllEventType, the unused values between MaxKernelEventType and
// CustomLostReadEventType, and anything out of range — yields "unknown", so a
// caller cannot distinguish UnknownEventType from an unexpected value through
// String alone.
func (t EventType) String() string {
	switch t {
	case FileOpenEventType:
		return "open"
	case FileMkdirEventType:
		return "mkdir"
	case FileLinkEventType:
		return "link"
	case FileRenameEventType:
		return "rename"
	case FileUnlinkEventType:
		return "unlink"
	case FileRmdirEventType:
		return "rmdir"
	case FileChmodEventType:
		return "chmod"
	case FileChownEventType:
		return "chown"
	case FileUtimesEventType:
		return "utimes"
	case FileMountEventType:
		return "mount"
	case FileUmountEventType:
		return "umount"
	case FileSetXAttrEventType:
		return "setxattr"
	case FileRemoveXAttrEventType:
		return "removexattr"
	case ForkEventType:
		return "fork"
	case ExecEventType:
		return "exec"
	case ExitEventType:
		return "exit"
	case InvalidateDentryEventType:
		return "invalidate_dentry"
	case SetuidEventType:
		return "setuid"
	case SetgidEventType:
		return "setgid"
	case CapsetEventType:
		return "capset"
	case ArgsEnvsEventType:
		return "args_envs"
	case MountReleasedEventType:
		return "mount_released"
	case SELinuxEventType:
		return "selinux"
	case BPFEventType:
		return "bpf"
	case PTraceEventType:
		return "ptrace"
	case MMapEventType:
		return "mmap"
	case MProtectEventType:
		return "mprotect"
	case LoadModuleEventType:
		return "load_module"
	case UnloadModuleEventType:
		return "unload_module"
	case SignalEventType:
		return "signal"
	case SpliceEventType:
		return "splice"
	case CgroupTracingEventType:
		return "cgroup_tracing"
	case DNSEventType:
		return "dns"
	case NetDeviceEventType:
		return "net_device"
	case VethPairEventType:
		return "veth_pair"
	case BindEventType:
		return "bind"
	case UnshareMountNsEventType:
		return "unshare_mntns"
	case SyscallsEventType:
		return "syscalls"
	case AnomalyDetectionSyscallEventType:
		return "anomaly_detection_syscall"
	case CustomLostReadEventType:
		return "lost_events_read"
	case CustomLostWriteEventType:
		return "lost_events_write"
	case CustomRulesetLoadedEventType:
		return "ruleset_loaded"
	case CustomNoisyProcessEventType:
		return "noisy_process"
	case CustomForkBombEventType:
		return "fork_bomb"
	case CustomTruncatedParentsEventType:
		return "truncated_parents"
	case CustomSelfTestEventType:
		return "self_test"
	default:
		// Also covers UnknownEventType itself and the unused iota gap.
		return "unknown"
	}
}
// ParseEvalEventType converts an eval.EventType (a string) to the EventType
// whose String() equals it. Unlike ParseEventTypeStringSlice it covers the
// whole range [0, MaxAllEventType), custom events included.
//
// The lookup is a linear scan that calls String on every candidate; this is
// deliberately simple rather than fast (it keeps the String switch as the
// single source of truth). Unmatched names return UnknownEventType, as does
// the name "unknown" itself, so the two cases are not distinguishable from
// the result.
func ParseEvalEventType(eventType eval.EventType) EventType {
	for candidate := EventType(0); candidate < MaxAllEventType; candidate++ {
		if candidate.String() == eventType {
			return candidate
		}
	}
	return UnknownEventType
}
// eventTypeStrings maps the String() name of each kernel event type back to
// its value. It is populated by init from [0, MaxKernelEventType), so custom
// event names are absent and "unknown" maps to UnknownEventType.
var eventTypeStrings = map[string]EventType{}
// init fills eventTypeStrings with every kernel event type, keyed by its
// String() name. The loop stops before MaxKernelEventType, so custom event
// types are not inserted and are therefore not resolvable through
// ParseEventTypeStringSlice. Because package-level variables are initialised
// before init runs, the table is empty during their initialisation.
func init() {
	for t := EventType(0); t < MaxKernelEventType; t++ {
		eventTypeStrings[t.String()] = t
	}
}
// ParseEventTypeStringSlice converts a list of event-type names (as produced
// by EventType.String) into the corresponding EventType values, using the
// kernel-event table eventTypeStrings.
//
// Names that are absent from the table — misspelled names, "unknown", and any
// name the table was not populated with — are dropped silently, so the result
// may be shorter than the input. Callers that want to treat an unrecognised
// name as a configuration error should compare the two lengths themselves.
// A nil or empty input returns a nil slice.
func ParseEventTypeStringSlice(eventTypes []string) []EventType {
	var parsed []EventType
	for _, name := range eventTypes {
		t, known := eventTypeStrings[name]
		if !known || t == UnknownEventType {
			continue
		}
		parsed = append(parsed, t)
	}
	return parsed
}