/*
Copyright © 2021 GUILLAUME FOURNIER
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package run
import (
"github.com/Gui774ume/ebpfkit-monitor/pkg/model"
"github.com/spf13/cobra"
)
// EBPFKitMonitor represents the base command of ebpfkit-monitor.
// Subcommands and flags are attached to it in init.
var EBPFKitMonitor = &cobra.Command{
	Use: "ebpfkit-monitor",
}

// Subcommands of EBPFKitMonitor. Each RunE handler (progCmd, mapCmd, ...) is
// defined outside this file; the flags they read are registered in init and
// stored in the package-level options value.
var (
	// prog prints information about programs found in the provided ELF file.
	prog = &cobra.Command{
		Use:   "prog",
		Short: "prints information about one or multiple programs",
		Long:  "prints information about one or multiple programs from the provided ELF file",
		RunE:  progCmd,
	}

	// m prints information about maps found in the provided ELF file
	// (exposed to the user as "map").
	m = &cobra.Command{
		Use:   "map",
		Short: "prints information about one or multiple maps",
		Long:  "prints information about one or multiple maps from the provided ELF file",
		RunE:  mapCmd,
	}

	// report prints a summary of the maps and programs in the ELF file.
	report = &cobra.Command{
		Use:   "report",
		Short: "prints summarized information about the maps and programs",
		Long:  "prints summarized information about the maps and programs in the provided ELF file",
		RunE:  reportCmd,
	}

	// graph renders the ELF file as a graphviz representation.
	graph = &cobra.Command{
		Use:   "graph",
		Short: "graph generates a graphviz representation of the ELF file",
		Long:  "graph generates a graphviz representation of the ELF file",
		RunE:  graphCmd,
	}

	// start runs the runtime monitor of the bpf syscall.
	start = &cobra.Command{
		Use:   "start",
		Short: "start monitoring the bpf syscall at runtime",
		Long:  "start monitoring the bpf syscall at runtime and look for malicious behavior",
		RunE:  startCmd,
	}
)

// options receives every flag value parsed by cobra; the Run handlers read
// from it. Several subcommands bind the same field (e.g. Section, EBPFAssetPath),
// which is safe because only one subcommand executes per invocation.
var options model.EBPFKitOptions
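// init registers the flags of every subcommand (all bound to the shared
// options value) and attaches the subcommands to EBPFKitMonitor.
//
// The four ELF inspection commands (prog, map, graph, report) all take the
// same required --asset flag; that registration is factored into
// addAssetFlag so the flag name, shorthand and help text stay in sync.
func init() {
	// --log-level is persistent so it is accepted by every subcommand; the
	// value is parsed through model.NewLogLevelSanitizer rather than stored
	// as a raw string.
	EBPFKitMonitor.PersistentFlags().VarP(
		model.NewLogLevelSanitizer(&options.LogLevel),
		"log-level",
		"l",
		`log level (options: panic, fatal, error, warn, info, debug or trace). Set to "debug" to see bpf events.`)

	// prog: selectors narrowing which programs are printed, plus the asset.
	prog.Flags().StringVarP(&options.Section, "section", "s", "", "program section to dump")
	prog.Flags().StringVar(&options.Helper, "helper", "", "program section eBPF helper selector")
	prog.Flags().StringVar(&options.Map, "map", "", "map section selector")
	prog.Flags().BoolVarP(&options.Dump, "dump", "d", false, "dump the program bytecode")
	addAssetFlag(prog)

	// map: section selector plus the asset.
	m.Flags().StringVarP(&options.Section, "section", "s", "", "map section to dump")
	addAssetFlag(m)

	addAssetFlag(graph)
	addAssetFlag(report)

	// start: runtime monitoring options.
	// NOTE(review): the allowlist is keyed on binary paths and the help text
	// states paths are truncated past 350 characters, so two binaries whose
	// paths share that long a prefix are indistinguishable to it — confirm
	// how the match is performed in startCmd. An unset list allows every
	// process, per the help text.
	start.Flags().StringArrayVar(
		&options.AllowedProcesses,
		"allowed-processes",
		[]string{},
		"defines the list of binary paths which processes are allowed to use the bpf syscall. Each path will be truncated past its first 350 characters. When this parameter is not set, any process can use the bpf syscall.",
	)
	start.Flags().StringVarP(
		&options.OutputDirectory,
		"output",
		"o",
		"",
		"output directory for the collected events (json)",
	)

	// Registration order is the order the commands were declared in.
	EBPFKitMonitor.AddCommand(prog, m, report, graph, start)
}

// addAssetFlag registers the required --asset/-a flag on cmd, binding it to
// options.EBPFAssetPath. It is shared by every subcommand that reads an ELF
// file from disk.
func addAssetFlag(cmd *cobra.Command) {
	cmd.Flags().StringVarP(
		&options.EBPFAssetPath,
		"asset",
		"a",
		"",
		"path to the eBPF asset (ELF format expected)")
	// MarkFlagRequired only fails when the named flag does not exist on the
	// flag set, and it was registered just above, so the error is ignored.
	_ = cmd.MarkFlagRequired("asset")
}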