package events
// ID is the numeric identifier of an event.
type ID uint32

// Reserved identifiers that sit outside the regular event ranges.
//
// NOTE(review): the literal 0xfffffff has seven hex digits (0x0fffffff), so
// Undefined is not the uint32 maximum 0xffffffff. The values are expected to
// mirror the ebpf code; confirm against that side before changing them.
const (
	Undefined      ID = 0xfffffff
	Sys32Undefined ID = Undefined - 1 // u32 overflows are compiler implementation dependent.
	Unsupported    ID = 10000
)
// NOTE: Events should match defined values in ebpf code.
// Common events (used by all architectures), numbered consecutively from 700
// by iota.
//
// Every value is derived from its position in this list, so inserting,
// removing or reordering an entry shifts the ID of every entry below it. Such a
// change has to be mirrored in the ebpf code, otherwise an ID would be
// interpreted here as a different event than the one that was emitted.
const (
NetPacketBase ID = iota + 700
NetPacketIPBase
NetPacketTCPBase
NetPacketUDPBase
NetPacketICMPBase
NetPacketICMPv6Base
NetPacketDNSBase
NetPacketHTTPBase
NetPacketSOCKS5Base
NetPacketCapture
NetCaptureBase
NetFlowBase
MaxNetID // network base events go ABOVE this item
SysEnter
SysExit
SchedProcessFork
SchedProcessExec
SchedProcessExit
SchedSwitch
DoExit
CapCapable
VfsWrite
VfsWritev
VfsRead
VfsReadv
MemProtAlert
CommitCreds
SwitchTaskNS
MagicWrite
CgroupAttachTask
CgroupMkdir
CgroupRmdir
SecurityBprmCheck
SecurityFileOpen
SecurityInodeUnlink
SecuritySocketCreate
SecuritySocketListen
SecuritySocketConnect
SecuritySocketAccept
SecuritySocketBind
SecuritySocketSetsockopt
SecuritySbMount
SecurityBPF
SecurityBPFMap
SecurityKernelReadFile
SecurityInodeMknod
SecurityPostReadFile
SecurityInodeSymlinkEventId
SecurityMmapFile
SecurityFileMprotect
SocketDup
HiddenInodes
KernelWrite
ProcCreate
KprobeAttach
CallUsermodeHelper
DirtyPipeSplice
DebugfsCreateFile
PrintSyscallTable
DebugfsCreateDir
DeviceAdd
RegisterChrdev
SharedObjectLoaded
DoInitModule
SocketAccept
LoadElfPhdrs
HookedProcFops
PrintNetSeqOps
TaskRename
SecurityInodeRename
DoSigaction
BpfAttach
KallsymsLookupName
DoMmap
PrintMemDump
VfsUtimes
DoTruncate
FileModification
InotifyWatch
SecurityBpfProg
ProcessExecuteFailed
SecurityPathNotify
HiddenKernelModuleSeeker
ModuleLoad
ModuleFree
SockSetState
MaxCommonID
// NOTE(review): ProcessOomKilled and TtyOpen are declared after MaxCommonID,
// so their values are greater than it. If MaxCommonID is used as an upper
// bound anywhere (callers are not visible here), that check does not cover
// these two events — confirm the placement is intentional.
ProcessOomKilled
TtyOpen
)
// Events originated from user-space, numbered consecutively from 2000 by iota.
//
// Values depend on the position in this list; inserting or reordering an entry
// renumbers everything below it.
// NOTE(review): MaxUserNetID and MaxUserSpace look like range sentinels rather
// than events of their own — confirm against the code that compares with them.
const (
NetPacketIPv4 ID = iota + 2000
NetPacketIPv6
NetPacketTCP
NetPacketUDP
NetPacketICMP
NetPacketICMPv6
NetPacketDNS
NetPacketDNSRequest
NetPacketDNSResponse
NetPacketHTTP
NetPacketHTTPRequest
NetPacketHTTPResponse
MaxUserNetID
InitNamespaces
ContainerCreate
ContainerRemove
ExistingContainer
HookedSyscalls
HookedSeqOps
SymbolsLoaded
SymbolsCollision
HiddenKernelModule
MaxUserSpace
)
// Capture meta-events, numbered consecutively from 4000 by iota.
//
// Values depend on the position in this list; the next block starts at 4100,
// so this range has room for at most 100 entries before the two would collide.
const (
CaptureFileWrite ID = iota + 4000
CaptureExec
CaptureModule
CaptureMem
CapturePcap
CaptureNetPacket
CaptureBpf
CaptureFileRead
)
// Special events for stats aggregations and metrics, numbered from 4100 by
// iota. TrackSyscallStats is currently the only entry, so its value is 4100.
const (
TrackSyscallStats ID = iota + 4100
)
// Signal meta-events, numbered consecutively from 5000 by iota.
//
// The names mirror CgroupMkdir, CgroupRmdir and the SchedProcess* entries of
// the common block, but these are distinct IDs in their own range.
// NOTE(review): how the two sets relate at runtime is not visible here.
const (
SignalCgroupMkdir ID = iota + 5000
SignalCgroupRmdir
SignalSchedProcessFork
SignalSchedProcessExec
SignalSchedProcessExit
)
// Signature events: the bounds of the ID range set aside for signatures.
// NOTE(review): whether MaxSignatureID is itself a usable ID (inclusive bound)
// is decided by the code that compares against it — confirm there.

// StartSignatureID is the lowest ID of the signature range.
const StartSignatureID ID = 6000

// MaxSignatureID is the highest ID of the signature range.
const MaxSignatureID ID = 6999
// TestEvent has the fixed ID 9999, one below Unsupported (10000) and outside
// every iota-numbered range in this file.
// NOTE(review): presumably reserved for tests — confirm against its users.
const TestEvent ID = 9999