package procmon

v0.0.0-...-f54534b (not the latest version of this module)
Published: Mar 5, 2025 License: GPL-3.0 Imports: 27 Imported by: 0

Documentation


Constants

View Source
const (
	MethodProc  = "proc"
	MethodAudit = "audit"
	MethodEbpf  = "ebpf"

	KernelConnection = "Kernel connection"
	ProcSelf         = "/proc/self/"

	HashMD5  = "process.hash.md5"
	HashSHA1 = "process.hash.sha1"
)

Supported process-monitor methods (proc, audit, ebpf), the label given to connections that belong to the kernel rather than to a user-space process, the /proc/self/ prefix that some launchers report instead of a real path, and the names of the supported checksum algorithms.

Variables

View Source
var (
	Ctx, CancelTasks = context.WithCancel(context.Background())
)

Functions

func CacheCleanerTask

func CacheCleanerTask()

CacheCleanerTask checks periodically if the inodes in the cache must be removed.

func GetInodeFromNetstat

func GetInodeFromNetstat(netEntry *netstat.Entry, inodeList *[]int, protocol string, srcIP net.IP, srcPort uint, dstIP net.IP, dstPort uint) bool

GetInodeFromNetstat tries to obtain the inode of a connection from /proc/net/*

func GetMonitorMethod

func GetMonitorMethod() string

GetMonitorMethod returns the method currently in use to associate connections with processes (MethodProc, MethodAudit or MethodEbpf).

func GetPIDFromINode

func GetPIDFromINode(inode int, inodeKey string) int

GetPIDFromINode tries to get the PID from a socket inode following these steps:

  1. Get the PID from the cache of inodes.
  2. Get the PID from the cache of PIDs.
  3. Look for the PID using one of these methods:

  • audit: listening for socket creation events from auditd.
  • proc: searching /proc.

If the PID is not found by the first two methods, it falls back to searching /proc.
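The "proc" method from step 3, as an added example written for this page rather than taken from the package: it parses a constructed /proc/net/tcp excerpt into 4-tuples and socket inodes, resolves a connection to its inode, then walks /proc/<pid>/fd/ for the descriptor whose link target is socket:[inode]. NetEntry, ParseNetTCP, InodeForConnection and PIDForInode are this example's own names; it assumes a little-endian host when decoding the kernel's native-endian IPv4 column, and /proc/net/tcp6 (16-byte addresses) is not handled.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// sampleNetTCP is a constructed /proc/net/tcp excerpt (not captured from a real host):
// a listener on 127.0.0.1:8080 and an established 10.0.2.15:45276 -> 110.225.215.91:443.
const sampleNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 28945 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B0DC 5BD7E16E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
`

// NetEntry is one row of /proc/net/tcp reduced to what inode lookup needs.
type NetEntry struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	UID, Inode       int
}

// parseHexAddr decodes the "AAAAAAAA:PPPP" column. The kernel prints the IPv4
// address as a native-endian uint32, so on a little-endian host (assumed here)
// the bytes come out reversed; the port is plain big-endian hex.
func parseHexAddr(s string) (net.IP, uint16, error) {
	host, port, ok := strings.Cut(s, ":")
	if !ok {
		return nil, 0, fmt.Errorf("malformed address %q", s)
	}
	b, err := hex.DecodeString(host)
	if err != nil || len(b) != 4 {
		return nil, 0, fmt.Errorf("unsupported or malformed host %q", host)
	}
	p, err := strconv.ParseUint(port, 16, 16)
	if err != nil {
		return nil, 0, fmt.Errorf("malformed port %q", port)
	}
	return net.IPv4(b[3], b[2], b[1], b[0]), uint16(p), nil
}

// ParseNetTCP parses the IPv4 table: columns are sl, local, remote, st, queues,
// timer, retransmits, uid, timeout, inode.
func ParseNetTCP(r io.Reader) ([]NetEntry, error) {
	var out []NetEntry
	sc := bufio.NewScanner(r)
	sc.Scan() // header line
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 10 {
			continue
		}
		src, sp, err := parseHexAddr(f[1])
		if err != nil {
			return nil, err
		}
		dst, dp, err := parseHexAddr(f[2])
		if err != nil {
			return nil, err
		}
		uid, _ := strconv.Atoi(f[7])
		inode, _ := strconv.Atoi(f[9])
		out = append(out, NetEntry{SrcIP: src, SrcPort: sp, DstIP: dst, DstPort: dp, UID: uid, Inode: inode})
	}
	return out, sc.Err()
}

// InodeForConnection returns the socket inode of the matching 4-tuple, if any.
func InodeForConnection(entries []NetEntry, srcIP net.IP, srcPort uint16, dstIP net.IP, dstPort uint16) (int, bool) {
	for _, e := range entries {
		if e.SrcPort == srcPort && e.DstPort == dstPort && e.SrcIP.Equal(srcIP) && e.DstIP.Equal(dstIP) {
			return e.Inode, true
		}
	}
	return 0, false
}

// PIDForInode is the "proc" method: walk every <procRoot>/<pid>/fd/ and look for a
// descriptor whose link target is "socket:[<inode>]". It is racy by nature: the
// process may exit, or its PID be recycled, between the table read and this scan.
func PIDForInode(procRoot string, inode int) (int, error) {
	want := fmt.Sprintf("socket:[%d]", inode)
	dirs, err := os.ReadDir(procRoot)
	if err != nil {
		return 0, err
	}
	for _, d := range dirs {
		pid, err := strconv.Atoi(d.Name())
		if err != nil || !d.IsDir() {
			continue // not a process directory
		}
		fdDir := filepath.Join(procRoot, d.Name(), "fd")
		fds, err := os.ReadDir(fdDir)
		if err != nil {
			continue // EACCES for other users' processes, or the process is already gone
		}
		for _, fd := range fds {
			if target, err := os.Readlink(filepath.Join(fdDir, fd.Name())); err == nil && target == want {
				return pid, nil
			}
		}
	}
	return 0, fmt.Errorf("no process holds socket inode %d", inode)
}

func main() {
	entries, _ := ParseNetTCP(strings.NewReader(sampleNetTCP))
	for _, e := range entries {
		fmt.Printf("%s:%d -> %s:%d uid=%d inode=%d\n", e.SrcIP, e.SrcPort, e.DstIP, e.DstPort, e.UID, e.Inode)
	}
	if pid, err := PIDForInode("/proc", 31337); err == nil { // live /proc; the sample inode will normally miss
		fmt.Println("owner pid:", pid)
	}
}
```

Run as root (or with CAP_SYS_PTRACE / CAP_DAC_READ_SEARCH) when scanning the live /proc, otherwise fd/ of other users' processes is unreadable and the lookup silently misses them.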

func MethodIsAudit

func MethodIsAudit() bool

MethodIsAudit returns if the process monitor method is audit.

func MethodIsEbpf

func MethodIsEbpf() bool

MethodIsEbpf returns if the process monitor method is eBPF.

func MethodIsProc

func MethodIsProc() bool

MethodIsProc returns if the process monitor method is proc.

func MonitorProcEvents

func MonitorProcEvents(stop <-chan struct{})

MonitorProcEvents listens for process events from the kernel via netlink until stop is closed.

func SetMonitorMethod

func SetMonitorMethod(newMonitorMethod string)

SetMonitorMethod configures a new method for parsing connections.

Types

type CacheInodes

type CacheInodes struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

CacheInodes holds the cache of inodes. The key is formed as follows: inode+srcip+srcport+dstip+dstport

func NewCacheOfInodes

func NewCacheOfInodes() *CacheInodes

NewCacheOfInodes returns a new cache for inodes.

type CacheProcs

type CacheProcs struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

CacheProcs holds the cache of processes that have established connections.

type EventsStore

type EventsStore struct {
	// contains filtered or unexported fields
}

EventsStore is the cache of exec events

var (
	// EventsCache is the cache of processes
	EventsCache *EventsStore
)

func NewEventsStore

func NewEventsStore() *EventsStore

NewEventsStore creates a new store of events.

func (*EventsStore) Add

func (e *EventsStore) Add(proc *Process)

Add adds a new process to cache. If computing checksums is enabled, new checksums will be computed if needed, or reused existing ones otherwise.

func (*EventsStore) AddChecksumHash

func (e *EventsStore) AddChecksumHash(hash string)

AddChecksumHash adds a new hash algorithm to compute checksums

func (*EventsStore) ComputeChecksums

func (e *EventsStore) ComputeChecksums(proc *Process) bool

ComputeChecksums obtains the checksums of the process

func (*EventsStore) DelChecksumHash

func (e *EventsStore) DelChecksumHash(hash string)

DelChecksumHash deletes a hash algorithm from the list

func (*EventsStore) Delete

func (e *EventsStore) Delete(key int)

Delete schedules an item to be deleted from cache.

func (*EventsStore) DeleteOldItems

func (e *EventsStore) DeleteOldItems()

DeleteOldItems deletes items whose process has exited and whose TTL has expired. Keeping them in cache for a short period of time sometimes helps to link late connections to their process. Processes that are still alive are never deleted.

func (*EventsStore) DisableChecksums

func (e *EventsStore) DisableChecksums()

DisableChecksums disables computing checksums functionality.

func (*EventsStore) GetComputeChecksums

func (e *EventsStore) GetComputeChecksums() bool

GetComputeChecksums returns whether computing checksums is enabled. It is disabled when there are no rules with a checksum field, when the events monitors are not available, or when the user disables it globally. TODO: disable it again when the rules that used checksums are deleted.

func (*EventsStore) IsInStore

func (e *EventsStore) IsInStore(key int, proc *Process) (item ExecEventItem, needsUpdate, found bool)

IsInStore checks if a PID is in the store. If the PID is in cache, we may need to update it if the PID is reusing the PID of the parent.

func (*EventsStore) IsInStoreByPID

func (e *EventsStore) IsInStoreByPID(key int) (item ExecEventItem, found bool)

IsInStoreByPID checks if a pid exists in cache.

func (*EventsStore) Len

func (e *EventsStore) Len() int

Len returns the number of items in cache.

func (*EventsStore) ReplaceItem

func (e *EventsStore) ReplaceItem(oldProc, newProc *Process)

ReplaceItem replaces an existing process with a new one.

func (*EventsStore) SetComputeChecksums

func (e *EventsStore) SetComputeChecksums(compute bool)

SetComputeChecksums configures whether checksums of processes are computed. When the functionality is enabled, some already stored processes may not have their checksums computed yet, so they are computed at that point.

func (*EventsStore) Update

func (e *EventsStore) Update(oldProc, proc *Process)

Update ...

func (*EventsStore) UpdateItem

func (e *EventsStore) UpdateItem(proc *Process)

UpdateItem updates a cache item

type ExecEventItem

type ExecEventItem struct {
	//sync.RWMutex
	Proc     Process
	LastSeen int64
	TTL      int32
}

ExecEventItem represents an item of the cache
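A worked version of the TTL and PID-reuse behaviour described above for EventsStore (Delete, DeleteOldItems, IsInStore) and ExecEventItem, written for this page and not taken from the package: a PID-keyed cache that keeps exited entries for a grace period so a late connection can still be attributed, never purges entries whose process is alive, and flags a lookup whose Starttime differs from the cached one as a recycled PID whose cached path no longer describes the running process. ExecCache, Proc and the method names are this example's own, and the clock is injectable so the purge can be exercised deterministically.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Proc is the minimal process record the cache needs to detect PID reuse:
// Starttime (clock ticks since boot, from /proc/<pid>/stat) changes whenever
// the kernel hands the same PID to a new process.
type Proc struct {
	PID       int
	Path      string
	Starttime int64
}

type execItem struct {
	proc     Proc
	lastSeen time.Time
	exited   bool
}

// ExecCache stores exec events by PID. now is injectable for deterministic tests.
type ExecCache struct {
	mu    sync.RWMutex
	items map[int]*execItem
	ttl   time.Duration
	now   func() time.Time
}

func NewExecCache(ttl time.Duration, now func() time.Time) *ExecCache {
	if now == nil {
		now = time.Now
	}
	return &ExecCache{items: make(map[int]*execItem), ttl: ttl, now: now}
}

// Add records an exec event. An existing entry for the same PID is replaced
// outright: after a PID is recycled, nothing in the old entry is trustworthy.
func (c *ExecCache) Add(p Proc) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.items[p.PID] = &execItem{proc: p, lastSeen: c.now()}
}

// Lookup returns the cached process for pid. stale is true when an entry exists
// but its Starttime differs from the caller's: the PID was reused, so the cached
// path and args belong to a process that is already gone.
func (c *ExecCache) Lookup(pid int, starttime int64) (p Proc, found, stale bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	it, ok := c.items[pid]
	if !ok {
		return Proc{}, false, false
	}
	return it.proc, true, it.proc.Starttime != starttime
}

// MarkExited schedules deletion instead of deleting: the entry survives for ttl
// so a connection observed just after exit (typical for short-lived clients)
// can still be matched to the binary that opened it.
func (c *ExecCache) MarkExited(pid int) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if it, ok := c.items[pid]; ok {
		it.exited = true
		it.lastSeen = c.now()
	}
}

// Purge drops entries that have exited and whose TTL has elapsed; it returns the
// number removed. Live entries are never dropped, however old, so a long-running
// daemon stays attributable.
func (c *ExecCache) Purge() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	cutoff := c.now().Add(-c.ttl)
	removed := 0
	for pid, it := range c.items {
		if it.exited && it.lastSeen.Before(cutoff) {
			delete(c.items, pid)
			removed++
		}
	}
	return removed
}

func (c *ExecCache) Len() int {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return len(c.items)
}

func main() {
	clock := time.Unix(1_700_000_000, 0)
	c := NewExecCache(5*time.Second, func() time.Time { return clock })
	c.Add(Proc{PID: 4242, Path: "/usr/bin/curl", Starttime: 123456}) // constructed event
	c.MarkExited(4242)
	clock = clock.Add(10 * time.Second)
	fmt.Println("purged:", c.Purge(), "remaining:", c.Len())
}
```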

type InodeItem

type InodeItem struct {
	FdPath   string
	Pid      int
	LastSeen int64
	sync.RWMutex
}

InodeItem represents an item of the InodesCache.

type MemoryMapping

type MemoryMapping struct {
	StartAddr uint64
	EndAddr   uint64
}

MemoryMapping represents a memory mapping region

type ProcItem

type ProcItem struct {
	FdPath      string
	Descriptors []string
	Pid         int
	LastSeen    int64
	sync.RWMutex
}

ProcItem represents an item of the pidsCache

type Process

type Process struct {
	Statm     *procStatm
	Parent    *Process
	IOStats   *procIOstats
	NetStats  *procNetStats
	Env       map[string]string
	Checksums map[string]string
	Status    string
	Stat      string
	Stack     string
	Maps      string
	Comm      string

	// Path is the absolute path to the binary
	Path string

	// RealPath is the path to the binary taking into account its root fs.
	// The simplest form of accessing the RealPath is by prepending /proc/<pid>/root/ to the path:
	// /usr/bin/curl -> /proc/<pid>/root/usr/bin/curl
	RealPath    string
	CWD         string
	Tree        []*protocol.StringInt
	Descriptors []*procDescriptors
	// Args is the command that the user typed. It MAY contain the absolute path
	// of the binary:
	// $ curl https://...
	//   -> Path: /usr/bin/curl
	//   -> Args: curl https://....
	// $ /usr/bin/curl https://...
	//   -> Path: /usr/bin/curl
	//   -> Args: /usr/bin/curl https://....
	Args      []string
	Starttime int64
	ID        int
	PPID      int
	UID       int
	// contains filtered or unexported fields
}

Process holds the details of a process.

func FindProcess

func FindProcess(pid int, interceptUnknown bool) *Process

FindProcess checks if a process exists given a PID. If it exists in /proc, a new Process{} object is returned with the details to identify a process (cmdline, name, environment variables, etc).

func NewProcess

func NewProcess(pid int, comm string) *Process

NewProcess returns a new Process structure.

func NewProcessEmpty

func NewProcessEmpty(pid int, comm string) *Process

NewProcessEmpty returns a new Process struct with no details.

func NewProcessWithParent

func NewProcessWithParent(pid, ppid int, comm string) *Process

NewProcessWithParent returns a new Process structure.

func (*Process) BuildTree

func (p *Process) BuildTree()

BuildTree collects all the parents of this process into Tree.

func (*Process) ChecksumsCount

func (p *Process) ChecksumsCount() int

ChecksumsCount returns the number of checksums of this process.

func (*Process) CleanArgs

func (p *Process) CleanArgs()

CleanArgs applies fixes on the cmdline arguments.

  • AppImages cmdline reports the executable launched as /proc/self/exe, instead of the actual path to the binary.

func (*Process) CleanPath

func (p *Process) CleanPath()

CleanPath applies fixes on the path to the binary:

  • Remove extra characters from the link that it points to. When the binary of a running process is deleted or replaced, the kernel appends the bytes " (deleted)" to the link target.
  • If the path is /proc/self/exe, resolve the symlink that it points to.

func (*Process) ComputeChecksum

func (p *Process) ComputeChecksum(algo string)

ComputeChecksum calculates the checksum of the binary at the process path, using the given algorithm.

func (*Process) ComputeChecksums

func (p *Process) ComputeChecksums(hashes map[string]uint)

ComputeChecksums calculates the checksums of the binary at the process path. Users may want to use different hashing algorithms.

func (*Process) DumpImage

func (p *Process) DumpImage() ([]byte, error)

DumpImage reads the memory of this process and returns it as a byte slice.

func (*Process) GetDetails

func (p *Process) GetDetails() error

GetDetails collects information of a process.

func (*Process) GetExtraInfo

func (p *Process) GetExtraInfo() error

GetExtraInfo collects information of a process.

func (*Process) GetParent

func (p *Process) GetParent()

GetParent obtains the information of this process' parent.

func (*Process) IsAlive

func (p *Process) IsAlive() bool

IsAlive checks if the process is still running

func (*Process) IsChild

func (p *Process) IsChild() bool

IsChild determines if this process is child of its parent

func (*Process) Lock

func (p *Process) Lock()

Lock locks this process for w+r

func (*Process) RLock

func (p *Process) RLock()

RLock locks this process for r

func (*Process) RUnlock

func (p *Process) RUnlock()

RUnlock unlocks reading from this process

func (*Process) ReadCmdline

func (p *Process) ReadCmdline()

ReadCmdline reads the cmdline of the process from ProcFS /proc/<pid>/cmdline. This file may be empty if the process is a kernel task. It can also be empty for short-lived processes.

func (*Process) ReadComm

func (p *Process) ReadComm() error

ReadComm reads the comm name from ProcFS /proc/<pid>/comm

func (*Process) ReadCwd

func (p *Process) ReadCwd() error

ReadCwd reads the current working directory name from ProcFS /proc/<pid>/cwd

func (*Process) ReadEnv

func (p *Process) ReadEnv()

ReadEnv reads and parses the environment variables of a process.

func (*Process) ReadExeLink

func (p *Process) ReadExeLink() (string, error)

ReadExeLink reads the link that /proc/<pid>/exe points to. This is the real path of the binary that was executed and loaded in memory. It may or may not be the same binary that exists on disk at that path (for example when a binary is executed and later updated or deleted). If the process was launched from a chroot, this link points to the absolute path, including the host path of the chroot.

func (*Process) ReadMaps

func (p *Process) ReadMaps()

ReadMaps reads the /proc/<pid>/maps file.

func (*Process) ReadPPID

func (p *Process) ReadPPID()

ReadPPID obtains the pid of the parent process

func (*Process) ReadPath

func (p *Process) ReadPath() error

ReadPath reads the symbolic link that /proc/<pid>/exe points to.

Note 1: this link might not exist on the root filesystem, because the process might have been executed from a container, so the real path would be: /proc/<pid>/root/<path that 'exe' points to>

Note 2: from a user-space point of view, a (regular) kernel connection meets at least these three conditions:

  • /proc/<pid>/cmdline is empty
  • /proc/<pid>/maps is empty
  • /proc/<pid>/exe can't be read
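The path fixups described for CleanArgs, CleanPath, ReadExeLink and ReadPath, as one added example written for this page (not the package's own code): it strips the " (deleted)" marker and records that the on-disk file no longer matches, derives the RealPath via /proc/<pid>/root, substitutes a /proc/self/exe argv[0] with the target's own exe link rather than the monitor's, and applies the kernel-task heuristic from Note 2. Info, CleanPath, RealPath, ParseCmdline and Inspect are this example's names; procRoot is a parameter so the same code runs against a constructed directory in the test and against the live /proc in main.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

const deletedSuffix = " (deleted)"

// Info is the subset of process identity this example derives from procfs.
type Info struct {
	PID      int
	Path     string   // cleaned target of /proc/<pid>/exe
	RealPath string   // Path as reachable from the host via /proc/<pid>/root
	Args     []string // argv as typed, with /proc/self/exe replaced by Path
	Deleted  bool     // binary was replaced or unlinked on disk after exec
	Kernel   bool     // kernel task: empty cmdline, empty maps, unreadable exe
}

// CleanPath strips the " (deleted)" marker the kernel appends to the exe link
// when the executed inode no longer has a name on disk, and reports that fact:
// a rule matched on Path alone would otherwise be compared against a file that
// may by now be a different binary.
func CleanPath(target string) (path string, deleted bool) {
	if strings.HasSuffix(target, deletedSuffix) {
		return strings.TrimSuffix(target, deletedSuffix), true
	}
	return target, false
}

// RealPath resolves path inside the process's own root (chroot or container
// mount namespace), where the host's file of the same name may not exist.
func RealPath(pid int, path string) string {
	return filepath.Join("/proc", strconv.Itoa(pid), "root", path)
}

// ParseCmdline splits the NUL-separated /proc/<pid>/cmdline. An empty file is
// normal for kernel threads and also happens for processes that already exited.
func ParseCmdline(b []byte) []string {
	b = bytes.TrimSuffix(b, []byte{0})
	if len(b) == 0 {
		return nil
	}
	return strings.Split(string(b), "\x00")
}

// Inspect reads cmdline, maps and the exe link under procRoot and applies the
// fixups above. procRoot is "/proc" on a live host.
func Inspect(procRoot string, pid int) (Info, error) {
	dir := filepath.Join(procRoot, strconv.Itoa(pid))
	if _, err := os.Stat(dir); err != nil {
		return Info{}, fmt.Errorf("pid %d: %w", pid, err) // already gone
	}
	info := Info{PID: pid}
	cmdline, _ := os.ReadFile(filepath.Join(dir, "cmdline"))
	maps, _ := os.ReadFile(filepath.Join(dir, "maps"))
	target, exeErr := os.Readlink(filepath.Join(dir, "exe"))
	// Heuristic from the ReadPath note: all three absent means a kernel task.
	info.Kernel = len(cmdline) == 0 && len(maps) == 0 && exeErr != nil
	if exeErr == nil {
		info.Path, info.Deleted = CleanPath(target)
		info.RealPath = RealPath(pid, info.Path)
	}
	info.Args = ParseCmdline(cmdline)
	// AppImage-style launchers report argv[0] as /proc/self/exe. Resolving that
	// literally would name the monitor itself, so use the target's own exe link.
	if len(info.Args) > 0 && info.Args[0] == "/proc/self/exe" && info.Path != "" {
		info.Args[0] = info.Path
	}
	return info, nil
}

func main() {
	info, err := Inspect("/proc", os.Getpid())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", info)
}
```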

func (*Process) ReadStatm

func (p *Process) ReadStatm()

ReadStatm reads and parses the /proc/<pid>/statm file. Memory usage is measured in pages.

func (*Process) ResetChecksums

func (p *Process) ResetChecksums()

ResetChecksums initializes checksums

func (*Process) Serialize

func (p *Process) Serialize() *protocol.Process

Serialize transforms a Process object to gRPC protocol object

func (*Process) SetPath

func (p *Process) SetPath(path string)

SetPath sets the path of the process, and fixes it if it's needed.

func (*Process) Unlock

func (p *Process) Unlock()

Unlock releases the read+write lock on this process

type ProcessEvent

type ProcessEvent struct {
	Filename string
	Args     string
	Comm     string
	PID      uint64
	PPID     uint64
	UID      uint64
}

ProcessEvent represents a process event

Directories

Path Synopsis
audit  Package audit reads auditd events from the builtin af_unix plugin, and parses the messages in order to proactively monitor pids which make connections.
