package report
import (
"bytes"
"encoding/json"
"os"
)
// Container report identity strings.
const (
	// ContainerReportDT is the document type written to ContainerReport.Document by NewContainerReport.
	ContainerReportDT = "doc.report.container"
	// OVContainerReport is the format version written to ContainerReport.Version by NewContainerReport.
	OVContainerReport = "ov/container/1.1"
	// TTContainer is the "container" target type string; presumably the value
	// for ContainerReport.TargetType, though nothing in this file assigns it.
	TTContainer = "container"
)
// NewContainerReport returns a ContainerReport whose Document and Version
// fields are preset to ContainerReportDT and OVContainerReport. Every other
// field is left at its zero value for the caller to fill in.
func NewContainerReport() *ContainerReport {
	report := new(ContainerReport)
	report.Document = ContainerReportDT
	report.Version = OVContainerReport
	return report
}
// ArtifactType is an artifact type ID.
type ArtifactType int

// Artifact type ID constants.
const (
	DirArtifactType     ArtifactType = 1
	FileArtifactType    ArtifactType = 2
	SymlinkArtifactType ArtifactType = 3
	UnknownArtifactType ArtifactType = 99
)

// Artifact type names as they appear in the report's "file_type" field.
// HardlinkArtifactTypeName and UnexpectedArtifactTypeName have no entry in
// the ID tables below, so they do not round-trip through ArtifactType.
const (
	DirArtifactTypeName        = "dir"
	FileArtifactTypeName       = "file"
	SymlinkArtifactTypeName    = "symlink"
	HardlinkArtifactTypeName   = "hardlink"
	UnknownArtifactTypeName    = "unknown"
	UnexpectedArtifactTypeName = "unexpected"
)

// DefaultContainerReportFileName is the default container report file name.
const DefaultContainerReportFileName = "creport.json"

// artifactTypeNames is the ID -> name table and the single source of truth
// for both lookup directions.
var artifactTypeNames = map[ArtifactType]string{
	DirArtifactType:     DirArtifactTypeName,
	FileArtifactType:    FileArtifactTypeName,
	SymlinkArtifactType: SymlinkArtifactTypeName,
	UnknownArtifactType: UnknownArtifactTypeName,
}

// artifactTypeValues is the name -> ID table, derived from artifactTypeNames
// so the two tables cannot drift apart.
var artifactTypeValues = invertArtifactTypeNames()

// invertArtifactTypeNames builds the name -> ID table from artifactTypeNames.
func invertArtifactTypeNames() map[string]ArtifactType {
	values := make(map[string]ArtifactType, len(artifactTypeNames))
	for id, name := range artifactTypeNames {
		values[name] = id
	}
	return values
}

// String converts the artifact type ID to a string.
// IDs without a table entry (including the zero value) yield "".
func (t ArtifactType) String() string {
	name, known := artifactTypeNames[t]
	if !known {
		return ""
	}
	return name
}

// GetArtifactTypeValue maps an artifact type name to an artifact type ID.
// Unrecognized names yield the zero ArtifactType (0), not UnknownArtifactType;
// callers that want "unknown" semantics must check for 0 themselves.
func GetArtifactTypeValue(s string) ArtifactType {
	id, known := artifactTypeValues[s]
	if !known {
		return 0
	}
	return id
}
// ProcessInfo contains various process object metadata.
// All fields are serialized; note that ParentPid is written under the
// shorter JSON key "ppid".
type ProcessInfo struct {
	Pid       int32  `json:"pid"`
	Name      string `json:"name"`
	Path      string `json:"path"`
	Cmd       string `json:"cmd"`
	Cwd       string `json:"cwd"`
	Root      string `json:"root"`
	ParentPid int32  `json:"ppid"`
}
// FileInfo contains various file object and activity metadata.
//
// Name is excluded from JSON (`json:"-"`); presumably the file name is the
// map key in FanMonitorReport.ProcessFiles — confirm against the producer.
// The per-operation counters are omitted from JSON when zero.
type FileInfo struct {
	EventCount   uint32 `json:"event_count"`
	FirstEventID uint32 `json:"first_eid"`
	Name         string `json:"-"`
	ReadCount    uint32 `json:"reads,omitempty"`
	WriteCount   uint32 `json:"writes,omitempty"`
	ExeCount     uint32 `json:"execs,omitempty"`
}
// FanMonitorReport is a file monitoring report.
//
// Processes and ProcessFiles are keyed by string; the key format is not
// defined here (presumably a PID rendered as text — verify against the
// producer). ProcessFiles maps that key to a per-file FileInfo table.
// NOTE(review): MonitorPid/MonitorParentPid are int while ProcessInfo uses
// int32 for PIDs; harmless for JSON, but inconsistent.
type FanMonitorReport struct {
	MonitorPid       int                             `json:"monitor_pid"`
	MonitorParentPid int                             `json:"monitor_ppid"`
	EventCount       uint32                          `json:"event_count"`
	MainProcess      *ProcessInfo                    `json:"main_process"`
	Processes        map[string]*ProcessInfo         `json:"processes"`
	ProcessFiles     map[string]map[string]*FileInfo `json:"process_files"`
}
// PeMonitorReport is a process monitoring report.
//
// It carries no JSON tags, so if it is ever encoded the Go field names are
// used as keys and the int map keys become strings. It is not referenced by
// MonitorReports in this file.
type PeMonitorReport struct {
	Children map[int][]int
	Parents  map[int]int
}
// SyscallStatInfo contains various system call activity metadata.
// Number is serialized under the JSON key "num".
type SyscallStatInfo struct {
	Number uint32 `json:"num"`
	Name   string `json:"name"`
	Count  uint64 `json:"count"`
}
// PtMonitorReport contains various process execution metadata.
//
// SyscallStats is keyed by string (presumably the syscall name, matching
// SyscallStatInfo.Name — confirm). FSActivity is keyed by string as well
// (presumably a file system path — confirm against the producer).
type PtMonitorReport struct {
	Enabled      bool                       `json:"enabled"`
	ArchName     string                     `json:"arch_name"`
	SyscallCount uint64                     `json:"syscall_count"`
	SyscallNum   uint32                     `json:"syscall_num"`
	SyscallStats map[string]SyscallStatInfo `json:"syscall_stats"`
	FSActivity   map[string]*FSActivityInfo `json:"fs_activity"`
}
// FSActivityInfo summarizes the activity observed on one file system object.
//
// Syscalls and Pids are sets (map with empty struct values); when encoded
// they become JSON objects whose keys are the numbers as strings and whose
// values are empty objects.
type FSActivityInfo struct {
	OpsAll       uint64           `json:"ops_all"`
	OpsCheckFile uint64           `json:"ops_checkfile"`
	Syscalls     map[int]struct{} `json:"syscalls"`
	Pids         map[int]struct{} `json:"pids"`
	IsSubdir     bool             `json:"is_subdir"`
}
// ArtifactProps contains various file system artifact properties.
//
// FileType is excluded from the default encoding; the custom MarshalJSON /
// UnmarshalJSON methods below write and read it as the string field
// "file_type" instead. FSActivity is never serialized. Mode is written under
// "modex" while ModeText takes the "mode" key (see the todo markers).
//
// NOTE(review): Sha1Hash is suitable for identifying an artifact, but SHA-1
// is not collision resistant, so consumers should not treat it as an
// integrity proof — confirm how downstream code uses it.
type ArtifactProps struct {
	FileType   ArtifactType    `json:"-"` //todo
	FilePath   string          `json:"file_path"`
	Mode       os.FileMode     `json:"modex"` //todo
	ModeText   string          `json:"mode"`
	LinkRef    string          `json:"link_ref,omitempty"`
	Flags      map[string]bool `json:"flags,omitempty"`
	DataType   string          `json:"data_type,omitempty"`
	FileSize   int64           `json:"file_size"`
	Sha1Hash   string          `json:"sha1_hash,omitempty"`
	AppType    string          `json:"app_type,omitempty"`
	FileInode  uint64          `json:"in,omitempty"` //todo
	FSActivity *FSActivityInfo `json:"-"`
	UID        int             `json:"uid"`
	GID        int             `json:"gid"`
}
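// UnmarshalJSON decodes artifact property data.
//
// The "file_type" string in the input is translated into p.FileType through
// GetArtifactTypeValue; an unrecognized name leaves FileType at 0 rather
// than UnknownArtifactType. All other fields are decoded by their struct
// tags. A JSON null is a no-op, following the encoding/json convention for
// Unmarshalers; previously a null literal nilled the scratch struct and the
// subsequent field access panicked, so a malformed report could crash the
// reader.
func (p *ArtifactProps) UnmarshalJSON(data []byte) error {
	if string(bytes.TrimSpace(data)) == "null" {
		return nil
	}
	// The shadow type has no methods, so decoding into it does not recurse
	// back into this UnmarshalJSON.
	type artifactPropsType ArtifactProps
	aux := &struct {
		FileTypeStr string `json:"file_type"`
		*artifactPropsType
	}{
		artifactPropsType: (*artifactPropsType)(p),
	}
	// aux is already a pointer; passing it directly avoids the **T indirection.
	if err := json.Unmarshal(data, aux); err != nil {
		return err
	}
	p.FileType = GetArtifactTypeValue(aux.FileTypeStr)
	return nil
}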
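// MarshalJSON encodes artifact property data.
//
// FileType is emitted as the "file_type" string (via ArtifactType.String)
// instead of its numeric ID; the remaining fields follow their struct tags.
// HTML escaping is disabled, so paths and link targets are written verbatim
// (no \u003c-style escapes) — a consumer that renders the report into HTML
// must escape on its side. The returned bytes keep the trailing newline that
// json.Encoder.Encode appends; encoding/json compacts it away when this
// method is reached through json.Marshal. On error nil is returned instead of
// a partially written buffer.
func (p *ArtifactProps) MarshalJSON() ([]byte, error) {
	// The shadow type has no methods, so encoding the embedded value does not
	// recurse back into this MarshalJSON.
	type artifactPropsType ArtifactProps
	var out bytes.Buffer
	encoder := json.NewEncoder(&out)
	encoder.SetEscapeHTML(false)
	err := encoder.Encode(&struct {
		FileTypeStr string `json:"file_type"`
		*artifactPropsType
	}{
		FileTypeStr:       p.FileType.String(),
		artifactPropsType: (*artifactPropsType)(p),
	})
	if err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}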
// ImageReport contains image report fields.
// Files is the list of file system artifacts found in the image; a nil slice
// encodes as JSON null, an empty one as [].
type ImageReport struct {
	Files []*ArtifactProps `json:"files"`
}
// MonitorReports contains monitoring report fields.
// Both members are pointers and encode as JSON null when absent.
type MonitorReports struct {
	Fan *FanMonitorReport `json:"fan"`
	Pt  *PtMonitorReport  `json:"pt"`
}
// SystemReport provides a basic system report for the container environment.
// DistroInfo is declared elsewhere in the package.
type SystemReport struct {
	Type    string     `json:"type"`
	Release string     `json:"release"`
	Distro  DistroInfo `json:"distro"`
}
// SensorReport provides a basic sensor report for the container environment.
// Args is the sensor's argument list; a nil slice encodes as JSON null.
type SensorReport struct {
	Version string   `json:"version"`
	Args    []string `json:"args"`
}
// StartCommandReport provides a basic start command report for the container environment.
// Only AppName is always serialized; the remaining fields are omitted when empty.
type StartCommandReport struct {
	AppName       string   `json:"app_name"`
	AppArgs       []string `json:"app_args,omitempty"`
	AppEntrypoint []string `json:"app_entrypoint,omitempty"`
	AppCmd        []string `json:"app_cmd,omitempty"`
	AppUser       string   `json:"app_user,omitempty"`
}
// ContainerReport contains container report fields.
//
// Document and Version are set by NewContainerReport (ContainerReportDT and
// OVContainerReport). TargetType is presumably TTContainer, though nothing
// in this file assigns it. StartCommand and Sensor are pointers and encode
// as JSON null when absent; System, Monitors and Image are always present.
type ContainerReport struct {
	Document     string              `json:"document"`
	Version      string              `json:"version"`
	TargetType   string              `json:"target_type"`
	TargetID     string              `json:"target_id"`
	ImageID      string              `json:"image_id"`
	StartCommand *StartCommandReport `json:"start_command"`
	Sensor       *SensorReport       `json:"sensor"`
	System       SystemReport        `json:"system"`
	Monitors     MonitorReports      `json:"monitors"`
	Image        ImageReport         `json:"image"`
}
// PermSetFromFlags maps artifact flags to a permission string.
//
// The "R", "W" and "X" flags contribute "r", "w" and "ix" respectively, in
// that order; any other key is ignored and a nil map yields "". Flag keys
// are case-sensitive.
func PermSetFromFlags(flags map[string]bool) string {
	mapping := [...]struct {
		flag string
		perm string
	}{
		{"R", "r"},
		{"W", "w"},
		{"X", "ix"},
	}
	var perms string
	for _, m := range mapping {
		if flags[m.flag] {
			perms += m.perm
		}
	}
	return perms
}