github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/events.go

github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/events.go (about)

     1  // Unless explicitly stated otherwise all files in this repository are licensed
     2  // under the Apache License Version 2.0.
     3  // This product includes software developed at Datadog (https://www.datadoghq.com/).
     4  // Copyright 2016-present Datadog, Inc.
     5  
     6  package model
     7  
     8  // EventType describes the type of an event sent from the kernel
     9  type EventType uint32
    10  
    11  const (
    12  	// UnknownEventType unknown event
    13  	UnknownEventType EventType = iota
    14  	// FileOpenEventType File open event
    15  	FileOpenEventType
    16  	// FileMkdirEventType Folder creation event
    17  	FileMkdirEventType
    18  	// FileLinkEventType Hard link creation event
    19  	FileLinkEventType
    20  	// FileRenameEventType File or folder rename event
    21  	FileRenameEventType
    22  	// FileUnlinkEventType Unlink event
    23  	FileUnlinkEventType
    24  	// FileRmdirEventType Rmdir event
    25  	FileRmdirEventType
    26  	// FileChmodEventType Chmod event
    27  	FileChmodEventType
    28  	// FileChownEventType Chown event
    29  	FileChownEventType
    30  	// FileUtimesEventType Utime event
    31  	FileUtimesEventType
    32  	// FileSetXAttrEventType Setxattr event
    33  	FileSetXAttrEventType
    34  	// FileRemoveXAttrEventType Removexattr event
    35  	FileRemoveXAttrEventType
    36  	// FileChdirEventType chdir event
    37  	FileChdirEventType
    38  	// FileMountEventType Mount event
    39  	FileMountEventType
    40  	// FileUmountEventType Umount event
    41  	FileUmountEventType
    42  	// ForkEventType Fork event
    43  	ForkEventType
    44  	// ExecEventType Exec event
    45  	ExecEventType
    46  	// ExitEventType Exit event
    47  	ExitEventType
    48  	// InvalidateDentryEventType Dentry invalidated event (DEPRECATED)
    49  	InvalidateDentryEventType
    50  	// SetuidEventType setuid event
    51  	SetuidEventType
    52  	// SetgidEventType setgid event
    53  	SetgidEventType
    54  	// CapsetEventType capset event
    55  	CapsetEventType
    56  	// ArgsEnvsEventType args and envs event
    57  	ArgsEnvsEventType
    58  	// MountReleasedEventType sent when a mount point is released
    59  	MountReleasedEventType
    60  	// SELinuxEventType selinux event
    61  	SELinuxEventType
    62  	// BPFEventType bpf event
    63  	BPFEventType
    64  	// PTraceEventType PTrace event
    65  	PTraceEventType
    66  	// MMapEventType MMap event
    67  	MMapEventType
    68  	// MProtectEventType MProtect event
    69  	MProtectEventType
    70  	// LoadModuleEventType LoadModule event
    71  	LoadModuleEventType
    72  	// UnloadModuleEventType UnloadModule evnt
    73  	UnloadModuleEventType
    74  	// SignalEventType Signal event
    75  	SignalEventType
    76  	// SpliceEventType Splice event
    77  	SpliceEventType
    78  	// CgroupTracingEventType is sent when a new cgroup is being traced
    79  	CgroupTracingEventType
    80  	// DNSEventType DNS event
    81  	DNSEventType
    82  	// NetDeviceEventType is sent for events on net devices
    83  	NetDeviceEventType
    84  	// VethPairEventType is sent when a new veth pair is created
    85  	VethPairEventType
    86  	// BindEventType Bind event
    87  	BindEventType
    88  	// UnshareMountNsEventType is sent when a new mount is created from a mount namespace copy
    89  	UnshareMountNsEventType
    90  	// SyscallsEventType Syscalls event
    91  	SyscallsEventType
    92  	// AnomalyDetectionSyscallEventType Anomaly Detection Syscall event
    93  	AnomalyDetectionSyscallEventType
    94  	// MaxKernelEventType is used internally to get the maximum number of kernel events.
    95  	MaxKernelEventType
    96  
    97  	// FirstEventType is the first valid event type
    98  	FirstEventType = FileOpenEventType
    99  
   100  	// LastEventType is the last valid event type
   101  	LastEventType = SyscallsEventType
   102  
   103  	// FirstDiscarderEventType first event that accepts discarders
   104  	FirstDiscarderEventType = FileOpenEventType
   105  
   106  	// LastDiscarderEventType last event that accepts discarders
   107  	LastDiscarderEventType = FileChdirEventType
   108  
   109  	// LastApproverEventType is the last event that accepts approvers
   110  	LastApproverEventType = SpliceEventType
   111  
   112  	// CustomLostReadEventType is the custom event used to report lost events detected in user space
   113  	CustomLostReadEventType = iota
   114  	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
   115  	CustomLostWriteEventType
   116  	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
   117  	CustomRulesetLoadedEventType
   118  	// CustomHeartbeatEventType is the custom event used to report a heartbeat event
   119  	CustomHeartbeatEventType
   120  	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
   121  	CustomForkBombEventType
   122  	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
   123  	CustomTruncatedParentsEventType
   124  	// CustomSelfTestEventType is the custom event used to report the results of a self test run
   125  	CustomSelfTestEventType
   126  
   127  	// CreateNewFileEventType event
   128  	CreateNewFileEventType
   129  	// DeleteFileEventType event
   130  	DeleteFileEventType
   131  	// WriteFileEventType event
   132  	WriteFileEventType
   133  	// CreateRegistryKeyEventType event
   134  	CreateRegistryKeyEventType
   135  	// OpenRegistryKeyEventType event
   136  	OpenRegistryKeyEventType
   137  	// SetRegistryKeyValueEventType event
   138  	SetRegistryKeyValueEventType
   139  	// DeleteRegistryKeyEventType event
   140  	DeleteRegistryKeyEventType
   141  
   142  	// MaxAllEventType is used internally to get the maximum number of events.
   143  	MaxAllEventType
   144  )
   145  
   146  func (t EventType) String() string {
   147  	switch t {
   148  	case FileOpenEventType:
   149  		return "open"
   150  	case FileMkdirEventType:
   151  		return "mkdir"
   152  	case FileLinkEventType:
   153  		return "link"
   154  	case FileRenameEventType:
   155  		return "rename"
   156  	case FileUnlinkEventType:
   157  		return "unlink"
   158  	case FileRmdirEventType:
   159  		return "rmdir"
   160  	case FileChmodEventType:
   161  		return "chmod"
   162  	case FileChownEventType:
   163  		return "chown"
   164  	case FileUtimesEventType:
   165  		return "utimes"
   166  	case FileMountEventType:
   167  		return "mount"
   168  	case FileUmountEventType:
   169  		return "umount"
   170  	case FileSetXAttrEventType:
   171  		return "setxattr"
   172  	case FileRemoveXAttrEventType:
   173  		return "removexattr"
   174  	case FileChdirEventType:
   175  		return "chdir"
   176  	case ForkEventType:
   177  		return "fork"
   178  	case ExecEventType:
   179  		return "exec"
   180  	case ExitEventType:
   181  		return "exit"
   182  	case InvalidateDentryEventType:
   183  		return "invalidate_dentry"
   184  	case SetuidEventType:
   185  		return "setuid"
   186  	case SetgidEventType:
   187  		return "setgid"
   188  	case CapsetEventType:
   189  		return "capset"
   190  	case ArgsEnvsEventType:
   191  		return "args_envs"
   192  	case MountReleasedEventType:
   193  		return "mount_released"
   194  	case SELinuxEventType:
   195  		return "selinux"
   196  	case BPFEventType:
   197  		return "bpf"
   198  	case PTraceEventType:
   199  		return "ptrace"
   200  	case MMapEventType:
   201  		return "mmap"
   202  	case MProtectEventType:
   203  		return "mprotect"
   204  	case LoadModuleEventType:
   205  		return "load_module"
   206  	case UnloadModuleEventType:
   207  		return "unload_module"
   208  	case SignalEventType:
   209  		return "signal"
   210  	case SpliceEventType:
   211  		return "splice"
   212  	case CgroupTracingEventType:
   213  		return "cgroup_tracing"
   214  	case DNSEventType:
   215  		return "dns"
   216  	case NetDeviceEventType:
   217  		return "net_device"
   218  	case VethPairEventType:
   219  		return "veth_pair"
   220  	case BindEventType:
   221  		return "bind"
   222  	case UnshareMountNsEventType:
   223  		return "unshare_mntns"
   224  	case SyscallsEventType:
   225  		return "syscalls"
   226  	case AnomalyDetectionSyscallEventType:
   227  		return "anomaly_detection_syscall"
   228  
   229  	case CustomLostReadEventType:
   230  		return "lost_events_read"
   231  	case CustomLostWriteEventType:
   232  		return "lost_events_write"
   233  	case CustomRulesetLoadedEventType:
   234  		return "ruleset_loaded"
   235  	case CustomForkBombEventType:
   236  		return "fork_bomb"
   237  	case CustomTruncatedParentsEventType:
   238  		return "truncated_parents"
   239  	case CustomSelfTestEventType:
   240  		return "self_test"
   241  	case CreateNewFileEventType:
   242  		return "create"
   243  	case DeleteFileEventType:
   244  		return "delete"
   245  	case WriteFileEventType:
   246  		return "write"
   247  	case CreateRegistryKeyEventType:
   248  		return "create_key"
   249  	case OpenRegistryKeyEventType:
   250  		return "open_key"
   251  	case SetRegistryKeyValueEventType:
   252  		return "set_key_value"
   253  	case DeleteRegistryKeyEventType:
   254  		return "delete_key"
   255  	default:
   256  		return "unknown"
   257  	}
   258  }