github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/pkg/ebpftracer/signature/tty_detected.go (about)

     1  package signature
     2  
     3  import (
     4  	v1 "github.com/castai/kvisor/api/v1/runtime"
     5  	"github.com/castai/kvisor/pkg/ebpftracer/events"
     6  	"github.com/castai/kvisor/pkg/ebpftracer/types"
     7  )
     8  
// TTYDetected is a stateless signature that reports TTY open events.
// It has no fields, so instances carry no per-event or per-container state.
type TTYDetected struct{}

// Compile-time assertion that *TTYDetected implements Signature.
var _ Signature = (*TTYDetected)(nil)
    12  
// NewTTYDetectedSignature returns a fresh TTYDetected signature behind the
// Signature interface. The signature takes no configuration.
func NewTTYDetectedSignature() Signature {
	return new(TTYDetected)
}
    16  
// GetMetadata returns the static descriptor of this signature: its finding
// ID, name, version and the event IDs it declares interest in.
//
// Only events.TtyOpen is listed in TargetEvents.
// NOTE(review): presumably the dispatcher uses TargetEvents to decide which
// events reach OnEvent; confirm against the caller.
func (*TTYDetected) GetMetadata() SignatureMetadata {
	meta := SignatureMetadata{
		ID:      v1.SignatureEventID_SIGNATURE_TTY_DETECTED,
		Name:    "tty_detected",
		Version: "0.0.1",
	}
	meta.TargetEvents = []events.ID{events.TtyOpen}
	return meta
}
    27  
// OnEvent converts a TTY open event into a TtyDetected finding.
//
// It returns nil when event.Args does not hold a types.TtyOpenArgs value.
// Otherwise the finding carries the path exactly as reported in the event
// arguments; the path is not normalized or validated here.
//
// event is dereferenced without a nil check, so callers must pass a non-nil
// event.
func (s *TTYDetected) OnEvent(event *types.Event) *v1.SignatureFinding {
	ttyArgs, ok := event.Args.(types.TtyOpenArgs)
	if !ok {
		// NOTE(review): only the value type types.TtyOpenArgs matches. A
		// *types.TtyOpenArgs payload would be dropped here without any log
		// or metric, which would silence this detection; confirm that the
		// event decoder emits the value type.
		return nil
	}

	// For now every TTY open event is reported as an anomaly; no filtering by
	// process, container or path is applied. More logic may be added later.
	// NOTE(review): presumably this also fires for legitimate interactive
	// sessions; confirm whether consumers filter or rate-limit these findings.
	detected := &v1.TtyDetectedFinding{Path: ttyArgs.Path}
	return &v1.SignatureFinding{
		Data: &v1.SignatureFinding_TtyDetected{TtyDetected: detected},
	}
}