When activity matches a Cloud Workload Security (CWS) Agent expression, a CWS log will be collected from the system containing all the relevant context about the activity.
This log is sent to Datadog, where it is analyzed. Based on that analysis, CWS logs can trigger Security Signals, or they can be stored as logs for audit and threat-investigation purposes. Note that the process context in these logs includes command-line arguments and environment variables (`args`, `envs`), which may contain credentials or other secrets; apply retention and access controls to CWS logs accordingly.
CWS logs have the following JSON schema:
Backend event JSON schema
{
"$id": "https://github.com/DataDog/datadog-agent/pkg/security/probe/event",
"$defs": {
"BPFEvent": {
"properties": {
"cmd": {
"type": "string",
"description": "BPF command"
},
"map": {
"$ref": "#/$defs/BPFMap",
"description": "BPF map"
},
"program": {
"$ref": "#/$defs/BPFProgram",
"description": "BPF program"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cmd"
],
"description": "BPFEventSerializer serializes a BPF event to JSON"
},
"BPFMap": {
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF map"
},
"map_type": {
"type": "string",
"description": "Type of the BPF map"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFMapSerializer serializes a BPF map to JSON"
},
"BPFProgram": {
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF program"
},
"tag": {
"type": "string",
"description": "Hash (sha1) of the BPF program; treat it as a program identifier, not as a collision-resistant integrity check"
},
"program_type": {
"type": "string",
"description": "Type of the BPF program"
},
"attach_type": {
"type": "string",
"description": "Attach type of the BPF program"
},
"helpers": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of helpers used by the BPF program"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFProgramSerializer serializes a BPF program to JSON"
},
"BindEvent": {
"properties": {
"addr": {
"$ref": "#/$defs/IPPortFamily",
"description": "Bound address (if any)"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"addr"
],
"description": "BindEventSerializer serializes a bind event to JSON"
},
"ContainerContext": {
"properties": {
"id": {
"type": "string",
"description": "Container ID"
}
},
"additionalProperties": false,
"type": "object",
"description": "ContainerContextSerializer serializes a container context to JSON"
},
"DDContext": {
"properties": {
"span_id": {
"type": "integer",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "integer",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
},
"DNSEvent": {
"properties": {
"id": {
"type": "integer",
"description": "id is the unique identifier of the DNS request"
},
"question": {
"$ref": "#/$defs/DNSQuestion",
"description": "question is a DNS question for the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"id"
],
"description": "DNSEventSerializer serializes a DNS event to JSON"
},
"DNSQuestion": {
"properties": {
"class": {
"type": "string",
"description": "class is the class looked up by the DNS question"
},
"type": {
"type": "string",
"description": "type is a two octet code which specifies the DNS question type"
},
"name": {
"type": "string",
"description": "name is the queried domain name"
},
"size": {
"type": "integer",
"description": "size is the total DNS request size in bytes"
},
"count": {
"type": "integer",
"description": "count is the total count of questions in the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"class",
"type",
"name",
"size",
"count"
],
"description": "DNSQuestionSerializer serializes a DNS question to JSON"
},
"EventContext": {
"properties": {
"name": {
"type": "string",
"description": "Event name"
},
"category": {
"type": "string",
"description": "Event category"
},
"outcome": {
"type": "string",
"description": "Event outcome"
},
"async": {
"type": "boolean",
"description": "True if the event was asynchronous"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventContextSerializer serializes an event context to JSON"
},
"ExitEvent": {
"properties": {
"cause": {
"type": "string",
"description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
},
"code": {
"type": "integer",
"description": "Exit code of the process or number of the signal that caused the process to terminate"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cause",
"code"
],
"description": "ExitEventSerializer serializes an exit event to JSON"
},
"File": {
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileSerializer serializes a file to JSON"
},
"FileEvent": {
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"destination": {
"$ref": "#/$defs/File",
"description": "Target file information"
},
"new_mount_id": {
"type": "integer",
"description": "New Mount ID"
},
"group_id": {
"type": "integer",
"description": "Group ID"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fstype": {
"type": "string",
"description": "Filesystem type"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileEventSerializer serializes a file event to JSON"
},
"IPPort": {
"properties": {
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"ip",
"port"
],
"description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
},
"IPPortFamily": {
"properties": {
"family": {
"type": "string",
"description": "Address family"
},
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"family",
"ip",
"port"
],
"description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
},
"MMapEvent": {
"properties": {
"address": {
"type": "string",
"description": "memory segment address"
},
"offset": {
"type": "integer",
"description": "file offset"
},
"length": {
"type": "integer",
"description": "memory segment length"
},
"protection": {
"type": "string",
"description": "memory segment protection"
},
"flags": {
"type": "string",
"description": "memory segment flags"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"address",
"offset",
"length",
"protection",
"flags"
],
"description": "MMapEventSerializer serializes a mmap event to JSON"
},
"MProtectEvent": {
"properties": {
"vm_start": {
"type": "string",
"description": "memory segment start address"
},
"vm_end": {
"type": "string",
"description": "memory segment end address"
},
"vm_protection": {
"type": "string",
"description": "initial memory segment protection"
},
"req_protection": {
"type": "string",
"description": "new memory segment protection"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"vm_start",
"vm_end",
"vm_protection",
"req_protection"
],
"description": "MProtectEventSerializer serializes a mprotect event to JSON"
},
"ModuleEvent": {
"properties": {
"name": {
"type": "string",
"description": "module name"
},
"loaded_from_memory": {
"type": "boolean",
"description": "indicates if a module was loaded from memory, as opposed to a file"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name"
],
"description": "ModuleEventSerializer serializes a module event to JSON"
},
"MountEvent": {
"properties": {
"mp": {
"$ref": "#/$defs/File"
},
"root": {
"$ref": "#/$defs/File"
},
"mount_id": {
"type": "integer"
},
"group_id": {
"type": "integer"
},
"parent_mount_id": {
"type": "integer"
},
"bind_src_mount_id": {
"type": "integer"
},
"device": {
"type": "integer"
},
"fs_type": {
"type": "string"
},
"mountpoint.path": {
"type": "string"
},
"source.path": {
"type": "string"
},
"mountpoint.path_error": {
"type": "string"
},
"source.path_error": {
"type": "string"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"mount_id",
"group_id",
"parent_mount_id",
"bind_src_mount_id",
"device"
],
"description": "MountEventSerializer serializes a mount event to JSON"
},
"NetworkContext": {
"properties": {
"device": {
"$ref": "#/$defs/NetworkDevice",
"description": "device is the network device on which the event was captured"
},
"l3_protocol": {
"type": "string",
"description": "l3_protocol is the layer 3 protocol name"
},
"l4_protocol": {
"type": "string",
"description": "l4_protocol is the layer 4 protocol name"
},
"source": {
"$ref": "#/$defs/IPPort",
"description": "source is the emitter of the network event"
},
"destination": {
"$ref": "#/$defs/IPPort",
"description": "destination is the receiver of the network event"
},
"size": {
"type": "integer",
"description": "size is the size in bytes of the network event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"l3_protocol",
"l4_protocol",
"source",
"destination",
"size"
],
"description": "NetworkContextSerializer serializes the network context to JSON"
},
"NetworkDevice": {
"properties": {
"netns": {
"type": "integer",
"description": "netns is the network namespace identifier of the interface"
},
"ifindex": {
"type": "integer",
"description": "ifindex is the network interface ifindex"
},
"ifname": {
"type": "string",
"description": "ifname is the network interface name"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"netns",
"ifindex",
"ifname"
],
"description": "NetworkDeviceSerializer serializes the network device context to JSON"
},
"PTraceEvent": {
"properties": {
"request": {
"type": "string",
"description": "ptrace request"
},
"address": {
"type": "string",
"description": "address at which the ptrace request was executed"
},
"tracee": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the tracee"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"request",
"address"
],
"description": "PTraceEventSerializer serializes a ptrace event to JSON"
},
"Process": {
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessSerializer serializes a process to JSON"
},
"ProcessContext": {
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"parent": {
"$ref": "#/$defs/Process",
"description": "Parent process"
},
"ancestors": {
"items": {
"$ref": "#/$defs/Process"
},
"type": "array",
"description": "Ancestor processes"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessContextSerializer serializes a process context to JSON"
},
"ProcessCredentials": {
"properties": {
"uid": {
"type": "integer",
"description": "User ID"
},
"user": {
"type": "string",
"description": "User name"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"group": {
"type": "string",
"description": "Group name"
},
"euid": {
"type": "integer",
"description": "Effective User ID"
},
"euser": {
"type": "string",
"description": "Effective User name"
},
"egid": {
"type": "integer",
"description": "Effective Group ID"
},
"egroup": {
"type": "string",
"description": "Effective Group name"
},
"fsuid": {
"type": "integer",
"description": "Filesystem User ID"
},
"fsuser": {
"type": "string",
"description": "Filesystem User name"
},
"fsgid": {
"type": "integer",
"description": "Filesystem Group ID"
},
"fsgroup": {
"type": "string",
"description": "Filesystem Group name"
},
"cap_effective": {
"items": {
"type": "string"
},
"type": "array",
"description": "Effective Capability set"
},
"cap_permitted": {
"items": {
"type": "string"
},
"type": "array",
"description": "Permitted Capability set"
},
"destination": {
"description": "Credentials after the operation"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid",
"euid",
"egid",
"fsuid",
"fsgid",
"cap_effective",
"cap_permitted"
],
"description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
},
"SELinuxBoolChange": {
"properties": {
"name": {
"type": "string",
"description": "SELinux boolean name"
},
"state": {
"type": "string",
"description": "SELinux boolean state ('on' or 'off')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
},
"SELinuxBoolCommit": {
"properties": {
"state": {
"type": "boolean",
"description": "SELinux boolean commit operation"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
},
"SELinuxEnforceStatus": {
"properties": {
"status": {
"type": "string",
"description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
},
"SELinuxEvent": {
"properties": {
"bool": {
"$ref": "#/$defs/SELinuxBoolChange",
"description": "SELinux boolean operation"
},
"enforce": {
"$ref": "#/$defs/SELinuxEnforceStatus",
"description": "SELinux enforcement change"
},
"bool_commit": {
"$ref": "#/$defs/SELinuxBoolCommit",
"description": "SELinux boolean commit"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEventSerializer serializes a SELinux context to JSON"
},
"SignalEvent": {
"properties": {
"type": {
"type": "string",
"description": "signal type"
},
"pid": {
"type": "integer",
"description": "signal target pid"
},
"target": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the signal target"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"type",
"pid"
],
"description": "SignalEventSerializer serializes a signal event to JSON"
},
"SpliceEvent": {
"properties": {
"pipe_entry_flag": {
"type": "string",
"description": "Entry flag of the fd_out pipe passed to the splice syscall"
},
"pipe_exit_flag": {
"type": "string",
"description": "Exit flag of the fd_out pipe passed to the splice syscall"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"pipe_entry_flag",
"pipe_exit_flag"
],
"description": "SpliceEventSerializer serializes a splice event to JSON"
},
"UserContext": {
"properties": {
"id": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
}
},
"additionalProperties": false,
"type": "object",
"description": "UserContextSerializer serializes a user context to JSON"
}
},
"properties": {
"evt": {
"$ref": "#/$defs/EventContext"
},
"file": {
"$ref": "#/$defs/FileEvent"
},
"selinux": {
"$ref": "#/$defs/SELinuxEvent"
},
"bpf": {
"$ref": "#/$defs/BPFEvent"
},
"mmap": {
"$ref": "#/$defs/MMapEvent"
},
"mprotect": {
"$ref": "#/$defs/MProtectEvent"
},
"ptrace": {
"$ref": "#/$defs/PTraceEvent"
},
"module": {
"$ref": "#/$defs/ModuleEvent"
},
"signal": {
"$ref": "#/$defs/SignalEvent"
},
"splice": {
"$ref": "#/$defs/SpliceEvent"
},
"dns": {
"$ref": "#/$defs/DNSEvent"
},
"network": {
"$ref": "#/$defs/NetworkContext"
},
"bind": {
"$ref": "#/$defs/BindEvent"
},
"exit": {
"$ref": "#/$defs/ExitEvent"
},
"mount": {
"$ref": "#/$defs/MountEvent"
},
"usr": {
"$ref": "#/$defs/UserContext"
},
"process": {
"$ref": "#/$defs/ProcessContext"
},
"dd": {
"$ref": "#/$defs/DDContext"
},
"container": {
"$ref": "#/$defs/ContainerContext"
},
"date": {
"type": "string",
"format": "date-time"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventSerializer serializes an event to JSON"
}
Parameter | Type | Description |
---|---|---|
evt | $ref | Please see EventContext |
file | $ref | Please see FileEvent |
selinux | $ref | Please see SELinuxEvent |
bpf | $ref | Please see BPFEvent |
mmap | $ref | Please see MMapEvent |
mprotect | $ref | Please see MProtectEvent |
ptrace | $ref | Please see PTraceEvent |
module | $ref | Please see ModuleEvent |
signal | $ref | Please see SignalEvent |
splice | $ref | Please see SpliceEvent |
dns | $ref | Please see DNSEvent |
network | $ref | Please see NetworkContext |
bind | $ref | Please see BindEvent |
exit | $ref | Please see ExitEvent |
mount | $ref | Please see MountEvent |
usr | $ref | Please see UserContext |
process | $ref | Please see ProcessContext |
dd | $ref | Please see DDContext |
container | $ref | Please see ContainerContext |
date | string | Event timestamp (RFC 3339 date-time) |
BPFEvent
{
"properties": {
"cmd": {
"type": "string",
"description": "BPF command"
},
"map": {
"$ref": "#/$defs/BPFMap",
"description": "BPF map"
},
"program": {
"$ref": "#/$defs/BPFProgram",
"description": "BPF program"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cmd"
],
"description": "BPFEventSerializer serializes a BPF event to JSON"
}
Field | Description |
---|---|
cmd | BPF command |
map | BPF map |
program | BPF program |
References |
---|
BPFMap |
BPFProgram |
BPFMap
{
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF map"
},
"map_type": {
"type": "string",
"description": "Type of the BPF map"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFMapSerializer serializes a BPF map to JSON"
}
Field | Description |
---|---|
name | Name of the BPF map |
map_type | Type of the BPF map |
BPFProgram
{
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF program"
},
"tag": {
"type": "string",
"description": "Hash (sha1) of the BPF program; treat it as a program identifier, not as a collision-resistant integrity check"
},
"program_type": {
"type": "string",
"description": "Type of the BPF program"
},
"attach_type": {
"type": "string",
"description": "Attach type of the BPF program"
},
"helpers": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of helpers used by the BPF program"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFProgramSerializer serializes a BPF program to JSON"
}
Field | Description |
---|---|
name | Name of the BPF program |
tag | Hash (sha1) of the BPF program; treat it as a program identifier, not as a collision-resistant integrity check |
program_type | Type of the BPF program |
attach_type | Attach type of the BPF program |
helpers | List of helpers used by the BPF program |
BindEvent
{
"properties": {
"addr": {
"$ref": "#/$defs/IPPortFamily",
"description": "Bound address (if any)"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"addr"
],
"description": "BindEventSerializer serializes a bind event to JSON"
}
Field | Description |
---|---|
addr | Bound address (if any) |
References |
---|
IPPortFamily |
ContainerContext
{
"properties": {
"id": {
"type": "string",
"description": "Container ID"
}
},
"additionalProperties": false,
"type": "object",
"description": "ContainerContextSerializer serializes a container context to JSON"
}
Field | Description |
---|---|
id | Container ID |
DDContext
{
"properties": {
"span_id": {
"type": "integer",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "integer",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
}
Field | Description |
---|---|
span_id | Span ID used for APM correlation |
trace_id | Trace ID used for APM correlation |
DNSEvent
{
"properties": {
"id": {
"type": "integer",
"description": "id is the unique identifier of the DNS request"
},
"question": {
"$ref": "#/$defs/DNSQuestion",
"description": "question is a DNS question for the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"id"
],
"description": "DNSEventSerializer serializes a DNS event to JSON"
}
Field | Description |
---|---|
id | id is the unique identifier of the DNS request |
question | question is a DNS question for the DNS request |
References |
---|
DNSQuestion |
DNSQuestion
{
"properties": {
"class": {
"type": "string",
"description": "class is the class looked up by the DNS question"
},
"type": {
"type": "string",
"description": "type is a two octet code which specifies the DNS question type"
},
"name": {
"type": "string",
"description": "name is the queried domain name"
},
"size": {
"type": "integer",
"description": "size is the total DNS request size in bytes"
},
"count": {
"type": "integer",
"description": "count is the total count of questions in the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"class",
"type",
"name",
"size",
"count"
],
"description": "DNSQuestionSerializer serializes a DNS question to JSON"
}
Field | Description |
---|---|
class | class is the class looked up by the DNS question |
type | type is a two octet code which specifies the DNS question type |
name | name is the queried domain name |
size | size is the total DNS request size in bytes |
count | count is the total count of questions in the DNS request |
EventContext
{
"properties": {
"name": {
"type": "string",
"description": "Event name"
},
"category": {
"type": "string",
"description": "Event category"
},
"outcome": {
"type": "string",
"description": "Event outcome"
},
"async": {
"type": "boolean",
"description": "True if the event was asynchronous"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventContextSerializer serializes an event context to JSON"
}
Field | Description |
---|---|
name | Event name |
category | Event category |
outcome | Event outcome |
async | True if the event was asynchronous |
ExitEvent
{
"properties": {
"cause": {
"type": "string",
"description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
},
"code": {
"type": "integer",
"description": "Exit code of the process or number of the signal that caused the process to terminate"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cause",
"code"
],
"description": "ExitEventSerializer serializes an exit event to JSON"
}
Field | Description |
---|---|
cause | Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED) |
code | Exit code of the process or number of the signal that caused the process to terminate |
File
{
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicates whether the file is in the OverlayFS upper layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileSerializer serializes a file to JSON"
}
Field | Description |
---|---|
path | File path |
name | File basename |
path_resolution_error | Error message from path resolution |
inode | File inode number |
mode | File mode |
in_upper_layer | Indicates whether the file is in the OverlayFS upper layer |
mount_id | File mount ID |
filesystem | File filesystem name |
uid | File User ID |
gid | File Group ID |
user | File user |
group | File group |
attribute_name | File extended attribute name |
attribute_namespace | File extended attribute namespace |
flags | File flags |
access_time | File access time |
modification_time | File modified time |
change_time | File change time |
FileEvent
{
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicates whether the file is in the OverlayFS upper layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"destination": {
"$ref": "#/$defs/File",
"description": "Target file information"
},
"new_mount_id": {
"type": "integer",
"description": "New Mount ID"
},
"group_id": {
"type": "integer",
"description": "Group ID"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fstype": {
"type": "string",
"description": "Filesystem type"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileEventSerializer serializes a file event to JSON"
}
Field | Description |
---|---|
path | File path |
name | File basename |
path_resolution_error | Error message from path resolution |
inode | File inode number |
mode | File mode |
in_upper_layer | Indicates whether the file is in the OverlayFS upper layer |
mount_id | File mount ID |
filesystem | File filesystem name |
uid | File User ID |
gid | File Group ID |
user | File user |
group | File group |
attribute_name | File extended attribute name |
attribute_namespace | File extended attribute namespace |
flags | File flags |
access_time | File access time |
modification_time | File modified time |
change_time | File change time |
destination | Target file information |
new_mount_id | New Mount ID |
group_id | Group ID |
device | Device associated with the file |
fstype | Filesystem type |
References |
---|
File |
IPPort
{
"properties": {
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"ip",
"port"
],
"description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
}
Field | Description |
---|---|
ip | IP address |
port | Port number |
IPPortFamily
{
"properties": {
"family": {
"type": "string",
"description": "Address family"
},
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"family",
"ip",
"port"
],
"description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
}
Field | Description |
---|---|
family | Address family |
ip | IP address |
port | Port number |
MMapEvent
{
"properties": {
"address": {
"type": "string",
"description": "memory segment address"
},
"offset": {
"type": "integer",
"description": "file offset"
},
"length": {
"type": "integer",
"description": "memory segment length"
},
"protection": {
"type": "string",
"description": "memory segment protection"
},
"flags": {
"type": "string",
"description": "memory segment flags"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"address",
"offset",
"length",
"protection",
"flags"
],
"description": "MMapEventSerializer serializes a mmap event to JSON"
}
Field | Description |
---|---|
address | memory segment address |
offset | file offset |
length | memory segment length |
protection | memory segment protection |
flags | memory segment flags |
MProtectEvent
{
"properties": {
"vm_start": {
"type": "string",
"description": "memory segment start address"
},
"vm_end": {
"type": "string",
"description": "memory segment end address"
},
"vm_protection": {
"type": "string",
"description": "initial memory segment protection"
},
"req_protection": {
"type": "string",
"description": "new memory segment protection"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"vm_start",
"vm_end",
"vm_protection",
"req_protection"
],
"description": "MProtectEventSerializer serializes an mprotect event to JSON"
}
Field | Description |
---|---|
vm_start | memory segment start address |
vm_end | memory segment end address |
vm_protection | initial memory segment protection |
req_protection | new memory segment protection |
ModuleEvent
{
"properties": {
"name": {
"type": "string",
"description": "module name"
},
"loaded_from_memory": {
"type": "boolean",
"description": "indicates if a module was loaded from memory, as opposed to a file"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name"
],
"description": "ModuleEventSerializer serializes a module event to JSON"
}
Field | Description |
---|---|
name | module name |
loaded_from_memory | indicates if a module was loaded from memory, as opposed to a file |
MountEvent
{
"properties": {
"mp": {
"$ref": "#/$defs/File"
},
"root": {
"$ref": "#/$defs/File"
},
"mount_id": {
"type": "integer"
},
"group_id": {
"type": "integer"
},
"parent_mount_id": {
"type": "integer"
},
"bind_src_mount_id": {
"type": "integer"
},
"device": {
"type": "integer"
},
"fs_type": {
"type": "string"
},
"mountpoint.path": {
"type": "string"
},
"source.path": {
"type": "string"
},
"mountpoint.path_error": {
"type": "string"
},
"source.path_error": {
"type": "string"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"mount_id",
"group_id",
"parent_mount_id",
"bind_src_mount_id",
"device"
],
"description": "MountEventSerializer serializes a mount event to JSON"
}
References |
---|
File |
File |
NetworkContext
{
"properties": {
"device": {
"$ref": "#/$defs/NetworkDevice",
"description": "device is the network device on which the event was captured"
},
"l3_protocol": {
"type": "string",
"description": "l3_protocol is the layer 3 protocol name"
},
"l4_protocol": {
"type": "string",
"description": "l4_protocol is the layer 4 protocol name"
},
"source": {
"$ref": "#/$defs/IPPort",
"description": "source is the emitter of the network event"
},
"destination": {
"$ref": "#/$defs/IPPort",
"description": "destination is the receiver of the network event"
},
"size": {
"type": "integer",
"description": "size is the size in bytes of the network event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"l3_protocol",
"l4_protocol",
"source",
"destination",
"size"
],
"description": "NetworkContextSerializer serializes the network context to JSON"
}
Field | Description |
---|---|
device | device is the network device on which the event was captured |
l3_protocol | l3_protocol is the layer 3 protocol name |
l4_protocol | l4_protocol is the layer 4 protocol name |
source | source is the emitter of the network event |
destination | destination is the receiver of the network event |
size | size is the size in bytes of the network event |
References |
---|
NetworkDevice |
IPPort |
IPPort |
NetworkDevice
{
"properties": {
"netns": {
"type": "integer",
"description": "netns is the network namespace identifier of the interface"
},
"ifindex": {
"type": "integer",
"description": "ifindex is the network interface ifindex"
},
"ifname": {
"type": "string",
"description": "ifname is the network interface name"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"netns",
"ifindex",
"ifname"
],
"description": "NetworkDeviceSerializer serializes the network device context to JSON"
}
Field | Description |
---|---|
netns | netns is the network namespace identifier of the interface |
ifindex | ifindex is the network interface ifindex |
ifname | ifname is the network interface name |
PTraceEvent
{
"properties": {
"request": {
"type": "string",
"description": "ptrace request"
},
"address": {
"type": "string",
"description": "address at which the ptrace request was executed"
},
"tracee": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the tracee"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"request",
"address"
],
"description": "PTraceEventSerializer serializes a ptrace event to JSON"
}
Field | Description |
---|---|
request | ptrace request |
address | address at which the ptrace request was executed |
tracee | process context of the tracee |
References |
---|
ProcessContext |
Process
{
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessSerializer serializes a process to JSON"
}
Field | Description |
---|---|
pid | Process ID |
ppid | Parent Process ID |
tid | Thread ID |
uid | User ID |
gid | Group ID |
user | User name |
group | Group name |
path_resolution_error | Description of an error in the path resolution |
comm | Command name |
tty | TTY associated with the process |
fork_time | Fork time of the process |
exec_time | Exec time of the process |
exit_time | Exit time of the process |
credentials | Credentials associated with the process |
executable | File information of the executable |
interpreter | File information of the interpreter |
container | Container context |
argv0 | First command line argument |
args | Command line arguments |
args_truncated | Indicator of arguments truncation |
envs | Environment variables of the process |
envs_truncated | Indicator of environment variable truncation |
is_thread | Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program) |
is_kworker | Indicates whether the process is a kworker |
References |
---|
ProcessCredentials |
File |
File |
ContainerContext |
ProcessContext
{
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"parent": {
"$ref": "#/$defs/Process",
"description": "Parent process"
},
"ancestors": {
"items": {
"$ref": "#/$defs/Process"
},
"type": "array",
"description": "Ancestor processes"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessContextSerializer serializes a process context to JSON"
}
Field | Description |
---|---|
pid | Process ID |
ppid | Parent Process ID |
tid | Thread ID |
uid | User ID |
gid | Group ID |
user | User name |
group | Group name |
path_resolution_error | Description of an error in the path resolution |
comm | Command name |
tty | TTY associated with the process |
fork_time | Fork time of the process |
exec_time | Exec time of the process |
exit_time | Exit time of the process |
credentials | Credentials associated with the process |
executable | File information of the executable |
interpreter | File information of the interpreter |
container | Container context |
argv0 | First command line argument |
args | Command line arguments |
args_truncated | Indicator of arguments truncation |
envs | Environment variables of the process |
envs_truncated | Indicator of environment variable truncation |
is_thread | Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program) |
is_kworker | Indicates whether the process is a kworker |
parent | Parent process |
ancestors | Ancestor processes |
References |
---|
ProcessCredentials |
File |
File |
ContainerContext |
Process |
ProcessCredentials
{
"properties": {
"uid": {
"type": "integer",
"description": "User ID"
},
"user": {
"type": "string",
"description": "User name"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"group": {
"type": "string",
"description": "Group name"
},
"euid": {
"type": "integer",
"description": "Effective User ID"
},
"euser": {
"type": "string",
"description": "Effective User name"
},
"egid": {
"type": "integer",
"description": "Effective Group ID"
},
"egroup": {
"type": "string",
"description": "Effective Group name"
},
"fsuid": {
"type": "integer",
"description": "Filesystem User ID"
},
"fsuser": {
"type": "string",
"description": "Filesystem User name"
},
"fsgid": {
"type": "integer",
"description": "Filesystem Group ID"
},
"fsgroup": {
"type": "string",
"description": "Filesystem Group name"
},
"cap_effective": {
"items": {
"type": "string"
},
"type": "array",
"description": "Effective Capability set"
},
"cap_permitted": {
"items": {
"type": "string"
},
"type": "array",
"description": "Permitted Capability set"
},
"destination": {
"description": "Credentials after the operation"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid",
"euid",
"egid",
"fsuid",
"fsgid",
"cap_effective",
"cap_permitted"
],
"description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
}
Field | Description |
---|---|
uid | User ID |
user | User name |
gid | Group ID |
group | Group name |
euid | Effective User ID |
euser | Effective User name |
egid | Effective Group ID |
egroup | Effective Group name |
fsuid | Filesystem User ID |
fsuser | Filesystem User name |
fsgid | Filesystem Group ID |
fsgroup | Filesystem Group name |
cap_effective | Effective Capability set |
cap_permitted | Permitted Capability set |
destination | Credentials after the operation |
SELinuxBoolChange
{
"properties": {
"name": {
"type": "string",
"description": "SELinux boolean name"
},
"state": {
"type": "string",
"description": "SELinux boolean state ('on' or 'off')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
}
Field | Description |
---|---|
name | SELinux boolean name |
state | SELinux boolean state ('on' or 'off') |
SELinuxBoolCommit
{
"properties": {
"state": {
"type": "boolean",
"description": "SELinux boolean commit operation"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
}
Field | Description |
---|---|
state | SELinux boolean commit operation |
SELinuxEnforceStatus
{
"properties": {
"status": {
"type": "string",
"description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
}
Field | Description |
---|---|
status | SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled') |
SELinuxEvent
{
"properties": {
"bool": {
"$ref": "#/$defs/SELinuxBoolChange",
"description": "SELinux boolean operation"
},
"enforce": {
"$ref": "#/$defs/SELinuxEnforceStatus",
"description": "SELinux enforcement change"
},
"bool_commit": {
"$ref": "#/$defs/SELinuxBoolCommit",
"description": "SELinux boolean commit"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEventSerializer serializes a SELinux context to JSON"
}
Field | Description |
---|---|
bool | SELinux boolean operation |
enforce | SELinux enforcement change |
bool_commit | SELinux boolean commit |
References |
---|
SELinuxBoolChange |
SELinuxEnforceStatus |
SELinuxBoolCommit |
SignalEvent
{
"properties": {
"type": {
"type": "string",
"description": "signal type"
},
"pid": {
"type": "integer",
"description": "signal target pid"
},
"target": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the signal target"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"type",
"pid"
],
"description": "SignalEventSerializer serializes a signal event to JSON"
}
Field | Description |
---|---|
type | signal type |
pid | signal target pid |
target | process context of the signal target |
References |
---|
ProcessContext |
SpliceEvent
{
"properties": {
"pipe_entry_flag": {
"type": "string",
"description": "Entry flag of the fd_out pipe passed to the splice syscall"
},
"pipe_exit_flag": {
"type": "string",
"description": "Exit flag of the fd_out pipe passed to the splice syscall"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"pipe_entry_flag",
"pipe_exit_flag"
],
"description": "SpliceEventSerializer serializes a splice event to JSON"
}
Field | Description |
---|---|
pipe_entry_flag | Entry flag of the fd_out pipe passed to the splice syscall |
pipe_exit_flag | Exit flag of the fd_out pipe passed to the splice syscall |
UserContext
{
"properties": {
"id": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
}
},
"additionalProperties": false,
"type": "object",
"description": "UserContextSerializer serializes a user context to JSON"
}
Field | Description |
---|---|
id | User name |
group | Group name |