blob: dfe483f98760557112ae7a007ee66833d525a804 [file] [log] [blame]
syntax = "proto3";
package schema;
message SocketIp {
uint32 family = 1; // AF_* for socket type.
bytes ip = 2; // ip4 or ip6 address.
uint32 port = 3; // port bind or connected.
}
message Socket {
SocketIp local = 1;
SocketIp remote = 2; // unset if not connected.
}
message Overlay {
bool lower_layer = 1;
bool upper_layer = 2;
bytes modified_uuid = 3; // The process who first modified the file.
}
message File {
bytes fullpath = 1;
uint32 ino = 3; // inode number.
oneof filesystem {
Overlay overlayfs = 2;
Socket socket = 4;
}
}
message ProcessArguments {
repeated bytes argv = 1; // process arguments
uint32 argv_truncated = 2; // number of characters truncated from argv
repeated bytes envp = 3; // process environment variables
uint32 envp_truncated = 4; // number of characters truncated from envp
}
message Descriptor {
uint32 mode = 1; // file mode (stat st_mode)
File file = 2;
}
message Streams {
Descriptor stdin = 1;
Descriptor stdout = 2;
Descriptor stderr = 3;
}
message Process {
uint64 creation_timestamp = 1; // Only populated in ExecuteEvent, in ns.
bytes uuid = 2;
uint32 pid = 3;
File binary = 4; // Only populated in ExecuteEvent.
uint32 parent_pid = 5;
bytes parent_uuid = 6;
uint64 container_id = 7; // unique id of process's container
uint32 container_pid = 8; // pid inside the container namespace pid
uint32 container_parent_pid = 9; // optional
ProcessArguments args = 10; // Only populated in ExecuteEvent.
Streams streams = 11; // Only populated in ExecuteEvent.
uint64 exec_session_id = 12; // identifier set for kubectl exec sessions.
}
message Container {
uint64 creation_timestamp = 1; // container create time in ns
bytes pod_namespace = 2;
bytes pod_name = 3;
uint64 container_id = 4; // unique across lifetime of Node
bytes container_name = 5;
bytes container_image_uri = 6;
repeated bytes labels = 7;
bytes init_uuid = 8;
bytes container_image_id = 9;
}
// A binary being executed.
// e.g., execve()
message ExecuteEvent {
Process proc = 1;
}
// A process clone is being created. This message means that a cloning operation
// is being attempted. It may be sent even if fork fails.
message CloneEvent {
Process proc = 1;
}
// Processes that are enumerated at startup will be sent with this event. There
// is no distinction from events we would have seen from fork or exec.
message EnumerateProcessEvent {
Process proc = 1;
}
// Collect information about mmap/mprotect calls with the PROT_EXEC flag set.
message MemoryExecEvent {
Process proc = 1; // The origin process
// The timestamp in ns when the memory was set executable
uint64 prot_exec_timestamp = 2;
// The prot flags granted by the kernel for the operation
uint64 new_flags = 3;
// The prot flags requested for the mprotect/mmap operation
uint64 req_flags = 4;
// The vm_flags prior to the mprotect operation, if relevant
uint64 old_vm_flags = 5;
// The operational flags for the mmap operation, if relevant
uint64 mmap_flags = 6;
// Derived from the file struct describing the fd being mapped
File mapped_file = 7;
enum Action {
UNDEFINED = 0;
MPROTECT = 1;
MMAP_FILE = 2;
}
Action action = 8;
uint64 start_addr = 9; // The executable memory region start addr
uint64 end_addr = 10; // The executable memory region end addr
// True if this event is a mmap of the process' binary
bool is_initial_mmap = 11;
}
// Associate the following container information with all processes
// that have the indicated container_id.
message ContainerInfoEvent {
Container container = 1;
}
// The process with the indicated pid has exited.
message ExitEvent {
bytes process_uuid = 1;
}
// Next ID: 8
message Event {
oneof event {
ExecuteEvent execute = 1;
ContainerInfoEvent container = 2;
ExitEvent exit = 3;
MemoryExecEvent memexec = 4;
CloneEvent clone = 5;
EnumerateProcessEvent enumproc = 7;
}
uint64 timestamp = 6; // In nanoseconds
}
// Message sent by the daemonset to the LSM for container enlightenment.
message ContainerReport {
uint32 pid = 1; // Top pid of the running container.
Container container = 2; // Information collected about the container.
}