gRPC API
The Tetragon API is an independant Go module that can be found in the Tetragon repository under api. The version 1 of this API is defined in github.com/cilium/tetragon/api/v1/tetragon.
tetragon/capabilities.proto
CapabilitiesType
Name | Number | Description |
---|---|---|
CAP_CHOWN | 0 | In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership. |
DAC_OVERRIDE | 1 | Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. |
CAP_DAC_READ_SEARCH | 2 | Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by "$1"_LINUX_IMMUTABLE. |
CAP_FOWNER | 3 | Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions. |
CAP_FSETID | 4 | Overrides the following restrictions that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented). |
CAP_KILL | 5 | Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. |
CAP_SETGID | 6 | Allows forged gids on socket credentials passing. |
CAP_SETUID | 7 | Allows forged pids on socket credentials passing. |
CAP_SETPCAP | 8 | Without VFS support for capabilities: Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid With VFS support for capabilities (neither of above, but) Add any capability from current's capability bounding set to the current process' inheritable set Allow taking bits out of capability bounding set Allow modification of the securebits for a process |
CAP_LINUX_IMMUTABLE | 9 | Allow modification of S_IMMUTABLE and S_APPEND file attributes |
CAP_NET_BIND_SERVICE | 10 | Allows binding to ATM VCIs below 32 |
CAP_NET_BROADCAST | 11 | Allow broadcasting, listen to multicast |
CAP_NET_ADMIN | 12 | Allow activation of ATM control sockets |
CAP_NET_RAW | 13 | Allow binding to any address for transparent proxying (also via NET_ADMIN) |
CAP_IPC_LOCK | 14 | Allow mlock and mlockall (which doesn't really have anything to do with IPC) |
CAP_IPC_OWNER | 15 | Override IPC ownership checks |
CAP_SYS_MODULE | 16 | Insert and remove kernel modules - modify kernel without limit |
CAP_SYS_RAWIO | 17 | Allow sending USB messages to any device via /dev/bus/usb |
CAP_SYS_CHROOT | 18 | Allow use of chroot() |
CAP_SYS_PTRACE | 19 | Allow ptrace() of any process |
CAP_SYS_PACCT | 20 | Allow configuration of process accounting |
CAP_SYS_ADMIN | 21 | Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility |
CAP_SYS_BOOT | 22 | Allow use of reboot() |
CAP_SYS_NICE | 23 | Allow setting cpu affinity on other processes |
CAP_SYS_RESOURCE | 24 | Control memory reclaim behavior |
CAP_SYS_TIME | 25 | Allow setting the real-time clock |
CAP_SYS_TTY_CONFIG | 26 | Allow vhangup() of tty |
CAP_MKNOD | 27 | Allow the privileged aspects of mknod() |
CAP_LEASE | 28 | Allow taking of leases on files |
CAP_AUDIT_WRITE | 29 | Allow writing the audit log via unicast netlink socket |
CAP_AUDIT_CONTROL | 30 | Allow configuration of audit via unicast netlink socket |
CAP_SETFCAP | 31 | Set or remove capabilities on files |
CAP_MAC_OVERRIDE | 32 | Override MAC access. The base kernel enforces no MAC policy. An LSM may enforce a MAC policy, and if it does and it chooses to implement capability based overrides of that policy, this is the capability it should use to do so. |
CAP_MAC_ADMIN | 33 | Allow MAC configuration or state changes. The base kernel requires no MAC configuration. An LSM may enforce a MAC policy, and if it does and it chooses to implement capability based checks on modifications to that policy or the data required to maintain it, this is the capability it should use to do so. |
CAP_SYSLOG | 34 | Allow configuring the kernel's syslog (printk behaviour) |
CAP_WAKE_ALARM | 35 | Allow triggering something that will wake the system |
CAP_BLOCK_SUSPEND | 36 | Allow preventing system suspends |
CAP_AUDIT_READ | 37 | Allow reading the audit log via multicast netlink socket |
CAP_PERFMON | 38 | Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems |
CAP_BPF | 39 | CAP_BPF allows the following BPF operations: - Creating all types of BPF maps - Advanced verifier features - Indirect variable access - Bounded loops - BPF to BPF function calls - Scalar precision tracking - Larger complexity limits - Dead code elimination - And potentially other features - Loading BPF Type Format (BTF) data - Retrieve xlated and JITed code of BPF programs - Use bpf_spin_lock() helper CAP_PERFMON relaxes the verifier checks further: - BPF progs can use of pointer-to-integer conversions - speculation attack hardening measures are bypassed - bpf_probe_read to read arbitrary kernel memory is allowed - bpf_trace_printk to print kernel memory is allowed CAP_SYS_ADMIN is required to use bpf_probe_write_user. CAP_SYS_ADMIN is required to iterate system wide loaded programs, maps, links, BTFs and convert their IDs to file descriptors. CAP_PERFMON and CAP_BPF are required to load tracing programs. CAP_NET_ADMIN and CAP_BPF are required to load networking programs. |
CAP_CHECKPOINT_RESTORE | 40 | Allow writing to ns_last_pid |
SecureBitsType
Name | Number | Description |
---|---|---|
SecBitNotSet | 0 | |
SecBitNoRoot | 1 | When set UID 0 has no special privileges. When unset, inheritance of root-permissions and suid-root executable under compatibility mode is supported. If the effective uid of the new process is 0 then the effective and inheritable bitmasks of the executable file is raised. If the real uid is 0, the effective (legacy) bit of the executable file is raised. |
SecBitNoRootLocked | 2 | Make bit-0 SecBitNoRoot immutable |
SecBitNoSetUidFixup | 4 | When set, setuid to/from uid 0 does not trigger capability-"fixup". When unset, to provide compatiblility with old programs relying on set*uid to gain/lose privilege, transitions to/from uid 0 cause capabilities to be gained/lost. |
SecBitNoSetUidFixupLocked | 8 | Make bit-2 SecBitNoSetUidFixup immutable |
SecBitKeepCaps | 16 | When set, a process can retain its capabilities even after transitioning to a non-root user (the set-uid fixup suppressed by bit 2). Bit-4 is cleared when a process calls exec(); setting both bit 4 and 5 will create a barrier through exec that no exec()'d child can use this feature again. |
SecBitKeepCapsLocked | 32 | Make bit-4 SecBitKeepCaps immutable |
SecBitNoCapAmbientRaise | 64 | When set, a process cannot add new capabilities to its ambient set. |
SecBitNoCapAmbientRaiseLocked | 128 | Make bit-6 SecBitNoCapAmbientRaise immutable |
tetragon/tetragon.proto
BinaryProperties
Field | Type | Label | Description |
---|---|---|---|
setuid | google.protobuf.UInt32Value | If set then this is the set user ID used for execution | |
setgid | google.protobuf.UInt32Value | If set then this is the set group ID used for execution |
Capabilities
Field | Type | Label | Description |
---|---|---|---|
permitted | CapabilitiesType | repeated | Permitted set indicates what capabilities the process can use. This is a limiting superset for the effective capabilities that the thread may assume. It is also a limiting superset for the capabilities that may be added to the inheritable set by a thread without the CAP_SETPCAP in its effective set. |
effective | CapabilitiesType | repeated | Effective set indicates what capabilities are active in a process. This is the set used by the kernel to perform permission checks for the thread. |
inheritable | CapabilitiesType | repeated | Inheritable set indicates which capabilities will be inherited by the current process when running as a root user. |
Container
Field | Type | Label | Description |
---|---|---|---|
id | string | Identifier of the container. | |
name | string | Name of the container. | |
image | Image | Image of the container. | |
start_time | google.protobuf.Timestamp | Start time of the container. | |
pid | google.protobuf.UInt32Value | Process identifier in the container namespace. | |
maybe_exec_probe | bool | If this is set true, it means that the process might have been originated from a Kubernetes exec probe. For this field to be true, the following must be true: 1. The binary field matches the first element of the exec command list for either liveness or readiness probe excluding the basename. For example, "/bin/ls" and "ls" are considered a match. 2. The arguments field exactly matches the rest of the exec command list. |
CreateContainer
CreateContainer informs the agent that a container was created This is intented to be used by OCI hooks (but not limited to them) and corresponds to the CreateContainer hook: https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontainer-hooks.
Field | Type | Label | Description |
---|---|---|---|
cgroupsPath | string | cgroupsPath is the cgroups path for the container. The path is expected to be relative to the cgroups mountpoint. See: https://github.com/opencontainers/runtime-spec/blob/58ec43f9fc39e0db229b653ae98295bfde74aeab/specs-go/config.go#L174 | |
rootDir | string | rootDir is the absolute path of the root directory of the container. See: https://github.com/opencontainers/runtime-spec/blob/main/specs-go/config.go#L174 | |
annotations | CreateContainer.AnnotationsEntry | repeated | annotations are the run-time annotations for the container see https://github.com/opencontainers/runtime-spec/blob/main/config.md#annotations |
CreateContainer.AnnotationsEntry
Field | Type | Label | Description |
---|---|---|---|
key | string | ||
value | string |
GetHealthStatusRequest
Field | Type | Label | Description |
---|---|---|---|
event_set | HealthStatusType | repeated |
GetHealthStatusResponse
Field | Type | Label | Description |
---|---|---|---|
health_status | HealthStatus | repeated |
HealthStatus
Field | Type | Label | Description |
---|---|---|---|
event | HealthStatusType | ||
status | HealthStatusResult | ||
details | string |
Image
Field | Type | Label | Description |
---|---|---|---|
id | string | Identifier of the container image composed of the registry path and the sha256. | |
name | string | Name of the container image composed of the registry path and the tag. |
KernelModule
Field | Type | Label | Description |
---|---|---|---|
name | string | Kernel module name | |
signature_ok | google.protobuf.BoolValue | If true the module signature was verified successfully. Depends on kernels compiled with CONFIG_MODULE_SIG option, for details please read: https://www.kernel.org/doc/Documentation/admin-guide/module-signing.rst | |
tainted | TaintedBitsType | repeated | The module tainted flags that will be applied on the kernel. For further details please read: https://docs.kernel.org/admin-guide/tainted-kernels.html |
KprobeArgument
Field | Type | Label | Description |
---|---|---|---|
string_arg | string | ||
int_arg | int32 | ||
skb_arg | KprobeSkb | ||
size_arg | uint64 | ||
bytes_arg | bytes | ||
path_arg | KprobePath | ||
file_arg | KprobeFile | ||
truncated_bytes_arg | KprobeTruncatedBytes | ||
sock_arg | KprobeSock | ||
cred_arg | KprobeCred | ||
long_arg | int64 | ||
bpf_attr_arg | KprobeBpfAttr | ||
perf_event_arg | KprobePerfEvent | ||
bpf_map_arg | KprobeBpfMap | ||
uint_arg | uint32 | ||
user_namespace_arg | KprobeUserNamespace | Deprecated. | |
capability_arg | KprobeCapability | ||
process_credentials_arg | ProcessCredentials | ||
user_ns_arg | UserNamespace | ||
module_arg | KernelModule | ||
label | string |
KprobeBpfAttr
Field | Type | Label | Description |
---|---|---|---|
ProgType | string | ||
InsnCnt | uint32 | ||
ProgName | string |
KprobeBpfMap
Field | Type | Label | Description |
---|---|---|---|
MapType | string | ||
KeySize | uint32 | ||
ValueSize | uint32 | ||
MaxEntries | uint32 | ||
MapName | string |
KprobeCapability
Field | Type | Label | Description |
---|---|---|---|
value | google.protobuf.Int32Value | ||
name | string |
KprobeCred
Field | Type | Label | Description |
---|---|---|---|
permitted | CapabilitiesType | repeated | |
effective | CapabilitiesType | repeated | |
inheritable | CapabilitiesType | repeated |
KprobeFile
Field | Type | Label | Description |
---|---|---|---|
mount | string | ||
path | string | ||
flags | string |
KprobePath
Field | Type | Label | Description |
---|---|---|---|
mount | string | ||
path | string | ||
flags | string |
KprobePerfEvent
Field | Type | Label | Description |
---|---|---|---|
KprobeFunc | string | ||
Type | string | ||
Config | uint64 | ||
ProbeOffset | uint64 |
KprobeSkb
Field | Type | Label | Description |
---|---|---|---|
hash | uint32 | ||
len | uint32 | ||
priority | uint32 | ||
mark | uint32 | ||
saddr | string | ||
daddr | string | ||
sport | uint32 | ||
dport | uint32 | ||
proto | uint32 | ||
sec_path_len | uint32 | ||
sec_path_olen | uint32 | ||
protocol | string | ||
family | string |
KprobeSock
Field | Type | Label | Description |
---|---|---|---|
family | string | ||
type | string | ||
protocol | string | ||
mark | uint32 | ||
priority | uint32 | ||
saddr | string | ||
daddr | string | ||
sport | uint32 | ||
dport | uint32 | ||
cookie | uint64 | ||
state | string |
KprobeTruncatedBytes
Field | Type | Label | Description |
---|---|---|---|
bytes_arg | bytes | ||
orig_size | uint64 |
KprobeUserNamespace
Field | Type | Label | Description |
---|---|---|---|
level | google.protobuf.Int32Value | ||
owner | google.protobuf.UInt32Value | ||
group | google.protobuf.UInt32Value | ||
ns | Namespace |
Namespace
Field | Type | Label | Description |
---|---|---|---|
inum | uint32 | Inode number of the namespace. | |
is_host | bool | Indicates if namespace belongs to host. |
Namespaces
Field | Type | Label | Description |
---|---|---|---|
uts | Namespace | Hostname and NIS domain name. | |
ipc | Namespace | System V IPC, POSIX message queues. | |
mnt | Namespace | Mount points. | |
pid | Namespace | Process IDs. | |
pid_for_children | Namespace | Process IDs for children processes. | |
net | Namespace | Network devices, stacks, ports, etc. | |
time | Namespace | Boot and monotonic clocks. | |
time_for_children | Namespace | Boot and monotonic clocks for children processes. | |
cgroup | Namespace | Cgroup root directory. | |
user | Namespace | User and group IDs. |
Pod
Field | Type | Label | Description |
---|---|---|---|
namespace | string | Kubernetes namespace of the Pod. | |
name | string | Name of the Pod. | |
labels | string | repeated | Deprecated. Cilium identity labels of the Pod. This field is deprecated. Use pod_labels instead. |
container | Container | Container of the Pod from which the process that triggered the event originates. | |
pod_labels | Pod.PodLabelsEntry | repeated | Contains all the labels of the pod. Note that the labels field contains Cilium identity labels, which is a subset of pod labels. |
workload | string | Kubernetes workload of the Pod. | |
workload_kind | string | Kubernetes workload kind (e.g. "Deployment", "DaemonSet") of the Pod. |
Pod.PodLabelsEntry
Field | Type | Label | Description |
---|---|---|---|
key | string | ||
value | string |
Process
Field | Type | Label | Description |
---|---|---|---|
exec_id | string | Exec ID uniquely identifies the process over time across all the nodes in the cluster. | |
pid | google.protobuf.UInt32Value | Process identifier from host PID namespace. | |
uid | google.protobuf.UInt32Value | User identifier associated with the process. | |
cwd | string | Current working directory of the process. | |
binary | string | Absolute path of the executed binary. | |
arguments | string | Arguments passed to the binary at execution. | |
flags | string | Flags are for debugging purposes only and should not be considered a reliable source of information. They hold various information about which syscalls generated events, use of internal Tetragon buffers, errors and more. - execve This event is generated by an execve syscall for a new process. See procFs for the other option. A correctly formatted event should either set execve or procFS (described next). - procFS This event is generated from a proc interface. This happens at Tetragon init when existing processes are being loaded into Tetragon event buffer. All events should have either execve or procFS set. - truncFilename Indicates a truncated processes filename because the buffer size is too small to contain the process filename. Consider increasing buffer size to avoid this. - truncArgs Indicates truncated the processes arguments because the buffer size was too small to contain all exec args. Consider increasing buffer size to avoid this. - taskWalk Primarily useful for debugging. Indicates a walked process hierarchy to find a parent process in the Tetragon buffer. This may happen when we did not receive an exec event for the immediate parent of a process. Typically means we are looking at a fork that in turn did another fork we don't currently track fork events exactly and instead push an event with the original parent exec data. This flag can provide this insight into the event if needed. - miss An error flag indicating we could not find parent info in the Tetragon event buffer. If this is set it should be reported to Tetragon developers for debugging. Tetragon will do its best to recover information about the process from available kernel data structures instead of using cached info in this case. However, args will not be available. - needsAUID An internal flag for Tetragon to indicate the audit has not yet been resolved. The BPF hooks look at this flag to determine if probing the audit system is necessary. - errorFilename An error flag indicating an error happened while reading the filename. If this is set it should be reported to Tetragon developers for debugging. - errorArgs An error flag indicating an error happened while reading the process args. If this is set it should be reported to Tetragon developers for debugging - needsCWD An internal flag for Tetragon to indicate the current working directory has not yet been resolved. The Tetragon hooks look at this flag to determine if probing the CWD is necessary. - noCWDSupport Indicates that CWD is removed from the event because the buffer size is too small. Consider increasing buffer size to avoid this. - rootCWD Indicates that CWD is the root directory. This is necessary to inform readers the CWD is not in the event buffer and is '/' instead. - errorCWD An error flag indicating an error occurred while reading the CWD of a process. If this is set it should be reported to Tetragon developers for debugging. - clone Indicates the process issued a clone before exec*. This is the general flow to exec* a new process, however its possible to replace the current process with a new process by doing an exec* without a clone. In this case the flag will be omitted and the same PID will be used by the kernel for both the old process and the newly exec'd process. | |
start_time | google.protobuf.Timestamp | Start time of the execution. | |
auid | google.protobuf.UInt32Value | Audit user ID, this ID is assigned to a user upon login and is inherited by every process even when the user's identity changes. For example, by switching user accounts with su - john. | |
pod | Pod | Information about the the Kubernetes Pod where the event originated. | |
docker | string | The 15 first digits of the container ID. | |
parent_exec_id | string | Exec ID of the parent process. | |
refcnt | uint32 | Reference counter from the Tetragon process cache. | |
cap | Capabilities | Set of capabilities that define the permissions the process can execute with. | |
ns | Namespaces | Linux namespaces of the process, disabled by default, can be enabled by the --enable-process-ns flag. | |
tid | google.protobuf.UInt32Value | Thread ID, note that for the thread group leader, tid is equal to pid. | |
process_credentials | ProcessCredentials | Process credentials | |
binary_properties | BinaryProperties | Executed binary properties. This field is only available on ProcessExec events. |
ProcessCredentials
Field | Type | Label | Description |
---|---|---|---|
uid | google.protobuf.UInt32Value | The real user ID | |
gid | google.protobuf.UInt32Value | The real group ID | |
euid | google.protobuf.UInt32Value | The effective user ID | |
egid | google.protobuf.UInt32Value | The effective group ID | |
suid | google.protobuf.UInt32Value | The saved user ID | |
sgid | google.protobuf.UInt32Value | The saved group ID | |
fsuid | google.protobuf.UInt32Value | the filesystem user ID | |
fsgid | google.protobuf.UInt32Value | The filesystem group ID | |
securebits | SecureBitsType | repeated | Secure management flags |
caps | Capabilities | Set of capabilities that define the permissions the process can execute with. | |
user_ns | UserNamespace | User namespace where the UIDs, GIDs and capabilities are relative to. |
ProcessExec
Field | Type | Label | Description |
---|---|---|---|
process | Process | Process that triggered the exec. | |
parent | Process | Immediate parent of the process. | |
ancestors | Process | repeated | Ancestors of the process beyond the immediate parent. |
ProcessExit
Field | Type | Label | Description |
---|---|---|---|
process | Process | Process that triggered the exit. | |
parent | Process | Immediate parent of the process. | |
signal | string | Signal that the process received when it exited, for example SIGKILL or SIGTERM (list all signal names with kill -l ). If there is no signal handler implemented for a specific process, we report the exit status code that can be found in the status field. | |
status | uint32 | Status code on process exit. For example, the status code can indicate if an error was encountered or the program exited successfully. | |
time | google.protobuf.Timestamp | Date and time of the event. |
ProcessKprobe
Field | Type | Label | Description |
---|---|---|---|
process | Process | Process that triggered the kprobe. | |
parent | Process | Immediate parent of the process. | |
function_name | string | Symbol on which the kprobe was attached. | |
args | KprobeArgument | repeated | Arguments definition of the observed kprobe. |
return | KprobeArgument | Return value definition of the observed kprobe. | |
action | KprobeAction | Action performed when the kprobe matched. | |
stack_trace | StackTraceEntry | repeated | Kernel stack trace to the call. |
policy_name | string | Name of the Tracing Policy that created that kprobe. |
ProcessLoader
loader sensor event triggered for loaded binary/library
Field | Type | Label | Description |
---|---|---|---|
process | Process | ||
path | string | ||
buildid | bytes |
ProcessTracepoint
Field | Type | Label | Description |
---|---|---|---|
process | Process | Process that triggered the tracepoint. | |
parent | Process | Immediate parent of the process. | |
subsys | string | Subsystem of the tracepoint. | |
event | string | Event of the subsystem. | |
args | KprobeArgument | repeated | Arguments definition of the observed tracepoint. TODO: once we implement all we want, rename KprobeArgument to GenericArgument |
policy_name | string | Name of the policy that created that tracepoint. | |
action | KprobeAction | Action performed when the tracepoint matched. |
ProcessUprobe
Field | Type | Label | Description |
---|---|---|---|
process | Process | ||
parent | Process | ||
path | string | ||
symbol | string | ||
policy_name | string | Name of the policy that created that uprobe. |
RuntimeHookRequest
RuntimeHookRequest synchronously propagates information to the agent about run-time state.
Field | Type | Label | Description |
---|---|---|---|
createContainer | CreateContainer |
RuntimeHookResponse
StackTraceEntry
Field | Type | Label | Description |
---|---|---|---|
address | uint64 | address is the kernel function address. | |
offset | uint64 | offset is the offset into the native instructions for the function. | |
symbol | string | symbol is the symbol name of the function. |
Test
Field | Type | Label | Description |
---|---|---|---|
arg0 | uint64 | ||
arg1 | uint64 | ||
arg2 | uint64 | ||
arg3 | uint64 |
UserNamespace
Field | Type | Label | Description |
---|---|---|---|
level | google.protobuf.Int32Value | Nested level of the user namespace. Init or host user namespace is at level 0. | |
uid | google.protobuf.UInt32Value | The owner user ID of the namespace | |
gid | google.protobuf.UInt32Value | The owner group ID of the namepace. | |
ns | Namespace | The user namespace details that include the inode number of the namespace. |
HealthStatusResult
Name | Number | Description |
---|---|---|
HEALTH_STATUS_UNDEF | 0 | |
HEALTH_STATUS_RUNNING | 1 | |
HEALTH_STATUS_STOPPED | 2 | |
HEALTH_STATUS_ERROR | 3 |
HealthStatusType
Name | Number | Description |
---|---|---|
HEALTH_STATUS_TYPE_UNDEF | 0 | |
HEALTH_STATUS_TYPE_STATUS | 1 |
KprobeAction
Name | Number | Description |
---|---|---|
KPROBE_ACTION_UNKNOWN | 0 | Unknown action |
KPROBE_ACTION_POST | 1 | Post action creates an event (default action). |
KPROBE_ACTION_FOLLOWFD | 2 | Post action creates a mapping between file descriptors and file names. |
KPROBE_ACTION_SIGKILL | 3 | Sigkill action synchronously terminates the process. |
KPROBE_ACTION_UNFOLLOWFD | 4 | Post action removes a mapping between file descriptors and file names. |
KPROBE_ACTION_OVERRIDE | 5 | Override action modifies the return value of the call. |
KPROBE_ACTION_COPYFD | 6 | Post action dupplicates a mapping between file descriptors and file names. |
KPROBE_ACTION_GETURL | 7 | GetURL action issue an HTTP Get request against an URL from userspace. |
KPROBE_ACTION_DNSLOOKUP | 8 | GetURL action issue a DNS lookup against an URL from userspace. |
KPROBE_ACTION_NOPOST | 9 | NoPost action suppresses the transmission of the event to userspace. |
KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. |
KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. |
KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. |
KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. |
TaintedBitsType
Tainted bits to indicate if the kernel was tainted. For further details: https://docs.kernel.org/admin-guide/tainted-kernels.html
Name | Number | Description |
---|---|---|
TAINT_UNSET | 0 | |
TAINT_PROPRIETARY_MODULE | 1 | A proprietary module was loaded. |
TAINT_FORCED_MODULE | 2 | A module was force loaded. |
TAINT_FORCED_UNLOAD_MODULE | 4 | A module was force unloaded. |
TAINT_STAGED_MODULE | 1024 | A staging driver was loaded. |
TAINT_OUT_OF_TREE_MODULE | 4096 | An out of tree module was loaded. |
TAINT_UNSIGNED_MODULE | 8192 | An unsigned module was loaded. Supported only on kernels built with CONFIG_MODULE_SIG option. |
TAINT_KERNEL_LIVE_PATCH_MODULE | 32768 | The kernel has been live patched. |
TAINT_TEST_MODULE | 262144 | Loading a test module. |
tetragon/events.proto
AggregationInfo
AggregationInfo contains information about aggregation results.
Field | Type | Label | Description |
---|---|---|---|
count | uint64 | Total count of events in this aggregation time window. |
AggregationOptions
AggregationOptions defines configuration options for aggregating events.
Field | Type | Label | Description |
---|---|---|---|
window_size | google.protobuf.Duration | Aggregation window size. Defaults to 15 seconds if this field is not set. | |
channel_buffer_size | uint64 | Size of the buffer for the aggregator to receive incoming events. If the buffer becomes full, the aggregator will log a warning and start dropping incoming events. |
FieldFilter
Field | Type | Label | Description |
---|---|---|---|
event_set | EventType | repeated | Event types to filter or undefined to filter over all event types. |
fields | google.protobuf.FieldMask | Fields to include or exclude. | |
action | FieldFilterAction | Whether to include or exclude fields. | |
invert_event_set | google.protobuf.BoolValue | Whether or not the event set filter should be inverted. |
Filter
Field | Type | Label | Description |
---|---|---|---|
binary_regex | string | repeated | |
namespace | string | repeated | |
health_check | google.protobuf.BoolValue | ||
pid | uint32 | repeated | |
pid_set | uint32 | repeated | Filter by the PID of a process and any of its descendants. Note that this filter is intended for testing and development purposes only and should not be used in production. In particular, PID cycling in the OS over longer periods of time may cause unexpected events to pass this filter. |
event_set | EventType | repeated | |
pod_regex | string | repeated | Filter by process.pod.name field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
arguments_regex | string | repeated | Filter by process.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
labels | string | repeated | Filter events by pod labels using Kubernetes label selector syntax: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Note that this filter never matches events without the pod field (i.e. host process events). |
GetEventsRequest
Field | Type | Label | Description |
---|---|---|---|
allow_list | Filter | repeated | allow_list specifies a list of filters to apply to only return certain events. If multiple filters are specified, at least one of them has to match for an event to be included in the results. |
deny_list | Filter | repeated | deny_list specifies a list of filters to apply to exclude certain events from the results. If multiple filters are specified, at least one of them has to match for an event to be excluded. If both allow_list and deny_list are specified, the results contain the set difference allow_list - deny_list. |
aggregation_options | AggregationOptions | aggregation_options configures aggregation options for this request. If this field is not set, responses will not be aggregated. Note that currently only process_accept and process_connect events are aggregated. Other events remain unaggregated. | |
field_filters | FieldFilter | repeated | Fields to include or exclude for events in the GetEventsResponse. Omitting this field implies that all fields will be included. Exclusion always takes precedence over inclusion in the case of conflicts. |
GetEventsResponse
Field | Type | Label | Description |
---|---|---|---|
process_exec | ProcessExec | ProcessExec event includes information about the execution of binaries and other related process metadata. | |
process_exit | ProcessExit | ProcessExit event indicates how and when a process terminates. | |
process_kprobe | ProcessKprobe | ProcessKprobe event contains information about the pre-defined functions and the process that invoked them. | |
process_tracepoint | ProcessTracepoint | ProcessTracepoint contains information about the pre-defined tracepoint and the process that invoked them. | |
process_loader | ProcessLoader | ||
process_uprobe | ProcessUprobe | ||
test | Test | ||
rate_limit_info | RateLimitInfo | ||
node_name | string | Name of the node where this event was observed. | |
time | google.protobuf.Timestamp | Timestamp at which this event was observed. For an aggregated response, this field to set to the timestamp at which the event was observed for the first time in a given aggregation time window. | |
aggregation_info | AggregationInfo | aggregation_info contains information about aggregation results. This field is set only for aggregated responses. |
RateLimitInfo
Field | Type | Label | Description |
---|---|---|---|
number_of_dropped_process_events | uint64 |
EventType
Represents the type of a Tetragon event.
NOTE: EventType constants must be in sync with the numbers used in the GetEventsResponse event oneof.
Name | Number | Description |
---|---|---|
UNDEF | 0 | |
PROCESS_EXEC | 1 | |
PROCESS_EXIT | 5 | |
PROCESS_KPROBE | 9 | |
PROCESS_TRACEPOINT | 10 | |
PROCESS_LOADER | 11 | |
PROCESS_UPROBE | 12 | |
TEST | 40000 | |
RATE_LIMIT_INFO | 40001 |
FieldFilterAction
Determins the behaviour of a field filter
Name | Number | Description |
---|---|---|
INCLUDE | 0 | |
EXCLUDE | 1 |
tetragon/stack.proto
StackAddress
Field | Type | Label | Description |
---|---|---|---|
address | uint64 | ||
symbol | string |
StackTrace
Field | Type | Label | Description |
---|---|---|---|
addresses | StackAddress | repeated |
StackTraceLabel
Field | Type | Label | Description |
---|---|---|---|
key | string | ||
count | uint64 |
StackTraceNode
Field | Type | Label | Description |
---|---|---|---|
address | StackAddress | ||
count | uint64 | ||
labels | StackTraceLabel | repeated | |
children | StackTraceNode | repeated |
tetragon/sensors.proto
AddTracingPolicyRequest
Field | Type | Label | Description |
---|---|---|---|
yaml | string |
AddTracingPolicyResponse
DeleteTracingPolicyRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
DeleteTracingPolicyResponse
DisableSensorRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
DisableSensorResponse
DisableTracingPolicyRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
DisableTracingPolicyResponse
EnableSensorRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
EnableSensorResponse
EnableTracingPolicyRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
EnableTracingPolicyResponse
GetStackTraceTreeRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
GetStackTraceTreeResponse
Field | Type | Label | Description |
---|---|---|---|
root | StackTraceNode |
GetVersionRequest
GetVersionResponse
Field | Type | Label | Description |
---|---|---|---|
version | string |
ListSensorsRequest
ListSensorsResponse
Field | Type | Label | Description |
---|---|---|---|
sensors | SensorStatus | repeated |
ListTracingPoliciesRequest
ListTracingPoliciesResponse
Field | Type | Label | Description |
---|---|---|---|
policies | TracingPolicyStatus | repeated |
RemoveSensorRequest
Field | Type | Label | Description |
---|---|---|---|
name | string |
RemoveSensorResponse
SensorStatus
Field | Type | Label | Description |
---|---|---|---|
name | string | name is the name of the sensor | |
enabled | bool | enabled marks whether the sensor is enabled | |
collection | string | collection is the collection the sensor belongs to (typically a tracing policy) |
TracingPolicyStatus
Field | Type | Label | Description |
---|---|---|---|
id | uint64 | id is the id of the policy | |
name | string | name is the name of the policy | |
namespace | string | namespace is the namespace of the policy (or empty of the policy is global) | |
info | string | info is additional information about the policy | |
sensors | string | repeated | sensors loaded in the scope of this policy |
enabled | bool | indicating if the policy is enabled | |
filter_id | uint64 | filter ID of the policy used for k8s filtering | |
error | string | potential error of the policy |
FineGuidanceSensors
Method Name | Request Type | Response Type | Description |
---|---|---|---|
GetEvents | GetEventsRequest | GetEventsResponse stream | |
GetHealth | GetHealthStatusRequest | GetHealthStatusResponse | |
AddTracingPolicy | AddTracingPolicyRequest | AddTracingPolicyResponse | |
DeleteTracingPolicy | DeleteTracingPolicyRequest | DeleteTracingPolicyResponse | |
RemoveSensor | RemoveSensorRequest | RemoveSensorResponse | |
ListTracingPolicies | ListTracingPoliciesRequest | ListTracingPoliciesResponse | |
EnableTracingPolicy | EnableTracingPolicyRequest | EnableTracingPolicyResponse | |
DisableTracingPolicy | DisableTracingPolicyRequest | DisableTracingPolicyResponse | |
ListSensors | ListSensorsRequest | ListSensorsResponse | |
EnableSensor | EnableSensorRequest | EnableSensorResponse | |
DisableSensor | DisableSensorRequest | DisableSensorResponse | |
GetStackTraceTree | GetStackTraceTreeRequest | GetStackTraceTreeResponse | |
GetVersion | GetVersionRequest | GetVersionResponse | |
RuntimeHook | RuntimeHookRequest | RuntimeHookResponse |
Scalar Value Types
.proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
---|---|---|---|---|---|---|---|---|
double | double | double | float | float64 | double | float | Float | |
float | float | float | float | float32 | float | float | Float | |
int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
bool | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass | |
string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |