Class: Vivarium::Event

Inherits:
Struct
  • Object
Defined in:
lib/vivarium.rb


Instance Attribute Details

#event_name ⇒ Object

Returns the value of attribute event_name

Returns:

  • (Object)

    the current value of event_name



# File 'lib/vivarium.rb', line 86

# Member reader for +event_name+ (the class is a Struct, see "Inherits").
#
# @return [Object] the current value of event_name
def event_name
  instance_variable_get(:@event_name)
end

#ktime_ns ⇒ Object

Returns the value of attribute ktime_ns

Returns:

  • (Object)

    the current value of ktime_ns



# File 'lib/vivarium.rb', line 86

# Member reader for +ktime_ns+ (the class is a Struct, see "Inherits").
#
# @return [Object] the current value of ktime_ns
def ktime_ns
  instance_variable_get(:@ktime_ns)
end

#payload ⇒ Object

Returns the value of attribute payload

Returns:

  • (Object)

    the current value of payload



# File 'lib/vivarium.rb', line 86

# Member reader for +payload+ (the class is a Struct, see "Inherits").
#
# @return [Object] the current value of payload
def payload
  instance_variable_get(:@payload)
end

#pid ⇒ Object

Returns the value of attribute pid

Returns:

  • (Object)

    the current value of pid



# File 'lib/vivarium.rb', line 86

# Member reader for +pid+ (the class is a Struct, see "Inherits").
#
# @return [Object] the current value of pid
def pid
  instance_variable_get(:@pid)
end

Class Method Details

.c_string(bytes) ⇒ Object



# File 'lib/vivarium.rb', line 118

# Interprets +bytes+ as a NUL-terminated C string: everything before the
# first 0x00 byte is returned, the terminator and anything after it is
# dropped. Input without a NUL is returned whole; +nil+ becomes +""+.
#
# The result is always a fresh, binary-encoded (ASCII-8BIT) String, so
# callers that want to display it as text must pick an encoding themselves.
#
# @param bytes [String, nil] fixed-width field copied out of an event record
# @return [String] the bytes up to (not including) the first NUL
def self.c_string(bytes)
  buffer = bytes.to_s.b
  # partition returns [before, separator, after]; with no NUL present the
  # first element is the whole buffer, and an empty buffer yields "".
  head, _separator, _tail = buffer.partition("\x00")
  head
end

.from_binary(raw) ⇒ Object



# File 'lib/vivarium.rb', line 95

# Decodes one fixed-layout event record into an Event.
#
# Field offsets and sizes come from the EVENT_* constants defined elsewhere
# in lib/vivarium.rb. Records shorter than EVENT_STRUCT_SIZE are right-padded
# with NUL bytes before slicing, so a truncated record decodes to zero /
# empty fields rather than raising; bytes beyond the last fixed slice are
# never read, so over-long input is silently ignored.
#
# +event_name+ is always NUL-trimmed. +payload+ is NUL-trimmed only for
# event types that are not in the binary-payload list below; for those
# listed, the payload slice is handed back untouched and may contain NUL
# bytes and arbitrary non-text data — consumers should treat it as binary.
#
# NOTE(review): "Q<" consumes 8 bytes and "L<" 4; if a slice is shorter than
# that (e.g. EVENT_TS_SIZE != 8) unpack1 returns nil rather than raising —
# confirm the constants match the pack formats. The pid width is hard-coded
# as 4 while the other fields use constants.
#
# @param raw [String, nil] raw record bytes (any encoding; reinterpreted as binary)
# @return [Event] the decoded event
def self.from_binary(raw)
  record = raw.to_s.b.ljust(EVENT_STRUCT_SIZE, "\x00")

  event_name = c_string(record[EVENT_NAME_OFFSET, EVENT_NAME_SIZE])

  # Event types whose payload is structured binary, not a C string.
  binary_payload_events = %w[
    dns_req sock_connect odd_socket proc_exec
    file_symlink file_hardlink file_rename file_chmod file_getdents
    ptrace_check sb_mount kernel_read_file task_kill
    setid_change capable_check bprm_creds
  ]

  payload = record[EVENT_PAYLOAD_OFFSET, EVENT_PAYLOAD_SIZE]
  payload = c_string(payload) unless binary_payload_events.include?(event_name)

  new(
    ktime_ns: record[EVENT_TS_OFFSET, EVENT_TS_SIZE].unpack1("Q<"),
    pid: record[EVENT_PID_OFFSET, 4].unpack1("L<"),
    event_name: event_name,
    payload: payload
  )
end

Instance Method Details

#empty? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/vivarium.rb', line 87

# True when every member is at its "zero" value: both integer fields coerce
# to 0 (so +nil+ counts as zero) and both string fields coerce to "".
# This is what a fully NUL-padded record decodes to.
#
# @return [Boolean]
def empty?
  return false unless ktime_ns.to_i.zero?
  return false unless pid.to_i.zero?

  event_name.to_s.empty? && payload.to_s.empty?
end

#severity ⇒ Object



# File 'lib/vivarium.rb', line 91

# Severity of this event, looked up by name via Vivarium.event_severity
# (defined elsewhere in the module).
#
# @return [Object] whatever Vivarium.event_severity returns for event_name
def severity
  name = event_name
  Vivarium.event_severity(name)
end