{
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"$id": "https://stella-ops.io/schemas/runtime-evidence/v1.json",
|
|
"title": "Runtime Evidence Record",
|
|
"description": "Unified schema for syscall-level and symbol-level runtime evidence collected via eBPF probes.",
|
|
"type": "object",
|
|
"required": ["ts_ns", "src", "pid", "comm", "event"],
|
|
"properties": {
|
|
"ts_ns": {
|
|
"type": "integer",
|
|
"description": "Timestamp in nanoseconds since boot (monotonic clock)",
|
|
"minimum": 0
|
|
},
|
|
"src": {
|
|
"type": "string",
|
|
"description": "Event source identifier (probe name)",
|
|
"examples": [
|
|
"sys_enter_openat",
|
|
"sched_process_exec",
|
|
"inet_sock_set_state",
|
|
"uprobe:connect",
|
|
"uprobe:SSL_read",
|
|
"uprobe:function_entry"
|
|
]
|
|
},
|
|
"pid": {
|
|
"type": "integer",
|
|
"description": "Process ID",
|
|
"minimum": 1
|
|
},
|
|
"tid": {
|
|
"type": "integer",
|
|
"description": "Thread ID",
|
|
"minimum": 1
|
|
},
|
|
"cgroup_id": {
|
|
"type": "integer",
|
|
"description": "Cgroup ID for container identification",
|
|
"minimum": 0
|
|
},
|
|
"container_id": {
|
|
"type": "string",
|
|
"description": "Container ID prefixed with the container runtime name (enriched post-collection)",
|
|
"pattern": "^(containerd|docker|cri-o|podman)://[a-f0-9]{64}$",
|
|
"examples": ["containerd://abc123def456..."]
|
|
},
|
|
"image_digest": {
|
|
"type": "string",
|
|
"description": "Image digest (enriched post-collection)",
|
|
"pattern": "^sha256:[a-f0-9]{64}$"
|
|
},
|
|
"comm": {
|
|
"type": "string",
|
|
"description": "Process command name (comm), at most 16 characters",
|
|
"maxLength": 16
|
|
},
|
|
"event": {
|
|
"description": "Event-specific data",
|
|
"oneOf": [
|
|
{ "$ref": "#/$defs/file_open" },
|
|
{ "$ref": "#/$defs/process_exec" },
|
|
{ "$ref": "#/$defs/tcp_state" },
|
|
{ "$ref": "#/$defs/net_connect" },
|
|
{ "$ref": "#/$defs/ssl_op" },
|
|
{ "$ref": "#/$defs/function_call" }
|
|
]
|
|
}
|
|
},
|
|
"$defs": {
|
|
"file_open": {
|
|
"type": "object",
|
|
"description": "File open event (sys_enter_openat tracepoint)",
|
|
"required": ["type", "path"],
|
|
"properties": {
|
|
"type": { "const": "file_open" },
|
|
"path": {
|
|
"type": "string",
|
|
"description": "Opened file path"
|
|
},
|
|
"flags": {
|
|
"type": "integer",
|
|
"description": "Open flags (O_RDONLY=0, O_WRONLY=1, O_RDWR=2, etc.)"
|
|
},
|
|
"access": {
|
|
"type": "string",
|
|
"description": "Human-readable access mode",
|
|
"enum": ["read", "write", "read_write", "unknown"]
|
|
},
|
|
"dfd": {
|
|
"type": "integer",
|
|
"description": "Directory file descriptor (-100 = AT_FDCWD)"
|
|
},
|
|
"mode": {
|
|
"type": "integer",
|
|
"description": "File mode applied when O_CREAT is set",
|
|
"minimum": 0,
|
|
"maximum": 4095
|
|
}
|
|
}
|
|
},
|
|
"process_exec": {
|
|
"type": "object",
|
|
"description": "Process execution event (sched_process_exec tracepoint)",
|
|
"required": ["type", "filename"],
|
|
"properties": {
|
|
"type": { "const": "process_exec" },
|
|
"filename": {
|
|
"type": "string",
|
|
"description": "Executed file path"
|
|
},
|
|
"ppid": {
|
|
"type": "integer",
|
|
"description": "Parent process ID",
|
|
"minimum": 0
|
|
},
|
|
"argv0": {
|
|
"type": "string",
|
|
"description": "First argument (argv[0])"
|
|
}
|
|
}
|
|
},
|
|
"tcp_state": {
|
|
"type": "object",
|
|
"description": "TCP state change event (inet_sock_set_state tracepoint)",
|
|
"required": ["type", "oldstate", "newstate", "daddr", "dport"],
|
|
"properties": {
|
|
"type": { "const": "tcp_state" },
|
|
"oldstate": {
|
|
"type": "string",
|
|
"description": "Previous TCP state",
|
|
"enum": [
|
|
"ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2",
|
|
"TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN",
|
|
"CLOSING", "NEW_SYN_RECV"
|
|
]
|
|
},
|
|
"newstate": {
|
|
"type": "string",
|
|
"description": "New TCP state"
|
|
},
|
|
"daddr": {
|
|
"type": "string",
|
|
"description": "Destination IP address",
|
|
"oneOf": [
|
|
{ "format": "ipv4" },
|
|
{ "format": "ipv6" }
|
|
]
|
|
},
|
|
"dport": {
|
|
"type": "integer",
|
|
"description": "Destination port",
|
|
"minimum": 0,
|
|
"maximum": 65535
|
|
},
|
|
"saddr": {
|
|
"type": "string",
|
|
"description": "Source IP address"
|
|
},
|
|
"sport": {
|
|
"type": "integer",
|
|
"description": "Source port",
|
|
"minimum": 0,
|
|
"maximum": 65535
|
|
},
|
|
"family": {
|
|
"type": "string",
|
|
"description": "Address family",
|
|
"enum": ["inet", "inet6"]
|
|
}
|
|
}
|
|
},
|
|
"net_connect": {
|
|
"type": "object",
|
|
"description": "Network connect/accept event (libc uprobes)",
|
|
"required": ["type", "addr", "port"],
|
|
"properties": {
|
|
"type": { "const": "net_connect" },
|
|
"fd": {
|
|
"type": "integer",
|
|
"description": "Socket file descriptor"
|
|
},
|
|
"addr": {
|
|
"type": "string",
|
|
"description": "Remote IP address"
|
|
},
|
|
"port": {
|
|
"type": "integer",
|
|
"description": "Remote port",
|
|
"minimum": 0,
|
|
"maximum": 65535
|
|
},
|
|
"success": {
|
|
"type": "boolean",
|
|
"description": "Whether the operation succeeded"
|
|
},
|
|
"error": {
|
|
"type": "integer",
|
|
"description": "Error code when the operation failed"
|
|
}
|
|
}
|
|
},
|
|
"ssl_op": {
|
|
"type": "object",
|
|
"description": "SSL/TLS operation event (OpenSSL uprobes)",
|
|
"required": ["type", "operation"],
|
|
"properties": {
|
|
"type": { "const": "ssl_op" },
|
|
"operation": {
|
|
"type": "string",
|
|
"description": "Operation type",
|
|
"enum": ["read", "write"]
|
|
},
|
|
"bytes": {
|
|
"type": "integer",
|
|
"description": "Bytes transferred",
|
|
"minimum": 0
|
|
},
|
|
"ssl_ptr": {
|
|
"type": "string",
|
|
"description": "SSL session pointer (hex) for correlation",
|
|
"pattern": "^0x[a-fA-F0-9]+$"
|
|
}
|
|
}
|
|
},
|
|
"function_call": {
|
|
"type": "object",
|
|
"description": "Function call event (generic uprobe)",
|
|
"required": ["type", "addr"],
|
|
"properties": {
|
|
"type": { "const": "function_call" },
|
|
"addr": {
|
|
"type": "string",
|
|
"description": "Function address (hex)",
|
|
"pattern": "^0x[a-fA-F0-9]+$"
|
|
},
|
|
"symbol": {
|
|
"type": "string",
|
|
"description": "Resolved symbol name"
|
|
},
|
|
"library": {
|
|
"type": "string",
|
|
"description": "Library containing the function"
|
|
},
|
|
"runtime": {
|
|
"type": "string",
|
|
"description": "Detected runtime type",
|
|
"enum": ["native", "jvm", "node", "python", "dotnet", "go", "ruby"]
|
|
},
|
|
"stack": {
|
|
"type": "array",
|
|
"description": "Call stack addresses (hex)",
|
|
"items": {
|
|
"type": "string",
|
|
"pattern": "^0x[a-fA-F0-9]+$"
|
|
}
|
|
},
|
|
"node_hash": {
|
|
"type": "string",
|
|
"description": "Canonical node hash for reachability joining",
|
|
"pattern": "^sha256:[a-f0-9]{64}$"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"examples": [
|
|
{
|
|
"ts_ns": 1737890000123456789,
|
|
"src": "sys_enter_openat",
|
|
"pid": 2311,
|
|
"tid": 2311,
|
|
"cgroup_id": 12345,
|
|
"comm": "nginx",
|
|
"event": {
|
|
"type": "file_open",
|
|
"path": "/etc/ssl/certs/ca-bundle.crt",
|
|
"flags": 0,
|
|
"access": "read"
|
|
}
|
|
},
|
|
{
|
|
"ts_ns": 1737890001123456789,
|
|
"src": "inet_sock_set_state",
|
|
"pid": 2311,
|
|
"tid": 2315,
|
|
"cgroup_id": 12345,
|
|
"comm": "nginx",
|
|
"event": {
|
|
"type": "tcp_state",
|
|
"oldstate": "SYN_SENT",
|
|
"newstate": "ESTABLISHED",
|
|
"daddr": "93.184.216.34",
|
|
"dport": 443,
|
|
"family": "inet"
|
|
}
|
|
},
|
|
{
|
|
"ts_ns": 1737890002123456789,
|
|
"src": "uprobe:SSL_write",
|
|
"pid": 2311,
|
|
"tid": 2315,
|
|
"cgroup_id": 12345,
|
|
"comm": "nginx",
|
|
"event": {
|
|
"type": "ssl_op",
|
|
"operation": "write",
|
|
"bytes": 2048,
|
|
"ssl_ptr": "0x7f1234560000"
|
|
}
|
|
}
|
|
]
|
|
}
|