serializers

type AWSIMDSEventSerializer struct {
	// is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions
	IsIMDSv2 bool `json:"is_imds_v2"`
	// SecurityCredentials holds the scrubbed data collected on the security credentials
	SecurityCredentials *AWSSecurityCredentialsSerializer `json:"security_credentials,omitempty"`
}

type AWSSecurityCredentialsSerializer struct {
	// code is the IMDS server code response
	Code string `json:"code"`
	// type is the security credentials type
	Type string `json:"type"`
	// access_key_id is the unique access key ID of the credentials
	AccessKeyID string `json:"access_key_id"`
	// last_updated is the last time the credentials were updated
	LastUpdated string `json:"last_updated"`
	// expiration is the expiration date of the credentials
	Expiration string `json:"expiration"`
}

type AcceptEventSerializer struct {
	// Bound address (if any)
	Addr      IPPortFamilySerializer `json:"addr"`
	Hostnames []string               `json:"hostnames"`
}

type AnomalyDetectionSyscallEventSerializer struct {
	// Name of the syscall that triggered the anomaly detection event
	Syscall string `json:"syscall"`
}

type BPFEventSerializer struct {
	// BPF command
	Cmd string `json:"cmd"`
	// BPF map
	Map *BPFMapSerializer `json:"map,omitempty"`
	// BPF program
	Program *BPFProgramSerializer `json:"program,omitempty"`
}

type BPFMapSerializer struct {
	// Name of the BPF map
	Name string `json:"name,omitempty"`
	// Type of the BPF map
	MapType string `json:"map_type,omitempty"`
}

type BPFProgramSerializer struct {
	// Name of the BPF program
	Name string `json:"name,omitempty"`
	// Hash (sha1) of the BPF program
	Tag string `json:"tag,omitempty"`
	// Type of the BPF program
	ProgramType string `json:"program_type,omitempty"`
	// Attach type of the BPF program
	AttachType string `json:"attach_type,omitempty"`
	// List of helpers used by the BPF program
	Helpers []string `json:"helpers,omitempty"`
}

type BaseEventSerializer struct {
	EventContextSerializer `json:"evt,omitempty"`
	Date                   utils.EasyjsonTime `json:"date,omitempty"`

	*FileEventSerializer        `json:"file,omitempty"`
	*ExitEventSerializer        `json:"exit,omitempty"`
	*ProcessContextSerializer   `json:"process,omitempty"`
	*ContainerContextSerializer `json:"container,omitempty"`
}

type BindEventSerializer struct {
	// Bound address (if any)
	Addr     IPPortFamilySerializer `json:"addr"`
	Protocol string                 `json:"protocol"`
}

type CGroupContextSerializer struct {
	// CGroup ID
	ID string `json:"id,omitempty"`
	// CGroup manager
	Manager string `json:"manager,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
}

type CGroupWriteEventSerializer struct {
	// File pointing to the cgroup
	File *FileSerializer `json:"file,omitempty"`
	// PID of the process added to the cgroup
	Pid uint32 `json:"pid,omitempty"`
}

type CapabilitiesEventSerializer struct {
	// Capabilities that the process attempted to use since it started running
	CapsAttempted []string `json:"caps_attempted,omitempty"`
	// Capabilities that the process successfully used since it started running
	CapsUsed []string `json:"caps_used,omitempty"`
}

type CapsetSerializer struct {
	// Effective Capability set
	CapEffective []string `json:"cap_effective"`
	// Permitted Capability set
	CapPermitted []string `json:"cap_permitted"`
}

type ConnectEventSerializer struct {
	Addr      IPPortFamilySerializer `json:"addr"`
	Hostnames []string               `json:"hostnames"`
	Protocol  string                 `json:"protocol"`
}

type ContainerContextSerializer struct {
	// Container ID
	ID string `json:"id,omitempty"`
	// Creation time of the container
	CreatedAt *utils.EasyjsonTime `json:"created_at,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
}

type CredentialsSerializer struct {
	// User ID
	UID int `json:"uid"`
	// User name
	User string `json:"user,omitempty"`
	// Group ID
	GID int `json:"gid"`
	// Group name
	Group string `json:"group,omitempty"`
	// Effective User ID
	EUID int `json:"euid"`
	// Effective User name
	EUser string `json:"euser,omitempty"`
	// Effective Group ID
	EGID int `json:"egid"`
	// Effective Group name
	EGroup string `json:"egroup,omitempty"`
	// Filesystem User ID
	FSUID int `json:"fsuid"`
	// Filesystem User name
	FSUser string `json:"fsuser,omitempty"`
	// Filesystem Group ID
	FSGID int `json:"fsgid"`
	// Filesystem Group name
	FSGroup string `json:"fsgroup,omitempty"`
	// Login UID
	AUID int `json:"auid"`
	// Effective Capability set
	CapEffective []string `json:"cap_effective"`
	// Permitted Capability set
	CapPermitted []string `json:"cap_permitted"`
}

type DDContextSerializer struct {
	// Span ID used for APM correlation
	SpanID string `json:"span_id,omitempty"`
	// Trace ID used for APM correlation
	TraceID string `json:"trace_id,omitempty"`
}

type DNSEventSerializer struct {
	// id is the unique identifier of the DNS request
	ID uint16 `json:"id"`
	// is_query if true means it's a question, if false is a response
	Query bool `json:"is_query"`
	// question is a DNS question for the DNS request
	Question DNSQuestionSerializer `json:"question"`
	// response is a DNS response for the DNS request
	Response *DNSResponseEventSerializer `json:"response"`
}

type DNSQuestionSerializer struct {
	// class is the class looked up by the DNS question
	Class string `json:"class"`
	// type is a two octet code which specifies the DNS question type
	Type string `json:"type"`
	// name is the queried domain name
	Name string `json:"name"`
	// size is the total DNS request size in bytes
	Size uint16 `json:"size"`
	// count is the total count of questions in the DNS request
	Count uint16 `json:"count"`
}

type DNSResponseEventSerializer struct {
	// RCode is the response code present in the response
	RCode uint8 `json:"code"`
}

type EventContextSerializer struct {
	// Event name
	Name string `json:"name,omitempty"`
	// Event category
	Category string `json:"category,omitempty"`
	// Event outcome
	Outcome string `json:"outcome,omitempty"`
	// True if the event was asynchronous
	Async bool `json:"async,omitempty"`
	// The list of rules that the event matched (only valid in the context of an anomaly)
	MatchedRules []MatchedRuleSerializer `json:"matched_rules,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
	// RuleContext rule context
	RuleContext RuleContext `json:"rule_context,omitempty"`
	// Source of the event
	Source string `json:"source,omitempty"`
}

type EventSerializer struct {
	*BaseEventSerializer
	Signature string `json:"signature,omitempty"`

	*NetworkContextSerializer         `json:"network,omitempty"`
	*DDContextSerializer              `json:"dd,omitempty"`
	*SecurityProfileContextSerializer `json:"security_profile,omitempty"`
	*CGroupContextSerializer          `json:"cgroup,omitempty"`

	*SELinuxEventSerializer       `json:"selinux,omitempty"`
	*BPFEventSerializer           `json:"bpf,omitempty"`
	*MMapEventSerializer          `json:"mmap,omitempty"`
	*MProtectEventSerializer      `json:"mprotect,omitempty"`
	*PTraceEventSerializer        `json:"ptrace,omitempty"`
	*ModuleEventSerializer        `json:"module,omitempty"`
	*SignalEventSerializer        `json:"signal,omitempty"`
	*SpliceEventSerializer        `json:"splice,omitempty"`
	*DNSEventSerializer           `json:"dns,omitempty"`
	*IMDSEventSerializer          `json:"imds,omitempty"`
	*AcceptEventSerializer        `json:"accept,omitempty"`
	*BindEventSerializer          `json:"bind,omitempty"`
	*ConnectEventSerializer       `json:"connect,omitempty"`
	*MountEventSerializer         `json:"mount,omitempty"`
	*SyscallsEventSerializer      `json:"syscalls,omitempty"`
	*UserContextSerializer        `json:"usr,omitempty"`
	*SyscallContextSerializer     `json:"syscall,omitempty"`
	*RawPacketSerializer          `json:"packet,omitempty"`
	*NetworkFlowMonitorSerializer `json:"network_flow_monitor,omitempty"`
	*SysCtlEventSerializer        `json:"sysctl,omitempty"`
	*SetSockOptEventSerializer    `json:"setsockopt,omitempty"`
	*CGroupWriteEventSerializer   `json:"cgroup_write,omitempty"`
	*CapabilitiesEventSerializer  `json:"capabilities,omitempty"`
	*PrCtlEventSerializer         `json:"prctl,omitempty"`
	*SetrlimitEventSerializer     `json:"setrlimit,omitempty"`
}

type EventSerializerPatcher interface {
	PatchEvent(*EventSerializer)
}

type EventStringerWrapper struct {
	Event    interface{} // can be model.Event or events.CustomEvent
	Scrubber *utils.Scrubber
}

type ExitEventSerializer struct {
	// Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
	Cause string `json:"cause"`
	// Exit code of the process or number of the signal that caused the process to terminate
	Code uint32 `json:"code"`
}

type FileEventSerializer struct {
	FileSerializer
	// Target file information
	Destination *FileSerializer `json:"destination,omitempty"`

	// New Mount ID
	NewMountID uint32 `json:"new_mount_id,omitempty"`
	// Device associated with the file
	Device uint32 `json:"device,omitempty"`
	// Filesystem type
	FSType string `json:"fstype,omitempty"`
}

type FileMetadataSerializer struct {
	Size               int64  `json:"size,omitempty"`
	Type               string `json:"type,omitempty"`
	IsExecutable       bool   `json:"is_executable,omitempty"`
	Architecture       string `json:"architecture,omitempty"`
	ABI                string `json:"abi,omitempty"`
	IsUPXPacked        bool   `json:"is_upx_packed,omitempty"`
	Compression        string `json:"compression,omitempty"`
	IsGarbleObfuscated bool   `json:"is_garble_obfuscated,omitempty"`
}

type FileSerializer struct {
	// File path
	Path string `json:"path,omitempty"`
	// File basename
	Name string `json:"name,omitempty"`
	// File extension
	Extension string `json:"extension,omitempty"`
	// Error message from path resolution
	PathResolutionError string `json:"path_resolution_error,omitempty"`
	// File inode number
	Inode *uint64 `json:"inode,omitempty"`
	// File mode
	Mode *uint32 `json:"mode,omitempty"`
	// Indicator of file OverlayFS layer
	InUpperLayer *bool `json:"in_upper_layer,omitempty"`
	// File mount ID
	MountID *uint32 `json:"mount_id,omitempty"`
	// File filesystem name
	Filesystem string `json:"filesystem,omitempty"`
	// File User ID
	UID int64 `json:"uid"`
	// File Group ID
	GID int64 `json:"gid"`
	// File user
	User string `json:"user,omitempty"`
	// File group
	Group string `json:"group,omitempty"`
	// File extended attribute name
	XAttrName string `json:"attribute_name,omitempty"`
	// File extended attribute namespace
	XAttrNamespace string `json:"attribute_namespace,omitempty"`
	// File flags
	Flags []string `json:"flags,omitempty"`
	// File access time
	Atime *utils.EasyjsonTime `json:"access_time,omitempty"`
	// File modified time
	Mtime *utils.EasyjsonTime `json:"modification_time,omitempty"`
	// File change time
	Ctime *utils.EasyjsonTime `json:"change_time,omitempty"`
	// System package name
	PackageName string `json:"package_name,omitempty"`
	// System package version
	PackageVersion string `json:"package_version,omitempty"`
	// System package epoch
	PackageEpoch int `json:"package_epoch,omitempty"`
	// System package release
	PackageRelease string `json:"package_release,omitempty"`
	// System package source version
	PackageSrcVersion string `json:"package_source_version,omitempty"`
	// System package source epoch
	PackageSrcEpoch int `json:"package_source_epoch,omitempty"`
	// System package source release
	PackageSrcRelease string `json:"package_source_release,omitempty"`
	// List of cryptographic hashes of the file
	Hashes []string `json:"hashes,omitempty"`
	// State of the hashes or reason why they weren't computed
	HashState string `json:"hash_state,omitempty"`
	// MountPath path of the mount
	MountPath string `json:"mount_path,omitempty"`
	// MountSource source of the mount
	MountSource string `json:"mount_source,omitempty"`
	// MountOrigin origin of the mount
	MountOrigin string `json:"mount_origin,omitempty"`
	// MountVisible origin of the mount
	MountVisible *bool `json:"mount_visible,omitempty"`
	// MountDetached origin of the mount
	MountDetached *bool `json:"mount_detached,omitempty"`

	FileMetadata *FileMetadataSerializer `json:"metadata,omitempty"`
}

type FlowSerializer struct {
	// l3_protocol is the layer 3 protocol name
	L3Protocol string `json:"l3_protocol"`
	// l4_protocol is the layer 4 protocol name
	L4Protocol string `json:"l4_protocol"`
	// source is the emitter of the network event
	Source IPPortSerializer `json:"source"`
	// destination is the receiver of the network event
	Destination IPPortSerializer `json:"destination"`

	// ingress holds the network statistics for ingress traffic
	Ingress *NetworkStatsSerializer `json:"ingress,omitempty"`
	// egress holds the network statistics for egress traffic
	Egress *NetworkStatsSerializer `json:"egress,omitempty"`
}

type IMDSEventSerializer struct {
	// type is the type of IMDS event
	Type string `json:"type"`
	// cloud_provider is the intended cloud provider of the IMDS event
	CloudProvider string `json:"cloud_provider"`
	// url is the url of the IMDS request
	URL string `json:"url,omitempty"`
	// host is the host of the HTTP protocol
	Host string `json:"host,omitempty"`
	// user_agent is the user agent of the HTTP client
	UserAgent string `json:"user_agent,omitempty"`
	// server is the server header of a response
	Server string `json:"server,omitempty"`

	// AWS holds the AWS specific data parsed from the IMDS event
	AWS *AWSIMDSEventSerializer `json:"aws,omitempty"`
}

type IPPortFamilySerializer struct {
	// Address family
	Family string `json:"family"`
	// IP address
	IP string `json:"ip"`
	// Port number
	Port uint16 `json:"port"`
}

type IPPortSerializer struct {
	// IP address
	IP string `json:"ip"`
	// Port number
	Port uint16 `json:"port"`
}

type K8SSessionContextSerializer struct {
	// Unique identifier of the user session on the host
	K8SSessionID string `json:"k8s_session_id,omitempty"`
	// Username of the Kubernetes "kubectl exec" session
	K8SUsername string `json:"k8s_username,omitempty"`
	// UID of the Kubernetes "kubectl exec" session
	K8SUID string `json:"k8s_uid,omitempty"`
	// Groups of the Kubernetes "kubectl exec" session
	K8SGroups []string `json:"k8s_groups,omitempty"`
	// Extra of the Kubernetes "kubectl exec" session
	K8SExtra map[string][]string `json:"k8s_extra,omitempty"`
}

type LayerSerializer struct {
	Type string `json:"type"`
	gopacket.Layer
}

type MMapEventSerializer struct {
	// memory segment address
	Address string `json:"address"`
	// file offset
	Offset uint64 `json:"offset"`
	// memory segment length
	Len uint64 `json:"length"`
	// memory segment protection
	Protection string `json:"protection"`
	// memory segment flags
	Flags string `json:"flags"`
}

type MProtectEventSerializer struct {
	// memory segment start address
	VMStart string `json:"vm_start"`
	// memory segment end address
	VMEnd string `json:"vm_end"`
	// initial memory segment protection
	VMProtection string `json:"vm_protection"`
	// new memory segment protection
	ReqProtection string `json:"req_protection"`
}

type MatchedRuleSerializer struct {
	// ID of the rule
	ID string `json:"id,omitempty"`
	// Version of the rule
	Version string `json:"version,omitempty"`
	// Tags of the rule
	Tags []string `json:"tags,omitempty"`
	// Name of the policy that introduced the rule
	PolicyName string `json:"policy_name,omitempty"`
	// Version of the policy that introduced the rule
	PolicyVersion string `json:"policy_version,omitempty"`
}

type MatchingSubExpr struct {
	Offset int    `json:"offset"`
	Length int    `json:"length"`
	Value  string `json:"value"`
	Field  string `json:"field,omitempty"`
}

type ModuleEventSerializer struct {
	// module name
	Name string `json:"name"`
	// indicates if a module was loaded from memory, as opposed to a file
	LoadedFromMemory *bool    `json:"loaded_from_memory,omitempty"`
	Argv             []string `json:"argv,omitempty"`
	ArgsTruncated    *bool    `json:"args_truncated,omitempty"`
}

type MountEventSerializer struct {
	// Mount point file information
	MountPoint *FileSerializer `json:"mp,omitempty"`
	// Root file information
	Root *FileSerializer `json:"root,omitempty"`
	// Mount ID of the new mount
	MountID uint32 `json:"mount_id"`
	// Mount ID of the parent mount
	ParentMountID uint32 `json:"parent_mount_id"`
	// Mount ID of the source of a bind mount
	BindSrcMountID uint32 `json:"bind_src_mount_id"`
	// Device associated with the file
	Device uint32 `json:"device"`
	// Filesystem type
	FSType string `json:"fs_type,omitempty"`
	// Mount point path
	MountPointPath string `json:"mountpoint.path,omitempty"`
	// Mount source path
	MountSourcePath string `json:"source.path,omitempty"`
	// Mount point path error
	MountRootPathResolutionError string `json:"mountpoint.path_error,omitempty"`
	// Mount source path error
	MountSourcePathResolutionError string `json:"source.path_error,omitempty"`
	// Mount is not attached to the VFS tree
	Detached bool `json:"detached,omitempty"`
	// Mount is not visible in the VFS tree
	Visible bool `json:"visible,omitempty"`
}

type NetworkContextSerializer struct {
	// device is the network device on which the event was captured
	Device *NetworkDeviceSerializer `json:"device,omitempty"`

	// l3_protocol is the layer 3 protocol name
	L3Protocol string `json:"l3_protocol"`
	// l4_protocol is the layer 4 protocol name
	L4Protocol string `json:"l4_protocol"`
	// source is the emitter of the network event
	Source IPPortSerializer `json:"source"`
	// destination is the receiver of the network event
	Destination IPPortSerializer `json:"destination"`
	// size is the size in bytes of the network event
	Size uint32 `json:"size"`
	// network_direction indicates if the packet was captured on ingress or egress
	NetworkDirection string `json:"network_direction,omitempty"`
	// type is the type of the protocol of the network event
	Type string `json:"type,omitempty"`
}

type NetworkDeviceSerializer struct {
	// netns is the interface ifindex
	NetNS uint32 `json:"netns"`
	// ifindex is the network interface ifindex
	IfIndex uint32 `json:"ifindex"`
	// ifname is the network interface name
	IfName string `json:"ifname"`
}

type NetworkFlowMonitorSerializer struct {
	// device is the network device on which the event was captured
	Device *NetworkDeviceSerializer `json:"device,omitempty"`
	// flows is the list of flows with network statistics that were captured
	Flows []*FlowSerializer `json:"flows,omitempty"`
}

type NetworkStatsSerializer struct {
	// data_size is the total count of bytes sent or received
	DataSize uint64 `json:"data_size,omitempty"`
	// packet_count is the total count of packets sent or received
	PacketCount uint64 `json:"packet_count,omitempty"`
}

type PTraceEventSerializer struct {
	// ptrace request
	Request string `json:"request"`
	// address at which the ptrace request was executed
	Address string `json:"address"`
	// process context of the tracee
	Tracee *ProcessContextSerializer `json:"tracee,omitempty"`
}

type PrCtlEventSerializer struct {
	// PrCtl Option
	Option string `json:"option"`
	// New name of the process
	NewName string `json:"new_name,omitempty"`
	// Name truncated
	IsNameTruncated bool `json:"is_name_truncated,omitempty"`
}

type ProcessContextSerializer struct {
	*ProcessSerializer
	// Parent process
	Parent *ProcessSerializer `json:"parent,omitempty"`
	// Ancestor processes
	Ancestors []*ProcessSerializer `json:"ancestors,omitempty"`
	// Variables values
	Variables Variables `json:"variables,omitempty"`
	// True if the ancestors list was truncated because it was too big
	TruncatedAncestors bool `json:"truncated_ancestors,omitempty"`
}

type ProcessCredentialsSerializer struct {
	*CredentialsSerializer
	// Credentials after the operation
	Destination interface{} `json:"destination,omitempty"`
}

type ProcessSerializer struct {
	// Process ID
	Pid uint32 `json:"pid,omitempty"`
	// Parent Process ID
	PPid *uint32 `json:"ppid,omitempty"`
	// Thread ID
	Tid uint32 `json:"tid,omitempty"`
	// User ID
	UID int `json:"uid"`
	// Group ID
	GID int `json:"gid"`
	// User name
	User string `json:"user,omitempty"`
	// Group name
	Group string `json:"group,omitempty"`
	// Description of an error in the path resolution
	PathResolutionError string `json:"path_resolution_error,omitempty"`
	// Command name
	Comm string `json:"comm,omitempty"`
	// TTY associated with the process
	TTY string `json:"tty,omitempty"`
	// Fork time of the process
	ForkTime *utils.EasyjsonTime `json:"fork_time,omitempty"`
	// Exec time of the process
	ExecTime *utils.EasyjsonTime `json:"exec_time,omitempty"`
	// Exit time of the process
	ExitTime *utils.EasyjsonTime `json:"exit_time,omitempty"`
	// Credentials associated with the process
	Credentials *ProcessCredentialsSerializer `json:"credentials,omitempty"`
	// CapsAttempted lists the capabilities that this process tried to use
	CapsAttempted []string `json:"caps_attempted,omitempty"`
	// CapsUsed lists the capabilities that this process effectively made use of
	CapsUsed []string `json:"caps_used,omitempty"`
	// Context of the user session for this event
	UserSession *UserSessionContextSerializer `json:"user_session,omitempty"`
	// File information of the executable
	Executable *FileSerializer `json:"executable,omitempty"`
	// File information of the interpreter
	Interpreter *FileSerializer `json:"interpreter,omitempty"`
	// CGroup context
	CGroup *CGroupContextSerializer `json:"cgroup,omitempty"`
	// Container context
	Container *ContainerContextSerializer `json:"container,omitempty"`
	// First command line argument
	Argv0 string `json:"argv0,omitempty"`
	// Command line arguments
	Args []string `json:"args,omitempty"`
	// Indicator of arguments truncation
	ArgsTruncated bool `json:"args_truncated,omitempty"`
	// Environment variables of the process
	Envs []string `json:"envs,omitempty"`
	// Indicator of environments variable truncation
	EnvsTruncated bool `json:"envs_truncated,omitempty"`
	// Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)
	IsThread bool `json:"is_thread,omitempty"`
	// Indicates whether the process is a kworker
	IsKworker bool `json:"is_kworker,omitempty"`
	// Indicates whether the process is an exec following another exec
	IsExecExec bool `json:"is_exec_child,omitempty"`
	// Process source
	Source string `json:"source,omitempty"`
	// List of syscalls captured to generate the event
	Syscalls *SyscallsEventSerializer `json:"syscalls,omitempty"`
	// List of AWS Security Credentials that the process had access to
	AWSSecurityCredentials []*AWSSecurityCredentialsSerializer `json:"aws_security_credentials,omitempty"`
}

type RawPacketSerializer struct {
	*NetworkContextSerializer

	TLSContext *TLSContextSerializer `json:"tls,omitempty"`
	Dropped    *bool                 `json:"dropped,omitempty"`
	Layers     []*LayerSerializer    `json:"layers,omitempty"`
}

type RuleContext struct {
	MatchingSubExprs []MatchingSubExpr `json:"matching_subexprs,omitempty"`
	Expression       string            `json:"expression,omitempty"`
}

type SELinuxBoolChangeSerializer struct {
	// SELinux boolean name
	Name string `json:"name,omitempty"`
	// SELinux boolean state ('on' or 'off')
	State string `json:"state,omitempty"`
}

type SELinuxBoolCommitSerializer struct {
	// SELinux boolean commit operation
	State bool `json:"state,omitempty"`
}

type SELinuxEnforceStatusSerializer struct {
	// SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')
	Status string `json:"status,omitempty"`
}

type SELinuxEventSerializer struct {
	// SELinux boolean operation
	BoolChange *SELinuxBoolChangeSerializer `json:"bool,omitempty"`
	// SELinux enforcement change
	EnforceStatus *SELinuxEnforceStatusSerializer `json:"enforce,omitempty"`
	// SELinux boolean commit
	BoolCommit *SELinuxBoolCommitSerializer `json:"bool_commit,omitempty"`
}

type SSHSessionContextSerializer struct {
	// Unique identifier of the SSH session
	SSHSessionID string `json:"ssh_session_id,omitempty"`
	// Port of the SSH session
	SSHClientPort int `json:"ssh_client_port,omitempty"`
	// Client IP of the SSH session
	SSHClientIP string `json:"ssh_client_ip,omitempty"`
	// Authentication method of the SSH session
	SSHAuthMethod string `json:"ssh_auth_method,omitempty"`
	// Public key of the SSH session
	SSHPublicKey string `json:"ssh_public_key,omitempty"`
}

type SecurityProfileContextSerializer struct {
	// Name of the security profile
	Name string `json:"name"`
	// Version of the profile in use
	Version string `json:"version"`
	// List of tags associated to this profile
	Tags []string `json:"tags"`
	// True if the corresponding event is part of this profile
	EventInProfile bool `json:"event_in_profile"`
	// State of the event type in this profile
	EventTypeState string `json:"event_type_state"`
}

type SetSockOptEventSerializer struct {
	// Socket file descriptor
	SocketType string `json:"socket_type"`
	// Socket family
	SocketFamily string `json:"socket_family"`
	// Length of the filter
	FilterLen uint16 `json:"filter_len,omitempty"`
	// Socket protocol
	SocketProtocol string `json:"socket_protocol"`

	// Level at which the option is defined
	Level string `json:"level"`
	// Name of the option being set
	OptName string `json:"optname"`
	// Filter truncated
	IsFilterTruncated bool `json:"is_filter_truncated,omitempty"`
	// Filter instructions
	FilterInstructions string `json:"filter,omitempty"`
	//Filter hash
	FilterHash string `json:"filter_hash,omitempty"`
}

type SetgidSerializer struct {
	// Group ID
	GID int `json:"gid"`
	// Group name
	Group string `json:"group,omitempty"`
	// Effective Group ID
	EGID int `json:"egid"`
	// Effective Group name
	EGroup string `json:"egroup,omitempty"`
	// Filesystem Group ID
	FSGID int `json:"fsgid"`
	// Filesystem Group name
	FSGroup string `json:"fsgroup,omitempty"`
}

type SetrlimitEventSerializer struct {
	// Resource being limited
	Resource string `json:"resource"`
	// Current limit
	Current uint64 `json:"rlim_cur"`
	// Maximum limit
	Max uint64 `json:"rlim_max"`
	// process context of the setrlimit target
	Target *ProcessContextSerializer `json:"target,omitempty"`
}

type SetuidSerializer struct {
	// User ID
	UID int `json:"uid"`
	// User name
	User string `json:"user,omitempty"`
	// Effective User ID
	EUID int `json:"euid"`
	// Effective User name
	EUser string `json:"euser,omitempty"`
	// Filesystem User ID
	FSUID int `json:"fsuid"`
	// Filesystem User name
	FSUser string `json:"fsuser,omitempty"`
}

type SignalEventSerializer struct {
	// signal type
	Type string `json:"type"`
	// signal target pid
	PID uint32 `json:"pid"`
	// process context of the signal target
	Target *ProcessContextSerializer `json:"target,omitempty"`
}

type SpliceEventSerializer struct {
	// Entry flag of the fd_out pipe passed to the splice syscall
	PipeEntryFlag string `json:"pipe_entry_flag"`
	// Exit flag of the fd_out pipe passed to the splice syscall
	PipeExitFlag string `json:"pipe_exit_flag"`
}

type SysCtlEventSerializer struct {
	// Proc contains the /proc system control parameters and their values
	Proc map[string]interface{} `json:"proc,omitempty"`
	// action performed on the system control parameter
	Action string `json:"action,omitempty"`
	// file_position is the position in the sysctl control parameter file at which the action occurred
	FilePosition uint32 `json:"file_position,omitempty"`
	// name is the name of the system control parameter
	Name string `json:"name,omitempty"`
	// name_truncated indicates if the name field is truncated
	NameTruncated bool `json:"name_truncated,omitempty"`
	// value is the new and/or current value for the system control parameter depending on the action type
	Value string `json:"value,omitempty"`
	// value_truncated indicates if the value field is truncated
	ValueTruncated bool `json:"value_truncated,omitempty"`
	// old_value is the old value of the system control parameter
	OldValue string `json:"old_value,omitempty"`
	// old_value_truncated indicates if the old_value field is truncated
	OldValueTruncated bool `json:"old_value_truncated,omitempty"`
}

type SyscallArgsSerializer struct {
	// Path argument
	Path *string `json:"path,omitempty"`
	// Flags argument
	Flags *int `json:"flags,omitempty"`
	// Mode argument
	Mode *int `json:"mode,omitempty"`
	// UID argument
	UID *int `json:"uid,omitempty"`
	// GID argument
	GID *int `json:"gid,omitempty"`
	// Directory file descriptor argument
	DirFd *int `json:"dirfd,omitempty"`
	// Destination path argument
	DestinationPath *string `json:"destination_path,omitempty"`
	// File system type argument
	FSType *string `json:"fs_type,omitempty"`
}

type SyscallContextSerializer struct {
	Chmod      *SyscallArgsSerializer `json:"chmod,omitempty"`
	Chown      *SyscallArgsSerializer `json:"chown,omitempty"`
	Chdir      *SyscallArgsSerializer `json:"chdir,omitempty"`
	Exec       *SyscallArgsSerializer `json:"exec,omitempty"`
	Open       *SyscallArgsSerializer `json:"open,omitempty"`
	Unlink     *SyscallArgsSerializer `json:"unlink,omitempty"`
	Link       *SyscallArgsSerializer `json:"link,omitempty"`
	Rename     *SyscallArgsSerializer `json:"rename,omitempty"`
	Utimes     *SyscallArgsSerializer `json:"utimes,omitempty"`
	Mount      *SyscallArgsSerializer `json:"mount,omitempty"`
	Mkdir      *SyscallArgsSerializer `json:"mkdir,omitempty"`
	Rmdir      *SyscallArgsSerializer `json:"rmdir,omitempty"`
	SetSockOpt *SyscallArgsSerializer `json:"setsockopt,omitempty"`
	PrCtl      *SyscallArgsSerializer `json:"prctl,omitempty"`
}

type SyscallSerializer struct {
	// Name of the syscall
	Name string `json:"name"`
	// ID of the syscall in the host architecture
	ID int `json:"id"`
}

type SyscallsEventSerializer []SyscallSerializer

type TLSContextSerializer struct {
	Version string `json:"version,omitempty"`
}

type UserContextSerializer struct {
	// User name
	User string `json:"id,omitempty"`
	// Group name
	Group string `json:"group,omitempty"`
}

type UserSessionContextSerializer struct {
	// Type of the user session
	SessionType string `json:"session_type,omitempty"`
	// Unique identifier of the user session on the host
	ID string `json:"id,omitempty"`
	// Identity of the user session
	Identity string `json:"identity,omitempty"`
	K8SSessionContextSerializer
	SSHSessionContextSerializer
}

type Variables map[string]interface{}