{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Analysis",
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"info",
"initial_namespaces",
"interrupt_table",
"kernel_modules",
"mounts",
"networks",
"os",
"syscall_tables",
"tasks"
],
"properties": {
"block_cgroups": {
"anyOf": [
{
"$ref": "#/definitions/BlockCgroups"
},
{
"type": "null"
}
]
},
"info": {
"$ref": "#/definitions/Info"
},
"initial_namespaces": {
"$ref": "#/definitions/Namespaces"
},
"interrupt_table": {
"type": "array",
"items": {
"$ref": "#/definitions/IdtEntry"
}
},
"kernel_modules": {
"$ref": "#/definitions/KernelModules"
},
"mounts": {
"type": "array",
"items": {
"$ref": "#/definitions/Mount"
}
},
"networks": {
"$ref": "#/definitions/Networks"
},
"os": {
"type": "string",
"enum": [
"Linux"
]
},
"syscall_tables": {
"$ref": "#/definitions/SyscallTables"
},
"tasks": {
"type": "array",
"items": {
"$ref": "#/definitions/Task"
}
}
}
}
],
"required": [
"analysis_info",
"checks"
],
"properties": {
"analysis_info": {
"$ref": "#/definitions/AnalysisInfo"
},
"checks": {
"type": "array",
"items": {
"$ref": "#/definitions/Check"
}
}
},
"definitions": {
"AnalysisInfo": {
"type": "object",
"required": [
"analysis_version",
"tags"
],
"properties": {
"analysis_version": {
"type": "string"
},
"detection_versions": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"tags": {
"type": "object",
"additionalProperties": {
"type": "string"
}
}
}
},
"ArpEntry": {
"type": "object",
"required": [
"dead",
"dev_name",
"dev_type",
"mac",
"probes",
"updated",
"used"
],
"properties": {
"dead": {
"writeOnly": true,
"type": "integer",
"format": "uint8",
"minimum": 0.0
},
"dev_name": {
"type": "string"
},
"dev_type": {
"type": "integer",
"format": "uint8",
"minimum": 0.0
},
"ip": {
"type": [
"string",
"null"
],
"format": "ip"
},
"mac": {
"type": "string"
},
"probes": {
"writeOnly": true,
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"updated": {
"writeOnly": true,
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"used": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
}
}
},
"BlockCgroups": {
"type": "object",
"required": [
"cgroups"
],
"properties": {
"cgroups": {
"type": "array",
"items": {
"$ref": "#/definitions/Cgroup"
}
},
"init_cgroup": {
"anyOf": [
{
"$ref": "#/definitions/Cgroup"
},
{
"type": "null"
}
]
}
}
},
"Cgroup": {
"type": "object",
"required": [
"name"
],
"properties": {
"count": {
"type": [
"integer",
"null"
],
"format": "int32"
},
"id": {
"type": [
"integer",
"null"
],
"format": "int32"
},
"level": {
"type": [
"integer",
"null"
],
"format": "int32"
},
"name": {
"type": "string"
},
"subsystem_name": {
"type": [
"string",
"null"
]
}
}
},
"CgroupNamespace": {
"type": "object",
"required": [
"cgroup_addr"
],
"properties": {
"cgroup_addr": {
"$ref": "#/definitions/VirtualAddress"
},
"task_count": {
"type": [
"integer",
"null"
],
"format": "int32"
},
"user_namespace_addr": {
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
}
}
},
"Check": {
"description": "An issue found in the analysis of a Freta snapshot",
"type": "object",
"required": [
"issue"
],
"properties": {
"addr": {
"description": "Address of the hooked function",
"allOf": [
{
"$ref": "#/definitions/VirtualAddress"
}
]
},
"address": {
"description": "The virtual memory address related to the issue",
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
},
"details": {
"description": "Detailed information about the issue",
"type": [
"string",
"null"
]
},
"disassembly": {
"description": "Disassembly of the hooked function",
"type": "string"
},
"exported_path": {
"description": "Export path",
"type": [
"string",
"null"
]
},
"hook_type": {
"description": "Type of hook",
"type": "string"
},
"issue": {
"description": "Basic information about the issue",
"type": "string"
},
"paths": {
"description": "Paths involved in the issue",
"type": "array",
"items": {
"type": "string"
}
},
"pids": {
"description": "Process IDs involved in the issue",
"type": "array",
"items": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
}
},
"symbol": {
"description": "The symbol related to the issue",
"anyOf": [
{
"$ref": "#/definitions/Symbol"
},
{
"type": "null"
}
]
},
"target_addr": {
"description": "Calculated address of the hook's destination",
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
},
"target_disassembly": {
"description": "Disassembly of the destination of the hooked function",
"type": [
"string",
"null"
]
},
"target_module": {
"description": "Symbol name of the destination of the hooked function, if known",
"anyOf": [
{
"$ref": "#/definitions/Symbol"
},
{
"type": "null"
}
]
}
}
},
"Cred": {
"type": "object",
"required": [
"egid",
"euid",
"gid",
"sgid",
"suid",
"uid"
],
"properties": {
"egid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"euid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"gid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"sgid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"suid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"uid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
}
}
},
"CssSet": {
"type": "array",
"items": {
"$ref": "#/definitions/Cgroup"
}
},
"File": {
"type": "object",
"required": [
"address",
"mode",
"mode_raw",
"offset",
"path"
],
"properties": {
"address": {
"$ref": "#/definitions/VirtualAddress"
},
"fd": {
"type": [
"integer",
"null"
],
"format": "uint",
"minimum": 0.0
},
"fs_type": {
"type": [
"string",
"null"
]
},
"inode": {
"anyOf": [
{
"$ref": "#/definitions/Inode"
},
{
"type": "null"
}
]
},
"mode": {
"type": "array",
"items": {
"$ref": "#/definitions/Mode"
}
},
"mode_raw": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"offset": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"path": {
"type": "string"
}
}
},
"Filter": {
"type": "object",
"required": [
"code",
"jump_false",
"jump_true",
"option"
],
"properties": {
"code": {
"type": "integer",
"format": "uint16",
"minimum": 0.0
},
"jump_false": {
"type": "integer",
"format": "uint8",
"minimum": 0.0
},
"jump_true": {
"type": "integer",
"format": "uint8",
"minimum": 0.0
},
"option": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
}
}
},
"Flags": {
"type": "string",
"enum": [
"READ_ONLY",
"NO_SUID",
"NO_DEV",
"NO_EXEC",
"SYNCHRONOUS",
"REMOUNT",
"ALLOW_MANDITORY_LOCKS",
"DIR_MODS_ARE_SYNCHRONOUS",
"NO_ATIME",
"NO_DIR_ATIME",
"BIND",
"MOVE",
"REC",
"SILENT",
"POSIX_ACL",
"UNBINDABLE",
"PRIVATE",
"SLAVE",
"SHARED",
"REL_ATIME",
"KERN_MOUNT",
"I_VERSION",
"STRICT_ATIME",
"NO_SEC",
"BORN",
"ACTIVE",
"NO_USER",
"__NOT_USED"
]
},
"IdtEntry": {
"type": "object",
"required": [
"addr",
"id"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"id": {
"type": "integer",
"format": "uint",
"minimum": 0.0
},
"name": {
"anyOf": [
{
"$ref": "#/definitions/IdtName"
},
{
"type": "null"
}
]
},
"symbol": {
"anyOf": [
{
"$ref": "#/definitions/Symbol"
},
{
"type": "null"
}
]
}
}
},
"IdtName": {
"type": "string",
"enum": [
"divide_by_zero",
"non_maskable_interrupt",
"breakpoint",
"overflow",
"bound_range_exceeded",
"invalid_opcode",
"device_not_available",
"double_fault",
"coprocessor_segment_overrun",
"invalid_tss",
"segment_not_present",
"general_protection_fault",
"page_fault",
"spurious_interrupt",
"floating_point_exception",
"alignment_check",
"machine_check",
"simd_floating_point_exception",
"iret_exception"
]
},
"Inet": {
"type": "object",
"required": [
"dst_addr",
"dst_port",
"ip_proto",
"socket_family",
"socket_state",
"socket_type",
"src_addr",
"src_port"
],
"properties": {
"dst_addr": {
"type": "string",
"format": "ip"
},
"dst_port": {
"type": "integer",
"format": "uint16",
"minimum": 0.0
},
"ip_proto": {
"$ref": "#/definitions/ip_proto"
},
"socket_family": {
"$ref": "#/definitions/sock_family"
},
"socket_state": {
"$ref": "#/definitions/tcp_states"
},
"socket_type": {
"$ref": "#/definitions/sock_types"
},
"src_addr": {
"type": "string",
"format": "ip"
},
"src_port": {
"type": "integer",
"format": "uint16",
"minimum": 0.0
}
}
},
"Info": {
"type": "object",
"required": [
"banner",
"kernel_aslr_offset",
"kernel_pml4",
"machine",
"memory_info"
],
"properties": {
"banner": {
"type": "string"
},
"kernel_aslr_offset": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"kernel_pml4": {
"$ref": "#/definitions/PhysicalAddress"
},
"machine": {
"$ref": "#/definitions/UtsName"
},
"memory_info": {
"$ref": "#/definitions/MemoryInfo"
}
}
},
"Inode": {
"type": "object",
"required": [
"atime",
"ctime",
"flags",
"gid",
"ino",
"mtime",
"size",
"uid"
],
"properties": {
"atime": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"ctime": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"flags": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"gid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"ino": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"mtime": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"size": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"uid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
}
}
},
"KernelModules": {
"type": "object",
"required": [
"modules",
"notifiers"
],
"properties": {
"modules": {
"type": "array",
"items": {
"$ref": "#/definitions/Module"
}
},
"modules_disabled": {
"type": [
"integer",
"null"
],
"format": "int64"
},
"notifiers": {
"type": "array",
"items": {
"$ref": "#/definitions/ModuleNotifier"
}
}
}
},
"MappedFile": {
"type": "object",
"required": [
"name"
],
"properties": {
"exported_path": {
"default": "",
"type": "string"
},
"name": {
"type": "string"
}
}
},
"MemoryInfo": {
"type": "object",
"required": [
"swap_pages",
"total_swap_pages"
],
"properties": {
"swap_pages": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"total_ram": {
"type": [
"integer",
"null"
],
"format": "uint64",
"minimum": 0.0
},
"total_swap_pages": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
}
}
},
"MntNamespace": {
"type": "object",
"required": [
"addr",
"path",
"root_addr"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"path": {
"type": "string"
},
"root_addr": {
"$ref": "#/definitions/VirtualAddress"
},
"user_namespace_addr": {
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
}
}
},
"Mode": {
"type": "string",
"enum": [
"Read",
"Write",
"Seekable",
"Pread",
"Pwrite",
"Exec",
"Ndelay",
"Excl",
"WriteIoctl",
"Hash32bit",
"Hash64bit",
"Nocmtime",
"Path"
]
},
"Module": {
"type": "object",
"required": [
"addr",
"core_addr",
"core_size",
"init_addr",
"init_size",
"name",
"source",
"srcversion",
"symbols",
"version"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"args": {
"type": [
"string",
"null"
]
},
"core_addr": {
"$ref": "#/definitions/VirtualAddress"
},
"core_artifact_name": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
}
},
"core_size": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"init_addr": {
"$ref": "#/definitions/VirtualAddress"
},
"init_artifact_name": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
}
},
"init_size": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"name": {
"type": "string"
},
"source": {
"type": "array",
"items": {
"$ref": "#/definitions/ModuleSource"
},
"uniqueItems": true
},
"srcversion": {
"type": "string"
},
"symbols": {
"type": "array",
"items": {
"$ref": "#/definitions/ModuleSymbol"
}
},
"version": {
"type": "string"
}
}
},
"ModuleNotifier": {
"type": "object",
"required": [
"callback_address",
"priority"
],
"properties": {
"callback_address": {
"$ref": "#/definitions/VirtualAddress"
},
"priority": {
"type": "integer",
"format": "int64"
},
"symbol": {
"anyOf": [
{
"$ref": "#/definitions/Symbol"
},
{
"type": "null"
}
]
}
}
},
"ModuleSource": {
"type": "string",
"enum": [
"ModulesList",
"BugList",
"SourceList",
"TargetList"
]
},
"ModuleSymbol": {
"type": "object",
"required": [
"addr",
"name"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"name": {
"type": "string"
}
}
},
"Mount": {
"type": "object",
"required": [
"flags",
"mount_type",
"name",
"path"
],
"properties": {
"flags": {
"type": "array",
"items": {
"$ref": "#/definitions/Flags"
}
},
"mount_type": {
"type": "string"
},
"name": {
"type": "string"
},
"path": {
"type": "string"
}
}
},
"Namespaces": {
"type": "object",
"required": [
"addr",
"count"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"cgroup": {
"anyOf": [
{
"$ref": "#/definitions/CgroupNamespace"
},
{
"type": "null"
}
]
},
"count": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"mnt": {
"anyOf": [
{
"$ref": "#/definitions/MntNamespace"
},
{
"type": "null"
}
]
},
"net": {
"anyOf": [
{
"$ref": "#/definitions/NetNamespace"
},
{
"type": "null"
}
]
},
"pid": {
"anyOf": [
{
"$ref": "#/definitions/PidNamespace"
},
{
"type": "null"
}
]
},
"uts": {
"anyOf": [
{
"$ref": "#/definitions/UtsNamespace"
},
{
"type": "null"
}
]
}
}
},
"Net": {
"type": "object",
"required": [
"count"
],
"properties": {
"count": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"loopback_name": {
"type": [
"string",
"null"
]
}
}
},
"NetNamespace": {
"type": "object",
"required": [
"addr"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"count": {
"type": [
"integer",
"null"
],
"format": "uint64",
"minimum": 0.0
},
"user_namespace_addr": {
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
}
}
},
"NetfilterHook": {
"type": "object",
"required": [
"addr",
"hook_type_id",
"protocol_id"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"hook_type": {
"anyOf": [
{
"$ref": "#/definitions/NetfilterInetHook"
},
{
"type": "null"
}
]
},
"hook_type_id": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"protocol": {
"anyOf": [
{
"$ref": "#/definitions/NetfilterProtocol"
},
{
"type": "null"
}
]
},
"protocol_id": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"symbol": {
"anyOf": [
{
"$ref": "#/definitions/Symbol"
},
{
"type": "null"
}
]
}
}
},
"NetfilterInetHook": {
"type": "string",
"enum": [
"NF_INET_PRE_ROUTING",
"NF_INET_LOCAL_IN",
"NF_INET_FORWARD",
"NF_INET_LOCAL_OUT",
"NF_INET_POST_ROUTING",
"NF_INET_INGRESS"
]
},
"NetfilterProtocol": {
"type": "string",
"enum": [
"NFPROTO_UNSPEC",
"NFPROTO_INET",
"NFPROTO_IPV4",
"NFPROTO_ARP",
"NFPROTO_BRIDGE",
"NFPROTO_IPV6",
"NFPROTO_DECNET"
]
},
"Networks": {
"type": "object",
"required": [
"arp_table",
"inet",
"netfilter_hooks",
"nets",
"packet",
"unix"
],
"properties": {
"arp_table": {
"type": "array",
"items": {
"$ref": "#/definitions/ArpEntry"
}
},
"inet": {
"type": "array",
"items": {
"$ref": "#/definitions/Inet"
}
},
"netfilter_hooks": {
"type": "array",
"items": {
"$ref": "#/definitions/NetfilterHook"
}
},
"nets": {
"type": "array",
"items": {
"$ref": "#/definitions/Net"
}
},
"packet": {
"type": "array",
"items": {
"$ref": "#/definitions/Packet"
}
},
"unix": {
"type": "array",
"items": {
"$ref": "#/definitions/Unix"
}
}
}
},
"Packet": {
"type": "object",
"required": [
"socket_type"
],
"properties": {
"original_filter": {
"type": [
"array",
"null"
],
"items": {
"$ref": "#/definitions/Filter"
}
},
"socket_type": {
"$ref": "#/definitions/sock_types"
}
}
},
"PageFlag": {
"description": "VMA flags\n\nNot all available VM flags are represented here, as these change over time. The values extracted have been consistent from kernel 2.6.39 until 6.2.10.\n\nRef: <https://elixir.bootlin.com/linux/v2.6.39.4/source/include/linux/mm.h>\nRef: <https://elixir.bootlin.com/linux/v6.2.10/source/include/linux/mm.h>",
"type": "string",
"enum": [
"Read",
"Write",
"Exec",
"Shared",
"MayRead",
"MayWrite",
"MayExec",
"MayShare",
"Locked",
"Io"
]
},
"PhysicalAddress": {
"description": "Physical Memory Address\n\nA `PhysicalAddress` represents a valid address in a physical memory address space (`PhysicalMemory`). The design intends to reduce the amount of validation required by restricting instances of `PhysicalAddress` to be valid with respect to a specific address space.\n\nConstruction of new `PhysicalAddress` instances can be done by invoking the `PhysicalMemory::address` function.",
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"PidNamespace": {
"type": "object",
"required": [
"addr",
"level"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"hide_pid": {
"type": [
"integer",
"null"
],
"format": "int32"
},
"last_pid": {
"type": [
"integer",
"null"
],
"format": "int32"
},
"level": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"pid_gid": {
"type": [
"integer",
"null"
],
"format": "uint32",
"minimum": 0.0
},
"task_reaper": {
"anyOf": [
{
"$ref": "#/definitions/TaskEntry"
},
{
"type": "null"
}
]
},
"user_namespace_addr": {
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
}
}
},
"ReadlineHistory": {
"type": "array",
"items": {
"$ref": "#/definitions/ReadlineHistoryEntry"
}
},
"ReadlineHistoryEntry": {
"type": "object",
"required": [
"line",
"timestamp"
],
"properties": {
"line": {
"type": "string"
},
"timestamp": {
"type": "string",
"format": "date-time"
}
}
},
"Symbol": {
"description": "Symbol representation",
"oneOf": [
{
"description": "Kernel symbol name",
"type": "object",
"required": [
"Kernel"
],
"properties": {
"Kernel": {
"type": "string"
}
},
"additionalProperties": false
},
{
"description": "Kernel module symbol name",
"type": "object",
"required": [
"Module"
],
"properties": {
"Module": {
"type": "array",
"items": [
{
"type": "string"
},
{
"type": "string"
}
],
"maxItems": 2,
"minItems": 2
}
},
"additionalProperties": false
}
]
},
"Syscall": {
"type": "object",
"required": [
"addr",
"id"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"id": {
"type": "integer",
"format": "uint",
"minimum": 0.0
},
"name": {
"anyOf": [
{
"$ref": "#/definitions/SyscallName"
},
{
"type": "null"
}
]
},
"symbol": {
"anyOf": [
{
"$ref": "#/definitions/Symbol"
},
{
"type": "null"
}
]
}
}
},
"SyscallName": {
"type": "string",
"enum": [
"read",
"write",
"open",
"close",
"stat",
"fstat",
"lstat",
"poll",
"lseek",
"mmap",
"mprotect",
"munmap",
"brk",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"ioctl",
"pread64",
"pwrite64",
"readv",
"writev",
"access",
"pipe",
"select",
"sched_yield",
"mremap",
"msync",
"mincore",
"madvise",
"shmget",
"shmat",
"shmctl",
"dup",
"dup2",
"pause",
"nanosleep",
"getitimer",
"alarm",
"setitimer",
"getpid",
"sendfile",
"socket",
"connect",
"accept",
"sendto",
"recvfrom",
"sendmsg",
"recvmsg",
"shutdown",
"bind",
"listen",
"getsockname",
"getpeername",
"socketpair",
"setsockopt",
"getsockopt",
"clone",
"fork",
"vfork",
"execve",
"exit",
"wait4",
"kill",
"uname",
"semget",
"semop",
"semctl",
"shmdt",
"msgget",
"msgsnd",
"msgrcv",
"msgctl",
"fcntl",
"flock",
"fsync",
"fdatasync",
"truncate",
"ftruncate",
"getdents",
"getcwd",
"chdir",
"fchdir",
"rename",
"mkdir",
"rmdir",
"creat",
"link",
"unlink",
"symlink",
"readlink",
"chmod",
"fchmod",
"chown",
"fchown",
"lchown",
"umask",
"gettimeofday",
"getrlimit",
"getrusage",
"sysinfo",
"times",
"ptrace",
"getuid",
"syslog",
"getgid",
"setuid",
"setgid",
"geteuid",
"getegid",
"setpgid",
"getppid",
"getpgrp",
"setsid",
"setreuid",
"setregid",
"getgroups",
"setgroups",
"setresuid",
"getresuid",
"setresgid",
"getresgid",
"getpgid",
"setfsuid",
"setfsgid",
"getsid",
"capget",
"capset",
"rt_sigpending",
"rt_sigtimedwait",
"rt_sigqueueinfo",
"rt_sigsuspend",
"sigaltstack",
"utime",
"mknod",
"uselib",
"personality",
"ustat",
"statfs",
"fstatfs",
"sysfs",
"getpriority",
"setpriority",
"sched_setparam",
"sched_getparam",
"sched_setscheduler",
"sched_getscheduler",
"sched_get_priority_max",
"sched_get_priority_min",
"sched_rr_get_interval",
"mlock",
"munlock",
"mlockall",
"munlockall",
"vhangup",
"modify_ldt",
"pivot_root",
"_sysctl",
"prctl",
"arch_prctl",
"adjtimex",
"setrlimit",
"chroot",
"sync",
"acct",
"settimeofday",
"mount",
"umount2",
"swapon",
"swapoff",
"reboot",
"sethostname",
"setdomainname",
"iopl",
"ioperm",
"create_module",
"init_module",
"delete_module",
"get_kernel_syms",
"query_module",
"quotactl",
"nfsservctl",
"getpmsg",
"putpmsg",
"afs_syscall",
"tuxcall",
"security",
"gettid",
"readahead",
"setxattr",
"lsetxattr",
"fsetxattr",
"getxattr",
"lgetxattr",
"fgetxattr",
"listxattr",
"llistxattr",
"flistxattr",
"removexattr",
"lremovexattr",
"fremovexattr",
"tkill",
"time",
"futex",
"sched_setaffinity",
"sched_getaffinity",
"set_thread_area",
"io_setup",
"io_destroy",
"io_getevents",
"io_submit",
"io_cancel",
"get_thread_area",
"lookup_dcookie",
"epoll_create",
"epoll_ctl_old",
"epoll_wait_old",
"remap_file_pages",
"getdents64",
"set_tid_address",
"restart_syscall",
"semtimedop",
"fadvise64",
"timer_create",
"timer_settime",
"timer_gettime",
"timer_getoverrun",
"timer_delete",
"clock_settime",
"clock_gettime",
"clock_getres",
"clock_nanosleep",
"exit_group",
"epoll_wait",
"epoll_ctl",
"tgkill",
"utimes",
"vserver",
"mbind",
"set_mempolicy",
"get_mempolicy",
"mq_open",
"mq_unlink",
"mq_timedsend",
"mq_timedreceive",
"mq_notify",
"mq_getsetattr",
"kexec_load",
"waitid",
"add_key",
"request_key",
"keyctl",
"ioprio_set",
"ioprio_get",
"inotify_init",
"inotify_add_watch",
"inotify_rm_watch",
"migrate_pages",
"openat",
"mkdirat",
"mknodat",
"fchownat",
"futimesat",
"newfstatat",
"unlinkat",
"renameat",
"linkat",
"symlinkat",
"readlinkat",
"fchmodat",
"faccessat",
"pselect6",
"ppoll",
"unshare",
"set_robust_list",
"get_robust_list",
"splice",
"tee",
"sync_file_range",
"vmsplice",
"move_pages",
"utimensat",
"epoll_pwait",
"signalfd",
"timerfd_create",
"eventfd",
"fallocate",
"timerfd_settime",
"timerfd_gettime",
"accept4",
"signalfd4",
"eventfd2",
"epoll_create1",
"dup3",
"pipe2",
"inotify_init1",
"preadv",
"pwritev",
"rt_tgsigqueueinfo",
"perf_event_open",
"recvmmsg",
"fanotify_init",
"fanotify_mark",
"prlimit64",
"name_to_handle_at",
"open_by_handle_at",
"clock_adjtime",
"syncfs",
"sendmmsg",
"setns",
"getcpu",
"process_vm_readv",
"process_vm_writev",
"kcmp",
"finit_module",
"sched_setattr",
"sched_getattr",
"renameat2",
"seccomp",
"getrandom",
"memfd_create",
"kexec_file_load",
"bpf",
"execveat",
"userfaultfd",
"membarrier",
"mlock2",
"copy_file_range",
"preadv2",
"pwritev2",
"pkey_mprotect",
"pkey_alloc",
"pkey_free",
"statx",
"io_pgetevents",
"rseq",
"pidfd_send_signal",
"io_uring_setup",
"io_uring_enter",
"io_uring_register",
"open_tree",
"move_mount",
"fsopen",
"fsconfig",
"fsmount",
"fspick",
"pidfd_open",
"clone3"
]
},
"SyscallTables": {
"type": "object",
"required": [
"sys_call_table"
],
"properties": {
"ia32_sys_call_table": {
"type": [
"array",
"null"
],
"items": {
"$ref": "#/definitions/Syscall"
}
},
"sys_call_table": {
"type": "array",
"items": {
"$ref": "#/definitions/Syscall"
}
}
}
},
"Task": {
"type": "object",
"required": [
"addr",
"arg",
"comm",
"cred",
"cwd",
"env",
"files",
"inet_sockets",
"max_fds",
"packet_sockets",
"pid",
"ppid",
"ptrace",
"real_ppid",
"source",
"start_time",
"stime",
"tgid",
"unix_sockets",
"utime"
],
"properties": {
"addr": {
"$ref": "#/definitions/VirtualAddress"
},
"arg": {
"type": "array",
"items": {
"type": "string"
}
},
"comm": {
"type": "string"
},
"cred": {
"$ref": "#/definitions/Cred"
},
"cred_addr": {
"writeOnly": true,
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
},
"css_set": {
"anyOf": [
{
"$ref": "#/definitions/CssSet"
},
{
"type": "null"
}
]
},
"cwd": {
"type": "string"
},
"env": {
"type": "array",
"items": {
"type": "string"
}
},
"exe": {
"anyOf": [
{
"$ref": "#/definitions/File"
},
{
"type": "null"
}
]
},
"files": {
"type": "array",
"items": {
"$ref": "#/definitions/File"
}
},
"inet_sockets": {
"type": "array",
"items": {
"$ref": "#/definitions/Inet"
}
},
"mapped_files": {
"type": [
"array",
"null"
],
"items": {
"$ref": "#/definitions/MappedFile"
}
},
"max_fds": {
"type": "integer",
"format": "uint",
"minimum": 0.0
},
"namespaces": {
"anyOf": [
{
"$ref": "#/definitions/Namespaces"
},
{
"type": "null"
}
]
},
"packet_sockets": {
"type": "array",
"items": {
"$ref": "#/definitions/Packet"
}
},
"pid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"ppid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"ptrace": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"readline_history": {
"anyOf": [
{
"$ref": "#/definitions/ReadlineHistory"
},
{
"type": "null"
}
]
},
"real_cred_addr": {
"writeOnly": true,
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
},
"real_ppid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"real_start_time": {
"type": [
"integer",
"null"
],
"format": "uint64",
"minimum": 0.0
},
"schedule_stats": {
"type": [
"object",
"null"
],
"additionalProperties": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
}
},
"source": {
"type": "array",
"items": {
"$ref": "#/definitions/TaskSource"
},
"uniqueItems": true
},
"start_time": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"stime": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"tgid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"unix_sockets": {
"type": "array",
"items": {
"$ref": "#/definitions/Unix"
}
},
"utime": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"vma": {
"anyOf": [
{
"$ref": "#/definitions/VMA"
},
{
"type": "null"
}
]
}
}
},
"TaskEntry": {
"type": "object",
"required": [
"comm",
"pid"
],
"properties": {
"comm": {
"type": "string"
},
"pid": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
}
}
},
"TaskSource": {
"type": "string",
"enum": [
"TaskList",
"ThreadGroup",
"ThreadNode",
"TaskChildren",
"TaskSibling"
]
},
"Unix": {
"type": "object",
"required": [
"inode",
"reference_count",
"socket_state",
"socket_type"
],
"properties": {
"inode": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"name": {
"type": [
"string",
"null"
]
},
"reference_count": {
"type": "integer",
"format": "uint32",
"minimum": 0.0
},
"socket_state": {
"$ref": "#/definitions/tcp_states"
},
"socket_type": {
"$ref": "#/definitions/sock_types"
}
}
},
"UtsName": {
"type": "object",
"required": [
"domainname",
"machine",
"nodename",
"release",
"sysname",
"version"
],
"properties": {
"domainname": {
"type": "string"
},
"machine": {
"type": "string"
},
"nodename": {
"type": "string"
},
"release": {
"type": "string"
},
"sysname": {
"type": "string"
},
"version": {
"type": "string"
}
}
},
"UtsNamespace": {
"type": "object",
"required": [
"uts_name"
],
"properties": {
"group": {
"type": [
"integer",
"null"
],
"format": "uint64",
"minimum": 0.0
},
"owner": {
"type": [
"integer",
"null"
],
"format": "uint32",
"minimum": 0.0
},
"user_namespace_addr": {
"anyOf": [
{
"$ref": "#/definitions/VirtualAddress"
},
{
"type": "null"
}
]
},
"uts_name": {
"$ref": "#/definitions/UtsName"
}
}
},
"VMA": {
"type": "array",
"items": {
"$ref": "#/definitions/VmaEntry"
}
},
"VirtualAddress": {
"description": "Virtual Memory Address",
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"VmaEntry": {
"type": "object",
"required": [
"flags",
"offset",
"prot",
"raw_flags",
"vm_end",
"vm_start"
],
"properties": {
"filename": {
"type": [
"string",
"null"
]
},
"flags": {
"type": "array",
"items": {
"$ref": "#/definitions/PageFlag"
}
},
"offset": {
"$ref": "#/definitions/VirtualAddress"
},
"prot": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"raw_flags": {
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"vm_end": {
"$ref": "#/definitions/VirtualAddress"
},
"vm_start": {
"$ref": "#/definitions/VirtualAddress"
}
}
},
"ip_proto": {
"type": "string",
"enum": [
"LX_IPPROTO_IP",
"LX_IPPROTO_ICMP",
"LX_IPPROTO_TCP",
"LX_IPPROTO_UDP",
"LX_IPPROTO_ICMPV6",
"LX_IPPROTO_RAW"
]
},
"sock_family": {
"type": "string",
"enum": [
"LX_AF_UNSPEC",
"LX_AF_UNIX",
"LX_AF_INET",
"LX_AF_INET6",
"LX_AF_NETLINK",
"LX_AF_PACKET"
]
},
"sock_types": {
"type": "string",
"enum": [
"LX_SOCK_STREAM",
"LX_SOCK_DGRAM",
"LX_SOCK_RAW",
"LX_SOCK_RDM",
"LX_SOCK_SEQPACKET"
]
},
"tcp_states": {
"type": "string",
"enum": [
"ESTABLISHED",
"SYN_SENT",
"SYN_RECV",
"FIN_WAIT1",
"FIN_WAIT2",
"TIME_WAIT",
"CLOSE",
"CLOSE_WAIT",
"LAST_ACK",
"LISTEN",
"CLOSING",
"NEW_SYN_RECV"
]
}
}
}