BPF-based file open events #7947
Conversation
bpf_file_events addition
bpf_file_events addition
bpf_file_events.cpp addition
bpf_file_events.h addition
| @@ -37,6 +37,7 @@ function(generateOsqueryTablesEventsEventstable) | |||
| list(APPEND source_files | |||
| linux/bpf_process_events.cpp | |||
| linux/bpf_socket_events.cpp | |||
| linux/bpf_file_events.cpp | |||
| * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) | ||
| */ | ||
|
|
||
| #include <osquery/logger/logger.h> |
|
|
||
| REGISTER(BPFFileEventSubscriber, "event_subscriber", "bpf_file_events"); | ||
|
|
||
| std::vector<std::string> monitored_paths; |
There was a problem hiding this comment.
Avoid writable global variables
| configure_filtering(); | ||
| } | ||
|
|
||
| Status BPFFileEventSubscriber::init() { |
There was a problem hiding this comment.
Add a flag to enable/disable this feature; only perform initialization when the flag is enabled
|
|
||
| switch (event.type) { | ||
| case ISystemStateTracker::Event::Type::Open: | ||
| row["syscall"] = TEXT("open"); |
There was a problem hiding this comment.
Remove this column, since its value is always fixed
| bool is_path_matched = false; | ||
|
|
||
| if (!std::holds_alternative<ISystemStateTracker::Event::FileIOData>(event.data)) { | ||
| row["file_path"] = TEXT(""); |
There was a problem hiding this comment.
Do not generate rows if the data is missing
| row["duration"] = INTEGER(event.bpf_header.duration); | ||
| row["uptime"] = TEXT(std::to_string(getUptime())); | ||
|
|
||
| if (!std::holds_alternative<ISystemStateTracker::Event::FileIOData>( |
There was a problem hiding this comment.
This was already evaluated earlier, only check it once. The entire block can be removed
|
|
||
| if (file_io_data.flags.find("O_CREAT") != std::string::npos) | ||
| { | ||
| configure_filtering(); |
There was a problem hiding this comment.
Configuration should only be read once, within the dedicated ::configure() method.
Additionally, triggering a complete path expansion whenever a new file is created is not a good strategy (refer to the comment left on configure_filtering)
|
|
||
| std::vector<std::string> monitored_paths; | ||
|
|
||
| void configure_filtering() { |
There was a problem hiding this comment.
Paths are expanded by the file_events implementation because osquery needs to install inotify watchers. In the case of BPF, this is not needed. Paths should be checked without performing expansion
specs/linux/bpf_file_events.table
Outdated
| @@ -0,0 +1,22 @@ | |||
| table_name("bpf_file_events") | |||
| description("Track network socket opens and closes.") | |||
There was a problem hiding this comment.
Update the table description
| Column("cid", INTEGER, "Cgroup ID"), | ||
| Column("fd", INTEGER, "File descriptor"), | ||
| Column("probe_error", INTEGER, "Set to 1 if one or more buffers could not be captured"), | ||
| Column("syscall", TEXT, "System call name"), |
There was a problem hiding this comment.
Remove this column, since it can only contain the open value
Removed logger.h header. But it seems that it is also present in bpf_process_event and bpf_socket_event. Also, some commented line removed.
Added description for bpf_file_events
| @@ -0,0 +1,22 @@ | |||
| table_name("bpf_file_events") | |||
There was a problem hiding this comment.
As a slight nit, we're trying to move this to putting the variant at the end -- file_events_bpf
To submit a PR please make sure to follow the next steps:
CONTRIBUTING.mdguide at the root of the repo.format_checktarget.If it is not, then move the committed files to the git staging area,
build the
formattarget to format them, and then re-commit.More information is available on the wiki.