-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BPF-based file open events #7947
base: master
Are you sure you want to change the base?
BPF-based file open events #7947
Conversation
bpf_file_events addition
bpf_file_events addition
bpf_file_events.cpp addition
bpf_file_events.h addition
@@ -37,6 +37,7 @@ function(generateOsqueryTablesEventsEventstable) | |||
list(APPEND source_files | |||
linux/bpf_process_events.cpp | |||
linux/bpf_socket_events.cpp | |||
linux/bpf_file_events.cpp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indentation
* SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) | ||
*/ | ||
|
||
#include <osquery/logger/logger.h> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove unused headers
|
||
REGISTER(BPFFileEventSubscriber, "event_subscriber", "bpf_file_events"); | ||
|
||
std::vector<std::string> monitored_paths; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Avoid writable global variables
configure_filtering(); | ||
} | ||
|
||
Status BPFFileEventSubscriber::init() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a flag to enable/disable this feature; only perform initialization when the flag is enabled
|
||
switch (event.type) { | ||
case ISystemStateTracker::Event::Type::Open: | ||
row["syscall"] = TEXT("open"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this column, since its value is always fixed
bool is_path_matched = false; | ||
|
||
if (!std::holds_alternative<ISystemStateTracker::Event::FileIOData>(event.data)) { | ||
row["file_path"] = TEXT(""); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do not generate rows if the data is missing
row["duration"] = INTEGER(event.bpf_header.duration); | ||
row["uptime"] = TEXT(std::to_string(getUptime())); | ||
|
||
if (!std::holds_alternative<ISystemStateTracker::Event::FileIOData>( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was already evaluated earlier, only check it once. The entire block can be removed
|
||
if (file_io_data.flags.find("O_CREAT") != std::string::npos) | ||
{ | ||
configure_filtering(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configuration should only be read once, within the dedicated ::configure() method.
Additionally, triggering a complete path expansion whenever a new file is created is not a good strategy (refer to the comment left on configure_filtering
)
|
||
std::vector<std::string> monitored_paths; | ||
|
||
void configure_filtering() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Paths are expanded by the file_events implementation because osquery needs to install inotify watchers. In the case of BPF, this is not needed. Paths should be checked without performing expansion
specs/linux/bpf_file_events.table
Outdated
@@ -0,0 +1,22 @@ | |||
table_name("bpf_file_events") | |||
description("Track network socket opens and closes.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update the table description
Column("cid", INTEGER, "Cgroup ID"), | ||
Column("fd", INTEGER, "File descriptor"), | ||
Column("probe_error", INTEGER, "Set to 1 if one or more buffers could not be captured"), | ||
Column("syscall", TEXT, "System call name"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this column, since it can only contain the open
value
Removed logger.h header. But it seems that it is also present in bpf_process_event and bpf_socket_event. Also, some commented line removed.
Added description for bpf_file_events
@@ -0,0 +1,22 @@ | |||
table_name("bpf_file_events") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a slight nit, we're trying to move this to putting the variant at the end -- file_events_bpf
To submit a PR please make sure to follow the next steps:
CONTRIBUTING.md
guide at the root of the repo.format_check
target.If it is not, then move the committed files to the git staging area,
build the
format
target to format them, and then re-commit.More information is available on the wiki.