elastic / ebpf

Elastic's eBPF

EventProbe: add file modification events #179

Closed mmat11 closed 11 months ago

mmat11 commented 11 months ago

Veristat output:

File              Program                              Verdict  Duration (us)  Insns  States  Peak states
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
EventProbe.bpf.o  fentry__commit_creds                 success            331    740      35           35
EventProbe.bpf.o  fentry__do_renameat2                 success             71     68       4            4
EventProbe.bpf.o  fentry__do_unlinkat                  success             55     50       2            2
EventProbe.bpf.o  fentry__mnt_want_write               success             60     37       3            3
EventProbe.bpf.o  fentry__taskstats_exit               success          20725  26453    1397           78
EventProbe.bpf.o  fentry__tcp_close                    success            302    474      26           26
EventProbe.bpf.o  fentry__tty_write                    success            318    561      25           25
EventProbe.bpf.o  fentry__vfs_rename                   success          39680  79651    3119          405
EventProbe.bpf.o  fentry__vfs_unlink                   success             54     37       3            3
EventProbe.bpf.o  fexit__chmod_common                  success          20804  39540    1560          243
EventProbe.bpf.o  fexit__do_filp_open                  success          20830  40449    1573          244
EventProbe.bpf.o  fexit__inet_csk_accept               success            265    419      25           25
EventProbe.bpf.o  fexit__tcp_v4_connect                success            258    422      25           25
EventProbe.bpf.o  fexit__tcp_v6_connect                success            257    422      25           25
EventProbe.bpf.o  fexit__vfs_rename                    success            523   1309      42           42
EventProbe.bpf.o  fexit__vfs_unlink                    success          22484  40420    1571          243
EventProbe.bpf.o  kprobe__chmod_common                 success             33     43       1            1
EventProbe.bpf.o  kprobe__commit_creds                 success            319    740      35           35
EventProbe.bpf.o  kprobe__do_renameat2                 success             56     68       4            4
EventProbe.bpf.o  kprobe__do_unlinkat                  success             42     50       2            2
EventProbe.bpf.o  kprobe__mnt_want_write               success             41     37       3            3
EventProbe.bpf.o  kprobe__taskstats_exit               success          20921  26453    1397           78
EventProbe.bpf.o  kprobe__tcp_close                    success            292    474      26           26
EventProbe.bpf.o  kprobe__tcp_v4_connect               success             50     50       2            2
EventProbe.bpf.o  kprobe__tcp_v6_connect               success             45     50       2            2
EventProbe.bpf.o  kprobe__tty_write                    success            300    561      25           25
EventProbe.bpf.o  kprobe__vfs_rename                   success          41809  79648    3120          406
EventProbe.bpf.o  kprobe__vfs_unlink                   success             43     39       4            4
EventProbe.bpf.o  kretprobe__chmod_common              success          21164  39551    1561          244
EventProbe.bpf.o  kretprobe__do_filp_open              success          20861  40449    1573          244
EventProbe.bpf.o  kretprobe__inet_csk_accept           success            246    419      25           25
EventProbe.bpf.o  kretprobe__tcp_v4_connect            success            267    432      26           26
EventProbe.bpf.o  kretprobe__tcp_v6_connect            success            261    432      26           26
EventProbe.bpf.o  kretprobe__vfs_rename                success            506   1298      41           41
EventProbe.bpf.o  kretprobe__vfs_unlink                success          22073  40409    1570          242
EventProbe.bpf.o  sched_process_exec                   success          40250  67486    2987          292
EventProbe.bpf.o  sched_process_fork                   success          18328  26868    1416           99
EventProbe.bpf.o  tracepoint_syscalls_sys_exit_setsid  success            146    262      14           14
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
Done. Processed 1 files, 0 programs. Skipped 38 files, 0 programs.

Tested manually:

{"probes_initialized": true, "features": {"bpf_tramp": true}}
{"event_type":"FILE_MODIFY","pids":{"tid":3020316,"tgid":3020316,"ppid":3014701,"pgid":3020316,"sid":3014701,"start_time_ns":1507556923658071},"mount_namespace":4026531841,"comm":"chmod","change_type":"PERMISSIONS","file_info":{"type":"FILE","inode":252659,"mode":100755,"size":0,"uid":1000,"gid":1000,"atime":1703253982613656962,"mtime":1703253982613656962,"ctime":1703255053237977655},"path":"/tmp/test123","symlink_target_path":""}
^CReceived SIGINT, exiting...

TODO: tests

Other file modification triggers (truncate, setxattr) will be handled in separate PRs
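Added example, not code from this PR or from the elastic/ebpf project: a small consumer for the EventsTrace output shown above that reads the newline-delimited JSON, keeps only FILE_MODIFY events with change_type PERMISSIONS, and flags permission changes a detection engineer would care about (setuid/setgid bits, world-writable files). Two things are assumptions rather than facts from the page: the `mode` field is taken to be the octal digits of st_mode printed without a leading 0 (100755 in the sample reads as S_IFREG|0755), and the second and third event lines are constructed with the same schema so the checks have something to fire on.

```python
import json
import stat

# Constructed sample input. The first two lines are the feature banner and the
# FILE_MODIFY event printed by EventsTrace in the PR description; the last two
# are hypothetical events made up for this example (same schema, invented
# pids/inodes/paths) so that the checks below have something to flag.
SAMPLE_EVENTS = [
    '{"probes_initialized": true, "features": {"bpf_tramp": true}}',
    '{"event_type":"FILE_MODIFY","pids":{"tid":3020316,"tgid":3020316,"ppid":3014701,"pgid":3020316,"sid":3014701,"start_time_ns":1507556923658071},"mount_namespace":4026531841,"comm":"chmod","change_type":"PERMISSIONS","file_info":{"type":"FILE","inode":252659,"mode":100755,"size":0,"uid":1000,"gid":1000,"atime":1703253982613656962,"mtime":1703253982613656962,"ctime":1703255053237977655},"path":"/tmp/test123","symlink_target_path":""}',
    '{"event_type":"FILE_MODIFY","pids":{"tid":4242,"tgid":4242,"ppid":4000,"pgid":4242,"sid":4000,"start_time_ns":1507556923700000},"mount_namespace":4026531841,"comm":"chmod","change_type":"PERMISSIONS","file_info":{"type":"FILE","inode":999001,"mode":104755,"size":0,"uid":0,"gid":0,"atime":0,"mtime":0,"ctime":0},"path":"/tmp/.sh","symlink_target_path":""}',
    '{"event_type":"FILE_MODIFY","pids":{"tid":4343,"tgid":4343,"ppid":4000,"pgid":4343,"sid":4000,"start_time_ns":1507556923800000},"mount_namespace":4026531841,"comm":"chmod","change_type":"PERMISSIONS","file_info":{"type":"FILE","inode":999002,"mode":100666,"size":0,"uid":1000,"gid":1000,"atime":0,"mtime":0,"ctime":0},"path":"/etc/cron.d/job","symlink_target_path":""}',
    "^CReceived SIGINT, exiting...",
]


def parse_mode(raw):
    """Return st_mode as an integer.

    Assumption (from the sample, not documented on the page): the JSON 'mode'
    field carries the octal digits of st_mode without a leading 0, so 100755
    is S_IFREG|0755. json.loads hands us the decimal integer 100755, so the
    digits are re-read in base 8.
    """
    return int(str(raw), 8)


def findings_for(event):
    """Flags worth alerting on for one FILE_MODIFY / PERMISSIONS event."""
    if event.get("event_type") != "FILE_MODIFY":
        return []
    if event.get("change_type") != "PERMISSIONS":
        return []
    mode = parse_mode(event["file_info"]["mode"])
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    # World-writable is a problem for files; a sticky world-writable
    # directory (like /tmp itself) is the normal case and is not flagged.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        flags.append("world-writable")
    return flags


def scan(lines):
    """Parse EventsTrace output and return one record per flagged event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # the SIGINT line and anything else that is not JSON
        ev = json.loads(line)  # the feature banner parses but has no event_type
        flags = findings_for(ev)
        if not flags:
            continue
        mode = parse_mode(ev["file_info"]["mode"])
        hits.append({
            "path": ev["path"],
            "comm": ev["comm"],
            "pid": ev["pids"]["tgid"],
            "mode": f"{stat.S_IMODE(mode):04o}",
            "file_uid": ev["file_info"]["uid"],
            "flags": flags,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, the page's own chmod of /tmp/test123 to 0755 produces no finding, while the two constructed events are reported as setuid (mode 4755) and world-writable (mode 0666). Pipe real EventsTrace output into `scan(sys.stdin)` to use it live; the base-8 reinterpretation is the part to re-check if the field format ever changes.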

pkoutsovasilis commented 11 months ago

code-wise LGTM @mmat11, will you add any extra tests in this PR?