elastic / ebpf

Elastic's eBPF

Add file content and owner modification probes #180

Closed mmat11 closed 9 months ago

mmat11 commented 10 months ago
File              Program                              Verdict  Duration (us)  Insns  States  Peak states
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
EventProbe.bpf.o  fentry__commit_creds                 success           1899    740      35           35
EventProbe.bpf.o  fentry__do_renameat2                 success            218     68       4            4
EventProbe.bpf.o  fentry__do_unlinkat                  success            155     50       2            2
EventProbe.bpf.o  fentry__mnt_want_write               success            133     37       3            3
EventProbe.bpf.o  fentry__taskstats_exit               success          86209  26453    1397           78
EventProbe.bpf.o  fentry__tcp_close                    success           1358    474      26           26
EventProbe.bpf.o  fentry__tty_write                    success           1585    561      25           25
EventProbe.bpf.o  fentry__vfs_rename                   success         203489  79651    3119          405
EventProbe.bpf.o  fentry__vfs_unlink                   success            174     37       3            3
EventProbe.bpf.o  fexit__chmod_common                  success         102471  39551    1559          242
EventProbe.bpf.o  fexit__chown_common                  success         105521  39551    1559          242
EventProbe.bpf.o  fexit__do_filp_open                  success         107216  40449    1573          244
EventProbe.bpf.o  fexit__do_truncate                   success         105723  39583    1561          244
EventProbe.bpf.o  fexit__inet_csk_accept               success           1173    419      25           25
EventProbe.bpf.o  fexit__tcp_v4_connect                success           1214    422      25           25
EventProbe.bpf.o  fexit__tcp_v6_connect                success           1196    422      25           25
EventProbe.bpf.o  fexit__vfs_rename                    success           3423   1309      42           42
EventProbe.bpf.o  fexit__vfs_unlink                    success         106861  40420    1571          243
EventProbe.bpf.o  fexit__vfs_write                     success         104344  39562    1560          243
EventProbe.bpf.o  kprobe__chmod_common                 success            128     43       1            1
EventProbe.bpf.o  kprobe__chown_common                 success            119     41       1            1
EventProbe.bpf.o  kprobe__commit_creds                 success           1922    740      35           35
EventProbe.bpf.o  kprobe__do_renameat2                 success            208     68       4            4
EventProbe.bpf.o  kprobe__do_truncate                  success            192     63       3            3
EventProbe.bpf.o  kprobe__do_unlinkat                  success            158     50       2            2
EventProbe.bpf.o  kprobe__mnt_want_write               success            132     37       3            3
EventProbe.bpf.o  kprobe__taskstats_exit               success          86878  26453    1397           78
EventProbe.bpf.o  kprobe__tcp_close                    success           1430    474      26           26
EventProbe.bpf.o  kprobe__tcp_v4_connect               success            154     50       2            2
EventProbe.bpf.o  kprobe__tcp_v6_connect               success            145     50       2            2
EventProbe.bpf.o  kprobe__tty_write                    success           1565    561      25           25
EventProbe.bpf.o  kprobe__vfs_rename                   success         210256  79648    3120          406
EventProbe.bpf.o  kprobe__vfs_unlink                   success            133     39       4            4
EventProbe.bpf.o  kprobe__vfs_write                    success            282     54       1            1
EventProbe.bpf.o  kretprobe__chmod_common              success         105099  39561    1560          243
EventProbe.bpf.o  kretprobe__chown_common              success         106245  39561    1560          243
EventProbe.bpf.o  kretprobe__do_filp_open              success         108032  40449    1573          244
EventProbe.bpf.o  kretprobe__do_truncate               success         105759  39561    1560          243
EventProbe.bpf.o  kretprobe__inet_csk_accept           success           1214    419      25           25
EventProbe.bpf.o  kretprobe__tcp_v4_connect            success           1188    432      26           26
EventProbe.bpf.o  kretprobe__tcp_v6_connect            success           1189    432      26           26
EventProbe.bpf.o  kretprobe__vfs_rename                success           3378   1298      41           41
EventProbe.bpf.o  kretprobe__vfs_unlink                success         106097  40409    1570          242
EventProbe.bpf.o  kretprobe__vfs_write                 success         107164  39561    1560          243
EventProbe.bpf.o  sched_process_exec                   success         200834  67486    2987          292
EventProbe.bpf.o  sched_process_fork                   success          83060  26868    1416           99
EventProbe.bpf.o  tracepoint_syscalls_sys_exit_setsid  success            704    262      14           14
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
Done. Processed 1 files, 0 programs. Skipped 47 files, 0 programs.
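As an added illustration (not code from the elastic/ebpf project), a small Python parser for a veristat-style report like the one above that groups the verified instruction count by hooked kernel function, so the entry-side (kprobe/fentry) and return-side (kretprobe/fexit) cost of each new probe can be compared against the verifier's instruction budget. The sample rows are copied from the table; the 1,000,000-instruction budget is the kernel verifier's per-program limit, and the "tracepoint" label for unprefixed program names is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: five rows copied verbatim from the report in the comment above.
SAMPLE_REPORT = """\
File              Program                              Verdict  Duration (us)  Insns  States  Peak states
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
EventProbe.bpf.o  kprobe__vfs_write                    success            282     54       1            1
EventProbe.bpf.o  kretprobe__vfs_write                 success         107164  39561    1560          243
EventProbe.bpf.o  fexit__vfs_write                     success         104344  39562    1560          243
EventProbe.bpf.o  kprobe__chown_common                 success            119     41       1            1
EventProbe.bpf.o  kretprobe__chown_common              success         106245  39561    1560          243
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
"""
NUMERIC = {"Duration (us)", "Insns", "States", "Peak states"}
BPF_COMPLEXITY_LIMIT_INSNS = 1_000_000  # verifier's per-program instruction budget (kernel >= 5.2)

def parse_report(text):
    """Return one dict per program row; column names are cut from the header using the dash ruler."""
    header, ruler, *body = [ln for ln in text.splitlines() if ln.strip()]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in body:
        if set(line) <= {"-", " "}:
            continue  # closing ruler
        cells = line.split()  # data cells contain no spaces, unlike the "Duration (us)" header
        if len(cells) != len(names):
            raise ValueError(f"malformed row: {line!r}")
        rows.append({n: int(c) if n in NUMERIC else c for n, c in zip(names, cells)})
    return rows

def group_by_hook(rows):
    """Map hooked kernel function -> {attach type -> verified insns}, e.g. vfs_write -> {kprobe: 54, ...}."""
    by_hook = defaultdict(dict)
    for row in rows:
        attach, sep, func = row["Program"].partition("__")
        if not sep:  # names like sched_process_exec carry no attach-type prefix (label is an assumption)
            attach, func = "tracepoint", attach
        by_hook[func][attach] = row["Insns"]
    return dict(by_hook)

def exit_entry_ratio(by_hook, func):
    """How many times more verifier work the return-side probe costs than the entry-side probe."""
    hooks = by_hook[func]
    return hooks.get("kretprobe", hooks.get("fexit")) / hooks.get("kprobe", hooks.get("fentry"))

def over_budget(rows, fraction=0.01):
    """Programs whose verified instruction count exceeds `fraction` of the kernel's budget."""
    return sorted(r["Program"] for r in rows if r["Insns"] > BPF_COMPLEXITY_LIMIT_INSNS * fraction)
```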
mmat11 commented 10 months ago

> Don't we need vfs_writev as well?

Yes, I think so, good catch!

There are also some kernels failing in CI for the kprobe version; I'll fix that.