exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh

feat: Include inode of executable in `Exec` and `Fork` events #276

Closed vadorovsky closed 4 months ago

vadorovsky commented 5 months ago

This information is going to be useful for uniquely distinguishing containerized binaries. The path of the binary logged in events is relative to the root filesystem. By including an inode, we can retrieve a binary file of a containerized process from the host reliably.

For example, given the following event coming from a container:

```
[2024-04-08T08:01:30Z EVENT alpine:3.19 sha256:05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd /bin/sh (11356)] [process-monitor] Fork { ppid: 11332, exe_inode: 5503693 }
```

`/bin/sh` mentioned here refers to a path inside the container's filesystem. It's not the same as `/bin/sh` on the host. However, if we ever want to access that binary from the host, we can search for it by the inode 5503693:

```
# btrfs inspect-internal inode-resolve 5503693 /var/lib/docker
/var/lib/docker/lib/docker/overlay2/ba168125fc8c536a047552f3a16c5a9db7e649092a0fb3ec3321b65530399050/diff/bin/busybox
/var/lib/docker/overlay2/ba168125fc8c536a047552f3a16c5a9db7e649092a0fb3ec3321b65530399050/diff/bin/busybox
```
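The PR description shows the lookup with the btrfs-specific `inode-resolve` helper. The following Python script is an added example (not Pulsar's code, and not part of this PR) of the same host-side step done generically: it parses an `Exec`/`Fork` event line for its `exe_inode`, then walks the container storage root comparing `st_ino` on a single device, which is what `find /var/lib/docker -xdev -inum <n>` does on any filesystem. It assumes the event layout shown in the single sample above, and that `exe_inode` names an inode on the host filesystem backing the image layers, as the btrfs output implies; the `demo_roundtrip` tree and its event are constructed for the demo.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample: the Fork event quoted in the PR description, on one line.
SAMPLE_EVENT = (
    "[2024-04-08T08:01:30Z EVENT alpine:3.19 "
    "sha256:05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd "
    "/bin/sh (11356)] [process-monitor] Fork { ppid: 11332, exe_inode: 5503693 }"
)

# Matches the tail of a process-monitor event: "<exe> (<pid>)] [<module>] <Kind> { k: v, ... }".
# The layout is assumed from the single sample above, not taken from Pulsar's formatter.
EVENT_RE = re.compile(
    r"(?P<exe>\S+) \((?P<pid>\d+)\)\] \[(?P<module>[\w-]+)\] (?P<kind>\w+) \{ (?P<fields>[^}]*) \}"
)


def parse_event(line: str) -> dict:
    """Extract exe path, pid, event kind and the `{ ... }` fields (ints where numeric)."""
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised event line: {line!r}")
    fields = {}
    for item in m.group("fields").split(","):
        key, _, value = item.strip().partition(": ")
        fields[key] = int(value) if value.isdigit() else value
    return {"exe": m.group("exe"), "pid": int(m.group("pid")),
            "module": m.group("module"), "kind": m.group("kind"), **fields}


def _on_device(path: str, dev: int) -> bool:
    """True if `path` lives on device `dev` (used to avoid crossing mount points)."""
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def resolve_inode(root: str, inode: int) -> list:
    """Return every regular file under `root` whose inode number is `inode`.

    Inode numbers are only unique per device, so the walk never descends into
    another mount and only accepts hits with the same st_dev as `root`. Hardlinks
    (busybox applets, for instance) legitimately yield several paths for one inode,
    just like the two lines of btrfs output above.
    """
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if _on_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or unreadable; skip rather than abort the walk
            if st.st_dev == root_dev and st.st_ino == inode and stat.S_ISREG(st.st_mode):
                hits.append(path)
    return sorted(hits)


def find_executable_for_event(line: str, root: str = "/var/lib/docker") -> list:
    """Host-side lookup: parse an Exec/Fork event and locate its binary by exe_inode under `root`."""
    event = parse_event(line)
    if "exe_inode" not in event:
        raise ValueError("event carries no exe_inode field")
    return resolve_inode(root, event["exe_inode"])


def demo_roundtrip() -> list:
    """Constructed demo: build a throwaway overlay2-like tree, forge an event for a file
    in it, and resolve the inode back. Returns the basenames found (hardlink included)."""
    with tempfile.TemporaryDirectory() as root:
        layer = Path(root) / "overlay2" / "layer-a" / "diff" / "bin"
        layer.mkdir(parents=True)
        busybox = layer / "busybox"
        busybox.write_bytes(b"\x7fELF placeholder, not a real binary\n")
        try:
            os.link(busybox, layer / "sh")  # busybox applets are hardlinks to the same inode
        except OSError:
            pass  # filesystem without hardlink support; the demo still finds busybox
        inode = busybox.stat().st_ino
        event = (
            "[2024-04-08T08:01:30Z EVENT alpine:3.19 sha256:" + "0" * 64 +
            f" /bin/sh (11356)] [process-monitor] Fork {{ ppid: 11332, exe_inode: {inode} }}"
        )
        return [os.path.basename(p) for p in find_executable_for_event(event, root)]


if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT))
    print(demo_roundtrip())
```

Running it as a script prints the parsed sample event and then the basenames resolved from the constructed tree. A full walk of `/var/lib/docker` is far slower than `btrfs inspect-internal inode-resolve`, so on btrfs the helper from the PR is the better tool; the walk is the fallback for storage on ext4, xfs or other filesystems without an inode-to-path reverse lookup.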