Adds a new metric that tracks cases where the file reported in EXEC events is not the same file currently on disk.
Test setup:
Create some binary named t. In one terminal, run the following to rapidly change t's devno/inode pair:
cp t t1
cp t t2
# Alternate t between two copies; every cp creates a fresh inode, so the devno/inode pair recorded at EXEC time stops matching the file on disk.
while true; do rm ./t; cp ./t1 ./t; sleep 0; rm ./t; cp ./t2 ./t; sleep 0; done
In a second terminal, continuously execute the binary:
# Each run produces an EXEC event that Santa evaluates while the other loop is swapping the file underneath it.
while true; do ./t > /dev/null; done
Sample santactl metrics output:
Metric Name | /santa/event_stat_change_count
Description | Count of times a stat info changed for a binary being evaluated
Type | SNTMetricTypeCounter
Field | step=MessageCreate,error=0
Created | 2024-05-15T00:47:07.050Z
Last Updated | 2024-05-15T00:47:07.050Z
Data | 70
Field | step=MessageCreate,error=2
Created | 2024-05-15T00:47:07.050Z
Last Updated | 2024-05-15T00:47:07.050Z
Data | 62
Field | step=NoChange,error=0
Created | 2024-05-14T23:47:10.405Z
Last Updated | 2024-05-15T00:47:07.050Z
Data | 1252973
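The race the test setup above provokes, modelled in shell as an added example (this is not code from the PR or from Santa). The EXEC event carries the devno/inode pair of the file that actually ran; by the time the binary is evaluated the same path may hold a different file, or none. The script records that pair before each run, re-checks it afterwards, and tallies the outcomes. It assumes GNU or BSD stat; the names devino, check_stat and race_demo are mine, and reading the sample's error=2 as errno 2 (ENOENT, the file is gone by the time stat runs) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Santa PR or from Santa itself: a shell model of
# the check the new metric counts. Assumes GNU or BSD `stat`; all function and
# file names here are my own.

# devino FILE: print "dev:inode" for FILE; print nothing and fail if stat fails.
devino() {
  stat -c '%d:%i' "$1" 2>/dev/null && return 0   # GNU coreutils / busybox (Linux)
  stat -f '%d:%i' "$1" 2>/dev/null               # BSD stat (macOS)
}

# check_stat SNAPSHOT FILE: compare the "dev:inode" recorded at exec time with
# what is on disk now. Prints one of: unchanged | changed | missing.
# "missing" is the stat(2) ENOENT case, which I assume is the error=2 field in
# the sample metrics output (errno 2 is ENOENT on both macOS and Linux).
check_stat() {
  local snapshot=$1 file=$2 now
  if now=$(devino "$file"); then
    if [ "$now" = "$snapshot" ]; then echo unchanged; else echo changed; fi
  else
    echo missing
  fi
}

# race_demo DIR N: the PR's test setup in one script. A background loop swaps
# DIR/t between two identical copies (new inode each time) while the foreground
# loop runs DIR/t N times, snapshotting dev:inode before each run and checking
# it afterwards. Prints "CHANGED MISSING UNCHANGED SKIPPED"; skipped means the
# file was absent before the run, so nothing executed and there would have been
# no EXEC event to evaluate.
race_demo() {
  local dir=$1 n=$2 i=0 swapper snap changed=0 missing=0 unchanged=0 skipped=0
  printf '#!/bin/sh\nexit 0\n' > "$dir/t"; chmod +x "$dir/t"
  cp "$dir/t" "$dir/t1"; cp "$dir/t" "$dir/t2"
  ( while :; do
      rm -f "$dir/t"; cp "$dir/t1" "$dir/t"
      rm -f "$dir/t"; cp "$dir/t2" "$dir/t"
    done ) &
  swapper=$!
  while [ "$i" -lt "$n" ]; do
    i=$((i + 1))
    if ! snap=$(devino "$dir/t"); then skipped=$((skipped + 1)); continue; fi
    "$dir/t" 2>/dev/null || true          # the exec; may fail mid-swap
    case $(check_stat "$snap" "$dir/t") in
      unchanged) unchanged=$((unchanged + 1)) ;;
      changed)   changed=$((changed + 1)) ;;
      missing)   missing=$((missing + 1)) ;;
    esac
  done
  kill "$swapper" 2>/dev/null || true
  wait "$swapper" 2>/dev/null || true
  echo "$changed $missing $unchanged $skipped"
}

# Stand-alone run: reproduce the race in a scratch directory and print the tally.
demo_dir=$(mktemp -d)
echo "changed missing unchanged skipped: $(race_demo "$demo_dir" 200)"
rm -rf "$demo_dir" 2>/dev/null || true
```

The split between "changed" and "missing" is the point of having two error fields: a changed pair means a different file now sits at the path and whatever gets evaluated from disk is not what ran, while a missing file means the evaluation cannot even stat the path. Both should be rare on a quiet host, which is why the large NoChange count beside two small MessageCreate counts in the sample output is the expected shape.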