sysflow-telemetry / sysflow

SysFlow documentation and issues tracker

Exe full path missing in Exe field #107

Open dcarolloz opened 1 year ago

dcarolloz commented 1 year ago

Indicate project: libsysflow

Describe the bug: The exe full path is sometimes not reported.

To reproduce: Steps to reproduce the behavior:

  1. Build and run sf-collector example
  2. Compile and run code example reported below

Expected behavior: The exe full path should be reported. In the example, Exe is expected to show /usr/bin/echo.

Environment:

Code example

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

int main(){
    /* Full path of the binary to execute. */
    const char* pathname = "/usr/bin/echo";
    /* argv[0] is the bare name "echo", not the full path. */
    const char* argv[] = { "echo", "arg1", "arg2", "arg3", "arg4", "arg5", NULL };
    const char* envp[] = { NULL };
    /* Call execve directly through syscall(); it returns only on failure. */
    int rc = syscall( SYS_execve, pathname, argv, envp);
    printf("errno: %d\n", errno);
    return rc;
}

sf-collector example log

****************************************************************
Header: Exporter , IP , File name 
Process: PID 13246 Creation Time, 1688476758875589088, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 13246, OpFlags 1, Ret 23207
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 1, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 23207, OpFlags: 9344, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /lib/x86_64-linux-gnu/libc.so.6
File Flow: TID 23207, OpFlags: 9600, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 23207, OpFlags: 9344, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /lib/x86_64-linux-gnu/libc.so.6
File Flow: TID 23207, OpFlags: 9600, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /dev/pts/1
File Flow: TID 23207, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /dev/pts/1
File Flow: TID 23207, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 4, Ret 0
****************************************************************
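
An added example, not part of the original issue or of the SysFlow project's code: a Python check that parses `Process:` lines in the format printed in the log above and flags records whose Exe is not an absolute path, which is how the reported symptom appears in the output. The function names are hypothetical, and the sample lines are copied from the log in this issue.

```python
import re

# Matches the "Process:" line format printed by the sf-collector example in the log above.
PROCESS_RE = re.compile(
    r"^Process: PID (?P<pid>\d+) Creation Time, (?P<ts>\d+), "
    r"Exe (?P<exe>.*?), Exe Args (?P<args>.*?), User Name "
)

# Sample lines copied from the log in this issue.
SAMPLE_LOG = """\
Process: PID 23207 Creation Time, 1688476762777075981, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 1, Ret 0
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
"""

def parse_process_lines(text):
    """Yield (pid, creation_time, exe, args) for every Process line."""
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            yield int(m["pid"]), int(m["ts"]), m["exe"], m["args"]

def exe_history(text):
    """Map (pid, creation_time) -> ordered list of distinct Exe values seen."""
    history = {}
    for pid, ts, exe, _args in parse_process_lines(text):
        seen = history.setdefault((pid, ts), [])
        if not seen or seen[-1] != exe:
            seen.append(exe)
    return history

def non_absolute_exes(text):
    """Return [(pid, exe, previous_exe)] where Exe is not an absolute path."""
    findings = []
    for (pid, _ts), exes in exe_history(text).items():
        for i, exe in enumerate(exes):
            if not exe.startswith("/"):
                findings.append((pid, exe, exes[i - 1] if i else None))
    return findings

if __name__ == "__main__":
    for pid, exe, prev in non_absolute_exes(SAMPLE_LOG):
        print(f"PID {pid}: Exe {exe!r} is not a full path (previous Exe: {prev!r})")
```

Keying the history on PID plus creation time keeps a reused PID from being merged with an earlier process when the check runs over a longer capture.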