sysflow-telemetry / sysflow

SysFlow documentation and issues tracker

username and group name is null for non root users #23

Closed mutazalsallal closed 3 years ago

mutazalsallal commented 4 years ago

Indicate project: sf-collector

Describe the bug: the username is null for non-root users

To reproduce: steps to reproduce the behavior:

  1. adduser mike
  2. su mike
  3. nano /etc/mutaz/test1.txt

(maybe it happened because sysflow cached the user list when it starts, and I added the new user while sysflow is running)

Expected behavior: sysflow is logging the correct user id, but the username is not logged, nor is the parent process username/groupname.

Also, should we rename this to effective username / effective group name?

This is the logged process creation event:

<13>Feb 11 13:44:33 ubuntu3 osquery: {"v": "0.1-rc3", "type": "PE", "state": "MODIFIED", "opflags": "EXEC", "opflags_bitmap": 2, "ret": 0, "ts": "02/11/2020T13:44:13.295783", "ts_uts": 1581428653295783106, "endts": "", "endts_uts": null, "proc.pid": 43003, "proc.tid": 43003, "proc.uid": 1001, "proc.user": "", "proc.gid": 1001, "proc.group": "", "proc.exe": "/bin/nano", "proc.args": "/etc/mutaz/test1.txt", "proc.tty": true, "proc.createts": 1581428653294991694, "pproc.pid": 42992, "pproc.gid": 1001, "pproc.uid": 1001, "pproc.group": "", "pproc.tty": true, "pproc.user": "", "pproc.exe": "/bin/bash", "pproc.args": "", "pproc.createts": 1581428650103120750, "file.fd": "", "file.path": "", "file.newpath": "", "file.openflags": "", "net.proto": "", "net.sport": null, "net.dport": null, "net.sip": "", "net.dip": "", "res": "", "flow.rbytes": null, "flow.rops": null, "flow.wbytes": null, "flow.wops": null, "container.id": "", "container.name": "", "container.imageid": "", "container.image": "", "container.type": "", "container.privileged": ""} --

Environment (please complete the following information):

araujof commented 4 years ago

I ran a few tests and this seems to be related to how sysdig records and collects user information. I executed two scenarios with sysdig running as a docker container:

  1. Added non-root user 'test' to host system and executed a command --> user name is
  2. Added non-root user 'test' to container where sysdig runs and executed a command --> user name is ; if I restart sysdig, the user name shows as 'test'

Note: you can use `sysdig -c spy_users` to log interactive user commands and check user names.

@terylt, do you know if this a known bug/limitation (of sysdig)?
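An added example, not part of the issue or of the SysFlow project, showing a downstream workaround for the symptom discussed above: it parses a syslog-wrapped SysFlow record like the one quoted in the report, fills empty `proc.user`/`proc.group` and `pproc.user`/`pproc.group` fields by resolving the numeric ids against passwd/group data the caller supplies (the host's files, not the collector container's), and returns the names it could not resolve so that gaps are reported instead of silently passed to a SIEM. The passwd and group contents are constructed; mapping uid 1001 to `mike` is an assumption taken from the `adduser mike` step in the report.

```python
"""Post-process SysFlow JSON records whose user/group names are empty.

Added example (not SysFlow project code). It resolves numeric uid/gid
against passwd/group text supplied by the caller and reports any name it
still cannot fill in.
"""
import json

# Constructed sample record, trimmed from the event quoted in the issue.
SAMPLE_LINE = (
    '<13>Feb 11 13:44:33 ubuntu3 osquery: {"v": "0.1-rc3", "type": "PE", '
    '"opflags": "EXEC", "proc.pid": 43003, "proc.uid": 1001, "proc.user": "", '
    '"proc.gid": 1001, "proc.group": "", "proc.exe": "/bin/nano", '
    '"pproc.pid": 42992, "pproc.uid": 1001, "pproc.user": "", '
    '"pproc.gid": 1001, "pproc.group": "", "pproc.exe": "/bin/bash"} --'
)

# Constructed passwd/group contents standing in for the host's /etc/passwd
# and /etc/group; uid/gid 1001 -> mike is an assumption from the report.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nmike:x:1001:1001::/home/mike:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nmike:x:1001:\n"


def parse_id_file(text):
    """Map numeric id -> name from 'name:x:id:...' lines (passwd or group format)."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            table[int(fields[2])] = fields[0]
    return table


def extract_json(line):
    """Strip the syslog prefix and the trailing ' --' around the embedded JSON object."""
    start, end = line.find("{"), line.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON object found in line")
    return json.loads(line[start:end + 1])


def enrich(record, uid_map, gid_map):
    """Fill empty user/group names for proc and pproc in place.

    Returns the list of name fields that stayed unresolved, so callers can
    alert on records whose identity is still unknown.
    """
    unresolved = []
    for prefix in ("proc", "pproc"):
        for id_key, name_key, table in (("uid", "user", uid_map), ("gid", "group", gid_map)):
            id_field = f"{prefix}.{id_key}"
            name_field = f"{prefix}.{name_key}"
            # Only touch fields the collector left empty.
            if id_field not in record or record.get(name_field, "") != "":
                continue
            name = table.get(record[id_field])
            if name is None:
                unresolved.append(name_field)
            else:
                record[name_field] = name
    return unresolved


def process_line(line, passwd_text, group_text):
    """Parse one syslog-wrapped record and enrich it; returns (record, unresolved)."""
    record = extract_json(line)
    unresolved = enrich(record, parse_id_file(passwd_text), parse_id_file(group_text))
    return record, unresolved


if __name__ == "__main__":
    rec, missing = process_line(SAMPLE_LINE, SAMPLE_PASSWD, SAMPLE_GROUP)
    print(json.dumps({k: rec[k] for k in ("proc.uid", "proc.user", "pproc.gid", "pproc.group")}))
    print("unresolved:", missing)
```

Resolving against the host's passwd/group rather than the container's is the point of the lookup: a user added on the host after the collector started (the scenario in the report) is invisible to a collector that read the container's files once at startup, but it is present in the host files the enrichment step reads.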