-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[auditbeat] fim: implement kprobes backend #37796
Merged
pkoutsovasilis
merged 43 commits into
elastic:main
from
pkoutsovasilis:pkoutsovasilis/kprobe_fim
Feb 14, 2024
+7,435
−6
Merged
Changes from 36 commits
Commits
Show all changes
43 commits
Select commit
Hold shift + click to select a range
cb01f59
feat: add helper funcs to get symbol info from /proc/kallsyms
pkoutsovasilis 9417243
feat: introduce fixed executor that always runs funcs from the same o…
pkoutsovasilis bbca9e7
feat: add probe manager to handle building tracing kprobes from tk-bt…
pkoutsovasilis 292b7b7
feat: define probe events with corresponding alloc and release funcs
pkoutsovasilis d585da1
feat: embed stripped btf files and add helper funcs to read them
pkoutsovasilis e4616c1
feat: add fsnotify, fsnotify_nameremove, fsnotify_parent and vfs_geat…
pkoutsovasilis 625da6b
feat: implement path traverser to produce monitor events by walking a…
pkoutsovasilis 6f35ab1
feat: implement directory entries cache
pkoutsovasilis 31ec585
feat: implement event processor to process probe events and based on …
pkoutsovasilis ea61593
feat: implement event verifier that validates that the expected seque…
pkoutsovasilis f58e369
feat: add perfChannel to reduce tracing.PerfChannel boilerplate code …
pkoutsovasilis 0c785ca
feat: implement monitor that ties together path traverser, perf chann…
pkoutsovasilis d8bf292
feat: implement probe verification at runtime and the creation of a n…
pkoutsovasilis 097aa25
feat: implement event reader for kprobe-based file integrity module
pkoutsovasilis c4a9d9b
doc: update NOTICE.txt to include tk-btf license
pkoutsovasilis 6ca359f
feat: add tests for non-recursive kprobe fim (#3)
Tacklebox 07b927b
fix: remove existing file from cache when a move operation is overwri…
pkoutsovasilis 045bf40
feat: introduce force_backend in for file integrity auditbeat module
pkoutsovasilis bd6bcfb
ci: add necessary volume mounts for kprobes backend in auditbeat dock…
pkoutsovasilis 651b2f7
feat: add the instantiation of file integrity module with kprobes bac…
pkoutsovasilis d39b22f
doc: update CHANGELOG.next.asciidoc
pkoutsovasilis 1509a1a
fix: address compilation issues for non-linux oses
pkoutsovasilis 0469332
fix: correct folder permission for path traverser unit-test
pkoutsovasilis 6308e8b
fix: build kprobe package and unit-tests only for linux
pkoutsovasilis c52743b
ci: extend test_file_integrity.py to test kprobes backend of file int…
pkoutsovasilis 6ccd479
ci: extend TestNew in monitor to include actual file changes
pkoutsovasilis 82a07be
ci: mark with nolint prealloc slices that can't be pre-allocated
pkoutsovasilis cb2b330
Merge remote-tracking branch 'beats/main' into pkoutsovasilis/kprobe_fim
pkoutsovasilis 5c00c37
Merge remote-tracking branch 'beats/main' into pkoutsovasilis/kprobe_fim
pkoutsovasilis 3ad318b
Merge remote-tracking branch 'beats/main' into pkoutsovasilis/kprobe_fim
pkoutsovasilis 4650e5f
chore: inline defer funcs
pkoutsovasilis 62ea807
fix: return the scanner error if any
pkoutsovasilis f1cff58
fix: remove redundant runtime os checks for linux
pkoutsovasilis 5350596
doc: comment that dEntryCache is not thread-safe
pkoutsovasilis fe6453a
fix: set the appropriate verbosity of errors of watcher
pkoutsovasilis da84277
fix: check for scanner.Err and return err from parsing mountinfo lines
pkoutsovasilis c4d2edb
fix: remove redundant fim_backends list from test_file_integrity.py
pkoutsovasilis 6cd08cb
Merge remote-tracking branch 'beats/main' into pkoutsovasilis/kprobe_fim
pkoutsovasilis e745e23
fix: gofumpt kprobes package
pkoutsovasilis 4a12aa9
fix: highlight unused context in event processor
pkoutsovasilis d80fbf5
fix: increase interval period of wait_output as kprobes require more …
pkoutsovasilis bd8d23a
fix: proper formatting for auditbeat.reference.yml
pkoutsovasilis f1e51f4
fix: proper formatting for x-pack/auditbeat/auditbeat.reference.yml
pkoutsovasilis File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Auditbeat has doc page about running in Docker. For a future PR, I think that page should get updated to specify the specific settings (capabilities, user, mounts, etc) that are necessary for each FIM backend.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops noted, I wasn't aware of that but definitely more than a valid think to look out, especially when kprobe BE of FIM transitions out from technical preview, thx for the catch!