hostName field reported by Tracee should be 64 characters long #3840

Open
hangrymuppet opened this issue Feb 1, 2024 · 3 comments

@hangrymuppet
Contributor

Version: 0.19.0

An example of this is already in the Tracee repo here

Most of the tests in the project have hostnames that are under 15 characters which is why I think this was not caught before.

@yanivagman
Collaborator

Yes, this is "by design" - tracee uses a fixed-size context for each event originated from eBPF code (~132 bytes).
To save space, we limit the size of the UTS name to 15 chars, as can be seen here: https://github.com/aquasecurity/tracee/blob/main/pkg/ebpf/c/common/context.h#L71

Since we now store information about threads/processes in userspace, it might be possible to include the full hostname by saving it there. This task requires some work, including considering the possibility of the UTS name being modified by the process after its initiation.

@hangrymuppet
Contributor Author

Hi @yanivagman, Thanks for the info. I see it is more than just hostName that is truncated. processName is as well. Perhaps change this to a feature request instead of a bug considering it is by design.

Also I will add an upvote to consider storing this information in userspace if it can include the whole field. In Kubernetes contexts, hostNames and processNames can get pretty large and 15 characters is not enough to uniquely identify where a trace occurred easily without some human intervention.

For hostName (since my use case is primarily in kubernetes), I can get the info from the container enrichment fields.

For processName however I don't have a workaround.

With regard to UTS name (or even processName) changing by a process after its initialization; is the consideration any different than how it is instrumented today?

@yanivagman changed the title from "hostName field reported by Tracee in k8s is truncated to 15 characters" to "hostName field reported by Tracee should be 64 characters long" on Feb 21, 2024
@yanivagman
Collaborator

task name (aka "comm") in Linux is limited to 16 characters - https://elixir.bootlin.com/linux/v6.7.5/source/include/linux/sched.h#L291
So we don't trim it, this is just the way it is.

UTS name, on the other hand, is limited in the kernel to 64 chars, so it is a different case.
I updated the issue to make it a feature request.

Regarding "process name", I think the full name you are looking for is actually the binary name. This field will have the full name as part of the path, and we plan to add it to Tracee soon (see context->process->executable here: #2870)

BTW, we already keep all the information about processes in userspace today. This is done in here: https://github.com/aquasecurity/tracee/tree/main/pkg/proctree
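
The ambiguity raised in this thread (a 15-character hostName against a 64-character UTS limit) can be checked against a list of known hostnames. The following is an added example, not code from the Tracee project or from either commenter; the function names and the pod names are constructed for illustration.

```go
package main

import "fmt"

// Limits taken from the thread: the event context keeps 15 characters of the
// UTS name, while the kernel allows up to 64.
const (
	reportedLen = 15
	utsMaxLen   = 64
)

// reported returns the hostName as an event would carry it. Hostnames are
// assumed to be ASCII, so byte slicing equals character slicing.
func reported(full string) string {
	if len(full) > utsMaxLen {
		full = full[:utsMaxLen]
	}
	if len(full) > reportedLen {
		return full[:reportedLen]
	}
	return full
}

// ambiguous maps each reported hostName to the distinct full hostnames that
// collapse onto it, keeping only values shared by two or more hosts.
func ambiguous(hosts []string) map[string][]string {
	groups := make(map[string][]string)
	seen := make(map[string]bool)
	for _, h := range hosts {
		if !seen[h] {
			seen[h] = true
			groups[reported(h)] = append(groups[reported(h)], h)
		}
	}
	for short, full := range groups {
		if len(full) < 2 {
			delete(groups, short)
		}
	}
	return groups
}

func main() {
	// Constructed pod names in the <deployment>-<replicaset>-<suffix> shape.
	pods := []string{"payments-api-7d9f8b6c5d-m8w1z", "payments-api-7d9f8b6c5d-x2k4q",
		"payments-worker-5c6b7d8f9-abcde", "redis-0"}
	for short, full := range ambiguous(pods) {
		fmt.Printf("%q is shared by %v\n", short, full)
	}
}
```

Any reported value returned here cannot attribute an event to a single pod on its own, so correlation has to fall back on another field such as the container enrichment data mentioned above.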
