hostName field reported by Tracee should be 64 characters long #3840
Comments
Yes, this is "by design" - tracee uses a fixed-size context for each event originated from eBPF code (~132 bytes). Since we now store information about threads/processes in userspace, it might be possible to include the full hostname by saving it there. This task requires some work, including considering the possibility of the UTS name being modified by the process after its initiation.
Hi @yanivagman, thanks for the info. I see it is more than just hostName that is truncated; processName is as well. Perhaps change this to a feature request instead of a bug, considering it is by design. Also, I will add an upvote to consider storing this information in userspace if it can include the whole field. In Kubernetes contexts, hostNames and processNames can get pretty large, and 15 characters is not enough to uniquely identify where a trace occurred easily without some human intervention. For hostName (since my use case is primarily in Kubernetes), I can get the info from the container enrichment fields. For processName, however, I don't have a workaround. With regard to the UTS name (or even processName) being changed by a process after its initialization: is the consideration any different than how it is instrumented today?
Task name (aka "comm") in Linux is limited to 16 characters - https://elixir.bootlin.com/linux/v6.7.5/source/include/linux/sched.h#L291. UTS name, on the other hand, is limited in the kernel to 64 chars, so it is a different case. Regarding "process name", I think the full name you are looking for is actually the binary name. This field will have the full name as part of the path, and we plan to add it to Tracee soon (see context->process->executable here: #2870). BTW, we already keep all the information about processes in userspace today. This is done in here: https://github.com/aquasecurity/tracee/tree/main/pkg/proctree
Version: 0.19.0
An example of this is already in the Tracee repo here
Most of the tests in the project have hostnames that are under 15 characters which is why I think this was not caught before.
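The effect discussed in this thread, as an added example that is not Tracee's code and not part of the issue: it shows how a fixed-size field makes long Kubernetes-style hostnames collide, and how a consumer of events can flag values that may have been cut. The 16-byte NUL-terminated field size, the function names and the sample hostnames are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// fieldLen is an assumption: 16 bytes including the terminating NUL, matching
// the 15 visible characters and the 16-byte task comm mentioned in the thread.
const fieldLen = 16

// truncateField copies s into a fixed NUL-terminated buffer, as a fixed-size
// event context would, and returns what a consumer reads back.
func truncateField(s string) string {
	var buf [fieldLen]byte
	n := copy(buf[:fieldLen-1], s) // last byte stays NUL
	return string(buf[:n])
}

// maybeTruncated reports whether a received value fills the whole field,
// in which case the original name may have been longer.
func maybeTruncated(v string) bool {
	return len(v) >= fieldLen-1
}

// ambiguousHosts groups full hostnames by their truncated form and keeps
// only the truncated values shared by more than one host.
func ambiguousHosts(hosts []string) map[string][]string {
	groups := make(map[string][]string)
	for _, h := range hosts {
		k := truncateField(h)
		groups[k] = append(groups[k], h)
	}
	for k, g := range groups {
		if len(g) < 2 {
			delete(groups, k)
			continue
		}
		sort.Strings(g)
	}
	return groups
}

func main() {
	// Constructed sample pod hostnames, not taken from the issue.
	hosts := []string{"payments-api-7d9f8c6b5-x2kqp", "payments-api-7d9f8c6b5-m8zrt", "redis-0"}
	for k, g := range ambiguousHosts(hosts) {
		fmt.Printf("%q is shared by %v\n", k, g)
	}
}
```

When correlating events by hostName, treat any value for which `maybeTruncated` is true as a prefix rather than a unique identifier, and join on the container enrichment fields instead.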