update readme #70
Merged
update readme #70
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@yanivagman let's move all the TODOs from the readme to github issues: do we want to create issues for these? |
lizrice
suggested changes
Apr 22, 2020
|
|
||
| ## Known Issues | ||
| ## Notes | ||
| As pointers are being dereferenced from userspace memory, a malicious program may change the content being read before it actually gets executed in the kernel. Please consider this when doing security related work with Tracee. | ||
|
|
There was a problem hiding this comment.
I guess this means the Pathname thing is fixed in gobpf?
There was a problem hiding this comment.
So I guess we could either leave this note about Pathname in the readme, or do we want to track it in our own issue?
yanivagman
reviewed
Apr 22, 2020
yanivagman
reviewed
Apr 22, 2020
yanivagman
reviewed
Apr 22, 2020
|
|
||
| Adding new events (especially system calls) to Tracee is straightforward, but one should keep in mind that tracing too many events may cause system performance degradation. Other than that, high event rate can cause samples to be lost (an error message will then be shown as part of the output). For this reason, *read* and *write* syscalls are deliberately excluded from Tracee. |
There was a problem hiding this comment.
You removed the part that says that adding new events to Tracee is easy. I think this is a differentiator from other projects, and it should be noted in the readme
There was a problem hiding this comment.
@lizrice suggested this belongs in the contribution guidelines. wdyt?
|
@lizrice @yanivagman I think I addressed your comments, can you please re-review? |
lizrice
approved these changes
Apr 27, 2020
README.md
Outdated
|
|
||
| * Pathname is missing in execve(at) syscalls - Issue #2627 in BCC project | ||
| When Tracee reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provide "LSM" (Linux Security Module) based events, for example the `bprm_check` event which can reported by tracee and cross-referenced with the reported regular syscall event. |
There was a problem hiding this comment.
Suggested change
| When Tracee reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provide "LSM" (Linux Security Module) based events, for example the `bprm_check` event which can reported by tracee and cross-referenced with the reported regular syscall event. | |
| When Tracee reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provides "LSM" (Linux Security Module) based events, for example the `bprm_check` event which can be reported by tracee and cross-referenced with the reported regular syscall event. |
|
|
||
| ## Known Issues | ||
| ## Notes | ||
| As pointers are being dereferenced from userspace memory, a malicious program may change the content being read before it actually gets executed in the kernel. Please consider this when doing security related work with Tracee. | ||
|
|
There was a problem hiding this comment.
So I guess we could either leave this note about Pathname in the readme, or do we want to track it in our own issue?
Co-Authored-By: Liz Rice <liz@lizrice.com>
Co-Authored-By: Liz Rice <liz@lizrice.com>
Co-Authored-By: Liz Rice <liz@lizrice.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a draft until we push the referenced docker images to aquasec org in docker hub.