-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update readme #70
update readme #70
Conversation
@yanivagman let's move all the TODOs from the readme to github issues:
do we want to create issues for these? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few additions and suggestions here
|
||
## Known Issues | ||
## Notes | ||
As pointers are being dereferenced from userspace memory, a malicious program may change the content being read before it actually gets executed in the kernel. Please consider this when doing security related work with Tracee. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this means the Pathname thing is fixed in gobpf?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can't be true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I guess we could either leave this note about Pathname in the readme, or do we want to track it in our own issue?
|
||
Adding new events (especially system calls) to Tracee is straightforward, but one should keep in mind that tracing too many events may cause system performance degradation. Other than that, high event rate can cause samples to be lost (an error message will then be shown as part of the output). For this reason, *read* and *write* syscalls are deliberately excluded from Tracee. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You removed the part that says that adding new events to Tracee is easy. I think this is a differentiator from other projects, and it should be noted in the readme
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lizrice suggested this belongs in the contribution guidelines. wdyt?
@lizrice @yanivagman I think I addressed your comments, can you please re-review? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggested couple minor typos, but otherwise looks good. Do you think we should keep that note about the missing pathname in execve due to BCC bug?
README.md
Outdated
|
||
* Pathname is missing in execve(at) syscalls - Issue #2627 in BCC project | ||
When Tracee reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provide "LSM" (Linux Security Module) based events, for example the `bprm_check` event which can reported by tracee and cross-referenced with the reported regular syscall event. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When Tracee reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provide "LSM" (Linux Security Module) based events, for example the `bprm_check` event which can reported by tracee and cross-referenced with the reported regular syscall event. | |
When Tracee reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provides "LSM" (Linux Security Module) based events, for example the `bprm_check` event which can be reported by tracee and cross-referenced with the reported regular syscall event. |
|
||
## Known Issues | ||
## Notes | ||
As pointers are being dereferenced from userspace memory, a malicious program may change the content being read before it actually gets executed in the kernel. Please consider this when doing security related work with Tracee. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I guess we could either leave this note about Pathname in the readme, or do we want to track it in our own issue?
Co-Authored-By: Liz Rice <liz@lizrice.com>
Co-Authored-By: Liz Rice <liz@lizrice.com>
Co-Authored-By: Liz Rice <liz@lizrice.com>
This is a draft until we push the referenced docker images to aquasec org in docker hub.