Add file hash to exec events #225
Merged
anjmao reviewed Mar 12, 2024
e113bb6 to 3ef474e
anjmao approved these changes Mar 12, 2024
d5f99c9 to 88fac20
anjmao reviewed Mar 13, 2024
e485793 to 199c666
anjmao reviewed Mar 20, 2024
199c666 to 30cfd70
anjmao reviewed Mar 20, 2024
anjmao approved these changes Mar 20, 2024
641f751 to d5a5aa4
With the enrichment service it is now possible to easily add event enrichers that run outside of the main event reporting hot loop. This can be useful to e.g. calculate hashes for files, as the enrichment process has multiple workers available.
Exec events now feature a sha256 hash field of the executed binary. File access is done via the `/proc` filesystem. In order to also catch short-lived processes, kvisor also tries accessing the file via other processes in the same mount namespace. For this to work in virtualised environments, such as kind, kvisor now also translates PIDs from the origin PID namespace to the namespace it is running in.
It is no longer feasible to run kvisor with `hostPID: false`, as various features depend on this (e.g. the translation for container related PIDs). Hence the option to configure it via the helm chart has been removed. Additionally, the mount of the host's `/proc` directory has also been dropped, as it is no longer required.
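The lookup the description outlines, written out as an added example (not kvisor's own code): read the binary through `/proc/<pid>/exe`, and if the process is already gone, find a live process with the same mount namespace and read the executable path through its `/proc/<other>/root`. The function name `ExeHash`, its `procRoot` parameter (so the logic can run against a constructed directory instead of the real `/proc`) and the readlink form of the namespace id are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strconv"
)

// hashPath returns the hex sha256 of the file at p, or an error if it is unreadable.
func hashPath(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ExeHash hashes the binary executed by pid: first via /proc/<pid>/exe (the inode
// the kernel mapped); if the process already exited, via any live process whose
// /proc/<other>/ns/mnt link equals mntNS (readlink form, e.g. "mnt:[4026531840]"),
// reading exePath through that process's /proc/<other>/root. procRoot is "/proc" live.
func ExeHash(procRoot string, pid int, mntNS, exePath string) (string, error) {
	if sum, err := hashPath(filepath.Join(procRoot, strconv.Itoa(pid), "exe")); err == nil {
		return sum, nil
	}
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return "", err
	}
	for _, e := range entries {
		// Non-PID entries and already-exited PIDs have no readable ns/mnt link.
		ns, err := os.Readlink(filepath.Join(procRoot, e.Name(), "ns", "mnt"))
		if err != nil || ns != mntNS {
			continue
		}
		if sum, err := hashPath(filepath.Join(procRoot, e.Name(), "root", exePath)); err == nil {
			return sum, nil
		}
	}
	return "", fmt.Errorf("pid %d: process exited and no live process shares %s", pid, mntNS)
}
```

Note the difference between the two paths: `/proc/<pid>/exe` hashes the inode the kernel actually executed, while the fallback resolves a path name in another process's root, so a binary replaced on disk between exec and lookup produces a hash of the new file, not the one that ran. Consumers of the hash field should treat the fallback as best-effort and, where it matters, record which path produced the value.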
80e0106 to c95014e
This PR adds some basic infrastructure for adding various event enrichers. It also adds the first enricher, in the form of calculating a sha256 hash over executed files.