Add file hash to exec events #225
Merged
+1,677
−196
Commits on Mar 20, 2024
-
-
With the enrichment service it is now possible to easily add event enrichers, that run outside of the main event reporting hot loop. This can be useful to e.g. calculate hashes for files, as the enrichment process has multiple workers available.
-
Add sha256 sum of executed binaries
Exec events now feature a sha256 hash field, of the executed binary. File access is done via the `/proc` filesystem. In order to also catch short living processes, kvisor also tries accessing the file via other processes in the same mount namespace. For this to work in virtualised environments, such as kind, kvisor now also translates PIDs from the origin PID namespace, to the namespace it is running in.
-
Switch to always run in hostPID namespace
It is no longer feasable to run kvisor with `hostPID: false`, as various features depend on this (e.g. the translation for container related PIDs). Hence the option to configure it via the helm chart has been removed. Additionally, the mount of the hosts `/proc` directory has also been dropped, as it is no longer required.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.