Add unix username in event along the UID #2015
Comments
Hey, thanks for taking the time to open an issue for this. So there are some technical limitations to this, reading The
As of now, Tetragon is compiled statically without CGO, making it possible to run in a distroless environment, we could not use the libc implementation without changing that for that specific feature. On top of that, the Tetragon pod would need to have access to the host So, unfortunately, that feature which might look simple at first sight could require some fundamental changes to Tetragon, especially when deploying on Kubernetes.
FWIW I'm doing the translation (from
Indeed, maybe a script using binaries or an external custom binary (that could be linked against the libc) could be used for those use cases, but integrating that directly in Tetragon is challenging if you want to make it right.
If we think this is the way to go, these limitations and solutions could be documented in tutorials https://tetragon.io/docs/tutorials/.
Thank you both. I am opening this mostly for user experience; from a security perspective, the username means a lot. If Tetragon has such a feature, I am pretty sure it will kill a lot of other similar open source products for observability, especially for security.
@christian-2 yes, looks good to me!
BTW, I'm going through the O'Reilly report Security Observability with eBPF and it appears to me that (if one allows that usernames are a kind of metadata) what we want is conceptually something a bit akin to a "watcher" program as mentioned in the report in relation to a Cloud-native approach to security observability:
By the way, you can already contribute by opening the issue if you want as an enhancement and fill in the information; I'll do that later if you need help. https://github.com/cilium/tetragon/issues/new?assignees=&labels=kind%2Fenhancement&projects=&template=feature_request_template.yaml
Closing this, since #2030 has been opened.
I'm reopening this as it contains most of the information on why this is a complex issue; I will redirect other issues to this one with the context.
Username is useful when Tetragon works on a host. On different hosts the same username can have different UIDs, so the username will help to identify the actual user without access to the host.
could be possible, however, you would need to subscribe to the change of the
Is there an existing issue for this?
Is your feature request related to a problem?
As a security team, we want to know users' activities on a host. However in the current event logs, it only has the user ID, making it hard to trace down to the real user.
Describe the feature you would like
A straightforward way would be to map the user id with the /etc/passwd, and output the username. I've found falco has similar things too, and would like to request a similar thing. https://falco.org/docs/reference/rules/supported-fields/#field-class-user
Describe your proposed solution
Something like this from falco, https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/user.cpp#L60
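As an added example (not Tetragon's or falco's code), the UID-to-username mapping proposed above done in pure Go, parsing passwd(5) text instead of calling getpwuid through libc, which is the constraint a CGO-free static build imposes. The sample passwd content is constructed; in a pod the real file would only be the host's /etc/passwd if it is mounted in, which is an assumption here, and UIDs from containers with their own passwd file resolve to nothing.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ParsePasswd builds a UID -> username map from passwd(5) text ("name:passwd:
// uid:gid:gecos:home:shell") in pure Go, so it works in a CGO-free static
// build. Malformed lines are skipped; the first entry wins on duplicate UIDs.
func ParsePasswd(r io.Reader) (map[uint32]string, error) {
	users := make(map[uint32]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) < 7 || f[0] == "" {
			continue
		}
		uid, err := strconv.ParseUint(f[2], 10, 32)
		if err != nil {
			continue
		}
		if _, seen := users[uint32(uid)]; !seen {
			users[uint32(uid)] = f[0]
		}
	}
	return users, sc.Err()
}

// UsernameFor returns "" for UIDs absent from the host file (e.g. container-only UIDs).
func UsernameFor(users map[uint32]string, uid uint32) string { return users[uid] }
// samplePasswd is constructed data standing in for the host's /etc/passwd,
// which a pod only sees through an explicit host mount (assumed, not Tetragon's setup).
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
# comment line
broken line without fields
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dupe:x:1000:1000::/:/sbin/nologin
`
func main() {
	users, _ := ParsePasswd(strings.NewReader(samplePasswd))
	fmt.Println(UsernameFor(users, 0), UsernameFor(users, 1000), UsernameFor(users, 4242) == "")
}
```

Because the map is a snapshot of the file, an enrichment path would also have to reload it when /etc/passwd changes, which is the subscription problem raised in the comments.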