Add support to monitor BPF program loads/unloads #104
Merged
hi,
we would like to add BPF program tracking into audit daemon,
so we could monitor BPF programs loading and unloading
in the system.
This pull request is RFC to get an idea from you guys how you
feel about this and what perhaps needs to be made differently
or is missing.
thanks for the feedback,
jirka
Adding src/auditd-bpf.c object with BPF related code that:
loop object with handler
The handler function reads the events from memory map
and calls send_audit_event on BPF events generating
following audit messages on BPF program load/unload:
Because of events processing delay we might not be able
to see process name (read from /proc//comm), so the
comm might have the 'N/A' value sometimes.
I added AUDIT_BPF type, but I'm not too sure about the proper number for it, perhaps this should be discussed.
The memory maps should be pretty low traffic and the
default size (4 pages per event) should be enough for
most setups.
However there's a possibility to set up the perf memory map
size with a new auditd config file option:
bpf_mem_pages = <NUM>
It's the number of pages that will be used as the size of the
perf event memory map and must be a power of 2. It's
possible to add a more user-friendly option for setting
the memory size.
It's possible to disable the BPF code with the configure option:
--disable-bpf