New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit: Implement support for fork/vfork/clone/execveat #5701
Audit: Implement support for fork/vfork/clone/execveat #5701
Conversation
0352539
to
ce6a318
Compare
Wow, cool! |
What do you think about filling |
} | ||
|
||
} else if (FLAGS_audit_allow_fork_process_events) { | ||
LOG(WARNING) << "--audit_allow_fork_process_events is ignored without " |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should investigate if this dependency can be expressed using the gflags APIs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be compared to enabling --audit_allow_config
without also having the command line flag that enables Audit.
If we want to conform to the rest of the code, we can just remove the warning log. Otherwise, we could implement a flag validator and make sure that both flags are active.
Which one would you prefer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah sorry, my comment was too general and not helpful. You are right in that we should address/explore gflags more completely later.
Always your call!
|
||
row["cmdline"] += DecodeAuditPathValues(arg.second); | ||
if (row["cmdline"].size() > 0) { | ||
row["cmdline"] += " "; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can also += ' '
return Status::failure("Malformed AUDIT_EXECVE event"); | ||
} | ||
|
||
row["cmdline"] = ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the same as .clear()
.
return Status::failure("Malformed AUDIT_CWD event"); | ||
} | ||
|
||
CopyFieldFromMap(row, cwd_event_record->fields, "cwd", ""); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see common calls with ""
and "0"
as the third argument. Is it worth making this API more explicit with an overload + fall through?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those arguments are the default value to adopt in case the specified field is missing in the field map, and varies depending on the context. How would you change this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Take a look at the inline notes I left. Overall this looks good, GetProcessIDs
looks complex but also well tested.
35fbc19
to
27a1320
Compare
Are you referring to something similar to this? https://github.com/osquery/osquery/pull/5701/files#diff-ba6fdbb94c1ce5b8f9a3950608fbe86fR59 In general, I think we should avoid having too many SELECTs on other tables inside the code (which also makes testing harder). We could maybe achieve the same using a JOIN in the query? |
Also implement an initial test target for the process_events table
I am not entirely sure how If i am wrong - it is definitely achievable with joins, i already use almost the same logic while joining processes table which does not have mode column. However i understand that in my case |
I see what you mean now! Thanks for the explanation 👍 |
I know it may seem weird but GitHub had no idea what was happening in the PR until we forced it to update by changing the base branch.... 🤔 All seems good now |
This fixes issue #5691