Audit: Implement support for fork/vfork/clone/execveat

[alessandrogario]

This fixes issue #5691

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Teddy Reed (a56b43e)
• ✅ Shim Myeongseob (7abf354)
• ✅ Alessandro Gario (7d88db8, 98f892a, a0304ec, af5346e, 2740267, 87cf5b4, c1b209d, 3f562cf, ac037bd, 15c05ac, be23950, de8d0e0, 616135a, 428c4f1)

[theopolis]

Wow, cool!

[loqpa]

What do you think about filling mode column with info from file table in case there are no PATH records?

[theopolis]

We should investigate if this dependency can be expressed using the gflags APIs.

[alessandrogario]

This can be compared to enabling --audit_allow_config without also having the command line flag that enables Audit.

If we want to conform to the rest of the code, we can just remove the warning log. Otherwise, we could implement a flag validator and make sure that both flags are active.

Which one would you prefer?

[theopolis]

Ah sorry, my comment was too general and not helpful. You are right in that we should address/explore gflags more completely later.

Always your call!

[theopolis]

You can also += ' '

[theopolis]

Is this the same as .clear().

[theopolis]

I see common calls with "" and "0" as the third argument. Is it worth making this API more explicit with an overload + fall through?

[alessandrogario]

Those arguments are the default value to adopt in case the specified field is missing in the field map, and varies depending on the context. How would you change this?

[theopolis]

Take a look at the inline notes I left. Overall this looks good, GetProcessIDs looks complex but also well tested.

[alessandrogario]

What do you think about filling mode column with info from file table in case there are no PATH records?

Are you referring to something similar to this? https://github.com/osquery/osquery/pull/5701/files#diff-ba6fdbb94c1ce5b8f9a3950608fbe86fR59

In general, I think we should avoid having too many SELECTs on other tables inside the code (which also makes testing harder). We could maybe achieve the same using a JOIN in the query?

[loqpa]

What do you think about filling mode column with info from file table in case there are no PATH records?

Are you referring to something similar to this? https://github.com/osquery/osquery/pull/5701/files#diff-ba6fdbb94c1ce5b8f9a3950608fbe86fR59

In general, I think we should avoid having too many SELECTs on other tables inside the code (which also makes testing harder). We could maybe achieve the same using a JOIN in the query?

I am not entirely sure how selectAllFrom works, but i think something like
if (row["mode"]=="") row["mode"] = qd.front().at("mode")
at line 67 should not introduce any new SELECTs.

If i am wrong - it is definitely achievable with joins, i already use almost the same logic while joining processes table which does not have mode column.

However i understand that in my case mode column would be a little inconsistent (4 digits records from file vs 7 digits from PATH). This is the main reason behind my question.

[alessandrogario]

What do you think about filling mode column with info from file table in case there are no PATH records?

Are you referring to something similar to this? https://github.com/osquery/osquery/pull/5701/files#diff-ba6fdbb94c1ce5b8f9a3950608fbe86fR59
In general, I think we should avoid having too many SELECTs on other tables inside the code (which also makes testing harder). We could maybe achieve the same using a JOIN in the query?

I am not entirely sure how selectAllFrom works, but i think something like
if (row["mode"]=="") row["mode"] = qd.front().at("mode")
at line 67 should not introduce any new SELECTs.

If i am wrong - it is definitely achievable with joins, i already use almost the same logic while joining processes table which does not have mode column.

I see what you mean now! Thanks for the explanation 👍

[alessandrogario]

I know it may seem weird but GitHub had no idea what was happening in the PR until we forced it to update by changing the base branch.... 🤔

All seems good now