mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 01:55:20 +00:00
5c1bf4ff0c
* deb_packages: Fix include order issue
* bpf_socket_events, bpf_process_events: Initial implementation
* BPF: Add process tracking to process events, remove sockets_event
* CMake: Upgrade the C++ standard to C++17
* BPF: Improve initial system state snapshot and event collection
* BPF: Add tests for SystemStateTracker
* BPF: Add tests for BPFEventPublisher
* BPF: Refactor, add tests for ProcessContextFactory
* Refactor: Improve initial scan/event handling, fix openat
* BPF: Improve event ordering
* BPF: Fix test issue in BPFEventPublisher::processOpenAt
* BPF: Mark WIP functions as deprecated
* BPF: Improve tests
* BPF: Add back bpf_socket_events and connect() support
* BPF: Add Netlink addr support, add bind()
* BPF: Add accept/accept4 support
* BPF: Add tests for BPFEventPublisher::processOpenat2Event
* BPF: Add remaining tests for BPFEventPublisher
* BPF: Add configuration flags for memory management
* BPF: Add cmdline support to ProcessContextFactory
* BPF: Add additional tests
* BPF: Add unit test for SystemStateTracker::accept
* BPF: Update cwd handling
* BPF: Add tests for bpf_socket_events
* BPF: Add tests for bpf_process_events
* BPF: Add json_cmdline hidden column to bpf_process_events
* BPF: Update all copyright headers
* BPF: Add syscall duration in socket_events/process_events
* BPF: Code review changes
* BPF: Update ebpfpub to the latest version
* BPF: Removed unused functions
* BPF: Code review changes. Add whitespace around namespaces
* BPF: Revert header changes in rot13.cpp
* BPF: Code review changes. Rename the bpf_ntime column in bpf_socket_events/bpf_process_events to ntime and make it the last visible column
* BPF: Code review changes. Update the dependencies for the BPF tests
* BPF: Code review changes. Update the dependencies for the BPF table tests
* BPF: Code review changes. Update how characters are appended to strings in the system state tracker class
* BPF: Code review changes. Update the string -> integer conversion utilities in the process context factory class.
* BPF: Hide failed exec syscalls from bpf_process_events results
* BPF: Do not log an error for invalid sockaddr structures
* BPF: Code review changes. Remove clang-format ignore block
* BPF: Code review changes. Update log messages in the BPFEventPublisher class
* BPF: Code review changes. Remove clang-format ignore block around the function tracer descriptors
* BPF: Code review changes. Document the IFilesystem interface
* BPF: Code review changes. Document the IProcessContextFactory interface
* BPF: Code review changes. Document the ISystemStateTracker interface
24 lines
1.2 KiB
Plaintext
table_name("bpf_process_events")
description("Track time/action process executions.")
schema([
    Column("tid", BIGINT, "Thread ID"),
    Column("pid", BIGINT, "Process ID"),
    Column("parent", BIGINT, "Parent process ID"),
    Column("uid", BIGINT, "User ID"),
    Column("gid", BIGINT, "Group ID"),
    Column("cid", INTEGER, "Cgroup ID"),
    Column("exit_code", TEXT, "Exit code of the system call"),
    Column("probe_error", INTEGER, "Set to 1 if one or more buffers could not be captured"),
    Column("syscall", TEXT, "System call name"),
    Column("path", TEXT, "Binary path"),
    Column("cwd", TEXT, "Current working directory"),
    Column("cmdline", TEXT, "Command line arguments"),
    Column("duration", INTEGER, "How much time was spent inside the syscall (nsecs)"),
    Column("json_cmdline", TEXT, "Command line arguments, in JSON format", hidden=True),
    Column("ntime", TEXT, "The nsecs uptime timestamp as obtained from BPF"),
    Column("time", BIGINT, "Time of execution in UNIX time", hidden=True),
    Column("eid", INTEGER, "Event ID", hidden=True),
])
attributes(event_subscriber=True)
implementation("bpf_process_events@bpf_process_events::genTable")
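As an added example (not part of the osquery project or this commit), the query below shows how a monitoring schedule would read the table defined by the spec above. Two points follow directly from the spec: the columns marked hidden=True (json_cmdline, time, eid) are not returned by SELECT *, so they must be named explicitly, and probe_error = 1 means at least one buffer could not be captured, so path, cwd and cmdline in that row may be truncated. The directory prefixes in the WHERE clause are assumptions chosen for illustration, not values from the page.

```sql
-- Added example: consume bpf_process_events as defined in the spec above.
-- Hidden columns (json_cmdline, time, eid) must be listed by name; they are
-- omitted from SELECT *. All column names and meanings come from the spec.
SELECT
  time,            -- hidden: UNIX time of execution
  eid,             -- hidden: event ID, handy for de-duplicating results
  pid,
  parent,
  uid,
  gid,
  cid,
  syscall,
  exit_code,       -- TEXT in the spec, so compare it as a string if needed
  probe_error,     -- 1 means path/cwd/cmdline below may be incomplete
  path,
  cwd,
  cmdline,
  json_cmdline,    -- hidden: arguments as JSON, safer to parse than cmdline
  duration,        -- nanoseconds spent inside the syscall
  ntime            -- BPF uptime timestamp in nanoseconds
FROM bpf_process_events
WHERE probe_error = 1                 -- surface rows whose buffers were truncated
   OR path LIKE '/tmp/%'              -- assumption: illustrative prefixes to review
   OR path LIKE '/dev/shm/%'
ORDER BY time, eid;
```

When this runs as a scheduled query, rows with probe_error = 1 are worth keeping in the output rather than filtering out: the truncated fields cannot be trusted for matching, but the pid, parent and uid columns are still captured and can be correlated with other events.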