osquery-1/specs/linux/bpf_process_events.table
Alessandro Gario 5c1bf4ff0c
Initial implementations for BPF-based socket and process events tables (#6571)
* deb_packages: Fix include order issue

* bpf_socket_events, bpf_process_events: Initial implementation

* BPF: Add process tracking to process events, remove sockets_event

* CMake: Upgrade the C++ standard to C++17

* BPF: Improve initial system state snapshot and event collection

* BPF: Add tests for SystemStateTracker

* BPF: Add tests for BPFEventPublisher

* BPF: Refactor, add tests for ProcessContextFactory

* Refactor: Improve initial scan/event handling, fix openat

* BPF: Improve event ordering

* BPF: Fix test issue in BPFEventPublisher::processOpenAt

* BPF: Mark WIP functions as deprecated

* BPF: Improve tests

* BPF: Add back bpf_socket_events and connect() support

* BPF: Add Netlink addr support, add bind()

* BPF: Add accept/accept4 support

* BPF: Add tests for BPFEventPublisher::processOpenat2Event

* BPF: Add remaining tests for BPFEventPublisher

* BPF: Add configuration flags for memory management

* BPF: Add cmdline support to ProcessContextFactory

* BPF: Add additional tests

* BPF: Add unit test for SystemStateTracker::accept

* BPF: Update cwd handling

* BPF: Add tests for bpf_socket_events

* BPF: Add tests for bpf_process_events

* BPF: Add json_cmdline hidden column to bpf_process_events

* BPF: Update all copyright headers

* BPF: Add syscall duration in socket_events/process_events

* BPF: Code review changes

* BPF: Update ebpfpub to the latest version

* BPF: Removed unused functions

* BPF: Code review changes

Add whitespace around namespaces

* BPF: Revert header changes in rot13.cpp

* BPF: Code review changes

Rename the bpf_ntime column in bpf_socket_events/bpf_process_events
to ntime and make it the last visible column

* BPF: Code review changes

Update the dependencies for the BPF tests

* BPF: Code review changes

Update the dependencies for the BPF table tests

* BPF: Code review changes

Update how characters are appended to strings in the
system state tracker class

* BPF: Code review changes

Update the string -> integer conversion utilities in the
process context factory class.

* BPF: Hide failed exec syscalls from bpf_process_events results

* BPF: Do not log an error for invalid sockaddr structures

* BPF: Code review changes

Remove clang-format ignore block

* BPF: Code review changes

Update log messages in the BPFEventPublisher class

* BPF: Code review changes

Remove clang-format ignore block around the function tracer
descriptors

* BPF: Code review changes

Document the IFilesystem interface

* BPF: Code review changes

Document the IProcessContextFactory interface

* BPF: Code review changes

Document the ISystemStateTracker interface
2020-10-16 01:14:00 -07:00

table_name("bpf_process_events")
description("Track time/action process executions.")
schema([
    Column("tid", BIGINT, "Thread ID"),
    Column("pid", BIGINT, "Process ID"),
    Column("parent", BIGINT, "Parent process ID"),
    Column("uid", BIGINT, "User ID"),
    Column("gid", BIGINT, "Group ID"),
    Column("cid", INTEGER, "Cgroup ID"),
    Column("exit_code", TEXT, "Exit code of the system call"),
    Column("probe_error", INTEGER, "Set to 1 if one or more buffers could not be captured"),
    Column("syscall", TEXT, "System call name"),
    Column("path", TEXT, "Binary path"),
    Column("cwd", TEXT, "Current working directory"),
    Column("cmdline", TEXT, "Command line arguments"),
    Column("duration", INTEGER, "How much time was spent inside the syscall (nsecs)"),
    # Hidden columns are omitted from SELECT * but can be selected by name.
    Column("json_cmdline", TEXT, "Command line arguments, in JSON format", hidden=True),
    Column("ntime", TEXT, "The nsecs uptime timestamp as obtained from BPF"),
    Column("time", BIGINT, "Time of execution in UNIX time", hidden=True),
    Column("eid", INTEGER, "Event ID", hidden=True),
])
attributes(event_subscriber=True)
implementation("bpf_process_events@bpf_process_events::genTable")
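The following query is an added example of how a detection engineer would consume this schema; it is not part of the spec file or of the osquery project. It assumes the table is being populated (osqueryd started with BPF-based events enabled; check `osqueryd --help` for the exact flag on your build) and that the `syscall` column carries Linux syscall names such as `execve` and `execveat`, which is an assumption about the publisher's naming. It selects the hidden `time` column by name, casts the TEXT `ntime` column before ordering on it, converts the nanosecond `duration`, and keeps rows with `probe_error = 1` instead of discarding them, because a lost buffer means `path` or `cmdline` may be truncated, and silently dropping those rows would create a blind spot.

```sql
-- Added example (not the osquery project's code): exec events for binaries
-- under world-writable directories, with a capture-quality marker.
-- Assumes 'syscall' holds Linux syscall names ('execve', 'execveat').
SELECT
  time,                                 -- hidden column, selectable by name
  CAST(ntime AS INTEGER) AS ntime_ns,   -- ntime is TEXT; cast before sorting
  pid,
  parent,
  uid,
  gid,
  cid,
  syscall,
  path,
  cwd,
  cmdline,
  duration / 1000 AS duration_us,       -- duration column is in nanoseconds
  CASE probe_error
    WHEN 1 THEN 'partial'               -- a buffer was lost; path/cmdline may be cut short
    ELSE 'complete'
  END AS capture
FROM bpf_process_events
WHERE syscall IN ('execve', 'execveat')
  AND (
    path LIKE '/tmp/%'
    OR path LIKE '/var/tmp/%'
    OR path LIKE '/dev/shm/%'
  )
ORDER BY ntime_ns;
```

When this runs as a scheduled query, `time` is what osquery uses to window events between runs, so keep it in the projection. If argument boundaries matter to the rule (for example, distinguishing `sh -c "a b"` from `sh -c a b`), read the hidden `json_cmdline` column instead of the space-joined `cmdline`.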