osquery #ebpf

Stefano Bonicatti

06/15/2022, 9:15 AM

Yeah there were also some LPEs due to bugs in the BPF verifier via unprivileged BPF. One can also check

system_controls

to see if unprivileged BPF is enabled.

zwass

07/25/2022, 6:29 PM

What's the status of container support for the bpf evented tables?

zwass

07/26/2022, 6:15 PM

Are the pids returned by

bpf_(process|socket)_events

the global pid or in-container pid?

zwass

08/09/2022, 5:03 PM

Bringing some things out of DM from @alessandrogario

alessandrogario  [9:52 AM]
The procfs-based approach can be a really useful addition to the processes table; it can't be used for events if the containers or the processes are shortlived. in that case, we have to update ebpfpub. To do that, we just have to
detect if btf can be constructed
pass a constructed btf object to FunctionTracer (osquery/events/linux/bpf/bpfeventpublisher.cpp), ideally only for fork/vfork/clone so that we don't add 64 bytes of overhead to all the probes
update the sytem state tracker (osquery/events/linux/bpf/systemstatetracker.h) to propagate the cgroup names

alessandrogario  [9:52 AM]
I think having both approaches would be really cool

alessandrogario  [9:55 AM]
I've merged an example
Initializing btf: <https://github.com/trailofbits/ebpfpub/blob/main/examples/execsnoop/src/main.cpp#L167>
Reading the cgroup names: <https://github.com/trailofbits/ebpfpub/blob/main/examples/execsnoop/src/main.cpp#L79>

alessandrogario

08/09/2022, 5:04 PM

I think this should cover the original feature request i got on the library; if there's anything else I can help with let me know (here or in private is perfectly fine!)

Artemis Tosini

08/09/2022, 5:10 PM

I'll get an AWS server to test it since I've been having weird issues with my VM on top of macOS. I definitely do see the utility in both, getting things from procfs is a pain, especially since the readfile syscall isn't upstream

alessandrogario

08/09/2022, 5:18 PM

I think the procfs approach to improve the processes table is even better, it's a great idea and definitely useful on all kind of deployments

Artemis Tosini

08/11/2022, 4:20 PM

Not using eBPF but I have a draft PR for adding cgroups to the processes table: https://github.com/osquery/osquery/pull/7728

Artemis Tosini

08/11/2022, 4:22 PM

I'm not sure how to deal with cgroups v1 since that would blow up the schema (There are 13 different controllers and each can get their own hierarchy)

alessandrogario

08/11/2022, 5:06 PM

This is going to be really useful!

Artemis Tosini

08/11/2022, 7:48 PM

I fixed some test issues, I'd appreciate any testing you can do

alessandrogario

08/17/2022, 10:51 AM

I experimented a bit with a sql function to extract the container name from it, and it's so useful. Draft code below:

alessandrogario

08/17/2022, 10:51 AM

/**
 * Copyright (c) 2014-present, The osquery authors
 *
 * This source code is licensed as defined by the LICENSE file found in the
 * root directory of this source tree.
 *
 * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
 */

#include <string_view>
#include <vector>

#include <osquery/logger/logger.h>

#include <sqlite3.h>

namespace osquery {

namespace {

const std::vector<std::string> kPrefixList{
    "libpod-conmon-",
    "libpod-",
    "docker-",
};

const std::string kSeparatorList{"./"};

void cgroupContainerName(sqlite3_context* context,
                         int argc,
                         sqlite3_value** argv) {
  auto buffer_ptr = reinterpret_cast<const char*>(sqlite3_value_text(argv[0]));
  if (buffer_ptr == nullptr) {
    sqlite3_result_null(context);
    return;
  }

  auto buffer_size = std::strlen(buffer_ptr);
  std::string_view cgroup_path(buffer_ptr, buffer_size);

  for (const auto& prefix : kPrefixList) {
    auto start_index = cgroup_path.find(prefix);
    if (start_index == std::string::npos) {
      continue;
    }

    start_index += prefix.size();

    auto end_index = cgroup_path.find_first_of(kSeparatorList, start_index);
    auto substr_size = (end_index != std::string::npos)
                           ? end_index - start_index
                           : std::string::npos;

    auto container_name = cgroup_path.substr(start_index, substr_size);

    sqlite3_result_text(context,
                        container_name.data(),
                        container_name.size(),
                        SQLITE_TRANSIENT);
    return;
  }

  sqlite3_result_null(context);
}

} // namespace

void registerCgroupUtilsExtensions(sqlite3* db) {
  sqlite3_create_function(db,
                          "cgroup_container_name",
                          -1,
                          SQLITE_UTF8 | SQLITE_DETERMINISTIC,
                          nullptr,
                          cgroupContainerName,
                          nullptr,
                          nullptr);
}
} // namespace osquery

alessandrogario

08/17/2022, 10:52 AM

osqueryd -S 'SELECT name, cgroup_path, cgroup_container_name(cgroup_path) AS container FROM processes WHERE container <> "";' 
+--------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------+
| name   | cgroup_path                                                                                            | container                                                        |
+--------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------+
| conmon | /machine.slice/libpod-conmon-b8c8b2f3d8dcffed531ea0557e59e740264a1b2a3d6b76fd86b2c258309e3254.scope    | b8c8b2f3d8dcffed531ea0557e59e740264a1b2a3d6b76fd86b2c258309e3254 |
| bash   | /machine.slice/libpod-b8c8b2f3d8dcffed531ea0557e59e740264a1b2a3d6b76fd86b2c258309e3254.scope/container | b8c8b2f3d8dcffed531ea0557e59e740264a1b2a3d6b76fd86b2c258309e3254 |
+--------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------+

alessandrogario

08/17/2022, 10:53 AM

Another thing that could be useful is something to get the backend name, like Docker, podman, etc

seph

08/17/2022, 12:24 PM

I suspect you can do those with

REGEX_MATCH

but

cgroup_container_name

seems less fiddly 🙂

alessandrogario

08/17/2022, 4:17 PM

@Artemis Tosini would something similar to this functionality be interesting for your future enhancements roadmap?

alessandrogario

09/27/2022, 1:34 AM

We have a new BPF PoC here: https://github.com/osquery/osquery/pull/7773 Test packages: https://github.com/osquery/osquery/actions/runs/3132085206 TLDR: With BTF (built-in kernel debug symbols, in kernels >= ~5.3) we can now read kernel structures while also respecting the osquery guidelines of having no external dependencies. This means we no longer need to trace a large amount of system calls, which was solved by auto-generating the BPF probes using LLVM IR. The new probes are written in C! We have some additional advantages compared to other solutions, like being able to inspect private kernel types (thanks to the debug info we are parsing). If there is interest and some spare time during the next office hours, I'll briefly walk over this PR and explain what it contains, how it was built and why. It still requires some work, and it's currently marked as an experiment and not a stable feature (more on this in the PR description). As previously stated it is going to require newer kernels, so we may still have to keep the current implementation for a while

zwass

09/28/2022, 10:10 PM

@alessandrogario do you have some time Monday that we could meet with @Artemis Tosini and talk about joining in on the eBPF work? Our schedules are fairly open. Perhaps 5PM your time?

alessandrogario

09/29/2022, 3:04 PM

Totally unrelated, live streaming for the second day of the (free) ebpf-summit event https://ebpf.io/summit-2022/day-2

ag4ve

09/29/2022, 8:35 PM

so, that talk where the guy showed a ./query-bpf (which I searched for and couldn’t find) that created and deployed a program and filter and showed the events - that’s possible in osquery?

alessandrogario

10/01/2022, 3:56 PM

Pushed a new update to PR7773, fixing support for Ubuntu 20.04 LTS (kernel 5.15.0-48-generic) The new packages can be downloaded from here: https://github.com/osquery/osquery/actions/runs/3164969151 (files are only visible for logged in users)

alessandrogario

10/04/2022, 8:33 AM

@Zander Mackie && @Matt Uebel Would it be possible for you to try out these packages? This is from the following PR: https://github.com/osquery/osquery/pull/7773 (packages are from this runner: https://github.com/osquery/osquery/actions/runs/3177333118)

Artemis Tosini

10/14/2022, 6:58 PM

I think there's a TOCTOU in the execveat example of ebpfpub, though there shouldn't be an issue if you use the tracepoint like in linuxevents

Lili

11/25/2022, 9:15 AM

Hello Everyone! I am testing usage ebpf with osquery, but sometimes get this errors: 1.

orbit[24125]: I1125 11:47:48.859995 24164 rocksdb.cpp:67] RocksDB: [ERROR] [table/block_based/block_based_table_reader.cc:1090] Encountered error while reading data from properties block IO error: While pread offset 4655206 len 40: /opt/orbit/osquery.db/004706.sst: Is a directory

orbit[24125]: I1125 11:47:48.955194 24164 rocksdb.cpp:67] RocksDB: [ERROR] [db/db_impl/db_impl_compaction_flush.cc:2624] Waiting after background flush error: IO error: While pread offset 4655206 len 40: /opt/orbit/osquery.db/004706.sst: Is a directoryAccumulated background error counts: 1

orbit[24125]: E1125 11:49:16.361975 25035 shutdown.cpp:79] Error adding new results to database for query pack/Global/bpf_socket_events (test)-1: IOError: Is a directory

orbit[13777]: I1125 11:43:09.381443 13824 rocksdb.cpp:67] RocksDB: [WARN] [db/error_handler.cc:387] Background IO error IO error: While appending to file: /opt/orbit/osquery.db/005943.sst: Bad file descriptor

orbit[13777]: I1125 11:43:09.381582 13824 rocksdb.cpp:67] RocksDB: [ERROR] [db/db_impl/db_impl_compaction_flush.cc:2624] Waiting after background flush error: IO error: While appending to file: /opt/orbit/osquery.db/005943.sst: Bad file descriptorAccumulated background error counts: 1

orbit[13777]: E1125 11:44:52.375362 19350 shutdown.cpp:79] Error adding new results to database for query pack/Global/ebpf proccess events (test): IOError: Bad file descriptor

After that agent is restarted. Why this errors occurs? Maybe I can tune some flags for exclude this error? Query: 1.

SELECT uid, gid, local_address, local_port, path, pid, remote_address, remote_port, ntime, duration, family, exit_code FROM bpf_socket_events WHERE path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');

SELECT cmdline, ntime, cwd, gid, uid, parent, path, pid FROM bpf_process_events;

Flags used:

table_delay: 200
  augeas_lenses: /usr/share/augeas/lenses/dist
  logger_plugin: tls
  disable_events: false
  watchdog_delay: 120
  buffered_log_max: 3000000
  disable_watchdog: false
  enable_bpf_events: true
  logger_min_stderr: 1
  logger_tls_period: 1
  logger_tls_max_lines: 8192
  watchdog_memory_limit: 2048
  bpf_buffer_storage_size: 4096

Fleet version: 4.23.0 Agent version: 1.3.0 Osquery version: 5.5.1 VM has 8 GB RAM, 4 CPU.

Andrea

01/17/2023, 5:22 PM

Hello everyone, I have a quick question. I briefly looked at the osquery code base and it looks like “exit” is not implemented yet. Also it looks like it is not implemented on

ebpfpub

. is that correct or I missed it ?

Sunil Kahalekar

02/27/2023, 6:55 AM

Hey hi all, I try to implement bpf file events table. Please go through raised PR. Implementations for bpf based file events i.e inclusion of bpf_file_events table for Linux #7947. https://github.com/osquery/osquery/pull/7947

Nick Cheng

04/14/2023, 12:51 AM

@Nick Cheng has left the channel

Nick Cheng

04/14/2023, 12:59 AM

I am starting osqueryd like with "--disable_events=false --enable_bpf_events=true". It runs, but looks like ebpf probes were created correctly:

I0414 00:54:17.598778 839266 bpfeventpublisher.cpp:254] Failed to load the BPF probe for syscall fork: Failed to open the tracepoint descriptor file: /sys/kernel/debug/tracing/events/syscalls/sys_enter_fork/id. This syscall may not be available on this system, continuing despite the error
I0414 00:54:17.599380 839266 bpfeventpublisher.cpp:254] Failed to load the BPF probe for syscall vfork: Failed to open the tracepoint descriptor file: /sys/kernel/debug/tracing/events/syscalls/sys_enter_vfork/id. This syscall may not be available on this system, continuing despite the error
I0414 00:54:17.655769 839266 bpfeventpublisher.cpp:267] Initialized BPF probe for syscall clone (33)
I0414 00:54:17.715793 839266 bpfeventpublisher.cpp:254] Failed to load the BPF probe for syscall close: Module verification failed: Stored value type does not match pointer operand type!
  store i32 %29, i64* %30
 i64Stored value type does not match pointer operand type!
  store i8 %32, i64* %33
 i64
I0414 00:54:17.716641 839266 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Failed to create the function tracer: Module verification failed: Stored value type does not match pointer operand type!
  store i32 %29, i64* %30
 i64Stored value type does not match pointer operand type!
  store i8 %32, i64* %33
 i64

and I checked /sys/kernel/debug/tracing/events/syscalls/ has many sys_enter_*, but not _fork or _vfork.

Andrea

04/21/2023, 9:59 AM

Hello everyone, I am playing with BPF these days and I see we can trace kernel’s function calls via

kprobe

. I don’t think we can trace a returning function with the

kretprobe

though. Is that correct or am I missing something ? my use case would be tracing

tcp_v4_connect

the same way

bcc/tools/tcpconnect

does, which looks better for tracing local/destination address+port than tracing connect() bind() accept() separately (again..unless I missed something 🙂 ). Any pointer would be appreciated! thanks