I am starting osqueryd like with disable events=false enable osquery #ebpf

I am starting osqueryd like with "--disable_events...

Nick Cheng

04/14/2023, 12:59 AM

I am starting osqueryd like with "--disable_events=false --enable_bpf_events=true". It runs, but looks like ebpf probes were created correctly:

Copy code

I0414 00:54:17.598778 839266 bpfeventpublisher.cpp:254] Failed to load the BPF probe for syscall fork: Failed to open the tracepoint descriptor file: /sys/kernel/debug/tracing/events/syscalls/sys_enter_fork/id. This syscall may not be available on this system, continuing despite the error
I0414 00:54:17.599380 839266 bpfeventpublisher.cpp:254] Failed to load the BPF probe for syscall vfork: Failed to open the tracepoint descriptor file: /sys/kernel/debug/tracing/events/syscalls/sys_enter_vfork/id. This syscall may not be available on this system, continuing despite the error
I0414 00:54:17.655769 839266 bpfeventpublisher.cpp:267] Initialized BPF probe for syscall clone (33)
I0414 00:54:17.715793 839266 bpfeventpublisher.cpp:254] Failed to load the BPF probe for syscall close: Module verification failed: Stored value type does not match pointer operand type!
  store i32 %29, i64* %30
 i64Stored value type does not match pointer operand type!
  store i8 %32, i64* %33
 i64
I0414 00:54:17.716641 839266 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Failed to create the function tracer: Module verification failed: Stored value type does not match pointer operand type!
  store i32 %29, i64* %30
 i64Stored value type does not match pointer operand type!
  store i8 %32, i64* %33
 i64

and I checked /sys/kernel/debug/tracing/events/syscalls/ has many sys_enter_*, but not _fork or _vfork.

alessandrogario

04/14/2023, 4:56 PM

Hello Nick, thanks for the report 🙂 So the real problem is actually the verification step and not the missing system calls. Could you share with us which system you are using? (distro name/version + kernel version)

Nick Cheng

04/14/2023, 4:59 PM

uname -r

5.10.41-rt42+g91779bd5e303

it is

Automotive Grade Linux

(AGL)

alessandrogario

04/14/2023, 5:03 PM

Side note, you could try this out too if you are interested in just process events: https://github.com/osquery/osquery/tree/master/osquery/experimental/experiments/linuxevents This is an experimental feature still, but will perform a lot better in terms of cpu/memory usage

Nick Cheng

04/14/2023, 5:04 PM

thanks for the tip, let me take a look at this 🙂

alessandrogario

04/14/2023, 5:05 PM

It can be enabled with the following flag:

--experiment_list=linuxevents

Additional settings can be found in the above page

Nick Cheng

04/14/2023, 5:05 PM

cool!

alessandrogario

04/14/2023, 5:05 PM

The table is named

bpf_process_events_v2

7 Views

Open in Slack

Previous Next