Are the pids returned by `bpf process|socket events` the glo osquery #ebpf

Are the pids returned by `bpf_(process|socket)_eve...

zwass

07/26/2022, 6:15 PM

Are the pids returned by

bpf_(process|socket)_events

the global pid or in-container pid?

alessandrogario

07/26/2022, 6:43 PM

They are global PIDs, from the host perspective

alessandrogario

07/26/2022, 6:47 PM

Compared to audit, I've implemented something that translates the return value for fork/vfork/clone to the host PID

zwass

07/26/2022, 6:48 PM

Nice.

3 Views