Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
alessandrogario
01/22/2021, 12:25 PMSo a couple of additional notes on the matter
1. We should rename exit_code to syscall_exit_code or something else that better describes the meaning of that value
2. It is possible to capture the program exit code, but that requires additional tracing (exit and exit_group). If you think it could be useful, we could open a feature request/blueprint
3. In the case of Audit, when receiving SYSCALL events we discard everything if the 'success' field is not set to 'yes'. This means that failed execve/execveat should never appear under Audit. I think that BPF should follow what Audit is doing here
i
Ivanlei
01/25/2021, 4:31 PMfor 3 - this prevents osquery from tracking async sockets which is a bummer.
a
alessandrogario
01/25/2021, 4:40 PMThat is true, I actually had a PR for changing this; the problem is that unless we start tracking the file descriptors there is no way to tell if a file descriptor has the async non-blocking flag set
On BPF we are tracking them however; I am wondering what the best approach is, ideally we should try to not have too many differences between the tables
c
clong
01/29/2021, 3:55 AMI don't see exit codes (syscall or otherwise) as being an exceedingly important datapoint to have (from a security perspective at least). I would be happy just seeing the column renamed to
syscall_exit_code👍 1