# ebpf
a
So a couple of additional notes on the matter:

1. We should rename exit_code to syscall_exit_code or something else that better describes the meaning of that value.
2. It is possible to capture the program exit code, but that requires additional tracing (exit and exit_group). If you think it could be useful, we could open a feature request/blueprint.
3. In the case of Audit, when receiving SYSCALL events we discard everything if the 'success' field is not set to 'yes'. This means that failed execve/execveat should never appear under Audit. I think that BPF should follow what Audit is doing here.
i
For 3: this prevents osquery from tracking async sockets, which is a bummer.
a
That is true; I actually had a PR for changing this. The problem is that unless we start tracking the file descriptors, there is no way to tell if a file descriptor has the async non-blocking flag set.
On BPF we are tracking them, however; I am wondering what the best approach is. Ideally we should try not to have too many differences between the tables.
c
I don't see exit codes (syscall or otherwise) as being an exceedingly important datapoint to have (from a security perspective at least). I would be happy just seeing the column renamed to `syscall_exit_code`.