#ebpf

alessandrogario

01/22/2021, 12:25 PM
So a couple of additional notes on the matter:
1. We should rename exit_code to syscall_exit_code or something else that better describes the meaning of that value
2. It is possible to capture the program exit code, but that requires additional tracing (exit and exit_group). If you think it could be useful, we could open a feature request/blueprint
3. In the case of Audit, when receiving SYSCALL events we discard everything if the 'success' field is not set to 'yes'. This means that failed execve/execveat should never appear under Audit. I think that BPF should follow what Audit is doing here

Ivanlei

01/25/2021, 4:31 PM
for 3 - this prevents osquery from tracking async sockets which is a bummer.

alessandrogario

01/25/2021, 4:40 PM
That is true, I actually had a PR for changing this; the problem is that unless we start tracking the file descriptors there is no way to tell if a file descriptor has the async non-blocking flag set
4:40 PM
On BPF we are tracking them however; I am wondering what the best approach is, ideally we should try to not have too many differences between the tables

clong

01/29/2021, 3:55 AM
I don't see exit codes (syscall or otherwise) as being an exceedingly important datapoint to have (from a security perspective at least). I would be happy just seeing the column renamed to syscall_exit_code