Latest packages for BPF support. This adds back bpf_socket_events with listen, accept, accept4, socket and connect. There are still no unit tests for this table, so expect hidden bugs!

@alessandrogario are these packages OS and version specific? Will this run on ubuntu server 20.04?

They have been built with the osquery toolchain, so they should be portable

I download the ZIP provided and I installed. Based on the PR and this Slack channel I ran the following command:

sudo osqueryd -S --verbose --enable_bpf_socket_events --enable_bpf_process_events --disable_events=false

but received

ubuntuvm:/tmp/20200929_osquery_pr6571_bpf$ sudo osqueryd -S --verbose --enable_bpf_socket_events --enable_bpf_process_events --disable_events=false

ERROR: unknown command line flag 'enable_bpf_process_events'
ERROR: unknown command line flag 'enable_bpf_socket_events'

aaargh I need to update the docs. So since I need to trace all the syscalls regardless of which table the user wants to use, i removed those flags

I had an Ubuntu server 20.04.1 64-bit machine with 2GBs of memory and it was not enough

Yeah, it's the following settings inside bpfeventpublisher.cpp:

const std::size_t kPerfEventArraySize{12U};
const std::size_t kBufferStorageSize{4096U};
const std::size_t kEventMapSize{2048};

kPerfEventArraySize = power of 2, determines how big the main ring buffer containing basic types is (integers, pointers, process id, uid....) Memory usage: 2^kPerfEventArraySize * cpu_count kBufferStorageSize = how many slots of 4k bytes are allocated in each BufferStorage object. 1 slot = 1 string (example: filename in open) or buffer (example: sockaddr in connect) Memory usage: (kBufferStorageSize * 4k * cpu_count) for each buffer storage (we currently have 4) kEventMapSize: memory map used to merge the enter tracepoint with the exit tracepoint. Each slot is really small, and its memory usage is low