Add tests for non-recursive kprobe fim#3
Merged
pkoutsovasilis merged 1 commit into pkoutsovasilis:pkoutsovasilis/kprobe_fim from Tacklebox:mborden/kprobe_fim_nonrecursive_test on Jan 31, 2024
Conversation
pkoutsovasilis pushed a commit that referenced this pull request on Jan 31, 2024
pkoutsovasilis added a commit that referenced this pull request on Feb 15, 2024
* feat: add helper funcs to get symbol info from /proc/kallsyms
* feat: introduce fixed executor that always runs funcs from the same os thread
* feat: add probe manager to handle building tracing kprobes from tk-btf ones
* feat: define probe events with corresponding alloc and release funcs
* feat: embed stripped btf files and add helper funcs to read them
* feat: add fsnotify, fsnotify_nameremove, fsnotify_parent and vfs_geattr tk-btf probe builders in probe manager
* feat: implement path traverser to produce monitor events by walking a path
* feat: implement directory entries cache
* feat: implement event processor to process probe events and, based on directory entry cache, emit the respective event
* feat: implement event verifier that validates that the expected sequence of generated fs events is properly emitted
* feat: add perfChannel to reduce tracing.PerfChannel boilerplate code and satisfy testing needs
* feat: implement monitor that ties together path traverser, perf channel and event emitting
* feat: implement probe verification at runtime and the creation of a new monitor based on these
* feat: implement event reader for kprobe-based file integrity module
* doc: update NOTICE.txt to include tk-btf license
* feat: add tests for non-recursive kprobe fim (#3)
* fix: remove existing file from cache when a move operation is overwriting it
* feat: introduce force_backend for file integrity auditbeat module
* ci: add necessary volume mounts for kprobes backend in auditbeat docker-compose.yml
* feat: add the instantiation of file integrity module with kprobes backend
* doc: update CHANGELOG.next.asciidoc
* fix: address compilation issues for non-linux oses
* fix: correct folder permission for path traverser unit-test
* fix: build kprobe package and unit-tests only for linux
* ci: extend test_file_integrity.py to test kprobes backend of file integrity module
* ci: extend TestNew in monitor to include actual file changes
* ci: mark with nolint prealloc slices that can't be pre-allocated
* chore: inline defer funcs
* fix: return the scanner error if any
* fix: remove redundant runtime os checks for linux
* doc: comment that dEntryCache is not thread-safe
* fix: set the appropriate verbosity of errors of watcher
* fix: check for scanner.Err and return err from parsing mountinfo lines
* fix: remove redundant fim_backends list from test_file_integrity.py
* fix: gofumpt kprobes package
* fix: highlight unused context in event processor
* fix: increase interval period of wait_output as kprobes require more time to verify the probes and print output
* fix: proper formatting for auditbeat.reference.yml
* fix: proper formatting for x-pack/auditbeat/auditbeat.reference.yml

---------

Co-authored-by: Maxwell Borden <Tacklebox@users.noreply.github.com>
This PR just has the test for non-recursive mode. The wiring for the config will be coming shortly 🙏