[WIP]: bpf & pkg: Add selectors for audit ids #2065
Hey, welcome! Thanks for taking the time to create this PR, would you like to introduce a bit more context on why you wanted to add that? What was your specific use case? :) Thanks!
Yes, we need to write something like: "A filter on this, as an example, allows following all operations performed by user id 1000. Another use case is to follow all authenticated users, except system services which have a loginuid -1 (4294967295)". Thanks for the contribution, will review it.
6b8d521 to 3068c29
The current changes do not support multiple loginuid operators. I will submit patch v2 to support it.
Hi @Jianlin-lv no worries, thank you very much for your contributions ;-) ! BTW if ci test fail on 4.9 kernel for bpf complexity, you can surround your bpf changes with Feel free to convert to draft.
b9af5c1 to e76ffe8
e76ffe8 to a0f27b8
Could you give a hint about how to fix vmtest fail about kernel 5.4/4.19/bpf-next? @tixxdz
Hi! We have some instructions here: https://github.com/cilium/tetragon/tree/main/tests/vmtests
Hi @Jianlin-lv, as pointed out by Kornilios, those tests will help you to isolate tests and better debug. Also, I remember when I took a look quickly it hints toward ebpf or assembly. Sorry, past days didn't have enough time, I will pull your branch by end of this week and help.
Thank you both for your help. I will attempt to debug this issue.
Hi guys, sorry to interrupt, I didn't have any progress from my side, because vm testing env setup failed on my VM.
Sorry, it is on my review list, just didn't have enough time especially past days with releasing OSS and EE versions, I hope we will get to it as we also want this feature.
457c316 to 44b7bea
This commit introduces the "matchLoginUids" selectors, which support filtering based on the audit ID of a process.

A process is given an audit ID on user login, that is the loginuid. This ID is set during user authentication and handed down to any child process started by the initial process of the user, even when the user's identity changes.

The `matchLoginUids` filter supports defining up to four operators,

- `Equal`
- `NotEqual`
- `GreaterThan`
- `LessThan`

which are logically `AND` together.

The loginuid is used to track user's activity. For example, the following matchLoginUids filter allows following operations performed by user id 1000.

```
- matchLoginUids:
  - operator: "Equal"
    values:
    - 1000
```

Signed-off-by: Jianlin Lv <jianlv@ebay.com>
44b7bea to 85b4f6c
Related: #1943