
process:exit: ensure that the "status" process exit code field is always set

Open tixxdz opened this issue 1 year ago • 3 comments

Original issue: Seems if a process is started before tetragon, then when it exits we may not get the process_exit->status field (the exit code).

Updated one: seems we don't print the process_exit->status field anymore.

Tasks:

  • [ ] Tetragon daemon: ensure that we always export the process_exit->status field for all processes, even the ones that started before tetragon.
  • [ ] Tetra cli: ensure we print it in the JSON; maybe the bug is here in the tetra cli?
  • [ ] Add tests to cover Tetragon daemon to assert that process_exit->status is set.

tixxdz avatar Apr 07 '23 22:04 tixxdz

Seems if a process is started before tetragon, then when it exits we may not get the process_exit->status field (the exit code).

@tixxdz can you give me more info on what to fix, as I was trying to fix it? Should I modify the code in this file?

RickDeb2004 avatar May 23 '23 12:05 RickDeb2004

@RickDeb2004 really sorry for the late reply on this, I missed it.

So the original issue was: before I start tetragon, I do sleep 10, start tetragon then do the cli tetra getevents, I get this:

{
  "process_exit": {
    "process": {
      "exec_id": "OjcwNzg3MDAwMDAwMDo5NjIx",
      "pid": 9621,
      "uid": 1000,
      "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon",
      "binary": "/usr/bin/sleep",
      "arguments": "10",
      "flags": "procFS auid",
      "start_time": "2023-11-07T09:20:43.396990069Z",
      "auid": 1000,
      "parent_exec_id": "OjYwOTYwMDAwMDAwMDo5Mzk2",
      "cap": {},
      "tid": 9621,
      "process_credentials": {
        "uid": 1000,
        "gid": 1000,
        "euid": 1000,
        "egid": 1000,
        "suid": 1000,
        "sgid": 1000,
        "fsuid": 1000,
        "fsgid": 1000
      }
    },
    "parent": {
      "exec_id": "OjYwOTYwMDAwMDAwMDo5Mzk2",
      "pid": 9396,
      "uid": 1000,
      "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon",
      "binary": "/usr/bin/bash",
      "flags": "procFS auid",
      "start_time": "2023-11-07T09:19:05.126990053Z",
      "auid": 1000,
      "parent_exec_id": "OjIwMjAwMDAwMDAwMDo0NTAx",
      "cap": {},
      "tid": 9396,
      "process_credentials": {
        "uid": 1000,
        "gid": 1000,
        "euid": 1000,
        "egid": 1000,
        "suid": 1000,
        "sgid": 1000,
        "fsuid": 1000,
        "fsgid": 1000
      }
    },
    "time": "2023-11-07T09:20:53.408386527Z"
  },
  "time": "2023-11-07T09:20:53.408384856Z"
}

I don't get the process_exit->status field, reference here: https://tetragon.io/docs/reference/grpc-api/#processexit

However, I just tested on processes that start after tetragon and we also miss the process_exit->status.

I updated the first paragraph of the issue with tasks.

tixxdz avatar Nov 07 '23 09:11 tixxdz

So we used to get it at some point, and I think we did break it.

tixxdz avatar Nov 07 '23 09:11 tixxdz
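
As an added example (not part of the thread and not Tetragon's own code), here is a Go check in the spirit of the third task: it reads a stream of JSON events and reports every process_exit that has no status key. It assumes the field names seen in the event quoted above and that a "procFS" flag marks a process that predates the daemon; if the encoder omits zero-valued fields, an absent key can also mean exit code 0.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample, one event per line; the first is trimmed from the event in the thread.
const sample = `{"process_exit":{"process":{"exec_id":"OjcwNzg3MDAwMDAwMDo5NjIx","binary":"/usr/bin/sleep","flags":"procFS auid"}}}
{"process_exit":{"process":{"exec_id":"constructed-2","binary":"/usr/bin/false","flags":"execve"},"status":1}}
{"process_exec":{"process":{"exec_id":"constructed-3","binary":"/usr/bin/true","flags":"execve"}}}`

type event struct {
	ProcessExit *struct {
		Process struct {
			ExecID        string `json:"exec_id"`
			Binary, Flags string // matched case-insensitively to "binary" and "flags"
		} `json:"process"`
		Status *uint32 `json:"status"` // pointer: nil means the key was absent
	} `json:"process_exit"`
}

// Finding is one process_exit event that carries no "status" key.
type Finding struct {
	ExecID, Binary string
	FromProcFS     bool // flags contain "procFS" (assumed: process started before the daemon)
}

// MissingExitStatus decodes consecutive JSON events (compact or pretty-printed) and returns exits without a status.
func MissingExitStatus(r io.Reader) (out []Finding, err error) {
	dec := json.NewDecoder(r)
	for {
		var ev event // fresh value so pointers from the previous event do not leak
		if err = dec.Decode(&ev); err == io.EOF {
			return out, nil
		} else if err != nil {
			return out, err // malformed or truncated event
		}
		if pe := ev.ProcessExit; pe != nil && pe.Status == nil {
			p := pe.Process
			out = append(out, Finding{p.ExecID, p.Binary, strings.Contains(p.Flags, "procFS")})
		}
	}
}

func main() {
	fmt.Println(MissingExitStatus(strings.NewReader(sample)))
}
```

The FromProcFS field separates the two cases discussed in the thread: processes that were already running when the daemon started and processes that started afterwards.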