
broken evt.abspath filter

Open aebm opened this issue 8 years ago • 3 comments

Hi,

In sysdig version 0.13.0 the evt.abspath cannot be used for filtering, only for displaying.

Ex:

sudo sysdig  "evt.abspath contains 'stuff'"
filter error: unrecognized field evt.abspath at pos 0

sudo sysdig -p "%evt.abspath" | head -n 3
/proc
/proc/1/task
/proc/2/task

aebm avatar Jan 19 '17 11:01 aebm

This is still present in 0.16.0, despite documentation describing the exact inverse ("FILTER ONLY"). Perhaps this is just a documentation bug, and this needs to be "DISPLAY ONLY"?

charles-dyfis-net avatar Jun 13 '17 21:06 charles-dyfis-net

This is stopping me from using sysdig as a full-fledged FIM (File Integrity Monitoring) tool. I want to capture delete events from directories, but anything that calls an 'at' system call (e.g., unlinkat via rm) has arg[0] as an fd, and I need the abspath to check it against critical directories. As of 0.17.0 I am still unable to use this as a filter.

grudzien avatar Aug 17 '17 02:08 grudzien
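The check the previous comment asks for, resolving an *at() call's dirfd plus relative path into an absolute path and matching it against critical directories, worked through as an added example. This is not sysdig's code and not from the thread: the fd-to-path table, the cwd and the event records are constructed stand-ins for what a tool would read from the process's /proc/<pid>/fd and from the syscall arguments.

```python
"""Resolve an *at() syscall's (dirfd, path) pair to an absolute path, then
test it against critical directories, as a FIM delete check would.

Added example, not sysdig code. FD_TABLE, CWD and EVENTS below are constructed
sample data standing in for /proc/<pid>/fd contents and unlinkat(2) arguments.
"""
import posixpath

AT_FDCWD = -100  # Linux value meaning "resolve relative to the process cwd"


def resolve_abspath(path, dirfd, fd_table, cwd):
    """Return the normalized absolute path an *at() call refers to.

    Mirrors kernel semantics: an absolute path ignores dirfd; AT_FDCWD means
    relative to cwd; any other dirfd is relative to the directory that fd
    refers to. Resolution is lexical only (symlinks are not followed).
    """
    if path.startswith("/"):
        base = "/"
    elif dirfd == AT_FDCWD:
        base = cwd
    else:
        try:
            base = fd_table[dirfd]
        except KeyError:
            raise ValueError(f"unknown dirfd {dirfd}") from None
    return posixpath.normpath(posixpath.join(base, path))


def is_under(path, directory):
    """Prefix test that respects path boundaries: /etc must not match /etcetera."""
    directory = posixpath.normpath(directory)
    if directory == "/":
        return True
    return path == directory or path.startswith(directory + "/")


CRITICAL_DIRS = ["/etc", "/usr/bin", "/boot"]


def flag_critical_deletes(events, fd_table, cwd, critical=CRITICAL_DIRS):
    """Return (abspath, matched_dir) for each event whose target lies in a critical dir."""
    hits = []
    for ev in events:
        abspath = resolve_abspath(ev["path"], ev["dirfd"], fd_table, cwd)
        for directory in critical:
            if is_under(abspath, directory):
                hits.append((abspath, directory))
                break
    return hits


# Constructed sample data (hypothetical process state and events).
FD_TABLE = {3: "/etc", 4: "/home/user/tmp"}
CWD = "/home/user"
EVENTS = [
    {"syscall": "unlinkat", "dirfd": 3, "path": "passwd.bak"},          # /etc/passwd.bak
    {"syscall": "unlinkat", "dirfd": 4, "path": "../../../etc/hosts"},  # climbs out via ..
    {"syscall": "unlinkat", "dirfd": AT_FDCWD, "path": "notes.txt"},    # /home/user/notes.txt
    {"syscall": "unlinkat", "dirfd": 4, "path": "/boot/vmlinuz"},       # absolute, dirfd ignored
    {"syscall": "unlinkat", "dirfd": AT_FDCWD, "path": "/etcetera/x"},  # not /etc
]

if __name__ == "__main__":
    for abspath, directory in flag_critical_deletes(EVENTS, FD_TABLE, CWD):
        print(f"delete in critical dir {directory}: {abspath}")
```

Two of the sample events show why a lexical join alone is not enough: the `..` components have to be normalized before the prefix test, and the prefix test itself has to stop at a path separator. The resolution stays lexical; a symlink inside a resolved component would still need a realpath step against the live filesystem, which this example does not attempt.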

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Feb 25 '23 02:02 github-actions[bot]