ebpf
Elastic's eBPF
New events added:
- EBPF_EVENT_FILE_MEMFD_OPEN
- EBPF_EVENT_FILE_SHMEM_OPEN
- EBPF_EVENT_PROCESS_MEMFD_CREATE
- EBPF_EVENT_PROCESS_SHMGET
- EBPF_EVENT_PROCESS_PTRACE
- EBPF_EVENT_PROCESS_LOAD_MODULE
Also added new fields to the process exec event.
Add Go tests for all probes except `load_kernel_module` (this one will come in the next PR). The test for `shm_open` was not integrated because of the complicated dependencies (libraries) of that glibc...
Would it be feasible to introduce the eBPF capability to Windows environments? Today this is done with certain versions of Linux and the capabilities are quite powerful. I noticed that...
aarch64 CI build times out likely because of EPEL
Also adds flags for whether the exec target has setuid and/or setgid bits set.
Changes required to use skeleton headers for host isolation. It is still possible to use `*bpf.o` files and the Host Isolation demos continue to use those.
Currently, eBPF sensor does not report already running processes. Investigate use of a BPF_ITER program to enumerate all the already running tasks (and consequently, disable the already running logic in...
Podman / overlayfs:
```
{"event_type":"FILE_RENAME","pids": ...,"old_path":"./test","new_path":"./test2"}
```
```
mv-170700 [003] d... 9717.441932: bpf_trace_printk: path truncated
mv-170700 [003] d... 9717.441938: bpf_trace_printk: path truncated
```
Check if the bottleneck is `PATH_RESOLVER_MAX_COMPONENTS` or...
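The issue above asks which limit a path resolver hits on a deep overlayfs mount. The following is an added user-space model of a bounded path walk, written for this page and not taken from the Elastic eBPF sensor: `MAX_COMPONENTS`, `PATH_BUF_SIZE`, the status names and the sample paths are all constructed assumptions (the real `PATH_RESOLVER_MAX_COMPONENTS` value is not on this page). It keeps the two limits (number of parent components walked, bytes written to the output buffer) as separate checks so the caller can tell which one produced the truncation, which is exactly the question the issue leaves open.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits standing in for the sensor's PATH_RESOLVER_MAX_COMPONENTS
 * and its output buffer size; the real values in the eBPF code are assumptions here. */
#define MAX_COMPONENTS 8
#define PATH_BUF_SIZE  80

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

enum resolve_status {
    RESOLVE_OK,
    RESOLVE_TRUNC_COMPONENTS, /* bounded dentry walk never reached the root */
    RESOLVE_TRUNC_BYTES,      /* walk finished, but the output buffer is too small */
};

/*
 * comps lists dentry names from leaf to root, the order a kernel-side walk
 * (dentry -> d_parent -> ...) hands them out. The string is assembled
 * root -> leaf into out. Each limit is checked on its own.
 */
enum resolve_status resolve_path(const char *const *comps, size_t ncomps,
                                 char *out, size_t out_len)
{
    enum resolve_status st = RESOLVE_OK;
    size_t walked = ncomps;

    /* A BPF loop must be bounded: stop after MAX_COMPONENTS parents. */
    if (walked > MAX_COMPONENTS) {
        walked = MAX_COMPONENTS;
        st = RESOLVE_TRUNC_COMPONENTS;
    }

    size_t pos = 0;
    out[0] = '\0';
    for (size_t i = walked; i-- > 0;) {
        size_t n = strlen(comps[i]);
        /* need '/' + name + NUL */
        if (pos + 1 + n + 1 > out_len)
            return RESOLVE_TRUNC_BYTES;
        out[pos++] = '/';
        memcpy(out + pos, comps[i], n);
        pos += n;
        out[pos] = '\0';
    }
    return st;
}

static char g_last_path[PATH_BUF_SIZE];

/* Resolve into a fixed buffer of the assumed sensor size; read it back via last_path(). */
enum resolve_status resolve_case(const char *const *comps, size_t ncomps)
{
    return resolve_path(comps, ncomps, g_last_path, sizeof g_last_path);
}

const char *last_path(void) { return g_last_path; }

const char *status_name(enum resolve_status st)
{
    switch (st) {
    case RESOLVE_OK:               return "ok";
    case RESOLVE_TRUNC_COMPONENTS: return "truncated: component limit";
    case RESOLVE_TRUNC_BYTES:      return "truncated: buffer size";
    }
    return "?";
}

/* Constructed inputs, leaf first. */
const char *const SHORT_PATH[] = { "test" };

/* Rootless Podman overlay mount, constructed:
 * /home/user/.local/share/containers/storage/overlay/<id>/merged/test2 (10 components) */
const char *const DEEP_PATH[] = {
    "test2", "merged", "abcdef1234", "overlay", "storage",
    "containers", "share", ".local", "user", "home",
};

/* Few components, but a 64-character layer id (constructed). */
const char *const LONG_ID_PATH[] = {
    "test", "merged",
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "overlay",
};

int main(void)
{
    const struct { const char *name; const char *const *comps; size_t n; } cases[] = {
        { "short",   SHORT_PATH,   ARRAY_LEN(SHORT_PATH) },
        { "deep",    DEEP_PATH,    ARRAY_LEN(DEEP_PATH) },
        { "long-id", LONG_ID_PATH, ARRAY_LEN(LONG_ID_PATH) },
    };
    for (size_t i = 0; i < ARRAY_LEN(cases); i++) {
        enum resolve_status st = resolve_case(cases[i].comps, cases[i].n);
        printf("%-8s %-28s %s\n", cases[i].name, status_name(st), last_path());
    }
    return 0;
}
```

With these constructed limits the deep Podman path is cut by the component bound (its 8 walked components still fit in the buffer), while the short path with a 64-character layer id is cut by the byte limit. A single "path truncated" message cannot distinguish the two; emitting a distinct status per limit, as above, is what lets the investigation in the issue answer its own question.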
While working on the CMake porting I noticed that the prog_test_run tests ( `BPFTcFilterTests` ) for AL2 both on ARM and are having failures. Initially the failures I noticed were...