
Exe full path missing in Exe field

Open dcarolloz opened this issue 2 years ago • 0 comments

Indicate project: libsysflow

Describe the bug: The exe full path is sometimes not reported.

To reproduce

Steps to reproduce the behavior:

  1. Build and run sf-collector example
  2. Compile and run code example reported below

Expected behavior: The exe full path should be reported. In the example, Exe is expected to show /usr/bin/echo.

Environment:

  • OS: Ubuntu 20.04.4 LTS
  • kernel: 5.4.0-128-generic
  • SysFlow version: v0.5.1 (from master branch)
  • Configurations: eBPF driver

Code example

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

int main(void){
    /* The full path is passed to execve; argv[0] is only the short name "echo". */
    const char* pathname = "/usr/bin/echo";
    const char* argv[] = { "echo", "arg1", "arg2", "arg3", "arg4", "arg5", NULL };
    const char* envp[] = { NULL };
    /* Raw execve syscall: control returns here only if the call failed. */
    int rc = syscall( SYS_execve, pathname, argv, envp);
    printf("errno: %d\n", errno);
    return rc;
}

sf-collector example log

****************************************************************
Header: Exporter , IP , File name 
Process: PID 13246 Creation Time, 1688476758875589088, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 13246, OpFlags 1, Ret 23207
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 1, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 23207, OpFlags: 9344, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /lib/x86_64-linux-gnu/libc.so.6
File Flow: TID 23207, OpFlags: 9600, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 23207, OpFlags: 9344, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /lib/x86_64-linux-gnu/libc.so.6
File Flow: TID 23207, OpFlags: 9600, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /dev/pts/1
File Flow: TID 23207, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /dev/pts/1
File Flow: TID 23207, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 4, Ret 0
****************************************************************

dcarolloz Jul 04 '23 13:07
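
A check for the symptom reported above, as an added example that is not part of the original issue or of the SysFlow project: it scans sf-collector example output for Process records whose Exe field is not an absolute path. The field layout in the regular expression is inferred only from the log lines in this report, and the function name is hypothetical.

```python
import re

# Field layout inferred from the "Process:" lines in the report (assumption,
# not a documented sf-collector output format).
PROCESS_RE = re.compile(
    r"^Process: PID (?P<pid>\d+) Creation Time, (?P<ctime>\d+), "
    r"Exe (?P<exe>.*?), Exe Args (?P<args>.*?), User Name "
)

def find_non_absolute_exe(log_text):
    """Return one finding per distinct (pid, creation time, exe) whose Exe
    value is empty or does not start with '/'."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if not m:
            continue  # Header, File, event and separator lines
        key = (int(m["pid"]), int(m["ctime"]), m["exe"])
        if key in seen or m["exe"].startswith("/"):
            continue  # already reported, or a full path as expected
        seen.add(key)
        findings.append({"pid": key[0], "exe": m["exe"], "args": m["args"]})
    return findings

# Process lines copied from the log in this report (separators omitted).
SAMPLE = """\
Process: PID 13246 Creation Time, 1688476758875589088, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
"""

if __name__ == "__main__":
    for f in find_non_absolute_exe(SAMPLE):
        print(f"PID {f['pid']}: Exe {f['exe']!r} is not a full path (args: {f['args']!r})")
```

Run against a captured log, any finding marks a process record that a path-based rule (for example, one matching on /usr/bin/echo) would not match.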