Compute entry leaders #40
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This computes entry_leader and entry_meta.type from ECS: https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-entry-meta-type In order to properly inherit both fields, we have to traverse the process tree "in order of creation", this means building a walking list from pid 1, descending to everything else. Cloud defend does this by ordering pids, which is not quite right as pids can wrap around, we handle it by traversing processes via their actual relationship. There is a bug that can be observed with kprobes and docker, basically docker forks and exits a bunch of intermediary processes before giving us our container, this causes reparenting of processes, meaning their ppid changes. The ppid we get is racy since it depends if the parent exited before fork was commited or after. The actual bug is that kprobes are not updating ppid after fork, this is further described in #43. As this is all very ECS specific, it is disabled by default and you must pass QQ_ENTRY_LEADER to enable the computation. The hooks in raw_event_to_quark_event() might not be completely right, recomputing for exec only, maybe we should recompute more. At any rate this seems to produce correct values for INIT, SSHD and docker (at least on eBPF).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.