Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: include ancestors in process events #2938

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: include ancestors in process events #2938

wants to merge 3 commits into from

Conversation

t0x01
Copy link

@t0x01 t0x01 commented Sep 19, 2024

Fixes 2420

Description

Reason: Option to include all ancestors of the process in process events can be very useful for observability and filtering purposes. E.g. to apply complex correlation rules later in data processing pipeline, or to filter out extra events.

Changes made:

  • Read and set option enable-process-ancestors from the config file. Turn option enable-process-ancestors off by default.
  • If option enable-process-ancestors is set, try to include ancestors (up to PID 1/PID 2) of the process beyond the immediate parent in process_exec, process_exit, process_uprobe, process_kprobe, process_lsm, process_tracepoint events in a respective protobuf message for the given process.
  • If option enable-process-ancestors is set and there was an error when trying to include process' ancestors in the protobuf message, add the event to eventcache for reprocessing.
  • When trying to reprocess events from eventcache, if option enable-process-ancestors is set and Ancestors is nil, try to include process' ancestors again.
  • Implement a new export filter that can filter over ancestor binary names using RE2 regular expressions.
  • Add a new test for the new export filter.
  • Add information about new features to documentation.

@t0x01
feat: Allow to include process' ancestors in events
6836971 
Allow to include ancestors of the process beyond the immediate parent (up to PID 1 / PID 2) in process_exec, process_exit, process_uprobe, process_kprobe, process_lsm, process_tracepoint events via `--enable-process-ancestors` option. Turn `--enable-process-ancestors` option off by default.

Signed-off-by: t0x01 <T0x01@protonmail.ch>
@t0x01
filters: Implement ancestor binary export filter
5f4dd5a 
Implement a new export filter that can filter over ancestor binary names using RE2 regular expressions.

Signed-off-by: t0x01 <T0x01@protonmail.ch>
@t0x01
docs: Add ancestors and ancestor filter information
e2e9ea1 
Add information about ancestors, ancestor filter and ancestors related metrics to documentation.

Signed-off-by: t0x01 <T0x01@protonmail.ch>
@t0x01 t0x01 requested review from a team and mtardy as code owners September 19, 2024 14:51
@netlify Netlify
Copy link

netlify bot commented Sep 19, 2024

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit e2e9ea1
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/66ec3a59c5d59800086cfa23
😎 Deploy Preview https://deploy-preview-2938--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtardy mtardy Awaiting requested review from mtardy mtardy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Tetragon is not showing process exec ancestors
1 participant
@t0x01