diff --git a/agent/src/bpf/audit.bpf.c b/agent/src/bpf/audit.bpf.c
index f66ea16..d49b1ed 100644
--- a/agent/src/bpf/audit.bpf.c
+++ b/agent/src/bpf/audit.bpf.c
@@ -71,6 +71,10 @@ record_new_context (struct pt_regs *ctx, long context, long parent)
 			  context);
   event->parent = parent;
 
+  err = bpf_get_current_comm (event->command, sizeof(event->command));
+  if (err < 0)
+    DEBUG ("unable to get current command: %ld\n", err);
+
   if (BPF_CORE_READ_BITFIELD(build_id, status) & BPF_STACK_BUILD_ID_VALID)
     {
       event->origin_size = bpf_core_field_size (build_id->build_id);
diff --git a/crypto-auditing/src/bpf/audit.h b/crypto-auditing/src/bpf/audit.h
index 3ae0c59..c7cc380 100644
--- a/crypto-auditing/src/bpf/audit.h
+++ b/crypto-auditing/src/bpf/audit.h
@@ -32,6 +32,7 @@ struct audit_event_header_st
 };
 
 #define MAX_BUILD_ID_SIZE 64
+#define MAX_COMMAND_SIZE 64
 
 struct audit_new_context_event_st
 {
@@ -39,6 +40,7 @@ struct audit_new_context_event_st
   long parent;
   unsigned char origin[MAX_BUILD_ID_SIZE];
   unsigned long int origin_size;
+  char command[MAX_COMMAND_SIZE];
 };
 
 struct audit_data_event_st
diff --git a/crypto-auditing/src/types.rs b/crypto-auditing/src/types.rs
index 13e3625..7712126 100644
--- a/crypto-auditing/src/types.rs
+++ b/crypto-auditing/src/types.rs
@@ -8,7 +8,7 @@ use serde::{
 use serde_with::{hex::Hex, serde_as};
 use std::cell::RefCell;
 use std::collections::BTreeMap;
-use std::ffi::CStr;
+use std::ffi::{CStr, CString};
 use std::rc::Rc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use sysinfo::System;
@@ -32,6 +32,13 @@ where
     seq.end()
 }
 
+fn to_string_lossy(source: &CString, serializer: S) -> Result
+where
+    S: Serializer,
+{
+    serializer.serialize_str(&source.to_string_lossy())
+}
+
 #[serde_as]
 #[derive(Debug, Serialize)]
 pub struct Context {
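Review bot: The value copied at `err = bpf_get_current_comm (event->command, sizeof(event->command));` is task->comm, which the audited process can set to anything via prctl(PR_SET_NAME) (and is otherwise the truncated executable basename), so the new `command` field is a correlation hint, not an identity a consumer may trust. A comment on that line should say so, e.g. `/* comm is self-reported (prctl PR_SET_NAME) and truncated to TASK_COMM_LEN; informational only, not a trust anchor. */`. The helper's documented contract is to NUL-pad the buffer on success and zero it on failure, so the field stays a valid C string either way, but since comm is at most TASK_COMM_LEN (16) bytes, the 64-byte `MAX_COMMAND_SIZE` in audit.h carries 48 bytes of padding per new-context event through the ring buffer; 16 would suffice if the record layout is being changed anyway. `err` is not declared in the hunk, so it presumably exists earlier in record_new_context, whose body starts and ends outside the hunk.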
@@ -40,6 +47,8 @@ pub struct Context {
     pub id: ContextId,
     #[serde_as(as = "Hex")]
     pub origin: Vec,
+    #[serde(serialize_with = "to_string_lossy")]
+    pub command: CString,
     #[serde_as(as = "serde_with::TimestampSecondsWithFrac")]
     pub start: SystemTime,
     #[serde_as(as = "serde_with::TimestampSecondsWithFrac")]
@@ -103,10 +112,12 @@ impl ContextTracker {
             Event::NewContext {
                 parent: parent_context,
                 origin,
+                command,
             } => {
                 let context = Rc::new(RefCell::new(Context {
                     id: *group.context(),
                     origin: origin.to_owned(),
+                    command: command.to_owned(),
                     start,
                     end,
                     events: Default::default(),
@@ -132,6 +143,7 @@ impl ContextTracker {
                 let context_obj = Rc::new(RefCell::new(Context {
                     id: *group.context(),
                     origin: Default::default(),
+                    command: Default::default(),
                     start,
                     end,
                     events: Default::default(),
@@ -173,6 +185,8 @@ pub enum Event {
         parent: ContextId,
         #[serde_as(as = "serde_with::Bytes")]
         origin: Vec,
+        #[serde(default)]
+        command: CString,
     },
     Data {
         key: String,
@@ -305,11 +319,17 @@ impl EventGroup {
                 let origin = unsafe {
                     (&(*raw_new_context).origin)[..(*raw_new_context).origin_size as usize].to_vec()
                 };
+                let command =
+                    unsafe { CStr::from_ptr((&(*raw_new_context).command).as_ptr()).to_owned() };
                 EventGroup {
                     context,
                     start: ktime,
                     end: ktime,
-                    events: vec![Event::NewContext { parent, origin }],
+                    events: vec![Event::NewContext {
+                        parent,
+                        origin,
+                        command,
+                    }],
                 }
             }
             audit_event_type_t::AUDIT_EVENT_DATA => unsafe {
diff --git a/docs/query.schema.json b/docs/query.schema.json
index 6776d12..a00fa2d 100644
--- a/docs/query.schema.json
+++ b/docs/query.schema.json
@@ -11,6 +11,7 @@
       "properties": {
         "context": { "type": "string" },
         "origin": { "type": "string" },
+        "command": { "type": "string" },
         "start": { "type": "number" },
         "end": { "type": "number" },
         "events": {
diff --git a/fixtures/logs/since-until/none.json b/fixtures/logs/since-until/none.json
index 8fb0716..4693b36 100644
--- a/fixtures/logs/since-until/none.json
+++ b/fixtures/logs/since-until/none.json
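Review bot: `CStr::from_ptr((&(*raw_new_context).command).as_ptr())` scans for a NUL with no bound, so it relies on the 64-byte `command` array always being NUL-terminated; that holds while the producer is this agent on a kernel whose helper pads the buffer, but a record from a differently-built agent or a struct-layout mismatch would make it read past the event. The neighbouring `origin` read is already bounded by `origin_size`; the command read should be bounded by the array length too, falling back to an empty `CString` (the same default the deserializer's `#[serde(default)]` uses) when no terminator is found, which `CStr::from_bytes_until_nul` (stable since Rust 1.69) provides. The unsafe block also lacks a `// SAFETY:` comment stating that `raw_new_context` points at a complete `audit_new_context_event_st`; the enclosing match arm and function continue outside the hunk.
```rust
let command = unsafe {
    // SAFETY: raw_new_context points at a complete audit_new_context_event_st (checked by the caller).
    let raw = &(*raw_new_context).command;
    // Bounded by the array length; a missing NUL yields an empty command instead of an over-read.
    let bytes = std::slice::from_raw_parts(raw.as_ptr().cast::<u8>(), raw.len());
    CStr::from_bytes_until_nul(bytes).map_or_else(|_| CString::default(), CStr::to_owned)
};
// … unchanged: EventGroup construction …
```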
@@ -2,6 +2,7 @@
   {
     "context": "77c5eac18916f65560e4a72c378fa571",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.010886,
     "end": 1771974803.010886,
     "events": {
@@ -12,6 +13,7 @@
   {
     "context": "3cb4522554c9b0dc609cb15a60e8066d",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0110753,
     "end": 1771974803.0110753,
     "events": {
@@ -22,6 +24,7 @@
   {
     "context": "a585d1425ae9a1bb716ef919a7077b79",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0110772,
     "end": 1771974803.0110772,
     "events": {
@@ -35,6 +38,7 @@
   {
     "context": "8bea2cd10c263427b8ea8f7a75ab63dc",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0253136,
     "end": 1771974803.0253136,
     "events": {
@@ -45,6 +49,7 @@
   {
     "context": "56cef1e26f5035c51e0df469ac338f5d",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.025316,
     "end": 1771974803.025316,
     "events": {
@@ -55,6 +60,7 @@
   {
     "context": "bd1bf0fb3d99d6695865fa2bbef92b34",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0255075,
     "end": 1771974803.0255075,
     "events": {
@@ -67,6 +73,7 @@
   {
     "context": "ba2f7865e4de038b3da670176ac134aa",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0425448,
     "end": 1771974803.0425448,
     "events": {
@@ -78,6 +85,7 @@
   {
     "context": "dcb5668c7981c908da00c4f485aa28fe",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0257778,
     "end": 1771974803.0257778,
     "events": {
@@ -88,6 +96,7 @@
   {
     "context": "0c7af68a3db1a3f26781b44c3b74f372",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.025795,
     "end": 1771974803.025795,
     "events": {
@@ -104,6 +113,7 @@
   {
     "context": "ccb9432c9c2c8c203230e6b7d31c0b16",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.214706,
     "end": 1771974863.214706,
     "events": {
@@ -114,6 +124,7 @@
   {
     "context": "4496299804038c7e426b63ba21e82767",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148774,
     "end": 1771974863.2148774,
     "events": {
@@ -124,6 +135,7 @@
   {
     "context": "f4a8575856bd5e71c9cfeb08004b18a8",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148807,
     "end": 1771974863.2148807,
     "events": {
@@ -137,6 +149,7 @@
   {
     "context": "5d965925626f231276ab4658c070f0bb",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2293024,
     "end": 1771974863.2293024,
     "events": {
@@ -147,6 +160,7 @@
   {
     "context": "5ffa226b4b1b2e03ac33f016c368daf5",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.22932,
     "end": 1771974863.22932,
     "events": {
@@ -161,6 +175,7 @@
   {
     "context": "9c3eb879769d1ca094404184669f6d60",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288046,
     "end": 1771974863.2288046,
     "events": {
@@ -171,6 +186,7 @@
   {
     "context": "464cbb78dccd784c9b70a5592a97c067",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.229047,
     "end": 1771974863.229047,
     "events": {
@@ -181,6 +197,7 @@
   {
     "context": "6b12b88a73508c86569afb171fc86fa2",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288072,
     "end": 1771974863.2288072,
     "events": {
@@ -193,6 +210,7 @@
   {
     "context": "f574d1bf35c80d999cd45243992cbcf3",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2472508,
     "end": 1771974863.2472508,
     "events": {
@@ -206,6 +224,7 @@
   {
     "context": "ba622d5b9877a430162242de965c3a3e",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4500113,
     "end": 1771974923.4500113,
     "events": {
@@ -216,6 +235,7 @@
   {
     "context": "086f6407cbc7d1ab26012b7e939373c4",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4649017,
     "end": 1771974923.4649017,
     "events": {
@@ -226,6 +246,7 @@
   {
     "context": "849055c3278578d687c4b54c828ec440",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4649038,
     "end": 1771974923.4649038,
     "events": {
@@ -236,6 +257,7 @@
   {
     "context": "dbdb8d7e3703cb023b12c41af91cad51",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.465125,
     "end": 1771974923.465125,
     "events": {
@@ -248,6 +270,7 @@
   {
     "context": "174de05063ba9b25008b373abab6edc2",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4501987,
     "end": 1771974923.4501987,
     "events": {
@@ -258,6 +281,7 @@
   {
     "context": "ac972e44ea6bcef3b4a63cbe53a80cc9",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4502006,
     "end": 1771974923.4502006,
     "events": {
@@ -271,6 +295,7 @@
   {
     "context": "520f84448e7d46817efd218659951f35",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4855325,
     "end": 1771974923.4855325,
     "events": {
@@ -282,6 +307,7 @@
   {
     "context": "7efbca0e91133d460bbabf918ea3d2d5",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4654472,
     "end": 1771974923.4654472,
     "events": {
@@ -292,6 +318,7 @@
   {
     "context": "631afe9e5424d5b5b2a69e94388704d7",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.465482,
     "end": 1771974923.465482,
     "events": {
diff --git a/fixtures/logs/since-until/since-until.json b/fixtures/logs/since-until/since-until.json
index db393ba..5c53b5b 100644
--- a/fixtures/logs/since-until/since-until.json
+++ b/fixtures/logs/since-until/since-until.json
@@ -2,6 +2,7 @@
   {
     "context": "ccb9432c9c2c8c203230e6b7d31c0b16",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.214706,
     "end": 1771974863.214706,
     "events": {
@@ -12,6 +13,7 @@
   {
     "context": "4496299804038c7e426b63ba21e82767",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148774,
     "end": 1771974863.2148774,
     "events": {
@@ -22,6 +24,7 @@
   {
     "context": "f4a8575856bd5e71c9cfeb08004b18a8",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148807,
     "end": 1771974863.2148807,
     "events": {
@@ -35,6 +38,7 @@
   {
     "context": "5d965925626f231276ab4658c070f0bb",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2293024,
     "end": 1771974863.2293024,
     "events": {
@@ -45,6 +49,7 @@
   {
     "context": "5ffa226b4b1b2e03ac33f016c368daf5",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.22932,
     "end": 1771974863.22932,
     "events": {
@@ -59,6 +64,7 @@
   {
     "context": "9c3eb879769d1ca094404184669f6d60",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288046,
     "end": 1771974863.2288046,
     "events": {
@@ -69,6 +75,7 @@
   {
     "context": "464cbb78dccd784c9b70a5592a97c067",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.229047,
     "end": 1771974863.229047,
     "events": {
@@ -79,6 +86,7 @@
   {
     "context": "6b12b88a73508c86569afb171fc86fa2",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288072,
     "end": 1771974863.2288072,
     "events": {
@@ -91,6 +99,7 @@
   {
     "context": "f574d1bf35c80d999cd45243992cbcf3",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2472508,
     "end": 1771974863.2472508,
     "events": {
diff --git a/fixtures/logs/since-until/since.json b/fixtures/logs/since-until/since.json
index 866ef56..e208dca 100644
--- a/fixtures/logs/since-until/since.json
+++ b/fixtures/logs/since-until/since.json
@@ -2,6 +2,7 @@
   {
     "context": "ccb9432c9c2c8c203230e6b7d31c0b16",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.214706,
     "end": 1771974863.214706,
     "events": {
@@ -12,6 +13,7 @@
   {
     "context": "4496299804038c7e426b63ba21e82767",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148774,
     "end": 1771974863.2148774,
     "events": {
@@ -22,6 +24,7 @@
   {
     "context": "f4a8575856bd5e71c9cfeb08004b18a8",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148807,
     "end": 1771974863.2148807,
     "events": {
@@ -35,6 +38,7 @@
   {
     "context": "5d965925626f231276ab4658c070f0bb",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2293024,
     "end": 1771974863.2293024,
     "events": {
@@ -45,6 +49,7 @@
   {
     "context": "5ffa226b4b1b2e03ac33f016c368daf5",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.22932,
     "end": 1771974863.22932,
     "events": {
@@ -59,6 +64,7 @@
   {
     "context": "9c3eb879769d1ca094404184669f6d60",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288046,
     "end": 1771974863.2288046,
     "events": {
@@ -69,6 +75,7 @@
   {
     "context": "464cbb78dccd784c9b70a5592a97c067",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.229047,
     "end": 1771974863.229047,
     "events": {
@@ -79,6 +86,7 @@
   {
     "context": "6b12b88a73508c86569afb171fc86fa2",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288072,
     "end": 1771974863.2288072,
     "events": {
@@ -91,6 +99,7 @@
   {
     "context": "f574d1bf35c80d999cd45243992cbcf3",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2472508,
     "end": 1771974863.2472508,
     "events": {
@@ -104,6 +113,7 @@
   {
     "context": "ba622d5b9877a430162242de965c3a3e",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4500113,
     "end": 1771974923.4500113,
     "events": {
@@ -114,6 +124,7 @@
   {
     "context": "086f6407cbc7d1ab26012b7e939373c4",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4649017,
     "end": 1771974923.4649017,
     "events": {
@@ -124,6 +135,7 @@
   {
     "context": "849055c3278578d687c4b54c828ec440",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4649038,
     "end": 1771974923.4649038,
     "events": {
@@ -134,6 +146,7 @@
   {
     "context": "dbdb8d7e3703cb023b12c41af91cad51",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.465125,
     "end": 1771974923.465125,
     "events": {
@@ -146,6 +159,7 @@
   {
     "context": "174de05063ba9b25008b373abab6edc2",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4501987,
     "end": 1771974923.4501987,
     "events": {
@@ -156,6 +170,7 @@
   {
     "context": "ac972e44ea6bcef3b4a63cbe53a80cc9",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4502006,
     "end": 1771974923.4502006,
     "events": {
@@ -169,6 +184,7 @@
   {
     "context": "520f84448e7d46817efd218659951f35",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4855325,
     "end": 1771974923.4855325,
     "events": {
@@ -180,6 +196,7 @@
   {
     "context": "7efbca0e91133d460bbabf918ea3d2d5",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4654472,
     "end": 1771974923.4654472,
     "events": {
@@ -190,6 +207,7 @@
   {
     "context": "631afe9e5424d5b5b2a69e94388704d7",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.465482,
     "end": 1771974923.465482,
     "events": {
diff --git a/fixtures/logs/since-until/until.json b/fixtures/logs/since-until/until.json
index 51eec97..11509da 100644
--- a/fixtures/logs/since-until/until.json
+++ b/fixtures/logs/since-until/until.json
@@ -2,6 +2,7 @@
   {
     "context": "77c5eac18916f65560e4a72c378fa571",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.010886,
     "end": 1771974803.010886,
     "events": {
@@ -12,6 +13,7 @@
   {
     "context": "3cb4522554c9b0dc609cb15a60e8066d",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0110753,
     "end": 1771974803.0110753,
     "events": {
@@ -22,6 +24,7 @@
   {
     "context": "a585d1425ae9a1bb716ef919a7077b79",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0110772,
     "end": 1771974803.0110772,
     "events": {
@@ -35,6 +38,7 @@
   {
     "context": "8bea2cd10c263427b8ea8f7a75ab63dc",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0253136,
     "end": 1771974803.0253136,
     "events": {
@@ -45,6 +49,7 @@
   {
     "context": "56cef1e26f5035c51e0df469ac338f5d",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.025316,
     "end": 1771974803.025316,
     "events": {
@@ -55,6 +60,7 @@
   {
     "context": "bd1bf0fb3d99d6695865fa2bbef92b34",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0255075,
     "end": 1771974803.0255075,
     "events": {
@@ -67,6 +73,7 @@
   {
     "context": "ba2f7865e4de038b3da670176ac134aa",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0425448,
     "end": 1771974803.0425448,
     "events": {
@@ -78,6 +85,7 @@
   {
     "context": "dcb5668c7981c908da00c4f485aa28fe",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.0257778,
     "end": 1771974803.0257778,
     "events": {
@@ -88,6 +96,7 @@
   {
     "context": "0c7af68a3db1a3f26781b44c3b74f372",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.025795,
     "end": 1771974803.025795,
     "events": {
@@ -104,6 +113,7 @@
   {
     "context": "ccb9432c9c2c8c203230e6b7d31c0b16",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.214706,
     "end": 1771974863.214706,
     "events": {
@@ -114,6 +124,7 @@
   {
     "context": "4496299804038c7e426b63ba21e82767",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148774,
     "end": 1771974863.2148774,
     "events": {
@@ -124,6 +135,7 @@
   {
     "context": "f4a8575856bd5e71c9cfeb08004b18a8",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2148807,
     "end": 1771974863.2148807,
     "events": {
@@ -137,6 +149,7 @@
   {
     "context": "5d965925626f231276ab4658c070f0bb",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2293024,
     "end": 1771974863.2293024,
     "events": {
@@ -147,6 +160,7 @@
   {
     "context": "5ffa226b4b1b2e03ac33f016c368daf5",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.22932,
     "end": 1771974863.22932,
     "events": {
@@ -161,6 +175,7 @@
   {
     "context": "9c3eb879769d1ca094404184669f6d60",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288046,
     "end": 1771974863.2288046,
     "events": {
@@ -171,6 +186,7 @@
   {
     "context": "464cbb78dccd784c9b70a5592a97c067",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.229047,
     "end": 1771974863.229047,
     "events": {
@@ -181,6 +197,7 @@
   {
     "context": "6b12b88a73508c86569afb171fc86fa2",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2288072,
     "end": 1771974863.2288072,
     "events": {
@@ -193,6 +210,7 @@
   {
     "context": "f574d1bf35c80d999cd45243992cbcf3",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.2472508,
     "end": 1771974863.2472508,
     "events": {