• akikoo 3 days ago

    You can accomplish the same with bpftrace:

      bpftrace -e 'tracepoint:sched:sched_process_exec { time("%H:%M:%S"); printf("   uid = %d   pid = %d   cmd = %s \n", uid, pid, comm); } tracepoint:syscalls:sys_enter_execve { time("%H:%M:%S"); printf("   uid = %d   pid = %d   cmd_with_args = ", uid, pid); join(args->argv); }'
    • westurner 3 days ago

      From https://news.ycombinator.com/item?id=37442312 re why not ptrace for tracing all exec() syscalls:

      > The Falco docs list 3 syscall event drivers: Kernel module, Classic eBPF probe, and Modern eBPF probe: https://falco.org/docs/event-sources/kernel/

      • T3OU-736 3 days ago

        Consider adding ppid to the mix - sometimes _what_ started a process is also quite valuable (if firefox starts bash, worry more than, say, sshd)

        • westurner 3 days ago

          It looks like the falco rules mention proc.ppid.duration, but there's not yet a rule that matches on ppid: rules/falco_rules.yaml https://github.com/falcosecurity/rules/blob/main/rules/falco... :

          > Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust.
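As an added example (not code from any commenter in this thread): a small Python filter over the kind of output akikoo's one-liner produces once T3OU-736's ppid suggestion is applied, flagging shells whose parent is a desktop application and resolving the parent's name from earlier exec events in the same trace. The `ppid = ` column, its assumed source (`curtask->real_parent->tgid` in the bpftrace printf), and the sample lines are all constructed assumptions, not a real capture.

```python
import re

# Constructed sample output: the one-liner above extended with a ppid column
# (assumed to come from curtask->real_parent->tgid). Not a real capture.
SAMPLE_LINES = """\
12:00:01   uid = 1000   pid = 4101   ppid = 1      cmd = sshd
12:00:02   uid = 1000   pid = 4120   ppid = 4101   cmd = bash
12:00:05   uid = 1000   pid = 5200   ppid = 1      cmd = firefox
12:00:09   uid = 1000   pid = 5233   ppid = 5200   cmd = bash
12:00:10   uid = 1000   pid = 5240   ppid = 5233   cmd = curl
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+uid = (?P<uid>\d+)\s+pid = (?P<pid>\d+)"
    r"\s+ppid = (?P<ppid>\d+)\s+cmd = (?P<cmd>\S+)"
)

# Illustrative lists, not a standard: a shell spawned by one of these
# applications deserves a closer look than one spawned by sshd.
SHELLS = {"bash", "sh", "zsh", "dash"}
UNEXPECTED_PARENTS = {"firefox", "chrome", "chromium", "thunderbird"}


def parse(lines):
    """Parse trace lines into dicts; uid/pid/ppid become ints, others stay str."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({k: int(v) if k in ("uid", "pid", "ppid") else v
                           for k, v in d.items()})
    return events


def flag_shell_spawns(lines):
    """Return (ts, parent_comm, child_comm, pid) for shells whose parent is in
    UNEXPECTED_PARENTS. The parent's comm is resolved from earlier exec events
    in the same trace (latest exec per pid wins); an unseen ppid resolves to '?'."""
    comm_by_pid = {}
    flagged = []
    for ev in parse(lines):
        parent = comm_by_pid.get(ev["ppid"], "?")
        if ev["cmd"] in SHELLS and parent in UNEXPECTED_PARENTS:
            flagged.append((ev["ts"], parent, ev["cmd"], ev["pid"]))
        comm_by_pid[ev["pid"]] = ev["cmd"]
    return flagged


if __name__ == "__main__":
    for ts, parent, child, pid in flag_shell_spawns(SAMPLE_LINES):
        print(f"{ts} {parent} -> {child} (pid {pid})")
```

Processes that exec'd before the trace started have no comm on record, so their children show a '?' parent; seeding the map from /proc at startup would close that gap.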