
perf: remove sys_enter/exit dependency from default event set
This commit removes the dependency of the default event set on
sys_enter/sys_exit probes to improve performance when no specific event
is selected.

To do that, update the default event set and the signatures that depended on
events that used these probes.
yanivagman committed Nov 20, 2024
1 parent 6d174d0 commit 245bd3b
Showing 5 changed files with 51 additions and 142 deletions.
56 changes: 28 additions & 28 deletions pkg/events/core.go
Expand Up @@ -2286,7 +2286,7 @@ var CoreEvents = map[ID]Definition{
name: "creat",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_ops"},
sets: []string{"syscalls", "fs", "fs_file_ops"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "pathname"},
{Type: "umode_t", Name: "mode"},
Expand Down Expand Up @@ -2406,7 +2406,7 @@ var CoreEvents = map[ID]Definition{
name: "chmod",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "pathname"},
{Type: "umode_t", Name: "mode"},
Expand All @@ -2430,7 +2430,7 @@ var CoreEvents = map[ID]Definition{
name: "fchmod",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "int", Name: "fd"},
{Type: "umode_t", Name: "mode"},
Expand All @@ -2454,7 +2454,7 @@ var CoreEvents = map[ID]Definition{
name: "chown",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "pathname"},
{Type: "uid_t", Name: "owner"},
Expand All @@ -2479,7 +2479,7 @@ var CoreEvents = map[ID]Definition{
name: "fchown",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "int", Name: "fd"},
{Type: "uid_t", Name: "owner"},
Expand All @@ -2504,7 +2504,7 @@ var CoreEvents = map[ID]Definition{
name: "lchown",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "pathname"},
{Type: "uid_t", Name: "owner"},
Expand Down Expand Up @@ -2757,7 +2757,7 @@ var CoreEvents = map[ID]Definition{
name: "setuid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "uid_t", Name: "uid"},
},
Expand All @@ -2780,7 +2780,7 @@ var CoreEvents = map[ID]Definition{
name: "setgid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "gid_t", Name: "gid"},
},
Expand Down Expand Up @@ -2845,7 +2845,7 @@ var CoreEvents = map[ID]Definition{
name: "setpgid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "pid_t", Name: "pid"},
{Type: "pid_t", Name: "pgid"},
Expand Down Expand Up @@ -2911,7 +2911,7 @@ var CoreEvents = map[ID]Definition{
name: "setsid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{},
dependencies: Dependencies{
probes: []Probe{
Expand All @@ -2932,7 +2932,7 @@ var CoreEvents = map[ID]Definition{
name: "setreuid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "uid_t", Name: "ruid"},
{Type: "uid_t", Name: "euid"},
Expand All @@ -2956,7 +2956,7 @@ var CoreEvents = map[ID]Definition{
name: "setregid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "gid_t", Name: "rgid"},
{Type: "gid_t", Name: "egid"},
Expand Down Expand Up @@ -3028,7 +3028,7 @@ var CoreEvents = map[ID]Definition{
name: "setresuid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "uid_t", Name: "ruid"},
{Type: "uid_t", Name: "euid"},
Expand Down Expand Up @@ -3078,7 +3078,7 @@ var CoreEvents = map[ID]Definition{
name: "setresgid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "gid_t", Name: "rgid"},
{Type: "gid_t", Name: "egid"},
Expand Down Expand Up @@ -3151,7 +3151,7 @@ var CoreEvents = map[ID]Definition{
name: "setfsuid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "uid_t", Name: "fsuid"},
},
Expand All @@ -3174,7 +3174,7 @@ var CoreEvents = map[ID]Definition{
name: "setfsgid",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc", "proc_ids"},
sets: []string{"syscalls", "proc", "proc_ids"},
params: []trace.ArgMeta{
{Type: "gid_t", Name: "fsgid"},
},
Expand Down Expand Up @@ -4405,7 +4405,7 @@ var CoreEvents = map[ID]Definition{
name: "init_module",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "system", "system_module"},
sets: []string{"syscalls", "system", "system_module"},
params: []trace.ArgMeta{
{Type: "void*", Name: "module_image"},
{Type: "unsigned long", Name: "len"},
Expand Down Expand Up @@ -6484,7 +6484,7 @@ var CoreEvents = map[ID]Definition{
name: "fchownat",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "int", Name: "dirfd"},
{Type: "const char*", Name: "pathname"},
Expand Down Expand Up @@ -6691,7 +6691,7 @@ var CoreEvents = map[ID]Definition{
name: "fchmodat",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_attr"},
sets: []string{"syscalls", "fs", "fs_file_attr"},
params: []trace.ArgMeta{
{Type: "int", Name: "dirfd"},
{Type: "const char*", Name: "pathname"},
Expand Down Expand Up @@ -7708,7 +7708,7 @@ var CoreEvents = map[ID]Definition{
name: "setns",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc"},
sets: []string{"syscalls", "proc"},
params: []trace.ArgMeta{
{Type: "int", Name: "fd"},
{Type: "int", Name: "nstype"},
Expand Down Expand Up @@ -7757,7 +7757,7 @@ var CoreEvents = map[ID]Definition{
name: "process_vm_readv",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "proc"},
sets: []string{"syscalls", "proc"},
params: []trace.ArgMeta{
{Type: "pid_t", Name: "pid"},
{Type: "const struct iovec*", Name: "local_iov"},
Expand Down Expand Up @@ -7834,7 +7834,7 @@ var CoreEvents = map[ID]Definition{
name: "finit_module",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "system", "system_module"},
sets: []string{"syscalls", "system", "system_module"},
params: []trace.ArgMeta{
{Type: "int", Name: "fd"},
{Type: "const char*", Name: "param_values"},
Expand Down Expand Up @@ -7987,7 +7987,7 @@ var CoreEvents = map[ID]Definition{
name: "memfd_create",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs", "fs_file_ops"},
sets: []string{"syscalls", "fs", "fs_file_ops"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "name"},
{Type: "unsigned int", Name: "flags"},
Expand Down Expand Up @@ -8530,7 +8530,7 @@ var CoreEvents = map[ID]Definition{
name: "move_mount",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{"default", "syscalls", "fs"},
sets: []string{"syscalls", "fs"},
params: []trace.ArgMeta{
{Type: "int", Name: "from_dfd"},
{Type: "const char*", Name: "from_path"},
Expand Down Expand Up @@ -11337,7 +11337,7 @@ var CoreEvents = map[ID]Definition{
{handle: probes.CommitCreds, required: true},
},
},
sets: []string{},
sets: []string{"default"},
params: []trace.ArgMeta{
{Type: "slim_cred_t", Name: "old_cred"},
{Type: "slim_cred_t", Name: "new_cred"},
Expand Down Expand Up @@ -12429,7 +12429,7 @@ var CoreEvents = map[ID]Definition{
{handle: probes.ModuleLoad, required: true},
},
},
sets: []string{},
sets: []string{"default"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "name"},
{Type: "const char*", Name: "version"},
Expand Down Expand Up @@ -12602,7 +12602,7 @@ var CoreEvents = map[ID]Definition{
{handle: probes.SecurityInodeRename, required: true},
},
},
sets: []string{},
sets: []string{"default"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "old_path"},
{Type: "const char*", Name: "new_path"},
Expand Down Expand Up @@ -13049,7 +13049,7 @@ var CoreEvents = map[ID]Definition{
name: "chmod_common",
version: NewVersion(1, 0, 0),
syscall: true,
sets: []string{},
sets: []string{"default"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "pathname"},
{Type: "umode_t", Name: "mode"},
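Review bot: Several events drop out of the `default` set in this file with no replacement visible in the commit — `setns`, `process_vm_readv`, `memfd_create`, `move_mount`, `creat`, `setpgid`/`setsid` and the `chown`/`fchown`/`lchown`/`fchownat` family — so a deployment running the default policy stops seeing namespace joins, cross-process memory reads, anonymous-file creation and mount moves unless one of the two changed files not shown here covers them. The new `default` members `commit_creds`, `module_load` and `chmod_common` do take over for the set*id, module-load and chmod syscalls, but presumably only on the success path: a hook on `commit_creds` cannot observe a denied `setuid(0)` attempt that the old syscall exit event reported through its return value, and that failed attempt is itself a useful escalation indicator. If the narrower coverage is intended it should be stated in the commit message and event docs, and a one-line comment beside the new entries would help readers, e.g. `// default: replaces the sys_enter/exit-based set*id events; fires only when new creds are actually committed`. Each entry here is a map value whose other fields lie outside the hunk.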
11 changes: 5 additions & 6 deletions signatures/golang/illegitimate_shell.go
Expand Up @@ -2,7 +2,6 @@ package main

import (
"fmt"
"strings"

"github.com/aquasecurity/tracee/signatures/helpers"
"github.com/aquasecurity/tracee/types/detect"
Expand All @@ -18,7 +17,7 @@ type IllegitimateShell struct {

func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error {
sig.cb = ctx.Callback
sig.shellNames = []string{"/ash", "/bash", "/csh", "/ksh", "/sh", "/tcsh", "/zsh", "/dash"}
sig.shellNames = []string{"ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"}
sig.webServersProcessNames = []string{"nginx", "httpd", "httpd-foregroun", "http-nio", "lighttpd", "apache", "apache2"}
return nil
}
Expand All @@ -43,7 +42,7 @@ func (sig *IllegitimateShell) GetMetadata() (detect.SignatureMetadata, error) {

func (sig *IllegitimateShell) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
return []detect.SignatureEventSelector{
{Source: "tracee", Name: "security_bprm_check", Origin: "*"},
{Source: "tracee", Name: "sched_process_exec", Origin: "*"},
}, nil
}

Expand All @@ -54,16 +53,16 @@ func (sig *IllegitimateShell) OnEvent(event protocol.Event) error {
}

switch eventObj.EventName {
case "security_bprm_check":
case "sched_process_exec":
for _, webServersProcessName := range sig.webServersProcessNames {
if webServersProcessName == eventObj.ProcessName {
pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
prevComm, err := helpers.GetTraceeStringArgumentByName(eventObj, "prev_comm")
if err != nil {
return err
}

for _, shellName := range sig.shellNames {
if strings.HasSuffix(pathname, shellName) {
if prevComm == shellName {
metadata, err := sig.GetMetadata()
if err != nil {
return err
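Review bot: The two comparisons in the new `sched_process_exec` branch look swapped for the stated intent of catching a web server that spawns a shell: `eventObj.ProcessName` is matched against the web-server names and `prev_comm` against the shell names, but if `prev_comm` is the comm before the exec, as its name suggests, and `ProcessName` the comm after it (the kernel has already renamed the task when the exec tracepoint fires), then `apache2` exec'ing `/bin/dash` arrives as ProcessName `dash` / prev_comm `apache2` and never matches, while a shell exec'ing nginx would. Please confirm against how Tracee fills these two fields; if they are as described, swap the operands — `if webServersProcessName == prevComm {` and `if eventObj.ProcessName == shellName {` — and flip the fixtures in the test file to match. Two caveats worth recording in the signature's description: comm is truncated to 15 bytes (the list already carries `httpd-foregroun` for that reason) and is derived from the basename of the executed file, so a shell copied under another name evades this check just as it evaded the old suffix match; and `sched_process_exec` presumably fires only for execs that succeed, whereas `security_bprm_check` also saw attempts that were denied. The enclosing `OnEvent` continues past the hunk.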
26 changes: 13 additions & 13 deletions signatures/golang/illegitimate_shell_test.go
Expand Up @@ -23,14 +23,14 @@ func TestIllegitimateShell(t *testing.T) {
Name: "should trigger detection",
Events: []trace.Event{
{
EventName: "security_bprm_check",
EventName: "sched_process_exec",
ProcessName: "apache2",
Args: []trace.Argument{
{
ArgMeta: trace.ArgMeta{
Name: "pathname",
Name: "prev_comm",
},
Value: interface{}("/bin/dash"),
Value: interface{}("dash"),
},
},
},
Expand All @@ -39,14 +39,14 @@ func TestIllegitimateShell(t *testing.T) {
"TRC-1016": {
Data: nil,
Event: trace.Event{
EventName: "security_bprm_check",
EventName: "sched_process_exec",
ProcessName: "apache2",
Args: []trace.Argument{
{
ArgMeta: trace.ArgMeta{
Name: "pathname",
Name: "prev_comm",
},
Value: interface{}("/bin/dash"),
Value: interface{}("dash"),
},
},
}.ToProtocol(),
Expand All @@ -69,17 +69,17 @@ func TestIllegitimateShell(t *testing.T) {
},
},
{
Name: "should not trigger detection - wrong path",
Name: "should not trigger detection - not a shell",
Events: []trace.Event{
{
EventName: "security_bprm_check",
EventName: "sched_process_exec",
ProcessName: "apache2",
Args: []trace.Argument{
{
ArgMeta: trace.ArgMeta{
Name: "pathname",
Name: "prev_comm",
},
Value: interface{}("/bin/ls"),
Value: interface{}("ls"),
},
},
},
Expand All @@ -90,14 +90,14 @@ func TestIllegitimateShell(t *testing.T) {
Name: "should not trigger detection - wrong process name",
Events: []trace.Event{
{
EventName: "security_bprm_check",
EventName: "sched_process_exec",
ProcessName: "bash",
Args: []trace.Argument{
{
ArgMeta: trace.ArgMeta{
Name: "pathname",
Name: "prev_comm",
},
Value: interface{}("/bin/dash"),
Value: interface{}("dash"),
},
},
},
