-
Notifications
You must be signed in to change notification settings - Fork 219
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adds second part of tracing system calls using eBPF blog #1149
Open
ashutoshcloud
wants to merge
5
commits into
falcosecurity:master
Choose a base branch
from
ashutoshcloud:Tracing-System-Calls-Using-eBPF-2
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+186
−85
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
c2586bc
adds second part of tracing system calls using eBPF blog
ashutoshcloud 32d7d97
falcosidekick-ui v2.2.0
Issif 086273b
updated events
mikegcoleman 05eb9a5
Updated amsterdam URL
mikegcoleman 18ce5f8
removes the suggested link
ashutoshcloud File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| --- | ||
| title: Falcosidekick-UI 2.2.0 | ||
| linktitle: Falcosidekick-UI 2.2.0 | ||
| date: 2023-09-14 | ||
| author: Thomas Labarussias | ||
| slug: falcosidekick-ui-2-2-0 | ||
| images: | ||
| - /blog/falcosidekick-ui-2-2-0/images/featured.png | ||
| tags: ["Falcosidekick-UI","Release"] | ||
| --- | ||
|
|
||
| Not so long ago, we proudly released a new fantastic release of [falcosidekick](/blog/falcosidekick-2-28-0/), it's time for its little brother, [falcosidekick-ui](https://github.com/falcosecurity/falcosidekick-ui) to know the same, with the version v2.2.0. | ||
|
|
||
| Let's take a tour to introduce the most important cool new features of this release. | ||
|
|
||
| ## Disabling the authentication | ||
|
|
||
| The previous version introduced a basic auth mechanism to protect access to the dashboard and API. Some complained it broke the access through their reverse proxy. You can now disable the authentication: | ||
|
|
||
| ```shell | ||
| -d boolean | ||
| Disable authentication (environment "FALCOSIDEKICK_UI_DISABLEAUTH") | ||
| ``` | ||
|
|
||
| ## Dialog box to display the details of an event | ||
|
|
||
| To have a better view of each event, you can now open a dialog box that displays all details but also the raw JSON of the event. You can even copy it into your clipboard with a simple click. | ||
|
|
||
|  | ||
|
|
||
| To display the dialog box, just click on the `{...}` at the end of the event row. | ||
|
|
||
|  | ||
|
|
||
| ## Export | ||
|
|
||
| A new `Export` button appeared, it allows you to export all the events found in json format. It takes in consideration the filters, of course. | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| ## Units for TTL | ||
|
|
||
| For users with a lot of events, it can be useful to specify a TTL (time to live) for the keys in Redis (the storage backend). It can be done with `-t` argument for a while, and the value had to be in seconds, which is not convenient for long-term storage. You can now specify a unit (`s`econds, `m`inutes, `h`ours, `W`eeks, `M`onths, `y`ear). If no unit is specified, it's considered as seconds to avoid breaking previous configs. | ||
|
|
||
| ```shell | ||
| -t string | ||
| TTL for keys, the format is X<unit>, | ||
| with unit (s, m, h, d, W, M, y)" (default "0", environment "FALCOSIDEKICK_UI_TTL") | ||
| ``` | ||
| ## Redis password | ||
|
|
||
| The access to the dashboard and the API can be protected by credentials, but the Redis wasn't. You can now specify a password for access to Redis, it will prevent your security scans from complaining ;-). | ||
|
|
||
| ```shell | ||
| -w string | ||
| Redis password (default "", environment "FALCOSIDEKICK_REDIS_PASSWORD") | ||
| ``` | ||
|
|
||
| ## Conclusion | ||
|
|
||
| Thanks again to our amazing community, most of these features came from your ideas and we're still thrilled to see how much you find falcosidekick-ui useful. | ||
|
|
||
| --- | ||
| As usual, if you have any feedback or need help, you can find us at any of the following locations. | ||
|
|
||
| * Get started in [Falco.org](http://falco.org/) | ||
| * Check out the [Falcosidekick project on GitHub](https://github.com/falcosecurity/falcosidekick). | ||
| * Check out the [Falcosidekick UI project on GitHub](https://github.com/falcosecurity/falcosidekick-ui). | ||
| * Get involved in the [Falco community](https://falco.org/community/). | ||
| * Meet the maintainers on the [Falco Slack](https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32). | ||
| * Follow [@falco_org on Twitter](https://twitter.com/falco_org). |
Binary file added
BIN
+11.3 KB
content/en/blog/tracing-system-calls-using-ebpf-part-2/images/ebpf2-01.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+34.7 KB
content/en/blog/tracing-system-calls-using-ebpf-part-2/images/ebpf2-02.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+25.3 KB
content/en/blog/tracing-system-calls-using-ebpf-part-2/images/ebpf2-03.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+64 KB
content/en/blog/tracing-system-calls-using-ebpf-part-2/images/ebpf2-04.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+8.67 KB
content/en/blog/tracing-system-calls-using-ebpf-part-2/images/ebpf2-05.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+635 KB
...t/en/blog/tracing-system-calls-using-ebpf-part-2/images/ebpf2-blog-featured.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
92 changes: 92 additions & 0 deletions
92
content/en/blog/tracing-system-calls-using-ebpf-part-2/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| --- | ||
| title: Tracing System Calls Using eBPF - Part 2 | ||
| linktitle: Tracing System Calls Using eBPF - Part 2 | ||
| description: Learn how to trace system calls using eBPF probes. | ||
| date: 2023-09-12 | ||
| author: Anshu Bansal, Rakshit Awasthi, Ashutosh Venkatrao More | ||
| slug: tracing-system-calls-using-ebpf-part-2 | ||
| images: | ||
| - /blog/tracing-syscalls-using-ebpf-part-2/images/ebpf2-blog-featured.png | ||
| tags: ["eBPF", "Falco", "Syscalls", "Probes"] | ||
| --- | ||
|
|
||
| ## Introduction | ||
|
|
||
| In [Tracing System Calls Using eBPF Part 1](https://falco.org/blog/tracing-syscalls-using-ebpf-part-1/), we lay the groundwork, introducing you to the fundamentals of `eBPF` and its predecessor, `BPF (Berkeley Packet Filter)`. We delve into the evolution of this technology, its safety, performance, and observability advantages over traditional kernel modules, and its pivotal role in securing modern cloud-native environments. We guide you through the intricate process of working with eBPF programs, from compilation to execution, highlighting its power in tracing system calls. | ||
|
|
||
| In the second installment, `Tracing System Calls Using eBPF Part 2`, we elevate our understanding of eBPF's capabilities. We unravel the world of `Uprobes` and `Uretprobes`, demonstrating how these features empower developers to instrument and monitor user-space applications seamlessly. We then venture into `Kprobes` and `Kretprobes`, unlocking the potential to dynamically trace and debug kernel functions, offering insights into system behavior and performance analysis. | ||
|
|
||
| ## Uprobes | ||
|
|
||
| Uprobes, short for user probes, are a feature in the Linux kernel that enables developers to instrument and monitor user-space applications without modifying their code directly. They allow for the insertion of breakpoints at specific points of interest within an application, facilitating the collection of data, tracing of function calls, debugging, and performance analysis. | ||
|
|
||
| ## Uretprobes | ||
|
|
||
| Uretprobes, short for User Return Probes, are a feature in the Linux kernel that allows developers to trace and monitor the return paths of functions in user-space applications. While uprobes are used to instrument and intercept the entry points of functions, URETprobes specifically focus on the exit points or return paths. They enable developers to set up probes that are triggered when a specific function returns to its caller. | ||
|
|
||
| Here is an eBPF program that uses user probes to trace the printf function present in `glibc (the standard GNU C Library)`. | ||
|
|
||
| <br><a target="_blank" href="images/ebpf2-01.png"> | ||
| <img style="border: 2px solid #00b4c8" | ||
| alt="An eBPF program that uses user probes to trace the printf function present in `glibc (the standard GNU C Library)`" | ||
| src="images/ebpf2-01.png"> | ||
| </img> | ||
| </a><br><br> | ||
|
|
||
| In accordance with the instructions outlined in our [Tracing System Calls Using eBPF Part 1](https://falco.org/blog/tracing-syscalls-using-ebpf-part-1/) blog, we can create a loader to effectively load this eBPF program and read the logs from the file `/sys/kernel/tracing/trace_pipe` . | ||
|
|
||
| ## Kprobes | ||
|
|
||
| Kprobes, short for Kernel Probes, are a feature in the Linux kernel that allow dynamic tracing and debugging of kernel functions. They are particularly useful for tasks like performance analysis, bug diagnosis, and system monitoring. They provide a non-intrusive way to gather runtime information from the kernel without requiring modifications to the kernel code itself. Additionally, they can be used to trace specific function calls, track parameters and return values, and gather statistical data on function execution | ||
|
|
||
| ## Kretprobes | ||
|
|
||
| Kretprobes, short for Kernel Return Probes, are a feature in the Linux kernel that complements Kprobes by allowing dynamic tracing and debugging of kernel function return points. While Kprobes focus on probing the entry points of kernel functions, kretprobes specifically target the return points of these functions.Similar to Kprobes, kretprobes work by inserting a probe handler function that gets executed when a specific kernel function is about to return. This allows developers and system administrators to gather information, modify return values, or perform additional actions at the point of function return. | ||
|
|
||
| Here is an eBPF program that uses kernel probes to trace a kernel function named `prepare_kernel_cred`. This function is used to create a new `struct cred object` that represents the credentials or privileges associated with a kernel task. It is commonly used in `privilege escalation exploits` for gaining root access. By tracing this function, we can identify all processes that invoke it, providing valuable insight for analyzing potential malicious activity. | ||
|
|
||
| <br><a target="_blank" href="images/ebpf2-02.png"> | ||
| <img style="border: 2px solid #00b4c8" | ||
| alt="An eBPF program that uses kernel probes to trace a kernel function" | ||
| src="images/ebpf2-02.png"> | ||
| </img> | ||
| </a><br><br> | ||
|
|
||
| `SEC(“kprobe/prepare_kernel_cred”)` indicates that an eBPF program is associated with the kprobe event for the `"prepare_kernel_cred"` kernel function. This event allows dynamic tracing and debugging by intercepting the entry point of the function. | ||
|
|
||
| `struct pt_regs` is a data structure that provides access to the register state of the program when it is executed. It contains information about the `CPU registers` at the time of the eBPF program invocation. It is defined as : | ||
|
|
||
| <br><a target="_blank" href="images/ebpf2-03.png"> | ||
| <img style="border: 2px solid #00b4c8" | ||
| alt="Consolidated rule" | ||
| src="images/ebpf2-03.png"> | ||
| </img> | ||
| </a><br><br> | ||
|
|
||
| To facilitate the loading of the aforementioned eBPF program, we’ll use the following program. | ||
|
|
||
| <br><a target="_blank" href="images/ebpf2-04.png"> | ||
| <img style="border: 2px solid #00b4c8" | ||
| alt="Loader for the above program" | ||
| src="images/ebpf2-04.png"> | ||
| </img> | ||
| </a><br><br> | ||
|
|
||
| Here is a Makefile for compiling the eBPF program and the loader | ||
|
|
||
| <br><a target="_blank" href="images/ebpf2-05.png"> | ||
| <img style="border: 2px solid #00b4c8" | ||
| alt="A Makefile for compiling the eBPF program and the loader" | ||
| src="images/ebpf2-05.png"> | ||
| </img> | ||
| </a><br><br> | ||
|
|
||
| ## Conclusion | ||
|
|
||
| In this two-part exploration of **Tracing System Calls Using eBPF**, we've embarked on a fascinating journey through the inner workings of this powerful technology. `Part 1` laid the foundation by introducing us to the fundamentals of eBPF and its predecessor, BPF, shedding light on their evolution and significance in modern cloud-native environments. We uncovered how eBPF's safety, performance, and observability advantages empower us to trace system calls with unmatched efficiency. | ||
|
|
||
| In `Part 2`, we took our understanding to new heights. We delved into the world of `Uprobes` and `Uretprobes`, showcasing how they enable seamless instrumentation and monitoring of user-space applications. We then ventured into `Kprobes` and `Kretprobes`, unlocking the ability to dynamically trace and debug kernel functions. Armed with these advanced techniques, we gained valuable insights into system behavior, performance analysis, and even the detection of potential malicious activity. | ||
|
|
||
| As we conclude this journey into the heart of eBPF, we stand equipped with a powerful set of tools and knowledge. Whether you're a seasoned sysadmin, a curious developer, or a vigilant security enthusiast, the capabilities of eBPF open new doors to real-time monitoring and analysis. | ||
|
|
||
| Stay tuned for further insights and practical guidance in the world of eBPF, where innovation meets security, and the future of system monitoring becomes a reality. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.