feat(observability): add structured target context metadata for runtime block events#101
Conversation
Hi @nevinshine, the implementation now:
Please review when possible. Thank you for your understanding!!
Hi @Akshu121796, thanks for getting this done so quickly! The logic looks great overall and successfully hooks up the target_context to our NDJSON alerts. I just noticed one bug and one small missing piece we should fix before merging:

IP Address Byte Order: You're currently using binary.BigEndian.PutUint32 to parse the IP address. While network byte order is indeed big-endian, the eBPF kernel code actually reads the raw network-byte-order memory into a host CPU register (which is little-endian) before sending it over the ring buffer. Because of this, using BigEndian in Go will actually reverse the IP address (e.g., 192.168.1.100 would end up logging as 100.1.168.192). Could you switch this to use binary.LittleEndian.PutUint32(ip, uint32(event.ContextVal))?

ptrace_denied Support: You correctly handled the network and inode contexts, but there's one more blocked action in our eBPF code that passes contextual data. When an agent tries to ptrace a tainted process, we deny it and pass the target child's PID as the context. Could you add a quick case for this as well? Something like:

```go
else if event.DescStr == "ptrace_denied" {
    targetContext = fmt.Sprintf("pid:%d", event.ContextVal)
}
```

Let me know once you've pushed these updates and I'll be happy to approve and merge it. Thanks again for your work on this!
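The byte-order point above is easy to get wrong, so here is an added, self-contained Go example of the formatter the review describes. It is not the project's code: the Event struct, the kernelLoadIPv4 helper (which reproduces the kernel side's plain host-endian load of the four network-order address bytes), the mapping of connect_denied and exfil_blocked to an IP context and open_inode to an inode context, and the NDJSON field names are all assumptions made for the example. The sample address is constructed. The buggy BigEndian decode is kept beside the fix so the reversal (192.168.1.100 becoming 100.1.168.192) can be checked directly.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
)

// Event holds the two ringbuffer fields the formatter needs. Field names
// follow the review thread; the struct itself is an assumption for this example.
type Event struct {
	DescStr    string
	ContextVal uint64
}

// kernelLoadIPv4 models what the eBPF side does: the four address bytes, as
// they sit in memory in network byte order, are loaded into a u32 with a plain
// host-endian load (little-endian on x86_64/aarch64) and shipped unchanged.
// This helper is an assumption used to construct realistic input.
func kernelLoadIPv4(netOrder [4]byte) uint64 {
	return uint64(binary.LittleEndian.Uint32(netOrder[:]))
}

// ipv4LittleEndian is the fix from the review: writing the u32 back out with
// the same (little-endian) byte order the kernel loaded it with restores the
// original network-order bytes.
func ipv4LittleEndian(v uint64) net.IP {
	ip := make(net.IP, 4)
	binary.LittleEndian.PutUint32(ip, uint32(v))
	return ip
}

// ipv4BigEndianBug is the pre-fix decode. Because the register value was not
// byte-swapped on the kernel side, a big-endian write reverses the octets.
func ipv4BigEndianBug(v uint64) net.IP {
	ip := make(net.IP, 4)
	binary.BigEndian.PutUint32(ip, uint32(v))
	return ip
}

// TargetContext formats ContextVal into the human-readable target_context
// string for each blocked action. Which DescStr values carry an IP, an inode
// or a PID is assumed here from the thread, not taken from the project.
func TargetContext(ev Event) string {
	switch ev.DescStr {
	case "connect_denied", "exfil_blocked":
		return "ip:" + ipv4LittleEndian(ev.ContextVal).String()
	case "open_inode":
		return fmt.Sprintf("inode:%d", ev.ContextVal)
	case "ptrace_denied":
		return fmt.Sprintf("pid:%d", ev.ContextVal)
	default:
		return "" // no contextual data for this action
	}
}

// alert is the NDJSON record; the key names are assumptions for the example.
type alert struct {
	Desc          string `json:"desc"`
	TargetContext string `json:"target_context,omitempty"`
}

// AlertLine renders one NDJSON line for a blocked action.
func AlertLine(ev Event) (string, error) {
	b, err := json.Marshal(alert{Desc: ev.DescStr, TargetContext: TargetContext(ev)})
	if err != nil {
		return "", err
	}
	return string(b) + "\n", nil
}

func main() {
	v := kernelLoadIPv4([4]byte{192, 168, 1, 100}) // constructed sample address
	fmt.Println("buggy :", ipv4BigEndianBug(v))
	fmt.Println("fixed :", ipv4LittleEndian(v))
	line, _ := AlertLine(Event{DescStr: "connect_denied", ContextVal: v})
	fmt.Print(line)
	line, _ = AlertLine(Event{DescStr: "ptrace_denied", ContextVal: 4242})
	fmt.Print(line)
}
```

The fix is correct on little-endian hosts, which is what the review assumes. If the agent is ever built for a big-endian target, the same "match the host load" intent is expressed more directly by binary.NativeEndian (Go 1.21+), which keeps the decode in step with whatever the kernel side did.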
Hello! @nevinshine I’ll update the IP parsing to use Thanks again for the guidance!
Hi @nevinshine, I’ve now updated the implementation to:
The updates have been pushed to this PR for review. Thank you! Looking forward to more contributions.
Thank you for taking the time to read through the explanation on the ringbuffer endianness and for implementing the LittleEndian fix so cleanly. It can be really tricky dealing with low-level kernel-to-userspace memory translation, and you handled it perfectly. Also, great job getting the ptrace_denied context hooked up! It is incredibly refreshing to work with a contributor who takes technical feedback seriously, understands it, and applies it directly to the code. This is exactly the kind of high-quality engineering contribution we are looking for in this project <3 I am approving and merging this now. Outstanding work, @Akshu121796! :)
@nevinshine Thank you for your feedback and support!! Looking forward to more contributions. Loved the repo!! ⭐
Summary
This PR improves runtime observability by attaching structured contextual metadata (target_context) to emitted security audit events generated from blocked runtime actions. The implementation uses the newly exposed ContextVal field from the eBPF ringbuffer layer and formats contextual runtime targets into human-readable values for downstream SIEM/debugging workflows.

Changes Made
- connect_denied
- exfil_blocked
- open_inode
- mirage_trap
- target_context metadata emission

Benefits
Note: I was able to validate the formatter integration flow and structured event emission logic from the code path itself, but I could not fully reproduce the kernel/eBPF runtime environment locally on Windows for end-to-end runtime verification.
Fixes #74