├── .clang-format ├── .dockerignore ├── .github └── workflows │ └── ci.yaml ├── .gitignore ├── .gitmodules ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Dockerfile ├── Dockerfile.alpine ├── Dockerfile.dev.amd64 ├── Dockerfile.driver.amd64 ├── Dockerfile.driver.s390x ├── Dockerfile.musl ├── Dockerfile.ubi.amd64 ├── LICENSE.md ├── MAINTAINERS.md ├── Makefile ├── README.md ├── debug-entrypoint ├── docker-entry-ubi.sh ├── docs ├── BUILD.md ├── LIBS.md └── SPEC.md ├── examples ├── Dockerfile ├── Dockerfile.dev ├── Dockerfile.musl ├── Dockerfile.musl.dev ├── Makefile ├── README.md ├── callback.cpp ├── docker-run.sh ├── run-core.sh ├── run-kmod.sh └── run.sh ├── makefile.env.inc ├── makefile.manifest.inc ├── modules ├── Makefile ├── falco-libs.s390x.mri └── falco-libs.x86_64.mri ├── scripts ├── build │ ├── build.sh │ ├── cleanup.sh │ ├── env_init.sh │ ├── redhat_scan_submit.sh │ └── test.sh ├── cpack │ ├── CPackConfig-libs-musl.cmake │ ├── CPackConfig-libs.cmake │ ├── CPackConfig.cmake │ ├── clean.sh │ ├── prepackage-driver.sh │ ├── prepackage-libs-musl.sh │ ├── prepackage-libs.sh │ └── prepackage.sh ├── dev │ └── rpms │ │ └── llvm │ │ ├── clang-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm │ │ ├── clang-libs-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm │ │ ├── install.sh │ │ ├── libedit-3.1-23.20170329cvs.el8.x86_64.rpm │ │ ├── lld-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm │ │ ├── lld-libs-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm │ │ ├── lldb-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm │ │ ├── llvm-9.0.1-5.module_el8.2.0+461+2e15bd5f.x86_64.rpm │ │ ├── llvm-libs-9.0.1-5.module_el8.2.0+461+2e15bd5f.x86_64.rpm │ │ ├── llvm-toolset-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm │ │ └── python3-lldb-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm ├── installUBIDependency.sh ├── installUBIDependencyWoSubManager.sh ├── runFormat └── service │ ├── bin │ └── sysflow │ ├── conf │ └── sysflow.env │ ├── driver │ ├── cleanup │ └── start │ └── 
systemd │ ├── sysflow-collector.service │ └── sysflow.service ├── src ├── collector │ ├── Makefile │ └── main.cpp └── libs │ ├── Makefile │ ├── MurmurHash3.cpp │ ├── MurmurHash3.h │ ├── containercontext.cpp │ ├── containercontext.h │ ├── controlflowprocessor.cpp │ ├── controlflowprocessor.h │ ├── dataflowprocessor.cpp │ ├── dataflowprocessor.h │ ├── datatypes.h │ ├── file_types.h │ ├── filecontext.cpp │ ├── filecontext.h │ ├── fileeventprocessor.cpp │ ├── fileeventprocessor.h │ ├── fileflowprocessor.cpp │ ├── fileflowprocessor.h │ ├── k8scontext.cpp │ ├── k8scontext.h │ ├── k8seventprocessor.cpp │ ├── k8seventprocessor.h │ ├── libsysflow-musl.mri │ ├── libsysflow.mri │ ├── logger.h │ ├── modutils.cpp │ ├── modutils.h │ ├── networkflowprocessor.cpp │ ├── networkflowprocessor.h │ ├── op_flags.h │ ├── processcontext.cpp │ ├── processcontext.h │ ├── processeventprocessor.cpp │ ├── processeventprocessor.h │ ├── readonly.h │ ├── sfcallbackwriter.cpp │ ├── sfcallbackwriter.h │ ├── sfconfig.h │ ├── sffilewriter.cpp │ ├── sffilewriter.h │ ├── sfmodes.h │ ├── sfmultiwriter.cpp │ ├── sfmultiwriter.h │ ├── sfsockwriter.cpp │ ├── sfsockwriter.h │ ├── syscall_defs.h │ ├── sysflow.h │ ├── sysflow_config.h.in │ ├── sysflowcontext.cpp │ ├── sysflowcontext.h │ ├── sysflowexception.cpp │ ├── sysflowexception.h │ ├── sysflowlibs.cpp │ ├── sysflowlibs.hpp │ ├── sysflowprocessor.cpp │ ├── sysflowprocessor.h │ ├── sysflowwriter.cpp │ ├── sysflowwriter.h │ ├── utils.cpp │ └── utils.h └── tests ├── alpine ├── alpine.scap └── alpine.sf ├── baseline.bats ├── client-server ├── client.c ├── server.c ├── tcp-client-server.scap └── tcp-client-server.sf ├── files ├── files.c ├── files.scap ├── files.sf ├── filesat.c ├── filesat.scap ├── filesat.sf └── make.sh ├── mpm-event ├── Dockerfile ├── README.md ├── build ├── capture ├── cold_start_capture.scap ├── cold_start_capture.sf ├── full_capture.scap ├── full_capture.sf ├── htdocs │ └── index.html ├── httpd.conf ├── run └── test ├── mpm-preforked 
├── Dockerfile ├── README.md ├── build ├── capture ├── cold_start_capture.scap ├── cold_start_capture.sf ├── full_capture.scap ├── full_capture.sf ├── htdocs │ └── index.html ├── httpd.conf ├── run └── test ├── mpm-worker ├── Dockerfile ├── README.md ├── build ├── capture ├── cold_start_capture.scap ├── cold_start_capture.sf ├── full_capture.scap ├── full_capture.sf ├── htdocs │ └── index.html ├── httpd.conf ├── run └── test ├── namespaces ├── create_ns.sh ├── enter_ns.sh ├── setns.scap └── setns.sf ├── nginx ├── nginx.scap └── nginx.sf ├── nodejs ├── mon.1544763289 ├── mon.1544763289.sf ├── mon.1544763319 ├── mon.1544763319.sf ├── mon.1544763349 ├── mon.1544763349.sf ├── mon.1544763379 └── mon.1544763379.sf ├── objectstore ├── README.md ├── capture ├── client ├── data │ ├── .minio.sys │ │ ├── buckets │ │ │ └── play │ │ │ │ ├── mon.1544763289 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1544763319 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1544763349 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1544763379 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1548965896 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1548965926 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1548965956 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1548965986 │ │ │ │ └── fs.json │ │ │ │ ├── mon.1548966016 │ │ │ │ └── fs.json │ │ │ │ └── tcpclientserver │ │ │ │ └── fs.json │ │ └── format.json │ └── play │ │ ├── mon.1544763289 │ │ ├── mon.1544763319 │ │ ├── mon.1544763349 │ │ ├── mon.1544763379 │ │ ├── mon.1548965896 │ │ ├── mon.1548965926 │ │ ├── mon.1548965956 │ │ ├── mon.1548965986 │ │ ├── mon.1548966016 │ │ └── tcpclientserver ├── download.scap ├── download.sf ├── ls.scap ├── ls.sf ├── run ├── upload.scap └── upload.sf ├── rename ├── rename.scap ├── rename.sf ├── rename2at.scap └── rename2at.sf ├── setuid ├── make.sh ├── setuid.c ├── setuid.scap └── setuid.sf ├── sffilecomp.py └── tests.bats /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | Language: Cpp 3 | # BasedOnStyle: LLVM 4 | 
AccessModifierOffset: -2 5 | AlignAfterOpenBracket: Align 6 | AlignConsecutiveMacros: false 7 | AlignConsecutiveAssignments: false 8 | AlignConsecutiveDeclarations: false 9 | AlignEscapedNewlines: Right 10 | AlignOperands: true 11 | AlignTrailingComments: true 12 | AllowAllArgumentsOnNextLine: true 13 | AllowAllConstructorInitializersOnNextLine: true 14 | AllowAllParametersOfDeclarationOnNextLine: true 15 | AllowShortBlocksOnASingleLine: false 16 | AllowShortCaseLabelsOnASingleLine: false 17 | AllowShortFunctionsOnASingleLine: All 18 | AllowShortLambdasOnASingleLine: All 19 | AllowShortIfStatementsOnASingleLine: Never 20 | AllowShortLoopsOnASingleLine: false 21 | AlwaysBreakAfterDefinitionReturnType: None 22 | AlwaysBreakAfterReturnType: None 23 | AlwaysBreakBeforeMultilineStrings: false 24 | AlwaysBreakTemplateDeclarations: MultiLine 25 | BinPackArguments: true 26 | BinPackParameters: true 27 | BraceWrapping: 28 | AfterCaseLabel: false 29 | AfterClass: false 30 | AfterControlStatement: false 31 | AfterEnum: false 32 | AfterFunction: false 33 | AfterNamespace: false 34 | AfterObjCDeclaration: false 35 | AfterStruct: false 36 | AfterUnion: false 37 | AfterExternBlock: false 38 | BeforeCatch: false 39 | BeforeElse: false 40 | IndentBraces: false 41 | SplitEmptyFunction: true 42 | SplitEmptyRecord: true 43 | SplitEmptyNamespace: true 44 | BreakBeforeBinaryOperators: None 45 | BreakBeforeBraces: Attach 46 | BreakBeforeInheritanceComma: false 47 | BreakInheritanceList: BeforeColon 48 | BreakBeforeTernaryOperators: true 49 | BreakConstructorInitializersBeforeComma: false 50 | BreakConstructorInitializers: BeforeColon 51 | BreakAfterJavaFieldAnnotations: false 52 | BreakStringLiterals: true 53 | ColumnLimit: 80 54 | CommentPragmas: '^ IWYU pragma:' 55 | CompactNamespaces: false 56 | ConstructorInitializerAllOnOneLineOrOnePerLine: false 57 | ConstructorInitializerIndentWidth: 4 58 | ContinuationIndentWidth: 4 59 | Cpp11BracedListStyle: true 60 | DerivePointerAlignment: 
false 61 | DisableFormat: false 62 | ExperimentalAutoDetectBinPacking: false 63 | FixNamespaceComments: true 64 | ForEachMacros: 65 | - foreach 66 | - Q_FOREACH 67 | - BOOST_FOREACH 68 | IncludeBlocks: Preserve 69 | IncludeCategories: 70 | - Regex: '^"(llvm|llvm-c|clang|clang-c)/' 71 | Priority: 2 72 | - Regex: '^(<|"(gtest|gmock|isl|json)/)' 73 | Priority: 3 74 | - Regex: '.*' 75 | Priority: 1 76 | IncludeIsMainRegex: '(Test)?$' 77 | IndentCaseLabels: false 78 | IndentPPDirectives: None 79 | IndentWidth: 2 80 | IndentWrappedFunctionNames: false 81 | JavaScriptQuotes: Leave 82 | JavaScriptWrapImports: true 83 | KeepEmptyLinesAtTheStartOfBlocks: true 84 | MacroBlockBegin: '' 85 | MacroBlockEnd: '' 86 | MaxEmptyLinesToKeep: 1 87 | NamespaceIndentation: None 88 | ObjCBinPackProtocolList: Auto 89 | ObjCBlockIndentWidth: 2 90 | ObjCSpaceAfterProperty: false 91 | ObjCSpaceBeforeProtocolList: true 92 | PenaltyBreakAssignment: 2 93 | PenaltyBreakBeforeFirstCallParameter: 19 94 | PenaltyBreakComment: 300 95 | PenaltyBreakFirstLessLess: 120 96 | PenaltyBreakString: 1000 97 | PenaltyBreakTemplateDeclaration: 10 98 | PenaltyExcessCharacter: 1000000 99 | PenaltyReturnTypeOnItsOwnLine: 60 100 | PointerAlignment: Right 101 | ReflowComments: true 102 | SortIncludes: true 103 | SortUsingDeclarations: true 104 | SpaceAfterCStyleCast: false 105 | SpaceAfterLogicalNot: false 106 | SpaceAfterTemplateKeyword: true 107 | SpaceBeforeAssignmentOperators: true 108 | SpaceBeforeCpp11BracedList: false 109 | SpaceBeforeCtorInitializerColon: true 110 | SpaceBeforeInheritanceColon: true 111 | SpaceBeforeParens: ControlStatements 112 | SpaceBeforeRangeBasedForLoopColon: true 113 | SpaceInEmptyParentheses: false 114 | SpacesBeforeTrailingComments: 1 115 | SpacesInAngles: false 116 | SpacesInContainerLiterals: true 117 | SpacesInCStyleCastParentheses: false 118 | SpacesInParentheses: false 119 | SpacesInSquareBrackets: false 120 | Standard: Cpp11 121 | StatementMacros: 122 | - Q_UNUSED 123 | - 
QT_REQUIRE_VERSION 124 | TabWidth: 8 125 | UseTab: Never 126 | ... 127 | 128 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | # ignore these files and directories when running docker build 2 | */.git* 3 | */.cache 4 | .travis* 5 | build 6 | clean 7 | export 8 | hooks* 9 | */*.md 10 | !README*.md 11 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled Object files 2 | *.slo 3 | *.lo 4 | *.o 5 | *.obj 6 | *.ur-safe 7 | *.ko 8 | 9 | # Precompiled Headers 10 | *.gch 11 | *.pch 12 | 13 | # Compiled Dynamic libraries 14 | *.so 15 | *.dylib 16 | *.dll 17 | 18 | # Fortran module files 19 | *.mod 20 | *.smod 21 | 22 | # Compiled Static libraries 23 | *.lai 24 | *.la 25 | *.a 26 | *.lib 27 | 28 | # Executables 29 | *.exe 30 | *.out 31 | *.app 32 | 33 | # Python 34 | *.pyc 35 | *.pyo 36 | __pycache__/ 37 | 38 | # File extensions 39 | *.log 40 | 41 | # Paths 42 | avro-cpp-1.8.2 43 | src/sysporter 44 | src/sysreader 45 | src/avro/py3/build/ 46 | src/avro/py3/classes/*.egg-info 47 | src/avro/py3/dist 48 | src/sysflow_config.h 49 | 50 | # others 51 | *DS_Store 52 | *.egg-info 53 | /logs/ 54 | docker-run* 55 | scaptests 56 | 57 | # secrets 58 | scripts/build/rhpassword 59 | scripts/build/rhuser 60 | 61 | # examples 62 | examples/manifest 63 | examples/callback 64 | examples/libsysflow-* 65 | 66 | # cpack 67 | scripts/cpack/_CPack_Packages 68 | scripts/cpack/build 69 | scripts/cpack/build-libs 70 | scripts/cpack/build-libs-musl 71 | scripts/cpack/build-driver 72 | scripts/cpack/sfcollector* 73 | scripts/cpack/libsysflow* 74 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule 
"avro"] 2 | path = modules/avro 3 | url = https://github.com/apache/avro.git 4 | [submodule "modules/sysflow"] 5 | path = modules/sysflow 6 | url = https://github.com/sysflow-telemetry/sf-apis.git 7 | [submodule "modules/filesystem"] 8 | path = modules/filesystem 9 | url = https://github.com/gulrak/filesystem.git 10 | [submodule "modules/falco-libs"] 11 | path = modules/falco-libs 12 | url = https://github.com/falcosecurity/libs.git 13 | [submodule "modules/falco"] 14 | path = modules/falco 15 | url = https://github.com/falcosecurity/falco.git 16 | [submodule "modules/glog"] 17 | path = modules/glog 18 | url = https://github.com/google/glog.git 19 | [submodule "modules/snappy"] 20 | path = modules/snappy 21 | url = https://github.com/google/snappy.git 22 | [submodule "modules/dkms"] 23 | path = modules/dkms 24 | url = https://github.com/dell/dkms.git 25 | [submodule "modules/falco-driver"] 26 | path = modules/falco-driver 27 | url = https://github.com/falcosecurity/libs.git 28 | [submodule "modules/xxHash"] 29 | path = modules/xxHash 30 | url = https://github.com/Cyan4973/xxHash.git 31 | [submodule "modules/sparsehash"] 32 | path = modules/sparsehash 33 | url = https://github.com/sparsehash/sparsehash.git 34 | [submodule "modules/elf"] 35 | path = modules/elf 36 | url = https://github.com/arachsys/libelf.git 37 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 
6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 
34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at [Slack channel](https://join.slack.com/t/sysflow-telemetry/shared_invite/enQtODA5OTA3NjE0MTAzLTlkMGJlZDQzYTc3MzhjMzUwNDExNmYyNWY0NWIwODNjYmRhYWEwNGU0ZmFkNGQ2NzVmYjYxMWFjYTM1MzA5YWQ) or via [email](mailto:sysflow@us.ibm.com). The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the Qiskit project's [Code of Conduct](https://github.com/Qiskit/qiskit/blob/master/CODE_OF_CONDUCT.md) and has roots from the [Contributor Covenant](https://www.contributor-covenant.org/), version 1.4, available at [version](http://contributor-covenant.org/version/1/4). 44 | -------------------------------------------------------------------------------- /Dockerfile.alpine: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright (C) 2024 IBM Corporation. 3 | # 4 | # Authors: 5 | # Frederico Araujo 6 | # Teryl Taylor 7 | # 8 | # Licensed under the Apache License, Version 2.0 (the "License"); 9 | # you may not use this file except in compliance with the License. 
10 | # You may obtain a copy of the License at 11 | # 12 | # http://www.apache.org/licenses/LICENSE-2.0 13 | # 14 | # Unless required by applicable law or agreed to in writing, software 15 | # distributed under the License is distributed on an "AS IS" BASIS, 16 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17 | # See the License for the specific language governing permissions and 18 | # limitations under the License. 19 | # NOTE(review): ALPINE_VER defaults to the floating "latest" tag, so two builds of this file can start from different base images. Pin ALPINE_VER to a release (or pin the image to a digest) when building release artifacts so the base layer is reproducible and auditable. 20 | ARG ALPINE_VER=latest 21 | ARG ALPINE_IMAGE=alpine 22 | 23 | #----------------------- 24 | # Stage: base 25 | #----------------------- 26 | FROM ${ALPINE_IMAGE}:${ALPINE_VER} AS base 27 | 28 | # install dependencies 29 | RUN apk add \ 30 | g++ \ 31 | gcc \ 32 | cmake \ 33 | make \ 34 | git \ 35 | bash \ 36 | perl \ 37 | linux-headers \ 38 | autoconf \ 39 | automake \ 40 | m4 \ 41 | libtool \ 42 | patch \ 43 | binutils \ 44 | zstd-static \ 45 | boost-dev \ 46 | boost-static \ 47 | flex \ 48 | bison \ 49 | gawk \ 50 | clang \ 51 | bpftool \ 52 | musl-libintl 53 | 54 | #----------------------- 55 | # Stage: mods 56 | #----------------------- 57 | FROM base AS mods 58 | 59 | # environment and args 60 | ARG INSTALL_PATH=/usr/local/sysflow 61 | 62 | ENV PATH="$PATH:"${INSTALL_PATH}"/modules/bin" 63 | 64 | ENV HOST_ROOT=/host 65 | 66 | ENV HOME=/root 67 | 68 | ARG MAKE_JOBS=1 69 | 70 | ARG ARCH=x86_64 71 | 72 | # build modules 73 | COPY ./modules /build/modules 74 | COPY ./makefile.* /build/ 75 | COPY ./docker-entry-ubi.sh /usr/local/sysflow/modules/bin/ 76 | 77 | RUN cd /build/modules && \ 78 | make INSTALL_PATH=${INSTALL_PATH} ARCH=${ARCH} MUSL=1 MAKE_JOBS=${MAKE_JOBS} install && \ 79 | make clean && rm -rf /build/modules 80 | 81 | -------------------------------------------------------------------------------- /Dockerfile.dev.amd64: -------------------------------------------------------------------------------- 1 | # syntax = docker/dockerfile:1.0-experimental 2 | # 3 | # Copyright (C) 2019 IBM Corporation.
4 | # 5 | # Authors: 6 | # Frederico Araujo 7 | # Teryl Taylor 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | # Unless required by applicable law or agreed to in writing, software 16 | # distributed under the License is distributed on an "AS IS" BASIS, 17 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | # See the License for the specific language governing permissions and 19 | # limitations under the License. 20 | 21 | #----------------------- 22 | # Usage 23 | #----------------------- 24 | # 25 | # 1. Build with Docker BuildKit. This dev variant installs packages through installUBIDependencyWoSubManager.sh, i.e. without subscription-manager, so no --secret mounts are required: 26 | # 27 | # DOCKER_BUILDKIT=1 docker build --no-cache \ 28 | # --build-arg UBI_VER=8.4-206 \ 29 | # --target mods \ 30 | # -t ubi:mods-0.0.0 \ 31 | # -f Dockerfile.dev.amd64 . 32 | # 33 | 34 | #----------------------- 35 | # Stage: base 36 | #----------------------- 37 | ARG UBI_VER 38 | FROM registry.access.redhat.com/ubi8/ubi:${UBI_VER} AS base 39 | 40 | # Install Packages 41 | COPY ./scripts/installUBIDependencyWoSubManager.sh /build/install.sh 42 | RUN ( /build/install.sh base ) && rm -rf /build 43 | 44 | #----------------------- 45 | # Stage: mods 46 | #----------------------- 47 | FROM base AS mods 48 | 49 | # environment and args 50 | ARG INSTALL_PATH=/usr/local/sysflow 51 | 52 | ENV PATH="$PATH:"${INSTALL_PATH}"/modules/bin" 53 | 54 | ENV LIBRARY_PATH=/lib64 55 | 56 | ENV HOST_ROOT=/host 57 | 58 | ENV HOME=/root 59 | 60 | # build modules 61 | COPY ./modules /build/modules 62 | COPY ./makefile.* /build/ 63 | COPY ./docker-entry-ubi.sh /usr/local/sysflow/modules/bin/ 64 | RUN dnf -y install git && \ 65 | cd /build/modules && \ 66 | make INSTALL_PATH=${INSTALL_PATH} install && \ 67 | mkdir /falcosrc && cp -a /usr/src/falco-* /falcosrc/ && \ 68 | make clean && rm -rf /build/modules && \ 69
| dnf -y remove git && dnf -y clean all && rm -rf /var/cache/dnf 70 | 71 | ENTRYPOINT ["/usr/local/sysflow/modules/bin/docker-entry-ubi.sh"] 72 | -------------------------------------------------------------------------------- /Dockerfile.driver.amd64: -------------------------------------------------------------------------------- 1 | # syntax = docker/dockerfile:1.0-experimental 2 | # 3 | # Copyright (C) 2022 IBM Corporation. 4 | # 5 | # Authors: 6 | # Frederico Araujo 7 | # Teryl Taylor 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | # Unless required by applicable law or agreed to in writing, software 16 | # distributed under the License is distributed on an "AS IS" BASIS, 17 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | # See the License for the specific language governing permissions and 19 | # limitations under the License. 20 | 21 | ARG FALCO_VER 22 | ARG FALCO_LIBS_VER 23 | ARG UBI_VER 24 | 25 | #----------------------- 26 | # Stage: mods 27 | #----------------------- 28 | FROM sysflowtelemetry/ubi:mods-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS mods 29 | 30 | #----------------------- 31 | # Stage: driver 32 | #----------------------- 33 | FROM registry.access.redhat.com/ubi9/ubi:${UBI_VER} AS driver 34 | 35 | # environment and args 36 | ARG INSTALL_PATH=/usr/local/sysflow 37 | ARG DRIVER_PACKAGE_NAME=falco 38 | ENV DRIVER_NAME=falco 39 | ENV DRIVERS_REPO="https://download.falco.org/driver" 40 | ENV HOST_ROOT=/host 41 | ENV HOME=/root 42 | ARG FALCOCTL_VERSION 43 | 44 | # To enable subscription manager on ubi9 45 | # https://access.redhat.com/discussions/5889431 46 | ENV SMDEV_CONTAINER_OFF=1 47 | 48 | # Install Packages 49 | # Copy in llvm 9.0 rpms. 
Falco's ebpf probe fails unless compiled with llvm 7 to 12 for now. 50 | # https://github.com/falcosecurity/libs/issues/4 51 | # NOTE: the rpm COPY below is disabled in this stage (the llvm rpms are installed in Dockerfile.ubi.amd64 instead); the comment above is kept for context only. 51 | #COPY ./scripts/dev/rpms /build/rpms 52 | COPY ./scripts/installUBIDependency.sh /build/install.sh 53 | 54 | # RHEL subscription credentials are exposed only for the duration of this RUN via BuildKit secret mounts; they are never copied into a layer or recorded in ARG/ENV image metadata. 54 | RUN --mount=type=secret,id=rhuser,dst=/secret/rhuser --mount=type=secret,id=rhpassword,dst=/secret/rhpassword \ 55 | ( export REGISTER_USER=$(cat /secret/rhuser) && export REGISTER_PASSWORD=$(cat /secret/rhpassword) && bash /build/install.sh driver ) && \ 56 | rm -rf /build 57 | 58 | # install falcoctl 58 | # NOTE(review): the release tarball is fetched over TLS and piped straight into tar with no integrity check, so a substituted or tampered release artifact would be installed silently. Download it to a file first and verify its SHA-256 against the checksums file published with the falcoctl release (or pin the expected digest here) before running install. 59 | RUN curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_linux_amd64.tar.gz" | tar -xz && \ 60 | install -o root -g root -m 0755 falcoctl /usr/bin/falcoctl && mkdir -p /etc/falco/ && touch /etc/falco/falco.yaml 61 | 62 | # copy resources 63 | COPY docker-entry-ubi.sh /docker-entrypoint.sh 64 | COPY --from=mods ${INSTALL_PATH}/modules/bin/docker-entrypoint.sh ${INSTALL_PATH}/modules/bin/docker-entrypoint.sh 65 | COPY --from=mods /usr/src/falco-* /usr/src/ 66 | COPY --from=mods /usr/sbin/dkms /usr/sbin/dkms 67 | 68 | ENTRYPOINT ["/docker-entrypoint.sh"] 69 | 70 | -------------------------------------------------------------------------------- /Dockerfile.driver.s390x: -------------------------------------------------------------------------------- 1 | # syntax = docker/dockerfile:1.0-experimental 2 | # 3 | # Copyright (C) 2022 IBM Corporation. 4 | # 5 | # Authors: 6 | # Frederico Araujo 7 | # Teryl Taylor 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | # Unless required by applicable law or agreed to in writing, software 16 | # distributed under the License is distributed on an "AS IS" BASIS, 17 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | # See the License for the specific language governing permissions and 19 | # limitations under the License. 20 | 21 | ARG FALCO_VER 22 | ARG FALCO_LIBS_VER 23 | ARG ALPINE_VER 24 | 25 | #----------------------- 26 | # Stage: mods 27 | #----------------------- 28 | FROM sysflowtelemetry/alpine:mods-${FALCO_LIBS_VER}-${FALCO_VER}-${ALPINE_VER} AS mods 29 | 30 | #----------------------- 31 | # Stage: driver 32 | #----------------------- 33 | FROM s390x/alpine:${ALPINE_VER} AS driver 34 | 35 | RUN apk add \ 36 | g++ \ 37 | gcc \ 38 | cmake \ 39 | make \ 40 | bash \ 41 | perl \ 42 | linux-headers \ 43 | autoconf \ 44 | automake \ 45 | m4 \ 46 | libtool \ 47 | patch \ 48 | binutils \ 49 | flex \ 50 | bison \ 51 | wget \ 52 | patch \ 53 | curl \ 54 | clang \ 55 | llvm \ 56 | xz \ 57 | bc 58 | 59 | # environment and args 60 | ARG INSTALL_PATH=/usr/local/sysflow 61 | ARG DRIVER_PACKAGE_NAME=falco 62 | ENV DRIVER_NAME=falco 63 | ENV DRIVERS_REPO="https://download.falco.org/driver" 64 | ENV HOST_ROOT=/host 65 | ENV HOME=/root 66 | 67 | 68 | # copy resources 69 | COPY --from=mods ${INSTALL_PATH}/modules/bin/docker-entry-ubi.sh /docker-entrypoint.sh 70 | COPY --from=mods ${INSTALL_PATH}/modules/bin/docker-entrypoint.sh ${INSTALL_PATH}/modules/bin/docker-entrypoint.sh 71 | COPY --from=mods ${INSTALL_PATH}/modules/bin/falco-driver-loader /usr/bin/falco-driver-loader 72 | COPY --from=mods /usr/src/falco-* /usr/src/ 73 | COPY --from=mods /usr/sbin/dkms /usr/sbin/dkms 74 | 75 | ENTRYPOINT ["/docker-entrypoint.sh"] 76 | 77 | -------------------------------------------------------------------------------- /Dockerfile.ubi.amd64: 
-------------------------------------------------------------------------------- 1 | # syntax = docker/dockerfile:1.0-experimental 2 | # 3 | # Copyright (C) 2022 IBM Corporation. 4 | # 5 | # Authors: 6 | # Frederico Araujo 7 | # Teryl Taylor 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | # Unless required by applicable law or agreed to in writing, software 16 | # distributed under the License is distributed on an "AS IS" BASIS, 17 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | # See the License for the specific language governing permissions and 19 | # limitations under the License. 20 | 21 | #----------------------- 22 | # Usage 23 | #----------------------- 24 | # 25 | # 1. Add scripts/build/rhpassword and scripts/build/rhuser and update them 26 | # with user/password for RHEL subscription manager. Both paths are listed in .gitignore; pass them only as BuildKit secrets as shown below, never via --build-arg or ENV, which would persist the credentials in the image metadata. 27 | # 2. Build with Docker BuildKit (the base stage is ubi9/ubi, so UBI_VER must be a ubi9 tag): 28 | # 29 | # DOCKER_BUILDKIT=1 docker build --no-cache \ 30 | # --build-arg UBI_VER=<ubi9/ubi tag> \ 31 | # --secret id=rhuser,src=scripts/build/rhuser \ 32 | # --secret id=rhpassword,src=scripts/build/rhpassword \ 33 | # --target mods \ 34 | # -t ubi:mods-0.0.0 \ 35 | # -f Dockerfile.ubi.amd64 . 36 | # 37 | 38 | ARG UBI_VER 39 | 40 | #----------------------- 41 | # Stage: base 42 | #----------------------- 43 | FROM registry.access.redhat.com/ubi9/ubi:${UBI_VER} AS base 44 | 45 | # To enable subscription manager on ubi9 46 | # https://access.redhat.com/discussions/5889431 47 | ENV SMDEV_CONTAINER_OFF=1 48 | 49 | # Install Packages 50 | # Copy in llvm 9.0 rpms. Falco's ebpf probe fails unless compiled with llvm 7 to 12 for now.
51 | # https://github.com/falcosecurity/libs/issues/4 52 | COPY ./scripts/dev/rpms /build/rpms 53 | COPY ./scripts/installUBIDependency.sh /build/install.sh 54 | 55 | RUN --mount=type=secret,id=rhuser,dst=/secret/rhuser --mount=type=secret,id=rhpassword,dst=/secret/rhpassword \ 56 | ( export REGISTER_USER=$(cat /secret/rhuser) && export REGISTER_PASSWORD=$(cat /secret/rhpassword) && bash /build/install.sh base ) && \ 57 | rm -rf /build 58 | 59 | #----------------------- 60 | # Stage: mods 61 | #----------------------- 62 | FROM base AS mods 63 | 64 | # environment and args 65 | ARG INSTALL_PATH=/usr/local/sysflow 66 | 67 | ENV PATH="$PATH:"${INSTALL_PATH}"/modules/bin" 68 | 69 | ENV HOST_ROOT=/host 70 | 71 | ENV HOME=/root 72 | 73 | ARG MAKE_JOBS=1 74 | 75 | ARG ARCH=x86_64 76 | 77 | # build modules 78 | COPY ./modules /build/modules 79 | COPY ./makefile.* /build/ 80 | COPY ./docker-entry-ubi.sh /usr/local/sysflow/modules/bin/ 81 | RUN dnf -y install git && \ 82 | cd /build/modules && \ 83 | make INSTALL_PATH=${INSTALL_PATH} MAKE_JOBS=${MAKE_JOBS} install && \ 84 | make clean && rm -rf /build/modules && \ 85 | dnf -y remove git && dnf -y clean all && rm -rf /var/cache/dnf 86 | 87 | -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- 1 | # MAINTAINERS 2 | 3 | Frederico Araujo 4 | 5 | Teryl Taylor 6 | -------------------------------------------------------------------------------- /debug-entrypoint: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright (C) 2019 IBM Corporation. 4 | # 5 | # Authors: 6 | # Frederico Araujo 7 | # Teryl Taylor 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 
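# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Debug wrapper: runs sysporter under valgrind with a 15 minute cap, then keeps
# the container alive for an hour so /valgrind.log can be collected.
#
# Positional arguments (forwarded to sysporter):
#   $1 -> -G   $2 -> -w   $3 -> -e   $4 -> -f
#   $5.. -> any further arguments, appended verbatim
echo "Running Sysporter..."

# Arguments are quoted so values containing whitespace (paths, filter
# expressions) are not word-split by the shell. "${@:5}" forwards any extra
# arguments and expands to nothing when there are none, matching the old
# unquoted $5 in the common case.
timeout 15.0m /usr/bin/valgrind --leak-check=full --show-leak-kinds=all --log-file=/valgrind.log /usr/local/sysflow/bin/sysporter -G "$1" -w "$2" -e "$3" -f "$4" "${@:5}"

echo "Sysporter exited..."

sleep 60.0m
--------------------------------------------------------------------------------
/docker-entry-ubi.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Entrypoint for the UBI/driver images: re-points the container's kernel
# module and boot paths at the mounted host root, auto-detects the container
# runtime socket when CRI_PATH is not provided, translates DRIVER_TYPE into the
# variables the downstream falco entrypoint reads, then exec's that entrypoint.
set -x

# The Dockerfiles set ENV HOST_ROOT=/host; default it here as well so an unset
# value cannot turn the ln below into a self-referential
# /lib/modules -> /lib/modules link.
HOST_ROOT="${HOST_ROOT:-/host}"

rm -fr /usr/src/kernels/ && rm -fr /usr/src/debug/
rm -fr /lib/modules && ln -s "${HOST_ROOT}/lib/modules" /lib/modules
rm -fr /boot && ln -s "${HOST_ROOT}/boot" /boot
if [ -S "${HOST_ROOT}/var/run/docker.sock" ] ; then
  echo "Docker Engine domain socket detected"
fi
echo "CRI_PATH: ${CRI_PATH}"
if [ ! -z "${CRI_PATH}" ] ; then
  echo "Adopt CRI_PATH: ${CRI_PATH}"
else
  # Auto-detect the container runtime socket when CRI_PATH is empty.
  # Sockets are probed under HOST_ROOT (the same prefix used for /lib/modules
  # and /boot above) instead of a hard-coded /host, so a non-default host
  # mount is handled consistently. The CRI_PATH value itself stays a
  # host-relative path, as before.
  # A detected value is exported explicitly: if CRI_PATH was not present in
  # the environment at all, a plain assignment would stay local to this shell
  # and the exec'd entrypoint would never see it.
  numSocks=0
  if [ -S "${HOST_ROOT}/var/run/crio/crio.sock" ] ; then
    echo "CRIO domain socket detected"
    CRI_PATH="/var/run/crio/crio.sock"
    export CRI_PATH
    numSocks=$((numSocks+1))
  fi
  if [ -S "${HOST_ROOT}/run/containerd/containerd.sock" ] ; then
    echo "Containerd Domain Socket detected"
    CRI_PATH="/run/containerd/containerd.sock"
    export CRI_PATH
    numSocks=$((numSocks+1))
  fi
  if [ -S "${HOST_ROOT}/var/run/docker.sock" ] ; then
    echo "DOCKER domain socket detected"
    # Do not set CRI_PATH here, we will take DOCKER domain socket
    numSocks=$((numSocks+1))
  fi
  echo "${numSocks} container runtime sockets detected"
  if [ "$numSocks" -eq 0 ] ; then
    echo "WARNING: Unable to detect container runtime sockets. Will not be able to load container information"
  elif [ "$numSocks" -gt 1 ] ; then
    echo "WARNING: Multiple container runtime sockets found. This is not supported. Specify CRI_PATH environmental variable instead."
  fi
fi

# For ebpf-core, ask the downstream entrypoint to skip the falco driver loader.
if [ "${DRIVER_TYPE}" == "ebpf-core" ]; then
  echo "Exporting SKIP_DRIVER_LOADER"
  export SKIP_DRIVER_LOADER=1
fi

# For the legacy ebpf driver, make sure FALCO_BPF_PROBE is present in the
# environment (an empty value is sufficient) before handing off.
if [ "${DRIVER_TYPE}" == "ebpf" ] && [ -z "${FALCO_BPF_PROBE}" ]; then
  echo "Exporting FALCO_BPF_PROBE"
  export FALCO_BPF_PROBE=""
fi

exec /usr/local/sysflow/modules/bin/docker-entrypoint.sh "$@"
--------------------------------------------------------------------------------
/examples/Dockerfile:
--------------------------------------------------------------------------------
#
# Copyright (C) 2022 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.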
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Versions that select the prebuilt sysflowtelemetry/ubi base and driver images.
ARG FALCO_LIBS_VER
ARG FALCO_VER
ARG UBI_VER

#-----------------------
# Stage: Builder
#-----------------------
FROM sysflowtelemetry/ubi:base-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS builder

# sysflow release
ARG SYSFLOW_VERSION

# install libsysflow
# NOTE(review): the release tarball is fetched over HTTPS but its contents are
# copied into /usr without any checksum or signature verification, so the build
# trusts whatever the release asset contains at build time. Pinning a digest
# here (and failing the build on mismatch) would make the result reproducible
# and detect a substituted asset. The architecture is hard-coded to x86_64 in
# this variant, unlike the musl variants which take it from ARG ARCH.
RUN wget https://github.com/sysflow-telemetry/sf-collector/releases/download/${SYSFLOW_VERSION}/libsysflow-${SYSFLOW_VERSION}-x86_64.tar.gz && \
    tar xzf libsysflow-${SYSFLOW_VERSION}-x86_64.tar.gz && cp -r libsysflow-${SYSFLOW_VERSION}-x86_64/usr/* /usr/.

# build the example program
COPY callback.cpp /build/
COPY Makefile /build/
COPY manifest /build/
RUN make -C /build install

#-----------------------
# Stage: Runtime
#-----------------------
FROM sysflowtelemetry/ubi:driver-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS runtime

# Only the built example binary is carried over from the builder stage.
COPY --from=builder /usr/local/example/bin/callback /usr/local/example/bin/callback

# driver_type is the single-letter selector understood by callback (see
# callback.cpp); "e" selects the eBPF probe.
ARG driver_type="e"
ENV DRIVER_TYPE=$driver_type

CMD /usr/local/example/bin/callback ${DRIVER_TYPE}

-------------------------------------------------------------------------------- /examples/Dockerfile.dev: --------------------------------------------------------------------------------
#
# Copyright (C) 2022 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

ARG FALCO_LIBS_VER
ARG FALCO_VER
ARG UBI_VER

#-----------------------
# Stage: Builder
#-----------------------
FROM sysflowtelemetry/ubi:base-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS builder

# sysflow release
ARG SYSFLOW_VERSION

# install libsysflow
# Dev variant: the tarball is taken from the build context (a local build)
# instead of being downloaded from the GitHub release.
COPY libsysflow-${SYSFLOW_VERSION}-x86_64.tar.gz .
RUN tar xzf libsysflow-${SYSFLOW_VERSION}-x86_64.tar.gz && cp -r libsysflow-${SYSFLOW_VERSION}-x86_64/usr/* /usr/.

# build the example program
COPY callback.cpp /build/
COPY Makefile /build/
COPY manifest /build/
RUN make -C /build install

#-----------------------
# Stage: Runtime
#-----------------------
FROM sysflowtelemetry/ubi:driver-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS runtime

COPY --from=builder /usr/local/example/bin/callback /usr/local/example/bin/callback

ARG driver_type="e"
ENV DRIVER_TYPE=$driver_type

CMD /usr/local/example/bin/callback ${DRIVER_TYPE}

-------------------------------------------------------------------------------- /examples/Dockerfile.musl: --------------------------------------------------------------------------------
#
# Copyright (C) 2022 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

ARG FALCO_LIBS_VER
ARG FALCO_VER
ARG UBI_VER
ARG ALPINE_VER
ARG ALPINE_IMAGE
ARG RUNTIME_IMAGE

#-----------------------
# Stage: Builder
#-----------------------
FROM ${ALPINE_IMAGE}:${ALPINE_VER} AS builder

# Target architecture; selects which musl release tarball is fetched below.
ARG ARCH="x86_64"

# sysflow release
ARG SYSFLOW_VERSION

# setup build requirements
RUN apk add \
    make \
    g++ \
    boost-dev \
    boost-static \
    flex \
    bison \
    gawk \
    sparsehash

# install libsysflow
# NOTE(review): the archive is streamed straight from the download into /usr
# (--strip-components=2), so there is no on-disk copy to verify and no
# checksum/signature check before its contents land in the image. The same
# point applies to the wget in examples/Dockerfile above.
RUN wget -qO- https://github.com/sysflow-telemetry/sf-collector/releases/download/${SYSFLOW_VERSION}/libsysflow-musl-${SYSFLOW_VERSION}-${ARCH}.tar.gz | tar xz --strip-components=2 -C /usr

# build the example program
COPY callback.cpp /build/
COPY Makefile /build/
COPY manifest /build/
RUN MUSL=1 make -C /build install

#-----------------------
# Stage: Runtime
#-----------------------
FROM sysflowtelemetry/${RUNTIME_IMAGE}:driver-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS runtime

# The musl build also needs the sysflow library directory at runtime.
COPY --from=builder /usr/lib/sysflow /usr/lib/sysflow
COPY --from=builder /usr/local/example/bin/callback /usr/local/example/bin/callback

ARG driver_type="e"
ENV DRIVER_TYPE=$driver_type

CMD /usr/local/example/bin/callback ${DRIVER_TYPE}

-------------------------------------------------------------------------------- /examples/Dockerfile.musl.dev: --------------------------------------------------------------------------------
#
# Copyright (C) 2022 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

ARG FALCO_LIBS_VER
ARG FALCO_VER
ARG UBI_VER
ARG ALPINE_VER
ARG ALPINE_IMAGE
ARG RUNTIME_IMAGE

#-----------------------
# Stage: Builder
#-----------------------
FROM ${ALPINE_IMAGE}:${ALPINE_VER} AS builder

ARG ARCH="x86_64"

# sysflow release
ARG SYSFLOW_VERSION

# setup build requirements
RUN apk add \
    make \
    g++ \
    boost-dev \
    boost-static \
    flex \
    bison \
    gawk \
    sparsehash

# install libsysflow
# Dev variant: the musl tarball comes from the build context rather than from
# the GitHub release.
COPY libsysflow-musl-${SYSFLOW_VERSION}-${ARCH}.tar.gz .
RUN tar xzf libsysflow-musl-${SYSFLOW_VERSION}-${ARCH}.tar.gz && cp -r libsysflow-musl-${SYSFLOW_VERSION}-${ARCH}/usr/* /usr/.
51 | 52 | # build the example program 53 | COPY callback.cpp /build/ 54 | COPY Makefile /build/ 55 | COPY manifest /build/ 56 | RUN MUSL=1 make -C /build install 57 | 58 | #----------------------- 59 | # Stage: Runtime 60 | #----------------------- 61 | FROM sysflowtelemetry/${RUNTIME_IMAGE}:driver-${FALCO_LIBS_VER}-${FALCO_VER}-${UBI_VER} AS runtime 62 | 63 | COPY --from=builder /usr/lib/sysflow /usr/lib/sysflow 64 | COPY --from=builder /usr/local/example/bin/callback /usr/local/example/bin/callback 65 | 66 | ARG driver_type="e" 67 | ENV DRIVER_TYPE=$driver_type 68 | 69 | CMD /usr/local/example/bin/callback ${DRIVER_TYPE} 70 | 71 | -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # Example: SysFlow consumer 2 | 3 | This [example](callback.cpp) shows how to implement, build, and run a SysFlow consumer using LibSysFlow. 4 | 5 | The application uses callback functions to process SysFlow records. E.g., 6 | 7 | ```cpp 8 | // consumer-defined callback function 9 | void process_sysflow(sysflow::SFHeader* header, sysflow::Container* cont, sysflow::Process* proc, sysflow::File* f1, sysflow::File* f2, sysflow::SysFlow* rec) { 10 | // your switch block here 11 | } 12 | 13 | // example consumer 14 | int main(int argc, char **argv) { 15 | SysFlowConfig* config = sysflowlibscpp::InitializeSysFlowConfig(); 16 | config->callback = process_sysflow; 17 | sysflowlibscpp::SysFlowDriver *driver = new sysflowlibscpp::SysFlowDriver(config); 18 | driver->run(); 19 | } 20 | ``` 21 | 22 | ## Pre-requisites 23 | 24 | - docker (for building the application) 25 | 26 | ### Build requirements 27 | 28 | If using the provided dockerfiles, all the requirements are installed in the `builder` target. 

For Debian-based builds:

```bash
apt-get install -y make wget g++ libboost-iostreams-dev flex bison gawk libsparsehash-dev
```

For musl-based builds, on Alpine:

```bash
apk add make g++ boost-dev boost-static flex bison gawk sparsehash
```

### Falco drivers and driver loader requirements

Debian-based systems:

```bash
apt-get install -y --no-install-recommends bash-completion bc bison clang ca-certificates curl dkms flex gnupg2 gcc jq libc6-dev libelf-dev libmpx2 libssl-dev llvm netcat xz-utils
```

RPM-based systems:

```bash
dnf install -y gcc gcc-c++ wget binutils bzip2 perl glibc-static diffutils kmod xz apr-devel apr-util-devel openssl-devel flex bison libstdc++-static bc llvm-toolset
```

**Note:** The Falco driver requires the kernel headers to be installed in the target environment. You can check whether they are installed by looking in `/usr/src`. On Debian systems, the package name is `linux-headers-generic` or `linux-headers-$(uname -r)`; on RHEL systems, it is `kernel-devel` or `kernel-devel-$(uname -r)`.

## Build

```bash
make build
```

Or, to build the example using a musl toolchain, run:

```bash
make build/musl
```

## Running

To run the application directly on a bare host, run:

```bash
run.sh
```

Otherwise, to launch the application in a container, run:

```bash
docker-run.sh
```

**Note:** The example uses the eBPF probe by default. To use the kmod probe, remove `-e FALCO_BPF_PROBE=""` from `docker-run.sh` and remove argument `bpf` passed to the falco-driver-loader in `run.sh`.
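-------------------------------------------------------------------------------- /examples/callback.cpp: --------------------------------------------------------------------------------
#include "sysflow/enums.hh"
#include "sysflowlibs.hpp"
// The standard header names were lost in extraction; these are the ones the
// code below relies on (std::signal, printf, exit, strcmp, std::function).
#include <csignal>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <functional>

// Process-wide driver handle; the signal handler reaches it through
// shutdown_handler to stop collection.
sysflowlibscpp::SysFlowDriver *g_driver;

namespace {
// Set in main() once g_driver exists; invoked from signal_handler. The template
// argument was also lost in extraction; the callable takes no arguments and
// returns nothing, matching the lambda assigned in main().
std::function<void()> shutdown_handler;
// NOTE(review): this runs in signal context and calls into std::function and
// the driver, neither of which is guaranteed async-signal-safe. Acceptable for
// an example; a production consumer should only set a volatile sig_atomic_t
// flag here and act on it from normal control flow.
void signal_handler(int /*i*/) { shutdown_handler(); }
} // namespace

// Print the resource type and path of a file entity.
void printFile(sysflow::File *file) {
  printf("File: Type %d, Path %s\n", file->restype, file->path.c_str());
}

// Consumer callback invoked by LibSysFlow once per SysFlow record.
//
//   header  export header (exporter, ip, filename); dereferenced unconditionally.
//   cont    container entity; nullptr for records without a container.
//   proc    process entity; dereferenced unconditionally, so it is assumed to be
//           always present — TODO confirm against the LibSysFlow contract.
//   f1, f2  file entities referenced by the record; either may be nullptr.
//   flow    the record; rec.idx() selects which variant it holds.
//
// Writes a human-readable summary to stdout; no return value.
void process_sysflow(sysflow::SFHeader *header, sysflow::Container *cont,
                     sysflow::Process *proc, sysflow::File *f1,
                     sysflow::File *f2, sysflow::SysFlow *flow) {

  printf("****************************************************************\n");
  printf("Header: Exporter %s, IP %s, File name %s\n", header->exporter.c_str(),
         header->ip.c_str(), header->filename.c_str());

  if (cont != nullptr) {
    // "Type, %d" -> "Type %d": stray comma in the output label.
    printf("Container: Id %s, Name %s, Image %s, ImageId %s, Type %d\n",
           cont->id.c_str(), cont->name.c_str(), cont->image.c_str(),
           cont->imageid.c_str(), (int)cont->type);
  }

  printf("Process: PID %lu Creation Time, %lu, Exe %s, Exe Args %s, User Name "
         "%s, Group Name %s, TTY %d\n",
         proc->oid.hpid, proc->oid.createTS, proc->exe.c_str(),
         proc->exeArgs.c_str(), proc->userName.c_str(), proc->groupName.c_str(),
         proc->tty);

  if (f1 != nullptr) {
    printFile(f1);
  }

  if (f2 != nullptr) {
    printFile(f2);
  }

  // Dispatch on the record variant; each case prints a one-line summary.
  switch (flow->rec.idx()) {
  case SF_PROC_EVT: {
    sysflow::ProcessEvent pe = flow->rec.get_ProcessEvent();
    printf("Proc Evt: TID %lu, OpFlags %d, Ret %d\n", pe.tid, pe.opFlags,
           pe.ret);
    break;
  }
  case SF_NET_FLOW: {
    sysflow::NetworkFlow nf = flow->rec.get_NetworkFlow();
    printf("Network Flow: TID %lu, OpFlags: %d, SIP %d, SPort %d, DIP %d, "
           "DPort %d\n",
           nf.tid, nf.opFlags, nf.sip, nf.sport, nf.dip, nf.dport);
    break;
  }
  case SF_FILE_FLOW: {
    sysflow::FileFlow ff = flow->rec.get_FileFlow();
    printf("File Flow: TID %lu, OpFlags: %d, OpenFlags %d, FD %d\n", ff.tid,
           ff.opFlags, ff.openFlags, ff.fd);
    break;
  }
  case SF_FILE_EVT: {
    sysflow::FileEvent fe = flow->rec.get_FileEvent();
    // Label fixed: this case used to print "File Flow", which made file events
    // indistinguishable from file flows in the output.
    printf("File Evt: TID %lu, OpFlags: %d, Ret %d\n", fe.tid, fe.opFlags,
           fe.ret);
    break;
  }
  case SF_NET_EVT: {
    // Network events are not printed by this example.
    break;
  }
  case SF_PROC_FLOW: {
    printf("Proc Flow received\n");
    break;
  }
  default: {
    printf("Received unexpected flow type %lu\n", flow->rec.idx());
    break;
  }
  }

  printf("****************************************************************\n");
}

// Entry point: argv[1] selects the driver (k = kernel module, e = ebpf module,
// c = core ebpf probe); collection then runs until SIGINT/SIGTERM.
int main(int argc, char **argv) {
  // configure event collection (using defaults)
  SysFlowConfig *config = sysflowlibscpp::InitializeSysFlowConfig();
  config->callback = process_sysflow;

  if (argc > 1 && strcmp(argv[1], "k") == 0) {
    config->driverType = KMOD;
  } else if (argc > 1 && strcmp(argv[1], "e") == 0) {
    config->driverType = EBPF;
  } else if (argc > 1 && strcmp(argv[1], "c") == 0) {
    config->driverType = CORE_EBPF;
  } else {
    // The placeholder after "./callback" was lost in extraction and is restored
    // from the accepted values on the next line; "epbf" typo corrected.
    printf("Please specify the driver type: ./callback [k|e|c]\n");
    printf("k = kernel module, e = ebpf module, c = core ebpf probe\n");
    exit(1);
  }
  g_driver = new sysflowlibscpp::SysFlowDriver(config);

  // register signal handlers to stop event collection
  shutdown_handler = [&]() -> void { g_driver->exit(); };
  std::signal(SIGINT, signal_handler);
  std::signal(SIGTERM, signal_handler);

  // start event collection
  g_driver->run();

  // clean up resources
  delete g_driver;
}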
-------------------------------------------------------------------------------- /examples/docker-run.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Runs the example consumer image built from this directory.
DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
# Load the KEY?=VALUE pairs from the manifest into the environment; the '?' of
# the make-style '?=' is stripped so each line becomes a plain KEY=VALUE.
# NOTE(review): the expansion is unquoted, so a manifest value containing
# whitespace or glob characters would be split or expanded here.
export $(grep -v '^#' $DIR/manifest | xargs | sed 's/?//g')
# The container runs privileged with the host's Docker socket, /dev, /proc,
# /boot, /lib/modules, /usr, /etc and /var/lib mounted under /host, which is
# host-root-equivalent access; run only images you trust with these flags.
docker run \
  --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  -v /etc/:/host/etc:ro \
  -v /var/lib:/host/var/lib:ro \
  -e FALCO_DRIVER_LOADER_OPTIONS="ebpf" \
  -e DRIVER_TYPE="e" \
  --rm callback:${SYSFLOW_VERSION}
-------------------------------------------------------------------------------- /examples/run-core.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Runs the example with the core eBPF probe (no driver loader step).
set -e
DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
$DIR/callback c
-------------------------------------------------------------------------------- /examples/run-kmod.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Loads the falco kernel module via the driver loader, then runs the example
# with the kmod driver.
set -e

DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
DRIVER_NAME=falco /usr/bin/falco-driver-loader && $DIR/callback k
-------------------------------------------------------------------------------- /examples/run.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Prepares the eBPF probe via the driver loader (an empty FALCO_BPF_PROBE
# selects eBPF; DRIVERS_REPO is where the loader looks for prebuilt probes),
# then runs the example with the ebpf driver.
set -e
DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
export DRIVER_NAME=falco
export FALCO_BPF_PROBE=""
export DRIVERS_REPO=https://download.falco.org/driver
/usr/bin/falco-driver-loader bpf && $DIR/callback e
--------------------------------------------------------------------------------
/makefile.env.inc: --------------------------------------------------------------------------------
#
# Copyright (C) 2019 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Install-layout variables shared by the makefiles that include this file.
# INSTALL_PATH may be overridden from the command line or environment (?=);
# every other prefix is derived from it, except DRIVERPREFIX.
# (Comments are kept on their own lines: a trailing "# ..." on an assignment
# would leave trailing whitespace in the value.)
INSTALL_PATH?=/usr/local/sysflow
MODPREFIX=$(INSTALL_PATH)/modules
LIBPREFIX=$(MODPREFIX)/lib
BINPREFIX=$(MODPREFIX)/bin
CONFPREFIX=$(MODPREFIX)/conf
# Prefix only; presumably completed with a version suffix by an including
# makefile that is not visible here.
DRIVERPREFIX=/usr/src/falco-
FALCOINCPREFIX=$(MODPREFIX)/include/falcosecurity
FALCOLIBPREFIX=$(LIBPREFIX)/falcosecurity
AVRINCPREFIX=$(MODPREFIX)/include/avro
SFINCPREFIX=$(MODPREFIX)/include/sysflow
FSINCPREFIX=$(MODPREFIX)/include/filesystem
-------------------------------------------------------------------------------- /makefile.manifest.inc: --------------------------------------------------------------------------------
# Copyright (C) 2022 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License. 18 | 19 | SYSFLOW_VERSION?=0.7.0 20 | SYSFLOW_BUILD_NUMBER?=1 21 | FALCO_VERSION=0.39.1 22 | FALCO_LIBS_VERSION=0.18.1 23 | FALCO_LIBS_DRIVER_VERSION=7.3.0+driver 24 | FALCOCTL_VERSION=0.10.0 25 | AVRO_VERSION=release-1.11.0 26 | ELF_VERSION=v0.189 27 | GLOG_VERSION=v0.6.0 28 | SNAPPY_VERSION=1.1.9 29 | DKMS_VERSION=v3.0.3 30 | GHCFS_VERSION=v1.5.14 31 | XXHASH_VERSION=v0.8.2 32 | SPARSE_VERSION=sparsehash-2.0.4 33 | ALPINE_VERSION=3.18.3 34 | UBI_VERSION=9.4-1214.1729773476 35 | -------------------------------------------------------------------------------- /modules/falco-libs.s390x.mri: -------------------------------------------------------------------------------- 1 | create libs.a 2 | addlib libabsl_bad_any_cast_impl.a 3 | addlib libabsl_bad_optional_access.a 4 | addlib libabsl_bad_variant_access.a 5 | addlib libabsl_base.a 6 | addlib libabsl_city.a 7 | addlib libabsl_civil_time.a 8 | addlib libabsl_cord.a 9 | addlib libabsl_cord_internal.a 10 | addlib libabsl_cordz_functions.a 11 | addlib libabsl_cordz_handle.a 12 | addlib libabsl_cordz_info.a 13 | addlib libabsl_cordz_sample_token.a 14 | addlib libabsl_debugging_internal.a 15 | addlib libabsl_demangle_internal.a 16 | addlib libabsl_examine_stack.a 17 | addlib libabsl_exponential_biased.a 18 | addlib libabsl_failure_signal_handler.a 19 | addlib libabsl_flags.a 20 | addlib libabsl_flags_commandlineflag.a 21 | addlib libabsl_flags_commandlineflag_internal.a 22 | addlib libabsl_flags_config.a 23 | addlib libabsl_flags_internal.a 24 | addlib libabsl_flags_marshalling.a 
25 | addlib libabsl_flags_parse.a 26 | addlib libabsl_flags_private_handle_accessor.a 27 | addlib libabsl_flags_program_name.a 28 | addlib libabsl_flags_reflection.a 29 | addlib libabsl_flags_usage.a 30 | addlib libabsl_flags_usage_internal.a 31 | addlib libabsl_graphcycles_internal.a 32 | addlib libabsl_hash.a 33 | addlib libabsl_hashtablez_sampler.a 34 | addlib libabsl_int128.a 35 | addlib libabsl_leak_check.a 36 | addlib libabsl_leak_check_disable.a 37 | addlib libabsl_log_severity.a 38 | addlib libabsl_low_level_hash.a 39 | addlib libabsl_malloc_internal.a 40 | addlib libabsl_periodic_sampler.a 41 | addlib libabsl_random_distributions.a 42 | addlib libabsl_random_internal_distribution_test_util.a 43 | addlib libabsl_random_internal_platform.a 44 | addlib libabsl_random_internal_pool_urbg.a 45 | addlib libabsl_random_internal_randen.a 46 | addlib libabsl_random_internal_randen_hwaes.a 47 | addlib libabsl_random_internal_randen_hwaes_impl.a 48 | addlib libabsl_random_internal_randen_slow.a 49 | addlib libabsl_random_internal_seed_material.a 50 | addlib libabsl_random_seed_gen_exception.a 51 | addlib libabsl_random_seed_sequences.a 52 | addlib libabsl_raw_hash_set.a 53 | addlib libabsl_raw_logging_internal.a 54 | addlib libabsl_scoped_set_env.a 55 | addlib libabsl_spinlock_wait.a 56 | addlib libabsl_stacktrace.a 57 | addlib libabsl_status.a 58 | addlib libabsl_statusor.a 59 | addlib libabsl_str_format_internal.a 60 | addlib libabsl_strerror.a 61 | addlib libabsl_strings.a 62 | addlib libabsl_strings_internal.a 63 | addlib libabsl_symbolize.a 64 | addlib libabsl_synchronization.a 65 | addlib libabsl_throw_delegate.a 66 | addlib libabsl_time.a 67 | addlib libabsl_time_zone.a 68 | addlib libcurl.a 69 | addlib libdriver_event_schema.a 70 | addlib libgpr.a 71 | addlib libgrpcpp.a 72 | addlib libgrpcpp_alts.a 73 | addlib libgrpcpp_error_details.a 74 | addlib libgrpcpp_reflection.a 75 | addlib libgrpcpp_unsecure.a 76 | addlib libgrpc.a 77 | addlib 
libgrpc_plugin_support.a 78 | addlib libgrpc_unsecure.a 79 | addlib libgrpcpp_channelz.a 80 | addlib libscap.a 81 | addlib libscap_engine_bpf.a 82 | addlib libscap_engine_kmod.a 83 | addlib libscap_engine_nodriver.a 84 | addlib libscap_engine_noop.a 85 | addlib libscap_engine_modern_bpf.a 86 | addlib libscap_engine_savefile.a 87 | addlib libscap_engine_source_plugin.a 88 | addlib libscap_engine_util.a 89 | addlib libscap_error.a 90 | addlib libscap_event_schema.a 91 | addlib libscap_platform.a 92 | addlib libscap_platform_util.a 93 | addlib libsinsp.a 94 | addlib libcri_v1alpha2.a 95 | addlib libcri_v1.a 96 | addlib libtbb.a 97 | addlib libpman.a 98 | addlib libbpf.a 99 | addlib libjsoncpp.a 100 | save 101 | end 102 | -------------------------------------------------------------------------------- /modules/falco-libs.x86_64.mri: -------------------------------------------------------------------------------- 1 | create libs.a 2 | addlib libabsl_bad_any_cast_impl.a 3 | addlib libabsl_bad_optional_access.a 4 | addlib libabsl_bad_variant_access.a 5 | addlib libabsl_base.a 6 | addlib libabsl_city.a 7 | addlib libabsl_civil_time.a 8 | addlib libabsl_cord.a 9 | addlib libabsl_cord_internal.a 10 | addlib libabsl_cordz_functions.a 11 | addlib libabsl_cordz_handle.a 12 | addlib libabsl_cordz_info.a 13 | addlib libabsl_cordz_sample_token.a 14 | addlib libabsl_debugging_internal.a 15 | addlib libabsl_demangle_internal.a 16 | addlib libabsl_examine_stack.a 17 | addlib libabsl_exponential_biased.a 18 | addlib libabsl_failure_signal_handler.a 19 | addlib libabsl_flags.a 20 | addlib libabsl_flags_commandlineflag.a 21 | addlib libabsl_flags_commandlineflag_internal.a 22 | addlib libabsl_flags_config.a 23 | addlib libabsl_flags_internal.a 24 | addlib libabsl_flags_marshalling.a 25 | addlib libabsl_flags_parse.a 26 | addlib libabsl_flags_private_handle_accessor.a 27 | addlib libabsl_flags_program_name.a 28 | addlib libabsl_flags_reflection.a 29 | addlib libabsl_flags_usage.a 30 | 
addlib libabsl_flags_usage_internal.a 31 | addlib libabsl_graphcycles_internal.a 32 | addlib libabsl_hash.a 33 | addlib libabsl_hashtablez_sampler.a 34 | addlib libabsl_int128.a 35 | addlib libabsl_leak_check.a 36 | addlib libabsl_leak_check_disable.a 37 | addlib libabsl_log_severity.a 38 | addlib libabsl_low_level_hash.a 39 | addlib libabsl_malloc_internal.a 40 | addlib libabsl_periodic_sampler.a 41 | addlib libabsl_random_distributions.a 42 | addlib libabsl_random_internal_distribution_test_util.a 43 | addlib libabsl_random_internal_platform.a 44 | addlib libabsl_random_internal_pool_urbg.a 45 | addlib libabsl_random_internal_randen.a 46 | addlib libabsl_random_internal_randen_hwaes.a 47 | addlib libabsl_random_internal_randen_hwaes_impl.a 48 | addlib libabsl_random_internal_randen_slow.a 49 | addlib libabsl_random_internal_seed_material.a 50 | addlib libabsl_random_seed_gen_exception.a 51 | addlib libabsl_random_seed_sequences.a 52 | addlib libabsl_raw_hash_set.a 53 | addlib libabsl_raw_logging_internal.a 54 | addlib libabsl_scoped_set_env.a 55 | addlib libabsl_spinlock_wait.a 56 | addlib libabsl_stacktrace.a 57 | addlib libabsl_status.a 58 | addlib libabsl_statusor.a 59 | addlib libabsl_str_format_internal.a 60 | addlib libabsl_strerror.a 61 | addlib libabsl_strings.a 62 | addlib libabsl_strings_internal.a 63 | addlib libabsl_symbolize.a 64 | addlib libabsl_synchronization.a 65 | addlib libabsl_throw_delegate.a 66 | addlib libabsl_time.a 67 | addlib libabsl_time_zone.a 68 | addlib libcurl.a 69 | addlib libdriver_event_schema.a 70 | addlib libgpr.a 71 | addlib libgrpcpp.a 72 | addlib libgrpcpp_alts.a 73 | addlib libgrpcpp_error_details.a 74 | addlib libgrpcpp_reflection.a 75 | addlib libgrpcpp_unsecure.a 76 | addlib libgrpc.a 77 | addlib libgrpc_plugin_support.a 78 | addlib libgrpc_unsecure.a 79 | addlib libgrpcpp_channelz.a 80 | addlib libscap.a 81 | addlib libscap_engine_bpf.a 82 | addlib libscap_engine_gvisor.a 83 | addlib libscap_engine_kmod.a 84 | addlib 
libscap_engine_nodriver.a 85 | addlib libscap_engine_noop.a 86 | addlib libscap_engine_modern_bpf.a 87 | addlib libscap_engine_savefile.a 88 | addlib libscap_engine_source_plugin.a 89 | addlib libscap_engine_util.a 90 | addlib libscap_error.a 91 | addlib libscap_event_schema.a 92 | addlib libscap_platform.a 93 | addlib libscap_platform_util.a 94 | addlib libsinsp.a 95 | addlib libcri_v1alpha2.a 96 | addlib libcri_v1.a 97 | addlib libtbb.a 98 | addlib libpman.a 99 | addlib libbpf.a 100 | addlib libjsoncpp.a 101 | save 102 | end 103 | -------------------------------------------------------------------------------- /scripts/build/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage: build.sh version release falcover libsver ubiver target 3 | target=$6 4 | docker build --build-arg BUILD_NUMBER=$2 \ 5 | --build-arg VERSION=$1 \ 6 | --build-arg RELEASE=$2 \ 7 | --build-arg FALCO_VER=$3 \ 8 | --build-arg FALCO_LIBS_VER=$4 \ 9 | --build-arg UBI_VER=$5 \ 10 | --target $target \ 11 | -t sf-collector:$target \ 12 | . 13 | docker build --cache-from=sf-collector:$target --target=testing -t sf-collector:testing . 
-------------------------------------------------------------------------------- /scripts/build/cleanup.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Usage: cleanup image
# Removes the given CI image and its -testing variant, then every
# sysflowtelemetry/ubi image, pruning dangling layers after each step.
docker rmi $1-testing
docker rmi $1
docker image prune -f
docker rmi $(docker images -q sysflowtelemetry/ubi)
docker image prune -f
-------------------------------------------------------------------------------- /scripts/build/env_init.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Runs the "init" target of the modules Makefile to prepare the build tree.
make -C modules init
-------------------------------------------------------------------------------- /scripts/build/redhat_scan_submit.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Submit an image to RedHat SysFlow Exporter Jobs for certification
# Usage: redhat_scan_submit.sh [login secret] [image_to_be_scanned] [RedHat project ID] [container label]
set -e

# NOTE(review): the login secret is passed with -p, so it is visible in the
# process list (and in CI logs that echo commands) for the duration of the
# login; feeding it through --password-stdin avoids the process-list exposure.
docker login -u unused -p $1 scan.connect.redhat.com

# Tag, push for scanning, then drop the local tag again.
docker tag $2 scan.connect.redhat.com/$3/test:$4
docker push scan.connect.redhat.com/$3/test:$4

docker rmi scan.connect.redhat.com/$3/test:$4


-------------------------------------------------------------------------------- /scripts/build/test.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Build the testing image from the given CI image and run the bats test suite in it
# Usage: test.sh ci-image
docker build --cache-from $1 --target testing -t $1-testing .
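docker run --rm --name sftests -v "$(pwd)/tests:/usr/local/sysflow/tests" $1-testing -t tests/tests.bats
-------------------------------------------------------------------------------- /scripts/cpack/CPackConfig-libs-musl.cmake: --------------------------------------------------------------------------------
# CPack configuration for the musl build of LibSysFlow (DEB, RPM and TGZ).
set(CPACK_PACKAGE_NAME "libsysflow-musl")
set(CPACK_PACKAGE_CONTACT "sysflow.io")
set(CPACK_PACKAGE_VENDOR "SysFlow")
set(CPACK_PACKAGE_DESCRIPTION "LibSysFlow exposes a programmatic API to monitor and collect system call and event information from hosts and export them in the entity-relational, flow-based SysFlow format")
set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "SysFlow library for implementing userspace consumers")
set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_LIST_DIR}/build-libs/LICENSE.md")
set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_LIST_DIR}/build-libs/README.md")
set(CPACK_STRIP_FILES "ON")
set(CPACK_PACKAGE_RELOCATABLE "OFF")

# The package version comes from the SYSFLOW_VERSION environment variable and
# falls back to 0.0.0 when it is unset.
set(CPACK_PACKAGE_VERSION "$ENV{SYSFLOW_VERSION}")
if(NOT CPACK_PACKAGE_VERSION)
  set(CPACK_PACKAGE_VERSION "0.0.0")
else()
  # Remove the starting "v" in case there is one
  string(REGEX REPLACE "^v(.*)" "\\1" CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}")

  # Remove any release suffixes in case there is one
  # string(REGEX REPLACE "-.*" "" CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}")
endif()
# Parse version into its major, minor, patch components
string(REGEX MATCH "^(0|[1-9][0-9]*)" CPACK_PACKAGE_VERSION_MAJOR "${CPACK_PACKAGE_VERSION}")
string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" CPACK_PACKAGE_VERSION_MINOR "${CPACK_PACKAGE_VERSION}")
string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" CPACK_PACKAGE_VERSION_PATCH "${CPACK_PACKAGE_VERSION}")

if(NOT CPACK_GENERATOR)
  set(CPACK_GENERATOR DEB RPM TGZ)
endif()

message(STATUS "Packaging LibSysFlow ${CPACK_PACKAGE_VERSION}")
message(STATUS "Using package generators: ${CPACK_GENERATOR}")
message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")

# DEB
set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
# Map the CMake processor name onto the Debian architecture name. The variable
# is referenced by name so an empty/undefined CMAKE_SYSTEM_PROCESSOR no longer
# produces a malformed if() expression.
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64")
  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
endif()
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
endif()
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "s390x")
  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "s390x")
endif()
set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://github.com/sysflow-telemetry/sf-collector")

# RPM
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
# Fixed: a stray comma after the variable name used to define a variable
# literally called "CPACK_RPM_PACKAGE_ARCHITECTURE,", so the real RPM
# architecture setting was never applied and CPack fell back to its default.
set(CPACK_RPM_PACKAGE_ARCHITECTURE "${CMAKE_SYSTEM_PROCESSOR}")
set(CPACK_RPM_PACKAGE_URL "https://github.com/sysflow-telemetry/sf-collector")
set(CPACK_RPM_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}")
# Directories owned by the base system; keep them out of the RPM file list so
# the package does not claim ownership of (and conflict over) them.
set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
  /etc/falco
  /usr/src
  /usr/src/dkms
  /usr/share/man
  /usr/share/man/man8
  /usr/lib
  /usr/lib/falcosecurity
  /usr/lib/sysflow
  /usr/include
  /usr/include/falcosecurity
  /usr/include/sysflow
  /usr
  /usr/bin
  /usr/share)
set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
# Since we package make to enable dkms install
set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none")
# Automatic dependency generation is disabled; runtime requirements are not
# derived from the packaged binaries.
set(CPACK_RPM_PACKAGE_AUTOREQ "OFF")

# Contents
set(CPACK_PACKAGE_FILE_NAME ${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR})
# Pairs of (source directory, install destination).
set(CPACK_INSTALLED_DIRECTORIES "${CMAKE_CURRENT_LIST_DIR}/build-driver/bin" "/usr/bin" "${CMAKE_CURRENT_LIST_DIR}/build-driver/src" "/usr/src" "${CMAKE_CURRENT_LIST_DIR}/build-libs-musl/include" "/usr/include" "${CMAKE_CURRENT_LIST_DIR}/build-libs-musl/lib" "/usr/lib" "${CMAKE_CURRENT_LIST_DIR}/build-libs-musl/etc/falco" "/etc/falco")
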
-------------------------------------------------------------------------------- /scripts/cpack/CPackConfig-libs.cmake: -------------------------------------------------------------------------------- 1 | set(CPACK_PACKAGE_NAME "libsysflow") 2 | set(CPACK_PACKAGE_CONTACT "sysflow.io") 3 | set(CPACK_PACKAGE_VENDOR "SysFlow") 4 | set(CPACK_PACKAGE_DESCRIPTION "LibSysFlow exposes a programmatic API to monitor and collect system call and event information from hosts and export them in the entity-relational, flow-based SysFlow format") 5 | set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "SysFlow library for implementing userspace consumers") 6 | set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_LIST_DIR}/build-libs/LICENSE.md") 7 | set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_LIST_DIR}/build-libs/README.md") 8 | set(CPACK_STRIP_FILES "ON") 9 | set(CPACK_PACKAGE_RELOCATABLE "OFF") 10 | 11 | set(CPACK_PACKAGE_VERSION "$ENV{SYSFLOW_VERSION}") 12 | if(NOT CPACK_PACKAGE_VERSION) 13 | set(CPACK_PACKAGE_VERSION "0.0.0") 14 | else() 15 | # Remove the starting "v" in case there is one 16 | string(REGEX REPLACE "^v(.*)" "\\1" CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}") 17 | 18 | # Remove any release suffixes in case there is one 19 | # string(REGEX REPLACE "-.*" "" CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}") 20 | endif() 21 | # Parse version into its major, minor, patch components 22 | string(REGEX MATCH "^(0|[1-9][0-9]*)" CPACK_PACKAGE_VERSION_MAJOR "${CPACK_PACKAGE_VERSION}") 23 | string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" CPACK_PACKAGE_VERSION_MINOR "${CPACK_PACKAGE_VERSION}") 24 | string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" CPACK_PACKAGE_VERSION_PATCH "${CPACK_PACKAGE_VERSION}") 25 | 26 | if(NOT CPACK_GENERATOR) 27 | set(CPACK_GENERATOR DEB RPM TGZ) 28 | endif() 29 | 30 | message(STATUS "Packaging LibSysFlow ${CPACK_PACKAGE_VERSION}") 31 | message(STATUS "Using package generators: ${CPACK_GENERATOR}") 32 | 
message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}") 33 | 34 | # DEB 35 | set(CPACK_DEBIAN_PACKAGE_SECTION "utils") 36 | if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64") 37 | set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64") 38 | endif() 39 | if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64") 40 | set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64") 41 | endif() 42 | set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://github.com/sysflow-telemetry/sf-collector") 43 | set(CPACK_DEBIAN_COMPRESSION_TYPE "gzip") 44 | 45 | # RPM 46 | set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0") 47 | set(CPACK_RPM_PACKAGE_ARCHITECTURE, "${CMAKE_SYSTEM_PROCESSOR}") 48 | set(CPACK_RPM_PACKAGE_URL "https://github.com/sysflow-telemetry/sf-collector") 49 | set(CPACK_RPM_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}") 50 | set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION 51 | /etc/falco 52 | /usr/src 53 | /usr/src/dkms 54 | /usr/share/man 55 | /usr/share/man/man8 56 | /usr/lib 57 | /usr/lib/falcosecurity 58 | /usr/lib/sysflow 59 | /usr/include 60 | /usr/include/falcosecurity 61 | /usr/include/sysflow 62 | /usr 63 | /usr/bin 64 | /usr/share) 65 | set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF") 66 | # Since we package make to enable dkms install 67 | set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") 68 | 69 | # Contents 70 | set(CPACK_PACKAGE_FILE_NAME ${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}) 71 | set(CPACK_INSTALLED_DIRECTORIES "${CMAKE_CURRENT_LIST_DIR}/build-driver/bin" "/usr/bin" "${CMAKE_CURRENT_LIST_DIR}/build-driver/src" "/usr/src" "${CMAKE_CURRENT_LIST_DIR}/build-libs/include" "/usr/include" "${CMAKE_CURRENT_LIST_DIR}/build-libs/lib" "/usr/lib" "${CMAKE_CURRENT_LIST_DIR}/build-libs/etc/falco" "/etc/falco") 72 | 73 | -------------------------------------------------------------------------------- /scripts/cpack/CPackConfig.cmake: -------------------------------------------------------------------------------- 1 | set(CPACK_PACKAGE_NAME "sfcollector") 2 | 
set(CPACK_PACKAGE_CONTACT "sysflow.io") 3 | set(CPACK_PACKAGE_VENDOR "SysFlow") 4 | set(CPACK_PACKAGE_DESCRIPTION "The SysFlow Collector monitors and collects system call and event information from hosts and exports them in the SysFlow format using Apache Avro object serialization") 5 | set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "SysFlow collector agent") 6 | set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_LIST_DIR}/build/LICENSE.md") 7 | set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_LIST_DIR}/build/README.md") 8 | set(CPACK_STRIP_FILES "ON") 9 | set(CPACK_PACKAGE_RELOCATABLE "OFF") 10 | 11 | set(CPACK_PACKAGE_VERSION "$ENV{SYSFLOW_VERSION}") 12 | if(NOT CPACK_PACKAGE_VERSION) 13 | set(CPACK_PACKAGE_VERSION "0.0.0") 14 | else() 15 | # Remove the starting "v" in case there is one 16 | string(REGEX REPLACE "^v(.*)" "\\1" CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}") 17 | 18 | # Remove any release suffixes in case there is one 19 | # string(REGEX REPLACE "-.*" "" CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}") 20 | endif() 21 | # Parse version into its major, minor, patch components 22 | string(REGEX MATCH "^(0|[1-9][0-9]*)" CPACK_PACKAGE_VERSION_MAJOR "${CPACK_PACKAGE_VERSION}") 23 | string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" CPACK_PACKAGE_VERSION_MINOR "${CPACK_PACKAGE_VERSION}") 24 | string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" CPACK_PACKAGE_VERSION_PATCH "${CPACK_PACKAGE_VERSION}") 25 | 26 | if(NOT CPACK_GENERATOR) 27 | set(CPACK_GENERATOR DEB RPM TGZ) 28 | endif() 29 | 30 | message(STATUS "Packaging SysFlow ${CPACK_PACKAGE_VERSION}") 31 | message(STATUS "Using package generators: ${CPACK_GENERATOR}") 32 | message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}") 33 | 34 | # DEB 35 | set(CPACK_DEBIAN_PACKAGE_SECTION "utils") 36 | if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64") 37 | set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64") 38 | endif() 39 | if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL 
"aarch64") 40 | set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64") 41 | endif() 42 | if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "s390x") 43 | set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "s390x") 44 | endif() 45 | set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://github.com/sysflow-telemetry/sf-collector") 46 | 47 | # RPM 48 | set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0") 49 | set(CPACK_RPM_PACKAGE_ARCHITECTURE, "${CMAKE_SYSTEM_PROCESSOR}") 50 | set(CPACK_RPM_PACKAGE_URL "https://github.com/sysflow-telemetry/sf-collector") 51 | set(CPACK_RPM_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}") 52 | set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION 53 | /etc/falco 54 | /usr/src 55 | /usr/share/man 56 | /usr/share/man/man8 57 | /etc 58 | /etc/sysflow 59 | /usr 60 | /usr/bin 61 | /usr/share 62 | /usr/lib 63 | /usr/lib/sysflow 64 | /usr/lib/systemd 65 | /usr/lib/systemd/system) 66 | set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF") 67 | # Since we package make to enable dkms install 68 | set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") 69 | set(CPACK_RPM_PACKAGE_AUTOREQ "OFF") 70 | 71 | # Contents 72 | set(CPACK_PACKAGE_FILE_NAME ${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}) 73 | set(CPACK_INSTALLED_DIRECTORIES "${CMAKE_CURRENT_LIST_DIR}/build/bin" "/usr/bin" "${CMAKE_CURRENT_LIST_DIR}/build/conf" "/etc/sysflow/conf" "${CMAKE_CURRENT_LIST_DIR}/build/driver" "/etc/sysflow/driver" "${CMAKE_CURRENT_LIST_DIR}/build/src" "/usr/src" "${CMAKE_CURRENT_LIST_DIR}/build/service" "/usr/lib/systemd/system" "${CMAKE_CURRENT_LIST_DIR}/build/modules" "/etc/sysflow/modules" "${CMAKE_CURRENT_LIST_DIR}/build/lib" "/usr/lib" "${CMAKE_CURRENT_LIST_DIR}/build/etc/falco" "/etc/falco") 74 | 75 | -------------------------------------------------------------------------------- /scripts/cpack/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | rm -rf build build-libs build-libs-musl build-driver _CPack_Packages sfcollector* 
libsysflow* 4 | 5 | -------------------------------------------------------------------------------- /scripts/cpack/prepackage-driver.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 5 | BUILD_DIR=build-driver 6 | DRIVER_SRC_PATH=$(find /usr/src -name "falco-*") 7 | 8 | cd $DIR && rm -rf $BUILD_DIR && mkdir -p $BUILD_DIR 9 | mkdir -p $DIR/$BUILD_DIR/bin && cp -a /usr/bin/falcoctl $DIR/$BUILD_DIR/bin/. && \ 10 | cp -a /docker-entrypoint.sh $DIR/$BUILD_DIR/bin/. 11 | mkdir -p $DIR/$BUILD_DIR/src && cp -a $DRIVER_SRC_PATH $DIR/$BUILD_DIR/src/$(basename $DRIVER_SRC_PATH) && \ 12 | mkdir $DIR/$BUILD_DIR/src/dkms && cp -a $DIR/../../modules/src/dkms/* $DIR/$BUILD_DIR/src/dkms 13 | 14 | -------------------------------------------------------------------------------- /scripts/cpack/prepackage-libs-musl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 5 | BUILD_DIR=build-libs-musl 6 | 7 | cd $DIR && rm -rf $BUILD_DIR && mkdir -p $BUILD_DIR 8 | mkdir -p $DIR/$BUILD_DIR/etc/falco && touch $DIR/$BUILD_DIR/etc/falco/falco.yaml 9 | mkdir -p $DIR/$BUILD_DIR/lib && cp -a /usr/local/sysflow/modules/lib/falcosecurity $DIR/$BUILD_DIR/lib/. 10 | mkdir -p $DIR/$BUILD_DIR/include && cp -a /usr/local/sysflow/modules/include/falcosecurity $DIR/$BUILD_DIR/include/. 11 | mkdir -p $DIR/$BUILD_DIR/lib && cp -a /usr/local/sysflow/lib $DIR/$BUILD_DIR/lib/sysflow && \ 12 | cp -a /usr/lib/sysflow/* $DIR/$BUILD_DIR/lib/sysflow/. && \ 13 | cp -a /usr/local/sysflow/modules/lib/*.a $DIR/$BUILD_DIR/lib/sysflow/. && \ 14 | cp -a /usr/local/lib/libsnappy.a $DIR/$BUILD_DIR/lib/sysflow/. && \ 15 | cp -a /usr/local/lib/libglog.a $DIR/$BUILD_DIR/lib/sysflow/. 
16 | mkdir -p $DIR/$BUILD_DIR/include && cp -a /usr/local/sysflow/include/sysflow $DIR/$BUILD_DIR/include/. && cp -a /usr/local/sysflow/modules/include/*.h $DIR/$BUILD_DIR/include/. && \ 17 | cp -a /usr/local/sysflow/modules/include/sysflow/c++/sysflow/* $DIR/$BUILD_DIR/include/sysflow/. && \ 18 | cp -a /usr/local/sysflow/modules/include/avro $DIR/$BUILD_DIR/include/sysflow/. && \ 19 | cp -a /usr/local/sysflow/modules/include/filesystem $DIR/$BUILD_DIR/include/sysflow/. && \ 20 | cp -a /usr/local/include $DIR/$BUILD_DIR/include/sysflow/mods 21 | cp $DIR/../../LICENSE.md $DIR/$BUILD_DIR/. 22 | cp $DIR/../../README.md $DIR/$BUILD_DIR/. 23 | 24 | # strip static libraries 25 | find "$BUILD_DIR" -type f -name "*.a" -exec strip -g '{}' \; 26 | -------------------------------------------------------------------------------- /scripts/cpack/prepackage-libs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 5 | BUILD_DIR=build-libs 6 | 7 | cd $DIR && rm -rf $BUILD_DIR && mkdir -p $BUILD_DIR 8 | mkdir -p $DIR/$BUILD_DIR/etc/falco && touch $DIR/$BUILD_DIR/etc/falco/falco.yaml 9 | mkdir -p $DIR/$BUILD_DIR/lib && cp -a /usr/local/sysflow/modules/lib/falcosecurity $DIR/$BUILD_DIR/lib/. 10 | mkdir -p $DIR/$BUILD_DIR/include && cp -a /usr/local/sysflow/modules/include/falcosecurity $DIR/$BUILD_DIR/include/. 11 | mkdir -p $DIR/$BUILD_DIR/lib && cp -a /usr/local/sysflow/lib $DIR/$BUILD_DIR/lib/sysflow && \ 12 | cp -a /usr/local/sysflow/modules/lib/*.a $DIR/$BUILD_DIR/lib/sysflow/. && \ 13 | cp -a /usr/local/lib64/libsnappy.a $DIR/$BUILD_DIR/lib/sysflow/. && \ 14 | cp -a /usr/local/lib64/libglog.a $DIR/$BUILD_DIR/lib/sysflow/. 15 | mkdir -p $DIR/$BUILD_DIR/include && cp -a /usr/local/sysflow/include/sysflow $DIR/$BUILD_DIR/include/. && \ 16 | cp -a /usr/local/sysflow/modules/include/sysflow/c++/sysflow/* $DIR/$BUILD_DIR/include/sysflow/. 
&& \ 17 | cp -a /usr/local/sysflow/modules/include/avro $DIR/$BUILD_DIR/include/sysflow/. && \ 18 | cp -a /usr/local/sysflow/modules/include/filesystem $DIR/$BUILD_DIR/include/sysflow/. && \ 19 | cp -a /usr/local/include $DIR/$BUILD_DIR/include/sysflow/mods 20 | cp $DIR/../../LICENSE.md $DIR/$BUILD_DIR/. 21 | cp $DIR/../../README.md $DIR/$BUILD_DIR/. 22 | 23 | # strip static libraries 24 | find "$BUILD_DIR" -type f -name "*.a" -exec strip -g '{}' \; 25 | 26 | -------------------------------------------------------------------------------- /scripts/cpack/prepackage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 5 | BUILD_DIR=build 6 | DRIVER_SRC_PATH=$(find /usr/src -name "falco-*") 7 | 8 | cd $DIR && rm -rf $BUILD_DIR && mkdir -p $BUILD_DIR 9 | cp -a $DIR/../../bin $DIR/$BUILD_DIR/bin 10 | mkdir -p $DIR/$BUILD_DIR/etc/falco && touch $DIR/$BUILD_DIR/etc/falco/falco.yaml 11 | mkdir -p $DIR/$BUILD_DIR/lib && cp -a /usr/lib/sysflow $DIR/$BUILD_DIR/lib 12 | mkdir -p $DIR/$BUILD_DIR/driver && cp -a /usr/bin/falcoctl $DIR/$BUILD_DIR/driver/. 13 | mkdir -p $DIR/$BUILD_DIR/src && cp -a $DRIVER_SRC_PATH $DIR/$BUILD_DIR/src/$(basename $DRIVER_SRC_PATH) 14 | mkdir -p $DIR/$BUILD_DIR/modules/src/dkms && cp -a $DIR/../../modules/src/dkms/* $DIR/$BUILD_DIR/modules/src/dkms 15 | mkdir -p $DIR/$BUILD_DIR/modules/bin && cp -a $(which make) $DIR/$BUILD_DIR/modules/bin/make 16 | cp -a $DIR/../service/systemd $DIR/$BUILD_DIR/service 17 | cp $DIR/../service/bin/sysflow $DIR/$BUILD_DIR/bin/. 18 | cp -a $DIR/../service/conf $DIR/$BUILD_DIR/conf 19 | cp $DIR/../service/driver/start $DIR/$BUILD_DIR/driver/. 20 | cp $DIR/../service/driver/cleanup $DIR/$BUILD_DIR/driver/. 21 | cp $DIR/../../LICENSE.md $DIR/$BUILD_DIR/. 22 | cp $DIR/../../README.md $DIR/$BUILD_DIR/. 
23 | 24 | # strip binaries 25 | find "$BUILD_DIR" -type f -name "sysporter" -exec strip -g '{}' \; 26 | 27 | -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/clang-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/clang-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/clang-libs-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/clang-libs-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | rpm -ivh --oldpackage *.rpm 3 | -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/libedit-3.1-23.20170329cvs.el8.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/libedit-3.1-23.20170329cvs.el8.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/lld-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/lld-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/lld-libs-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/lld-libs-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/lldb-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/lldb-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/llvm-9.0.1-5.module_el8.2.0+461+2e15bd5f.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/llvm-9.0.1-5.module_el8.2.0+461+2e15bd5f.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/llvm-libs-9.0.1-5.module_el8.2.0+461+2e15bd5f.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/llvm-libs-9.0.1-5.module_el8.2.0+461+2e15bd5f.x86_64.rpm -------------------------------------------------------------------------------- 
/scripts/dev/rpms/llvm/llvm-toolset-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/llvm-toolset-9.0.1-1.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/dev/rpms/llvm/python3-lldb-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/scripts/dev/rpms/llvm/python3-lldb-9.0.1-2.module_el8.2.0+309+0c7b6b03.x86_64.rpm -------------------------------------------------------------------------------- /scripts/installUBIDependency.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright (C) 2019 IBM Corporation. 4 | # 5 | # Authors: 6 | # Frederico Araujo 7 | # Teryl Taylor 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | # Unless required by applicable law or agreed to in writing, software 16 | # distributed under the License is distributed on an "AS IS" BASIS, 17 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | # See the License for the specific language governing permissions and 19 | # limitations under the License. 20 | # dependencies 21 | 22 | # Insatall required dependencies to the UBI base image. 
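# Based on the requested mode, a different set of packages is installed.
# Modes supported: base, driver and test-extra.
set -ex
MODE=${1:-base}

echo "Install Dependency under mode: ${MODE}"

#
# Clean up function. Runs on every exit (trap below): drops the dnf caches,
# unregisters the host and removes subscription-manager so that no RHEL
# entitlement material is left behind in the image layer.
#
cleanup() {
  dnf -y clean all
  rm -rf /var/cache/{dnf,yum} || true
  subscription-manager unregister || true
  dnf -y remove \
    python3-subscription-manager-rhsm \
    subscription-manager \
    subscription-manager-rhsm-certificates \
    vim-minimal \
    || true
}
trap cleanup EXIT

#
# RHEL subscription. xtrace is switched off inside this subshell so the
# credentials are not echoed into the build log.
#
(
  set +x
  which subscription-manager || dnf -y install subscription-manager
  if [ -z "$REGISTER_USER" -o -z "$REGISTER_PASSWORD" ] ; then
    echo 'Lack of RHEL credential.'
    echo 'Assume build on RHEL machines or install packages only in UBI repositories.'
  else
    echo "Login RHEL..."
    # See https://access.redhat.com/discussions/5889431?tour=8
    sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py
    subscription-manager register --username "$REGISTER_USER" --password "$REGISTER_PASSWORD" --auto-attach
  fi
)

if [ "${MODE}" == "base" ] ; then
  # packages for base image

  # CRB enablement is best-effort: it fails on an unregistered host (see the
  # subscription block above), in which case the UBI repositories are used.
  subscription-manager repos --enable="codeready-builder-for-rhel-9-$(/bin/arch)-rpms" || true
  # update/install are standalone commands so that `set -e` aborts the build
  # when a package fails to install. Chained as `a && b && c ; rm ...`, a
  # failing `dnf install` was not the last element of the && list, so `set -e`
  # ignored it and the script still exited 0 with packages missing.
  dnf -y update
  dnf -y install \
    gcc \
    gcc-c++ \
    make \
    cmake \
    pkgconfig \
    autoconf \
    gettext-devel \
    wget \
    libtool \
    patch \
    binutils \
    bzip2 \
    perl \
    glibc-static \
    diffutils \
    kmod \
    zlib-devel \
    xz \
    apr-devel \
    apr-util-devel \
    openssl-devel \
    flex \
    bison \
    libstdc++-static \
    boost-static \
    bc \
    libasan \
    libubsan \
    llvm-toolset \
    bpftool \
    libzstd-devel \
    elfutils-libelf-devel
  dnf -y clean all ; rm -rf /var/cache/{dnf,yum}


elif [ "${MODE}" == "driver" ] ; then
  # packages for driver image

  # Same structure as the base mode (see the comments there).
  subscription-manager repos --enable="codeready-builder-for-rhel-9-$(/bin/arch)-rpms" || true
  dnf -y update
  dnf -y install \
    gcc \
    gcc-c++ \
    gcc-toolset-12-gcc \
    make \
    cmake \
    pkgconfig \
    autoconf \
    wget \
    libtool \
    patch \
    binutils \
    bzip2 \
    perl \
    glibc-static \
    diffutils \
    kmod \
    xz \
    openssl-devel \
    flex \
    bison \
    libstdc++-static \
    bc \
    libasan \
    libubsan \
    llvm-toolset \
    elfutils-libelf-devel
  dnf -y clean all ; rm -rf /var/cache/{dnf,yum}

elif [ "${MODE}" == "test-extra" ] ; then
  # additional packages for testing

  dnf -y --noplugins install python38 python38-devel python38-wheel
  ln -s /usr/bin/python3 /usr/bin/python
  mkdir -p /usr/local/lib/python3.8/site-packages

else
  echo "Unsupported mode: ${MODE}"
  exit 1
fi

exit 0
-------------------------------------------------------------------------------- /scripts/installUBIDependencyWoSubManager.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright (C) 2019 IBM Corporation.
#
# Authors:
# Frederico Araujo
# Teryl Taylor
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.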
18 | # See the License for the specific language governing permissions and
19 | # limitations under the License.
20 | # dependencies
21 | 
22 | # Install required dependencies to the UBI base image.
23 | # Based on mode, it installs different set of dependencies.
24 | # Modes supported: base and test-extra.
# Usage: installUBIDependencyWoSubManager.sh [base|test-extra]
# Variant of installUBIDependency.sh for builds without a RHEL subscription:
# packages come from the CentOS 8 and EPEL repositories registered below.
25 | set -ex
26 | MODE=${1:-base}
27 | 
28 | echo "Install Dependency under mode: ${MODE}"
29 | 
30 | #
31 | # Clean up function
32 | #
# Runs on every exit (trap below): drops the dnf metadata and package cache so
# they do not end up in the image layer.
33 | cleanup() {
34 | dnf -y clean all && rm -rf /var/cache/dnf
35 | }
36 | trap cleanup EXIT
37 | 
38 | if [ "${MODE}" == "base" ] ; then
39 | # packages for base image
# NOTE(review): the two CentOS RPMs below (the repo definitions and the GPG
# keys themselves) are fetched over plain HTTP and are not pinned by checksum.
# dnf does not signature-check packages given on the command line / by URL
# unless localpkg_gpgcheck is enabled, so their integrity is effectively
# unverified here; prefer an https source or a checksum-verified local copy.
40 | dnf -y install --disableplugin=subscription-manager \
41 | http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/centos-gpg-keys-8.2-2.2004.0.1.el8.noarch.rpm http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/centos-repos-8.2-2.2004.0.1.el8.x86_64.rpm
# EPEL is added for dkms, installed from the epel repo further down.
42 | dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# The UBI repos are disabled and PowerTools enabled so that the -static and
# -devel packages come from the CentOS 8 repositories registered above.
43 | dnf -y install \
44 | --disableplugin=subscription-manager \
45 | --disablerepo=ubi-8-appstream \
46 | --disablerepo=ubi-8-baseos \
47 | --disablerepo=ubi-8-codeready-builder \
48 | --enablerepo=PowerTools \
49 | gcc \
50 | gcc-c++ \
51 | make \
52 | cmake \
53 | pkgconfig \
54 | autoconf \
55 | gettext-devel \
56 | wget \
57 | automake \
58 | libtool \
59 | patch \
60 | binutils \
61 | bzip2 \
62 | perl \
63 | glibc-static \
64 | diffutils \
65 | kmod \
66 | xz \
67 | apr-devel \
68 | apr-util-devel \
69 | openssl-devel \
70 | flex \
71 | bison \
72 | libstdc++-static \
73 | boost-static \
74 | elfutils-libelf-devel \
75 | sparsehash-devel \
76 | snappy-devel \
77 | jsoncpp-devel \
78 | glog-devel \
79 | llvm-toolset
80 | 
# dkms (needed to build the kernel module on the target) is only in EPEL.
81 | dnf -y install \
82 | --disableexcludes=all \
83 | --disableplugin=subscription-manager \
84 | --disablerepo=ubi-8-appstream \
85 | --disablerepo=ubi-8-baseos \
86 | --disablerepo=ubi-8-codeready-builder \
87 | --enablerepo=epel \
88 | dkms
89 | 
90 | elif [ "${MODE}" ==
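"test-extra" ] ; then
  # additional packages for testing

  dnf -y --noplugins install python38 python38-devel python38-wheel
  ln -s /usr/bin/python3 /usr/bin/python
  mkdir -p /usr/local/lib/python3.8/site-packages

else
  echo "Unsupported mode: ${MODE}"
  exit 1
fi

exit 0
-------------------------------------------------------------------------------- /scripts/runFormat: --------------------------------------------------------------------------------
#!/bin/bash
# Format one source file in place with the pinned clang-format version.
# The path is quoted so that file names containing spaces are handled.
clang-format-10 -i "$1"
-------------------------------------------------------------------------------- /scripts/service/bin/sysflow: --------------------------------------------------------------------------------
#!/bin/bash
# Wrapper around systemctl for the SysFlow units: sysflow [status|start|stop].
# `start` also installs dkms (needed to build the kernel module) when the host
# does not have it.
set -e

SYSFLOW=/usr/lib/systemd/system/sysflow.service
SFPROCESSOR=/usr/lib/systemd/system/sysflow-processor.service
SFCOLLECTOR=/usr/lib/systemd/system/sysflow-collector.service
# Service configuration read by sysflow-collector.service (EnvironmentFile=).
ENVFILE=/etc/sysflow/conf/sysflow.env
DKMS=/etc/sysflow/modules/src/dkms
MAKE=make

status () {
  systemctl status "sysflow*"
}

# Enable whichever SysFlow units are installed and start the umbrella unit.
start () {
  # Warn (without aborting) when the configuration file is missing. The test
  # is negated on purpose: the message is about the file being absent, and
  # the path printed is the one that was actually checked.
  if ! test -f "$ENVFILE"; then
    echo "SysFlow service configuration file not found in $ENVFILE"
  fi
  if ! command -v dkms &> /dev/null; then
    echo "dkms not found, installing..."
    # Fall back to the make binary shipped with the package when the host
    # has none.
    if ! command -v "$MAKE" &> /dev/null; then
      echo "make not found, trying to use prepackaged make binary..."
      MAKE=/etc/sysflow/modules/bin/make
    fi
    if [ "$(grep -Ei 'debian|buntu|mint' /etc/*release)" ]; then
      "$MAKE" -C "$DKMS" install-debian
    elif [ "$(grep -Ei 'fedora|redhat|cent' /etc/*release)" ]; then
      "$MAKE" -C "$DKMS" install-redhat
    else
      echo "Cannot install dkms. Unrecognized Linux distribution."
    fi
  fi
  if test -f "$SYSFLOW"; then
    systemctl enable sysflow
  fi
  if test -f "$SFPROCESSOR"; then
    systemctl enable sysflow-processor
  fi
  if test -f "$SFCOLLECTOR"; then
    systemctl enable sysflow-collector
  fi
  systemctl start sysflow
}

# Stop the umbrella unit (the collector unit is PartOf= it) and disable all
# installed SysFlow units.
stop () {
  systemctl stop sysflow
  if test -f "$SYSFLOW"; then
    systemctl disable sysflow
  fi
  if test -f "$SFPROCESSOR"; then
    systemctl disable sysflow-processor
  fi
  if test -f "$SFCOLLECTOR"; then
    systemctl disable sysflow-collector
  fi
  systemctl daemon-reload
  systemctl reset-failed
}

systemctl daemon-reload
if [ "$1" == "status" ]; then
  status
elif [ "$1" == "start" ]; then
  echo "Starting SysFlow..."
  start
elif [ "$1" == "stop" ]; then
  echo "Stopping SysFlow..."
  stop
else
  # An unknown sub-command is a usage error and must not report success.
  echo "Usage: sysflow [status|start|stop]"
  exit 1
fi

-------------------------------------------------------------------------------- /scripts/service/conf/sysflow.env: --------------------------------------------------------------------------------
# SysFlow service configuration parameters.

# SysFlow agent ID, included in the SysFlow headers.
# This value should be unique (e.g., node ID, IP address).
# Default: $(hostname).
# NODE_ID=

# Endpoint IP address.
# Default: $(hostname -I | awk '{print $1}').
# NODE_IP=

# SysFlow pipeline configuration path.
CONFIG_PATH=/etc/sysflow/pipelines/pipeline.local.json

# SysFlow processor plugin directory.
PLUGIN_DIR=/etc/sysflow/plugins

# SysFlow domain socket for collector-processor communication.
SOCKET=/sock/sysflow.sock

# This value is used by the driver loader to determine the location of the
# ebpf probe. If just using the default location, this variable can be left
# commented out as it is already set.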
Only uncomment if setting a new path for 24 | # the ebpf probe. 25 | #FALCO_BPF_PROBE="" 26 | 27 | # Additional driver settings. 28 | #DRIVER_TYPE can be kmod (kernel module), ebpf, or ebpf-core (CO-RE ebpf) 29 | DRIVER_TYPE=ebpf 30 | DRIVERS_REPO=https://download.falco.org/driver 31 | DRIVER_NAME=falco 32 | # Uncomment DRIVER_OPTS if you don't want the driver to download a pre-compiled probe. 33 | #DRIVER_OPTS=--compile 34 | 35 | # Optimization settings. Changing these defaults can significantly increase event rates. 36 | # Drop mode removes syscalls inside the kernel before they are passed up to the collector, 37 | # resulting in much better performance and fewer spilled events, but it removes mmaps from the output. 38 | ENABLE_DROP_MODE=1 39 | # Enables the creation of process flows, aggregating thread events. 40 | ENABLE_PROC_FLOW=1 41 | # Filters out any descriptor that is not a file, including unix sockets and pipes. 42 | FILE_ONLY=1 43 | # Sets the mode for file reads: 44 | # "0" enables recording all file reads as flows. 45 | # "1" disables all file reads.
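# "2" disables recording file reads to noisy directories: "/proc/", "/dev/", "/sys/", "//sys/", "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/"
FILE_READ_MODE=1

--------------------------------------------------------------------------------
/scripts/service/driver/cleanup:
--------------------------------------------------------------------------------
#!/bin/bash
# Unloads the kernel driver (kmod only), removes eBPF build artifacts and the
# service runtime directory. Run by systemd as ExecStopPost of the collector.
set -e
# NOTE(review): find is recursive and may return several paths when more than
# one falco-* tree exists under /usr/src; the tests below then see a
# multi-line value. Confirm the packaging guarantees a single tree.
DRIVER_SRC_PATH=$(find /usr/src -name "falco-*")
# Quoted so an unset DRIVER_TYPE yields a plain false test instead of a
# "[: ==: unary operator expected" error on stderr.
[ "${DRIVER_TYPE}" == "kmod" ] && /etc/sysflow/driver/falco-driver-loader --clean
[ -f "${DRIVER_SRC_PATH}/bpf/Makefile" ] && make -C "${DRIVER_SRC_PATH}/bpf" clean
[ -d "${DRIVER_SRC_PATH}/bpf" ] && cd "${DRIVER_SRC_PATH}/bpf" && rm -rf .cache* .tmp* *.tmp *.ll *.symvers
rm -rf /run/sysflow

--------------------------------------------------------------------------------
/scripts/service/driver/start:
--------------------------------------------------------------------------------
#!/bin/bash
# Configures and installs the Falco driver via falcoctl, then launches
# sysporter. Run by systemd as ExecStart; settings come from
# /etc/sysflow/conf/sysflow.env (NODE_ID, SOCKET, DRIVER_TYPE, FILTER, ...).
set -e

if command -v hostname &> /dev/null
then
  export HOSTNAME=$(hostname)
  if command -v awk &> /dev/null
  then
    export NODE_IP=$(hostname -I | awk '{print $1}')
  fi
fi

export HOME=/run/sysflow
# An empty DRIVER_TYPE is treated as ebpf-core (modern eBPF).
if [ "${DRIVER_TYPE}" == "ebpf-core" ] || [ -z "${DRIVER_TYPE}" ]; then
  /etc/sysflow/driver/falcoctl driver config --type modern_ebpf
elif [ "${DRIVER_TYPE}" == "ebpf" ]; then
  export DRIVER_TYPE="ebpf"
  if [ -z "${FALCO_BPF_PROBE}" ]; then
    export FALCO_BPF_PROBE=""
  fi
else
  /etc/sysflow/driver/falcoctl driver config --type "${DRIVER_TYPE}"
fi
/etc/sysflow/driver/falcoctl driver install --compile=true --download=true
# "-k <type>" is expanded as a pair only when DRIVER_TYPE is non-empty; the
# previous form still passed a stray empty positional argument when it was
# empty. The -e and -u values are quoted so they always stay a single word.
/usr/bin/sysporter -e "${NODE_ID:-${HOSTNAME}}" -u "${SOCKET:-/sock/sysflow.sock}" ${DRIVER_TYPE:+-k "${DRIVER_TYPE}"} ${FILTER:+-f "$FILTER"}

--------------------------------------------------------------------------------
/scripts/service/systemd/sysflow-collector.service: 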
-------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=SysFlow cloud-native system telemetry (collector) 3 | Documentation=https://sysflow.readthedocs.io 4 | PartOf=sysflow.service 5 | After=sysflow.service 6 | 7 | [Service] 8 | Type=simple 9 | User=root 10 | EnvironmentFile=/etc/sysflow/conf/sysflow.env 11 | PassEnvironment=NODE_ID NODE_IP FALCO_BPF_PROBE DRIVER_TYPE DRIVERS_REPO DRIVER_NAME DRIVER_OPTS ENABLE_DROP_MODE ENABLE_PROC_FLOW FILE_ONLY FILE_READ_MODE FILTER 12 | ExecStart=/etc/sysflow/driver/start 13 | ExecStopPost=/etc/sysflow/driver/cleanup 14 | UMask=0077 15 | TimeoutSec=30 16 | RestartSec=15s 17 | Restart=on-failure 18 | PrivateTmp=true 19 | NoNewPrivileges=yes 20 | ProtectHome=read-only 21 | ProtectSystem=full 22 | ReadWritePaths=/usr/src 23 | ProtectKernelTunables=true 24 | RestrictAddressFamilies=~AF_PACKET 25 | KillSignal=SIGKILL 26 | 27 | [Install] 28 | WantedBy=sysflow-processor.service 29 | -------------------------------------------------------------------------------- /scripts/service/systemd/sysflow.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=SysFlow cloud-native system telemetry 3 | Documentation=https://sysflow.readthedocs.io 4 | 5 | [Service] 6 | Type=oneshot 7 | ExecStart=/bin/true 8 | RemainAfterExit=yes 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /src/libs/MurmurHash3.h: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // MurmurHash3 was written by Austin Appleby, and is placed in the public 3 | // domain. The author hereby disclaims copyright to this source code. 
4 | 5 | #ifndef _MURMURHASH3_H_ 6 | #define _MURMURHASH3_H_ 7 | 8 | //----------------------------------------------------------------------------- 9 | // Platform-specific functions and macros 10 | 11 | // Microsoft Visual Studio 12 | 13 | #if defined(_MSC_VER) && (_MSC_VER < 1600) 14 | 15 | typedef unsigned char uint8_t; 16 | typedef unsigned int uint32_t; 17 | typedef unsigned __int64 uint64_t; 18 | 19 | // Other compilers 20 | 21 | #else // defined(_MSC_VER) 22 | 23 | #include 24 | 25 | #endif // !defined(_MSC_VER) 26 | 27 | //----------------------------------------------------------------------------- 28 | 29 | void MurmurHash3_x86_32(const void *key, int len, uint32_t seed, void *out); 30 | 31 | void MurmurHash3_x86_128(const void *key, int len, uint32_t seed, void *out); 32 | 33 | void MurmurHash3_x64_128(const void *key, int len, uint32_t seed, void *out); 34 | 35 | //----------------------------------------------------------------------------- 36 | 37 | #endif // _MURMURHASH3_H_ 38 | -------------------------------------------------------------------------------- /src/libs/containercontext.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 
18 | **/ 19 | 20 | #ifndef _SF_CONT_ 21 | #define _SF_CONT_ 22 | #include 23 | 24 | #include "datatypes.h" 25 | #include "k8scontext.h" 26 | #include "sysflow.h" 27 | #include "sysflowcontext.h" 28 | #include "sysflowwriter.h" 29 | #include 30 | #define CONT_TABLE_SIZE 100 31 | #define INCOMPLETE "incomplete" 32 | #define INCOMPLETE_IMAGE "incomplete:incomplete" 33 | 34 | namespace container { 35 | class ContainerContext { 36 | private: 37 | ContainerTable m_containers; 38 | context::SysFlowContext *m_cxt; 39 | writer::SysFlowWriter *m_writer; 40 | sfk8s::K8sContext *m_k8sCxt; 41 | ContainerObj *createContainer(sinsp_threadinfo *ti); 42 | void setContainer(ContainerObj **cont, sinsp_container_info::ptr_t container); 43 | void reupPod(sinsp_threadinfo *ti, ContainerObj *cont); 44 | 45 | public: 46 | ContainerContext(context::SysFlowContext *cxt, writer::SysFlowWriter *writer, 47 | sfk8s::K8sContext *k8sCxt); 48 | virtual ~ContainerContext(); 49 | ContainerObj *getContainer(sinsp_threadinfo *ti); 50 | ContainerObj *getContainer(const std::string &id); 51 | bool exportContainer(const std::string &id); 52 | int derefContainer(const std::string &id); 53 | void clearAllContainers(); 54 | void clearContainers(); 55 | inline int getSize() { return m_containers.size(); } 56 | }; 57 | } // namespace container 58 | #endif 59 | -------------------------------------------------------------------------------- /src/libs/controlflowprocessor.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 
9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_CONT_FLOW_ 21 | #define _SF_CONT_FLOW_ 22 | #include "logger.h" 23 | #include "op_flags.h" 24 | #include "processeventprocessor.h" 25 | #include "sysflowcontext.h" 26 | #include "sysflowwriter.h" 27 | #include "utils.h" 28 | #include 29 | 30 | namespace controlflow { 31 | class ControlFlowProcessor { 32 | private: 33 | processevent::ProcessEventProcessor *m_procEvtPrcr; 34 | context::SysFlowContext *m_cxt; 35 | process::ProcessContext *m_processCxt; 36 | writer::SysFlowWriter *m_writer; 37 | ProcessFlowSet *m_pfSet; 38 | time_t m_lastCheck; 39 | DEFINE_LOGGER(); 40 | void updateProcFlow(ProcessFlowObj *pf, OpFlags flag, sinsp_evt *ev); 41 | void populateProcFlow(ProcessFlowObj *pf, OpFlags flag, sinsp_evt *ev, 42 | ProcessObj *proc); 43 | void processNewFlow(sinsp_evt *ev, ProcessObj *proc, OpFlags flag); 44 | void processFlow(sinsp_evt *ev, OpFlags flag); 45 | void removeAndWriteProcessFlow(ProcessObj *proc); 46 | 47 | public: 48 | inline int getSize() { return m_pfSet->size(); } 49 | int handleProcEvent(sinsp_evt *ev, OpFlags flag); 50 | ControlFlowProcessor(context::SysFlowContext *cxt, 51 | writer::SysFlowWriter *writer, 52 | process::ProcessContext *processCxt, 53 | dataflow::DataFlowProcessor *dfPrcr); 54 | virtual ~ControlFlowProcessor(); 55 | int checkForExpiredRecords(); 56 | void printFlowStats(); 57 | void exportProcessFlow(ProcessFlowObj *pfo); 58 | void setUID(sinsp_evt *ev); 59 | }; 60 | } // namespace controlflow 61 | 62 | #endif 63 | 
-------------------------------------------------------------------------------- /src/libs/dataflowprocessor.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_DATA_FLOW_ 21 | #define _SF_DATA_FLOW_ 22 | #include "fileeventprocessor.h" 23 | #include "fileflowprocessor.h" 24 | #include "logger.h" 25 | #include "networkflowprocessor.h" 26 | #include "op_flags.h" 27 | #include "sysflowcontext.h" 28 | #include "sysflowwriter.h" 29 | #include 30 | 31 | namespace dataflow { 32 | class DataFlowProcessor { 33 | private: 34 | networkflow::NetworkFlowProcessor *m_netflowPrcr; 35 | fileflow::FileFlowProcessor *m_fileflowPrcr; 36 | fileevent::FileEventProcessor *m_fileevtPrcr; 37 | context::SysFlowContext *m_cxt; 38 | process::ProcessContext *m_procCxt; 39 | DataFlowSet m_dfSet; 40 | time_t m_lastCheck; 41 | DEFINE_LOGGER(); 42 | 43 | public: 44 | inline int getNFSize() { return m_netflowPrcr->getSize(); } 45 | inline int getFFSize() { return m_fileflowPrcr->getSize(); } 46 | int handleDataEvent(sinsp_evt *ev, OpFlags flag); 47 | DataFlowProcessor(context::SysFlowContext *cxt, writer::SysFlowWriter *writer, 48 | process::ProcessContext *processCxt, 49 | file::FileContext *fileCxt); 50 | virtual ~DataFlowProcessor(); 51 | 
int checkForExpiredRecords(); 52 | void printFlowStats(); 53 | int removeAndWriteDFFromProc(ProcessObj *proc, int64_t tid); 54 | }; 55 | } // namespace dataflow 56 | 57 | #endif 58 | -------------------------------------------------------------------------------- /src/libs/file_types.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef __SF_FILE_TYPES_ 21 | #define __SF_FILE_TYPES_ 22 | enum FileType { 23 | SF_FILE = 'f', 24 | SF_DIR = 'd', 25 | SF_IPv4 = '4', 26 | SF_IPv6 = '6', 27 | SF_UNIX = 'u', 28 | SF_PIPE = 'p', 29 | SF_UNK = '?' 30 | }; 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /src/libs/filecontext.cpp: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 
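* You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/

#include "filecontext.h"
#include <utility>

using file::FileContext;

/**
 * @param containerCxt  container cache used to resolve the container of the
 *                      thread that touched a file.
 * @param writer        sink that receives File records.
 *
 * The empty/deleted sentinel keys are required by the sparsehash-style table
 * backing m_files before any insert or erase is performed.
 */
FileContext::FileContext(container::ContainerContext *containerCxt,
                         writer::SysFlowWriter *writer) {
  m_writer = writer;
  m_containerCxt = containerCxt;
  m_files.set_empty_key("-1");
  m_files.set_deleted_key("-2");
}

FileContext::~FileContext() { clearAllFiles(); }

/**
 * Allocates and fills a new FileObj. The caller owns the returned pointer
 * until it is stored in m_files.
 *
 * The container id is taken from the event's main thread (falling back to the
 * thread itself when get_main_thread() returns nullptr) and set to null when
 * that thread is not in a known container.
 */
FileObj *FileContext::createFile(sinsp_evt *ev, std::string path, char typechar,
                                 SFObjectState state, std::string key) {
  auto *f = new FileObj();
  f->key = std::move(key);
  f->file.state = state;
  f->file.ts = ev->get_ts();
  utils::generateFOID(f->key, &(f->file.oid));
  f->file.path = std::move(path);
  f->file.restype = typechar;
  sinsp_threadinfo *ti = ev->get_thread_info();
  // NOTE(review): ti is dereferenced without a null check here and in
  // getFile(); confirm callers never pass an event without thread info.
  sinsp_threadinfo *mt = ti->get_main_thread();
  if (mt == nullptr) {
    mt = ti;
  }
  ContainerObj *cont = m_containerCxt->getContainer(mt);
  if (cont != nullptr) {
    f->file.containerId.set_string(cont->cont.id);
  } else {
    f->file.containerId.set_null();
  }
  return f;
}

/** Overload that derives path and type char from the fd descriptor. */
FileObj *FileContext::getFile(sinsp_evt *ev, sinsp_fdinfo *fdinfo,
                              SFObjectState state, bool &created) {
  return getFile(ev, fdinfo->m_name, fdinfo->get_typechar(), state, created);
}

/**
 * Returns the cached FileObj for `path` in the event's container, creating
 * and inserting one when absent.
 *
 * The key is "<container id><path>". An existing entry that has already been
 * written in the current period is returned untouched; otherwise the entry is
 * written to m_writer (state REUP for an existing entry, `state` for a new
 * one) and marked written.
 *
 * @param created  set to true when a new entry was allocated, false otherwise.
 */
FileObj *FileContext::getFile(sinsp_evt *ev, const std::string &path,
                              char typechar, SFObjectState state,
                              bool &created) {
  sinsp_threadinfo *ti = ev->get_thread_info();
  created = true;
  std::string key;
  key.reserve(ti->m_container_id.length() + path.length());
  key += ti->m_container_id;
  key += path;
  FileTable::iterator f = m_files.find(key);
  FileObj *file = nullptr;
  if (f != m_files.end()) {
    created = false;
    if (f->second->written) {
      return f->second;
    }
    file = f->second;
    file->file.state = SFObjectState::REUP;
  }
  if (file == nullptr) {
    file = createFile(ev, path, typechar, state, key);
  }
  m_files[key] = file;
  m_writer->writeFile(&(file->file));
  file->written = true;
  return file;
}

/**
 * Looks up a file by its full key. If the entry has not been written in the
 * current period it is written with state REUP first.
 *
 * @return the cached FileObj, or nullptr when the key is unknown.
 */
FileObj *FileContext::getFile(const std::string &key) {
  FileTable::iterator f = m_files.find(key);
  if (f == m_files.end()) {
    return nullptr;
  }
  FileObj *file = f->second;
  if (!file->written) {
    file->file.state = SFObjectState::REUP;
    m_writer->writeFile(&(file->file));
    file->written = true;
  }
  return file;
}

/**
 * Same contract as getFile(const std::string &). Delegates to it so the two
 * entry points cannot drift apart (they used to be verbatim copies).
 */
FileObj *FileContext::exportFile(const std::string &key) {
  return getFile(key);
}

/**
 * End-of-period sweep: deletes entries that are no longer referenced
 * (refs == 0) and clears the `written` flag on the rest so they are
 * re-exported on next use.
 *
 * NOTE(review): erasing while iterating is only safe because the table
 * appears to be a sparsehash dense_hash_map (set_empty_key/set_deleted_key),
 * whose erase() does not invalidate other iterators; confirm FileTable's type
 * before swapping the container.
 */
void FileContext::clearFiles() {
  for (FileTable::iterator it = m_files.begin(); it != m_files.end(); ++it) {
    if (it->second->refs == 0) {
      FileObj *file = it->second;
      m_files.erase(it);
      delete file;
    } else {
      it->second->written = false;
    }
  }
}

/** Releases every cached FileObj; used by the destructor. */
void FileContext::clearAllFiles() {
  for (FileTable::iterator it = m_files.begin(); it != m_files.end(); ++it) {
    delete it->second;
  }
}

--------------------------------------------------------------------------------
/src/libs/filecontext.h: 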
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#ifndef _SF_FILE_
#define _SF_FILE_
#include "containercontext.h"
#include "datatypes.h"
#include "sysflow.h"
#include "sysflowwriter.h"

using sysflow::SFObjectState;

namespace file {
// Cache of FileObj records keyed by "<container id><path>" (see
// FileContext::getFile in filecontext.cpp). A record is written to the
// SysFlowWriter the first time it is looked up and then not again until
// clearFiles() resets its `written` flag.
class FileContext {
private:
  writer::SysFlowWriter *m_writer;
  FileTable m_files;
  container::ContainerContext *m_containerCxt;
  // Deletes every FileObj in m_files; called from the destructor.
  void clearAllFiles();

public:
  FileContext(container::ContainerContext *containerCxt,
              writer::SysFlowWriter *writer);
  virtual ~FileContext();
  // Convenience overload: uses fdinfo->m_name and fdinfo->get_typechar().
  FileObj *getFile(sinsp_evt *ev, sinsp_fdinfo *fdinfo, SFObjectState state,
                   bool &created);
  // Looks up (or creates) the file for `path` in the event's container.
  // `created` is set to false when an entry already existed. The record is
  // written to m_writer (state REUP if it already existed) unless it was
  // already written in the current period.
  FileObj *getFile(sinsp_evt *ev, const std::string &path, char typechar,
                   SFObjectState state, bool &created);
  // Looks up by full key; writes the record with state REUP if it has not
  // been written yet. Returns nullptr when the key is unknown.
  FileObj *getFile(const std::string &key);
  // Allocates a new FileObj (caller owns it until inserted into m_files);
  // fills key, oid, path, restype, ts and the container id of the event's
  // main thread.
  FileObj *createFile(sinsp_evt *ev, std::string path, char typechar,
                      SFObjectState state, std::string key);
  // Behaves exactly like getFile(const std::string &).
  FileObj *exportFile(const std::string &key);
  // End-of-period sweep: deletes entries with refs == 0 and clears the
  // `written` flag on the rest.
  void clearFiles();
  inline int getSize() { return m_files.size(); }
};
} // namespace file

#endif
-------------------------------------------------------------------------------- /src/libs/fileeventprocessor.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_FILE_EVT 21 | #define _SF_FILE_EVT 22 | #include "file_types.h" 23 | #include "filecontext.h" 24 | #include "logger.h" 25 | #include "processcontext.h" 26 | #include "syscall_defs.h" 27 | #include "sysflow.h" 28 | #include "sysflowwriter.h" 29 | #include "utils.h" 30 | #include 31 | 32 | namespace fileevent { 33 | class FileEventProcessor { 34 | private: 35 | process::ProcessContext *m_processCxt; 36 | writer::SysFlowWriter *m_writer; 37 | file::FileContext *m_fileCxt; 38 | FileEvent m_fileEvt; 39 | int writeFileEvent(sinsp_evt *ev, OpFlags flag); 40 | int writeLinkEvent(sinsp_evt *ev, OpFlags flag); 41 | DEFINE_LOGGER(); 42 | 43 | public: 44 | FileEventProcessor(writer::SysFlowWriter *writer, 45 | process::ProcessContext *procCxt, 46 | file::FileContext *fileCxt); 47 | virtual ~FileEventProcessor(); 48 | int handleFileFlowEvent(sinsp_evt *ev, OpFlags flag); 49 | }; 50 | } // namespace fileevent 51 | #endif 52 | -------------------------------------------------------------------------------- /src/libs/fileflowprocessor.h: 
-------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_FILE_FLOW_ 21 | #define _SF_FILE_FLOW_ 22 | #include "datatypes.h" 23 | #include "file_types.h" 24 | #include "filecontext.h" 25 | #include "logger.h" 26 | #include "op_flags.h" 27 | #include "processcontext.h" 28 | #include "readonly.h" 29 | #include "sysflow.h" 30 | #include "sysflowcontext.h" 31 | #include "sysflowwriter.h" 32 | #include 33 | #include 34 | 35 | namespace fileflow { 36 | class FileFlowProcessor { 37 | private: 38 | context::SysFlowContext *m_cxt; 39 | process::ProcessContext *m_processCxt; 40 | writer::SysFlowWriter *m_writer; 41 | DataFlowSet *m_dfSet; 42 | file::FileContext *m_fileCxt; 43 | void populateFileFlow(FileFlowObj *ff, OpFlags flag, sinsp_evt *ev, 44 | ProcessObj *proc, FileObj *file, std::string flowkey, 45 | sinsp_fdinfo *fdinfo, int64_t fd); 46 | void updateFileFlow(FileFlowObj *ff, OpFlags flag, sinsp_evt *ev, 47 | sinsp_fdinfo *fdinfo); 48 | void processExistingFlow(sinsp_evt *ev, ProcessObj *proc, FileObj *file, 49 | OpFlags flag, std::string flowkey, FileFlowObj *ff, 50 | sinsp_fdinfo *fdinfo); 51 | void processNewFlow(sinsp_evt *ev, ProcessObj *proc, FileObj *file, 52 | OpFlags flag, const std::string &flowkey, 53 | 
sinsp_fdinfo *fdinfo, int64_t fd); 54 | void removeAndWriteFileFlow(ProcessObj *proc, FileObj *file, FileFlowObj **nf, 55 | std::string flowkey); 56 | void removeFileFlow(ProcessObj *proc, FileObj *file, FileFlowObj **ff, 57 | const std::string &flowkey); 58 | int removeFileFlowFromSet(FileFlowObj **ffo, bool deleteFileFlow); 59 | void removeAndWriteRelatedFlows(ProcessObj *proc, FileFlowObj *ffo, 60 | uint64_t endTs); 61 | int createConsumerRecord(sinsp_evt *ev, ProcessObj *proc, FileObj *file, 62 | OpFlags flag, sinsp_fdinfo *fdinfo, int64_t fd); 63 | DEFINE_LOGGER(); 64 | 65 | public: 66 | FileFlowProcessor(context::SysFlowContext *cxt, writer::SysFlowWriter *writer, 67 | process::ProcessContext *procCxt, DataFlowSet *dfSet, 68 | file::FileContext *fileCxt); 69 | virtual ~FileFlowProcessor(); 70 | int handleFileFlowEvent(sinsp_evt *ev, OpFlags flag); 71 | inline int getSize() { return m_processCxt->getNumFileFlows(); } 72 | int removeAndWriteFFFromProc(ProcessObj *proc, int64_t tid); 73 | void removeFileFlow(DataFlowObj *dfo); 74 | void exportFileFlow(DataFlowObj *dfo, time_t now); 75 | }; 76 | } // namespace fileflow 77 | #endif 78 | -------------------------------------------------------------------------------- /src/libs/k8scontext.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_K8S_ 21 | #define _SF_K8S_ 22 | #include 23 | 24 | #include "json/json.h" 25 | 26 | #include "datatypes.h" 27 | #include "logger.h" 28 | #include "sysflow.h" 29 | #include "sysflowcontext.h" 30 | #include "sysflowwriter.h" 31 | #include 32 | 33 | #define K8S_TABLE_SIZE 100 34 | 35 | namespace sfk8s { 36 | class K8sContext { 37 | private: 38 | PodTable m_pods; 39 | context::SysFlowContext *m_cxt; 40 | writer::SysFlowWriter *m_writer; 41 | /* std::shared_ptr createPod(const k8s_pod_t *p, 42 | const k8s_state_t &k8sState); 43 | */ 44 | public: 45 | K8sContext(context::SysFlowContext *cxt, writer::SysFlowWriter *writer); 46 | virtual ~K8sContext(); 47 | std::shared_ptr getPod(sinsp_threadinfo *ti); 48 | std::shared_ptr getPod(const std::string &id); 49 | bool exportPod(const std::string &id); 50 | int derefPod(const std::string &id); 51 | void clearAllPods(); 52 | void clearPods(); 53 | inline int getSize() { return m_pods.size(); } 54 | void updateCompState(sysflow::K8sAction action, sysflow::K8sComponent comp, 55 | const Json::Value &root); 56 | 57 | private: 58 | void updateAndWritePodState(std::string &uid); 59 | DEFINE_LOGGER(); 60 | }; 61 | } // namespace sfk8s 62 | #endif 63 | -------------------------------------------------------------------------------- /src/libs/k8seventprocessor.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 
9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_K8S_EVT 21 | #define _SF_K8S_EVT 22 | #include "k8scontext.h" 23 | #include "logger.h" 24 | #include "syscall_defs.h" 25 | #include "sysflow.h" 26 | #include "sysflowwriter.h" 27 | #include "utils.h" 28 | #include "json/json.h" 29 | #include 30 | 31 | namespace k8sevent { 32 | class K8sEventProcessor { 33 | private: 34 | sfk8s::K8sContext *m_k8sCxt; 35 | writer::SysFlowWriter *m_writer; 36 | sysflow::K8sEvent m_k8sEvt; 37 | DEFINE_LOGGER(); 38 | 39 | public: 40 | K8sEventProcessor(writer::SysFlowWriter *writer, sfk8s::K8sContext *k8sCxt); 41 | virtual ~K8sEventProcessor(); 42 | int handleK8sEvent(sinsp_evt *ev); 43 | 44 | private: 45 | sysflow::K8sComponent getK8sComponent(Json::Value &root); 46 | sysflow::K8sAction getAction(Json::Value &root); 47 | }; 48 | } // namespace k8sevent 49 | #endif 50 | -------------------------------------------------------------------------------- /src/libs/libsysflow-musl.mri: -------------------------------------------------------------------------------- 1 | create libsysflow_with_deps.a 2 | addlib /usr/local/sysflow/lib/libsysflow.a 3 | addlib /usr/local/sysflow/modules/lib/falcosecurity/libs.a 4 | addlib /usr/local/sysflow/modules/lib/libavrocpp_s.a 5 | addlib /usr/local/sysflow/modules/lib/libxxhash.a 6 | addlib /usr/lib/libboost_iostreams.a 7 | addlib /usr/local/lib/libsnappy.a 8 | addlib /usr/local/lib/libglog.a 9 | save 10 | end 11 | -------------------------------------------------------------------------------- /src/libs/libsysflow.mri: 
-------------------------------------------------------------------------------- 1 | create libsysflow_with_deps.a 2 | addlib /usr/local/sysflow/lib/libsysflow.a 3 | addlib /usr/local/sysflow/modules/lib/falcosecurity/libs.a 4 | addlib /usr/local/sysflow/modules/lib/libavrocpp_s.a 5 | addlib /usr/local/sysflow/modules/lib/libxxhash.a 6 | addlib /usr/lib64/libboost_iostreams.a 7 | addlib /usr/local/lib64/libsnappy.a 8 | addlib /usr/local/lib64/libglog.a 9 | save 10 | end 11 | -------------------------------------------------------------------------------- /src/libs/logger.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 
18 | **/ 19 | 20 | #ifndef __SF_LOGGER 21 | #define __SF_LOGGER 22 | #include 23 | 24 | #include 25 | 26 | #define CREATE_LOGGER(ClassName, logger) 27 | #define CREATE_LOGGER_2(logger) 28 | #define CREATE_MAIN_LOGGER() 29 | #define DEFINE_LOGGER() 30 | #define m_logger 31 | 32 | #define CONFIGURE_LOGGER(logConfig) \ 33 | if (!google::IsGoogleLoggingInitialized()) { \ 34 | google::InitGoogleLogging(logConfig); \ 35 | } 36 | 37 | #define SHUTDOWN_LOGGER() google::ShutdownGoogleLogging(); 38 | #define CATCH_LOGGER_EXCEPTION() 39 | 40 | #define SF_TRACE(logger, message) VLOG(2) << message; 41 | #define SF_DEBUG(logger, message) VLOG(1) << message; 42 | #define SF_INFO(logger, message) LOG(INFO) << message; 43 | #define SF_WARN(logger, message) LOG(WARNING) << message; 44 | #define SF_ERROR(logger, message) LOG(ERROR) << message; 45 | 46 | #endif 47 | -------------------------------------------------------------------------------- /src/libs/modutils.cpp: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 
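**/
#include "modutils.h"

#include "logger.h"
#include "sysflowexception.h"
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#define FALCO_STR "falco "
#define FALCO_STATE "Live"

CREATE_LOGGER_2("sysflow.modutils");

/**
 * Resolves the probe path with realpath(3) and maps the failure reasons
 * EACCES, EIO, ENOENT and ENOTDIR to a SysFlowException.
 *
 * Any other errno (e.g. ELOOP, ENAMETOOLONG) is not reported and the function
 * returns normally, as before. The check is advisory only: the path can still
 * change between this call and the moment the probe is actually loaded.
 *
 * @param path  probe path to check; not modified.
 * @throws sfexception::SysFlowException with ProbeAccessDenied,
 *         ErrorReadingFileSystem, ProbeNotExist or ProbeCheckError.
 */
void modutils::checkProbeExistsPermits(std::string &path) {
  char *abspath = realpath(path.c_str(), nullptr);
  if (abspath != nullptr) {
    free(abspath);
    return;
  }
  switch (errno) {
  case EACCES:
    throw sfexception::SysFlowException(
        std::string("A portion of probe path '") + path +
            std::string("' is permission denied."),
        sfexception::ProbeAccessDenied);
  case EIO:
    throw sfexception::SysFlowException(
        std::string("Error reading probe file system path '") + path +
            std::string("'."),
        sfexception::ErrorReadingFileSystem);
  case ENOENT:
    throw sfexception::SysFlowException(
        std::string("Probe does not appear to exist '") + path +
            std::string("'."),
        sfexception::ProbeNotExist);
  case ENOTDIR:
    throw sfexception::SysFlowException(
        std::string("A component of the probe prefix is not a directory'") +
            path + std::string("'."),
        sfexception::ProbeCheckError);
  default:
    // Other failures are deliberately not reported (unchanged behaviour).
    break;
  }
}

/**
 * Scans /proc/modules for a line that starts with FALCO_STR and logs whether
 * its state field contains FALCO_STATE ("Live").
 *
 * If /proc/modules cannot be opened the check is skipped with a warning (it
 * used to return silently). The getline(3) buffer is released on every path,
 * including the throwing one, which previously leaked it.
 *
 * @throws sfexception::SysFlowException(ProbeNotLoaded) when /proc/modules
 *         was readable but no falco module line was found.
 */
void modutils::checkForFalcoKernMod() {
  FILE *fd = fopen("/proc/modules", "r");
  if (fd == NULL) {
    SF_WARN(m_logger, "Unable to open /proc/modules: " << strerror(errno))
    return;
  }
  char *line = NULL;
  size_t len = 0; // must be 0 while line is NULL so getline allocates
  bool found = false;
  while (getline(&line, &len, fd) != -1) {
    // strstr() returning the line start means the line begins with "falco ".
    if (strstr(line, FALCO_STR) == line) {
      SF_INFO(m_logger, "Found Kernel Module: " << line)
      if (strstr(line, FALCO_STATE) == NULL) {
        SF_WARN(m_logger, "Falco module is not live.")
      }
      found = true;
      break;
    }
  }
  fclose(fd);
  free(line); // free(NULL) is a no-op; released before any throw below
  if (!found) {
    throw sfexception::SysFlowException(std::string("Kernel module ") +
                                            std::string(FALCO_STR) +
                                            std::string("is not loaded."),
                                        sfexception::ProbeNotLoaded);
  }
}

--------------------------------------------------------------------------------
/src/libs/modutils.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2022 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#ifndef _SF_MOD_UTILS_
#define _SF_MOD_UTILS_
#include <string>

namespace modutils {
// Throws sfexception::SysFlowException when `path` cannot be resolved with
// realpath(3) due to EACCES, EIO, ENOENT or ENOTDIR; other errors pass.
void checkProbeExistsPermits(std::string &path);
// Throws sfexception::SysFlowException(ProbeNotLoaded) when /proc/modules is
// readable but contains no "falco " entry.
void checkForFalcoKernMod();
} // namespace modutils
#endif
--------------------------------------------------------------------------------
/src/libs/networkflowprocessor.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.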
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#ifndef _SF_NET_FLOW_
#define _SF_NET_FLOW_
#include "datatypes.h"
#include "logger.h"
#include "op_flags.h"
#include "processcontext.h"
#include "sysflow.h"
#include "sysflowcontext.h"
#include "sysflowwriter.h"
#include
#include

namespace networkflow {
// Turns sinsp network syscall events into SysFlow network-flow records.
// Flows are kept per process (ProcessContext) and in a shared DataFlowSet;
// the method bodies live in networkflowprocessor.cpp (not shown here), so
// the per-method notes below describe only what the signatures establish.
class NetworkFlowProcessor {
private:
  context::SysFlowContext *m_cxt;
  process::ProcessContext *m_processCxt;
  writer::SysFlowWriter *m_writer;
  DataFlowSet *m_dfSet;
  DEFINE_LOGGER();
  // Two ways to derive the flow key: from the raw fd info of an event, or
  // from an existing NetFlowObj.
  void canonicalizeKey(sinsp_fdinfo *fdinfo, NFKey *key, uint64_t tid,
                       uint64_t fd);
  void canonicalizeKey(NetFlowObj *nf, NFKey *key);
  void populateNetFlow(NetFlowObj *nf, OpFlags flag, sinsp_evt *ev,
                       ProcessObj *proc);
  void updateNetFlow(NetFlowObj *nf, OpFlags flag, sinsp_evt *ev);
  // Dispatch targets for handleNetFlowEvent depending on whether a flow with
  // the same key is already tracked.
  void processExistingFlow(sinsp_evt *ev, ProcessObj *proc, OpFlags flag,
                           NFKey key, NetFlowObj *nf);
  void processNewFlow(sinsp_evt *ev, ProcessObj *proc, OpFlags flag, NFKey key);
  // "Write" variants emit the record before dropping it; plain remove does not.
  void removeAndWriteNetworkFlow(ProcessObj *proc, NetFlowObj **nf, NFKey *key);
  void removeNetworkFlow(ProcessObj *proc, NetFlowObj **nf, NFKey *key);
  int32_t getProtocol(scap_l4_proto proto);
  int removeNetworkFlowFromSet(NetFlowObj **nfo, bool deleteNetFlow);
  void removeAndWriteRelatedFlows(ProcessObj *proc, NFKey *key, uint64_t endTs);

public:
  NetworkFlowProcessor(context::SysFlowContext *cxt,
                       writer::SysFlowWriter *writer,
                       process::ProcessContext *procCxt, DataFlowSet *dfSet);
  virtual ~NetworkFlowProcessor();
  int handleNetFlowEvent(sinsp_evt *ev, OpFlags flag);
  // Total tracked network flows, summed over all processes in the context.
  inline int getSize() { return m_processCxt->getNumNetworkFlows(); }
  int removeAndWriteNFFromProc(ProcessObj *proc, int64_t tid);
  void removeNetworkFlow(DataFlowObj *dfo);
  void exportNetworkFlow(DataFlowObj *dfo, time_t now);
};
} // namespace networkflow
#endif

--------------------------------------------------------------------------------
/src/libs/op_flags.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
**/

#ifndef __SF_OP_FLAGS
#define __SF_OP_FLAGS

// Operation flags recorded on SysFlow records. Each value is a distinct bit so
// several operations can be OR-ed into one opFlags word and tested with
// `(opFlags & OP_X) == OP_X` (see readonly.h). Do not renumber: the bit
// positions are part of the on-disk/on-wire SysFlow format.
enum OpFlags {
  OP_CLONE = (1 << 0),
  OP_EXEC = (1 << 1),
  OP_EXIT = (1 << 2),
  OP_SETUID = (1 << 3),
  OP_SETNS = (1 << 4),
  OP_ACCEPT = (1 << 5),
  OP_CONNECT = (1 << 6),
  OP_OPEN = (1 << 7),
  OP_READ_RECV = (1 << 8),
  OP_WRITE_SEND = (1 << 9),
  OP_CLOSE = (1 << 10),
  OP_TRUNCATE = (1 << 11),
  OP_SHUTDOWN = (1 << 12),
  OP_MMAP = (1 << 13),
  OP_DIGEST = (1 << 14),
  OP_MKDIR = (1 << 15),
  OP_RMDIR = (1 << 16),
  OP_LINK = (1 << 17),
  OP_UNLINK = (1 << 18),
  OP_SYMLINK = (1 << 19),
  OP_RENAME = (1 << 20)
};

// True for the six directory/link operations (mkdir, rmdir, link, unlink,
// symlink, rename). Compares for equality, so FLAG must be a single flag,
// not an OR-ed combination.
#define IS_FILE_EVT(FLAG) \
  ((FLAG) == OP_MKDIR || (FLAG) == OP_RMDIR || (FLAG) == OP_LINK || \
   (FLAG) == OP_UNLINK || (FLAG) == OP_SYMLINK || (FLAG) == OP_RENAME)

#endif

--------------------------------------------------------------------------------
/src/libs/processcontext.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
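**/

#ifndef _SF_PROC_
#define _SF_PROC_
#include "containercontext.h"
#include "datatypes.h"
#include "filecontext.h"
#include "logger.h"
#include "op_flags.h"
#include "sysflow.h"
#include "sysflowcontext.h"
#include "utils.h"
#include

#define PROC_TABLE_SIZE 50000
// Seconds an exported process stays cached before checkForDeletion() evicts
// it; also the minimum spacing between two eviction sweeps.
#define PROC_DEL_EXPIRED 1.0
namespace process {
// Cache of live processes (ProcessTable) plus the queue of processes that
// were exported and are waiting to be evicted. Method bodies are in
// processcontext.cpp (not shown); only the inline members are documented in
// detail here.
class ProcessContext {
private:
  context::SysFlowContext *m_cxt;
  writer::SysFlowWriter *m_writer;
  container::ContainerContext *m_containerCxt;
  ProcessTable m_procs;
  file::FileContext *m_fileCxt;
  OIDQueue m_delProcQue;
  ProcessFlowSet m_pfSet;
  // Time of the last eviction sweep (see checkForDeletion()).
  time_t m_delProcTime;
  DEFINE_LOGGER();
  void writeProcessAndAncestors(ProcessObj *proc);
  void reupContainer(sinsp_threadinfo *ti, ProcessObj *proc);

public:
  ProcessContext(context::SysFlowContext *cxt,
                 container::ContainerContext *ccxt, file::FileContext *fileCxt,
                 writer::SysFlowWriter *writer);
  virtual ~ProcessContext();
  void updateProcess(Process *proc, sinsp_evt *ev, SFObjectState state);
  ProcessObj *createProcess(sinsp_threadinfo *ti, sinsp_evt *ev,
                            SFObjectState state);
  ProcessObj *getProcess(sinsp_evt *ev, SFObjectState state, bool &created);
  ProcessObj *getProcess(OID *oid);
  ProcessObj *getProcess(int64_t pid);
  void printAncestors(Process *proc);
  bool isAncestor(OID *oid, Process *proc);
  void clearProcesses();
  void clearAllProcesses();
  void deleteProcess(ProcessObj **proc);
  void markForDeletion(ProcessObj **proc);
  ProcessObj *exportProcess(OID *oid);
  void printNetworkFlow(ProcessObj *proc);
  void printStats();
  int removeProcessFromSet(ProcessObj *proc, bool checkForErr);
  // Number of cached processes.
  inline int getSize() { return m_procs.size(); }
  // Sum of per-process network flow counts over the whole table.
  inline int getNumNetworkFlows() {
    int total = 0;
    for (auto &entry : m_procs) {
      total += entry.second->netflows.size();
    }
    return total;
  }
  // Sum of per-process file flow counts over the whole table.
  inline int getNumFileFlows() {
    int total = 0;
    for (auto &entry : m_procs) {
      total += entry.second->fileflows.size();
    }
    return total;
  }

  /**
   * Evicts exported processes whose exportTime is at least PROC_DEL_EXPIRED
   * seconds old. Runs at most once per PROC_DEL_EXPIRED seconds; the deletion
   * queue is consumed from the front and the sweep stops at the first entry
   * that has not expired yet.
   */
  inline void checkForDeletion() {
    time_t curTime = utils::getCurrentTime(m_cxt);
    if (difftime(curTime, m_delProcTime) <= PROC_DEL_EXPIRED) {
      return;
    }
    SF_DEBUG(m_logger, "Checking process queue for deletion. Queue Size: "
                           << m_delProcQue.size())
    // erase() already returns the iterator to the next entry. The previous
    // for-loop incremented it once more after each erase, which skipped every
    // other expired entry (leaving it cached until a later sweep) and
    // incremented end() when the last entry was erased.
    auto it = m_delProcQue.begin();
    while (it != m_delProcQue.end()) {
      if (difftime(curTime, (*it)->exportTime) < PROC_DEL_EXPIRED) {
        break;
      }
      SF_DEBUG(m_logger, "Proc expired: " << (*it)->oid.hpid)
      ProcessObj *p = getProcess(&((*it)->oid));
      if (p != nullptr) {
        SF_DEBUG(m_logger, "Deleting process: " << p->proc.oid.hpid)
        deleteProcess(&p);
      } else {
        SF_DEBUG(m_logger,
                 "Unable to find process in cache: " << (*it)->oid.hpid)
      }
      delete (*it);
      it = m_delProcQue.erase(it);
    }
    m_delProcTime = utils::getCurrentTime(m_cxt);
  }
  ProcessFlowSet *getPFSet();
};
} // namespace process
#endif

--------------------------------------------------------------------------------
/src/libs/processeventprocessor.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.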
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#ifndef _SF_PROC_EVT_
#define _SF_PROC_EVT_
#include "dataflowprocessor.h"
#include "logger.h"
#include "processcontext.h"
#include "sysflow.h"
#include "sysflowwriter.h"
#include "utils.h"
#include
#include
// Name of the event parameter read for uid changes (presumably the sinsp
// parameter name; confirm against processeventprocessor.cpp).
#define SF_UID "uid"

namespace processevent {
// Emits SysFlow process events (clone, exit, exec, setuid) through the
// writer, keeping the process cache and data-flow processor in step.
// Bodies live in processeventprocessor.cpp (not shown).
class ProcessEventProcessor {
public:
  ProcessEventProcessor(writer::SysFlowWriter *writer,
                        process::ProcessContext *pc,
                        dataflow::DataFlowProcessor *dfPrcr);
  virtual ~ProcessEventProcessor();
  void writeCloneEvent(sinsp_evt *ev);
  void writeExitEvent(sinsp_evt *ev);
  void writeExecEvent(sinsp_evt *ev);
  void writeSetUIDEvent(sinsp_evt *ev);
  void setUID(sinsp_evt *ev);

private:
  writer::SysFlowWriter *m_writer;
  process::ProcessContext *m_processCxt;
  dataflow::DataFlowProcessor *m_dfPrcr;
  // Reused record buffer for the events written above.
  sysflow::ProcessEvent m_procEvt;
  std::string m_uid;
  DEFINE_LOGGER();
};
} // namespace processevent
#endif

--------------------------------------------------------------------------------
/src/libs/readonly.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
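 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#ifndef READ_ONLY_
#define READ_ONLY_
// Read-mode values consulted by SHOULD_WRITE (via m_cxt->getFileRead()).
#define FILE_READS_ENABLED 0
#define FILE_READS_DISABLED 1
#define FILE_READS_SELECT 2
#include "op_flags.h"
#define NUM_PREFIXES 8

// Path prefixes whose read-only file flows are suppressed in
// FILE_READS_SELECT mode. Matching is a literal byte compare on the flow key
// with no path normalization, which is why "/sys/" and "//sys/" are both
// listed; other spellings of the same directory are not covered.
static std::string s_paths[NUM_PREFIXES] = {
    "/proc/", "/dev/", "/sys/", "//sys/",
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/"};

/**
 * Returns true when `path` begins with `match` (byte-wise). An empty `match`
 * matches every path, as before.
 *
 * Both parameters are now taken by const reference: the by-value signature
 * copied two strings per call, and SHOULD_WRITE calls this up to NUM_PREFIXES
 * times per file flow. Call sites are unaffected.
 */
inline bool prefix_match(const std::string &path, const std::string &match) {
  return path.size() >= match.size() &&
         path.compare(0, match.size(), match) == 0;
}

// Writes the file flow unless it is read-only and the configured read mode
// suppresses it: FILE_READS_DISABLED drops every read-only flow,
// FILE_READS_SELECT drops only those whose key starts with one of s_paths.
// A flow is read-only when it was opened with PPM_O_RDONLY, or when it saw
// reads but neither writes nor mmaps. The expansion declares `readMode` and
// `match` in the caller's scope, so it can appear at most once per block.
#define SHOULD_WRITE(ff, proc, file) \
  int readMode = m_cxt->getFileRead(); \
  bool match = false; \
  if ((readMode == FILE_READS_DISABLED || readMode == FILE_READS_SELECT) && \
      ((ff->fileflow.openFlags & PPM_O_RDONLY) == PPM_O_RDONLY || \
       ((ff->fileflow.opFlags & OP_READ_RECV) == OP_READ_RECV && \
        (ff->fileflow.opFlags & OP_WRITE_SEND) != OP_WRITE_SEND && \
        (ff->fileflow.opFlags & OP_MMAP) != OP_MMAP))) { \
    if (readMode != FILE_READS_DISABLED) { \
      for (int i = 0; i < NUM_PREFIXES; i++) { \
        if (prefix_match(ff->flowkey, s_paths[i])) { \
          match = true; \
          break; \
        } \
      } \
    } else { \
      match = true; \
    } \
  } \
  if (!match) { \
    m_writer->writeFileFlow(&(ff->fileflow), proc, file); \
  }
#endif
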
--------------------------------------------------------------------------------
/src/libs/sfcallbackwriter.cpp:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#include "sfcallbackwriter.h"
#include "sysflowprocessor.h"

using writer::SFCallbackWriter;

// Writer that hands each record to a user callback instead of serializing it.
// `callback` is stored as given; the processor pointer is used by write() to
// look up the container of the record's process.
SFCallbackWriter::SFCallbackWriter(context::SysFlowContext *cxt, time_t start,
                                   SysFlowCallback callback,
                                   sysflowprocessor::SysFlowProcessor *proc)
    : writer::SysFlowWriter(cxt, start), m_sysflowProc(proc),
      m_callback(callback) {}

SFCallbackWriter::~SFCallbackWriter() = default;

// Emits the header record through the callback; always succeeds.
int SFCallbackWriter::initialize() {
  writeHeader();
  return 0;
}

// Re-emits the header only. `curTime` is unused and, unlike
// SFFileWriter::reset / SFSocketWriter::reset, m_numRecs and m_start are left
// untouched; needsReset() returns false for this writer, so whether this is
// ever invoked depends on the base class (not shown).
void SFCallbackWriter::reset(time_t curTime) { writeHeader(); }

--------------------------------------------------------------------------------
/src/libs/sfcallbackwriter.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2022 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#ifndef __SF_CALLBACK_WRITER_
#define __SF_CALLBACK_WRITER_
#include "sysflow.h"
#include "sysflow/enums.hh"
#include "sysflowcontext.h"
#include "sysflowprocessor.h"
#include "sysflowwriter.h"

using sysflow::SysFlow;

namespace writer {
// Writer that delivers records to an in-process callback (library/embedding
// use) instead of serializing them to a file or socket.
class SFCallbackWriter : public writer::SysFlowWriter {
private:
  sysflowprocessor::SysFlowProcessor *m_sysflowProc;
  SysFlowCallback m_callback;
  // Last header seen; passed along with every subsequent record.
  sysflow::SFHeader m_header;

public:
  SFCallbackWriter(context::SysFlowContext *cxt, time_t start,
                   SysFlowCallback callback,
                   sysflowprocessor::SysFlowProcessor *proc);
  virtual ~SFCallbackWriter();
  // Records without process context are dropped: this overload does nothing.
  inline void write(SysFlow *flow) {}
  // Headers are retained; container/file/process object records are
  // swallowed (the callback receives their data attached to later records);
  // everything else is forwarded with the resolved container, if any.
  inline void write(SysFlow *flow, Process *proc, File *file1 = nullptr,
                    File *file2 = nullptr) {
    switch (flow->rec.idx()) {
    case SF_HEADER: {
      m_header = flow->rec.get_SFHeader();
      break;
    }
    case SF_CONT:
    case SF_FILE_OBJ:
    case SF_PROC: {
      break;
    }
    default: {
      sysflow::Container *cont = nullptr;
      if (proc != nullptr && !proc->containerId.is_null()) {
        cont = m_sysflowProc->getContainer(proc->containerId.get_string());
      }
      // NOTE(review): m_callback is invoked without a null check; a null
      // callback passed to the constructor would crash here — confirm callers
      // always supply one.
      m_callback(&m_header, cont, proc, file1, file2, flow);
      break;
    }
    }
  }
  int initialize();
  void reset(time_t curTime);
  // Never asks the owner for a reset; there is no output to rotate.
  bool needsReset() { return false; }
};
} // namespace writer
#endif

--------------------------------------------------------------------------------
/src/libs/sffilewriter.cpp:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#include "sffilewriter.h"

using writer::SFFileWriter;

// Avro file writer. The schema is loaded once at construction; the data file
// itself is only opened by initialize().
SFFileWriter::SFFileWriter(context::SysFlowContext *cxt, time_t start)
    : writer::SysFlowWriter(cxt, start), m_sysfSchema(utils::loadSchema()),
      m_dfw(nullptr) {}

// Flushes and releases the open data file, if any.
SFFileWriter::~SFFileWriter() {
  if (m_dfw == nullptr) {
    return;
  }
  m_dfw->close();
  delete m_dfw;
}

// Opens the output file named for the current wall-clock time, records that
// name in the header and writes the header. Always returns 0.
int SFFileWriter::initialize() {
  const std::string ofile = getFileName(time(nullptr));
  m_dfw = new avro::DataFileWriter(ofile.c_str(), m_sysfSchema,
                                   COMPRESS_BLOCK_SIZE,
                                   avro::Codec::DEFLATE_CODEC);
  setHeaderFile(ofile);
  writeHeader();
  return 0;
}

// Output file name for a (re)start at `curTime`.
//   - no prefix configured: "<outputFile><curTime>", always;
//   - prefix configured:    "<outputFile>" for the first file (m_start <= 0),
//                           "<outputFile>.<curTime>" once reset() has stored a
//                           start time.
std::string SFFileWriter::getFileName(time_t curTime) {
  const std::string base = m_cxt->getOutputFile();
  const std::string stamp = std::to_string(curTime);
  if (!m_cxt->hasPrefix()) {
    return base + stamp;
  }
  return m_start > 0 ? base + "." + stamp : base;
}

// Rotates to a fresh file named for `curTime`: closes the current writer,
// resets the record counter, opens the new file and writes a new header.
void SFFileWriter::reset(time_t curTime) {
  const std::string ofile = getFileName(curTime);
  setHeaderFile(ofile);
  m_numRecs = 0;
  m_dfw->close();
  delete m_dfw;
  m_dfw = new avro::DataFileWriter(ofile.c_str(), m_sysfSchema,
                                   COMPRESS_BLOCK_SIZE,
                                   avro::Codec::DEFLATE_CODEC);
  m_start = curTime;
  writeHeader();
}

--------------------------------------------------------------------------------
/src/libs/sffilewriter.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
**/

#ifndef __SF_FILE_WRITER_
#define __SF_FILE_WRITER_
#include "avro/Compiler.hh"
#include "avro/DataFile.hh"
#include "avro/Decoder.hh"
#include "avro/Encoder.hh"
#include "avro/ValidSchema.hh"
#include "sysflow.h"
#include "sysflowcontext.h"
#include "sysflowwriter.h"
#include "utils.h"
// Avro container block size (bytes) passed to DataFileWriter.
#define COMPRESS_BLOCK_SIZE 80000

using sysflow::SysFlow;

namespace writer {
// Writes SysFlow records to a DEFLATE-compressed Avro data file; file naming
// and rotation are handled in sffilewriter.cpp.
class SFFileWriter : public writer::SysFlowWriter {
private:
  avro::ValidSchema m_sysfSchema;
  // Owned; nullptr until initialize() opens the file.
  avro::DataFileWriter *m_dfw;
  std::string getFileName(time_t curTime);

public:
  SFFileWriter(context::SysFlowContext *cxt, time_t start);
  virtual ~SFFileWriter();
  // Process/file context is not needed for file output; delegates to the
  // single-argument overload.
  inline void write(SysFlow *flow, sysflow::Process *, sysflow::File *,
                    sysflow::File *) {
    write(flow);
  }
  // Requires initialize() to have run first (m_dfw must be open).
  inline void write(SysFlow *flow) { m_dfw->write(*flow); }
  int initialize();
  void reset(time_t curTime);
  // Rotation is never requested by this writer itself.
  bool needsReset() { return false; }
};
} // namespace writer
#endif

--------------------------------------------------------------------------------
/src/libs/sfmodes.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2021 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
**/

#ifndef __SF_MODES_
#define __SF_MODES_
#include
#include

// Syscall subscription sets, one per collection mode (the mode selection
// itself lives elsewhere). They are strictly nested:
//   SF_NO_FILES_SC_SET ⊂ SF_CONSUMER_SC_SET ⊂ SF_FLOW_SC_SET.
// Being `static const` in a header, every translation unit that includes
// this file gets its own copy.

// Full flow mode: everything below plus the data-carrying calls
// (read/write/pread/pwrite/readv/writev, mmap), bind/listen/shutdown, setns
// and chmod. Only this set lets flows account for bytes transferred.
static const std::unordered_set SF_FLOW_SC_SET{
    PPM_SC_ACCEPT,      PPM_SC_ACCEPT4,     PPM_SC_BIND,      PPM_SC_CHMOD,
    PPM_SC_CLONE,       PPM_SC_CLONE3,      PPM_SC_CLOSE,     PPM_SC_CONNECT,
    PPM_SC_CREAT,       PPM_SC_EXECVE,      PPM_SC_EXECVEAT,  PPM_SC_FORK,
    PPM_SC_LINK,        PPM_SC_LINKAT,      PPM_SC_LISTEN,    PPM_SC_MMAP,
    PPM_SC_MMAP2,       PPM_SC_MKDIR,       PPM_SC_MKDIRAT,   PPM_SC_OPEN,
    PPM_SC_OPENAT,      PPM_SC_OPENAT2,     PPM_SC_PREAD64,   PPM_SC_PREADV,
    PPM_SC_PWRITEV,     PPM_SC_PWRITE64,    PPM_SC_READ,      PPM_SC_READV,
    PPM_SC_RECVFROM,    PPM_SC_RECVMMSG,    PPM_SC_RECVMSG,   PPM_SC_RENAME,
    PPM_SC_RENAMEAT,    PPM_SC_RENAMEAT2,   PPM_SC_RMDIR,     PPM_SC_SENDMMSG,
    PPM_SC_SENDMSG,     PPM_SC_SENDTO,      PPM_SC_SETNS,     PPM_SC_SETRESUID,
    PPM_SC_SETRESUID32, PPM_SC_SETUID,      PPM_SC_SETUID32,  PPM_SC_SHUTDOWN,
    PPM_SC_SOCKETPAIR,  PPM_SC_SYMLINK,     PPM_SC_SYMLINKAT, PPM_SC_UNLINK,
    PPM_SC_UNLINKAT,    PPM_SC_VFORK,       PPM_SC_WRITE,     PPM_SC_WRITEV,
};

// Consumer mode: process lifecycle, uid changes, socket setup/teardown,
// message send/receive, and directory/link file events (chmod, mkdir, link,
// unlink, symlink, rename). No read/write/mmap, so no data volumes.
static const std::unordered_set SF_CONSUMER_SC_SET{
    PPM_SC_ACCEPT,      PPM_SC_ACCEPT4,     PPM_SC_CHMOD,     PPM_SC_CLONE,
    PPM_SC_CLONE3,      PPM_SC_CLOSE,       PPM_SC_CONNECT,   PPM_SC_CREAT,
    PPM_SC_EXECVE,      PPM_SC_EXECVEAT,    PPM_SC_FORK,      PPM_SC_LINK,
    PPM_SC_LINKAT,      PPM_SC_MKDIR,       PPM_SC_MKDIRAT,   PPM_SC_OPEN,
    PPM_SC_OPENAT,      PPM_SC_OPENAT2,     PPM_SC_RECVFROM,  PPM_SC_RECVMMSG,
    PPM_SC_RECVMSG,     PPM_SC_RENAME,      PPM_SC_RENAMEAT,  PPM_SC_RENAMEAT2,
    PPM_SC_RMDIR,       PPM_SC_SENDMMSG,    PPM_SC_SENDMSG,   PPM_SC_SENDTO,
    PPM_SC_SETRESUID,   PPM_SC_SETRESUID32, PPM_SC_SETUID,    PPM_SC_SETUID32,
    PPM_SC_SOCKETPAIR,  PPM_SC_SYMLINK,     PPM_SC_SYMLINKAT, PPM_SC_UNLINK,
    PPM_SC_UNLINKAT,    PPM_SC_VFORK,
};

// No-files mode: consumer mode minus every directory/link syscall; file
// activity is visible only through open/creat/close.
static const std::unordered_set SF_NO_FILES_SC_SET{
    PPM_SC_ACCEPT,      PPM_SC_ACCEPT4,     PPM_SC_CLONE,     PPM_SC_CLONE3,
    PPM_SC_CLOSE,       PPM_SC_CONNECT,     PPM_SC_CREAT,     PPM_SC_EXECVE,
    PPM_SC_EXECVEAT,    PPM_SC_FORK,        PPM_SC_OPEN,      PPM_SC_OPENAT,
    PPM_SC_OPENAT2,     PPM_SC_RECVFROM,    PPM_SC_RECVMMSG,  PPM_SC_RECVMSG,
    PPM_SC_SENDMMSG,    PPM_SC_SENDMSG,     PPM_SC_SENDTO,    PPM_SC_SETRESUID,
    PPM_SC_SETRESUID32, PPM_SC_SETUID,      PPM_SC_SETUID32,  PPM_SC_SOCKETPAIR,
    PPM_SC_VFORK,
};
#endif

--------------------------------------------------------------------------------
/src/libs/sfmultiwriter.cpp:
--------------------------------------------------------------------------------
/** Copyright (C) 2021 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
**/

#include "sfmultiwriter.h"

using writer::SFMultiWriter;

// Fan-out writer: every record goes to both a socket writer and a file
// writer, each constructed with the same context and start time.
SFMultiWriter::SFMultiWriter(context::SysFlowContext *cxt, time_t start)
    : writer::SysFlowWriter(cxt, start), m_sockWriter(cxt, start),
      m_fileWriter(cxt, start) {}

SFMultiWriter::~SFMultiWriter() = default;

// The file writer is initialized first because it chooses the output file
// name, which the socket writer then advertises in its own header. Both
// member initialize() calls return 0 unconditionally in their visible
// implementations, so their results are not checked.
int SFMultiWriter::initialize() {
  m_fileWriter.initialize();
  const auto headerFile = m_fileWriter.getHeaderFile();
  m_sockWriter.setHeaderFile(headerFile);
  m_sockWriter.initialize();
  return 0;
}

// Rotates both outputs for `curTime` (same ordering rationale as above) and
// restarts this writer's own record count and start time.
void SFMultiWriter::reset(time_t curTime) {
  m_fileWriter.reset(curTime);
  const auto headerFile = m_fileWriter.getHeaderFile();
  m_sockWriter.setHeaderFile(headerFile);
  m_sockWriter.reset(curTime);
  m_numRecs = 0;
  m_start = curTime;
}

--------------------------------------------------------------------------------
/src/libs/sfmultiwriter.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2021 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
**/

#ifndef __SF_MULTI_WRITER_
#define __SF_MULTI_WRITER_
#include "sffilewriter.h"
#include "sfsockwriter.h"
#include "sysflowcontext.h"
#include "sysflowwriter.h"
using sysflow::SysFlow;

namespace writer {
// Composite writer that mirrors every record to a socket writer and a file
// writer (both owned by value). See sfmultiwriter.cpp for init/rotation order.
class SFMultiWriter : public writer::SysFlowWriter {
private:
  SFSocketWriter m_sockWriter;
  SFFileWriter m_fileWriter;
  DEFINE_LOGGER();

public:
  SFMultiWriter(context::SysFlowContext *cxt, time_t start);
  virtual ~SFMultiWriter();
  // Context arguments are not needed by either underlying writer.
  inline void write(SysFlow *flow, sysflow::Process *, sysflow::File *,
                    sysflow::File *) {
    write(flow);
  }
  // Socket first, then file. The socket writer may drop the record while it
  // is in its reconnect state; the file write still happens.
  inline void write(SysFlow *flow) {
    m_sockWriter.write(flow);
    m_fileWriter.write(flow);
  }
  int initialize();
  void reset(time_t curTime);
  // A reset requested by either member rotates both (see reset()).
  bool needsReset() {
    return m_sockWriter.needsReset() || m_fileWriter.needsReset();
  }
};
} // namespace writer
#endif

--------------------------------------------------------------------------------
/src/libs/sfsockwriter.cpp:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 *    Frederico Araujo
 *    Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
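**/

#include "sfsockwriter.h"

using writer::SFSocketWriter;

CREATE_LOGGER(SFSocketWriter, "sysflow.sfsocketwriter");

// Unix-domain (SOCK_SEQPACKET) writer. m_sock starts at -1, meaning "no
// socket": the previous sentinel of 0 made the first connectSocket() and the
// destructor close(0), i.e. the process's stdin, and any later open() could
// then be handed descriptor 0 and be confused with it.
SFSocketWriter::SFSocketWriter(context::SysFlowContext *cxt, time_t start)
    : writer::SysFlowWriter(cxt, start), m_sock(-1), m_errTimer(0),
      m_reconnectInterval(CONNECT_INTERVAL), m_reset(false) {
  m_sockPath = m_cxt->getSocketFile();
}

SFSocketWriter::~SFSocketWriter() {
  if (m_sock >= 0) {
    close(m_sock);
  }
}

// Sets up the Avro binary encoder over m_stringStream and attempts the first
// connection. A failed connect is not fatal: m_errTimer is armed so write()
// enters its reconnect/backoff path. The header is written regardless (it is
// buffered through the same encoder). Always returns 0.
int SFSocketWriter::initialize() {
  m_outStream = avro::ostreamOutputStream(m_stringStream, 16);
  m_encoder = avro::binaryEncoder();
  m_encoder->init(*m_outStream);
  int res = connectSocket();
  if (res == -1) {
    m_errTimer = time(nullptr);
  }
  writeHeader();
  return 0;
}

/**
 * (Re)connects to the Unix-domain socket at m_sockPath, closing any previous
 * descriptor first.
 *
 * @return 0 on success; -1 if the path does not fit in sockaddr_un, or
 *         socket()/connect() fail (logged with strerror). On failure m_sock
 *         is -1 and no descriptor is left open.
 */
int SFSocketWriter::connectSocket() {
  if (m_sock >= 0) {
    close(m_sock);
    m_sock = -1;
  }
  struct sockaddr_un addr;
  // sun_path is a fixed-size array; strncpy below would silently truncate a
  // longer path and connect to (or fail on) a different socket name.
  if (m_sockPath.size() >= sizeof(addr.sun_path)) {
    SF_ERROR(m_logger, "Domain socket path too long ("
                           << m_sockPath.size() << " bytes, max "
                           << (sizeof(addr.sun_path) - 1)
                           << "): " << m_sockPath);
    return -1;
  }
  if ((m_sock = socket(AF_UNIX, SOCK_SEQPACKET, 0)) < 0) {
    const int err = errno;
    SF_ERROR(m_logger, "Unable to create domain socket object. Error Code: "
                           << std::strerror(err));
    return -1;
  }
  memset(&addr, 0, sizeof(addr));
  addr.sun_family = AF_UNIX;
  strncpy(addr.sun_path, m_sockPath.c_str(), sizeof(addr.sun_path) - 1);
  if (connect(m_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
    const int err = errno;
    SF_ERROR(m_logger, "Unable to connect to domain socket: "
                           << m_sockPath
                           << ". Error Code: " << std::strerror(err));
    // Do not keep an unconnected descriptor around until the next attempt.
    close(m_sock);
    m_sock = -1;
    return -1;
  }
  return 0;
}

// Restarts the record count and start time, re-emits the header and clears
// the reset request raised by write() after a successful reconnect.
void SFSocketWriter::reset(time_t curTime) {
  m_numRecs = 0;
  m_start = curTime;
  writeHeader();
  m_reset = false;
}

--------------------------------------------------------------------------------
/src/libs/sfsockwriter.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.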
2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef __SF_SOCK_WRITER_ 21 | #define __SF_SOCK_WRITER_ 22 | #include "avro/Decoder.hh" 23 | #include "avro/Encoder.hh" 24 | #include "sysflow.h" 25 | #include "sysflowcontext.h" 26 | #include "sysflowwriter.h" 27 | #include "utils.h" 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | using sysflow::SysFlow; 37 | 38 | #define CONNECT_INTERVAL 10 39 | 40 | namespace writer { 41 | class SFSocketWriter : public writer::SysFlowWriter { 42 | private: 43 | int m_sock; 44 | std::string m_sockPath; 45 | avro::EncoderPtr m_encoder; 46 | std::ostringstream m_stringStream; 47 | std::unique_ptr m_outStream; 48 | time_t m_errTimer; 49 | time_t m_reconnectInterval; 50 | bool m_reset; 51 | DEFINE_LOGGER(); 52 | int connectSocket(); 53 | 54 | public: 55 | SFSocketWriter(context::SysFlowContext *cxt, time_t start); 56 | virtual ~SFSocketWriter(); 57 | 58 | inline void write(SysFlow *flow, sysflow::Process *, sysflow::File *, 59 | sysflow::File *) { 60 | write(flow); 61 | } 62 | 63 | inline void write(SysFlow *flow) { 64 | if (m_errTimer == 0) { 65 | avro::encode(*m_encoder, *flow); 66 | m_encoder->flush(); 67 | if (send(m_sock, (const void *)m_stringStream.str().c_str(), 68 | m_stringStream.str().size(), 0) < 0) { 69 | SF_ERROR(m_logger, "Unable to send on 
domain socket: " 70 | << m_sockPath 71 | << ". Error Code: " << std::strerror(errno)); 72 | m_errTimer = time(nullptr); 73 | } 74 | m_stringStream.str(""); 75 | m_stringStream.clear(); 76 | } else { 77 | time_t curTime = time(nullptr); 78 | double interval = difftime(curTime, m_errTimer); 79 | if (interval >= m_reconnectInterval) { 80 | SF_WARN(m_logger, 81 | "Trying to reconnect to socket " << m_sockPath.c_str()) 82 | int res = connectSocket(); 83 | if (res == 0) { 84 | SF_WARN(m_logger, 85 | "Successfully reconnected to socket " << m_sockPath.c_str()) 86 | m_errTimer = 0; 87 | m_reconnectInterval = CONNECT_INTERVAL; 88 | m_reset = true; 89 | } else { 90 | m_reconnectInterval = 2 * m_reconnectInterval; 91 | if (m_reconnectInterval > 8 * CONNECT_INTERVAL) { 92 | SF_ERROR( 93 | m_logger, 94 | "Unable to connect to domain socket within interval. Exiting!"); 95 | pid_t myPid = getpid(); 96 | kill(myPid, SIGINT); 97 | } 98 | } 99 | } 100 | } 101 | } 102 | int initialize(); 103 | void reset(time_t curTime); 104 | bool needsReset() { return m_reset; } 105 | }; 106 | } // namespace writer 107 | #endif 108 | -------------------------------------------------------------------------------- /src/libs/sysflow.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef __SYSFLOW_WRAP 21 | #define __SYSFLOW_WRAP 22 | #include "sysflow/sysflow.hh" 23 | #endif 24 | -------------------------------------------------------------------------------- /src/libs/sysflow_config.h.in: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef __SYSFLOW_CONFIG 21 | #define __SYSFLOW_CONFIG 22 | #define SF_VERSION SYSFLOW_VERSION 23 | #define SF_BUILD SYSFLOW_BUILD_NUMBER 24 | #endif 25 | -------------------------------------------------------------------------------- /src/libs/sysflowcontext.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 
9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_CONTEXT_ 21 | #define _SF_CONTEXT_ 22 | #include 23 | 24 | #include 25 | 26 | #include "logger.h" 27 | #include "readonly.h" 28 | #include "sfconfig.h" 29 | #include "sysflow.h" 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | 37 | #define DRIVER_LOG "DRIVER_LOG" 38 | #define NODE_IP "NODE_IP" 39 | #define ENABLE_DROP_MODE "ENABLE_DROP_MODE" 40 | #define FILE_READ_MODE "FILE_READ_MODE" 41 | #define FILE_ONLY "FILE_ONLY" 42 | #define ENABLE_STATS "ENABLE_STATS" 43 | #define ENABLE_PROC_FLOW "ENABLE_PROC_FLOW" 44 | #define SF_K8S_API_URL "SF_K8S_API_URL" 45 | #define SF_K8S_API_CERT "SF_K8S_API_CERT" 46 | #define SF_PROBE_BPF_FILEPATH ".falco/falco-bpf.o" 47 | #define SF_BPF_ENV_VARIABLE "FALCO_BPF_PROBE" 48 | #define DRIVER_HOME "HOME" 49 | 50 | namespace context { 51 | 52 | class SysFlowContext { 53 | private: 54 | int m_nfExportInterval; 55 | int m_nfExpireInterval; 56 | bool m_offline; 57 | int m_statsInterval; 58 | std::string m_nodeIP; 59 | bool m_k8sEnabled; 60 | SysFlowCallback m_callback; 61 | SysFlowConfig *m_config; 62 | bool m_hasPrefix; 63 | std::string m_ebpfProbe; 64 | sinsp *m_inspector; 65 | DEFINE_LOGGER(); 66 | void loadDriverInfo(); 67 | void checkModule(); 68 | void openInspector(libsinsp::events::set ppm_sc); 69 | libsinsp::events::set 70 | getSyscallSet(libsinsp::events::set ppmScSet = {}); 71 | 72 | public: 73 | SysFlowContext(SysFlowConfig *config); 74 | virtual ~SysFlowContext(); 75 | uint64_t timeStamp{}; 76 | std::string 
getExporterID(); 77 | std::string getNodeIP(); 78 | SysFlowCallback getCallback() { return m_callback; } 79 | inline void setNodeIP(std::string nodeIP) { m_nodeIP = nodeIP; } 80 | inline bool isOffline() { return m_offline; } 81 | inline bool hasCallback() { return m_callback != nullptr; } 82 | inline sinsp *getInspector() { return m_inspector; } 83 | inline int getNFExportInterval() { return m_nfExportInterval; } 84 | inline int getNFExpireInterval() { return m_nfExpireInterval; } 85 | inline std::string getOutputFile() { return m_config->filePath; } 86 | inline std::string getSocketFile() { return m_config->socketPath; } 87 | inline bool isDomainSocket() { return !m_config->socketPath.empty(); } 88 | inline bool isOutputFile() { return !m_config->filePath.empty(); } 89 | inline std::string getScapFile() { return m_config->scapInputPath; } 90 | inline bool hasPrefix() { return m_hasPrefix; } 91 | inline int getFileDuration() { return m_config->rotateInterval; } 92 | inline bool isFilterContainers() { return m_config->filterContainers; } 93 | inline bool isStatsEnabled() { return m_config->enableStats; } 94 | inline bool isProcessFlowEnabled() { return m_config->enableProcessFlow; } 95 | inline int getStatsInterval() { return m_statsInterval; } 96 | inline bool isFileOnly() { return m_config->fileOnly; } 97 | inline int getFileRead() { return m_config->fileReadMode; } 98 | inline bool isK8sEnabled() { return m_k8sEnabled; } 99 | inline bool isConsumerMode() { 100 | return m_config->collectionMode == SFSysCallMode::SFConsumerMode; 101 | } 102 | inline bool isNoFilesMode() { 103 | return m_config->collectionMode == SFSysCallMode::SFNoFilesMode; 104 | } 105 | }; 106 | } // namespace context 107 | 108 | #endif 109 | -------------------------------------------------------------------------------- /src/libs/sysflowexception.cpp: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 
 *
 * Authors:
 * Frederico Araujo
 * Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#include "sysflowexception.h"
#include "scap.h"

/**
 * Builds the exception and derives its SysFlowError code from the message
 * text (see setErrorCode).
 * @param message human-readable error; also becomes the runtime_error what().
 */
sfexception::SysFlowException::SysFlowException(std::string message)
    : std::runtime_error(message) {
  setErrorCode(message);
}

namespace {
// Substrings of libsinsp/scap error messages that identify a known failure
// mode, checked in this order; anything else stays LibsError.
struct MessagePattern {
  const char *needle;
  sfexception::SysFlowError code;
};
const MessagePattern kMessagePatterns[] = {
    {"Driver supports API version", sfexception::DriverLibsMismatch},
    {"missing api_version section", sfexception::DriverLibsMismatch},
    {"Make sure you have root credentials and that the falco "
     "module is loaded.",
     sfexception::ProbeAccessDenied},
};
} // namespace

/**
 * Classifies message by substring match against kMessagePatterns.
 * Sets m_code to the first matching pattern's code, or LibsError if none
 * matches.
 */
void sfexception::SysFlowException::setErrorCode(std::string message) {
  m_code = LibsError;
  for (const MessagePattern &pattern : kMessagePatterns) {
    if (message.find(pattern.needle) != std::string::npos) {
      m_code = pattern.code;
      return;
    }
  }
}

/**
 * Maps a scap status code to a SysFlowError.
 * @param ec scap return code (SCAP_*).
 * @return EventParsingError for SCAP_ILLEGAL_INPUT / SCAP_INPUT_TOO_SMALL /
 *         SCAP_UNEXPECTED_BLOCK, ProcResourceNotFound for SCAP_NOTFOUND,
 *         DriverLibsMismatch for SCAP_VERSION_MISMATCH, OperationNotSupported
 *         for SCAP_NOT_SUPPORTED, LibsError for everything else (including
 *         SCAP_SUCCESS, SCAP_FAILURE, SCAP_TIMEOUT and SCAP_EOF).
 */
sfexception::SysFlowError sfexception::getErrorCodeFromScap(int32_t ec) {
  switch (ec) {
  case SCAP_ILLEGAL_INPUT:
  case SCAP_INPUT_TOO_SMALL:
  case SCAP_UNEXPECTED_BLOCK:
    return EventParsingError;
  case SCAP_NOTFOUND:
    return ProcResourceNotFound;
  case SCAP_VERSION_MISMATCH:
    return DriverLibsMismatch;
  case SCAP_NOT_SUPPORTED:
    return OperationNotSupported;
  default:
    // SCAP_SUCCESS, SCAP_FAILURE, SCAP_TIMEOUT, SCAP_EOF and unknown codes.
    return LibsError;
  }
}
--------------------------------------------------------------------------------
/src/libs/sysflowexception.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2022 IBM Corporation.
 *
 * Authors:
 * Frederico Araujo
 * Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
18 | **/ 19 | 20 | #ifndef __SYSFLOW_EXCEPTION__ 21 | #define __SYSFLOW_EXCEPTION__ 22 | 23 | #include 24 | #include 25 | 26 | namespace sfexception { 27 | 28 | enum SysFlowError { 29 | LibsError, 30 | ProbeAccessDenied, 31 | ProbeNotExist, 32 | ErrorReadingFileSystem, 33 | NameTooLong, 34 | ProbeCheckError, 35 | ProbeNotLoaded, 36 | DriverLibsMismatch, 37 | EventParsingError, 38 | ProcResourceNotFound, 39 | OperationNotSupported 40 | }; 41 | 42 | class SysFlowException : public std::runtime_error { 43 | private: 44 | SysFlowError m_code; 45 | void setErrorCode(std::string message); 46 | 47 | public: 48 | SysFlowException(std::string message); 49 | SysFlowException(std::string message, SysFlowError code) 50 | : std::runtime_error(message), m_code(code) {} 51 | SysFlowError getErrorCode() { return m_code; } 52 | }; 53 | 54 | SysFlowError getErrorCodeFromScap(int32_t ec); 55 | 56 | } // namespace sfexception 57 | 58 | #endif 59 | -------------------------------------------------------------------------------- /src/libs/sysflowlibs.cpp: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2022 IBM Corporation. 2 | * 3 | * Authors: 4 | * Frederico Araujo 5 | * Teryl Taylor 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 
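 **/

#include "sysflowlibs.hpp"
#include "scap.h"
#include "scap_open_exception.h"
#include "sinsp_exception.h"
#include "sysflow_config.h"
#include "sysflowcontext.h"
#include "sysflowprocessor.h"
#include

using sysflowlibscpp::SysFlowDriver;

/**
 * Creates the collector context and processor for the given configuration.
 *
 * @param conf caller-owned configuration (see InitializeSysFlowConfig()).
 * @throws sfexception::SysFlowException if conf is null, or if libsinsp
 *         throws while the context/processor are being built; in the latter
 *         case the partially built context is released before rethrowing so
 *         the failed construction leaks nothing.
 */
SysFlowDriver::SysFlowDriver(SysFlowConfig *conf)
    : m_cxt(nullptr), m_writer(nullptr), m_processor(nullptr) {
  if (conf == nullptr) {
    throw sfexception::SysFlowException("SysFlowDriver: null SysFlowConfig");
  }
  try {
    CONFIGURE_LOGGER(conf->appName.c_str())
    m_cxt = new context::SysFlowContext(conf);
    m_processor = new sysflowprocessor::SysFlowProcessor(m_cxt, nullptr);
  } catch (const sinsp_exception &ex) {
    SF_ERROR(logger, "Runtime exception on module load: " << ex.what());
    // m_processor is still null here (its constructor did not complete), so
    // the context is ours to free.
    delete m_cxt;
    m_cxt = nullptr;
    SHUTDOWN_LOGGER()
    throw sfexception::SysFlowException(ex.what());
  }
}

/**
 * Releases the processor and shuts the logger down.
 * NOTE(review): m_cxt is not deleted here (unchanged); confirm whether
 * SysFlowProcessor takes ownership of it before adding a delete.
 */
SysFlowDriver::~SysFlowDriver() {
  delete m_processor;
  SHUTDOWN_LOGGER()
}

/**
 * Allocates a SysFlowConfig populated with the library defaults: flow
 * collection mode, no driver selected, file-only output with 300 s rotation,
 * process flows and drop mode enabled, stats disabled, no callback.
 * @return heap-allocated config; the caller owns it and must delete it.
 */
SysFlowConfig *sysflowlibscpp::InitializeSysFlowConfig() {
  SysFlowConfig *conf = new SysFlowConfig();
  conf->filterContainers = false;
  conf->rotateInterval = 300;
  conf->samplingRatio = 1;
  conf->criTO = 30;
  conf->enableStats = false;
  conf->enableProcessFlow = true;
  conf->fileOnly = true;
  conf->fileReadMode = 2;
  conf->dropMode = true;
  conf->callback = nullptr;
  conf->debugMode = false;
  conf->moduleChecks = true;
  conf->singleBufferDimension = DEFAULT_DRIVER_BUFFER_BYTES_DIM;
  conf->appName = "sysflowlibs";
  conf->collectionMode = SFSysCallMode::SFFlowMode;
  conf->cpuBuffers = 0;
  conf->driverType = NO_DRIVER;
  return conf;
}

/** Asks the processor's main loop to stop. */
void SysFlowDriver::exit() { m_processor->exit(); }

/**
 * Runs the processor's main loop until exit() is called or it finishes.
 * @return the processor's exit status.
 * @throws sfexception::SysFlowException wrapping any sinsp_exception or
 *         avro::Exception escaping the loop (logged first).
 */
int SysFlowDriver::run() {
  try {
    return m_processor->run();
  } catch (const sinsp_exception &ex) {
    SF_ERROR(logger, "Runtime exception caught in main loop: " << ex.what());
    throw sfexception::SysFlowException(ex.what());
  } catch (const avro::Exception &aex) {
    SF_ERROR(logger,
             "Runtime avro exception caught in main loop: " << aex.what());
    throw sfexception::SysFlowException(aex.what());
  }
  // Not reachable: every path above returns or throws.
  return 0;
}

/** @return "<SF_VERSION>+<SF_BUILD>" as compiled into sysflow_config.h. */
std::string SysFlowDriver::getVersion() {
  std::stringstream str;
  str << SF_VERSION << "+" << SF_BUILD;
  return str.str();
}
--------------------------------------------------------------------------------
/src/libs/sysflowlibs.hpp:
--------------------------------------------------------------------------------
/** Copyright (C) 2022 IBM Corporation.
 *
 * Authors:
 * Frederico Araujo
 * Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.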
18 | **/ 19 | 20 | #ifndef __SYSFLOW_LIBS_C_PLUS_PLUS_API__ 21 | #define __SYSFLOW_LIBS_C_PLUS_PLUS_API__ 22 | #include "sfconfig.h" 23 | #include "sysflowexception.h" 24 | #include 25 | namespace writer { 26 | class SysFlowWriter; 27 | } 28 | namespace context { 29 | class SysFlowContext; 30 | } 31 | 32 | namespace sysflowprocessor { 33 | class SysFlowProcessor; 34 | } 35 | 36 | namespace sysflowlibscpp { 37 | 38 | SysFlowConfig *InitializeSysFlowConfig(); 39 | 40 | class SysFlowDriver { 41 | private: 42 | context::SysFlowContext *m_cxt; 43 | writer::SysFlowWriter *m_writer; 44 | sysflowprocessor::SysFlowProcessor *m_processor; 45 | 46 | public: 47 | explicit SysFlowDriver(SysFlowConfig *conf); 48 | virtual ~SysFlowDriver(); 49 | void exit(); 50 | int run(); 51 | std::string getVersion(); 52 | }; 53 | 54 | } // namespace sysflowlibscpp 55 | 56 | #endif // __SYSFLOW_LIBS_C_PLUS_PLUS_API__ 57 | -------------------------------------------------------------------------------- /src/libs/sysflowprocessor.h: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 2 | * 3 | * Authors: 4 | * Teryl Taylor 5 | * Frederico Araujo 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 
18 | **/ 19 | 20 | #ifndef __SF_PROCESSOR_ 21 | #define __SF_PROCESSOR_ 22 | #include "containercontext.h" 23 | #include "controlflowprocessor.h" 24 | #include "dataflowprocessor.h" 25 | #include "filecontext.h" 26 | #include "k8scontext.h" 27 | #include "k8seventprocessor.h" 28 | #include "logger.h" 29 | #include "processcontext.h" 30 | #include "sffilewriter.h" 31 | #include "sfmultiwriter.h" 32 | #include "sfsockwriter.h" 33 | #include "syscall_defs.h" 34 | #include "sysflowcontext.h" 35 | #include 36 | #include 37 | #include 38 | 39 | namespace sysflowprocessor { 40 | class SysFlowProcessor { 41 | public: 42 | explicit SysFlowProcessor(context::SysFlowContext *cxt, 43 | writer::SysFlowWriter *writer = nullptr); 44 | virtual ~SysFlowProcessor(); 45 | inline void exit() { m_exit = true; } 46 | int run(); 47 | sysflow::Container *getContainer(const std::string &containerId); 48 | sysflow::Process *getProcess(sysflow::OID &oid); 49 | 50 | private: 51 | DEFINE_LOGGER(); 52 | bool m_exit; 53 | writer::SysFlowWriter *m_writer; 54 | context::SysFlowContext *m_cxt; 55 | container::ContainerContext *m_containerCxt; 56 | file::FileContext *m_fileCxt; 57 | process::ProcessContext *m_processCxt; 58 | controlflow::ControlFlowProcessor *m_ctrlPrcr; 59 | dataflow::DataFlowProcessor *m_dfPrcr; 60 | sfk8s::K8sContext *m_k8sCxt; 61 | k8sevent::K8sEventProcessor *m_k8sPrcr; 62 | time_t m_statsTime; 63 | void clearTables(); 64 | int checkForExpiredRecords(); 65 | bool checkAndRotateFile(); 66 | void printStats(); 67 | }; 68 | } // namespace sysflowprocessor 69 | 70 | #endif 71 | -------------------------------------------------------------------------------- /src/libs/sysflowwriter.cpp: -------------------------------------------------------------------------------- 1 | /** Copyright (C) 2019 IBM Corporation. 
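 *
 * Authors:
 * Frederico Araujo
 * Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

#include "sysflowwriter.h"

using writer::SysFlowWriter;

/**
 * Base state shared by the concrete SysFlow writers.
 *
 * @param cxt   collector context used to fill the SFHeader (exporter id,
 *              node IP).
 * @param start timestamp of the first record of the current output.
 *
 * m_version is taken once from the compiled schema; m_hdrFile starts empty
 * (presumably a file-backed subclass fills it in — verify in sffilewriter).
 * The old constructor assigned m_start and m_version a second time in the
 * body; they are now initialised exactly once.
 */
SysFlowWriter::SysFlowWriter(context::SysFlowContext *cxt, time_t start)
    : m_start(start), m_version(utils::getSchemaVersion()), m_hdrFile("") {
  m_cxt = cxt;
  // Zeroed explicitly so writeHeader()'s increment is well defined even if
  // the header does not default-initialise the counter.
  m_numRecs = 0;
}

/**
 * Emits an SFHeader record through the subclass' write(SysFlow *).
 * Used at initialisation and on reset (see e.g. SFSocketWriter); counts as
 * one record in m_numRecs.
 */
void SysFlowWriter::writeHeader() {
  m_header.version = m_version;
  m_header.exporter = m_cxt->getExporterID();
  m_header.ip = m_cxt->getNodeIP();
  m_header.filename = m_hdrFile;
  m_flow.rec.set_SFHeader(m_header);
  m_numRecs++;
  write(&m_flow);
}
--------------------------------------------------------------------------------
/src/libs/utils.h:
--------------------------------------------------------------------------------
/** Copyright (C) 2019 IBM Corporation.
 *
 * Authors:
 * Frederico Araujo
 * Teryl Taylor
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.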
9 | * You may obtain a copy of the License at 10 | * 11 | * http://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | **/ 19 | 20 | #ifndef _SF_UTILS_ 21 | #define _SF_UTILS_ 22 | #include "avro/Compiler.hh" 23 | #include "avro/ValidSchema.hh" 24 | #include "ghc/fs_std.hpp" 25 | #include "sysflow.h" 26 | #include "sysflowcontext.h" 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | #define SCH_FIELDS_STR "fields" 37 | #define SCH_TYPE_STR "type" 38 | #define SCH_NAME_STR "name" 39 | #define SCH_SFHEADER_STR "SFHeader" 40 | #define SCH_VERSION_STR "version" 41 | #define SCH_DEFAULT_STR "default" 42 | 43 | using sysflow::OID; 44 | 45 | typedef std::array FOID; 46 | struct NFKey; 47 | 48 | namespace utils { 49 | static const std::string EMPTY_STR = ""; 50 | int64_t getFlags(sinsp_evt *ev); 51 | bool isCloneThreadSet(sinsp_evt *ev); 52 | int64_t getFD(sinsp_evt *ev); 53 | bool isMapAnonymous(sinsp_evt *ev); 54 | int64_t getIntParam(sinsp_evt *ev, std::string pname); 55 | std::string getUserName(context::SysFlowContext *cxt, std::string &containerId, 56 | uint32_t uid); 57 | std::string getGroupName(context::SysFlowContext *cxt, std::string &containerId, 58 | uint32_t gid); 59 | bool isInContainer(sinsp_evt *ev); 60 | int64_t getSyscallResult(sinsp_evt *ev); 61 | avro::ValidSchema loadSchema(); 62 | time_t getExportTime(context::SysFlowContext *cxt); 63 | NFKey *getNFDelKey(); 64 | NFKey *getNFEmptyKey(); 65 | OID *getOIDDelKey(); 66 | OID *getOIDEmptyKey(); 67 | void generateFOID(const std::string &key, FOID *foid); 68 | std::string getPath(sinsp_evt *ev, const 
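std::string &paraName);
fs::path getCanonicalPath(const std::string &fileName);
std::string getAbsolutePath(sinsp_threadinfo *ti, int64_t dirfd,
                            const std::string &fileName);
std::string getAbsolutePath(sinsp_threadinfo *ti, const std::string &fileName);
int64_t getFD(sinsp_evt *ev, const std::string &paraName);
int64_t getSchemaVersion();

// Seconds since the epoch for "now": the replayed capture's own timestamp
// when running offline (cxt->timeStamp is in nanoseconds), the system clock
// otherwise.
inline time_t getCurrentTime(context::SysFlowContext *cxt) {
  if (cxt->isOffline()) {
    return (cxt->timeStamp) / 1000000000;
  }
  return time(nullptr);
}

// Nanosecond timestamp for "now": from the capture when offline, from
// libsinsp's clock otherwise.
inline uint64_t getSinspTime(context::SysFlowContext *cxt) {
  if (cxt->isOffline()) {
    return cxt->timeStamp;
  }
  return sinsp_utils::get_current_time_ns();
}

// Parses a textual IPv4 or IPv6 address and appends it to ip as one (IPv4)
// or two (IPv6, low 64 bits first) int64 words. Strings that are neither are
// ignored and ip is left untouched.
inline void strToIP(const char *str, std::vector<int64_t> &ip) {
  struct in_addr ipv4;
  struct in6_addr ipv6;
  if (inet_pton(AF_INET, str, &ipv4)) {
    ip.push_back(static_cast<int64_t>(ipv4.s_addr));
  } else if (inet_pton(AF_INET6, str, &ipv6)) {
    // Fix: this branch used AF_INET, so it could never succeed and every
    // IPv6 literal was silently dropped.
    int64_t i64 =
        static_cast<int64_t>((((uint64_t)ipv6.s6_addr32[1]) << 32) |
                             static_cast<uint64_t>(ipv6.s6_addr32[0]));
    ip.push_back(i64);
    i64 = static_cast<int64_t>((((uint64_t)ipv6.s6_addr32[3]) << 32) |
                               static_cast<uint64_t>(ipv6.s6_addr32[2]));
    ip.push_back(i64);
  }
}

#define CHAR_MAP_STR "0123456789abcdef"

// Formats val in the given base (2..16) and returns a pointer into a static
// buffer: the result is overwritten by the next call and the function is not
// thread-safe. An out-of-range base yields "" instead of indexing past
// CHAR_MAP_STR.
inline char *itoa(int val, int base) {
  // sign + up to 32 binary digits + terminator fit with room to spare.
  static char buf[40] = {0};
  int i = 38;
  buf[39] = '\0';
  if (base < 2 || base > 16) {
    return &buf[39];
  }
  bool neg = (val < 0);
  // Work on the magnitude as unsigned so that negating INT_MIN is defined.
  unsigned int mag = neg ? 0u - static_cast<unsigned int>(val)
                         : static_cast<unsigned int>(val);
  if (mag == 0) {
    // The old loop emitted no digit for 0 and returned "".
    buf[i--] = '0';
  }
  for (; mag && i; --i, mag /= base) {
    buf[i] = CHAR_MAP_STR[mag % base];
  }
  if (neg) {
    buf[i] = '-';
    return &buf[i];
  }
  return &buf[i + 1];
}
} // namespace utils
#endif
--------------------------------------------------------------------------------
/tests/alpine/alpine.scap:
--------------------------------------------------------------------------------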
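https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/alpine/alpine.scap
--------------------------------------------------------------------------------
/tests/alpine/alpine.sf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/alpine/alpine.sf
--------------------------------------------------------------------------------
/tests/client-server/client.c:
--------------------------------------------------------------------------------
// Write CPP code here
#include
#include
#include
#include
#include
#define MAX 80
#define PORT 8080
#define SA struct sockaddr

/*
 * Chat loop used to produce the tcp-client-server capture: reads a line from
 * stdin, sends it, prints the server's reply, and stops on "exit", on EOF, or
 * when the connection goes away.
 */
void func(int sockfd)
{
    char buff[MAX];
    int n;
    int c = 0;
    ssize_t r;
    for (;;) {
        bzero(buff, sizeof(buff));
        printf("Enter the string : ");
        /* Read at most MAX-1 bytes: the old unbounded getchar() loop wrote
         * past buff on long lines and never terminated on EOF. */
        n = 0;
        while (n < MAX - 1 && (c = getchar()) != EOF && c != '\n')
            buff[n++] = (char)c;
        if (c == EOF && n == 0) {
            printf("Client Exit...\n");
            break;
        }
        buff[n++] = '\n';
        if (write(sockfd, buff, sizeof(buff)) < 0) {
            printf("Client Exit...\n");
            break;
        }
        bzero(buff, sizeof(buff));
        /* Leave the last byte zero so the "%s" below is always terminated;
         * a closed or failed connection ends the chat instead of printing
         * an empty buffer forever. */
        r = read(sockfd, buff, sizeof(buff) - 1);
        if (r <= 0) {
            printf("Client Exit...\n");
            break;
        }
        printf("From Server : %s", buff);
        if ((strncmp(buff, "exit", 4)) == 0) {
            printf("Client Exit...\n");
            break;
        }
    }
}

int main()
{
    int sockfd, connfd;
    struct sockaddr_in servaddr, cli;

    // socket create and varification
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        printf("socket creation failed...\n");
        exit(0);
    }
    else
        printf("Socket successfully created..\n");
    bzero(&servaddr, sizeof(servaddr));

    // assign IP, PORT
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    servaddr.sin_port = htons(PORT);

    // connect the client socket to server socket
    if (connect(sockfd, (SA*)&servaddr, sizeof(servaddr)) != 0) {
        printf("connection with the server failed...\n");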
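        exit(0);
    }
    else
        printf("connected to the server..\n");

    // function for chat
    func(sockfd);

    // close the socket
    close(sockfd);
}

--------------------------------------------------------------------------------
/tests/client-server/server.c:
--------------------------------------------------------------------------------
#include
#include
#include
#include
#include
#include
#define MAX 80
#define PORT 8080
#define SA struct sockaddr

// Function designed for chat between client and server.
void func(int sockfd)
{
    char buff[MAX];
    int n;
    int c = 0;
    ssize_t r;
    // infinite loop for chat
    for (;;) {
        bzero(buff, MAX);

        // read the message from client and copy it in buffer; keep the last
        // byte zero so the "%s" below is always terminated, and stop when
        // the client goes away instead of spinning on an empty buffer
        r = read(sockfd, buff, sizeof(buff) - 1);
        if (r <= 0) {
            printf("Server Exit...\n");
            break;
        }
        // print buffer which contains the client contents
        printf("From client: %s\t To client : ", buff);
        bzero(buff, MAX);
        n = 0;
        // copy server message in the buffer, never past its end (the old
        // unbounded getchar() loop overflowed buff on long input and never
        // stopped on EOF)
        while (n < MAX - 1 && (c = getchar()) != EOF && c != '\n')
            buff[n++] = (char)c;
        if (c == EOF && n == 0) {
            printf("Server Exit...\n");
            break;
        }
        buff[n++] = '\n';

        // and send that buffer to client
        write(sockfd, buff, sizeof(buff));

        // if msg contains "Exit" then server exit and chat ended.
        if (strncmp("exit", buff, 4) == 0) {
            printf("Server Exit...\n");
            break;
        }
    }
}

// Driver function
int main()
{
    int sockfd, connfd;
    socklen_t len;  // accept() writes a socklen_t, not an int
    struct sockaddr_in servaddr, cli;

    // socket create and verification
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        printf("socket creation failed...\n");
        exit(0);
    }
    else
        printf("Socket successfully created..\n");
    bzero(&servaddr, sizeof(servaddr));

    // assign IP, PORT
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(PORT);

    // Binding newly created socket to given IP and verification
    if ((bind(sockfd, (SA*)&servaddr, sizeof(servaddr))) != 0) {
        printf("socket bind failed...\n");
        exit(0);
    }
    else
        printf("Socket successfully binded..\n");

    // Now server is ready to listen and verification
    if ((listen(sockfd, 5)) != 0) {
        printf("Listen failed...\n");
        exit(0);
    }
    else
        printf("Server listening..\n");
    len = sizeof(cli);

    // Accept the data packet from client and verification
    connfd = accept(sockfd, (SA*)&cli, &len);
    if (connfd < 0) {
        printf("server acccept failed...\n");
        exit(0);
    }
    else
        printf("server acccept the client...\n");

    // Function for chatting between client and server
    func(connfd);

    // After chatting close the accepted connection and the listening socket
    close(connfd);
    close(sockfd);
}

--------------------------------------------------------------------------------
/tests/client-server/tcp-client-server.scap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/client-server/tcp-client-server.scap
--------------------------------------------------------------------------------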
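/tests/client-server/tcp-client-server.sf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/client-server/tcp-client-server.sf
--------------------------------------------------------------------------------
/tests/files/files.c:
--------------------------------------------------------------------------------
#include
#include
#include
#include

// Write one line of text to path via fopen/fprintf/fclose. Skips the write
// and reports when the file cannot be opened: the original passed a NULL
// FILE* straight to fprintf, which crashes instead of showing which path
// failed.
static void write_test_file(const char* path, const char* text)
{
    FILE* fp = fopen(path, "w+");
    if (fp == NULL) {
        printf("fopen of %s failed\n", path);
        return;
    }
    fprintf(fp, "%s", text);
    fclose(fp);
}

// Exercises the plain (non-*at) file syscalls -- create/write, mkdir, rmdir,
// chmod, chown, link, symlink, rename, unlink -- printing each result so a
// run can be compared with the recorded files.scap/files.sf traces.
// The fixed names under /tmp are deliberate so the trace is reproducible;
// they are not a pattern for production code, where a predictable /tmp
// path can be pre-created or symlinked by another local user before the
// program opens it.
int main( int argc, const char* argv[] )
{
    write_test_file("/tmp/tested_file.txt", "This is testing for fprintf...\n");
    write_test_file("/tmp/tested_file2.txt", "This is testing file2 for fprintf...\n");
    write_test_file("/tmp/tested_file3.txt", "This is testing file3 for fprintf...\n");
    write_test_file("./tested_file_test.txt", "This is testing_file_test for fprintf...\n");

    int res = mkdir("/tmp/testing_dir", S_IRWXU);
    printf("The res of the mkdir 1 is %d\n", res);

    res = mkdir("./testing_dir", S_IRWXU);
    printf("The res of the mkdir 2 is %d\n", res);

    res = rmdir("/tmp/testing_dir");
    printf("The res of the rmdir is %d\n", res);

    res = rmdir("./testing_dir");
    printf("The res of the second rmdir is %d\n", res);

    res = chmod("/tmp/tested_file.txt", S_IRWXU);
    printf("The res of the chmod is %d\n", res);

    // chown to uid/gid 500 only succeeds with the privilege to change
    // ownership; the result is printed either way. (The message said
    // "chmod" before, which made the output ambiguous.)
    res = chown("/tmp/tested_file.txt", 500, 500);
    printf("The res of the chown is %d\n", res);

    // A hard link between /tmp and the cwd fails when they are on
    // different filesystems; a -1 here is an expected outcome.
    res = link("/tmp/tested_file.txt", "./tested_file.txt");
    printf("The res of the link is %d\n", res);

    res = symlink("/tmp/tested_file2.txt", "./tested_file2.txt");
    printf("The res of the symlink is %d\n", res);

    res = rename("/tmp/tested_file3.txt", "/tmp/tested_file4.txt");
    printf("The res of the rename is %d\n", res);

    // remove everything created above
    res = unlink("/tmp/tested_file.txt");
    printf("The res of the unlink is %d\n", res);
    res = unlink("./tested_file.txt");
    printf("The res of the unlink2 is %d\n", res);
    res = unlink("./tested_file2.txt");
    printf("The res of the unlink3 is %d\n", res);
    res = unlink("/tmp/tested_file2.txt");
    printf("The res of the unlink 4 is %d\n", res);
    res = unlink("./tested_file_test.txt");
    printf("The res of the unlink5 is %d\n", res);
    res = unlink("/tmp/tested_file4.txt");
    printf("The res of the unlink6 is %d\n", res);

    return 0;
}

--------------------------------------------------------------------------------
/tests/files/files.scap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/files/files.scap
--------------------------------------------------------------------------------
/tests/files/files.sf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/files/files.sf
--------------------------------------------------------------------------------
/tests/files/filesat.c:
--------------------------------------------------------------------------------
#include
#include
#include
#include
#include
#include
#include
#include

// Exercises the *at() family (openat, mkdirat, linkat, symlinkat, renameat,
// unlinkat) both relative to a directory fd for /tmp and to AT_FDCWD, so the
// collector's path resolution can be checked against filesat.scap/filesat.sf.
// Several calls pass an absolute path, or "../tmp/...", together with dfd on
// purpose: the dirfd is ignored for absolute paths and the relative form
// resolves back into /tmp, and the collector has to get both right.
// NOTE(review): the captures were presumably recorded from the earlier
// version of this program; the openat() mode argument added below changes
// the recorded syscall arguments, so regenerate them if that matters.
int main( int argc, const char* argv[] )
{

    DIR* dir = opendir("/tmp/");
    if (dir == NULL) {
        // the original passed a NULL DIR* to dirfd(), which crashes
        printf("opendir of /tmp/ failed, Errno %d\n", errno);
        return 1;
    }
    int dfd = dirfd(dir);

    // errno is only meaningful when the call just before it failed
    printf("The dir fd is %d, Errno %d\n", dfd, errno);

    // O_CREAT requires the mode argument; the original left it out, so the
    // new file's permission bits came from whatever happened to be in the
    // variadic slot. Owner read/write is all the test needs.
    int f = openat(dfd, "tested_file.txt", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);

    printf("The fd is %d, Errno %d\n", f, errno);

    if(f != -1) {
        // same bytes as before, without the intermediate strcpy into a
        // fixed buffer
        const char msg[] = "This is testing for fprintf...\n";
        write(f, msg, strlen(msg));
        close(f);
    }

    // plain fopen/fprintf/fclose, guarded so a failed open is skipped
    // instead of dereferencing NULL
    FILE* fp2 = fopen("/tmp/tested_file2.txt", "w+");
    if (fp2 != NULL) {
        fprintf(fp2, "This is testing file2 for fprintf...\n");
        fclose(fp2);
    }

    FILE* fp3 = fopen("/tmp/tested_file3.txt", "w+");
    if (fp3 != NULL) {
        fprintf(fp3, "This is testing file3 for fprintf...\n");
        fclose(fp3);
    }

    FILE* fp = fopen("./tested_file_test.txt", "w+");
    if (fp != NULL) {
        fprintf(fp, "This is testing_file_test for fprintf...\n");
        fclose(fp);
    }

    // absolute path: dfd is ignored by the kernel, kept to exercise that case
    int res = mkdirat(dfd, "/tmp/testing_dir", S_IRWXU);
    printf("The res of the mkdir 1 is %d\n", res);

    res = mkdirat(AT_FDCWD, "./testing_dir", S_IRWXU);
    printf("The res of the mkdir 2 is %d\n", res);

    res = rmdir("/tmp/testing_dir");
    printf("The res of the rmdir is %d\n", res);

    res = rmdir("./testing_dir");
    printf("The res of the second rmdir is %d\n", res);

    //res = chmod("/tmp/tested_file.txt", S_IRWXU);
    //printf("The res of the chmod is %d\n", res);

    //res = chown("/tmp/tested_file.txt", 500, 500);
    //printf("The res of the chmod is %d\n", res);

    res = linkat(dfd, "./tested_file.txt", AT_FDCWD, "./tested_file.txt", 0);
    printf("The res of the link is %d\n", res);

    res = symlinkat("/tmp/tested_file2.txt", AT_FDCWD, "./tested_file2.txt");
    printf("The res of the symlink is %d\n", res);

    res = renameat(dfd, "./tested_file3.txt", AT_FDCWD, "/tmp/tested_file4.txt");
    printf("The res of the rename is %d\n", res);

    res = unlinkat(dfd, "./tested_file.txt", 0);
    printf("The res of the unlink is %d\n", res);
    res = unlinkat(AT_FDCWD, "./tested_file.txt", 0);
    printf("The res of the unlink2 is %d\n", res);
    res = unlinkat(AT_FDCWD, "./tested_file2.txt", 0);
    printf("The res of the unlink3 is %d\n", res);
    res = unlinkat(dfd, "/tmp/tested_file2.txt", 0);
    printf("The res of the unlink 4 is %d\n", res);
    res = unlinkat(AT_FDCWD, "./tested_file_test.txt", 0);
    printf("The res of the unlink5 is %d\n", res);
    // "../tmp/..." relative to the /tmp dirfd resolves to /tmp/tested_file4.txt
    res = unlinkat(dfd, "../tmp/tested_file4.txt", 0);
    printf("The res of the unlink6 is %d\n", res);
    closedir(dir);
    return 0;
}

--------------------------------------------------------------------------------
/tests/files/filesat.scap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/files/filesat.scap
--------------------------------------------------------------------------------
/tests/files/filesat.sf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/files/filesat.sf
--------------------------------------------------------------------------------
/tests/files/make.sh:
--------------------------------------------------------------------------------
gcc -o filer files.c
gcc -o filesat filesat.c
--------------------------------------------------------------------------------
/tests/mpm-event/Dockerfile:
--------------------------------------------------------------------------------
FROM httpd:2.4
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./htdocs/ /usr/local/apache2/htdocs/
--------------------------------------------------------------------------------
/tests/mpm-event/README.md:
--------------------------------------------------------------------------------
### This sample contains two basic tests:

* full capture: records the container scap from launch to tests (`./run`, `./test` command sequence)
* cold start capture: records the already started container scap from tests (`./test` command sequence)

### To install ab:
```
sudo apt-get install apache2-utils
```

### To build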
and run samples: 12 | ``` 13 | ./build 14 | ./run 15 | ``` 16 | 17 | ### To generate workload: 18 | ``` 19 | ./test 20 | ``` 21 | 22 | ### To capture scap: 23 | ``` 24 | ./capture 25 | ``` 26 | -------------------------------------------------------------------------------- /tests/mpm-event/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo docker build -t httpd_event . 3 | -------------------------------------------------------------------------------- /tests/mpm-event/capture: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo sysdig container.name=$1 -w $2 3 | -------------------------------------------------------------------------------- /tests/mpm-event/cold_start_capture.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-event/cold_start_capture.scap -------------------------------------------------------------------------------- /tests/mpm-event/cold_start_capture.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-event/cold_start_capture.sf -------------------------------------------------------------------------------- /tests/mpm-event/full_capture.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-event/full_capture.scap -------------------------------------------------------------------------------- /tests/mpm-event/full_capture.sf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-event/full_capture.sf -------------------------------------------------------------------------------- /tests/mpm-event/htdocs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | This is a test! 4 | 5 | 6 | -------------------------------------------------------------------------------- /tests/mpm-event/run: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo docker run -d --name httpd_event -p 8090:80 httpd_event 3 | -------------------------------------------------------------------------------- /tests/mpm-event/test: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ab -n 25 -c 3 http://localhost:8090/index.html 3 | -------------------------------------------------------------------------------- /tests/mpm-preforked/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4 2 | COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf 3 | COPY ./htdocs/ /usr/local/apache2/htdocs/ 4 | -------------------------------------------------------------------------------- /tests/mpm-preforked/README.md: -------------------------------------------------------------------------------- 1 | ### This sample contains two basic tests: 2 | 3 | * full capture: records the container scap from launch to tests (`./run`, `./test` command sequence) 4 | * cold start capture: records the already started container scap from tests (`./test` command sequence) 5 | 6 | ### To install ab: 7 | ``` 8 | sudo apt-get install apache2-utils 9 | ``` 10 | 11 | ### To build and run samples: 12 | ``` 13 | ./build 14 | ./run 15 | ``` 16 | 17 | ### To generate workload: 18 | ``` 19 | ./test 20 | ``` 21 | 22 | ### To capture scap: 23 | ``` 24 | ./capture 25 | ``` 26 | 
-------------------------------------------------------------------------------- /tests/mpm-preforked/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo docker build -t httpd_preforked . 3 | -------------------------------------------------------------------------------- /tests/mpm-preforked/capture: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo sysdig container.name=$1 -w $2 3 | -------------------------------------------------------------------------------- /tests/mpm-preforked/cold_start_capture.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-preforked/cold_start_capture.scap -------------------------------------------------------------------------------- /tests/mpm-preforked/cold_start_capture.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-preforked/cold_start_capture.sf -------------------------------------------------------------------------------- /tests/mpm-preforked/full_capture.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-preforked/full_capture.scap -------------------------------------------------------------------------------- /tests/mpm-preforked/full_capture.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-preforked/full_capture.sf -------------------------------------------------------------------------------- 
/tests/mpm-preforked/htdocs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | This is a test! 4 | 5 | 6 | -------------------------------------------------------------------------------- /tests/mpm-preforked/run: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo docker run -d --name httpd_preforked -p 8090:80 httpd_preforked 3 | -------------------------------------------------------------------------------- /tests/mpm-preforked/test: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ab -n 25 -c 3 http://localhost:8090/index.html 3 | -------------------------------------------------------------------------------- /tests/mpm-worker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4 2 | COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf 3 | COPY ./htdocs/ /usr/local/apache2/htdocs/ 4 | -------------------------------------------------------------------------------- /tests/mpm-worker/README.md: -------------------------------------------------------------------------------- 1 | ### This sample contains two basic tests: 2 | 3 | * full capture: records the container scap from launch to tests (`./run`, `./test` command sequence) 4 | * cold start capture: records the already started container scap from tests (`./test` command sequence) 5 | 6 | ### To install ab: 7 | ``` 8 | sudo apt-get install apache2-utils 9 | ``` 10 | 11 | ### To build and run samples: 12 | ``` 13 | ./build 14 | ./run 15 | ``` 16 | 17 | ### To generate workload: 18 | ``` 19 | ./test 20 | ``` 21 | 22 | ### To capture scap: 23 | ``` 24 | ./capture 25 | ``` 26 | -------------------------------------------------------------------------------- /tests/mpm-worker/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo docker build 
-t httpd_worker . 3 | -------------------------------------------------------------------------------- /tests/mpm-worker/capture: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo sysdig container.name=$1 -w $2 3 | -------------------------------------------------------------------------------- /tests/mpm-worker/cold_start_capture.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-worker/cold_start_capture.scap -------------------------------------------------------------------------------- /tests/mpm-worker/cold_start_capture.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-worker/cold_start_capture.sf -------------------------------------------------------------------------------- /tests/mpm-worker/full_capture.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-worker/full_capture.scap -------------------------------------------------------------------------------- /tests/mpm-worker/full_capture.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/mpm-worker/full_capture.sf -------------------------------------------------------------------------------- /tests/mpm-worker/htdocs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | This is a test! 
4 | 5 | 6 | -------------------------------------------------------------------------------- /tests/mpm-worker/run: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo docker run -d --name httpd_worker -p 8090:80 httpd_worker 3 | -------------------------------------------------------------------------------- /tests/mpm-worker/test: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ab -n 25 -c 3 http://localhost:8090/index.html 3 | -------------------------------------------------------------------------------- /tests/namespaces/create_ns.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo umount -l /tmp/ns; rm -r /tmp/ns 3 | mkdir -p /tmp/ns 4 | sudo mount --bind --make-private /tmp/ns /tmp/ns 5 | touch /tmp/ns/pid 6 | sudo unshare --pid=/tmp/ns/pid -f 7 | -------------------------------------------------------------------------------- /tests/namespaces/enter_ns.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo nsenter --pid=/tmp/ns/pid -- /bin/bash 3 | -------------------------------------------------------------------------------- /tests/namespaces/setns.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/namespaces/setns.scap -------------------------------------------------------------------------------- /tests/namespaces/setns.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/namespaces/setns.sf -------------------------------------------------------------------------------- /tests/nginx/nginx.scap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nginx/nginx.scap -------------------------------------------------------------------------------- /tests/nginx/nginx.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nginx/nginx.sf -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763289: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763289 -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763289.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763289.sf -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763319: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763319 -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763319.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763319.sf -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763349: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763349 -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763349.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763349.sf -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763379: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763379 -------------------------------------------------------------------------------- /tests/nodejs/mon.1544763379.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/nodejs/mon.1544763379.sf -------------------------------------------------------------------------------- /tests/objectstore/README.md: -------------------------------------------------------------------------------- 1 | # MinIO 2 | To obtain keys: 3 | ``` 4 | ./run 5 | sudo docker logs minio 6 | ``` 7 | 8 | To use MinIO client: 9 | Command-line Access: https://docs.minio.io/docs/minio-client-quickstart-guide 10 | ``` 11 | $ mc config host add minio http://172.17.0.4:9000 12 | $ mc ls minio/play 13 | $ mc cp --recursive minio/play /tmp/ 14 | $ mc cp --recursive minio/play /tmp/ 15 | $ mc cp --recursive /tmp/play/* minio/play/ 16 | ``` 17 | 18 | 19 | -------------------------------------------------------------------------------- /tests/objectstore/capture: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo sysdig container.name=$1 -w $2 3 | -------------------------------------------------------------------------------- /tests/objectstore/client: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | docker pull minio/mc 3 | docker run minio/mc ls play 4 | -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1544763289/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"38071ee85aa3db25d5ab95c1a615a9de"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1544763319/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"f6e2a60578b342a7bec5b59f9ae7f56a"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1544763349/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"6afda85a4ebf6141e9afabb6126f6170"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1544763379/fs.json: -------------------------------------------------------------------------------- 1 | 
{"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"4f2bff3b5d7b636f5a8338e73ba8388f"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1548965896/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"2733701089f5eabaecc17ef95a373697"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1548965926/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"98d6eb0609784408e2f56178aef1486e"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1548965956/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"1f081b7eaa6568ada648a033b9eb3009"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1548965986/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"287d87eff2ab03d3f55615f92c2802f8"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/mon.1548966016/fs.json: 
-------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"9821aa37dae2a9644ad170cfb770ba0c"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/buckets/play/tcpclientserver/fs.json: -------------------------------------------------------------------------------- 1 | {"version":"1.0.2","checksum":{"algorithm":"","blocksize":0,"hashes":null},"meta":{"content-type":"application/octet-stream","etag":"794e950698de80cf71d9cd5885f12495"}} -------------------------------------------------------------------------------- /tests/objectstore/data/.minio.sys/format.json: -------------------------------------------------------------------------------- 1 | {"version":"1","format":"fs","fs":{"version":"2"}} -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1544763289: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1544763289 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1544763319: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1544763319 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1544763349: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1544763349 
-------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1544763379: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1544763379 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1548965896: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1548965896 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1548965926: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1548965926 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1548965956: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1548965956 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1548965986: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1548965986 -------------------------------------------------------------------------------- /tests/objectstore/data/play/mon.1548966016: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/mon.1548966016 -------------------------------------------------------------------------------- /tests/objectstore/data/play/tcpclientserver: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/data/play/tcpclientserver -------------------------------------------------------------------------------- /tests/objectstore/download.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/download.scap -------------------------------------------------------------------------------- /tests/objectstore/download.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/download.sf -------------------------------------------------------------------------------- /tests/objectstore/ls.scap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/ls.scap -------------------------------------------------------------------------------- /tests/objectstore/ls.sf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/ls.sf -------------------------------------------------------------------------------- /tests/objectstore/run: -------------------------------------------------------------------------------- 1 
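#!/bin/bash
# tests/objectstore/run — starts the MinIO object store that the objectstore
# test captures (download/ls/upload .scap/.sf) were recorded against.
# The container publishes port 9000 on every host interface and serves the
# objects found under ./data, so it should only be started on a host where
# that exposure is acceptable for the duration of the test.
# "$PWD" is quoted so a working directory containing spaces is still passed
# to docker as a single -v argument.
sudo docker run -d -p 9000:9000 --name minio -v "$PWD/data:/data" minio/minio server /data
#
# Remaining page entries collapsed onto this line (fixture links, kept verbatim):
# /tests/objectstore/upload.scap: https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/upload.scap
# /tests/objectstore/upload.sf:   https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/objectstore/upload.sf
# /tests/rename/rename.scap:      https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/rename/rename.scap
# /tests/rename/rename.sf:        https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/rename/rename.sf
# /tests/rename/rename2at.scap:   https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/rename/rename2at.scap
# /tests/rename/rename2at.sf:     (link continues on the next page line)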
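/*
 * Page entries collapsed onto this line, kept verbatim:
 *   /tests/rename/rename2at.sf:
 *     https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/rename/rename2at.sf
 *   /tests/setuid/make.sh:
 *     gcc -O2 -ggdb -o setuid setuid.c
 *
 * /tests/setuid/setuid.c
 *
 * Test fixture that exercises the setuid() syscall so that the collector's
 * recorded capture (setuid.scap / setuid.sf) contains uid transitions.
 * The program prints its uid/gid and runs /usr/bin/id before and after each
 * transition so the capture can be correlated with the process's own view.
 *
 * Returns 0 on success and 1 when a uid change fails; the failing call is
 * reported with perror().
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    int current_uid = getuid();
    printf("My UID is: %d. My GID is: %d\n", current_uid, getgid());
    system("/usr/bin/id");

    /* Switch to uid 500. When the caller is root, setuid() sets the real,
     * effective and saved uids together, so the switch is permanent and the
     * later return to current_uid is expected to fail; an unprivileged caller
     * may only setuid() to its own uids, so the call fails here with EPERM. */
    if (setuid(500)) {
        perror("setuid");
        return 1;
    }
    printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
    system("/usr/bin/id");

    /* Return to the original uid. The result is checked like the first call:
     * a privilege transition that silently fails would leave the process
     * running under an unexpected uid for the final id(1) invocation. */
    if (setuid(current_uid)) {
        perror("setuid");
        return 1;
    }
    printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
    system("/usr/bin/id");
    return 0;
}

/*
 * Remaining page entries on this line (fixture links, kept verbatim):
 *   /tests/setuid/setuid.scap:
 *     https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/setuid/setuid.scap
 *   /tests/setuid/setuid.sf:
 *     https://raw.githubusercontent.com/sysflow-telemetry/sf-collector/3c3b43273da9f560f6dfc86dff02103901572a98/tests/setuid/setuid.sf
 */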
