Yaniv Agman
## Prerequisites - [ ] This issue is an EPIC issue (add label: EPIC). - [ ] This issue is an EPIC TASK (add issue to EPIC description). Select one...
The current entrypoint of the tracee container is entrypoint.sh. This is a simple bash script that starts both tracee-ebpf and tracee-rules, and connects them with a pipe. Although simple, this...
## Initial Checklist - [ ] There is an issue describing the need for this PR. - [x] Git log contains summary of the change. - [x] Git log contains...
On newer kernels (>=5.5), there are four new bpf helper functions which are safer to use. These are: bpf_probe_read_user(), bpf_probe_read_user_str(), bpf_probe_read_kernel(), bpf_probe_read_kernel_str() (For more info about these helpers also see...
Add an HTTP request event (can include the command, headers, host, uri, protocol...). Add an HTTP response event (can include status code, headers, protocol...).
When system load is high, we might be required to drop some events/rules. Currently we have neither a mechanism to prioritize events/rules nor a mechanism to reduce the load consumed by...
We already decode some of the syscall arguments (see #493), but there are still some syscall arguments for which we don't decode the argument values although it can be useful....
We currently only print libbpf messages which have WARN level. If the debug flag was given, we should also print debug messages from libbpf. Example: https://github.com/libbpf/libbpf-bootstrap/blob/master/src/bootstrap.c#L62
We now have our own implementation to bump the rlimit_memlock, which is required on older kernels (< 5.11). libbpf recently merged https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=e542f2c4cd16 - this will allow us to remove our...