From a1b290a267043cad49e8a581ad26ec174f99f0eb Mon Sep 17 00:00:00 2001 From: iritb Date: Thu, 9 Jan 2025 13:11:37 +0200 Subject: [PATCH 01/11] added logs --- ProcessTree.cpp | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/ProcessTree.cpp b/ProcessTree.cpp index c2dc49e..0891b36 100644 --- a/ProcessTree.cpp +++ b/ProcessTree.cpp @@ -334,12 +334,21 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource std::unique_lock process_write_lock(_process_write_mutex); std::shared_ptr process; - std::string containerid = ExtractContainerId(exe, cmdline); + std::string containerid = ExtractContainerId(exe, cmdline); + std::string cgroupContainerid; + + if (containerid.empty()) { + auto p_temp = ReadProcEntry(pid); + if (p_temp) { + cgroupContainerid = p_temp->_cgroupContainerId; + } + } auto it = _processes.find(pid); if (it != _processes.end()) { process = it->second; { + Logger::Debug("IB Updating process %d", pid); std::lock_guard _lock(process->_mutex); process->_source = source; process->_uid = uid; @@ -349,6 +358,7 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource process->_containeridfromhostprocess = containerid; } if (ppid != process->_ppid) { + Logger::Debug("IB Updating process %d ppid from %d to %d", pid, process->_ppid, ppid); auto it2 = _processes.find(process->_ppid); if (it2 != _processes.end()) { auto oldparent = it2->second; @@ -359,9 +369,11 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource } it2 = _processes.find(ppid); if (it2 != _processes.end()) { + Logger::Debug("IB Updating process %d ppid %d", pid, ppid); auto parentproc = it2->second; parentproc->_children.emplace_back(pid); { + Logger::Debug("IB Updating process %d containerid", pid); std::lock_guard _lock(process->_mutex); if (!(parentproc->_containeridfromhostprocess).empty()) { process->_containerid = parentproc->_containeridfromhostprocess; 
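Review bot: The new `if (containerid.empty())` block at the top of AddProcess calls ReadProcEntry(pid) for every process whose cmdline carries no container id, including the ones that go on to inherit `_containerid` from their parent further down; the code removed in the @@ -442 hunk on the next line only paid that procfs read when `process->_containerid` was still empty at the end. Keeping the read lazy, or holding on to `p_temp` so the rest of the function can reuse it, avoids one /proc open per process add on busy hosts. The `IB ` prefix on the added Logger::Debug lines here (and through the rest of the series) reads as developer-initials scaffolding and should be dropped before merge. AddProcess begins before this hunk and continues past it.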
@@ -384,6 +396,7 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource auto p = it2->second; if (p->_exec_propagation > 0) { { + Logger::Debug("IB _exec_propagation Updating process %d", c); std::lock_guard _lock(process->_mutex); p->_source = source; p->_exe = exe; @@ -412,6 +425,7 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource auto parentproc = it2->second; parentproc->_children.emplace_back(pid); { + Logger::Debug("IB parentproc->_children.emplace_back Updating process %d containerid", pid); std::lock_guard _lock(process->_mutex); if (!(parentproc->_containeridfromhostprocess).empty()) { process->_containerid = parentproc->_containeridfromhostprocess; @@ -442,11 +456,9 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource // such as when a process is the root process of a container or when the process is // started by a web service or another system service that does not pass the container // ID through the command line arguments. - if (process->_containerid.empty()) { - auto p_temp = ReadProcEntry(pid); - if (p_temp) { - process->_containerid = p_temp->_cgroupContainerId; - } + if (process->_containerid.empty()) { + Logger::Debug("IB updating containerid from cgroup for process %d", pid); + process->_containerid = cgroupContainerid; } return process; From 8fc6d09a9765354e7fd0864479f970ddc00f5c13 Mon Sep 17 00:00:00 2001 From: iritb Date: Thu, 9 Jan 2025 15:09:43 +0200 Subject: [PATCH 02/11] Implement PID extraction from event and update container ID handling in ProcessTree --- ProcessTree.cpp | 11 ++++++----- RawEventProcessor.cpp | 24 ++++++++++++++++++++++++ RawEventProcessor.h | 1 + 3 files changed, 31 insertions(+), 5 deletions(-) diff --git a/ProcessTree.cpp b/ProcessTree.cpp index 0891b36..97fb43b 100644 --- a/ProcessTree.cpp +++ b/ProcessTree.cpp 
@@ -335,14 +335,14 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource std::shared_ptr process; std::string containerid = ExtractContainerId(exe, cmdline); - std::string cgroupContainerid; + /*std::string cgroupContainerid; if (containerid.empty()) { auto p_temp = ReadProcEntry(pid); if (p_temp) { cgroupContainerid = p_temp->_cgroupContainerId; } - } + } */ auto it = _processes.find(pid); if (it != _processes.end()) { @@ -396,7 +396,6 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource auto p = it2->second; if (p->_exec_propagation > 0) { { - Logger::Debug("IB _exec_propagation Updating process %d", c); std::lock_guard _lock(process->_mutex); p->_source = source; p->_exe = exe; @@ -425,7 +424,6 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource auto parentproc = it2->second; parentproc->_children.emplace_back(pid); { - Logger::Debug("IB parentproc->_children.emplace_back Updating process %d containerid", pid); std::lock_guard _lock(process->_mutex); if (!(parentproc->_containeridfromhostprocess).empty()) { process->_containerid = parentproc->_containeridfromhostprocess; @@ -458,7 +456,7 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource // ID through the command line arguments. if (process->_containerid.empty()) { Logger::Debug("IB updating containerid from cgroup for process %d", pid); - process->_containerid = cgroupContainerid; + process->_containerid = process->_cgroupContainerId; } return process; @@ -534,6 +532,7 @@ std::shared_ptr ProcessTree::GetInfoForPid(int pid) // If container ID is still empty, set it to be the cgroup container ID if (process->_containerid.empty()) { + Logger::Debug("IB In GetInfoForPid. Updating containerid from cgroup for process %d", pid); process->_containerid = process->_cgroupContainerId; } 
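Review bot: In the @@ -458 hunk the fallback now reads `process->_cgroupContainerId`, but the only place this series shows that field being written is ReadProcEntry (the @@ -701 hunk on the next line), i.e. entries built from procfs; if the `process` object that AddProcess constructs from event data is not populated the same way, the cgroup fallback silently becomes a no-op for exactly the case the preceding comment describes. Worth confirming against the non-procfs construction path, or keeping an explicit lookup. The @@ -335 hunk also leaves the old block inside `/* ... */` instead of deleting it; git history already preserves it, and commented-out code drifts from the live version. AddProcess starts before and ends after these hunks.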
@@ -701,6 +700,8 @@ std::shared_ptr ProcessTree::ReadProcEntry(int pid) process->_ppid = pinfo->ppid(); process->_exe = pinfo->exe(); process->_cgroupContainerId = pinfo->container_id(); + Logger::Debug("CGroup container id for %d is %s", pid, process->_cgroupContainerId.c_str()); + pinfo->format_cmdline(process->_cmdline); process->_containeridfromhostprocess = ExtractContainerId(process->_exe, process->_cmdline); return process; diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index 95c81c8..3d14e9d 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp @@ -52,6 +52,16 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { auto rec = event.begin(); auto rtype = static_cast(rec.RecordType()); + if (rtype == RecordType::EXECVE) + { + _pid = GetPidFromEvent(event); + if (_pid != -1) { + if (_processTree) { + _processTree->GetInfoForPid(pid); + } + } + } + if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH || rtype == RecordType::SOCKADDR || rtype == RecordType::INTEGRITY_RULE) { if (!process_syscall_event(event)) { @@ -62,6 +72,20 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { } } +int RawEventProcessor::GetPidFromEvent(const Event& event) { + for (const auto& rec : event.Records()) { + auto pid_field = rec.FieldByName("pid"); + if (pid_field) { + const char* pid_value = pid_field.RawValuePtr(); + if (pid_value) { + return atoi(pid_value); + } + } + } + // Return -1 if PID is not found + return -1; +} + void RawEventProcessor::process_event(const Event& event) { using namespace std::string_view_literals; diff --git a/RawEventProcessor.h b/RawEventProcessor.h index 9444cdd..6dadb26 100644 --- a/RawEventProcessor.h +++ b/RawEventProcessor.h 
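Review bot: `atoi(pid_value)` in the new GetPidFromEvent returns 0 for an empty or non-numeric `pid` field and gives no error indication, so a malformed audit record maps to pid 0 instead of the -1 sentinel the caller checks, and GetInfoForPid is then invoked for pid 0. Parse with `strtol` (or `std::from_chars`) and treat an unconsumed suffix or an out-of-range value as not found, e.g. `char* end = nullptr; long v = strtol(pid_value, &end, 10); if (end != pid_value && *end == '\0' && v > 0 && v <= INT_MAX) return static_cast<int>(v);` (constructed example). The caller in the @@ -52 hunk also references `pid` where the value just assigned is `_pid`. The record iteration (`event.Records()`) is replaced in the next patch, so the parsing point is the lasting one.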
@@ -50,6 +50,7 @@ class RawEventProcessor { bool add_gid_field(const std::string_view& name, int gid, field_type_t ft); bool add_str_field(const std::string_view& name, const std::string_view& val, field_type_t ft); bool generate_proc_event(ProcessInfo* pinfo, uint64_t sec, uint32_t nsec); + int GetPidFromEvent(const Event& event); std::shared_ptr _builder; std::shared_ptr _user_db; From 6358fa43985696e2689e316d2bddfcafb142905f Mon Sep 17 00:00:00 2001 From: iritb Date: Thu, 9 Jan 2025 15:41:29 +0200 Subject: [PATCH 03/11] Rename GetPidFromEvent to get_pid_from_event for consistency and update references accordingly --- RawEventProcessor.cpp | 8 ++++---- RawEventProcessor.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index 3d14e9d..a23e9dd 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp @@ -54,10 +54,10 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { if (rtype == RecordType::EXECVE) { - _pid = GetPidFromEvent(event); + _pid = get_pid_from_event(event); if (_pid != -1) { if (_processTree) { - _processTree->GetInfoForPid(pid); + _processTree->GetInfoForPid(_pid); } } } @@ -72,8 +72,8 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { } } -int RawEventProcessor::GetPidFromEvent(const Event& event) { - for (const auto& rec : event.Records()) { +int RawEventProcessor::get_pid_from_event(const Event& event) { + for (auto& rec : event) { auto pid_field = rec.FieldByName("pid"); if (pid_field) { const char* pid_value = pid_field.RawValuePtr(); diff --git a/RawEventProcessor.h b/RawEventProcessor.h index 6dadb26..29982b2 100644 --- a/RawEventProcessor.h +++ b/RawEventProcessor.h 
@@ -50,7 +50,7 @@ class RawEventProcessor { bool add_gid_field(const std::string_view& name, int gid, field_type_t ft); bool add_str_field(const std::string_view& name, const std::string_view& val, field_type_t ft); bool generate_proc_event(ProcessInfo* pinfo, uint64_t sec, uint32_t nsec); - int GetPidFromEvent(const Event& event); + int get_pid_from_event(const Event& event); std::shared_ptr _builder; std::shared_ptr _user_db; From 578c1982137efc20172343f164f458fbeb9aae47 Mon Sep 17 00:00:00 2001 From: iritb Date: Thu, 9 Jan 2025 16:57:34 +0200 Subject: [PATCH 04/11] Enhance logging in ProcessTree and RawEventProcessor for better debugging and traceability --- ProcessTree.cpp | 14 ++++++-------- RawEventProcessor.cpp | 10 +++++++++- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ProcessTree.cpp b/ProcessTree.cpp index 97fb43b..2e3e6ec 100644 --- a/ProcessTree.cpp +++ b/ProcessTree.cpp @@ -334,15 +334,11 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource std::unique_lock process_write_lock(_process_write_mutex); std::shared_ptr process; - std::string containerid = ExtractContainerId(exe, cmdline); - /*std::string cgroupContainerid; + std::string containerid = ExtractContainerId(exe, cmdline); if (containerid.empty()) { - auto p_temp = ReadProcEntry(pid); - if (p_temp) { - cgroupContainerid = p_temp->_cgroupContainerId; - } - } */ + auto p_temp = ReadProcEntry(pid); + } auto it = _processes.find(pid); if (it != _processes.end()) { @@ -455,7 +451,7 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource // started by a web service or another system service that does not pass the container // ID through the command line arguments. if (process->_containerid.empty()) { - Logger::Debug("IB updating containerid from cgroup for process %d", pid); + Logger::Debug("IB updating containerid %s from cgroup for process %d ", process->_cgroupContainerId.c_str(), pid); process->_containerid = process->_cgroupContainerId; } 
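Review bot: `auto p_temp = ReadProcEntry(pid);` in the @@ -334 hunk now discards its result, so the call only allocates a Process (ReadProcEntry does a make_shared and a ProcessInfo::OpenPid, per the @@ -690 hunk later in this series) and emits the new debug lines, while the @@ -455 hunk below reads `process->_cgroupContainerId` and never looks at `p_temp`. Either drop the call or feed its `_cgroupContainerId` into the fallback as the first patch did. AddProcess starts before and continues after this hunk.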
@@ -508,6 +504,7 @@ void ProcessTree::Clean() std::shared_ptr ProcessTree::GetInfoForPid(int pid) { + Logger::Debug("IB In GetInfoForPid. pid: %d", pid); std::unique_lock process_write_lock(_process_write_mutex); auto it = _processes.find(pid); if (it != _processes.end() && it->second->_source != ProcessTreeSource_pnotify) { @@ -690,6 +687,7 @@ std::shared_ptr ProcessTree::ReadProcEntry(int pid) { std::shared_ptr process = std::make_shared(ProcessTreeSource_procfs, pid); + Logger::Debug("IB Reading proc entry for %d", pid); auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT); if (!pinfo) { return nullptr; diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index a23e9dd..95b9a92 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp @@ -54,12 +54,18 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { if (rtype == RecordType::EXECVE) { + Logger::Debug("IB RawEventProcessor: ProcessData: EXECVE event"); _pid = get_pid_from_event(event); if (_pid != -1) { - if (_processTree) { + if (_processTree) { + Logger::Debug("IB RawEventProcessor: ProcessData: GetInfoForPid: %d", _pid); _processTree->GetInfoForPid(_pid); } } + else + { + Logger::Error("IB RawEventProcessor: ProcessData: EXECVE event without PID"); + } } if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH || @@ -75,9 +81,11 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { int RawEventProcessor::get_pid_from_event(const Event& event) { for (auto& rec : event) { auto pid_field = rec.FieldByName("pid"); + Logger::Debug("IB RawEventProcessor: get_pid_from_event: pid_field: %s", pid_field.RawValuePtr()); if (pid_field) { const char* pid_value = pid_field.RawValuePtr(); if (pid_value) { + Logger::Debug("IB RawEventProcessor: get_pid_from_event: pid_value: %s", pid_value); return atoi(pid_value); } } From 3503d872ed9b1c76c9b2a29d69d00616e3921f07 Mon Sep 17 00:00:00 2001 
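Review bot: The new Logger::Debug in the @@ -75 hunk calls `pid_field.RawValuePtr()` and prints it with `%s` before the `if (pid_field)` check that guards the same call two lines later; for a record without a `pid` field this passes whatever RawValuePtr returns on an invalid field, and a null `%s` argument is undefined behaviour that typically crashes the agent. Move the log inside the `if (pid_value)` branch, where the second debug line already sits. The `Logger::Error(... "EXECVE event without PID")` in the @@ -54 hunk will also fire at Error level for any EXECVE-led event lacking the field, which looks like a per-record condition rather than a fault; Debug or Warn reads better for it.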
From: iritb Date: Thu, 9 Jan 2025 19:45:18 +0200 Subject: [PATCH 05/11] Refactor ProcessTree and RawEventProcessor to enhance container ID handling and logging --- ProcessTree.cpp | 15 +++++++++++---- RawEventProcessor.cpp | 4 ++-- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ProcessTree.cpp b/ProcessTree.cpp index 2e3e6ec..0b63ef6 100644 --- a/ProcessTree.cpp +++ b/ProcessTree.cpp @@ -335,9 +335,11 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource std::shared_ptr process; std::string containerid = ExtractContainerId(exe, cmdline); + std::string cgroupContainerid; if (containerid.empty()) { - auto p_temp = ReadProcEntry(pid); + auto p_temp = ReadProcEntry(pid); + cgroupContainerid = p_temp->_cgroupContainerId; } auto it = _processes.find(pid); @@ -451,8 +453,12 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource // started by a web service or another system service that does not pass the container // ID through the command line arguments. if (process->_containerid.empty()) { - Logger::Debug("IB updating containerid %s from cgroup for process %d ", process->_cgroupContainerId.c_str(), pid); - process->_containerid = process->_cgroupContainerId; + Logger::Debug("IB updating containerid %s from cgroup for process %d, temp cgroupContainerid: %s ", process->_cgroupContainerId.c_str(), pid, cgroupContainerid); + if (!cgroupContainerid.empty()) { + process->_containerid = cgroupContainerid; + } else if (!(process->_cgroupContainerId).empty()) { + process->_containerid = process->_cgroupContainerId; + } } return process; @@ -690,6 +696,7 @@ std::shared_ptr ProcessTree::ReadProcEntry(int pid) Logger::Debug("IB Reading proc entry for %d", pid); auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT); if (!pinfo) { + Logger::Error("IB Failed to open proc entry for %d", pid); return nullptr; } 
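Review bot: `cgroupContainerid = p_temp->_cgroupContainerId;` in the @@ -335 hunk dereferences `p_temp` without a null check, yet ReadProcEntry returns nullptr when ProcessInfo::OpenPid fails — the @@ -690 hunk of this same patch adds an error log in that exact branch. A process that exits between the audit event and this lookup (routine for short-lived commands) will therefore crash the tree. Restore the guard the first patch had: `if (p_temp) { cgroupContainerid = p_temp->_cgroupContainerId; }`. AddProcess begins before this hunk.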
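Review bot: The rewritten Logger::Debug in the @@ -451 hunk passes `cgroupContainerid`, a `std::string`, as the argument for a `%s` conversion; a non-trivially-copyable type through a C varargs call is undefined behaviour and will not print the string. It needs `cgroupContainerid.c_str()` like the other two arguments. The message also labels `process->_cgroupContainerId` as the value taken "from cgroup" even when the branch ends up assigning `cgroupContainerid`, which makes the log hard to trust when debugging the exact case it was added for.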
@@ -698,7 +705,7 @@ std::shared_ptr ProcessTree::ReadProcEntry(int pid) process->_ppid = pinfo->ppid(); process->_exe = pinfo->exe(); process->_cgroupContainerId = pinfo->container_id(); - Logger::Debug("CGroup container id for %d is %s", pid, process->_cgroupContainerId.c_str()); + Logger::Debug("IB CGroup container id for %d is %s", pid, process->_cgroupContainerId.c_str()); pinfo->format_cmdline(process->_cmdline); process->_containeridfromhostprocess = ExtractContainerId(process->_exe, process->_cmdline); diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index 95b9a92..71030bd 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp @@ -52,9 +52,9 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { auto rec = event.begin(); auto rtype = static_cast(rec.RecordType()); - if (rtype == RecordType::EXECVE) + if (rtype == RecordType::EXECVE || rtype == RecordType::SYSCALL) { - Logger::Debug("IB RawEventProcessor: ProcessData: EXECVE event"); + Logger::Debug("IB RawEventProcessor: ProcessData: %d event", rtype); _pid = get_pid_from_event(event); if (_pid != -1) { if (_processTree) { From fc2681978397e547123a51e4af3c85fd82c5823a Mon Sep 17 00:00:00 2001 From: iritb Date: Thu, 9 Jan 2025 22:32:23 +0200 Subject: [PATCH 06/11] Refactor ProcessInfo and RawEventProcessor to improve PID and cgroup handling --- ProcessInfo.cpp | 18 +++++++++--------- ProcessTree.h | 3 ++- RawEventProcessor.cpp | 18 ++++-------------- 3 files changed, 15 insertions(+), 24 deletions(-) diff --git a/ProcessInfo.cpp b/ProcessInfo.cpp index 14cfe1f..b19d77a 100644 --- a/ProcessInfo.cpp +++ b/ProcessInfo.cpp 
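Review bot: Widening the condition to `rtype == RecordType::SYSCALL` in the @@ -52 hunk means `get_pid_from_event` and `_processTree->GetInfoForPid` now run for every syscall-led audit event, not just execs; GetInfoForPid takes `_process_write_mutex` (visible in the @@ -508 hunk of the previous patch) and, from its name, presumably reads /proc for pids the tree does not know, so this adds a lock acquisition and possibly a procfs read to the hot path of the audit consumer. If the goal is to pick up the cgroup for new processes, doing it on EXECVE only (as before) or only on tree misses is cheaper. Passing `rtype` to `%d` is only well-defined if RecordType's underlying type is `int`; `static_cast<int>(rtype)` would make that explicit.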
@@ -447,29 +447,29 @@ bool ProcessInfo::read(int pid) { snprintf(path.data(), path.size(), "/proc/%d/exe", pid); - int pret = read_and_parse_stat(pid); + int pret = read_and_parse_cgroup(pid); if (pret != 0) { if (pret > 0) { - Logger::Warn("Failed to parse /proc/%d/stat", pid); + Logger::Warn("Failed to parse /proc/%d/cgroup", pid); + } + else{ + Logger::Warn("Wrong cgroup format for /proc/%d/cgroup", pid); } return false; } - pret = read_and_parse_status(pid); + pret = read_and_parse_stat(pid); if (pret != 0) { if (pret > 0) { - Logger::Warn("Failed to parse /proc/%d/status", pid); + Logger::Warn("Failed to parse /proc/%d/stat", pid); } return false; } - pret = read_and_parse_cgroup(pid); + pret = read_and_parse_status(pid); if (pret != 0) { if (pret > 0) { - Logger::Warn("Failed to parse /proc/%d/cgroup", pid); - } - else{ - Logger::Warn("Wrong cgroup format for /proc/%d/cgroup", pid); + Logger::Warn("Failed to parse /proc/%d/status", pid); } return false; } diff --git a/ProcessTree.h b/ProcessTree.h index 5b4275b..35a2638 100644 --- a/ProcessTree.h +++ b/ProcessTree.h @@ -224,6 +224,8 @@ class ProcessTree: public RunBase { std::shared_ptr AddProcess(enum ProcessTreeSource source, int pid, int ppid, int uid, int gid, const std::string& exe, const std::string& cmdline); void Clean(); std::shared_ptr GetInfoForPid(int pid); + std::shared_ptr ReadProcEntry(int pid); + void PopulateTree(); void UpdateFlags(); void ShowTree(); @@ -239,7 +241,6 @@ class ProcessTree: public RunBase { void AddPid(int pid, int ppid); void AddPid(int pid); void RemovePid(int pid); - std::shared_ptr ReadProcEntry(int pid); void ApplyFlags(const std::shared_ptr& process); void SetContainerId(const std::shared_ptr& p, const std::string& containerid); diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index 71030bd..aa04ecf 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp 
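Review bot: The @@ -447 hunk reorders the three parse steps so cgroup is read before stat and status, but neither the code nor the commit message says why; since every failure path still returns false, the visible effect is only which warning is logged first, and a later reader cannot tell whether the order matters. A one-line comment above the cgroup call, such as `// Parse cgroup first: <reason>`, would settle that. The ProcessTree.h hunks on this line make ReadProcEntry public; it returns a freshly allocated Process that, in the parts of it visible here, is never inserted into the tree, which is easy to misuse from outside, and the following RawEventProcessor hunk does exactly that.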
@@ -50,26 +50,17 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { } auto rec = event.begin(); - auto rtype = static_cast(rec.RecordType()); + auto rtype = static_cast(rec.RecordType()); - if (rtype == RecordType::EXECVE || rtype == RecordType::SYSCALL) - { - Logger::Debug("IB RawEventProcessor: ProcessData: %d event", rtype); + if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH || + rtype == RecordType::SOCKADDR || rtype == RecordType::INTEGRITY_RULE) { _pid = get_pid_from_event(event); if (_pid != -1) { if (_processTree) { - Logger::Debug("IB RawEventProcessor: ProcessData: GetInfoForPid: %d", _pid); - _processTree->GetInfoForPid(_pid); + _processTree->ReadProcEntry(_pid); } } - else - { - Logger::Error("IB RawEventProcessor: ProcessData: EXECVE event without PID"); - } - } - if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH || - rtype == RecordType::SOCKADDR || rtype == RecordType::INTEGRITY_RULE) { if (!process_syscall_event(event)) { process_event(event); } @@ -81,7 +72,6 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { int RawEventProcessor::get_pid_from_event(const Event& event) { for (auto& rec : event) { auto pid_field = rec.FieldByName("pid"); - Logger::Debug("IB RawEventProcessor: get_pid_from_event: pid_field: %s", pid_field.RawValuePtr()); if (pid_field) { const char* pid_value = pid_field.RawValuePtr(); if (pid_value) { From 7c14deb971079ebdcae44bbe60c867fc9925ad32 Mon Sep 17 00:00:00 2001 From: iritb Date: Thu, 9 Jan 2025 23:42:04 +0200 Subject: [PATCH 07/11] Comment out PID extraction in RawEventProcessor for debugging purposes --- RawEventProcessor.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index aa04ecf..05e48ce 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp 
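Review bot: `_processTree->ReadProcEntry(_pid);` in the @@ -50 hunk throws away its return value; ReadProcEntry builds a new Process with make_shared and a ProcessInfo::OpenPid (per the @@ -690 hunk earlier in the series) and, in the portions visible here, returns it without inserting it into `_processes`, so this line costs an allocation and a /proc read per audit event and changes nothing in the tree. If the intent is to refresh the tree's entry for the pid, the result has to be merged into the existing entry under the tree's write lock, presumably via GetInfoForPid or AddProcess. ProcessData continues outside this hunk.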
@@ -54,12 +54,12 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) { if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH || rtype == RecordType::SOCKADDR || rtype == RecordType::INTEGRITY_RULE) { - _pid = get_pid_from_event(event); + /*_pid = get_pid_from_event(event); if (_pid != -1) { if (_processTree) { _processTree->ReadProcEntry(_pid); } - } + }*/ if (!process_syscall_event(event)) { process_event(event); From 63689cde6065ae11caa0d68ff5ebd78a899ac8d5 Mon Sep 17 00:00:00 2001 From: iritb Date: Sat, 11 Jan 2025 10:18:08 +0200 Subject: [PATCH 08/11] Add ExtractContainerIdFromCgroup method and update AddProcess to use it --- ProcessTree.cpp | 19 ++++++++++++++++--- ProcessTree.h | 4 ++-- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/ProcessTree.cpp b/ProcessTree.cpp index 0b63ef6..705a6e4 100644 --- a/ProcessTree.cpp +++ b/ProcessTree.cpp @@ -337,9 +337,8 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource std::string containerid = ExtractContainerId(exe, cmdline); std::string cgroupContainerid; - if (containerid.empty()) { - auto p_temp = ReadProcEntry(pid); - cgroupContainerid = p_temp->_cgroupContainerId; + if (containerid.empty()) { + cgroupContainerid = ExtractContainerIdFromCgroup(pid); } auto it = _processes.find(pid); 
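Review bot: The @@ -54 hunk disables the pid lookup by wrapping it in `/* ... */`, with a commit message calling it a debugging step; a toggle like this should not be committed, since a later reader cannot tell whether the block is dead or pending. Delete it (history keeps it) or, if it must stay switchable, gate it on a configuration flag read at startup. The member `_pid` the block used to write now keeps whatever value it last held; worth confirming nothing else on the class reads it expecting a per-event update.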
@@ -651,6 +650,20 @@ void ProcessTree::SetContainerId(const std::shared_ptr& p, cons } } +std::string ProcessTree::ExtractContainerIdFromCgroup(const int pid) +{ + std::string containerid = ""; + auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT); + if (!pinfo) { + Logger::Error("IB Failed to open proc entry for %d", pid); + return containerid; + } + + containerid = pinfo->container_id(); + Logger::Debug("IB (2) CGroup container id for %d is %s", pid, containerid.c_str()); + return containerid; +} + std::string ProcessTree::ExtractContainerId(const std::string& exe, const std::string& cmdline) { // cmdline example: diff --git a/ProcessTree.h b/ProcessTree.h index 35a2638..d45d397 100644 --- a/ProcessTree.h +++ b/ProcessTree.h @@ -224,14 +224,13 @@ class ProcessTree: public RunBase { std::shared_ptr AddProcess(enum ProcessTreeSource source, int pid, int ppid, int uid, int gid, const std::string& exe, const std::string& cmdline); void Clean(); std::shared_ptr GetInfoForPid(int pid); - std::shared_ptr ReadProcEntry(int pid); void PopulateTree(); void UpdateFlags(); void ShowTree(); void ShowProcess(std::shared_ptr p); static std::string ExtractContainerId(const std::string& exe, const std::string& cmdline); - + std::string ExtractContainerIdFromCgroup(const int pid) protected: void on_stopping() override; @@ -243,6 +242,7 @@ class ProcessTree: public RunBase { void RemovePid(int pid); void ApplyFlags(const std::shared_ptr& process); void SetContainerId(const std::shared_ptr& p, const std::string& containerid); + std::shared_ptr ReadProcEntry(int pid); std::shared_ptr _user_db; std::shared_ptr _filtersEngine; From b3a5e96b01fc08264e93a1d44e7a27d5dc1b8b3e Mon Sep 17 00:00:00 2001 From: iritb Date: Sat, 11 Jan 2025 14:53:32 +0200 Subject: [PATCH 09/11] typo --- ProcessTree.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ProcessTree.h b/ProcessTree.h index d45d397..1d1dbf2 100644 --- a/ProcessTree.h +++ b/ProcessTree.h 
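Review bot: `Logger::Error("IB Failed to open proc entry for %d", pid)` in the new ExtractContainerIdFromCgroup will fire for every process that has already exited by the time the lookup runs, which is a routine race for short-lived commands rather than a fault, so Error level will flood the log on busy hosts; Debug or Warn fits better. `std::string containerid = "";` can simply be `std::string containerid;`. The visible body touches no instance state (only ProcessInfo::OpenPid, Logger and CMDLINE_SIZE_LIMIT), so unless CMDLINE_SIZE_LIMIT is a member it could be declared `static` like ExtractContainerId in the header hunk on this line, which is also missing its trailing `;` (fixed in the next patch).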
@@ -230,7 +230,7 @@ class ProcessTree: public RunBase { void ShowTree(); void ShowProcess(std::shared_ptr p); static std::string ExtractContainerId(const std::string& exe, const std::string& cmdline); - std::string ExtractContainerIdFromCgroup(const int pid) + std::string ExtractContainerIdFromCgroup(const int pid); protected: void on_stopping() override; From b58055bb2a57ae64ab06dd6649d19853d5f49720 Mon Sep 17 00:00:00 2001 From: iritb Date: Sat, 11 Jan 2025 23:05:39 +0200 Subject: [PATCH 10/11] Refactor logging in ProcessTree and RawEventProcessor for improved clarity and debugging --- ProcessTree.cpp | 13 +++++-------- RawEventProcessor.cpp | 7 ++++--- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/ProcessTree.cpp b/ProcessTree.cpp index 705a6e4..824a67a 100644 --- a/ProcessTree.cpp +++ b/ProcessTree.cpp @@ -345,7 +345,6 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource if (it != _processes.end()) { process = it->second; { - Logger::Debug("IB Updating process %d", pid); std::lock_guard _lock(process->_mutex); process->_source = source; process->_uid = uid; @@ -355,7 +354,6 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource process->_containeridfromhostprocess = containerid; } if (ppid != process->_ppid) { - Logger::Debug("IB Updating process %d ppid from %d to %d", pid, process->_ppid, ppid); auto it2 = _processes.find(process->_ppid); if (it2 != _processes.end()) { auto oldparent = it2->second; @@ -366,11 +364,9 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource } it2 = _processes.find(ppid); if (it2 != _processes.end()) { - Logger::Debug("IB Updating process %d ppid %d", pid, ppid); auto parentproc = it2->second; parentproc->_children.emplace_back(pid); { - Logger::Debug("IB Updating process %d containerid", pid); std::lock_guard _lock(process->_mutex); if (!(parentproc->_containeridfromhostprocess).empty()) { process->_containerid = parentproc->_containeridfromhostprocess; 
@@ -451,8 +447,8 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource // such as when a process is the root process of a container or when the process is // started by a web service or another system service that does not pass the container // ID through the command line arguments. + Logger::Info("IB Updating containerid %s from cgroup for process %d, _cgroupContainerId %s, temp cgroupContainerid: %s ", process->_containerid.c_str(), pid, process->_cgroupContainerId.c_str(), cgroupContainerid.c_str()); if (process->_containerid.empty()) { - Logger::Debug("IB updating containerid %s from cgroup for process %d, temp cgroupContainerid: %s ", process->_cgroupContainerId.c_str(), pid, cgroupContainerid); if (!cgroupContainerid.empty()) { process->_containerid = cgroupContainerid; } else if (!(process->_cgroupContainerId).empty()) { @@ -655,7 +651,7 @@ std::string ProcessTree::ExtractContainerIdFromCgroup(const int pid) std::string containerid = ""; auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT); if (!pinfo) { - Logger::Error("IB Failed to open proc entry for %d", pid); + Logger::Error("IB Failed to open proc entry for %d (ExtractContainerIdFromCgroup)", pid); return containerid; } @@ -706,12 +702,13 @@ std::shared_ptr ProcessTree::ReadProcEntry(int pid) { std::shared_ptr process = std::make_shared(ProcessTreeSource_procfs, pid); - Logger::Debug("IB Reading proc entry for %d", pid); + Logger::Debug("IB Reading proc entry for %d before OpenPid", pid); auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT); if (!pinfo) { - Logger::Error("IB Failed to open proc entry for %d", pid); + Logger::Error("IB Failed to open proc entry for %d (ReadProcEntry)", pid); return nullptr; } + Logger::Info("IB Reading proc entry for %d after OpenPid", pid); process->_uid = pinfo->uid(); process->_gid = pinfo->gid(); diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp index 05e48ce..f9bd775 100644 --- a/RawEventProcessor.cpp +++ b/RawEventProcessor.cpp 
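Review bot: The `Logger::Info(...)` added in the @@ -451 hunk sits before the `if (process->_containerid.empty())` test, so it is emitted at Info level on every AddProcess call, including the common case where nothing is updated, and its text ("Updating containerid") is then misleading. Move it inside the branch and make it Debug, consistent with the other diagnostics in this function. The same applies to `Logger::Info("IB Reading proc entry for %d after OpenPid", pid)` in the @@ -706 hunk, which logs at Info once per procfs read.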
@@ -54,12 +54,13 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) {
 if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH ||
 rtype == RecordType::SOCKADDR || rtype == RecordType::INTEGRITY_RULE) {
- /*_pid = get_pid_from_event(event);
+ _pid = get_pid_from_event(event);
 if (_pid != -1) {
 if (_processTree) {
- _processTree->ReadProcEntry(_pid);
+ auto contId = _processTree->ExtractContainerIdFromCgroup(_pid);
+ Logger::Debug("IB RawEventProcessor: ProcessData for %d: ContainerId: %s", _pid, contId.c_str());
 }
- }*/
+ }
 if (!process_syscall_event(event)) {
 process_event(event);
From 67c2923313e635bdc951c5144f5365a37687dffe Mon Sep 17 00:00:00 2001
From: iritb
Date: Sun, 12 Jan 2025 13:10:44 +0200
Subject: [PATCH 11/11] Enhance container ID extraction in ProcessTree and RawEventProcessor for improved clarity and functionality
---
 ProcessTree.cpp | 3 ++-
 RawEventProcessor.cpp | 3 +--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ProcessTree.cpp b/ProcessTree.cpp
index 824a67a..d6c429f 100644
--- a/ProcessTree.cpp
+++ b/ProcessTree.cpp
@@ -448,6 +448,7 @@ std::shared_ptr ProcessTree::AddProcess(enum ProcessTreeSource
 // started by a web service or another system service that does not pass the container
 // ID through the command line arguments.
 Logger::Info("IB Updating containerid %s from cgroup for process %d, _cgroupContainerId %s, temp cgroupContainerid: %s ", process->_containerid.c_str(), pid, process->_cgroupContainerId.c_str(), cgroupContainerid.c_str());
+ auto __cgroupContainerid = ExtractContainerIdFromCgroup(pid);
 if (process->_containerid.empty()) {
 if (!cgroupContainerid.empty()) {
 process->_containerid = cgroupContainerid;
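Review bot: The re-enabled block in the @@ -54 hunk now calls `_processTree->ExtractContainerIdFromCgroup(_pid)` for every syscall, exec, cwd, path, sockaddr and integrity event and uses the result only in a debug message, which is one ProcessInfo::OpenPid per audit record (and, if OpenPid goes through the ProcessInfo::read shown in the earlier hunk, a cgroup/stat/status parse) with no effect on the tree. If the container id is needed here it should be stored or handed to the tree; if it is only for diagnosis, the call should be gated on the debug level or removed. ProcessData continues outside this hunk.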
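Review bot: `auto __cgroupContainerid = ExtractContainerIdFromCgroup(pid);` in the @@ -448 hunk introduces an identifier containing a double underscore, which is reserved for the implementation in C++, and the variable is never read, so the line only performs an unconditional second procfs lookup right after `cgroupContainerid` was computed at the top of AddProcess. Remove the line, or if a fresh lookup is wanted when `cgroupContainerid` is empty, assign into that variable inside the `if (process->_containerid.empty())` branch. AddProcess begins before this hunk.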
@@ -656,7 +657,7 @@ std::string ProcessTree::ExtractContainerIdFromCgroup(const int pid)
 }
 containerid = pinfo->container_id();
- Logger::Debug("IB (2) CGroup container id for %d is %s", pid, containerid.c_str());
+ Logger::Debug("IB CGroup container id for %d is %s", pid, containerid.c_str());
 return containerid;
 }
diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp
index f9bd775..1ff5846 100644
--- a/RawEventProcessor.cpp
+++ b/RawEventProcessor.cpp
@@ -57,8 +57,7 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) {
 _pid = get_pid_from_event(event);
 if (_pid != -1) {
 if (_processTree) {
- auto contId = _processTree->ExtractContainerIdFromCgroup(_pid);
- Logger::Debug("IB RawEventProcessor: ProcessData for %d: ContainerId: %s", _pid, contId.c_str());
+ auto contId = _processTree->ExtractContainerIdFromCgroup(_pid);
 }
 }