diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp
index a876c872f7..38c283c7f0 100644
--- a/collector/lib/CollectorConfig.cpp
+++ b/collector/lib/CollectorConfig.cpp
@@ -60,6 +60,8 @@ BoolEnvVar use_podman_ce("ROX_COLLECTOR_CE_USE_PODMAN", false);
 BoolEnvVar enable_introspection("ROX_COLLECTOR_INTROSPECTION_ENABLE", false);
+BoolEnvVar track_send_recv("ROX_COLLECTOR_TRACK_SEND_RECV", false);
+
 // Collector arguments alternatives
 StringEnvVar log_level("ROX_COLLECTOR_LOG_LEVEL");
 IntEnvVar scrape_interval("ROX_COLLECTOR_SCRAPE_INTERVAL");
@@ -103,9 +105,16 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) {
 use_docker_ce_ = use_docker_ce.value();
 use_podman_ce_ = use_podman_ce.value();
 enable_introspection_ = enable_introspection.value();
+ track_send_recv_ = track_send_recv.value();
 for (const auto& syscall : kSyscalls) {
- syscalls_.push_back(syscall);
+ syscalls_.emplace_back(syscall);
+ }
+
+ if (track_send_recv_) {
+ for (const auto& syscall : kSendRecvSyscalls) {
+ syscalls_.emplace_back(syscall);
+ }
 }
 // Get hostname
@@ -454,7 +463,8 @@ std::ostream& operator<<(std::ostream& os, const CollectorConfig& c) {
 << ", set_import_users:" << c.ImportUsers()
 << ", collect_connection_status:" << c.CollectConnectionStatus()
 << ", enable_detailed_metrics:" << c.EnableDetailedMetrics()
- << ", enable_external_ips:" << c.EnableExternalIPs();
+ << ", enable_external_ips:" << c.EnableExternalIPs()
+ << ", track_send_recv:" << c.TrackingSendRecv();
 }
 // Returns size of ring buffers to be allocated.
diff --git a/collector/lib/CollectorConfig.h b/collector/lib/CollectorConfig.h
index 1d803ed1e3..e62cdf8dca 100644
--- a/collector/lib/CollectorConfig.h
+++ b/collector/lib/CollectorConfig.h
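Review bot: Nothing at the new `track_send_recv` flag or at the `if (track_send_recv_)` loop in `InitCollectorConfig` says what enabling it costs. The six syscalls appended to `syscalls_` fire per message rather than per connection, so on a busy node the extra event volume can plausibly fill the ring buffers and cause dropped events, which would show up as gaps in process and connection monitoring. I would document that next to the declaration, for example `// Off by default: adds the send*/recv* family to the traced syscalls, which can raise event volume sharply; check drop counters after enabling.` The body of `InitCollectorConfig` continues outside this hunk, so whether `syscalls_` is overridden later cannot be confirmed from here.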
@@ -48,6 +48,14 @@ class CollectorConfig {
 #endif
 "vfork",
 };
+ static constexpr const char* kSendRecvSyscalls[] = {
+ "sendto",
+ "sendmsg",
+ "sendmmsg",
+ "recvfrom",
+ "recvmsg",
+ "recvmmsg",
+ };
 static const UnorderedSet kIgnoredL4ProtoPortPairs;
 static constexpr bool kEnableProcessesListeningOnPorts = true;
@@ -82,6 +90,7 @@ class CollectorConfig {
 bool UseDockerCe() const { return use_docker_ce_; }
 bool UsePodmanCe() const { return use_podman_ce_; }
 bool IsIntrospectionEnabled() const { return enable_introspection_; }
+ bool TrackingSendRecv() const { return track_send_recv_; }
 const std::vector& GetConnectionStatsQuantiles() const { return connection_stats_quantiles_; }
 double GetConnectionStatsError() const { return connection_stats_error_; }
 unsigned int GetConnectionStatsWindow() const { return connection_stats_window_; }
@@ -122,6 +131,7 @@ class CollectorConfig {
 bool use_docker_ce_;
 bool use_podman_ce_;
 bool enable_introspection_;
+ bool track_send_recv_;
 std::vector connection_stats_quantiles_;
 double connection_stats_error_;
 unsigned int connection_stats_window_;
diff --git a/collector/lib/NetworkSignalHandler.cpp b/collector/lib/NetworkSignalHandler.cpp
index 9e35003960..8a1f4e2f71 100644
--- a/collector/lib/NetworkSignalHandler.cpp
+++ b/collector/lib/NetworkSignalHandler.cpp
@@ -24,6 +24,17 @@ EventMap modifiers = {
 {"connect<", Modifier::ADD},
 {"accept<", Modifier::ADD},
 {"getsockopt<", Modifier::ADD},
+ {"sendto<", Modifier::ADD},
+ {"sendto>", Modifier::ADD},
+ {"sendmsg<", Modifier::ADD},
+ {"sendmsg>", Modifier::ADD},
+ {"sendmmsg<", Modifier::ADD},
+ {"recvfrom<", Modifier::ADD},
+ {"recvfrom>", Modifier::ADD},
+ {"recvmsg<", Modifier::ADD},
+ {"recvmsg>", Modifier::ADD},
+ {"recvmmsg<", Modifier::ADD},
+ {"recvmmsg>", Modifier::ADD},
 },
 Modifier::INVALID,
 };
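Review bot: `kSendRecvSyscalls` in CollectorConfig.h carries no comment on its scope, and the list covers only the sendto/sendmsg/sendmmsg and recvfrom/recvmsg/recvmmsg family. Socket I/O done through plain `read`/`write` is not in it, nor are `send`/`recv` on architectures that expose them as separate syscalls; the `#endif` in the array just above suggests per-architecture differences already matter in this class. If the feature is meant to observe all traffic on a socket, that is a coverage gap worth either closing or stating. At minimum I would add `// Traced only when ROX_COLLECTOR_TRACK_SEND_RECV is set; read/write on sockets are not included.` above the array.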
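Review bot: `"sendmmsg<"` is added to `modifiers` without a matching `"sendmmsg>"`, while every other send/recv call gets both directions; the list returned by `GetRelevantEvents()` later in this file has the same asymmetry. If that is deliberate it deserves a one-line comment, otherwise add `{"sendmmsg>", Modifier::ADD},` here and `"sendmmsg>",` in `GetRelevantEvents()`. Separately, the enter events (`>`) map to `Modifier::ADD` just like the exit events, whereas the existing entries only use `<`. `HandleSignal` is not visible in this hunk, so please confirm it does not depend on a return value or fd state that is only populated on exit. The `modifiers` initializer starts above the hunk.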
@@ -31,7 +42,7 @@ EventMap modifiers = {
 } // namespace
 NetworkSignalHandler::NetworkSignalHandler(sinsp* inspector, std::shared_ptr conn_tracker, system_inspector::Stats* stats)
- : event_extractor_(std::make_unique()), conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true) {
+ : event_extractor_(std::make_unique()), conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true), track_send_recv_(false) {
 event_extractor_->Init(inspector);
 }
@@ -141,6 +152,28 @@ SignalHandler::Result NetworkSignalHandler::HandleSignal(sinsp_evt* evt) {
 }
 std::vector NetworkSignalHandler::GetRelevantEvents() {
+ if (track_send_recv_) {
+ return {
+ "close<",
+ "shutdown<",
+ "connect<",
+ "accept<",
+ "getsockopt<",
+ "sendto<",
+ "sendto>",
+ "sendmsg<",
+ "sendmsg>",
+ "sendmmsg<",
+ "recvfrom<",
+ "recvfrom>",
+ "recvmsg<",
+ "recvmsg>",
+ "recvmmsg<",
+ "recvmmsg>",
+ "recvmsg<",
+ "recvmsg>",
+ };
+ }
 return {"close<", "shutdown<", "connect<", "accept<", "getsockopt<"};
 }
diff --git a/collector/lib/NetworkSignalHandler.h b/collector/lib/NetworkSignalHandler.h
index 79c77b3682..a6fbba0085 100644
--- a/collector/lib/NetworkSignalHandler.h
+++ b/collector/lib/NetworkSignalHandler.h
@@ -29,6 +29,7 @@ class NetworkSignalHandler final : public SignalHandler {
 bool Stop() override;
 void SetCollectConnectionStatus(bool collect_connection_status) { collect_connection_status_ = collect_connection_status; }
+ void SetTrackSendRecv(bool track_send_recv) { track_send_recv_ = track_send_recv; }
 private:
 std::optional GetConnection(sinsp_evt* evt);
@@ -38,6 +39,7 @@ class NetworkSignalHandler final : public SignalHandler {
 system_inspector::Stats* stats_;
 bool collect_connection_status_;
+ bool track_send_recv_;
 };
 } // namespace collector
diff --git a/collector/lib/system-inspector/Service.cpp b/collector/lib/system-inspector/Service.cpp
index 99b9fd2cbf..54a7a45a79 100644
--- a/collector/lib/system-inspector/Service.cpp
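Review bot: `"recvmsg<"` and `"recvmsg>"` are listed twice at the end of the new branch in `GetRelevantEvents()`, which looks like a copy/paste leftover. The five base events are also repeated in both return statements, so the two lists can drift apart when an event is added to only one of them. Building the base list once and appending the send/recv events when `track_send_recv_` is set removes both problems. The sketch assumes the element type is `std::string` (template arguments are not visible on this page) and keeps the event set otherwise as submitted.
```cpp
std::vector<std::string> NetworkSignalHandler::GetRelevantEvents() {
  std::vector<std::string> events = {"close<", "shutdown<", "connect<", "accept<", "getsockopt<"};
  if (track_send_recv_) {
    // Appended only when send/recv tracking is enabled.
    events.insert(events.end(), {
                                    "sendto<", "sendto>",
                                    "sendmsg<", "sendmsg>",
                                    "sendmmsg<",
                                    "recvfrom<", "recvfrom>",
                                    "recvmsg<", "recvmsg>",
                                    "recvmmsg<", "recvmmsg>",
                                });
  }
  return events;
}
```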
+++ b/collector/lib/system-inspector/Service.cpp
@@ -46,6 +46,7 @@ void Service::Init(const CollectorConfig& config, std::shared_ptr(inspector_.get(), conn_tracker, &userspace_stats_);
 network_signal_handler_->SetCollectConnectionStatus(config.CollectConnectionStatus());
+ network_signal_handler_->SetTrackSendRecv(config.TrackingSendRecv());
 AddSignalHandler(std::move(network_signal_handler_));
 }
diff --git a/falcosecurity-libs b/falcosecurity-libs
index 40fbddbbb4..985c1c1cf3 160000
--- a/falcosecurity-libs
+++ b/falcosecurity-libs
@@ -1 +1 @@
-Subproject commit 40fbddbbb43330c1a289123989a53b3943498165
+Subproject commit 985c1c1cf3ba4e1fee92919f845d2238f66a2751