#!/usr/bin/env bpftrace
/*
* monitor.sh - trace process executions and socket creation.
*
* Emits one line per event:
* TIME: .. | [EXEC] PID: .. UID: .. Parent: .. COMM: .. | ARGS: <cmd>
* TIME: .. | [SOCK] PID: .. UID: .. Parent: .. COMM: .. | FAMILY: n TYPE: n PROTO: n
*
* The output is consumed by process_tree.py - keep the line format stable.
*/
BEGIN
{
/* Processes whose events are infrastructure noise, skipped for both EXEC
   and SOCK (the probes test `@skip[comm] == 0`; a key that was never set
   reads as 0, so everything not listed here is traced).
   "sed" is excluded to avoid a feedback loop with the sed-based log
   cleaner used downstream.
   Keys are kernel task names (`comm`), which are truncated by the kernel -
   "wazuh-logcollec" is the truncated form of wazuh-logcollector. A process
   can set its own comm, so this is a noise filter, not a trust boundary:
   anything that adopts one of these names is not logged. */
@skip["sed"] = 1;
@skip["vmtoolsd"] = 1;
@skip["wazuh-modulesd"] = 1;
@skip["wazuh-logcollec"] = 1;
@skip["systemd-network"] = 1;
@skip["systemd-resolve"] = 1;
}
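/* 1. Trace process executions
 *
 * Fires on entry to execve(2)/execveat(2). Because the sys_enter tracepoint
 * runs before the new image is loaded, `comm` - and therefore the @skip
 * filter - describes the *calling* task, not the program named in argv.
 */
tracepoint:syscalls:sys_enter_execve,
tracepoint:syscalls:sys_enter_execveat
/ @skip[comm] == 0 /
{
    /* Parent is reported as real_parent->tgid rather than parent->pid:
       task_struct.pid is the per-thread id (it only equals the process id
       for the thread-group leader) and `parent` is the ptracer while the
       task is being traced. tgid of real_parent keeps the Parent column
       comparable with the PID column, which bpftrace fills from the tgid. */
    printf("TIME: %s | [EXEC] PID: %-6d UID: %-4d Parent: %-6d COMM: %-15s | ARGS: ",
        strftime("%H:%M:%S", nsecs), pid, uid, curtask->real_parent->tgid, comm);
    /* join() prints argv separated by spaces and terminates the line with a
       newline. argv is text chosen by the executing process and may itself
       contain '|' or newline characters, so a consumer should treat
       everything after "ARGS: " as opaque rather than splitting it on the
       field separator. */
    join(args->argv);
}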
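/* 2. Trace socket initializations
 *
 * Fires on entry to socket(2). FAMILY/TYPE/PROTO are the raw integer
 * arguments as passed by the caller (AF_*, SOCK_*, IPPROTO_* values); the
 * TYPE field may carry SOCK_NONBLOCK/SOCK_CLOEXEC flag bits OR'ed in.
 * Entry tracing means the call is logged even if the kernel later rejects it.
 */
tracepoint:syscalls:sys_enter_socket
/ @skip[comm] == 0 /
{
    /* Parent is real_parent->tgid for the same reason as in the EXEC probe:
       task_struct.pid is a per-thread id and `parent` is the ptracer while
       the task is traced, whereas the PID column is the tgid. */
    printf("TIME: %s | [SOCK] PID: %-6d UID: %-4d Parent: %-6d COMM: %-15s | FAMILY: %-3d TYPE: %-3d PROTO: %-3d\n",
        strftime("%H:%M:%S", nsecs), pid, uid, curtask->real_parent->tgid, comm,
        args->family, args->type, args->protocol);
}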
END
{
/* bpftrace prints every map that is still populated when the script exits;
   clearing @skip keeps that dump out of the event stream that
   process_tree.py parses. */
clear(@skip);
}