mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-15 06:19:12 +00:00
Destroyed Sysdig notes (markdown)
Henri DF
116
Sysdig-notes.md
116
Sysdig-notes.md
@@ -1,116 +0,0 @@
|
||||
## Notes on sysdig
|
||||
|
||||
### Missing/undecoded syscalls
|
||||
|
||||
- `fchmodat` needs to be decoded (from a quick experimentation, this is the one used by e.g. `/bin/chmod` on a recent linux system).
|
||||
|
||||
|
||||
### Outbound UDP traffic support
|
||||
UDP can be sent either via `sendto` or via `send`
|
||||
|
||||
#### `connect`
|
||||
The `nc` tool uses `connect`. The commands below validate that sysdig decodes UDP `connect()`s properly. Note that the 'enter' connect does not pass the filter (the state table is only updated on the syscall return?)
|
||||
|
||||
|
||||
`echo -n “foo” | nc -4u -w1 10.0.2.15 1500`
|
||||
|
||||
```
|
||||
$ sudo sysdig 'proc.name=nc and fd.l4proto=udp'
|
||||
1617 00:09:09.388994739 0 nc (12310) < connect res=0 tuple=10.0.2.15:52575->10.0.2.15:1500
|
||||
1618 00:09:09.388995574 0 nc (12310) > fcntl fd=3(<4u>10.0.2.15:52575->10.0.2.15:1500) cmd=5(F_SETFL)
|
||||
1619 00:09:09.388995725 0 nc (12310) < fcntl res=0(<p>)
|
||||
1624 00:09:09.389009055 0 nc (12310) > write fd=3(<4u>10.0.2.15:52575->10.0.2.15:1500) size=9
|
||||
1625 00:09:09.389026498 0 nc (12310) < write res=9 data=...foo...
|
||||
1628 00:09:09.389028747 0 nc (12310) > shutdown fd=3(<4u>10.0.2.15:52575->10.0.2.15:1500) how=1(SHUT_WR)
|
||||
1629 00:09:09.389029898 0 nc (12310) < shutdown res=0
|
||||
```
|
||||
|
||||
#### `sendto`
|
||||
|
||||
```
|
||||
00:23 vagrant@vagrant-ubuntu-trusty-64:~
|
||||
$ sudo sysdig 'syscall.type = sendto'
|
||||
684 00:23:20.935487226 0 a.out (12527) > sendto fd=3(<4>) size=16 tuple=0.0.0.0:12345->0.0.0.0:12345
|
||||
685 00:23:20.935518814 0 a.out (12527) < sendto res=16 data=..09.....9......
|
||||
```
|
||||
|
||||
```
|
||||
00:22 vagrant@vagrant-ubuntu-trusty-64:~
|
||||
$ sudo sysdig 'fd.l4proto=udp'
|
||||
1104 00:23:09.296146765 0 a.out (12524) < sendto res=16 data=..09............
|
||||
```
|
||||
|
||||
|
||||
|
||||
```
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
main()
|
||||
{
|
||||
|
||||
int sd;
|
||||
struct sockaddr_in server;
|
||||
char buf[512];
|
||||
int rc;
|
||||
|
||||
server.sin_family = AF_INET;
|
||||
server.sin_addr.s_addr = htonl(INADDR_ANY);
|
||||
server.sin_port = htons(12345);
|
||||
|
||||
sd = socket (AF_INET,SOCK_DGRAM,0);
|
||||
|
||||
bind ( sd, (struct sockaddr *) &server, sizeof(server));
|
||||
|
||||
sendto(sd, &server, sizeof(server), 0, (struct sockaddr *)&server, sizeof(server));
|
||||
}
|
||||
```
|
||||
|
||||
### Writing to the filesystem
|
||||
|
||||
From some quick c experimentation:
|
||||
- It is possible to create a file with `O_RDONLY | O_CREAT` but it is not possible to then write to it.
|
||||
- It is possible to open a file with `O_RDONLY | O_APPEND` but it is not possible to write to it.
|
||||
|
||||
|
||||
```
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int fd;
|
||||
|
||||
if(2 != argc) {
|
||||
printf("\n Usage : \n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
errno = 0;
|
||||
fd = open(argv[1],O_RDONLY | O_CREAT);
|
||||
|
||||
if(-1 == fd) {
|
||||
printf("\n open() failed with error [%s]\n",strerror(errno));
|
||||
return 1;
|
||||
} else {
|
||||
printf("\n open() Successful\n");
|
||||
}
|
||||
|
||||
const char *hello = "Hello";
|
||||
int ret = write(fd, hello, sizeof(hello));
|
||||
if(-1 == ret) {
|
||||
printf("\n write() failed with error [%s]\n",strerror(errno));
|
||||
return 1;
|
||||
} else {
|
||||
printf("\n write() Successful\n");
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
Reference in New Issue
Block a user