process-monitor: Print container info from the header, remove it from…

… payload
exein-io · Nov 13, 2023 · edc2124 · edc2124
1 parent 97fba8a
commit edc2124
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 65 deletions.
diff --git a/crates/modules/process-monitor/src/lib.rs b/crates/modules/process-monitor/src/lib.rs
@@ -4,7 +4,7 @@ use anyhow::Context;
 use bpf_common::{
     aya::maps::HashMap,
     ebpf_program,
-    parsing::{containers::ContainerError, procfs, BufferIndex, IndexError},
+    parsing::{containers::ContainerError, BufferIndex, IndexError},
     program::BpfContext,
     BpfSender, Pid, Program, ProgramBuilder, ProgramError,
 };
@@ -119,7 +119,7 @@ fn extract_parameters(argv: &[u8]) -> Vec<String> {
 
 pub mod pulsar {
     use super::*;
-    use bpf_common::{parsing::containers::ContainerInfo, program::BpfEvent, BpfSenderWrapper};
+    use bpf_common::{program::BpfEvent, BpfSenderWrapper};
     use pulsar_core::pdk::{
         process_tracker::TrackerUpdate, CleanExit, IntoPayload, ModuleContext, ModuleError,
         Payload, PulsarModule, ShutdownSignal, Version,
@@ -228,58 +228,22 @@ pub mod pulsar {
         type Error = ProcessEventError;
         fn try_into_payload(event: BpfEvent<ProcessEvent>) -> Result<Payload, ProcessEventError> {
             let BpfEvent {
-                pid,
-                payload,
-                buffer,
-                ..
+                payload, buffer, ..
             } = event;
             Ok(match payload {
-                ProcessEvent::Fork {
-                    ppid,
-                    namespaces,
-                    is_new_container,
-                    ..
-                } => {
-                    let container = match procfs::get_process_container_id(pid) {
-                        Ok(Some(container_id)) => {
-                            Some(ContainerInfo::from_container_id(container_id)?)
-                        }
-                        Ok(None) => None,
-                        Err(_) => None,
-                    };
-
-                    Payload::Fork {
-                        ppid: ppid.as_raw(),
-                        namespaces,
-                        is_new_container,
-                        container,
-                    }
-                }
+                ProcessEvent::Fork { ppid, .. } => Payload::Fork {
+                    ppid: ppid.as_raw(),
+                },
                 ProcessEvent::Exec {
                     filename,
                     argc,
                     argv,
-                    namespaces,
-                    is_new_container,
                     ..
-                } => {
-                    let container = match procfs::get_process_container_id(pid) {
-                        Ok(Some(container_id)) => {
-                            Some(ContainerInfo::from_container_id(container_id)?)
-                        }
-                        Ok(None) => None,
-                        Err(_) => None,
-                    };
-
-                    Payload::Exec {
-                        filename: filename.string(&buffer)?,
-                        argc: argc as usize,
-                        argv: extract_parameters(argv.bytes(&buffer)?).into(),
-                        namespaces,
-                        is_new_container,
-                        container,
-                    }
-                }
+                } => Payload::Exec {
+                    filename: filename.string(&buffer)?,
+                    argc: argc as usize,
+                    argv: extract_parameters(argv.bytes(&buffer)?).into(),
+                },
                 ProcessEvent::Exit { exit_code } => Payload::Exit { exit_code },
                 ProcessEvent::ChangeParent { ppid } => Payload::ChangeParent {
                     ppid: ppid.as_raw(),

diff --git a/crates/pulsar-core/src/event.rs b/crates/pulsar-core/src/event.rs
@@ -39,18 +39,28 @@ impl fmt::Display for Event {
         let pid = &header.pid;
         let payload = self.payload();
 
+        let process_info = match header.container {
+            Some(ref container) => {
+                let container_image = &container.image;
+                let container_image_digest = &container.image_digest;
+
+                format!("{container_image} {container_image_digest} {image} ({pid})")
+            }
+            None => format!("{image} ({pid})"),
+        };
+
         if let Some(Threat {
             source,
             description,
             extra: _,
         }) = &self.header().threat
         {
             if f.alternate() {
-                writeln!(f, "[{time} \x1b[1;30;43mTHREAT\x1b[0m {image} ({pid})] [{source} - {description}] {payload}")
+                writeln!(f, "[{time} \x1b[1;30;43mTHREAT\x1b[0m {process_info}] [{source} - {description}] {payload}")
             } else {
                 writeln!(
                     f,
-                    "[{time} THREAT {image} ({pid})] [{source} - {description}] {payload}"
+                    "[{time} THREAT {process_info}] [{source} - {description}] {payload}"
                 )
             }
         } else {
@@ -198,19 +208,11 @@ pub enum Payload {
     },
     Fork {
         ppid: i32,
-        namespaces: Namespaces,
-        is_new_container: bool,
-        #[validatron(skip)]
-        container: Option<ContainerInfo>,
     },
     Exec {
         filename: String,
         argc: usize,
         argv: Argv,
-        namespaces: Namespaces,
-        is_new_container: bool,
-        #[validatron(skip)]
-        container: Option<ContainerInfo>,
     },
     Exit {
         exit_code: u32,
@@ -297,14 +299,8 @@ impl fmt::Display for Payload {
             Payload::FileLink { source, destination, hard_link } => write!(f,"File Link {{ source: {source}, destination: {destination}, hard_link: {hard_link} }}"),
             Payload::FileRename { source, destination } => write!(f,"File Rename {{ source: {source}, destination {destination} }}"),
             Payload::ElfOpened { filename, flags } => write!(f,"Elf Opened {{ filename: {filename}, flags: {flags} }}"),
-            Payload::Fork { ppid, container, .. } => match container {
-                Some(container) => write!(f,"Fork {{ ppid: {ppid}, container: {container} }}"),
-                None => write!(f,"Fork {{ ppid: {ppid} }}"),
-            },
-            Payload::Exec { filename, argc, argv, container, .. } => match container {
-                Some(container) => write!(f,"Exec {{ filename: {filename}, argc: {argc}, argv: {argv}, container: {container} }}"),
-                None => write!(f,"Exec {{ filename: {filename}, argc: {argc}, argv: {argv} }}"),
-            },
+            Payload::Fork { ppid } => write!(f,"Fork {{ ppid: {ppid} }}"),
+            Payload::Exec { filename, argc, argv } => write!(f,"Exec {{ filename: {filename}, argc: {argc}, argv: {argv} }}"),
             Payload::Exit { exit_code } => write!(f,"Exit {{ exit_code: {exit_code} }}"),
             Payload::ChangeParent { ppid } => write!(f,"Parent changed {{ ppid: {ppid} }}"),
             Payload::CgroupCreated { cgroup_path, cgroup_id } => write!(f,"Cgroup created {{ cgroup_path: {cgroup_path}, cgroup_id: {cgroup_id} }}"),