Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sampling exclude #1314

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

wangyongfeng5
Copy link

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap

/area libpman

Does this PR require a change in the driver versions?

/version driver-API-version-minor

What this PR does / why we need it:
Support an option to prevent certain system calls from being discarded during sampling.
Because some events that seem important on the user side need to be preserved in the sample

@poiana
Copy link
Contributor

poiana commented Aug 31, 2023

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana
Copy link
Contributor

poiana commented Aug 31, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangyongfeng5
Once this PR has been reviewed and has the lgtm label, please assign incertum for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions
Copy link

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

Signed-off-by: Manny Wang <[email protected]>
@Andreagit97 Andreagit97 added this to the 0.14.0 milestone Aug 31, 2023
@incertum
Copy link
Contributor

incertum commented Sep 1, 2023

Hi 👋 @wangyongfeng5

In addition to the global setting (not doing any sampling)

if (!settings->dropping_mode)
which for the Falco use case is disabled by default, we also have the flag
if (drop_flags & UF_NEVER_DROP)
UF_NEVER_DROP, see syscall table
[__NR_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_19_E, PPME_SYSCALL_EXECVE_19_X, PPM_SC_EXECVE},

Would it be possible to summarize the gaps of the existing UF_NEVER_DROP flag and mechanisms?

Lastly is this contribution intended to benefit the Falco client (where primary use cases are threat detection and compliance auditing) or a custom client?

@wangyongfeng5
Copy link
Author

wangyongfeng5 commented Sep 1, 2023

Lastly is this contribution intended to benefit the Falco client (where primary use cases are threat detection and compliance auditing) or a custom client?

It's for a custom client. So we can't use UF_NEVER_DROP because it is static and cannot change with different scenes.

I think which system calls should be excluded from sampling should be an option rather than static, and other similar options, such as whether to enable sampling or not, are per-user, so this option should also be per-user.

@incertum
Copy link
Contributor

incertum commented Sep 1, 2023

Understood @wangyongfeng5 re this PR and the other one. Those are quite significant changes that align with custom clients and not the Falco client.

Would it be ok to defer discussions until after Falco 0.36 release (aka in Oct 2023)? Possibly maybe it would make sense to jump on a community call and discuss or brainstorm more broadly to see if multiple custom clients can benefit from such capabilities and how a best approach would look like as we also need to ensure that new changes and major refactors are ok to maintain going forward.

@Andreagit97 Andreagit97 modified the milestones: 0.14.0, TBD Nov 6, 2023
@poiana
Copy link
Contributor

poiana commented Feb 4, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented May 6, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Aug 5, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Nov 4, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants