Add metric for when the file on disk is not the file being evaluated #1348

Merged (5 commits) May 16, 2024

Conversation

mlw (Member) commented May 15, 2024

Adds a new metric that tracks cases where the file reported in EXEC events is not the same file currently on disk.

Test setup:
Create some binary named t. In one terminal, run the following to rapidly change t's devno/inode pair:

cp t t1
cp t t2
while [[ true ]]; do rm ./t; cp ./t1 ./t; sleep 0; rm ./t; cp ./t2 ./t; sleep 0; done

In a second terminal, continuously execute the binary:

while [[ true ]]; do ./t > /dev/null; done

Sample santactl metrics output:

  Metric Name               | /santa/event_stat_change_count
  Description               | Count of times a stat info changed for a binary being evalauted
  Type                      | SNTMetricTypeCounter
  Field                     | step=MessageCreate,error=0
  Created                   | 2024-05-15T00:47:07.050Z
  Last Updated              | 2024-05-15T00:47:07.050Z
  Data                      | 70
  Field                     | step=MessageCreate,error=2
  Created                   | 2024-05-15T00:47:07.050Z
  Last Updated              | 2024-05-15T00:47:07.050Z
  Data                      | 62
  Field                     | step=NoChange,error=0
  Created                   | 2024-05-14T23:47:10.405Z
  Last Updated              | 2024-05-15T00:47:07.050Z
  Data                      | 1252973
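As an added illustration (not code from this PR or from Santa itself), here is a C sketch of the check the new metric counts: capture a file's (st_dev, st_ino) pair when the event arrives, re-stat the path later, and bucket the outcome by step and errno the way the sample output above does. The enum, struct and function names are assumptions for this example, and the temp-file scenario in demo() is constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome buckets mirroring the "step" field in the PR's sample output.
 * Enum names are assumptions for this example, not Santa's own. */
enum stat_step { STEP_NO_CHANGE = 0, STEP_CHANGED_AT_CREATE = 1 };

struct stat_check {
  enum stat_step step; /* which bucket a "step=...,error=N" counter gets */
  int error;           /* errno from the re-stat, 0 on success */
};

/* Re-stat `path` and compare (st_dev, st_ino) with the pair captured when
 * the EXEC event was first seen. A mismatch, or a failed stat, means the
 * file on disk is no longer the file the event described. */
struct stat_check check_stat_change(const char *path, dev_t dev, ino_t ino) {
  struct stat sb;
  struct stat_check r = {STEP_NO_CHANGE, 0};
  if (stat(path, &sb) != 0) {
    r.step = STEP_CHANGED_AT_CREATE;
    r.error = errno; /* e.g. 2 (ENOENT) while the rm/cp loop is between rm and cp */
  } else if (sb.st_dev != dev || sb.st_ino != ino) {
    r.step = STEP_CHANGED_AT_CREATE; /* a different inode now lives at path */
  }
  return r;
}

/* Constructed scenario driven by `phase`: 0 = untouched file, 1 = file
 * atomically replaced by another inode (like the PR's rm/cp loop), 2 = file
 * removed. Returns the errno the metric would record, or -1 for NoChange. */
int demo(int phase) {
  char a[] = "/tmp/stat_demo_aXXXXXX", b[] = "/tmp/stat_demo_bXXXXXX";
  int fa = mkstemp(a), fb = mkstemp(b);
  if (fa < 0 || fb < 0) return -99;
  close(fa); close(fb);
  struct stat orig;
  if (stat(a, &orig) != 0) return -99;
  if (phase == 1) rename(b, a);   /* b existed alongside a, so its inode differs */
  if (phase == 2) unlink(a);
  struct stat_check r = check_stat_change(a, orig.st_dev, orig.st_ino);
  unlink(a); unlink(b);           /* clean up constructed files */
  return r.step == STEP_NO_CHANGE ? -1 : r.error;
}
```

Phase 1 corresponds to the step=MessageCreate,error=0 bucket in the sample output and phase 2 to step=MessageCreate,error=2.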

@mlw mlw added metrics Code / work related to Santa observability / monitoring santad Work related to the Santa Daemon labels May 15, 2024
@mlw mlw added this to the 2024.5 milestone May 15, 2024
@mlw mlw requested a review from a team as a code owner May 15, 2024 01:01
@mlw mlw marked this pull request as draft May 15, 2024 01:43
@mlw mlw force-pushed the stat-change-metrics branch 2 times, most recently from ae3bd79 to 0a7bf6f May 15, 2024 03:54
@mlw mlw marked this pull request as ready for review May 15, 2024 03:57
@mlw mlw requested a review from tburgin May 15, 2024 20:36
tburgin previously approved these changes May 16, 2024
3 review comments on Source/santad/EventProviders/EndpointSecurity/Message.mm (outdated, resolved)
@mlw mlw merged commit 9b184ed into google:main May 16, 2024
12 checks passed