To track deletion of files using tracee

[Dinakaranevil]

Is it recommended to track deletion of files using tracee

I tried to track the security_inode_unlink system call along with execve system call

I opened an other terminal and deleted files using rm command sometimes it was not able to detect the deletion of files sometimes .Can someone suggest me a better approach to track deletion of files

[yanivagman]

Hello @Dinakaranevil ,

Can you please provide the exact command you used to start tracee with?
It will also help if you can describe a case where using security_inode_unlink didn't work.

[Dinakaranevil]

sudo docker run --name tracee1 --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest trace --trace event=execve,securitrity_inode_unlink

i tried to run the above command in one terminal

and just tried to create and delete file using it

commands are
touch h1.c
rm h1.c

it was able to track deletion of files but sometimes i was not able to track them

my assumptions are
if any other process tries to delete files like my chrome browsers at that scenario not able to track them

[yanivagman]

my assumptions are
if any other process tries to delete files like my chrome browsers at that scenario not able to track them

This shouldn't be the problem - processes can delete files concurrently, and tracee should be able to track all of the events.
To remove noise you can filter for events generated by rm by adding --trace comm=rm

[Dinakaranevil]

can we combine both comm as well as event arguments together

[yanivagman]

Sure, you can use --trace flag multiple times:
--trace event=execve,securitrity_inode_unlink --trace comm=rm

[yanivagman]

One more thing you can try is using the unlink and unlinkat events, in addition to security_inode_unlink:
sudo ./tracee-ebpf -t e=unlink,unlinkat,security_inode_unlink
Is there a case where you get unlink(at) event and not security_inode_unlink event? Is there a case that none of these events appear when you delete a file?

[Dinakaranevil]

Hi @yanivagman ,
is there any way to install ./tracee-ebpf this insted of using the docker image

[yanivagman]

You can either use the docker image with the trace subcommand like you did above, download the tar.gz from releases, or compile tracee-ebpf locally.

[Dinakaranevil]

hi @yanivagman ,
how is the pathname acquired by using any bpf helper function or something else is done can you give your insights on this .

[yanivagman]

Here is how it is done for security_inode_unlink:
https://github.com/aquasecurity/tracee/blob/main/tracee-ebpf/tracee/tracee.bpf.c#L2612

[Dinakaranevil]

hi @yanivagman
a)wanted to add a custom function when the deletion of a particular file happens any particular approach that you would like to recommend
b)Is there anyway to debug the code like bpf_trace_printk to debug the programme in tracee.bpf.c programme

[yanivagman]

a) security_inode_unlink should be a good option.
b) To debug tracee.bpf.c I usually create a custom event (~10-15 lines of code in total), and send the output to tracee like any other event. Then I filter by the event I added and any other events I want to debug.
This way, you can get all the debug info and the event you are debugging in a synchronous way. For example, if debugging security_inode_unlink, you can add a new unlink_debug event, and start tracee with four events: unlink,unlinkat,security_inode_unlink,unlink_debug. You can then craft unlink_debug to output whatever you want by changing the types in consts.go.

[Dinakaranevil]

hi @yanivagman ,
may be i was not clear in explaining my point

a)wanted to add a custom function when the deletion of a particular file happens any particular approach that you would like to recommend

i wanted to add a custom function basically to take back up of files before the file is getting deleted

b)Is there anyway to debug the code like bpf_trace_printk to debug the programme in tracee.bpf.c programme

y cant i trace the variables on trace pipe i am not getting any errors while building the project from source nor any output on the trace_pipe

[yanivagman]

i wanted to add a custom function basically to take back up of files before the file is getting deleted

Tracee events are not inline, meaning, by the time you will get the unlink event, the file have already been deleted, so you can't create a backup of it.

y cant i trace the variables on trace pipe i am not getting any errors while building the project from source nor any output on the trace_pipe

Technically, this should work, but I never tried to use trace_pipe to debug tracee (I explained how I usually debug things in the bpf code above).

[Dinakaranevil]

Hi @yanivagman ,

Tracee events are not inline, meaning, by the time you will get the unlink event, the file have already been deleted, so you can't create a backup of it.

But this can be mechanism can be implemented using ebpf right ???

[yanivagman]

To implement such a mechanism (copy before delete) your program will need to be able to read (and copy) the file content before deletion. As ebpf doesn't provide any interface (helpers) to the file system, this copy will have to take place in user space (unless the file is in memory, and then theoretically you can copy it using bpf_probe_read() calls).
If you are using tracepoints/kprobes (such the ones used by tracee), then by the time you will read these events in userspace, the file has probably already been deleted.
It might be possible to use LSM-BPF programs to deny the deletion of files, report to user space, copy in user space, then delete the file. The problem with such approach is that from the application point of view (which deletes the file), it will be seen as if the delete operation failed.
Maybe there are other ways to implement such a mechanism using ebpf, but no simple solution comes to my mind.