@yeet/opensnoop
opensnoop is a lightweight, high-performance tool designed to monitor and log all open system calls in real time. It efficiently captures detailed file access data such as file names, process IDs, and user information, all with minimal system overhead. Ideal for security auditing and troubleshooting, opensnoop provides comprehensive visibility into every file opened on the system, enhancing observability and security. It integrates seamlessly into your existing infrastructure.
Installation
Use yeet to install this package
sudo yeet install opensnoop
opensnoop is a lightweight, high-performance tool designed to monitor and log all open system calls in real time. It efficiently captures detailed file access data such as file names, process IDs, and user information, all with minimal system overhead. Ideal for security auditing and troubleshooting, opensnoop provides comprehensive visibility into every file opened on the system, enhancing observability and security. It integrates seamlessly into your existing infrastructure.
Get Started
1. Install yeet
2. Deploy opensnoop
3. Create a collection
4. Monitor events
Data Schema
Each time an open syscall occurs, a new row is added to the collection with the following schema:
| Field | Type | Description |
|---|---|---|
| timestamp | Date | The time when the open syscall occurred. |
| seq_no | Int | A sequential number for the open event. |
| event | OpensnoopEvent | Contains details about the open event. |
Opensnoop Event
| Field | Type | Description |
|---|---|---|
| pid | int | The process ID of the executed command. |
| tgid | int | The thread group ID of the executed command. |
| ppid | int | The parent process ID of the executed command. |
| cgroup_id | string | The ID of the control group associated with the process. |
| cgroup_name | string | The name of the control group associated with the process. |
| uid | int | The user who triggered the open. |
| gid | int | The group ID of the user. |
| latency_ns | int | How long the open took to complete in nanoseconds. |
| fd | int | The file descriptor of the opened file. |
| comm | string | The command name of the executed process. |
| path | string | The path of the opened file. |
Example query:
You can query this collection using the SQL Editor.
SELECT
timestamp,
seq_no,
event->>'$.pid' AS pid,
event->>'$.tgid' AS tgid,
event->>'$.ppid' AS ppid,
event->>'$.cgroup_id' AS cgroup_id,
event->>'$.cgroup_name' AS cgroup_name,
event->>'$.uid' AS uid,
event->>'$.gid' AS gid,
CAST(event->>'$.latency_ns' AS int) AS latency_ns,
event->>'$.fd' AS fd,
event->>'$.comm' AS comm,
event->>'$.path' AS path
FROM <your_collection_name_here>
ORDER BY seq_no DESC
Key Details:
JSON Path Extraction
- The syntax
event->>'$.property_name'is used to extract properties from the JSON event object without enclosing them in quotes.
CAST Function
latency_nsis cast to an integer, as it is initially treated as a string. This conversion ensures it can be correctly visualized or processed numerically.