
@yeet/opensnoop


opensnoop is a utility for tracing and logging open system calls as they happen. It captures essential details such as the file name, the execution context of the calling process, and user information, with close to zero performance overhead. It is useful for auditing third-party dependencies, troubleshooting file permission errors, and compliance monitoring for FIPS, PCI DSS, FedRAMP, and SOC 2.

Installation

Use yeet to install this package:

sudo yeet install opensnoop
Version: 0.1.0 | License: Dual BSD / GPL | Public


Get Started

1. Install yeet

2. Deploy opensnoop

3. Create a collection

4. Monitor events

Data Schema

Each time an open syscall occurs, a new row is added to the collection with the following schema:

Field      Type  Description
timestamp  DATE  The time when the open syscall occurred.
seq_no     INT   A sequential number for the open event.
event      JSON  Contains details about the open event.

Opensnoop Event

Field        Type    Description
pid          INT     The process ID of the calling process.
tgid         INT     The thread group ID of the calling process.
ppid         INT     The parent process ID of the calling process.
cgroup_id    STRING  The ID of the control group of the calling process.
cgroup_name  STRING  The name of the control group of the calling process.
uid          INT     The ID of the user who triggered the open.
gid          INT     The group ID of the user who triggered the open.
latency_ns   INT     How long the open took to complete, in nanoseconds.
fd           INT     The file descriptor of the opened file.
comm         STRING  The command name of the calling process.
path         STRING  The path of the opened file.

Example query:

You can query this collection using the SQL Editor.

SELECT
  timestamp,
  seq_no,
  event->>'$.pid' AS pid,
  event->>'$.tgid' AS tgid,
  event->>'$.ppid' AS ppid,
  event->>'$.cgroup_id' AS cgroup_id,
  event->>'$.cgroup_name' AS cgroup_name,
  event->>'$.uid' AS uid,
  event->>'$.gid' AS gid,
  CAST(event->>'$.latency_ns' AS INT) AS latency_ns,
  event->>'$.fd' AS fd,
  event->>'$.comm' AS comm,
  event->>'$.path' AS path
FROM opensnoop
ORDER BY seq_no DESC

Key Details:

JSON Path Extraction

  • The syntax event->>'$.property_name' extracts a property from the JSON event object and returns it as plain text, without the surrounding JSON quotes.

CAST Function

  • latency_ns is cast to an integer because the ->> operator returns it as a string. The conversion ensures the value can be sorted, aggregated, and charted numerically.
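The two points above combine naturally into an audit query. The following is an added example, not a query from the package page: it extracts comm, uid, cgroup_name and path from the event, filters on a few path patterns, and aggregates the matches per process and user, with first and last seen times. The path patterns (/etc/shadow, .ssh directories, AWS credential files) are assumptions chosen for illustration; replace them with the paths that matter in your environment.

```sql
-- Added example: which processes and users opened sensitive paths,
-- how often, and when. Path patterns are assumptions for illustration.
SELECT
  event->>'$.comm' AS comm,
  CAST(event->>'$.uid' AS INT) AS uid,          -- ->> yields text, so cast
  event->>'$.cgroup_name' AS cgroup_name,       -- container / service context
  event->>'$.path' AS path,
  COUNT(*) AS open_count,
  MIN(timestamp) AS first_seen,
  MAX(timestamp) AS last_seen
FROM opensnoop
WHERE event->>'$.path' LIKE '/etc/shadow%'
   OR event->>'$.path' LIKE '%/.ssh/%'
   OR event->>'$.path' LIKE '%/.aws/credentials'
GROUP BY comm, uid, cgroup_name, path
ORDER BY open_count DESC
```

Because the filter runs on the extracted text, a LIKE pattern is enough to match a path prefix or a directory component; casting uid lets you add a numeric condition (for example, uid <> 0) to the WHERE clause without string comparison surprises.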

Examples

All examples use opensnoop as the collection name. Change the collection name to match your collection.

Visualize the number of file opens grouped by process

SELECT
  event->>'$.comm' AS comm,
  COUNT(*) AS open_count
FROM opensnoop
GROUP BY comm
ORDER BY open_count DESC

Chart Configuration:

Chart type: Categorical Chart


Visualize top 10 files opened on system

SELECT
  event->>'$.path' AS path,
  COUNT(*) AS open_count
FROM opensnoop
GROUP BY path
ORDER BY open_count DESC
LIMIT 10

Chart Configuration:

Chart type: Bar Chart


Visualize file opens as they happen

SELECT
  timestamp,
  CAST(event->>'$.latency_ns' AS INT) AS latency_ns
FROM opensnoop

Chart Configuration:

Chart type: Bar Chart


List all file open syscalls in order

SELECT
  timestamp,
  event->>'$.path' AS path
FROM opensnoop
ORDER BY timestamp DESC

Grid Result:


View all files opened by a process

SELECT
  event->>'$.comm' AS comm,
  event->>'$.path' AS path,
  COUNT(*) AS open_count
FROM opensnoop
WHERE event->>'$.comm' LIKE '%postgres%'
GROUP BY comm, path
ORDER BY open_count DESC
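For troubleshooting rather than auditing, the latency_ns field is the one to aggregate. The following is an added example, not a query from the package page: it finds opens that took longer than a threshold and summarises them per control group and command, so slow storage or contended files show up against the container or service that hit them. The 1 ms threshold (1000000 ns) and the LIMIT are assumptions; tune them to your workload.

```sql
-- Added example: slow opens (above an assumed 1 ms threshold) per
-- control group and command, with count, maximum and average latency.
SELECT
  event->>'$.cgroup_name' AS cgroup_name,
  event->>'$.comm' AS comm,
  COUNT(*) AS slow_open_count,
  MAX(CAST(event->>'$.latency_ns' AS INT)) AS max_latency_ns,
  AVG(CAST(event->>'$.latency_ns' AS INT)) AS avg_latency_ns
FROM opensnoop
WHERE CAST(event->>'$.latency_ns' AS INT) > 1000000   -- 1 ms in nanoseconds
GROUP BY cgroup_name, comm
ORDER BY slow_open_count DESC
LIMIT 20
```

The cast appears in both the WHERE clause and the aggregates because the raw value is text; comparing the uncast string against a number would sort lexically rather than numerically.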

Grid Result:
