@yeet/opensnoop
0.1.0
opensnoop is a utility for tracing and logging open system calls as they happen. It captures essential details such as file names, the execution context of the calling process, and user information with close to zero performance overhead. It is suited to auditing third-party dependencies, troubleshooting file permission errors, and compliance monitoring for FIPS, PCI DSS, FedRAMP and SOC 2.
Installation
Use yeet to install this package
sudo yeet install opensnoop
Version 0.1.0 | License: Dual BSD / GPL | Visibility: Public
Get Started
1. Install yeet
2. Deploy opensnoop
3. Create a collection
4. Monitor events
Data Schema
Each time an open syscall occurs, a new row is added to the collection with the following schema:
Field | Type | Description |
---|---|---|
timestamp | DATE | The time when the open syscall occurred. |
seq_no | INT | A sequential number for the open event. |
event | JSON | Contains details about the open event. |
Opensnoop Event
Field | Type | Description |
---|---|---|
pid | INT | The process ID of the calling process. |
tgid | INT | The thread group ID of the calling process. |
ppid | INT | The parent process ID of the calling process. |
cgroup_id | STRING | The ID of the control group of the calling process. |
cgroup_name | STRING | The name of the control group of the calling process. |
uid | INT | The ID of the user who triggered the open. |
gid | INT | The group ID of the user who triggered the open. |
latency_ns | INT | How long the open took to complete in nanoseconds. |
fd | INT | The file descriptor of the opened file. |
comm | STRING | The command name of the calling process. |
path | STRING | The path of the opened file. |
Example query:
You can query this collection using the SQL Editor.
SELECT
timestamp,
seq_no,
event->>'$.pid' AS pid,
event->>'$.tgid' AS tgid,
event->>'$.ppid' AS ppid,
event->>'$.cgroup_id' AS cgroup_id,
event->>'$.cgroup_name' AS cgroup_name,
event->>'$.uid' AS uid,
event->>'$.gid' AS gid,
CAST(event->>'$.latency_ns' AS INT) AS latency_ns,
event->>'$.fd' AS fd,
event->>'$.comm' AS comm,
event->>'$.path' AS path
FROM opensnoop
ORDER BY seq_no DESC
Key Details:
- JSON Path Extraction: the syntax event->>'$.property_name' extracts a property from the JSON event object; the result is returned as text, so property values do not need to be enclosed in quotes.
- CAST Function: latency_ns is cast to an integer, because the extracted value is initially treated as a string. The conversion ensures it can be correctly visualized or processed numerically.
Examples
All examples use opensnoop as the collection name. Change the collection name to match your collection.
Visualize the number of file opens grouped by process
SELECT
event->>'$.comm' AS comm,
COUNT(*) AS open_count
FROM opensnoop
GROUP BY comm
ORDER BY open_count DESC
Chart Configuration:
Chart type: Categorical Chart
Visualize top 10 files opened on system
SELECT
event->>'$.path' AS path,
COUNT(*) AS open_count
FROM opensnoop
GROUP BY path
ORDER BY open_count DESC
LIMIT 10
Chart Configuration:
Chart type: Bar Chart
Visualize file opens as they happen
SELECT
timestamp,
CAST(event->>'$.latency_ns' AS INT) AS latency_ns
FROM opensnoop
Chart Configuration:
Chart type: Bar Chart
List all file open syscalls in order
SELECT
timestamp,
event->>'$.path' AS path
FROM opensnoop
ORDER BY timestamp DESC
Grid Result:
View all files opened by a process
SELECT
event->>'$.path' AS path,
COUNT(*) AS open_count
FROM opensnoop
WHERE event->>'$.comm' LIKE '%postgres%'
GROUP BY path
ORDER BY open_count DESC
Grid Result:
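Audit opens of credential-bearing paths

An added example, not part of the package's own documentation: it lists every open of a small set of sensitive paths together with the process, user and cgroup context the event carries, excluding an allowlist of processes expected to touch them. It assumes the collection is named opensnoop and that the SQL Editor accepts the JSON path syntax shown above; the path patterns and the allowlist are placeholders to adapt to your environment.

```sql
-- Added example (not from the package docs): audit opens of sensitive files.
-- Assumes the collection is named opensnoop and uses the event schema above.
-- ->> yields text, so numeric fields are CAST as in the package's own query.
SELECT
  timestamp,
  event->>'$.comm'              AS comm,
  CAST(event->>'$.pid' AS INT)  AS pid,
  CAST(event->>'$.uid' AS INT)  AS uid,
  event->>'$.cgroup_name'       AS cgroup_name,
  event->>'$.path'              AS path
FROM opensnoop
WHERE (
     event->>'$.path' LIKE '/etc/shadow%'        -- placeholder sensitive paths
  OR event->>'$.path' LIKE '%/.ssh/%'
  OR event->>'$.path' LIKE '%/.aws/credentials'
)
  -- placeholder allowlist of processes expected to read these files;
  -- anything else opening them is worth a look
  AND event->>'$.comm' NOT IN ('sshd', 'passwd', 'sudo')
ORDER BY timestamp DESC
```

Grid Result: one row per unexpected open, newest first; group by comm and uid to see which processes and users account for the hits.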