Hello,
I want to capture and store somewhere what commands the user has entered in the terminal, like (ls, whoami, nmap) or any executable script like /tmp/x.sh.
I'm using the fish terminal.
So I'm getting the result after parsing in userspace as:
"Event from CPU 3: pid=4766 uid=1000 comm="fish\0\0\0\0\0\0\0\0\0\0\0\0"
[INFO rwatch::rule_engine] received command: fish"
So I'm not able to find any way to capture what the user has hit in the terminal.
Please, I need some guidance regarding this.
I have generated the project template using aya-template.
```rust
// this is in ebpf space
use aya_ebpf::{
    helpers::{bpf_get_current_comm, bpf_get_current_pid_tgid, bpf_get_current_uid_gid},
    macros::{map, tracepoint},
    maps::PerfEventArray,
    programs::TracePointContext,
};
use rwatch_common::ExecEvent; // shared repr(C) struct { pid: u32, uid: u32, comm: [u8; 16] } (crate name assumed)

// Per-CPU perf buffer that the userspace side drains.
#[map]
static mut EVENTS: PerfEventArray<ExecEvent> = PerfEventArray::new(0);

#[tracepoint]
pub fn rwatch(ctx: TracePointContext) -> u32 {
    match try_rwatch(ctx) {
        Ok(ret) => ret,
        Err(ret) => ret,
    }
}

fn try_rwatch(ctx: TracePointContext) -> Result<u32, u32> {
    let pid_tgid = bpf_get_current_pid_tgid();
    let pid = (pid_tgid >> 32) as u32; // upper half is the tgid, i.e. the pid as seen from userspace
    let uid_gid = bpf_get_current_uid_gid();
    let uid = (uid_gid & 0xFFFF_FFFF) as u32; // lower half is the uid
    // comm is the 16-byte, NUL-padded name of the task that is *calling* the syscall (the shell),
    // not the program being executed.
    let comm = bpf_get_current_comm().unwrap_or([0; 16]);
    let event = ExecEvent { pid, uid, comm };
    unsafe {
        let events = core::ptr::addr_of_mut!(EVENTS);
        (*events).output(&ctx, &event, 0);
    }
    Ok(0)
}
```
```rust
// below is in userspace (inside the template's async main, which returns a Result)
use aya::maps::perf::{AsyncPerfEventArray, PerfBufferError};
use aya::util::online_cpus;
use bytes::BytesMut;
use rwatch_common::ExecEvent; // same shared struct as the eBPF side (crate name assumed)
use tokio::task;

// One reader task per online CPU, as generated by aya-template.
let mut perf_array = AsyncPerfEventArray::try_from(ebpf.take_map("EVENTS").unwrap())?;
for cpu_id in online_cpus().map_err(|(_, error)| error)? {
    let mut buf = perf_array.open(cpu_id, None)?;
    task::spawn(async move {
        let mut buffers = (0..10)
            .map(|_| BytesMut::with_capacity(1024))
            .collect::<Vec<_>>();
        loop {
            let events = buf.read_events(&mut buffers).await?;
            for i in 0..events.read {
                let bytes = &buffers[i];
                // Guard against short samples before reinterpreting the bytes.
                if bytes.len() < std::mem::size_of::<ExecEvent>() {
                    continue;
                }
                let event = unsafe { std::ptr::read_unaligned(bytes.as_ptr() as *const ExecEvent) };
                println!(
                    "Event from CPU {}: pid={} uid={} comm={:?}",
                    cpu_id,
                    event.pid,
                    event.uid,
                    std::str::from_utf8(&event.comm).unwrap_or("<invalid utf8>")
                );
            }
        }
        #[allow(unreachable_code)]
        Ok::<_, PerfBufferError>(())
    });
}
```
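Added example, not code from the issue or from the aya project. The output quoted above shows why the command never appears: `bpf_get_current_comm()` returns the 16-byte, NUL-padded name of the task that is calling execve, which at `sys_enter_execve` is still the shell (`fish`), and formatting the whole array is what prints the `\0` padding. To record what was executed, the eBPF side has to read the execve `filename` argument (on the `syscalls/sys_enter_execve` tracepoint it is the pointer at offset 16 of the context, readable with `ctx.read_at::<*const u8>(16)` and copied with `bpf_probe_read_user_str_bytes`; confirm the offset against `/sys/kernel/tracing/events/syscalls/sys_enter_execve/format`) into an extra fixed-size field of the shared event. The block below is the userspace half of that design using only std: a hypothetical extended `ExecEvent` with a `filename: [u8; 256]` field, a decoder that stops at the first NUL instead of printing the padding, and a constructed sample event standing in for what the kernel side would emit. For auditing, treat `comm` as informational only (it is truncated to 15 characters and a process can change its own with prctl) and key detections on the execve path and argv instead.

```rust
// Added example (not from the issue or from aya): decode an exec event that carries the
// execve filename in addition to the 16-byte comm. The layout is assumed to match a
// hypothetical extended repr(C) ExecEvent shared between the eBPF program and userspace.
const COMM_LEN: usize = 16;
const PATH_LEN: usize = 256;

#[repr(C)]
#[derive(Clone, Copy)]
pub struct ExecEvent {
    pub pid: u32,
    pub uid: u32,
    pub comm: [u8; COMM_LEN],     // bpf_get_current_comm(): the caller (e.g. "fish"), NUL padded
    pub filename: [u8; PATH_LEN], // what the eBPF side would copy with bpf_probe_read_user_str_bytes
}

/// Decoded, owned view of one event suitable for logging or rule evaluation.
#[derive(Debug, PartialEq)]
pub struct ExecRecord {
    pub pid: u32,
    pub uid: u32,
    pub comm: String,
    pub filename: String,
}

/// Interpret a NUL-padded fixed-size buffer as text, stopping at the first NUL.
pub fn cstr_lossy(buf: &[u8]) -> String {
    let end = buf.iter().position(|&b| b == 0).unwrap_or(buf.len());
    String::from_utf8_lossy(&buf[..end]).into_owned()
}

/// Decode one record from a perf buffer sample; returns None on a short sample.
pub fn decode_event(bytes: &[u8]) -> Option<ExecRecord> {
    if bytes.len() < std::mem::size_of::<ExecEvent>() {
        return None;
    }
    // SAFETY: length checked above; ExecEvent is repr(C) plain data with no invalid bit patterns.
    let ev = unsafe { std::ptr::read_unaligned(bytes.as_ptr() as *const ExecEvent) };
    Some(ExecRecord {
        pid: ev.pid,
        uid: ev.uid,
        comm: cstr_lossy(&ev.comm),
        filename: cstr_lossy(&ev.filename),
    })
}

/// Build the raw bytes the eBPF side would emit; used here as constructed sample input.
pub fn sample_event(pid: u32, uid: u32, comm: &str, filename: &str) -> Vec<u8> {
    let mut ev = ExecEvent { pid, uid, comm: [0; COMM_LEN], filename: [0; PATH_LEN] };
    // Keep the last byte as a terminating NUL, as the kernel helpers do.
    let c = comm.as_bytes();
    let n = c.len().min(COMM_LEN - 1);
    ev.comm[..n].copy_from_slice(&c[..n]);
    let f = filename.as_bytes();
    let n = f.len().min(PATH_LEN - 1);
    ev.filename[..n].copy_from_slice(&f[..n]);
    // SAFETY: ExecEvent is repr(C) plain data, so viewing it as bytes is well defined.
    unsafe {
        std::slice::from_raw_parts(
            &ev as *const ExecEvent as *const u8,
            std::mem::size_of::<ExecEvent>(),
        )
        .to_vec()
    }
}

fn main() {
    // Constructed sample: pid/uid from the issue's output, path chosen for illustration.
    let raw = sample_event(4766, 1000, "fish", "/usr/bin/nmap");
    match decode_event(&raw) {
        Some(rec) => println!(
            "pid={} uid={} comm={} exec={}",
            rec.pid, rec.uid, rec.comm, rec.filename
        ),
        None => eprintln!("short event"),
    }
}
```

In the per-CPU reader task, `decode_event` replaces the `read_unaligned` plus `println!` pair, and `cstr_lossy` is worth applying to `comm` even before the extra field exists, since it removes the `\0` padding from the log line.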