Add an auditd-based process tracker event artifact for Linux #3546
Conversation
This is really good! Thanks for this artifact
timestamp(
string=Timestamp) AS start_time,
NULL AS end_time
FROM scope()
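Review bot: the `SELECT ... FROM scope()` subquery in this hunk exists only to build a single row, so, as the reviewer notes, a `dict()` call does the same job without running a subquery for every update, e.g. `dict(start_time=timestamp(string=Timestamp), end_time=NULL)`; the same applies to the mirror branch that sets `end_time` and leaves `start_time` NULL.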
You probably dont need a SELECT here - just use a dict() directly?
I agree, but I am not sure that the result will be any better or more readable?
NULL AS start_time,
timestamp(
string=Timestamp) AS end_time
FROM scope()
Same here - generally SELECT from scope() means it is not needed
- Refer to auditctl using absolute path
- Check whether /sbin/auditctl exists
- All commands now depend on auditctl to exist before doing anything
- Add a number of informational log messages
- Let user specify auditctl path (it may also be in /usr/sbin/auditctl)
- Add missing 'install' command in apt-get
- Move preconditions that didn't really do anything from WHERE to a guard around the whole query (execves ran anyway)
In particular, include all UIDs, making the output from process_tracker_pslist(), as well as the raw updates sent in the event artifact, far more useful in investigations.
This artifact provides updates to the process tracker in a very similar fashion as *Windows.Events.TrackProcesses*. It uses the integrated `audit()` function and inserts rules as it runs, and removes them in an `atexit()` call. I haven't found a way to audit process exits when neither "exit" nor "exit_group" are called by the process. Auditing the syscalls "sigreturn"/"rt_sigreturn" does not seem to help. I haven't created any test code, as this would probably require mocking code in Go. I'll give it a shot if needed.
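The tracking logic the description outlines, as an added example that is not part of this PR or of Velociraptor itself: a small Python parser that turns raw auditd SYSCALL records into start/exit updates of the start_time/end_time shape the artifact emits, carries every UID field rather than only `uid` (the point of the "include all UIDs" commit), and reports pids that were exec'd but never seen exiting, which is the gap for signal-killed processes the description mentions. The sample records, the update field names and the x86_64 syscall numbers are constructed assumptions.

```python
import re

# Constructed auditd SYSCALL records (not real logs). x86_64 syscall numbers are
# assumed: 59 = execve, 231 = exit_group. pid 4321 (sudo) execs with uid=1000 but
# euid=0; pid 4322 (sleep) is later killed by a signal and never hits exit/exit_group.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=4321 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="procs"
type=SYSCALL msg=audit(1700000000.102:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=4322 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sleep" exe="/usr/bin/sleep" key="procs"
type=SYSCALL msg=audit(1700000005.300:4010): arch=c000003e syscall=231 success=yes exit=0 ppid=1200 pid=4321 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="procs"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
START_SYSCALLS = {59, 322}  # execve, execveat (x86_64)
END_SYSCALLS = {60, 231}    # exit, exit_group (x86_64)
UID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid")  # keep every UID, not just uid


def parse_record(line):
    """Return a dict of fields for a type=SYSCALL record, or None for anything else."""
    m = MSG_RE.search(line)
    if not line.startswith("type=SYSCALL") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = float(m.group(1))  # epoch seconds, the artifact's Timestamp
    return fields


def tracker_updates(log_text):
    """Turn SYSCALL records into start/exit updates (start_time set on exec,
    end_time set on exit). Also returns the pids that were started but never seen
    exiting, which is exactly the gap the PR description notes."""
    updates, running = [], {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("success") != "yes":
            continue
        nr = int(rec["syscall"])
        if nr in START_SYSCALLS:
            upd = {"update_type": "start", "id": rec["pid"], "parent_id": rec["ppid"],
                   "start_time": rec["ts"], "end_time": None,
                   "data": {"exe": rec.get("exe"), "comm": rec.get("comm"),
                            **{f: rec.get(f) for f in UID_FIELDS}}}
            running[rec["pid"]] = upd
            updates.append(upd)
        elif nr in END_SYSCALLS:
            updates.append({"update_type": "exit", "id": rec["pid"], "parent_id": rec["ppid"],
                            "start_time": None, "end_time": rec["ts"], "data": {}})
            running.pop(rec["pid"], None)
    return updates, running
```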