Clarify Property Definitions on Process Object #47

Closed
ikiril01 opened this issue Nov 22, 2017 · 8 comments
Comments

@ikiril01

Jason had some confusion with regards to the process image name vs filename vs command line on the Cyber Observable Process Object and when you'd use each, so we should try to clarify the descriptions of these properties as necessary.

@ikiril01

So I think the biggest issue here is that the name property is duplicative with respect to binary_ref.name. Given that the "name" of a process tends to almost always be the filename of the binary, I would suggest that we deprecate name.

@ikiril01

ikiril01 commented Nov 27, 2017

As far as command_line, I would suggest updating the description from the existing:

"Specifies the full command line used in executing the process, including the process name (depending on the operating system)."

To the new version:

"Specifies the full command line used in executing the process, including the process name (which may be specified individually via the binary_ref.name property) and any arguments."

@ikiril01

FYI, this is what Osquery has for these properties:

name | TEXT | The process path or shorthand argv[0]
path | TEXT | Path to executed binary
cmdline | TEXT | Complete argv

@johnwunder

I've had this same question, definitely agree with fixing this for 2.1.

@treyka

treyka commented Nov 29, 2017

There are plenty of cases where a process name doesn't align with the binary filepath. For example, in *nix, where you have one binary with a number of different executable symlinks pointing to it and the binary alters its behavior based on how it's called (i.e., argv[0]). Similarly, in Windows™ where you have a callable DLL (with a main() function) with symbolic links as in the previous example.

@ikiril01

ikiril01 commented Nov 30, 2017

@treyka interesting. I ran an experiment on this on my MacBook, and at least in OS X it looks like the name of the symlink is captured in the command-line (CMD) but not the name of the process.

ikirillov@foo-PC:~$ top
58548  iBooks     
ikirillov@foo-PC:~$ ps -p 58548
  PID TTY           TIME CMD
58548 ttys010    0:01.00 ./iBooks-foo
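The symlink case treyka raises, and the iBooks-foo experiment above, as an added example (not code from the STIX project): it maps argv[0] and the resolved binary path onto the two properties the thread settles on, command_line and binary_ref.name, and flags when the invoked name and the binary name disagree. The temp-directory symlink and the argv values are constructed for the demo.

```python
import os
import shlex
import tempfile

# Added example, not from the STIX project. Property names follow the thread:
# binary_ref.name for the executed binary, command_line for the full argv.
# Requires Python 3.8+ for shlex.join.


def build_process_observable(argv, exe_path):
    """Map argv and the resolved binary path onto the two properties discussed.

    argv[0] is whatever the process was invoked as (possibly a symlink name);
    exe_path is the real binary, as a collector would read it from the OS.
    """
    binary = {"type": "file", "name": os.path.basename(exe_path)}
    return {
        "type": "process",
        "command_line": shlex.join(argv),  # argv[0] plus arguments, shell-quoted
        "binary_ref": binary,  # inlined here; a real bundle would use a reference
    }


def invoked_as_differs_from_binary(argv, exe_path):
    """True when the name in argv[0] is not the binary's filename.

    A mismatch is expected for multi-call binaries reached via symlinks, but it
    is also what a renamed or masqueraded process looks like, so a collector
    should surface both names rather than silently keeping one.
    """
    return os.path.basename(argv[0]) != os.path.basename(exe_path)


def symlink_demo():
    """Constructed on-disk reproduction of the thread's iBooks-foo experiment."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "iBooks")
        link = os.path.join(tmp, "iBooks-foo")
        open(real, "w").close()
        os.symlink(real, link)
        argv = ["./iBooks-foo"]            # what ps shows in the CMD column
        exe_path = os.path.realpath(link)  # the file the kernel actually executed
        return build_process_observable(argv, exe_path)


if __name__ == "__main__":
    print(symlink_demo())
```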

@ikiril01

ikiril01 commented Jul 3, 2019

@jordan2175 it looks like we've already made these changes to the Process SCO (name has been deprecated, the description for command_line has been updated, etc.), so there's nothing else that needs to be done here.

@jordan2175

Looks like this was done some time back. Closing.
