New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for processing KILL syscall #6435
Add support for processing KILL syscall #6435
Conversation
e39c2fe
to
9dfc9cb
Compare
Hi, this PR adds the capability of capturing
References: |
Add support for processing KILL, TKILL and TGKILL syscalls. The first message of the SYSCALL message type is handled in a similar way as EXECVE as the structure is more or less the same. Three additional fields are parsed from the message which are "ses" (session of the process), "comm" (the command that was executed, eg: the script name in case of a /bin/bash invoke) and "tty" (the controlling terminal for the process). These fields will not be published though since the table schema doesn't support it at the moment. The above feature is activated using the --audit_allow_kill_process_events=true Sample columns: ``` "columns": { "atime": "1589007635", "auid": "4294967295", "btime": "0", "cmdline": "", "ctime": "1587237608", "cwd": "", "egid": "1000", "euid": "1000", "fsgid": "1000", "fsuid": "1000", "gid": "1000", "mode": "0755", "mtime": "1586904788", "owner_gid": "", "owner_uid": "", "parent": "4781", "path": "/home/p0n002h/code-server-3.1.1-linux-x86_64/node", "pid": "4795", "sgid": "1000", "suid": "1000", "syscall": "kill", "time": "1589052835", "uid": "1000", "uptime": "26902" } ``` Note that the TGKILL syscall is recommended to not be used from the linux manpages.
9dfc9cb
to
ce95d68
Compare
The audit messages for KILL contains a message of the type OBJ_PID that contains information about the process on which the KILL syscall was issued to. Add fields ocomm, oauid and oses to the AuditEvent. Note: This will not be published in the SQL tables as the moment because the schema isn't modified to accomodate it.
TEST_F(ProcessEventsTests, kill_syscall_event_processing) { | ||
// clang-format off | ||
const RawAuditEvent kSampleKillEvent = { | ||
{ 1300, "audit(1588703361.452:26860): arch=c000003e syscall=62 success=yes exit=0 a0=6334 a1=f a2=0 a3=7f8b95cbbcc0 items=0 ppid=6198 pid=6199 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=5 comm=\"bash\" exe=\"/bin/bash\" key=226B696C6C73686F7422" }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the three kill
system calls all generating the same records? Is the 'syscall' field value the only difference between the different events that we could encounter?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you taking a look at the PR.
Since KILL
is also a syscall (the other 2 as well), I believe they should present the same audit record type 1300 and with similar structure. I haven't explicitly tested TKILL
and TGKILL
. I will try to produce those audit events as well.
Add support for processing KILL, TKILL and TGKILL syscalls. The first
message of the SYSCALL message type is handled in a similar way as
EXECVE as the structure is more or less the same.
Three additional fields are parsed from the message which are "ses"
(session of the process), "comm" (the command that was executed, eg: the
script name in case of a /bin/bash invoke) and "tty" (the controlling
terminal for the process). These fields will not be published though
since the table schema doesn't support it at the moment.
The above feature is activated using the
Sample columns: