Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for processing KILL syscall #6435

Merged
merged 2 commits into from Jul 21, 2020
Merged

Add support for processing KILL syscall #6435

merged 2 commits into from Jul 21, 2020

Conversation

prateeknischal
Copy link
Contributor

@prateeknischal prateeknischal commented May 9, 2020
edited

Add support for processing KILL, TKILL and TGKILL syscalls. The first
message of the SYSCALL message type is handled in a similar way as
EXECVE as the structure is more or less the same.

Three additional fields are parsed from the message which are "ses"
(session of the process), "comm" (the command that was executed, eg: the
script name in case of a /bin/bash invoke) and "tty" (the controlling
terminal for the process). These fields will not be published though
since the table schema doesn't support it at the moment.

The above feature is activated using the

--audit_allow_kill_process_events=true

Sample columns:

"columns": {
  "atime": "1589007635",
  "auid": "4294967295",
  "btime": "0",
  "cmdline": "",
  "ctime": "1587237608",
  "cwd": "",
  "egid": "1000",
  "euid": "1000",
  "fsgid": "1000",
  "fsuid": "1000",
  "gid": "1000",
  "mode": "0755",
  "mtime": "1586904788",
  "owner_gid": "",
  "owner_uid": "",
  "parent": "4781",
  "path": "/home/p0n002h/code-server-3.1.1-linux-x86_64/node",
  "pid": "4795",
  "sgid": "1000",
  "suid": "1000",
  "syscall": "kill",
  "time": "1589052835",
  "uid": "1000",
  "uptime": "26902"
}

@prateeknischal
Copy link
Contributor Author

prateeknischal commented May 9, 2020
edited

Hi, this PR adds the capability of capturing KILL syscall and publish those results in the process_events table. I see that there are 2 problems while capturing the syscall.

  • There process_events schema will need to add a couple of fields that are disjoint to the KILL syscall, for example, ses, comm and possibly tty. This information will help in getting more information on the event. Since, it's a kill syscall, this netlink message would be the last place where we can get information about the process, so we should try to get as much as possible while we are at it.
  • There is another message type in the sequence, OBJ_PID that contains information about the target process to which the syscall was sent. Again, since it's a kill syscall, this would be the last time we would be able to get that info. We should think about adding some more fields to add that information.

References:

@prateeknischal
Add support for processing KILL syscall
ce95d68 
Add support for processing KILL, TKILL and TGKILL syscalls. The first
message of the SYSCALL message type is handled in a similar way as
EXECVE as the structure is more or less the same.

Three additional fields are parsed from the message which are "ses"
(session of the process), "comm" (the command that was executed, eg: the
script name in case of a /bin/bash invoke) and "tty" (the controlling
terminal for the process). These fields will not be published though
since the table schema doesn't support it at the moment.

The above feature is activated using the
    --audit_allow_kill_process_events=true

Sample columns:
```
"columns": {
  "atime": "1589007635",
  "auid": "4294967295",
  "btime": "0",
  "cmdline": "",
  "ctime": "1587237608",
  "cwd": "",
  "egid": "1000",
  "euid": "1000",
  "fsgid": "1000",
  "fsuid": "1000",
  "gid": "1000",
  "mode": "0755",
  "mtime": "1586904788",
  "owner_gid": "",
  "owner_uid": "",
  "parent": "4781",
  "path": "/home/p0n002h/code-server-3.1.1-linux-x86_64/node",
  "pid": "4795",
  "sgid": "1000",
  "suid": "1000",
  "syscall": "kill",
  "time": "1589052835",
  "uid": "1000",
  "uptime": "26902"
}
```

Note that the TGKILL syscall is recommended to not be used from the
linux manpages.
@prateeknischal
Add target process information on a KILL syscall
32c57e0 
The audit messages for KILL contains a message of the type OBJ_PID that
contains information about the process on which the KILL syscall was
issued to.

Add fields ocomm, oauid and oses to the AuditEvent.

Note: This will not be published in the SQL tables as the moment because
the schema isn't modified to accomodate it.
@theopolis theopolis added events Related to osquery's evented tables or eventing subsystem Linux feature labels May 25, 2020
alessandrogario
alessandrogario reviewed May 27, 2020
View reviewed changes
osquery/tables/events/tests/linux/process_events_tests.cpp
TEST_F(ProcessEventsTests, kill_syscall_event_processing) {
// clang-format off
const RawAuditEvent kSampleKillEvent = {
{ 1300, "audit(1588703361.452:26860): arch=c000003e syscall=62 success=yes exit=0 a0=6334 a1=f a2=0 a3=7f8b95cbbcc0 items=0 ppid=6198 pid=6199 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=5 comm=\"bash\" exe=\"/bin/bash\" key=226B696C6C73686F7422" },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the three kill system calls all generating the same records? Is the 'syscall' field value the only difference between the different events that we could encounter?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you taking a look at the PR.

Since KILL is also a syscall (the other 2 as well), I believe they should present the same audit record type 1300 and with similar structure. I haven't explicitly tested TKILL and TGKILL. I will try to produce those audit events as well.

@theopolis theopolis merged commit cd11220 into osquery:master Jul 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alessandrogario alessandrogario alessandrogario left review comments

@theopolis theopolis theopolis approved these changes

Assignees

@alessandrogario alessandrogario

Labels
events Related to osquery's evented tables or eventing subsystem feature Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@prateeknischal @theopolis @alessandrogario