12/16/2020, 6:22 PM
What kind of system calls would you like to trace?

Rares Ion

02/08/2021, 4:17 PM
Hello, I am trying to build a host-based intrusion detection system for my 3rd-year project. I am trying to get the system calls that an application usually makes, like execve, mmap, read, write, delete, fork, pipe, permission changes, etc., but I am not interested in the syscalls regarding sockets. I have made the query: "query": "SELECT pid, path, syscall, mode, cmdline, cmdline_size, cwd, uid, gid, parent, time, uptime FROM process_events;", in the config files, but the only system call it returns is execve for some reason. Do you know why this is happening? 😕


02/08/2021, 4:21 PM
Hey @Rares Ion, yes, this is normal: only a specific set of system calls is captured by osquery. This can normally be tweaked a little with some configuration flags, but it's always mostly about process execution and sockets.
4:23 PM
You could implement your own table as an extension using osquery-go, osquery-python or the native C++ SDK.
4:26 PM
For the event source, you can either use BPF (with our BPF libraries, in C++; or with BCC, in C++ or Python) or Audit, by writing an audisp plugin (first tutorial found on Google): https://security-plus-data-science.blogspot.com/2017/04/writing-basic-audispd-plugin.html
4:26 PM
If you are OK with C++, our BPF libraries are probably the easiest route, since you can just point them at any system call and they will return everything.
4:27 PM
And you can also optionally trace libraries/binaries system-wide: https://asciinema.org/a/ZIxGquPIQdG2aAZdO5nNV2cCw