#general

alessandrogario

04/11/2020, 3:25 PM
@Prateek Kumar Nischal that event will never be picked up unless osquery is updated to parse it
3:35 PM
You can start by updating the following files: osquery/tables/events/linux/process_events.cpp osquery/events/linux/process_events.h osquery/events/linux/auditdnetlink.cpp
3:36 PM
It is mostly adding the `__NR_kill` in the std::unordered_sets and then enabling handling of the event
3:37 PM
osquery/tables/events/linux/process_events.cpp
  - Add __NR_kill to kSyscallNameMap
  - Update the `else` case in `if (is_exec_syscall) {`

osquery/events/linux/process_events.h
  - Add kKillProcessEventsSyscalls with __NR_kill

osquery/events/linux/auditdnetlink.cpp
  Inside `if (FLAGS_audit_allow_process_events) {`

  Add
    for (int syscall : kKillProcessEventsSyscalls) {
      monitored_syscall_list_.insert(syscall);
    }

Additional updates
 - Could be worth adding a `audit_allow_kill_process_events` flag
 - There are other kill syscalls that may be interesting to support
3:37 PM
Then you may want to test it with `--verbose` and see what happens

Prateek Kumar Nischal

04/11/2020, 5:59 PM
Awesome, thanks for the reply. I was guessing there wasn't an implementation for parsing the KILL syscall. But I have one question: why weren't there any events when there were 3 rules, execve, execveat and kill? From what I am guessing, if there aren't processors for kill, it should just have ignored those events, and `--audit_debug=true` should print those raw audit logs anyway, right?
5:59 PM
And I will certainly try to contribute back 😄