alessandrogario
04/11/2020, 3:25 PM
__NR_kill in the std::unordered_sets and then enable handling of the event

osquery/tables/events/linux/process_events.cpp
- Add __NR_kill to kSyscallNameMap
- Update the `else` case in `if (is_exec_syscall) {`

osquery/events/linux/process_events.h
- Add kKillProcessEventsSyscalls with __NR_kill

osquery/events/linux/auditdnetlink.cpp
Inside `if (FLAGS_audit_allow_process_events) {`
Add
for (int syscall : kKillProcessEventsSyscalls) {
  monitored_syscall_list_.insert(syscall);
}

Additional updates
- Could be worth adding a `audit_allow_kill_process_events` flag
- There are other kill syscalls that may be interesting to support

--verbose
and see what happens

Prateek Kumar Nischal
04/11/2020, 5:59 PM
--audit_debug=true
should anyways print those raw audit logs right..