Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
alessandrogario
04/11/2020, 3:25 PM@Prateek Kumar Nischal that event will never be picked up unless osquery is updated to parse it
You can start by updating the following files:
osquery/tables/events/linux/process_events.cpp
osquery/events/linux/process_events.h
osquery/events/linux/auditdnetlink.cpp
It is mostly adding the
__NR_killosquery/tables/events/linux/process_events.cpp
- Add __NR_kill to kSyscallNameMap
- Update the `else` case in `if (is_exec_syscall) {`
osquery/events/linux/process_events.h
- Add kKillProcessEventsSyscalls with __NR_kill
osquery/events/linux/auditdnetlink.cpp
Inside `if (FLAGS_audit_allow_process_events) {`
Add
for (int syscall : kKillProcessEventsSyscalls) {
monitored_syscall_list_.insert(syscall);
}
Additional updates
- Could be worth adding a `audit_allow_kill_process_events` flag
- There are other kill syscalls that may be interesting to supportThen you may want to test it with
--verbosep
Prateek Kumar Nischal
04/11/2020, 5:59 PMAwesome, thanks for the reply. I was guessing there wasn't an implementation for parsing the KILL syscall. But, I have one question, why weren;t there any events when there was 3 rules, execve, execveat and kill. From what I am guessing, if there aren't processors for kill, it should just have ignored those events and the
--audit_debug=trueAnd I will certainly try to contribute back 😄