Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
Zlexis
02/17/2020, 8:52 PMI have a task to monitor outbound connections from production environments. One item that keeps showing up is
sudo ls /proc/12345/fds
seph
02/17/2020, 9:04 PMWhat query are you running?
z
Zlexis
02/17/2020, 9:18 PMSELECT user.username, proc.name, hash.md5, socket.pid, proc.path, proc.cmdline, socket.local_port, socket.remote_port, socket.remote_address FROM process_open_sockets as socket, processes as proc, users as user, hash as hash where socket.local_port not in (select port from listening_ports) and socket.local_port != 0 and socket.pid = proc.pid and user.uid = proc.uid and hash.path = proc.path;s
seph
02/17/2020, 9:27 PMIt would not surprise me if sudo did something that looked like a socket. That table is more than just network sockets.
If things change fast, you'll see a race condition for pid reuse.
z
Zlexis
02/17/2020, 10:37 PMIs there a qualifier in the process_open_sockets table that indicates whether it is a network socket? I don't have access to the box to manually query it.
s
seph
02/18/2020, 3:06 AMBoth
process_open_socketslistening_ports