Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
n
nebi
07/30/2018, 1:30 AMbut there is no entry for this command
y
yuvalapidot
07/30/2018, 12:08 PMProcess table does not log scripts (like the one you described). However, i believe that the curl process should appear. If you run a query for the processes table right when the curl is running, it should be showing, but it might be hard to get it in the exact moment in time.
s
stefanmaerz
07/30/2018, 12:44 PMyeah that is what i was thinking. you are probably creating a race condition. I bet you will see the curl process if you download a big file (that takes more time) using curl
a
ag4ve
07/30/2018, 11:11 PMAuditd (kernel hook) should see the processes - while and test are (most likely) internal to your shell
Also, I'm pretty sure audit won't directly catch echo > /dev/tcp/ip/port stuff if you're trying to catch that type of behavior