#general

Artem

05/16/2022, 10:20 AM
Hello! Found interesting query from security perspective https://github.com/Cisco-Talos/osquery_queries/blob/master/linux_forensics/linux_forensics_processes_with_deleted_binary.yaml, but also found some trouble with detecting Docker related process. It looks like this table can detect process details, but can not determine if process started from container so there is no source binary on direct host machine. It gives lots of false positive results. Is it possible to solve this problem some way?
3:22 PM
I think I found some kind of bypass using query:
SELECT * FROM processes WHERE on_disk=0 AND pid NOT IN (SELECT pid FROM docker_container_processes WHERE id IN (SELECT id FROM docker_containers))
Using it I can find processes without a disk binary on the host machine by excluding processes inside containers. The bad part of this is the lack of proper detection of processes without a binary inside containers. There is no on_disk parameter in the docker_container_processes table. So currently this detection can work properly only on the host machine.

alessandrogario

05/17/2022, 2:02 PM
Huge workaround, but you could try to use the file table + pid_with_namespace

Artem

05/17/2022, 6:02 PM
@alessandrogario hi! could you please give some example for this?

alessandrogario

05/17/2022, 6:03 PM
using WHERE pid_with_namespace = PID allows you to join the mount namespace of another process
6:04 PM
this would allow you to test whether the file actually exists in the mount namespace of the container

Artem

05/17/2022, 6:14 PM
@alessandrogario thank you! Sounds like a cool idea, but I don't see now the way to find the file related to a containerized process using the docker_container_processes table, there is no such column.

alessandrogario

05/17/2022, 6:15 PM
the idea is to rebuild the on_disk column manually
6:15 PM
using the file table + pid_with_namespace

Artem

05/17/2022, 6:30 PM
Do you mean an attempt to find a file with the same name as the process name? Is it correct?

alessandrogario

05/18/2022, 7:31 PM
Yes, that is correct

Artem

05/18/2022, 8:16 PM
@alessandrogario thank you for details! I’ll try it!