Channels
#general
Title
# general
a
Artem
05/16/2022, 10:20 AMHello!
Found interesting query from security perspective https://github.com/Cisco-Talos/osquery_queries/blob/master/linux_forensics/linux_forensics_processes_with_deleted_binary.yaml, but also found some trouble with detecting Docker related process.
It looks like this table can detect process details, but can not determine if process started from container so there is no source binary on direct host machine. It gives lots of false positive results.
Is it possible to solve this problem some way?
I think I found some kind of bypass using query:
SELECT * FROM processes WHERE on_disk=0 AND pid NOT IN (SELECT pid FROM docker_container_processes where id=(SELECT id FROM docker_containers))on_diskdocker_container_processesa
alessandrogario
05/17/2022, 2:02 PM
Huge workaround, but you could try to use the
filepid_with_namespacea
Artem
05/17/2022, 6:02 PM@alessandrogario hi! could you please give some example for this?
a
alessandrogario
05/17/2022, 6:03 PM
using WHERE pid_with_namespace = PID allows you to join the mount namespace of another process
this would allow you to test whether the file actually exists in the mount namespace of the container
a
Artem
05/17/2022, 6:14 PM@alessandrogario thank you! Sounds like cool idea, but I don’t see now the way to find file related to containered process using
docker_container_processesa
alessandrogario
05/17/2022, 6:15 PM
the idea is to rebuild the on_disk column manually
using the file table + pid_with_namespace
a
Artem
05/17/2022, 6:30 PMDo you mean an attempt to find file with with same name as for the process name? Is ut correct?
a
alessandrogario
05/18/2022, 7:31 PM
Yes, that is correct
👍 1
a
Artem
05/18/2022, 8:16 PM@alessandrogario thank you for details! I’ll try it!
14 Views