#82 Action to produce short reports

0xrawsec · Sep 28, 2021 · c3ec844 · c3ec844
1 parent 63d7a08
commit c3ec844
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 13 deletions.
diff --git a/hids/hids.go b/hids/hids.go
@@ -707,7 +707,7 @@ func (h *HIDS) handleManagerCommand(cmd *api.Command) {
  case "report":
  cmd.Unrunnable()
  cmd.ExpectJSON = true
- cmd.Stdout = h.Report()
+ cmd.Stdout = h.Report(false)
  case "processes":
  h.processTracker.RLock()
  cmd.Unrunnable()
@@ -834,7 +834,7 @@ func (h *HIDS) IsHIDSEvent(e *event.EdrEvent) bool {
 
 // Report generate a forensic ready report (meant to be dumped)
 // this method is blocking as it runs commands and wait after those
-func (h *HIDS) Report() (r Report) {
+func (h *HIDS) Report(light bool) (r Report) {
  r.StartTime = time.Now()
 
  // generate a report for running processes or those terminated still having one child or more
@@ -847,10 +847,13 @@ func (h *HIDS) Report() (r Report) {
  // Drivers loaded
  r.Drivers = h.processTracker.Drivers
 
- // run all the commands configured to inculde in the report
- r.Commands = h.config.Report.PrepareCommands()
- for i := range r.Commands {
- r.Commands[i].Run()
+ // if this is a light report, we don't run the commands
+ if !light {
+ // run all the commands configured to include in the report
+ r.Commands = h.config.Report.PrepareCommands()
+ for i := range r.Commands {
+ r.Commands[i].Run()
+ }
  }
 
  r.StopTime = time.Now()

diff --git a/hids/hookdefs.go b/hids/hookdefs.go
@@ -40,6 +40,7 @@ const (
  ActionFiledump = "filedump"
  ActionRegdump = "regdump"
  ActionReport = "report"
+ ActionBrief = "brief"
 )
 
 var (
@@ -359,7 +360,9 @@ func hookHandleActions(h *HIDS, e *event.EdrEvent) {
  case ActionFiledump:
  dumpFilesRtn(h, e)
  case ActionReport:
- dumpReportRtn(h, e)
+ dumpReportRtn(h, e, false)
+ case ActionBrief:
+ dumpReportRtn(h, e, true)
  default:
  log.Errorf("Cannot handle %s action as it is unknown", action)
  }
@@ -1153,7 +1156,7 @@ func dumpFilesRtn(h *HIDS, e *event.EdrEvent) {
  }()
 }
 
-func hookDumpReport(h *HIDS, e *event.EdrEvent) {
+/*func hookDumpReport(h *HIDS, e *event.EdrEvent) {
  // We have to check that if we are handling one of
  // our event and we don't want to dump ourself
  if h.IsHIDSEvent(e) {
@@ -1171,9 +1174,9 @@ func hookDumpReport(h *HIDS, e *event.EdrEvent) {
  }
 
  dumpReportRtn(h, e)
-}
+}*/
 
-func dumpReportRtn(h *HIDS, e *event.EdrEvent) {
+func dumpReportRtn(h *HIDS, e *event.EdrEvent, light bool) {
  // make it non blocking
  go func() {
  h.hookSemaphore.Acquire()
@@ -1188,18 +1191,16 @@ func dumpReportRtn(h *HIDS, e *event.EdrEvent) {
  return
  }
  reportPath := dumpPrepareDumpFilename(e, h.config.Dump.Dir, guid, "report.json")
- //psPath := dumpPrepareDumpFilename(e, h.config.Dump.Dir, guid, "ps.json")
  dumpEventAndCompress(h, e, guid)
  if c.EnableReporting {
  log.Infof("Generating IR report: %s", guid)
- if b, err := json.Marshal(h.Report()); err != nil {
+ if b, err := json.Marshal(h.Report(light)); err != nil {
  log.Errorf("Failed to JSON encode report: %s", guid)
  } else {
  utils.HidsWriteFile(reportPath, b)
  h.compress(reportPath)
  }
  log.Infof("Finished generating report: %s", guid)
  }
-
  }()
 }