
[Auditbeat] Process dataset: Only report processes with executable #11232

Merged
merged 3 commits into from
Mar 14, 2019

Conversation

@cwurm cwurm commented Mar 13, 2019

The process dataset currently reports a lot of kernel processes on Linux, e.g. kworker/2:0, kworker/2:1, kworker/3:1, cpuhp/1.

I think we should exclude those. They don't provide a lot of value, the names are not unique, and they will not be able to use potential future features like process executable hashes.

@cwurm cwurm added review needs_backport PR is waiting to be backported to other branches. Auditbeat SecOps breaking change labels Mar 13, 2019
@cwurm cwurm requested a review from andrewkroh March 13, 2019 15:14
@elasticmachine
Pinging @elastic/secops

@cwurm cwurm requested a review from a team as a code owner March 13, 2019 15:14
@andrewkroh andrewkroh left a comment

Are there any cases on Windows or Darwin where the exe can be empty?

I understand the Linux path very well, but not so much the implications of this filter on other operating systems. I want to make sure that there isn't something that a user can do to cause the APIs that return the executable to fail, which then causes us to not report their process.

Another option here would be to filter processes on Linux that are owned by root, start with [, end with ], and have no executable. That would match [kworker/u3:0] for sure. Or are those [ ] brackets added by ps?

adriansr commented Mar 13, 2019

Under Windows, I can't see a case where exe can be empty.

> Another option here would be to filter processes on Linux that are owned by root, start with [, end with ], and have no executable. That would match [kworker/u3:0] for sure. Or are those [ ] brackets added by ps?

Is this the process title as returned by ps? This can be changed by a running process by rewriting argv[0], so it will allow an attacker to hide a process from us.

cwurm commented Mar 14, 2019

> Are there any cases on Windows or Darwin where the exe can be empty?

Good question. I've tested it by inverting the condition (only report processes that have no exe) and on both platforms it didn't output anything, at least on my machines.

> Another option here would be to filter processes on Linux that are owned by root, start with [, end with ], and have no executable. That would match [kworker/u3:0] for sure. Or are those [ ] brackets added by ps?

The brackets are added by ps.

To be extra conservative, we could only exclude processes that are (1) on Linux, (2) owned by root, and (3) have no exe. That way, macOS and Windows are not impacted, and if a user has root on Linux, they can do almost anything anyway, including messing with the Auditbeat process. I'll push a change to that effect.
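The three-part rule described in this thread, written out as an added example in Go. This is illustrative code, not the Beats implementation: the `ProcessInfo` type, `ShouldReport`, `ParseStatusUID` and `ReadLinuxProcess` are hypothetical names chosen here. It keys the decision on the `/proc/<pid>/exe` link and the real UID from `/proc/<pid>/status`, never on the process name, so a bracketed or rewritten title has no influence on whether a process is reported. It also separates the two ways the exe lookup can fail: a kernel thread has no link target (ENOENT), which is the case the filter is meant to drop, while any other error (for example EACCES when the collector is unprivileged) is surfaced rather than treated as "no executable", which addresses the concern about an API failure silently hiding a process.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// ProcessInfo holds only the fields the filter decision depends on (hypothetical type).
type ProcessInfo struct {
	PID  int
	Name string // from /proc/<pid>/comm; untrusted, a process can rewrite its own title
	UID  uint32 // real UID of the owner, from /proc/<pid>/status
	Exe  string // target of /proc/<pid>/exe; empty when the link has no target
}

// ShouldReport applies the conservative rule from the discussion: a process is
// dropped only when all three hold (Linux, owned by root, no executable).
// The name is deliberately ignored, so "[kworker/u3:0]" as a title is not what
// decides, and a renamed user-owned process cannot opt out of reporting.
func ShouldReport(goos string, p ProcessInfo) bool {
	if goos != "linux" {
		return true // macOS and Windows are never filtered
	}
	if p.UID != 0 {
		return true // non-root processes are always reported, exe or not
	}
	return p.Exe != ""
}

// ParseStatusUID extracts the real UID from the text of /proc/<pid>/status.
// The "Uid:" line lists real, effective, saved and filesystem UIDs in that order.
func ParseStatusUID(status string) (uint32, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "Uid:") {
			continue
		}
		fields := strings.Fields(strings.TrimPrefix(line, "Uid:"))
		if len(fields) < 1 {
			return 0, errors.New("malformed Uid line in status")
		}
		uid, err := strconv.ParseUint(fields[0], 10, 32)
		if err != nil {
			return 0, err
		}
		return uint32(uid), nil
	}
	return 0, errors.New("no Uid line in status")
}

// ReadLinuxProcess gathers the fields from /proc. Only a missing link target
// (ENOENT, which is what kernel threads produce) becomes an empty Exe; any other
// readlink failure is returned as an error so the caller never silently drops
// a process just because the lookup failed.
func ReadLinuxProcess(pid int) (ProcessInfo, error) {
	base := "/proc/" + strconv.Itoa(pid)
	p := ProcessInfo{PID: pid}

	comm, err := os.ReadFile(base + "/comm")
	if err != nil {
		return p, err
	}
	p.Name = strings.TrimSpace(string(comm))

	status, err := os.ReadFile(base + "/status")
	if err != nil {
		return p, err
	}
	if p.UID, err = ParseStatusUID(string(status)); err != nil {
		return p, err
	}

	exe, err := os.Readlink(base + "/exe")
	switch {
	case err == nil:
		p.Exe = exe
	case errors.Is(err, fs.ErrNotExist):
		p.Exe = "" // kernel thread: no executable behind the link
	default:
		return p, fmt.Errorf("exe for pid %d: %w", pid, err) // e.g. EACCES
	}
	return p, nil
}

func main() {
	// Constructed sample processes (not live /proc data) to show the decision table.
	samples := []ProcessInfo{
		{PID: 17, Name: "kworker/2:0", UID: 0, Exe: ""},
		{PID: 1, Name: "systemd", UID: 0, Exe: "/usr/lib/systemd/systemd"},
		{PID: 4242, Name: "[kworker/u3:0]", UID: 1000, Exe: "/usr/bin/python3"},
	}
	for _, p := range samples {
		fmt.Printf("pid=%d name=%q report=%v\n", p.PID, p.Name, ShouldReport("linux", p))
	}
	if runtime.GOOS == "linux" {
		if self, err := ReadLinuxProcess(os.Getpid()); err == nil {
			fmt.Printf("self: %+v report=%v\n", self, ShouldReport(runtime.GOOS, self))
		}
	}
}
```

Running the block on Linux prints the decision for the three constructed samples (only the root-owned `kworker/2:0` with no exe is dropped) and then the collector's own entry read from `/proc`. The third sample shows why the UID and exe checks matter more than the name: a user-owned process that calls itself `[kworker/u3:0]` is still reported.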

@andrewkroh andrewkroh left a comment

LGTM

@cwurm cwurm merged commit 115eeb7 into elastic:master Mar 14, 2019
@cwurm cwurm deleted the process_only_with_exe branch March 14, 2019 22:12
cwurm pushed a commit to cwurm/beats that referenced this pull request Mar 14, 2019
…lastic#11232)

Excludes kernel processes on Linux. They don't provide a lot of value, the names are not unique, and they will not be able to use potential future features like process executable hashes.

(cherry picked from commit 115eeb7)
@cwurm cwurm added v7.0.0 and removed needs_backport PR is waiting to be backported to other branches. labels Mar 14, 2019
cwurm pushed a commit that referenced this pull request Mar 15, 2019
…rocesses with executable (#11258)

Cherry-pick of PR #11232 to 7.0 branch. Original message: 

Excludes kernel processes on Linux. They don't provide a lot of value, the names are not unique, and they will not be able to use potential future features like process executable hashes.