
ProcMon

ProcMon is the main detector that collects information about processes being spawned and detached. Information about living processes is stored in a shared eBPF map and in the Process cache in user space. Every other detector depends on ProcMon, which monitors process execs and exits, so this detector cannot be disabled.

Required Linux Kernel Version

6.2 or greater

Config Description

It is possible to include IMA hashes of the executed binary in process information. To enable this, put the following in the config (false by default):

ima_hash: true

It is possible to set the garbage collection period in seconds for PROCMON_PROC_MAP (process info in eBPF). The default value is 30 seconds.

gc_period: 30

Process Hooks

ProcMon helps monitor privilege escalation during process execution. It uses the following LSM hooks for this:

  • security_task_fix_setuid (config name: setuid)
  • security_task_fix_setgid (config name: setgid)
  • security_capset (config name: capset)
  • security_task_prctl (config name: prctl)
  • security_create_user_ns (config name: create_user_ns)
  • security_ptrace_access_check (config name: ptrace_access_check)
  • security_bprm_check (config name: bprm_check)

To enable a hook:

<hook>:
  enabled: true

Event Filtering

All hooks support scope filtering.

The following hooks support event filtering by rules and sandbox mode:

  • security_task_fix_setuid
  • security_task_fix_setgid
  • security_capset
  • security_create_user_ns
  • security_bprm_check

security_task_fix_setuid

setuid supports the following filtering attributes:

  • uid - new uid
  • euid - new euid

Example

setuid:
  enabled: true
  rules:
  - rule: UidTestRule
    event: uid == 1000 AND euid == 0

security_task_fix_setgid

setgid supports the following filtering attributes:

  • gid - new gid
  • egid - new egid

Example

setgid:
  enabled: true
  rules:
  - rule: GidTestRule
    event: gid == 1000 AND egid == 0

security_capset

capset supports the following filtering attributes:

  • ecaps - new effective capabilities
  • pcaps - new permitted capabilities

The list of capabilities can be found in capabilities(7). A placeholder ANY_CAPS that matches all capabilities is supported. The expression ecaps in ["ANY_CAPS"] or ecaps == "ANY_CAPS" checks whether any capability is set.

Example

capset:
  enabled: true
  rules:
  - rule: CapsTestRule
    event: ecaps == "CAP_SYS_ADMIN"

security_create_user_ns

create_user_ns supports the following filtering attributes:

  • ecaps - effective capabilities
  • euid - effective uid

Example

create_user_ns:
  enabled: true
  rules:
  - rule: UnprivNsTestRule
    event: NOT ecaps == "CAP_SYS_ADMIN"

security_bprm_check

bprm_check supports the following filtering attributes:

  • path - absolute path of the binary executed via exec
  • name - name of the binary executed via exec
  • path_prefix - absolute path prefix of the binary executed via exec

Example

bprm_check:
  enabled: true
  rules:
  - rule: TestBprmCheck
    event: path_prefix == "/tmp" AND name == "ls"
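The rule examples above (setuid, capset, create_user_ns and bprm_check) share one expression syntax. As an added example, not code from ProcMon itself, the following evaluator accepts the expression forms shown on this page and runs them against constructed events, so a rule can be sanity-checked before it is deployed; treating ecaps/pcaps as sets of capability names where == means "contains" is an assumption.

```python
# Added example, not the detector's own parser: evaluates the rule-expression
# forms shown on this page (attr == value, attr in [...], NOT, AND) against
# constructed events, so a rule can be checked before it is deployed. Treating
# ecaps/pcaps as sets of names where == means "contains" is an assumption.
import re

CAP_ATTRS = {"ecaps", "pcaps"}
TOKEN = r'AND\b|NOT\b|in\b|==|\[|\]|"[^"]*"|\d+|\w+'   # commas/whitespace dropped

def value(tok):
    return tok[1:-1] if tok.startswith('"') else int(tok)

def parse_cmp(tokens, i):
    attr, op = tokens[i], tokens[i + 1]
    if op == "==":
        vals, i = [value(tokens[i + 2])], i + 3
    elif op == "in":                     # attr in ["a", "b"]
        end = tokens.index("]", i)
        vals, i = [value(t) for t in tokens[i + 3:end]], end + 1
    else:
        raise ValueError(f"unsupported operator {op!r}")
    def pred(ev):
        actual = ev[attr]
        if attr in CAP_ATTRS:            # ANY_CAPS: true if any capability is set
            return any(bool(actual) if v == "ANY_CAPS" else v in actual for v in vals)
        return actual in vals
    return pred, i

def parse_term(tokens, i):
    if tokens[i] == "NOT":               # NOT binds to the single comparison after it
        p, i = parse_term(tokens, i + 1)
        return (lambda ev: not p(ev)), i
    return parse_cmp(tokens, i)

def compile_rule(expr):
    tokens, preds, i = re.findall(TOKEN, expr), [], 0
    while i < len(tokens):
        p, i = parse_term(tokens, i)
        preds.append(p)
        if i < len(tokens):              # only AND may join terms
            if tokens[i] != "AND":
                raise ValueError(f"unexpected token {tokens[i]!r}")
            i += 1
    return lambda ev: all(p(ev) for p in preds)

# Constructed sample events for the setuid, capset and create_user_ns hooks.
SETUID_EVENT = {"uid": 1000, "euid": 0}
CAPSET_EVENT = {"ecaps": {"CAP_NET_ADMIN"}, "pcaps": {"CAP_NET_ADMIN", "CAP_SYS_ADMIN"}}
USERNS_EVENT = {"ecaps": set(), "euid": 1000}
```

Call compile_rule(expr)(event) to get True or False for one event; an unsupported operator or a joiner other than AND raises ValueError instead of silently matching nothing.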