
ProcMon

ProcMon is the core detector. It collects information about processes being spawned and exiting, and keeps the state of live processes in a shared eBPF map and in a user-space process cache. Every other detector depends on ProcMon's view of process execs and exits, so this detector cannot be disabled.

Required Linux Kernel Version

6.2 or greater

Config Description

The IMA hash of the executed binary can be included in the process information. To enable it, add this to the config (disabled by default):

ima_hash: true

The garbage-collection period, in seconds, for PROCMON_PROC_MAP (the eBPF map holding process info) can be changed. The default is 30 seconds:

gc_period: 30

Process Hooks

ProcMon can also monitor credential and privilege changes made by a running process. It uses these LSM hooks for this:

  • security_task_fix_setuid
  • security_capset
  • security_task_prctl
  • security_create_user_ns

Events from each hook are enabled separately. To enable setuid events, add this to the config:

setuid:
  enabled: true

To enable capset events:

capset:
  enabled: true

To enable prctl events:

prctl:
  enabled: true

To enable create_user_ns events:

create_user_ns:
  enabled: true

To enable ptrace_access_check events, which fire when one process requests ptrace access to another (this corresponds to the security_ptrace_access_check LSM hook):

ptrace_access_check:
  enabled: true

ProcMon supports two kinds of filtering: a global process_filter on the calling process (uid, euid, auid and binary path prefix), and a per-hook cred_filter on the credentials involved in the event.

A cred_filter can be applied to these hooks:

  • security_task_fix_setuid
  • security_capset
  • security_create_user_ns

Config example:

setuid:
  enabled: true
  cred_filter:
    uid_filter:
      euid:          # keep setuid events whose effective uid is 0
      - 0
capset:
  enabled: true
  cred_filter:
    cap_filter:
      effective:     # "ANY" matches any effective capability
      - "ANY"
create_user_ns:
  enabled: true
  cred_filter:
    cap_filter:
      effective:     # with deny_list, the listed capabilities are excluded instead of selected
      - "CAP_SYS_ADMIN"
      deny_list: true
process_filter:      # applies to the calling process, for every enabled hook
  uid:
    - 0
  euid:
    - 0
  auid:
    - 1000
  binary:
    prefix:          # only binaries under these directories
      - /usr/bin/
      - /usr/sbin/
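As an added example (not ProcMon's own code), the following Python models how the process_filter and the per-hook cred_filter from the config above could be evaluated against hook events, so that a config can be reasoned about before it is deployed. The matching rules it encodes are assumptions, because the page shows the configuration shape but not the matching semantics: process_filter fields are allow-lists ANDed together and an absent field matches everything; process_filter is checked against the calling task while cred_filter is checked against the credentials the hook is about to install; uid_filter and cap_filter lists are allow-lists, cap_filter.deny_list: true inverts the capability match, and "ANY" matches any non-empty effective capability set. The HookEvent type, the function names and the sample events are constructed for this illustration.

```python
"""Model of ProcMon-style process_filter / cred_filter evaluation.

Added example, not ProcMon's own code.  The matching rules below are
assumptions; the page shows the YAML shape, not how the filters are applied.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HookEvent:
    """One LSM hook event as the detector would see it (hypothetical shape)."""
    hook: str                     # config key: setuid, capset, create_user_ns, prctl, ...
    uid: int                      # credentials of the calling task (process_filter input)
    euid: int
    auid: int
    binary: str
    new_euid: Optional[int] = None            # creds being installed (uid_filter input)
    new_caps: FrozenSet[str] = frozenset()    # creds being installed (cap_filter input)


# Python mirror of the YAML example on this page.
CONFIG = {
    "setuid": {"enabled": True,
               "cred_filter": {"uid_filter": {"euid": [0]}}},
    "capset": {"enabled": True,
               "cred_filter": {"cap_filter": {"effective": ["ANY"]}}},
    "create_user_ns": {"enabled": True,
                       "cred_filter": {"cap_filter": {"effective": ["CAP_SYS_ADMIN"],
                                                      "deny_list": True}}},
    "process_filter": {"uid": [0], "euid": [0], "auid": [1000],
                       "binary": {"prefix": ["/usr/bin/", "/usr/sbin/"]}},
}


def process_filter_matches(ev: HookEvent, pf: dict) -> bool:
    """Assumed: every present field is an allow-list; all must match."""
    for key in ("uid", "euid", "auid"):
        allowed = pf.get(key)
        if allowed is not None and getattr(ev, key) not in allowed:
            return False
    prefixes = pf.get("binary", {}).get("prefix")
    if prefixes and not any(ev.binary.startswith(p) for p in prefixes):
        return False
    return True


def cap_list_matches(caps: FrozenSet[str], wanted: List[str], deny: bool) -> bool:
    """Assumed: "ANY" hits on a non-empty set, otherwise any overlap hits;
    deny_list inverts the result."""
    hit = bool(caps) if "ANY" in wanted else not caps.isdisjoint(wanted)
    return (not hit) if deny else hit


def cred_filter_matches(ev: HookEvent, cf: dict) -> bool:
    euids = cf.get("uid_filter", {}).get("euid")
    if euids is not None and ev.new_euid not in euids:
        return False
    capf = cf.get("cap_filter", {})
    wanted = capf.get("effective")
    if wanted is not None and not cap_list_matches(ev.new_caps, wanted,
                                                   capf.get("deny_list", False)):
        return False
    return True


def should_emit(ev: HookEvent, config: dict = CONFIG) -> bool:
    """Decide whether an event survives the hook enable flag and both filters."""
    hook_cfg = config.get(ev.hook)
    if not hook_cfg or not hook_cfg.get("enabled", False):
        return False      # hook absent or disabled (prctl is absent from the example config)
    if not process_filter_matches(ev, config.get("process_filter", {})):
        return False
    return cred_filter_matches(ev, hook_cfg.get("cred_filter", {}))


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: Dict[str, HookEvent] = {
    "sudo_setuid_to_root": HookEvent("setuid", 0, 0, 1000, "/usr/bin/sudo", new_euid=0),
    "setuid_drop_to_nobody": HookEvent("setuid", 0, 0, 1000, "/usr/bin/sudo", new_euid=65534),
    "setuid_outside_prefix": HookEvent("setuid", 0, 0, 1000, "/opt/tool/bin/run", new_euid=0),
    "capset_keeps_caps": HookEvent("capset", 0, 0, 1000, "/usr/sbin/sshd",
                                   new_caps=frozenset({"CAP_NET_BIND_SERVICE"})),
    "capset_drops_all": HookEvent("capset", 0, 0, 1000, "/usr/sbin/sshd"),
    "userns_with_sys_admin": HookEvent("create_user_ns", 0, 0, 1000, "/usr/bin/unshare",
                                       new_caps=frozenset({"CAP_SYS_ADMIN"})),
    "userns_without_sys_admin": HookEvent("create_user_ns", 0, 0, 1000, "/usr/bin/unshare",
                                          new_caps=frozenset({"CAP_NET_ADMIN"})),
    "prctl_not_enabled": HookEvent("prctl", 0, 0, 1000, "/usr/bin/bash"),
}


def evaluate_all(config: dict = CONFIG) -> Dict[str, bool]:
    return {name: should_emit(ev, config) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, emitted in evaluate_all().items():
        print(f"{name:26s} -> {'EMIT' if emitted else 'drop'}")
```

Running the script prints one line per sample event; with the config above only the root setuid from /usr/bin, the capset that keeps a capability, and the user-namespace creation without CAP_SYS_ADMIN are emitted. The deny_list case is the one worth checking against the real detector before relying on it, since an inverted list that also matches an empty capability set behaves differently from one that does not.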