SysEnumMon
Experimental. This detector differs from the others: it correlates observations across a process tree rather than reporting single events. Correlation is currently tied to the direct parent, so processes spawned indirectly (
find -exec,bash -c) may evade it, and the shared correlation state is read under RCU with time checks, so simultaneous hits on multiple CPUs can race. The behaviour and configuration may change once it gathers real-world feedback.
Detector correlates system enumeration (reconnaissance) activity. Automated privilege
escalation scanners (PEASS-ng: LinPEAS, LinEnum, pspy and similar) perform many small
enumeration steps in a short time: they execute information gathering binaries (id,
whoami, uname, netstat and so on) and read sensitive files (/etc/shadow,
/etc/ssh/* and so on). A single step is legitimate on its own, so an alert is raised only
when several distinct observations from the watch list accumulate inside one process tree
within a sliding time window.
Supported LSM hooks:
bprm_check_securityhook observes executed binary names onexecve.file_openhook observes opened file paths.
Both hooks are always loaded, there is no per-hook enable switch. SysEnumMon depends on ProcMon.
Required Linux Kernel Version
6.2 or greater
Config Description
SysEnumMon does not provide rule-based filtering or sandbox mode. It is configured by a watch list and two correlation parameters:
chain_size- thresholdK: number of distinct observations from the watch list that must occur within the window to raise an alert.Kmust not exceed 7, the per-process chain capacity.window_size_sec- sliding window lengthWin seconds. Only observations seen within the lastWseconds are kept in a process tree’s chain: as new observations arrive, any leading observation older thanWseconds is dropped from the chain. An alert is raised whenKdistinct observations fall inside the sameW-second window.bprm_check.name- list of binary names matched onexecve.file_open.path- list of exact file paths matched onfile_open.file_open.path_prefix- list of path prefixes matched onfile_open(longest prefix match).
Observations are de-duplicated, so repeating the same entry does not advance the counter:
a script that calls id in a loop does not raise an alert. The total number of unique watch
list entries (names + paths + prefixes) must not exceed 256.
Example
chain_size: 3
window_size_sec: 10
bprm_check:
name:
- id
- whoami
- uname
- netstat
- ss
- getcap
file_open:
path:
- /etc/shadow
path_prefix:
- /etc/ssh