Add process.thread.capabilities #2245
Conversation
| description: > | ||
| This is a limiting superset for the effective capabilities that the | ||
| thread may assume. | ||
| example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]" |
There was a problem hiding this comment.
If this is the format we expect to use then I recommend adding a pattern so that automated validation can yield warnings when the format is not followed. I am thinking ^(CAP_[A-Z_]+|\d+)$ which allows software to insert the capability number if it is unaware the associated name.
example:
Line 70 in ce9dbe7
There was a problem hiding this comment.
super cool! @andrewkroh thanks for the suggestion
There was a problem hiding this comment.
Field definitions and their descriptions look great.
@nicholasberlin Can you also make this change underneath the process object in schemas/subsets/main.yml, re-run make, and commit the changed files? Right now, the new fields aren't populating in all the expected places.
diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml
index 50312f7b..0b953e32 100644
--- a/schemas/subsets/main.yml
+++ b/schemas/subsets/main.yml
@@ -309,6 +309,10 @@ fields:
fields:
id: {}
name: {}
+ capabilities:
+ fields:
+ effective: {}
+ permitted: {}
title: {}
tty:
fields:
@@ -443,6 +447,10 @@ fields:
fields:
id: {}
name: {}
+ capabilities:
+ fields:
+ effective: {}
+ permitted: {}
title: {}
tty:
fields: "*"
|
cc/ @DefSecSentinel and @imays11 Please review this ECS addition to ensure it matches your expectations. |
|
Looks good to me |
|
Looks great @norrietaylor |
Being able to gather and track Linux capabilities for a process (thread) could allow us to detect and prevent various activities such as container escapes, privilege escalation and exploitation.