# Process Auditing and Events with osquery
---
## Recap
- Events in osquery
  - FIM
- Needs configuration
  - Opting in, and enabling specific features
  - Often platform specific
- Performance considerations
  - e.g. can't enable file events on the entire FS
---
## Process Auditing
- What? Allows us to record process executions (`process_events` table)
- Why? Detect malicious processes
- How? Most operating systems provide introspection capabilities
  - Linux: audit/bpf; macOS: EndpointSecurity, openBSM (deprecated); Windows: ETW
---
## Terminology
- audit subsystem: Linux kernel's subsystem providing introspection capabilities
- audit consumer: the application that "subscribes" to kernel events, in this case it's osquery
- auditd: the default userland application that can collect/log audit events
---
## Caveats
- Process auditing: monitoring the `execve()` family of syscalls
  - Or, more thoroughly, the `fork()` and `clone()` syscalls too
  - This means that shell builtins (`echo`, `export`) do not generate events, because they happen within the shell's process
- Performance overhead: monitoring each and every syscall adds some performance overhead
  - This can result in dropped events, from the kernel or from osquery
  - Make sure osquery is the only audit consumer on the host
---
## Basic Configuration
- `--disable_audit=false`: enable audit in osquery
- `--audit_allow_config=true`: osquery is allowed to manage the audit config
  - Advanced: set this to `false` if you use `auditd`/`auditctl` to set your own audit rules/config
- `--audit_allow_process_events=true`: allow osquery to record process executions (`execve()` syscalls)
- Optional: `--audit_allow_fork_process_events=true`: allow osquery to record `fork()`/`clone()` syscalls
- `--audit_persist=true`: allow osquery to reconnect to the audit subsystem if the connection is lost
---
## Demo
---
## Socket Auditing and `socket_events`
- Similar to processes, we want to introspect when a process makes a network connection
  - i.e. the `bind()` and `connect()` syscalls
- Add `--audit_allow_sockets=true`
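Added example (not from the slides or the osquery project): once the process and socket flags above are enabled, osqueryd writes `process_events` and `socket_events` rows to its results log as one JSON object per line. This script correlates the two tables by pid over constructed sample lines, lists successful outbound `connect()` calls with the `cmdline` that made them, and flags pids whose `execve()` was never captured (a symptom of the dropped-events caveat). Column names follow the Linux audit-based tables; the log lines and values are constructed.

```python
import json
from collections import defaultdict

# Constructed osqueryd results-log lines (differential format, one JSON object per
# line, values as strings) for process_events and socket_events. Sample data only.
SAMPLE_LOG = r'''
{"name":"process_events","action":"added","columns":{"pid":"4242","parent":"1337","path":"/usr/bin/curl","cmdline":"curl http://203.0.113.7/x","auid":"1000","time":"1700000000","syscall":"execve"}}
{"name":"socket_events","action":"added","columns":{"pid":"4242","action":"connect","path":"/usr/bin/curl","remote_address":"203.0.113.7","remote_port":"80","time":"1700000001","success":"1"}}
{"name":"process_events","action":"added","columns":{"pid":"4243","parent":"1337","path":"/usr/bin/ls","cmdline":"ls -la","auid":"1000","time":"1700000002","syscall":"execve"}}
{"name":"socket_events","action":"added","columns":{"pid":"4244","action":"bind","path":"/usr/bin/python3","remote_address":"0.0.0.0","remote_port":"0","time":"1700000003","success":"1"}}
'''

def parse_results_log(text):
    """Yield (table, columns) for each differential 'added' row in the log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") == "added":
            yield rec["name"], rec["columns"]

def correlate(text):
    """Group rows by pid: {pid: {"exec": execve columns or None, "sockets": [...]}}.
    A pid with sockets but no execve means the process started before auditing
    was enabled, or its execve event was dropped (the performance caveat above)."""
    by_pid = defaultdict(lambda: {"exec": None, "sockets": []})
    for table, cols in parse_results_log(text):
        if table == "process_events":
            by_pid[cols["pid"]]["exec"] = cols
        elif table == "socket_events":
            by_pid[cols["pid"]]["sockets"].append(cols)
    return dict(by_pid)

def outbound_connections(text):
    """(pid, cmdline, remote_address:port) for every successful connect()."""
    out = []
    for pid, info in correlate(text).items():
        for s in info["sockets"]:
            if s["action"] == "connect" and s["success"] == "1":
                cmd = info["exec"]["cmdline"] if info["exec"] else "<execve not captured>"
                out.append((pid, cmd, f'{s["remote_address"]}:{s["remote_port"]}'))
    return out

def uncorrelated_pids(text):
    """Pids that have socket events but no recorded execve."""
    return sorted(p for p, i in correlate(text).items() if i["sockets"] and i["exec"] is None)
```

Point it at a real `osqueryd.results.log` by replacing `SAMPLE_LOG` with the file contents; `bind()` rows are grouped but only `connect` rows are reported as outbound.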