
Add a few more items to live_response/process/procfs_information.yaml #35

Closed
tclahr opened this issue Mar 1, 2022 · 1 comment
tclahr commented Mar 1, 2022

Update live_response/process/procfs_information.yaml to collect the following artifacts:

  • "ls -l /proc/[0-9]*/cwd" is one of my go-to items for detecting suspicious processes -- when the CWD is /tmp/.ICEd-unix/fooTWUX67 you know you have a problem
  • "cat /proc/%line%/stack" can sometimes reveal details of process behavior -- e.g., waiting on a socket, etc.
  • "cat /proc/%line%/status" has lots of extra process detail, including PPID, etc.

Please refer to discussion #34
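A small triage script in the spirit of these three artifacts, added here as an example and not part of UAC or this issue. It walks a /proc tree (the root is a parameter so it can also be pointed at a copied or constructed tree), flags processes whose cwd sits under a world-writable temp directory or a hidden directory, and pulls PPid and Name from status for each hit; the path heuristics are the assumption here, not something the issue prescribes.

```shell
#!/bin/sh
# Added example, not UAC's own code. Triage /proc/<PID>/cwd and
# /proc/<PID>/status in the way the issue describes. PROCROOT defaults
# to /proc; a copied or constructed tree can be passed instead.

# Print "PID cwd" for every process whose cwd resolves under a temp
# directory or contains a hidden (dot) path component. The hidden-dir
# rule is noisy on workstations (~/.cache, ~/.config), so review hits.
flag_suspicious_cwd() {
    procroot=${1:-/proc}
    for d in "$procroot"/[0-9]*; do
        [ -L "$d/cwd" ] || continue        # kernel threads / vanished PIDs
        cwd=$(readlink "$d/cwd") || continue
        case $cwd in
            /tmp/*|/var/tmp/*|/dev/shm/*|*/.*)
                printf '%s %s\n' "${d##*/}" "$cwd" ;;
        esac
    done
}

# Extract one field (PPid, Name, Uid, ...) from /proc/<PID>/status.
status_field() {
    procroot=$1; pid=$2; field=$3
    [ -r "$procroot/$pid/status" ] || return 1
    awk -v f="$field:" '$1 == f { sub(/^[^:]*:[ \t]*/, ""); print; exit }' \
        "$procroot/$pid/status"
}

# Combine both: one line per flagged process with its parent and name.
triage() {
    procroot=${1:-/proc}
    flag_suspicious_cwd "$procroot" | while read -r pid cwd; do
        printf 'pid=%s ppid=%s name=%s cwd=%s\n' "$pid" \
            "$(status_field "$procroot" "$pid" PPid)" \
            "$(status_field "$procroot" "$pid" Name)" "$cwd"
    done
}

# Usage: ./procfs_triage.sh --scan [/proc]
case ${1:-} in --scan) triage "${2:-/proc}" ;; esac
```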

@tclahr tclahr added the type: artifact Improvements or additions to artifacts label Mar 1, 2022
@tclahr tclahr self-assigned this Mar 1, 2022
tclahr added a commit that referenced this issue Mar 11, 2022
The following new artifacts were added:
  - ls -l /proc/<PID>/cwd
  - cat /proc/<PID>/stack
  - cat /proc/<PID>/status

Issue #35

Signed-off-by: Thiago Canozzo Lahr <tclahr@br.ibm.com>
tclahr added a commit that referenced this issue Mar 11, 2022
The following artifacts were added:
  - ls -l /proc/<PID>/cwd
  - cat /proc/<PID>/stack
  - cat /proc/<PID>/status

Issue #35

Signed-off-by: Thiago Canozzo Lahr <tclahr@br.ibm.com>
@tclahr tclahr mentioned this issue Mar 16, 2022

tclahr commented Mar 16, 2022

Merged into develop branch via PR #39

@tclahr tclahr closed this as completed Apr 18, 2022