
process_execute_failed

Intro

process_execute_failed - a failed process execution occurred.

Description

An event marking that an attempt to execute a process failed. It makes failed executions observable together with (mostly; see Issues below) the arguments as the kernel saw them. This is a high-level event intended to cover all failure cases of process execution while exposing, as far as possible, the arguments the kernel itself used.

Arguments

Arguments tagged [K] are read from kernel structures. Arguments tagged [U,TOCTOU] are read from user-space memory and can be changed by the process between the kernel's own read and Tracee's read, so they should not be the sole basis of a detection decision.

  • path:const char*[K] - the path to the file as provided by the user.
  • binary.path:const char*[K] - the binary path being executed.
  • binary.device_id:dev_t[K] - the device id of the binary being executed.
  • binary.inode_number:unsigned long[K] - the inode number of the binary being executed.
  • binary.ctime:unsigned long[K] - the change time (ctime) of the binary being executed.
  • binary.inode_mode:u64[K] - the inode mode of the binary being executed.
  • interpreter_path:const char*[K] - the path to the interpreter used.
  • stdin_type:umode_t[K] - the file type (mode bits) of the process's stdin.
  • stdin_path:char*[K] - the path of the process's stdin.
  • kernel_invoked:int[K] - whether this execution was initiated by the kernel (1) or by user-space (0).
  • environment:const char*const*[U,TOCTOU] - the environment variables of this execution.
  • arguments:const char*const*[U,TOCTOU] - the arguments of this execution.

Hooks

exec_binprm

Type

kprobe

Purpose

To retrieve the arguments of exec_binprm. Used for kernels older than 5.8.

exec_binprm

Type

kretprobe

Purpose

To retrieve the return value of exec_binprm and generate the event. Used for kernels older than 5.8.

security_bprm_creds_for_exec

Type

kprobe

Purpose

To retrieve the arguments for the event. Relevant from kernel version 5.8 onwards, as the function was added in that kernel.

sys_enter

Type

tracepoint

Purpose

To obtain the return code of the execution, determining whether to generate the event. For a failed execution, an event will be generated using the information from the security_bprm_creds_for_exec hook. Relevant from kernel version 5.8 onwards, matching the security_bprm_creds_for_exec hook.

Example Use Case

./tracee -e process_execute_failed
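An added example, not part of this page or of Tracee's own code, showing how a consumer of Tracee's JSON output might triage this event. It assumes Tracee's JSON-lines shape (one object per line with eventName, pid, processName and an args list of name/type/value records) and uses the argument names listed above; the log lines themselves are constructed for the example. Decisions are made only on [K] fields; the [U,TOCTOU] arguments are carried as context and never used to decide.

```python
import json
import stat

# Constructed sample of Tracee JSON-lines output (values are made up for the example).
SAMPLE_LOG = r'''
{"eventName":"process_execute_failed","processName":"bash","pid":4242,"args":[{"name":"path","type":"const char*","value":"/tmp/.x/payload"},{"name":"binary.path","type":"const char*","value":"/tmp/.x/payload"},{"name":"binary.inode_mode","type":"u64","value":35309},{"name":"interpreter_path","type":"const char*","value":""},{"name":"kernel_invoked","type":"int","value":0},{"name":"arguments","type":"const char*const*","value":["./payload","--quiet"]},{"name":"environment","type":"const char*const*","value":["PATH=/usr/bin"]}]}
{"eventName":"process_execute_failed","processName":"cron","pid":77,"args":[{"name":"path","type":"const char*","value":"/usr/lib/cron/run"},{"name":"binary.path","type":"const char*","value":"/usr/lib/cron/run"},{"name":"binary.inode_mode","type":"u64","value":33261},{"name":"interpreter_path","type":"const char*","value":"/nonexistent/python"},{"name":"kernel_invoked","type":"int","value":0},{"name":"arguments","type":"const char*const*","value":["/usr/lib/cron/run"]},{"name":"environment","type":"const char*const*","value":[]}]}
{"eventName":"process_execute_failed","processName":"kworker/u8:1","pid":19,"args":[{"name":"path","type":"const char*","value":"/sbin/modprobe"},{"name":"binary.path","type":"const char*","value":"/sbin/modprobe"},{"name":"binary.inode_mode","type":"u64","value":33261},{"name":"interpreter_path","type":"const char*","value":""},{"name":"kernel_invoked","type":"int","value":1},{"name":"arguments","type":"const char*const*","value":["/sbin/modprobe","-q","--","fake"]},{"name":"environment","type":"const char*const*","value":["HOME=/"]}]}
{"eventName":"execve","processName":"bash","pid":4243,"args":[{"name":"pathname","type":"const char*","value":"/bin/ls"}]}
'''

# Directories any local user can write to; a failed exec from here is worth a look.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def args_by_name(event):
    """Flatten Tracee's args list into a {name: value} dict."""
    return {a["name"]: a.get("value") for a in event.get("args", [])}


def triage_event(event):
    """Return the reasons a process_execute_failed event deserves attention ([] if none).

    Only kernel-provided ([K]) arguments influence the result.
    """
    if event.get("eventName") != "process_execute_failed":
        return []
    args = args_by_name(event)
    reasons = []

    binary_path = args.get("binary.path") or args.get("path") or ""
    if binary_path.startswith(WORLD_WRITABLE_PREFIXES):
        reasons.append("binary lives under a world-writable directory")

    mode = args.get("binary.inode_mode")
    if mode is not None and stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("target is setuid/setgid")

    interp = args.get("interpreter_path") or ""
    if interp:
        reasons.append(f"script execution via interpreter {interp}")

    if args.get("kernel_invoked") == 1:
        reasons.append("kernel-initiated execution (usermode helper) failed")
    return reasons


def triage(log_text):
    """Parse JSON lines and return one record per event that triggered at least one reason."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = triage_event(event)
        if not reasons:
            continue
        args = args_by_name(event)
        hits.append({
            "pid": event.get("pid"),
            "process": event.get("processName"),
            "binary": args.get("binary.path"),
            "reasons": reasons,
            # [U,TOCTOU] data: recorded for the analyst, deliberately not used above.
            "argv_untrusted": args.get("arguments"),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Pipe real output into it with tracee -e process_execute_failed -o json, one event per line; the constructed sample above is only there so the script runs offline.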

Issues

The exec_binprm symbol is not available on some systems, so on kernels older than 5.8 the event may fail to load. On those kernels the event covers only failures that occur inside exec_binprm; failures at earlier stages of the exec path are not reported. On 5.8 and newer the event covers failures from security_bprm_creds_for_exec onwards (that hook runs before exec_binprm), so failures that occur before that point are still not reported.
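An added example, not from this page or from Tracee, that reproduces a few distinct execve failures so the coverage caveat above can be checked against a live system. The stage attributions in the comments are this editor's reading of the kernel's exec path (the open of the target and its permission check happen before the binprm hooks; binary-format detection and the opening of a script's interpreter happen inside exec_binprm), not something the page states. File and directory names are constructed.

```python
import errno
import os
import shutil
import subprocess
import tempfile


def _exec_errno(path):
    """Execute path as a child and return the errno name of the exec failure (None on success)."""
    try:
        subprocess.run([path], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=5)
    except OSError as exc:
        # subprocess reports the child's execve errno without any /bin/sh fallback.
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return None


def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def probe_exec_failures():
    """Create files that fail execve for different reasons; return {case: errno name}."""
    try:
        workdir = tempfile.mkdtemp(prefix="exec-probe-", dir=os.getcwd())
    except OSError:
        workdir = tempfile.mkdtemp(prefix="exec-probe-")
    cases = {}
    try:
        # Missing file: opening the target fails (ENOENT) before any binprm hook runs.
        cases["missing_file"] = _exec_errno(os.path.join(workdir, "does-not-exist"))

        # No execute bit: the permission check on open fails (EACCES), also before the
        # binprm hooks. A file with no x bit at all is refused even for root.
        p = os.path.join(workdir, "no-exec-bit")
        _write(p, "#!/bin/sh\nexit 0\n", 0o644)
        cases["no_exec_bit"] = _exec_errno(p)

        # Unknown format: no binfmt handler accepts it (ENOEXEC). This is decided inside
        # exec_binprm, so it is within reach of the hooks described above.
        p = os.path.join(workdir, "bad-format")
        _write(p, "this is neither an ELF image nor a #! script\n", 0o755)
        cases["bad_format"] = _exec_errno(p)

        # Missing interpreter: the script handler opens the interpreter and fails (ENOENT)
        # from inside exec_binprm. Same errno as the first case, different stage.
        p = os.path.join(workdir, "missing-interp")
        interp = os.path.join(workdir, "no-such-interpreter")
        _write(p, "#!" + interp + "\nexit 0\n", 0o755)
        cases["missing_interpreter"] = _exec_errno(p)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return cases


if __name__ == "__main__":
    for case, err in probe_exec_failures().items():
        print(f"{case:20s} {err}")
```

Run it while tracee -e process_execute_failed is active: by the caveat above, only the last two cases should produce an event, and the two ENOENT cases let you confirm which one the hook sees.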

Related Events

execve, execveat, bprm_check, sched_process_exec