Security Events¶
Understanding Signatures in Tracee¶
In Tracee, a signature is a set of criteria designed to detect specific system activities based on events such as syscalls, network interactions, and LSM hook occurrences. When these foundational system events align with the conditions set by a signature, Tracee generates a corresponding "security event." This process enables Tracee to actively monitor and report potential security concerns arising from observed system interactions.
Functionality and Scope of Signatures¶
The signatures documented herein focus on key system operations. For instance,
one signature identifies attempts to manipulate the syscall tables or the
/proc filesystem, operations that are indicative of rootkit behaviors. Another
detects the dynamic introduction of new executables into the system, flagging
potential security issues. Upon a match, these signatures prompt Tracee to
produce a security event, capturing the specifics of the underlying event and
any associated implications.
The Role of Security Events in Tracee¶
Security events play a critical role in maintaining system integrity. They provide an analytical layer, translating raw events like syscalls into actionable insights about potential threats or anomalies. With the power of eBPF, Tracee efficiently monitors system activities in real-time, generating security events that equip users with the information they need to assess and respond to the state of their digital environments.
Be Prepared!¶
For optimal utilization of Tracee and effective response to potential threats, we strongly recommend readers to meticulously review each security event documentation page.
A good understanding of what each signature detects will empower users to make informed decisions and take appropriate actions when a security event arises. Being well-versed in the nuances of each signature ensures that you're not just alerted to risks, but also equipped to address them effectively.
List of Default Security Events¶
| Name of Signature | Description |
|---|---|
| Anti-Debugging Technique | Detects anti-debugging techniques. |
| ASLR Inspection | Detects ASLR inspections. |
| Cgroups notify_on_release File Modification | Monitors notify_on_release file changes in cgroups. |
| Cgroups Release Agent File Modification | Detects changes to the cgroup release_agent. |
| Core Dumps Config File Modification | Monitors core dump configuration alterations. |
| Default Dynamic Loader Modification | Tracks changes to the default binary loader. |
| Container Device Mount | Detects unauthorized container device mounts. |
| Docker Socket Abuse | Flags potential Docker socket misuse. |
| Dropped Executables | Detects runtime-dropped executables. |
| Dynamic Code Loading | Monitors dynamic code loading events. |
| Fileless Execution | Flags fileless execution techniques. |
| Hidden Executable File Creation | Detects creation of hidden executable files. |
| Illegitimate Shell | Flags unauthorized or unexpected shell executions. |
| Kernel Module Loading | Monitors kernel module load events. |
| Kubernetes API Server Connection | Detects connections to the Kubernetes API server. |
| Kubernetes TLS Certificate Theft | Flags potential theft of Kubernetes certificates. |
| LD_PRELOAD Code Injection | Monitors LD_PRELOAD injection attempts. |
| File Operations Hooking on Proc Filesystem | Detects hooks on file operations in /proc. |
| Kcore Memory File Read | Monitors reads of /proc/kcore. |
| Process Memory Access | Flags unauthorized /proc/mem access. |
| Procfs Mem Code Injection | Detects code injections via /proc/mem. |
| Process VM Write Code Injection | Monitors injections via process_vm_writev. |
| Ptrace Code Injection | Detects ptrace-facilitated code injections. |
| RCD Modification | Monitors changes to the remote control daemon. |
| Sched Debug Reconnaissance | Flags /proc/sched_debug reconnaissance. |
| Scheduled Tasks Modification | Tracks modifications to scheduled tasks. |
| Process Standard Input/Output over Socket | Detects IO redirection over sockets. |
| Sudoers File Modification | Monitors alterations to the sudoers file. |
| Syscall Table Hooking | Detects syscall table hook attempts. |
| System Request Key Configuration Modification | Monitors system request key configuration changes. |