getgroups16 - returns the supplementary group IDs of the calling process.
getgroups16 is a syscall used to retrieve a list of supplementary group IDs of the calling process. This list is stored as an array of group IDs, with a size given by the first parameter. This array is written to the second parameter. The syscall is equivalent to calling getgroups() with a maximum of 16 entries in the array.
If the flag parse-arguments is given, the list is parsed and written to a buffer containing a null-terminated array of strings, delimited by index numbers. This allows for a more user-friendly representation of the output. This can be useful when kprobing code related to supplementary groups.
int[K] - number of entries in the supplementary group array. If parse-arguments is given, this is the maximum length of the output buffer.
old_gid_t*[K] - pointer to the array in which the list of group IDs is stored. If parse-arguments is given, this is a pointer to the output buffer.
- K - Originated from kernel-space.
Hooking getgroups16 allows for recording when the process attempts to fetch its supplementary group IDs. By observing when and where this happens, performance and security issues can be detected, such as authentication problems, or attempts to access data that the user should not have access to, violating the principle of least privilege.
Example Use Case
getgroups16 can be used to watch for processes that fetch their supplementary group IDs and to make sure that those calls happen when expected, such as during authentication. It can help identify processes that use supplementary groups in ways that were not intended, and it gives detailed information about where and when this happens.
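One way to apply this use case to captured events, as an added example that is not part of Tracee or of the original page: it reads JSON event lines, keeps getgroups16 calls made by processes outside an expected set, and records failed calls and repeat callers. The field names (eventName, processName, processId, userId, returnValue), the expected-process list and the sample events are assumptions constructed for the example.

```python
import json
from collections import Counter

# Assumption: process names expected to query group membership (authentication paths).
EXPECTED = {"sshd", "login", "su", "sudo"}

# Constructed sample events, one JSON object per line. The field names are
# assumed to match the JSON output of the Tracee version in use.
SAMPLE_EVENTS = """\
{"processName": "sshd", "processId": 812, "userId": 0, "eventName": "getgroups16", "returnValue": 3}
{"processName": "backup.sh", "processId": 4410, "userId": 1001, "eventName": "getgroups16", "returnValue": 5}
{"processName": "backup.sh", "processId": 4410, "userId": 1001, "eventName": "openat", "returnValue": 4}
not-json
{"processName": "worker", "processId": 5120, "userId": 33, "eventName": "getgroups16", "returnValue": -14}
{"processName": "backup.sh", "processId": 4410, "userId": 1001, "eventName": "getgroups16", "returnValue": 5}
"""

def review_getgroups16(lines, expected=EXPECTED):
    """Return (findings, skipped) for getgroups16 calls made by unexpected processes."""
    findings, skipped, calls = [], 0, Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count unparseable lines instead of silently losing them
            continue
        if not isinstance(ev, dict) or ev.get("eventName") != "getgroups16":
            continue
        name = ev.get("processName", "?")
        if name in expected:
            continue
        calls[(name, ev.get("processId"))] += 1
        ret = ev.get("returnValue")
        ok = isinstance(ret, int) and ret >= 0
        findings.append({
            "process": name, "pid": ev.get("processId"), "uid": ev.get("userId"),
            "groups": ret if ok else None,  # non-negative return = number of group IDs
            "failed": not ok,               # negative return = the call failed
            "call_no": calls[(name, ev.get("processId"))],
        })
    return findings, skipped

if __name__ == "__main__":
    found, bad = review_getgroups16(SAMPLE_EVENTS.splitlines())
    for f in found:
        print(f)
    print("unparseable lines:", bad)
```
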
parse-arguments has not been tested thoroughly, so any issues while using it should be reported in order to ensure that the user gets the expected output.
getgroups() - similar to getgroups16, but with a higher (32) limit for supplementary group IDs.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.