-
Hi Kfir, thanks for this awesome utility. It helped me a lot.
Your utility, execmon, works well on kernels up till 4.5. I'd tested it on Ubuntu 16.04 with kernel 4.4.
Till kernel 4.5, assembly st…
-
read HOME dir through
```bash
/usr/bin/getent passwd $UID | cut -d: -f6
```
The UID could be obtained through sig info or, even easier:
the `/usr/bin/id` call to `execve` gives the UID as the first entry.
-
Hi there,
From what I understand on how firejail is working:
* (from documentation):
> if the blocked system calls would also block Firejail from operating, they are handled by adding a
> …
-
|Wazuh version|Component|Install type|Install method|Platform|
|---|---|---|---|---|
| 4.3.0 | Analysisd | Manager | Packages/Sources | OS version |
There is a bug when working with sibling decod…
-
Higher network latency and higher CPU usage after installing auditbeat
Are there any solutions to reduce network latency and CPU usage?
Here is my config file
auditbeat.yml
```yaml
rate_limit: 1024
…
```
-
I want an `execve` to be blocked only in the subprocess NsJail creates. However, the seccomp filter seems to affect the NsJail process itself too. A seccomp violation is triggered before the subproces…
-
## Current situation
The current situation is that in some gadgets (e.g. exec) we get the path to the file of the process, but in most gadgets we don't.
## Impact
We need the path for many use …
-
|Wazuh version| Component | Action type |
|---| --- | --- |
| 4.3.8 | Decoders | Error/Improve |
## Description
A user reported that an `auditd` log was not being correctly decoded, after doin…
-
chdir and related syscalls are emulated so changes to the tracee cwd are not tracked. Since almost all syscalls depending on the cwd are also emulated, as far as I know, tracee replay behavior only de…
-
Hey!
First of all, I'm really not sure on which side this issue actually is, nor whether this is a "supported" scenario at all.
In [systemd](https://github.com/systemd/systemd) when we test *everythin…