WhiteBeamSec / WhiteBeam

WhiteBeam: Transparent endpoint security

Linux LD_PRELOAD/LD_AUDIT library: Missing program name #44

Open noproto opened 2 years ago

noproto commented 2 years ago

Some executables are missing a name in log files and baselines (missing WB_PROG environment variable?).

Erroneous output:

| Detection: executed /usr/lib/ubuntu-advantage/apt-esm-hook (VerifyCanExecute) | 3 |
| Detection: accessed file with invalid file hash /usr/lib/ubuntu-advantage/apt-esm-hook (VerifyFileHash) | 3 |

Expected output:

| Detection: /opt/WhiteBeam/whitebeam executed /lib/x86_64-linux-gnu/libnss_dns.so.2 (la_objsearch)                                                              | 1     |
| Detection: /opt/WhiteBeam/whitebeam executed /lib/x86_64-linux-gnu/libnss_files.so.2 (la_objsearch)                                                            | 1     |

noproto commented 2 years ago

Going to switch to getauxval of AT_EXECFN instead of using procfs, which should fix other issues too.
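
The approach named in the last comment, as an added example that is not WhiteBeam's code: the program name is read from the auxiliary vector with `getauxval(AT_EXECFN)`, and procfs is consulted only as a fallback. The names `absolutize` and `program_name` are hypothetical, and anchoring a relative `AT_EXECFN` to the current directory is an assumption that holds only while the working directory is unchanged since `execve()`, for example in a library constructor.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

enum name_src { SRC_NONE = 0, SRC_AUXV = 1, SRC_PROCFS = 2 };

/* AT_EXECFN is the pathname passed to execve(), so it may be relative.
 * Join it to cwd without touching the filesystem (no symlink resolution). */
static int absolutize(const char *execfn, const char *cwd, char *out, size_t len)
{
    int n;
    if (execfn == NULL || execfn[0] == '\0')
        return -1;
    if (execfn[0] == '/')
        n = snprintf(out, len, "%s", execfn);
    else if (cwd != NULL && cwd[0] == '/')
        n = snprintf(out, len, "%s%s%s", cwd, cwd[1] ? "/" : "", execfn);
    else
        return -1;
    return (n < 0 || (size_t)n >= len) ? -1 : 0; /* reject truncated names */
}

/* Fill out with the program name and report which source supplied it. */
static enum name_src program_name(char *out, size_t len)
{
    char cwd[4096];
    const char *execfn = (const char *)getauxval(AT_EXECFN); /* 0 if absent */
    ssize_t n;

    if (len == 0) return SRC_NONE;
    if (absolutize(execfn, getcwd(cwd, sizeof cwd), out, len) == 0)
        return SRC_AUXV;
    /* Fallback: procfs, unavailable when /proc is unmounted or restricted. */
    n = readlink("/proc/self/exe", out, len - 1);
    if (n > 0) {
        out[n] = '\0';
        return SRC_PROCFS;
    }
    out[0] = '\0';
    return SRC_NONE; /* caller should log an explicit "unknown" marker */
}

int main(void)
{
    char name[4096];
    enum name_src src = program_name(name, sizeof name);
    printf("source=%d program=%s\n", (int)src, name);
    return src == SRC_NONE;
}
```

Returning the source alongside the name lets a log line distinguish an auxv-derived name from a procfs-derived one, and makes an empty name an explicit state rather than a silently missing field.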