Open gabriellandau opened 3 days ago
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
@andrewkroh said that go-sysinfo has similar code which can likely be improved: https://github.com/elastic/go-sysinfo/blob/323c852f7ef4e11d668f3eb99ecaf9c6baa967c9/providers/windows/process_windows.go#L266-L285
FYI @VihasMakwana since you have been addressing some of the other unnecessary sources of errors in the system module.
MetricBeat uses gosigar for ProcMem and ProcArgs. Both of these calls request `PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ`, which can trigger credential dumping false positives in third-party security software. We can avoid this problem with two simple changes, reducing SDH, customer headache, and vulnerabilities/blindspots created through customer exceptions in their security software. As a benefit, we'll be able to collect some data that we couldn't collect previously.

ProcMem::Get()

`ProcMem::Get()` requests `PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ` here. The handle is for `GetProcessMemoryInfo`. The docs for `GetProcessMemoryInfo` state that `PROCESS_VM_READ` is only needed for XP and Server 2003. Agent no longer supports either of those platforms, so let's stop requesting/requiring `PROCESS_VM_READ`.

Another important point is that we will never successfully acquire a `PROCESS_VM_READ` handle on any Protected Process or PPL, meaning this function will always fail on those processes. Since it's unnecessary for `GetProcessMemoryInfo`, this function is failing needlessly on such processes. As a simple test for this, check whether you are getting memory information for `services.exe`, which always runs as PPL.

ProcArgs::Get()

`ProcArgs::Get()` requests `PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ` here. `lsass.exe` never has a meaningful command line (screenshot below), so can we skip calling `ProcArgs::Get()` on `lsass.exe`? Its PID can be found in the registry. We can query that value once and cache the value because it will never change until reboot. This LSA exclusion logic may be better put outside of gosigar itself.
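The two checks proposed in the issue, as an added PowerShell example that is not gosigar, Beats or go-sysinfo code: open `services.exe` (always PPL) once with `PROCESS_QUERY_LIMITED_INFORMATION` alone and once with `PROCESS_VM_READ` added, and compare whether `GetProcessMemoryInfo` succeeds; then read the LSA PID from the registry a single time so `lsass.exe` can be skipped without opening it. The registry value name `LsaPid` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` is taken from Windows, not from the issue text; the type name `ProcProbe` and its `WorkingSet` helper are this example's own. Run it from an elevated PowerShell prompt on a supported Windows version.

```powershell
# Added example (not project code). Probes the access rights discussed in the issue.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class ProcProbe
{
    public const uint PROCESS_VM_READ                  = 0x0010;
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

    // PROCESS_MEMORY_COUNTERS as documented for GetProcessMemoryInfo (psapi).
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_MEMORY_COUNTERS
    {
        public uint cb;
        public uint PageFaultCount;
        public UIntPtr PeakWorkingSetSize;
        public UIntPtr WorkingSetSize;
        public UIntPtr QuotaPeakPagedPoolUsage;
        public UIntPtr QuotaPagedPoolUsage;
        public UIntPtr QuotaPeakNonPagedPoolUsage;
        public UIntPtr QuotaNonPagedPoolUsage;
        public UIntPtr PagefileUsage;
        public UIntPtr PeakPagefileUsage;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool GetProcessMemoryInfo(IntPtr hProcess, out PROCESS_MEMORY_COUNTERS counters, uint cb);

    // Opens 'pid' with exactly 'access', queries memory counters, and returns the
    // working set in bytes. Returns -1 and sets 'err' to the Win32 error on failure.
    public static long WorkingSet(uint pid, uint access, out int err)
    {
        err = 0;
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) { err = Marshal.GetLastWin32Error(); return -1; }
        try
        {
            PROCESS_MEMORY_COUNTERS pmc;
            uint size = (uint)Marshal.SizeOf(typeof(PROCESS_MEMORY_COUNTERS));
            if (!GetProcessMemoryInfo(h, out pmc, size)) { err = Marshal.GetLastWin32Error(); return -1; }
            return (long)pmc.WorkingSetSize.ToUInt64();
        }
        finally { CloseHandle(h); }
    }
}
"@

# 1) ProcMem check: services.exe is always PPL, so the VM_READ open is expected to
#    fail with ERROR_ACCESS_DENIED (5) while QUERY_LIMITED alone still yields counters.
$servicesPid = (Get-Process -Name services).Id
$cases = @(
    @{ Name = 'QUERY_LIMITED only';      Access = [ProcProbe]::PROCESS_QUERY_LIMITED_INFORMATION },
    @{ Name = 'QUERY_LIMITED | VM_READ'; Access = ([ProcProbe]::PROCESS_QUERY_LIMITED_INFORMATION -bor [ProcProbe]::PROCESS_VM_READ) }
)
foreach ($case in $cases) {
    $err = 0
    $ws = [ProcProbe]::WorkingSet([uint32]$servicesPid, [uint32]$case.Access, [ref]$err)
    if ($ws -ge 0) { "{0,-24} services.exe ({1}): working set {2:N0} bytes" -f $case.Name, $servicesPid, $ws }
    else           { "{0,-24} services.exe ({1}): failed, Win32 error {2}"   -f $case.Name, $servicesPid, $err }
}

# 2) ProcArgs exclusion: read the LSA PID from the registry once and cache it; it
#    does not change until reboot, so no handle to lsass.exe is ever needed.
$script:LsaPid = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LsaPid
function Test-SkipProcArgs([uint32]$ProcessId) { return ($ProcessId -eq $script:LsaPid) }

"Cached LSA PID from registry: $script:LsaPid (Get-Process reports $((Get-Process -Name lsass).Id))"
"Skip ProcArgs for lsass?    $(Test-SkipProcArgs $script:LsaPid)"
"Skip ProcArgs for services? $(Test-SkipProcArgs $servicesPid)"
```

If the first case prints a working set and the second prints error 5, the host confirms the issue's claim: the memory counters never required `PROCESS_VM_READ`, and requesting it is what makes collection fail on PPL processes. The `Test-SkipProcArgs` lookup is the cached-PID comparison the issue suggests placing outside gosigar; callers decide before any `OpenProcess` call, so no handle request reaches `lsass.exe` at all.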