NoteThe Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.
|
Represents a set of processes.
Tag Attributes
These are XML attributes of the tag itself, as opposed to the attributes of the Entity
monitored by Integrity Monitoring Rules.
Attribute
|
Description
|
Required
|
Default Value
|
Allowed Values
|
onChange
|
Will be monitored in real time
|
No
|
false
|
true, false
|
Entity Set Attributes
These are the attributes of the Entity that can be monitored by Integrity Monitoring
Rules.
-
CommandLine: The full command-line as shown by "ps -f" (Unix), "ps w" (Linux), or Process Explorer (Windows).
-
Group: The group under which the process is running.
-
Under Unix this is the "effective" group ID of the process, which determines shared resource access and, in some cases, file access. Group ID can change if the process drops privileges or otherwise switches its effective group credentials. For example, a program could change group IDs temporarily and obtain write privileges to copy installation files into a directory where the user has read-only privileges.
-
On Windows this is the “current" Primary Group of the process as established by a user-specific access token created at login, which sets access and resource privileges for the user and any processes they execute.
Note
In addition to a Primary Group, Windows processes typically have one or more additional group credentials associated with them. These additional group credentials are not monitored by the Agent – they can be viewed in the Security tab of the process properties in Process Explorer.
-
-
Parent: The PID of the process that created this process.
-
Path: The full path to the binary of the process. On Windows, this comes from the GetModuleFileNameEx() API. On Linux and Solaris 10, it comes from reading the symlink /proc/{pid}/exe or /proc/{pid}/path/a.out respectively. (Not available on Solaris 9 and AIX.)
-
Process: The short name of the process binary (no path). For example, for "c:\windows\notepad.exe" it would be "notepad.exe" and for "/usr/local/bin/httpd" it would be "httpd".
-
Threads: The number of threads currently executing in the process.
-
User: The user under which the process is running. Under Unix this is the "effective" user ID of the process, which can change over time if the process drops privileges or otherwise switches its effective user credentials.
Short Hand Attributes
- STANDARD: CommandLine, Group, Parent, Path (where available), Process User
Meaning of "Key"
The key is a combination of the "Process" attribute (the short name of the executable)
and the PID. The PID is appended to the name with a path separator in between, ex.
notepad.exe\1234 on Windows and httpd/1234 on Unix. The use of the path separator
is to allow include or exclude matching of key="abc//" to work as expected.
Sub Elements
- Include
- Exclude
See Integrity monitoring rules language for a general description of include for their allowed attributes and sub elements.
Only information specific to includes and excludes relating to this EntitySet class
are included here.
Special attributes of Include and Exclude for ProcessSets
The following example would monitor the set of running processes for notepad.exe regardless
of the PID.
<ProcessSet> <include key="notepad.exe\/" /> </ProcessSet>
Various other attributes of a process can be used in include and exclude feature tests.
The feature tests support Unix glob-style wildcarding with /* and ?, and there is
no normalization of path separators or other characters - it is a simple glob-style
match against the value of the attribute.
CommandLine: Checks for a wildcard match against the commandLine attribute of the process. The
following example would monitor any process whose command-line matches "/httpd /":
<ProcessSet> <include commandLine="/httpd /" /> </ProcessSet>
Group: Checks for a wildcard match against the group attribute of the process. The text
version of the group name is used rather than the numeric form: use "daemon" rather
than "2" to test for the daemon group on Linux. The following example would monitor
any process running as one of the groups root, daemon, or lp:
<ProcessSet> <include group="root" /> <include group="daemon" /> <include group="lp" /> </ProcessSet>
Path: Checks for a wildcard match against the path attribute of the process. The path
attribute is not available on some platforms. The following example would monitor
any process whose binary resides under System32:
<ProcessSet> <include path="/\System32\/" /> </ProcessSet>
User: Checks for a wildcard match against the user attribute of the process. The text
version of the user name is used rather than the numeric form: use "root" rather than
"0" (zero) to test for the superuser on Unix. The following example would monitor
any process running as one of the built in system users (ex. NT AUTHORITY\SYSTEM,
NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE):
<ProcessSet> <include user="NT AUTHORITY\/" /> </ProcessSet>