[auditd-sus-exec] False positives for wrapped executables on NixOS #1116

Open
poperigby opened this issue Sep 17, 2024 · 0 comments

@poperigby
Describe the bug
On NixOS, certain executables are wrapped, meaning the executable in PATH is just a symlink to an executable named in the following way /nix/store/<hash>/bin/.<program>-wrapped. As you can see, this will cause auditd-sus-exec to trigger because the name of the executable starts with a .

To Reproduce

  1. cscli collections install crowdsecurity/auditd
  2. nix run nixpkgs#bat

Expected behavior
auditd-sus-exec is not triggered

Additional context

Here's the output of cscli inspect -d <id> after running the reproduction steps:

################################################################################################

 - ID           : 57019
 - Date         : 2024-09-17T20:27:34Z
 - Machine      : haddock
 - Simulation   : false
 - Reason       : crowdsecurity/auditd-sus-exec
 - Events Count : 1
 - Scope:Value  : pid:1490985
 - Country      :
 - AS           :
 - Begin        : 2024-09-17 20:27:33.593681519 +0000 UTC
 - End          : 2024-09-17 20:27:33.593681569 +0000 UTC
 - UUID         : 135593bd-676f-43e6-b402-22e2a66ba0f6


 - Events  :

- Date: 2024-09-17 13:27:33 -0700 -0700
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│       Key       │                             Value                            │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ auditd_eventid  │ 390521                                                       │
│ auid            │ 1000                                                         │
│ comm            │ .bat-wrapped                                                 │
│ datasource_path │ /var/log/audit/audit.log                                     │
│ datasource_type │ file                                                         │
│ euid            │ 1000                                                         │
│ exe             │ /nix/store/vgrwgqhsyw7ghcyirfbp3jdn3frjz6ms-bat-0.24.0/bin/. │
│                 │ bat-wrapped                                                  │
│ gid             │ 100                                                          │
│ log_type        │ execve                                                       │
│ pid             │ 1491779                                                      │
│ ppid            │ 1490985                                                      │
│ ses             │ 13                                                           │
│ str_GID         │ users                                                        │
│ str_UID         │ cassidy                                                      │
│ subj            │ kernel                                                       │
│ timestamp       │ 2024-09-17T13:27:33-07:00                                    │
│ tty             │ pts1                                                         │
│ uid             │ 1000                                                         │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
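The following is an added illustration of the classification the report describes, not code from CrowdSec or from the reporter: a hidden-executable check over parsed auditd execve fields, with an exemption for the NixOS wrapper convention that is anchored on the full `/nix/store` path rather than on the dot-prefixed basename alone. The heuristic and the store-path regular expression are assumptions derived from the issue text; the real `crowdsecurity/auditd-sus-exec` scenario may differ.

```python
import re
from dataclasses import dataclass

# Assumed heuristic, modelled on the issue text: an execve whose executable
# basename starts with "." is suspicious. The real auditd-sus-exec scenario
# may use different conditions; this is an illustration only.

# Assumed NixOS wrapper pattern, derived from the path in the report:
#   /nix/store/<32-char hash>-<name>/bin/.<program>-wrapped
NIX_WRAPPED_RE = re.compile(r"^/nix/store/[0-9a-z]{32}-[^/]+/bin/\.[^/]+-wrapped$")


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def classify_exec(event: dict) -> Verdict:
    """Classify one parsed auditd execve event (field names as in cscli's table)."""
    exe = event.get("exe", "")
    comm = event.get("comm", "")
    basename = exe.rsplit("/", 1)[-1] if exe else comm
    if not basename.startswith("."):
        return Verdict(False, "executable name is not hidden")
    # Exempt wrapped executables only when the whole path lives in /nix/store,
    # so a dot-prefixed name elsewhere on the filesystem still alerts.
    if NIX_WRAPPED_RE.match(exe):
        return Verdict(False, "NixOS wrapped executable in /nix/store")
    return Verdict(True, f"hidden executable name: {basename}")


# Constructed sample events; the first uses the exe path shown in the report.
SAMPLE_EVENTS = [
    {"comm": ".bat-wrapped", "log_type": "execve",
     "exe": "/nix/store/vgrwgqhsyw7ghcyirfbp3jdn3frjz6ms-bat-0.24.0/bin/.bat-wrapped"},
    {"comm": "ls", "log_type": "execve", "exe": "/run/current-system/sw/bin/ls"},
    {"comm": ".x", "log_type": "execve", "exe": "/tmp/.x"},
    {"comm": ".foo-wrapped", "log_type": "execve", "exe": "/home/user/.foo-wrapped"},
]


def run(events):
    """Return (exe, suspicious) pairs for a list of events."""
    return [(e["exe"], classify_exec(e).suspicious) for e in events]


if __name__ == "__main__":
    for exe, sus in run(SAMPLE_EVENTS):
        print(f"{'ALERT' if sus else 'ok   '} {exe}")
```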