Generating Seccomp BPF Filters with libbseccomp in Go
// +build linux
package main
import (
"log"
"os"
Andrew Kroh andrewkroh
View auditbeat-seccom-x86_64.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| seccomp: | |
| default_action: errno | |
| syscalls: | |
| - names: | |
| - accept | |
| - accept4 | |
| - arch_prctl | |
| - bind | |
| - brk | |
| - clone |
View analyzing-bpf.md
View seccomp-violation.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "@timestamp": "2018-04-08T19:29:14.461Z", | |
| "@metadata": { | |
| "beat": "auditbeat", | |
| "type": "doc", | |
| "version": "6.2.2" | |
| }, | |
| "event": { | |
| "action": "violated-seccomp-policy", | |
| "module": "auditd", |
View socket.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <libproc.h> | |
| #include <sys/proc_info.h> | |
| static const char* USAGE = "Usage: %s pid\n"; | |
| static const char* INVALID_PID = "Invalid pid: %s\n"; | |
| static const char* UNABLE_TO_GET_PROC_FDS = "Unable to get open file handles for %d\n"; | |
| static const char* OUT_OF_MEMORY = "Out of memory. Unable to allocate buffer with %d bytes\n"; |
View gist:f49a0f4d5df4396a38007f067c0a4e86
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am andrewkroh on github. | |
| * I am andrewkroh (https://keybase.io/andrewkroh) on keybase. | |
| * I have a public key whose fingerprint is 3244 3ADF 2BE8 47C2 B49D 729B 0558 8481 AB5B 6468 | |
| To claim this, I am signing this object: |
andrewkroh
/ main.go
Created Sep 20, 2017
Go seccomp-bpf example using Google Kafel to generate BPF filter
View main.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "errors" | |
| "log" | |
| "os/exec" | |
| "syscall" | |
| "unsafe" | |
| ) |
View aws-sns.groovy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Amazon SNS Event Publisher | |
| * | |
| * Copyright 2016 Andrew Kroh | |
| */ | |
| import java.text.DateFormat | |
| import java.text.SimpleDateFormat | |
| import javax.crypto.Mac | |
| import javax.crypto.spec.SecretKeySpec |
View elasticsearch.groovy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Elasticsearch Event Publisher | |
| * | |
| * Copyright 2017 Andrew Kroh | |
| */ | |
| import java.text.DateFormat; | |
| import java.text.SimpleDateFormat; | |
| definition( |
andrewkroh
/ Microsoft-Windows-FileInfoMinifilter.txt
Last active Jan 7, 2022
Microsoft-Windows-FileInfoMinifilter Messages from Windows 2012 Server
View Microsoft-Windows-FileInfoMinifilter.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Id : 1 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, fi:FileNameCreate} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> |
andrewkroh
/ Microsoft-Windows-Security-Auditing.txt
Created Feb 2, 2017
Microsoft-Windows-Security-Auditing Messages from Windows 2012 Server
View Microsoft-Windows-Security-Auditing.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Id : 4608 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {} | |
| Template : |