Andrew Kroh andrewkroh

andrewkroh / auditbeat-seccom-x86_64.yml
Last active Apr 23, 2018
Elastic Beat Seccomp Profiles
seccomp:
  default_action: errno
  syscalls:
  - names:
    - accept
    - accept4
    - arch_prctl
    - bind
    - brk
    - clone
andrewkroh / analyzing-bpf.md
Created Apr 9, 2018
Seccomp BPF Filter Analysis in Go
Generating Seccomp BPF Filters with libseccomp in Go

// +build linux

package main

import (
	"log"
	"os"
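The profile above allows a named set of syscalls and returns errno for everything else, and the gist after it analyses the BPF such a profile turns into. The following Go program is an added example, not code from either gist or from the Beats project: it builds an allowlist filter by hand in the shape libseccomp emits (architecture check, one compare per allowed syscall number, default action), then runs a small classic-BPF interpreter over it with constructed seccomp_data values to verify which syscalls the filter actually permits. The SockFilter and SeccompData types mirror the kernel structs so the program runs on any OS without installing the filter; the x86_64 syscall numbers for the six names in the preview are a hardcoded table, and the 250-entry limit is an assumption that follows from the 8-bit jump offsets.

```go
package main

import (
	"errors"
	"fmt"
)

// SockFilter mirrors the kernel's struct sock_filter (one classic BPF instruction).
type SockFilter struct {
	Code uint16
	Jt   uint8
	Jf   uint8
	K    uint32
}

// SeccompData mirrors struct seccomp_data, the input every seccomp filter reads.
type SeccompData struct {
	Nr   int32
	Arch uint32
	IP   uint64
	Args [6]uint64
}

const (
	ldWAbs = 0x20 // BPF_LD | BPF_W | BPF_ABS
	jeqK   = 0x15 // BPF_JMP | BPF_JEQ | BPF_K
	retK   = 0x06 // BPF_RET | BPF_K

	AuditArchX8664 = 0xC000003E // AUDIT_ARCH_X86_64
	RetKillProcess = 0x80000000 // SECCOMP_RET_KILL_PROCESS
	RetErrno       = 0x00050000 // SECCOMP_RET_ERRNO, errno value in the low 16 bits
	RetAllow       = 0x7FFF0000 // SECCOMP_RET_ALLOW
	RetData        = 0x0000FFFF // SECCOMP_RET_DATA
	EPERM          = 1
)

// BuildAllowlist emits the equivalent of "default_action: errno" plus an allowlist:
// check the arch (syscall numbers differ per ABI, so a foreign arch is killed),
// compare nr against each allowed number, otherwise return errno.
func BuildAllowlist(arch uint32, nrs []uint32, errno uint32) ([]SockFilter, error) {
	n := len(nrs)
	if n > 250 { // assumption: keep the compare chain within 8-bit jump offsets
		return nil, errors.New("too many syscalls for one compare chain")
	}
	prog := []SockFilter{
		{Code: ldWAbs, K: 4},                          // A = seccomp_data.arch
		{Code: jeqK, K: arch, Jt: 0, Jf: uint8(n + 3)}, // mismatch -> kill (last insn)
		{Code: ldWAbs, K: 0},                          // A = seccomp_data.nr
	}
	for i, nr := range nrs { // match -> jump to the RetAllow instruction
		prog = append(prog, SockFilter{Code: jeqK, K: nr, Jt: uint8(n - i), Jf: 0})
	}
	return append(prog,
		SockFilter{Code: retK, K: RetErrno | (errno & RetData)}, // default action
		SockFilter{Code: retK, K: RetAllow},
		SockFilter{Code: retK, K: RetKillProcess},
	), nil
}

// load returns the 32-bit word at byte offset off of seccomp_data, little-endian.
func load(d SeccompData, off uint32) (uint32, error) {
	switch {
	case off == 0:
		return uint32(d.Nr), nil
	case off == 4:
		return d.Arch, nil
	case off == 8 || off == 12:
		return uint32(d.IP >> (8 * (off - 8))), nil
	case off >= 16 && off < 64 && off%4 == 0:
		return uint32(d.Args[(off-16)/8] >> (8 * ((off - 16) % 8))), nil
	}
	return 0, fmt.Errorf("load: bad offset %d", off)
}

// Run interprets prog against d as the kernel would and returns the SECCOMP_RET_*
// action. Only the opcodes BuildAllowlist emits are implemented.
func Run(prog []SockFilter, d SeccompData) (uint32, error) {
	var a uint32
	for pc := 0; pc < len(prog); pc++ {
		ins := prog[pc]
		switch ins.Code {
		case ldWAbs:
			v, err := load(d, ins.K)
			if err != nil {
				return 0, err
			}
			a = v
		case jeqK: // jump targets are relative to the next instruction
			if a == ins.K {
				pc += int(ins.Jt)
			} else {
				pc += int(ins.Jf)
			}
		case retK:
			return ins.K, nil
		default:
			return 0, fmt.Errorf("unsupported opcode 0x%02x at %d", ins.Code, pc)
		}
	}
	return 0, errors.New("filter fell off the end")
}

// AllowedNrs brute-forces every syscall number up to limit and reports those the
// filter lets through for arch: the review check for a profile that is too wide.
func AllowedNrs(prog []SockFilter, arch uint32, limit int32) ([]int32, error) {
	var out []int32
	for nr := int32(0); nr <= limit; nr++ {
		act, err := Run(prog, SeccompData{Nr: nr, Arch: arch})
		if err != nil {
			return nil, err
		}
		if act == RetAllow {
			out = append(out, nr)
		}
	}
	return out, nil
}

func main() {
	// x86_64 numbers for accept, accept4, arch_prctl, bind, brk, clone (constructed table).
	prog, err := BuildAllowlist(AuditArchX8664, []uint32{43, 288, 158, 49, 12, 56}, EPERM)
	if err != nil {
		panic(err)
	}
	allowed, _ := AllowedNrs(prog, AuditArchX8664, 400)
	fmt.Println("x86_64 syscalls the filter allows:", allowed)
	act, _ := Run(prog, SeccompData{Nr: 59, Arch: AuditArchX8664}) // execve
	fmt.Printf("execve -> 0x%08x (SECCOMP_RET_ERRNO|EPERM)\n", act)
}
```

The interpreter is what makes the profile reviewable: rather than reading a compare chain by eye, enumerate the numbers it allows and diff that against the intended allowlist. The same loop can be pointed at a filter dumped from a real process, provided the extra opcodes libseccomp may emit (JGE/JGT for binary-search trees, argument compares) are added to Run.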
andrewkroh / seccomp-violation.json
Created Apr 8, 2018
Auditbeat Event for a Seccomp Violation
{
  "@timestamp": "2018-04-08T19:29:14.461Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "6.2.2"
  },
  "event": {
    "action": "violated-seccomp-policy",
    "module": "auditd",
andrewkroh / socket.c
Last active Apr 11, 2019
Socket info on BSD
#include <stdio.h>
#include <stdlib.h>
#include <libproc.h>
#include <sys/proc_info.h>
static const char* USAGE = "Usage: %s pid\n";
static const char* INVALID_PID = "Invalid pid: %s\n";
static const char* UNABLE_TO_GET_PROC_FDS = "Unable to get open file handles for %d\n";
static const char* OUT_OF_MEMORY = "Out of memory. Unable to allocate buffer with %d bytes\n";
andrewkroh / gist:f49a0f4d5df4396a38007f067c0a4e86
### Keybase proof
I hereby claim:
* I am andrewkroh on github.
* I am andrewkroh (https://keybase.io/andrewkroh) on keybase.
* I have a public key whose fingerprint is 3244 3ADF 2BE8 47C2 B49D 729B 0558 8481 AB5B 6468
To claim this, I am signing this object:
andrewkroh / main.go
Created Sep 20, 2017
Go seccomp-bpf example using Google Kafel to generate BPF filter
package main

import (
	"errors"
	"log"
	"os/exec"
	"syscall"
	"unsafe"
)
andrewkroh / aws-sns.groovy
Created Mar 23, 2017
AWS SNS Output for SmartThings
/**
* Amazon SNS Event Publisher
*
* Copyright 2016 Andrew Kroh
*/
import java.text.DateFormat
import java.text.SimpleDateFormat
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
andrewkroh / elasticsearch.groovy
Created Mar 23, 2017
Elasticsearch Output for SmartThings Events
/**
* Elasticsearch Event Publisher
*
* Copyright 2017 Andrew Kroh
*/
import java.text.DateFormat;
import java.text.SimpleDateFormat;
definition(
andrewkroh / Microsoft-Windows-FileInfoMinifilter.txt
Last active Jan 7, 2022
Microsoft-Windows-FileInfoMinifilter Messages from Windows 2012 Server
Id : 1
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {, fi:FileNameCreate}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
andrewkroh / Microsoft-Windows-Security-Auditing.txt
Created Feb 2, 2017
Microsoft-Windows-Security-Auditing Messages from Windows 2012 Server
Id : 4608
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template :