A small trick for bypassing osquery socket-event logging (non-blocking connect calls)
https://github.com/osquery/osquery/issues/6609
An issue I filed a long time ago; I recently happened to see someone else run into the same problem.
When osquery processes syscall records, it drops by default any call whose status code indicates failure, so the corresponding syscall event can no longer be obtained through audit.
How osquery collects socket events
https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#linux-socket-auditing-using-audit
osquery reads syscall records from the Linux audit subsystem and stores the network-connection details in the socket_events table. To query it, run:
select * from socket_events;
The data returned has the following format:
{"action": "added",
 "columns": {"time": "1527895541", "success": "1", "remote_port": "80", "action": "connect", "auid": "1000", "family": "2", "local_address": "", "local_port": "0", "path": "/usr/bin/curl", "pid": "30220", "remote_address": "172.217.164.110"},
 "unixTime": 1527895545, "hostIdentifier": "vagrant", "name": "socket_events", "numerics": false}
The data loss happens while osquery processes the audit records:
the key data-handling logic below is what causes the loss;
whenever status != yes, the record for that call is discarded:
https://github.com/osquery/osquery/blob/56efd73165e53a65b7e0bd148e801d05fecae32e/osquery/events/linux/auditeventpublisher.cpp#L244
Normally, discarding the records of unsuccessful syscalls is fine. Unfortunately, Linux's connect (syscall=42) is a bit special:
connect can be invoked in either blocking or non-blocking mode,
and in the non-blocking case the kernel immediately returns error code -115, even though the socket connection can in fact still be used.
With the following code a non-blocking connect is issued, and osquery does not record a socket event for it:
import socket

sock = socket.socket()
sock.setblocking(False)
try:
    sock.connect(('www.google.com', 443))  # non-blocking: the kernel returns -115 at once, so Python raises
except BlockingIOError:
    pass  # the connect is in progress, not failed; the audit record still shows success=no and is dropped
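From the defender's side, the gap is easy to close in whatever consumes the raw audit stream: a connect(2) record with success=no and exit=-115 (errno 115 is EINPROGRESS on x86-64 Linux) is an initiated connection, not a failure. The script below is an added example, not code from the original post or from osquery: it parses auditd SYSCALL and SOCKADDR records, joins them by audit serial, decodes the hex sockaddr into family/address/port the way the socket_events columns present it, and builds rows either with the strict success-only filter (reproducing the loss) or with EINPROGRESS connects kept. The audit log lines are constructed for the example; the function names and the "status" column are my own.

```python
import re
import socket
import struct
from collections import OrderedDict

# Linux x86-64 values. The audit log always comes from Linux, so these are
# fixed here instead of taken from the host's socket module.
SYS_CONNECT = 42               # syscall number of connect(2) on x86-64
EINPROGRESS = 115              # errno "Operation now in progress"
AF_INET_LINUX, AF_INET6_LINUX = 2, 10

MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")   # (timestamp, serial)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"

# Constructed sample auditd output (not from the original post): a non-blocking
# connect (EINPROGRESS), a completed connect, and a refused connect (ECONNREFUSED).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1527895541.123:4567): arch=c000003e syscall=42 success=no exit=-115 a0=3 a1=7ffdc0ffee00 a2=10 a3=0 items=0 ppid=1 pid=30220 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="python3" exe="/usr/bin/python3" key=(null)
type=SOCKADDR msg=audit(1527895541.123:4567): saddr=020001BBACD9A46E0000000000000000
type=SYSCALL msg=audit(1527895542.456:4568): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffdc0ffee00 a2=10 a3=0 items=0 ppid=1 pid=30221 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKADDR msg=audit(1527895542.456:4568): saddr=02000050ACD9A46E0000000000000000
type=SYSCALL msg=audit(1527895543.789:4569): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffdc0ffee00 a2=10 a3=0 items=0 ppid=1 pid=30222 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="nc" exe="/usr/bin/nc" key=(null)
type=SOCKADDR msg=audit(1527895543.789:4569): saddr=02000016C0A801010000000000000000
"""


def decode_saddr(hex_saddr):
    """Decode the hex sockaddr of a SOCKADDR record into (family, address, port)."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 2:
        return 0, "", 0
    family = struct.unpack_from("<H", raw, 0)[0]        # sa_family: host byte order
    if family == AF_INET_LINUX and len(raw) >= 8:        # struct sockaddr_in
        port = struct.unpack_from("!H", raw, 2)[0]      # sin_port: network byte order
        return family, socket.inet_ntop(socket.AF_INET, raw[4:8]), port
    if family == AF_INET6_LINUX and len(raw) >= 24:      # struct sockaddr_in6
        port = struct.unpack_from("!H", raw, 2)[0]
        return family, socket.inet_ntop(socket.AF_INET6, raw[8:24]), port
    return family, "", 0


def group_events(text):
    """Join the SYSCALL and SOCKADDR records that share one audit serial number."""
    events = OrderedDict()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(m.group(2), {"time": m.group(1)})
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "SOCKADDR":
            ev["saddr"] = fields.get("saddr", "")
    return list(events.values())


def classify_connect(ev):
    """Classify a connect(2) event; returns None for any other syscall."""
    if int(ev.get("syscall", -1)) != SYS_CONNECT:
        return None
    if ev.get("success") == "yes":
        return "connected"
    if int(ev.get("exit", 0)) == -EINPROGRESS:
        return "in_progress"     # kernel accepted a non-blocking connect
    return "failed"              # ECONNREFUSED, ENETUNREACH, ...


def extract_socket_events(text, keep_in_progress=True):
    """Build socket_events-style rows from raw audit text.

    keep_in_progress=False reproduces the success-only filter described in the
    post; True additionally keeps EINPROGRESS connects so they are not lost.
    """
    rows = []
    for ev in group_events(text):
        status = classify_connect(ev)
        if status is None or status == "failed":
            continue
        if status == "in_progress" and not keep_in_progress:
            continue
        family, addr, port = decode_saddr(ev.get("saddr", ""))
        rows.append({
            "time": ev["time"], "pid": int(ev["pid"]), "auid": ev.get("auid", ""),
            "path": ev.get("exe", ""), "family": family,
            "remote_address": addr, "remote_port": port,
            "exit": int(ev["exit"]), "status": status,
        })
    return rows


if __name__ == "__main__":
    for keep in (False, True):
        print(f"keep_in_progress={keep}:")
        for r in extract_socket_events(SAMPLE_AUDIT_LOG, keep_in_progress=keep):
            print(f"  {r['path']} -> {r['remote_address']}:{r['remote_port']} "
                  f"({r['status']}, exit={r['exit']})")
```

With the strict filter only the curl row survives; with keep_in_progress=True the python3 row appears with status in_progress and remote 172.217.164.110:443, while the refused nc attempt is dropped in both modes. The same rule, "treat exit == -EINPROGRESS on syscall 42 as a successful connect", is what a fix in the audit event publisher would have to apply before its success check.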
