- Stage: 2 (candidate)
- Date: 2022/08/16
The goal of the RFC is to introduce new fields to the 'process' fieldset to track input and output data from processes. The initial implementation will be focused on capturing Linux TTY output. Each event will contain a maximum number of bytes of output data (configurable) along with context about which tty, and process generated the output. This data can drive new visualizations in Kibana as well as providing more information to security analysts.
see: 0035/process.yml
A new "io" field is added to the top level process fieldset. The key use case is capturing text output to TTY, however, the fieldset has been structured to be extensible to handle input and output from files and sockets, as well non-text (binary) data.
- process.io (type: object)
- process.io.type (type: keyword, for now the only value will be "tty", but in future "file" and "socket" may be added)
- process.io.text (type: wildcard, a line-oriented chunk of tty output text)
- process.io.total_bytes_captured (type: number)
- process.io.total_bytes_skipped (type: number)
- process.io.max_bytes_per_process_exceeded (type: boolean)
- process.io.bytes_skipped (type: object array)
- process.io.bytes_skipped.offset (type: number)
- process.io.bytes_skipped.length (type: number)
Two new fields will be added to the process.tty object to track terminal window size
- process.tty.rows (type: long, the height of the terminal)
- process.tty.columns (type: long, the max character width of each line)
Possible future additions to support non utf-8 data:
- process.io.bytes (type: binary, a single base64 encoded string)
These fields will primarily be used to replay and visualize TTY output for a Linux session. Output to a TTY contains terminal control codes. These control codes can represent visual editing (cursor movements), as well as partial screen updates in graphical modes. Libraries like xtermjs.org are well suited to handle the rendering of terminal output. This will give security analysts additional means to investigate Linux sessions.
{
event: {
kind: 'event',
action: 'text_output' (for now the only action type, though one could imagine values like: text_input, binary_output, binary_input)
},
process: {
args: ['ls'],
executable: '/bin/ls',
...other_process_details,
entry_leader: <entry_context>,
session_leader: <session_context>,
tty: {
char_device: {
major: 1,
minor: 128
},
rows: 24,
columns: 80,
},
io: {
type: "tty",
text: "hello world/n#!/bin/bash\ngoodbyeworld",
total_bytes_captured: 1024,
total_bytes_skipped: 160,
bytes_skipped: [
{ offset: 512, length: 128 },
{ offset: 768, length: 32 }
]
// future binary support
bytes: "<base64encodedstring>"
}
}
}
- Data exfiltration. TTY output is a sensitive surface area to expose. It should be featured gated, and an opt in for customers, at least until we implement some robust "regex scrubbing/redaction" mechanisms.
- Per event batch size should be considered. If batch size is too big, alerting on IO data becomes fuzzy, as rules are evaluated on the document level, not on an individual line of output. This could make it a challenge to figure out what part of the message triggered the alert.
The following are the people that consulted on the contents of this RFC.
- @mitodrummer | author
- @m-sample | subject matter expert
- @norrietaylor| subject matter expert
- @mattnite | subject matter expert
- @tabell | subject matter expert
- Stage 1: #1956