Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Tracee > Discovery >

Sched_debug CPU File Was Read

LOW
Source
Tracee
ID
TRC-1029
Version
1
Date
10 Apr 2024

Sched_debug CPU File Was Read

The sched_debug file was read. This file contains information about your CPU and processes. Adversaries may read this file in order to gather that information for their use.

MITRE ATT&CK

Discovery: Container and Resource Discovery

Go Source

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

type SchedDebugRecon struct {
	cb              detect.SignatureHandler
	schedDebugPaths []string
}

func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error {
	sig.cb = ctx.Callback
	sig.schedDebugPaths = []string{"/proc/sched_debug", "/sys/kernel/debug/sched/debug"}
	return nil
}

func (sig *SchedDebugRecon) GetMetadata() (detect.SignatureMetadata, error) {
	return detect.SignatureMetadata{
		ID:          "TRC-1029",
		Version:     "1",
		Name:        "sched_debug CPU file was read",
		EventName:   "sched_debug_recon",
		Description: "The sched_debug file was read. This file contains information about your CPU and processes. Adversaries may read this file in order to gather that information for their use.",
		Properties: map[string]interface{}{
			"Severity":             1,
			"Category":             "discovery",
			"Technique":            "Container and Resource Discovery",
			"Kubernetes_Technique": "",
			"id":                   "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336",
			"external_id":          "T1613",
		},
	}, nil
}

func (sig *SchedDebugRecon) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	return []detect.SignatureEventSelector{
		{Source: "tracee", Name: "security_file_open", Origin: "container"},
	}, nil
}

func (sig *SchedDebugRecon) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {
	case "security_file_open":
		pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
		if err != nil {
			return err
		}

		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
		if err != nil {
			return err
		}

		if helpers.IsFileRead(flags) {
			for _, schedDebugPath := range sig.schedDebugPaths {
				if pathname == schedDebugPath {
					metadata, err := sig.GetMetadata()
					if err != nil {
						return err
					}
					sig.cb(&detect.Finding{
						SigMetadata: metadata,
						Event:       event,
						Data:        nil,
					})

					return nil
				}
			}
		}
	}

	return nil
}

func (sig *SchedDebugRecon) OnSignal(s detect.Signal) error {
	return nil
}
func (sig *SchedDebugRecon) Close() {}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use