INFO
Source
Tracee
ID
TRC-109
Version
1
Date
10 Apr 2024

ASLR Inspection Detected

The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to make memory-corruption vulnerabilities harder to exploit. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.

MITRE ATT&CK

Privilege Escalation: Exploitation for Privilege Escalation

Go Source

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

// AslrInspection is a Tracee signature that reports a read-open of the ASLR
// sysctl file (/proc/sys/kernel/randomize_va_space) observed through the
// security_file_open event. Both fields are populated by Init.
type AslrInspection struct {
	cb       detect.SignatureHandler // callback used to emit findings
	aslrPath string                  // pathname compared, by exact string equality, against security_file_open
}

// Init stores the finding callback taken from ctx and fixes the sysctl path
// this signature watches. It never returns an error.
func (sig *AslrInspection) Init(ctx detect.SignatureContext) error {
	const aslrSysctl = "/proc/sys/kernel/randomize_va_space"
	*sig = AslrInspection{
		cb:       ctx.Callback,
		aslrPath: aslrSysctl,
	}
	return nil
}

// GetMetadata describes this signature: its identifier and version, the event
// name findings are emitted under, a human-readable description, and the
// MITRE ATT&CK related properties. The returned error is always nil.
func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
	// Severity 0 is the lowest level: reading the setting is informational
	// on its own, the finding is meant for correlation rather than alerting.
	props := map[string]interface{}{
		"Severity":             0,
		"Category":             "privilege-escalation",
		"Technique":            "Exploitation for Privilege Escalation",
		"Kubernetes_Technique": "",
		"id":                   "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
		"external_id":          "T1068",
	}
	meta := detect.SignatureMetadata{
		ID:          "TRC-109",
		Version:     "1",
		Name:        "ASLR inspection detected",
		EventName:   "aslr_inspection",
		Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",
		Properties:  props,
	}
	return meta, nil
}

// GetSelectedEvents lists the events this signature subscribes to: only
// security_file_open from the tracee source, from any origin. The returned
// error is always nil.
func (sig *AslrInspection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	selectors := []detect.SignatureEventSelector{
		{
			Source: "tracee",
			Name:   "security_file_open",
			Origin: "*",
		},
	}
	return selectors, nil
}

// OnEvent inspects one event and emits a finding through the Init callback
// when it is a security_file_open whose "pathname" argument equals the ASLR
// sysctl path and whose "flags" argument denotes a read (helpers.IsFileRead).
// Events with any other name are ignored. Only read opens are matched, so an
// open that would change the setting is not reported by this signature.
//
// It returns an error when the payload is not a trace.Event, when the helper
// cannot return the "pathname" or "flags" argument, or when GetMetadata fails.
func (sig *AslrInspection) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("failed to cast event's payload")
	}

	if eventObj.EventName != "security_file_open" {
		return nil
	}

	pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
	if err != nil {
		return err
	}
	flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
	if err != nil {
		return err
	}

	// Exact string comparison against the path fixed in Init; anything else,
	// and any non-read open, is out of scope for this signature.
	if pathname != sig.aslrPath || !helpers.IsFileRead(flags) {
		return nil
	}

	metadata, err := sig.GetMetadata()
	if err != nil {
		return err
	}
	sig.cb(&detect.Finding{
		SigMetadata: metadata,
		Event:       event,
		Data:        nil,
	})
	return nil
}

// OnSignal is a no-op: this signature keeps no state that reacts to signals.
// It always returns nil.
func (*AslrInspection) OnSignal(s detect.Signal) error {
	return nil
}
// Close is a no-op: the signature holds no resources that need releasing.
func (*AslrInspection) Close() {
}