ProcessSet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on Deep Security Agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.

Represents a set of processes.

Tag Attributes

These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute Description Required Default Value Allowed Values
onChange Will be monitored in real time No false true, false

Entity Set Attributes

These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules.

  • CommandLine: The full command-line as shown by "ps -f" (Unix), "ps w" (Linux), or Process Explorer (Windows).
  • Group: The group under which the process is running.
    • Under Unix this is the "effective" group ID of the process, which determines shared resource access and, in some cases, file access. Group ID can change if the process drops privileges or otherwise switches its effective group credentials. For example, a program could change group IDs temporarily and obtain write privileges to copy installation files into a directory where the user has read-only privileges.
    • On Windows this is the “current" Primary Group of the process as established by a user-specific access token created at login, which sets access and resource privileges for the user and any processes they execute.
    • In addition to a Primary Group, Windows processes typically have one or more additional group credentials associated with them. These additional group credentials are not monitored by the Agent – they can be viewed in the Security tab of the process properties in Process Explorer.

  • Parent: The PID of the process that created this process.
  • Path: The full path to the binary of the process.On Windows, this comes from the GetModuleFileNameEx() API. On Linux it comes from reading the symlink /proc/{pid}/exe.
  • Process: The short name of the process binary (no path). For example, for "c:\windows\notepad.exe" it would be "notepad.exe" and for "/usr/local/bin/httpd" it would be "httpd".
  • Threads: The number of threads currently executing in the process.
  • User: The user under which the process is running. Under Unix this is the "effective" user ID of the process, which can change over time if the process drops privileges or otherwise switches its effective user credentials.

Short Hand Attributes

  • STANDARD: CommandLine, Group, Parent, Path (where available), Process User

Meaning of "Key"

The key is a combination of the "Process" attribute (the short name of the executable) and the PID. The PID is appended to the name with a path separator in between, ex. notepad.exe\1234 on Windows and httpd/1234 on Unix. The use of the path separator is to allow include or exclude matching of key="abc/*" to work as expected.

Sub Elements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of include for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.

Special attributes of Include and Exclude for ProcessSets:

The following example would monitor the set of running processes for notepad.exe regardless of the PID.

<ProcessSet>
<include key="notepad.exe\*" />
</ProcessSet>

Various other attributes of a process can be used in include and exclude feature tests. The feature tests support Unix glob-style wildcarding with * and ?, and there is no normalization of path separators or other characters - it is a simple glob-style match against the value of the attribute.

CommandLine

Checks for a wildcard match against the commandLine attribute of the process. The following example would monitor any process whose command-line matches "*httpd *":

<ProcessSet>
<include commandLine="*httpd *" />
</ProcessSet>

Group

Checks for a wildcard match against the group attribute of the process. The text version of the group name is used rather than the numeric form: use "daemon" rather than "2" to test for the daemon group on Linux. The following example would monitor any process running as one of the groups root, daemon, or lp:

<ProcessSet>
<include group="root" />
<include group="daemon" />
<include group="lp" />
</ProcessSet>

Path

Checks for a wildcard match against the path attribute of the process. The path attribute is not available on some platforms. The following example would monitor any process whose binary resides under System32:

<ProcessSet>
<include path="*\System32\*" />
</ProcessSet>

User

Checks for a wildcard match against the user attribute of the process. The text version of the user name is used rather than the numeric form: use "root" rather than "0" (zero) to test for the superuser on Unix. The following example would monitor any process running as one of the built in system users (ex. NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE):

<ProcessSet>
<include user="NT AUTHORITY\*" />
</ProcessSet>