ProcessSet

Represents a set of processes.

Tag Attributes

These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute Description Required Default Value Allowed Values
onChange Will be monitored in real time No false true, false

Entity Set Attributes

These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules.

  • CommandLine: The full command-line as shown by "ps -f" (Unix), "ps w" (Linux), or Process Explorer (Windows).
  • Group: The group under which the process is running. Under Unix this is the "effective" group ID of the process, which can change over time if the process drops privileges or otherwise switches its effective group credentials. On Windows this is the current Primary Group of the process as returned by the Win32 API GetTokenInformation with a TokenInformationClass of TokenPrimaryGroup. This is the default Primary Group SID for newly created objects. In addition to a Primary Group, processes typically have one or more group credentials associated with them. Those additional group credentials are not monitored by the Agent - they can be viewed on the "Security" tab of the process properties in Process Explorer.
  • Parent: The PID of the process that created this process.
  • Path: The full path to the binary of the process. Not available on Solaris 8 & 9 nor HP-UX. On Windows this comes from the GetModuleFileNameEx() API. On Linux and Solaris 10 it comes from reading the symlink /proc/{pid}/exe or /proc/{pid}/path/a.out respectively.
  • Process: The short name of the process binary (no path). For example, for "c:\windows\notepad.exe" it would be "notepad.exe" and for "/usr/local/bin/httpd" it would be "httpd".
  • Threads: The number of threads currently executing in the process. Not available on HP-UX.
  • User: The user under which the process is running. Under Unix this is the "effective" user ID of the process, which can change over time if the process drops privileges or otherwise switches its effective user credentials.

Short Hand Attributes

  • STANDARD: CommandLine, Group, Parent, Path (where available), Process User

Meaning of "Key"

The key is a combination of the "Process" attribute (the short name of the executable) and the PID. The PID is appended to the name with a path separator in between, ex. notepad.exe\1234 on Windows and httpd/1234 on Unix. The use of the path separator is to allow include or exclude matching of key="abc/*" to work as expected.

Sub Elements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of include for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.

Special attributes of Include and Exclude for ProcessSets:

The following example would monitor the set of running processes for notepad.exe regardless of the PID.

<ProcessSet>
<include key="notepad.exe\*" />
</ProcessSet>

Various other attributes of a process can be used in include and exclude feature tests. The feature tests support Unix glob-style wildcarding with * and ?, and there is no normalization of path separators or other characters - it is a simple glob-style match against the value of the attribute.

CommandLine

Checks for a wildcard match against the commandLine attribute of the process. The following example would monitor any process whose command-line matches "*httpd *":

<ProcessSet>
<include commandLine="*httpd *" />
</ProcessSet>

Group

Checks for a wildcard match against the group attribute of the process. The text version of the group name is used rather than the numeric form: use "daemon" rather than "2" to test for the daemon group on Linux. The following example would monitor any process running as one of the groups root, daemon, or lp:

<ProcessSet>
<include group="root" />
<include group="daemon" />
<include group="lp" />
</ProcessSet>

Path

Checks for a wildcard match against the path attribute of the process. The path attribute is not available on some platforms. The following example would monitor any process whose binary resides under System32:

<ProcessSet>
<include path="*\System32\*" />
</ProcessSet>

User

Checks for a wildcard match against the user attribute of the process. The text version of the user name is used rather than the numeric form: use "root" rather than "0" (zero) to test for the superuser on Unix. The following example would monitor any process running as one of the built in system users (ex. NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE):

<ProcessSet>
<include user="NT AUTHORITY\*" />
</ProcessSet>