Linux process credentials
On Linux each process carries a set of user and group IDs, capabilities, secure management flags (securebits), a keyring and Linux Security Module (LSM) state. The kernel consults these whenever the process acts on another object (a file, a socket, another process) as part of its security checks. Together they are called the task privileges or process credentials.
Changing the process credentials is a standard operation for performing privileged actions or executing commands as another user. The obvious example is sudo, which lets a user gain higher privileges and run commands as root or as another user. Another example is services or containers that raise their privileges during execution to perform restricted operations.
Composition of Linux process credentials
Traditional UNIX credentials
- Real User ID
- Real Group ID
- Effective, Saved and FS User ID
- Effective, Saved and FS Group ID
- Supplementary groups
Linux capabilities
- Set of permitted capabilities: a limiting superset for the effective capabilities.
- Set of inheritable capabilities: the set that may get passed across execve(2).
- Set of effective capabilities: the set of capabilities a task is actually allowed to make use of itself.
- Set of bounding capabilities: limits the capabilities that may be inherited across execve(2), especially when a binary is executed that will execute as UID 0.
Secure management flags (securebits).
These govern the way the UIDs/GIDs and capabilities are manipulated and inherited over certain operations such as execve(2).
Linux Security Module (LSM)
The LSM framework provides hooks through which kernel security modules attach additional security checks. A task's LSM security context is part of its credentials and imposes extra controls on which operations it is allowed to perform.
Tetragon Process Credentials monitoring
Monitoring Linux process credentials is a good practice to identify programs running with high privileges. Tetragon allows retrieving Linux process credentials.
Generally it is better to monitor credential changes in the internal kernel functions than at the system call layer: a system call such as setuid(2) may fail, and it is only one of several paths that change credentials, whereas every change the kernel actually commits passes through its internal credential functions. For further details please read the Advantages and disadvantages of kernel layer monitoring compared to the system call layer section.
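The following is an added example, not Tetragon's own code, that ties the credential fields described above to the kind of check a monitoring rule applies. It decodes the Uid/Gid quadruples, supplementary groups and the capability bitmasks from /proc/<pid>/status, decodes a securebits value of the form returned by prctl(PR_GET_SECUREBITS), and flags what a credential monitor would report (euid 0, a real/effective UID split as left by a setuid binary, and a small editorial list of capabilities worth alerting on). The two status texts are constructed samples, one for a container process holding Docker's default capability set and one for a setuid-root binary started by UID 1000; the CAPS_OF_CONCERN list and the finding strings are assumptions made for this example.

```python
"""Decode the credential fields of /proc/<pid>/status.

Added example; this is not Tetragon's own code. The sample status texts are
constructed so the script runs offline; on a live system pass a status path,
for example: python3 creds.py /proc/self/status
"""
import ctypes
import sys

# Capability numbers from <linux/capability.h>; bit n of a mask is capability n.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# securebits flags from <linux/securebits.h>, as returned by prctl(PR_GET_SECUREBITS).
SECUREBITS = {
    1 << 0: "SECBIT_NOROOT",
    1 << 1: "SECBIT_NOROOT_LOCKED",
    1 << 2: "SECBIT_NO_SETUID_FIXUP",
    1 << 3: "SECBIT_NO_SETUID_FIXUP_LOCKED",
    1 << 4: "SECBIT_KEEP_CAPS",
    1 << 5: "SECBIT_KEEP_CAPS_LOCKED",
    1 << 6: "SECBIT_NO_CAP_AMBIENT_RAISE",
    1 << 7: "SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED",
}
PR_GET_SECUREBITS = 27  # prctl(2) option number

# Effective capabilities this example alerts on (an editorial choice for the
# example, not a kernel definition).
CAPS_OF_CONCERN = {"CAP_DAC_READ_SEARCH", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                   "CAP_SYS_PTRACE", "CAP_SYS_ADMIN"}


def cap_names(mask):
    """Expand a capability bitmask into capability names, in capability-number order."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def decode_securebits(value):
    """Return the names of the flags set in a prctl(PR_GET_SECUREBITS) value."""
    return [name for bit, name in SECUREBITS.items() if value & bit]


def parse_status(text):
    """Parse the credential lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()

    def ids(key):  # "Uid:\t1000\t0\t0\t0" -> (1000, 0, 0, 0)
        return tuple(int(v) for v in fields.get(key, "").split())

    slots = ("real", "effective", "saved", "fs")  # order used by /proc
    creds = {
        "uid": dict(zip(slots, ids("Uid"))),
        "gid": dict(zip(slots, ids("Gid"))),
        "groups": list(ids("Groups")),
    }
    for key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
        creds[key] = int(fields.get(key, "0"), 16)
    creds["no_new_privs"] = fields.get("NoNewPrivs") == "1"
    return creds


def assess(creds):
    """Findings a credential-monitoring rule would raise for one process."""
    findings = []
    if creds["CapEff"] & ~creds["CapPrm"]:  # kernel invariant: pE is a subset of pP
        findings.append("inconsistent: effective caps not a subset of permitted")
    if creds["uid"]["effective"] == 0:
        findings.append("runs with euid 0")
    if creds["uid"]["real"] != creds["uid"]["effective"]:
        findings.append("uid transition: real %d != effective %d"
                        % (creds["uid"]["real"], creds["uid"]["effective"]))
    hot = [n for n in cap_names(creds["CapEff"]) if n in CAPS_OF_CONCERN]
    if hot:
        findings.append("effective caps of concern: " + ", ".join(hot))
    return findings


# Constructed sample: container process with Docker's default capability set.
CONTAINER_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Groups:\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""

# Constructed sample: setuid-root binary started by UID 1000 (real uid kept, euid 0).
SETUID_STATUS = """\
Name:\tpasswd
Uid:\t1000\t0\t0\t0
Gid:\t1000\t1000\t1000\t1000
Groups:\t4 27 1000
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""


def live_securebits():
    """Read this process's securebits with prctl(2) (Linux only)."""
    libc = ctypes.CDLL(None, use_errno=True)
    return libc.prctl(PR_GET_SECUREBITS, 0, 0, 0, 0)


if __name__ == "__main__":
    samples = {"container": CONTAINER_STATUS, "setuid": SETUID_STATUS}
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    for label, text in samples.items():
        creds = parse_status(text)
        print(label, creds["uid"], "effective:", cap_names(creds["CapEff"]))
        for finding in assess(creds):
            print("  !", finding)
    if sys.platform == "linux":
        print("securebits:", decode_securebits(live_securebits()))
```

Run without arguments it reports the two samples; the container sample yields only "runs with euid 0", while the setuid sample additionally shows the real/effective UID split and the full effective set that a setuid-root binary receives when no securebits restrict it. The securebits are not exposed in /proc/<pid>/status, which is why the example reads them for the current process through prctl(2) instead.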
- Monitor Process Credentials changes at the System Call layer: monitor the system calls that change process credentials.
- Monitor Process Credentials changes at the Kernel layer: monitor process credential changes at the kernel layer.