From 8eaadd3f73f6ad660ab6a1988f3116fbca71e3ff Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Sun, 21 Jan 2024 18:52:20 -0800
Subject: [PATCH] Add normalization for exit_group syscall

The exit_group syscall terminates all threads in a process, and is normally used to exit a process. This normalization adds 'end' action and type to the process ECS document.
---
 aucoalesce/normalizations.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
index 563e343..db3b273 100644
--- a/aucoalesce/normalizations.yaml
+++ b/aucoalesce/normalizations.yaml
@@ -548,6 +548,15 @@ normalizations:
     ecs:
       <<: *ecs-process
       type: change
+  - action: end
+    object:
+      what: process
+      how: syscall
+    syscalls:
+      # exit_group - exit all threads in a process
+      - exit_group
+    ecs: *ecs-process
+      type: end
 
   # Currently unhandled
   # this list comes from parsing linux man pages at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
@@ -673,7 +682,6 @@ normalizations:
   # acct - switch process accounting on or off
   # sigsuspend - wait for a signal
   # rt_sigsuspend - wait for a signal
-  # exit_group - exit all threads in a process
   # socket - create an endpoint for communication
   # ioctl_userfaultfd - create a file descriptor for handling page faults in user space
   # sched_get_priority_max - get static priority range
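Review bot: The new entry's `ecs: *ecs-process` line drops the merge key that the neighbouring normalization uses (`ecs:` / `<<: *ecs-process` / `type: change`), so `ecs` becomes a bare alias scalar and the following `type: end` cannot be part of the ECS mapping: nested under `ecs` it is a YAML parse error, and at the sibling level it becomes an unrelated key of the normalization, either way leaving the process ECS document without the `end` type the commit message promises. The original indentation of `type: end` is not recoverable from this rendering, so which of the two failure modes applies is inferred, but neither produces the intended document. Mirror the entry directly above: `ecs:` / `  <<: *ecs-process` / `  type: end`. The `# exit_group - exit all threads in a process` comment inside `syscalls` is the same text being removed from the unhandled list in the second hunk; the other entries list their syscalls without a per-syscall comment, so dropping it keeps the file consistent.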