# lib/processes.cf

See the processes promises documentation for a comprehensive reference on the body types and attributes used here.

To use these bodies, add the following to your policy:

```cf3
body file control
{
      inputs => { "processes.cf" };
}
```
## process_select bodies

### exclude_procs

**Prototype:** `exclude_procs(x)`

**Description:** Select all processes excluding those matching `x`

**Arguments:**

* `x`: Regular expression matching the command/cmd field of the processes that should be excluded

**Implementation:**

```cf3
body process_select exclude_procs(x)
{
      # Select processes whose command field matches x, then invert the
      # selection so that everything except those processes is selected
      command => "$(x)";
      process_result => "!command";
}
```
### days_older_than

**Prototype:** `days_older_than(d)`

**Description:** Select all processes that are older than `d` days

**Arguments:**

* `d`: Days that processes need to be old to be selected

**Implementation:**

```cf3
body process_select days_older_than(d)
{
      # stime matches processes started within the last d days; the
      # negated result selects those started earlier than that
      stime_range => irange(ago(0,0,"$(d)",0,0,0),now);
      process_result => "!stime";
}
```
### by_owner

**Prototype:** `by_owner(u)`

**Description:** Select processes owned by user `u`

**Arguments:**

* `u`: The name of the user

Matches processes against the given username and the given username's uid, in case only the uid is visible in the process list.

**Implementation:**

```cf3
body process_select by_owner(u)
{
      # Match on the user name or on its numeric uid, since the process
      # table may show either one
      process_owner => { "$(u)", canonify(getuid("$(u)")) };
      process_result => "process_owner";
}
```
### by_pid

**Prototype:** `by_pid(pid)`

**Description:** Select a process matching the given PID

**Arguments:**

* `pid`: PID of the process to be matched

**Implementation:**

```cf3
body process_select by_pid(pid)
{
      # A range whose lower and upper bounds are equal matches exactly one pid
      pid => irange("$(pid)","$(pid)");
      process_result => "pid";
}
```
## process_count bodies

### any_count

**Prototype:** `any_count(cl)`

**Description:** Define class `cl` if the process is running

**Arguments:**

* `cl`: Name of the class to be defined

**Implementation:**

```cf3
body process_count any_count(cl)
{
      # The only in-range count is zero, so the class is defined as soon as
      # at least one matching process exists
      match_range => "0,0";
      out_of_range_define => { "$(cl)" };
}
```
### check_range

**Prototype:** `check_range(name, lower, upper)`

**Description:** Define a class if the number of processes is not within the specified range.

**Arguments:**

* `name`: The name part of the class `$(name)_out_of_range`
* `lower`: The lower bound of the range
* `upper`: The upper bound of the range

**Implementation:**

```cf3
body process_count check_range(name,lower,upper)
{
      # Define $(name)_out_of_range when the count falls outside lower..upper
      match_range => irange("$(lower)","$(upper)");
      out_of_range_define => { "$(name)_out_of_range" };
}
```
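The following bundle is an added example, not part of the library, that puts the `process_select` and `process_count` bodies above to work in a single audit bundle: each promise selects a subset of the process table, counts it, and turns the result into a class that a report is guarded on. The daemon name `sshd`, the expected Java daemon `elasticsearch`, the service account `svc-app`, the 1..50 range and the 7-day age are placeholder values chosen for illustration.

```cf3
body file control
{
      inputs => { "processes.cf" };
}

bundle agent audit_processes
{
  vars:
      # Placeholder service account; replace with the real one
      "svc_user" string => "svc-app";

  processes:
      # sshd_running is defined when at least one sshd process exists
      "sshd"
        process_count => any_count("sshd_running");

      # sshd_count_out_of_range is defined when the number of sshd
      # processes is below 1 or above 50 (placeholder bounds)
      "sshd"
        process_count => check_range("sshd_count", "1", "50");

      # svc_user_procs is defined when any process is owned by
      # $(svc_user), matched by user name or by numeric uid
      ".*"
        process_select => by_owner("$(svc_user)"),
        process_count  => any_count("svc_user_procs");

      # stale_procs is defined when any process has been running
      # for more than 7 days
      ".*"
        process_select => days_older_than("7"),
        process_count  => any_count("stale_procs");

      # unexpected_java is defined when a java process that is not the
      # expected elasticsearch daemon is running; the command regex in
      # process_select must match the whole command field, hence the .*
      "java"
        process_select => exclude_procs(".*elasticsearch.*"),
        process_count  => any_count("unexpected_java");

  reports:
    !sshd_running::
      "WARNING: no sshd process found";
    sshd_count_out_of_range::
      "WARNING: sshd process count is outside 1..50";
    svc_user_procs::
      "NOTE: processes owned by $(svc_user) are present";
    stale_procs::
      "NOTE: at least one process has been running for more than 7 days";
    unexpected_java::
      "WARNING: a java process other than elasticsearch is running";
}
```

Run it against a policy file that contains both this bundle and the library with `cf-agent -KIf ./audit.cf -b audit_processes`. Only one `process_select` body can be attached to a promise, so a check that needs two criteria (an owner and an age, say) either narrows the promiser regex or uses the negated `process_result` expressions shown in the bodies above.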
## agent bundles

### process_kill

**Prototype:** `process_kill(name)`

**Description:** Kill a process by name (can be a regular expression)

**Arguments:**

* `name`: the regular expression or string

**Example:**

```cf3
methods:
    "kill" usebundle => process_kill("badprocess");
```

**Implementation:**

```cf3
bundle agent process_kill(name)
{
  processes:
    !windows::
      # Signals are presented as an ordered list to the process.
      "$(name)" signals => { "term", "kill" };
    windows::
      # On Windows, only the kill signal is supported, which terminates the process.
      "$(name)" signals => { "kill" };
}
```
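As an added example that is not part of the library, the bundle below guards `process_kill` on a `check_range` class so that the signals are only sent when a process has multiplied past a threshold, and uses the `restart_class` attribute to start it again once nothing matches. The process name `badprocess`, the limit of 20 and the restart script `/usr/local/bin/restart-app` are placeholders; `restart_class` is a standard attribute of processes promises.

```cf3
body file control
{
      inputs => { "processes.cf" };
}

bundle agent contain_badprocess
{
  vars:
      # Placeholder values for this example
      "proc"    string => "badprocess";
      "max"     string => "20";
      "restart" string => "/usr/local/bin/restart-app";   # assumed helper script

  processes:
      # badprocess_out_of_range is defined when more than $(max) copies run
      "$(proc)"
        process_count => check_range("$(proc)", "0", "$(max)");

      # restart_badprocess is defined when no copy is running at all
      "$(proc)"
        restart_class => "restart_badprocess";

  methods:
      # methods are evaluated before processes in a bundle's normal ordering,
      # so this promise acts on the class in the agent's next evaluation pass
    badprocess_out_of_range::
      "contain" usebundle => process_kill("$(proc)");

  commands:
    restart_badprocess::
      "$(restart)";

  reports:
    badprocess_out_of_range::
      "More than $(max) $(proc) processes found; sent term then kill";
    restart_badprocess::
      "No $(proc) process found; ran $(restart)";
}
```

Because `process_kill` matches by regular expression, every process whose command line contains `badprocess` receives the signals, not only the surplus ones; keep the regex specific enough that it cannot match the restart script or an unrelated process. The `reports` promises are the audit trail: cf-agent prints them with `-I`, so a runaway and its containment both show up in the run output.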