Processes Bundles and Bodies

See the processes promises documentation for a comprehensive reference on the body types and attributes used here.

To use these bodies, add the following to your policy:

body file control
{
    inputs => { "processes.cf" };
}

agent bundles

process_kill

Prototype: process_kill(name)

Description: Kill a process by name (can be a regular expression)

Arguments:

  • name: the regular expression or string

Example:

methods:
     "kill" usebundle => process_kill("badprocess");

Implementation:

bundle agent process_kill(name)
{
  processes:
    !windows::
      # Signals are presented as an ordered list to the process.
      "$(name)" signals => { "term", "kill" };
    windows::
      # On Windows, only the kill signal is supported, which terminates the process.
      "$(name)" signals => { "kill" };
}

process_select bodies

exclude_procs

Prototype: exclude_procs(x)

Description: Select all processes excluding those matching x

Arguments:

  • x: Regular expression matching the command/cmd field of the processes that should be excluded

Implementation:

body process_select exclude_procs(x)
{
      # Match the command field, then select the complement of that match.
      command => "$(x)";
      process_result => "!command";
}

days_older_than

Prototype: days_older_than(d)

Description: Select all processes that are older than d days

Arguments:

  • d: Days that processes need to be old to be selected

Implementation:

body process_select days_older_than(d)
{
      # Start times that fall within the last d days ...
      stime_range    => irange(ago(0,0,"$(d)",0,0,0),now);
      # ... and select the processes NOT in that window, i.e. older than d days.
      process_result => "!stime";
}

by_owner

Prototype: by_owner(u)

Description: Select processes owned by user u

Arguments:

  • u: The name of the user

Matches processes against both the given username and that user's uid, since some process listings show only the uid.

Implementation:

body process_select by_owner(u)
{
      # Accept either the username or its numeric uid as the owner field.
      process_owner => { "$(u)", canonify(getuid("$(u)")) };
      process_result => "process_owner";
}

by_pid

Prototype: by_pid(pid)

Description: Select a process matching the given PID

Arguments:

  • pid: PID of the process to be matched

Implementation:

body process_select by_pid(pid)
{
      pid => irange("$(pid)","$(pid)");
      process_result => "pid";
}

process_count bodies

any_count

Prototype: any_count(cl)

Description: Define class cl if the process is running

Arguments:

  • cl: Name of the class to be defined

Implementation:

body process_count any_count(cl)
{
      # A count of exactly 0 is "in range"; any running instance is out of
      # range and therefore defines the class cl.
      match_range => "0,0";
      out_of_range_define => { "$(cl)" };
}

check_range

Prototype: check_range(name, lower, upper)

Description: Define a class if the number of processes is not within the specified range.

Arguments:

  • name: The name part of the class $(name)_out_of_range
  • lower: The lower bound of the range
  • upper: The upper bound of the range

Implementation:

body process_count check_range(name,lower,upper)
{
      # Counts from lower to upper inclusive are in range; anything else
      # defines $(name)_out_of_range.
      match_range => irange("$(lower)","$(upper)");
      out_of_range_define => { "$(name)_out_of_range" };
}
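The following bundle is an added example, not part of the processes.cf library file, showing how the process_select and process_count bodies documented above are combined in a single processes promise to monitor process counts, ownership and age and to raise classes for reporting. The process names sshd, crond and buildagent, the owner root, the 1 to 50 count limits and the 7 day threshold are assumed values chosen for illustration.

```cf3
bundle agent process_checks
{
  processes:

      # Define sshd_out_of_range unless between 1 and 50 sshd processes
      # owned by root are running (assumed service name and limits).
      "sshd"
        process_select => by_owner("root"),
        process_count  => check_range("sshd", "1", "50");

      # Define cron_running if at least one crond process exists
      # (assumed daemon name).
      "crond"
        process_count => any_count("cron_running");

      # Define stale_buildagent if any buildagent process (hypothetical
      # name) has been running for more than 7 days; a long-lived worker
      # often indicates a stuck job worth investigating.
      "buildagent"
        process_select => days_older_than("7"),
        process_count  => any_count("stale_buildagent");

  reports:

    sshd_out_of_range::
      "sshd process count is outside the expected 1-50 range";

    !cron_running::
      "no crond process is running";

    stale_buildagent::
      "found buildagent processes older than 7 days";
}
```

The bundle must be listed in the bundlesequence (and processes.cf in inputs) to run. Because the agent evaluates processes promises before reports and commands in its normal ordering, the classes defined by the process_count bodies are available to the later promise types within the same bundle on the same pass.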