threatseer
efficient linux security monitoring
desired features:
- triage and respond to alerts
- sort by time, severity within window, severity within window grouped by agent
- configure rules and see stats
- view and...
Add agent token auth via gRPC. Also think about API for managing tokens, and adding state storage to the threatseer servers.
Implement Actions API on the agent's gRPC server. initial actions:
1. upload process_id binary to object storage
2. kill process_id
- collect and emit engine pipeline stats
- track TCP connections and provide stats for the server component. maybe expose connection pool options.
Load file / directory monitoring rules from yaml config and use to generate this part of the agent sensor subscription: https://github.com/dustin-decker/threatseer/blob/master/server/daemon/subscription.go#L32
Add a configurable rate limiter for events. Per-source at minimum, so we get some of every type, and maybe overall rate limiter too?
For events identified by PID we need to resolve it back to container, pod, and namespace, and any other context passed down that we want to send. https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/ https://stackoverflow.com/questions/24406743/coreos-get-docker-container-name-by-pid
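The PID-to-container step described in that issue is usually done by reading /proc/<pid>/cgroup and pulling the container id and kubelet pod UID out of the cgroup path. The following is an added example, not threatseer's own code: it parses a constructed cgroup v1 file (the SampleCgroup constant and the hex ids in it are made up) and returns the 64-hex container id, the pod UID, and the QoS class. It handles both the cgroupfs layout (kubepods/burstable/pod<uid>/<id>) and the systemd layout (kubepods-burstable-pod<uid with underscores>.slice/docker-<id>.scope); the pod name and namespace themselves are not in the cgroup path and must be looked up from the pod UID via the kubelet or API server, which this example does not do.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// ContainerContext is the context recoverable from a process's cgroup path.
type ContainerContext struct {
	ContainerID string // 64-hex container id; empty when the process is not in a container
	PodUID      string // kubelet pod UID (dash form); empty when not kubelet-managed
	QOSClass    string // besteffort, burstable or guaranteed; empty if not present
}

var (
	// docker/containerd/cri-o container ids are 64 hex chars somewhere in the path
	containerRe = regexp.MustCompile(`([0-9a-f]{64})`)
	// "pod<uid>" with the UID in 8-4-4-4-12 form; the systemd driver replaces dashes with underscores
	podRe = regexp.MustCompile(`pod([0-9a-f]{8}(?:[_-][0-9a-f]{4}){3}[_-][0-9a-f]{12})`)
	qosRe = regexp.MustCompile(`(besteffort|burstable|guaranteed)`)
)

// ParseCgroupContent extracts container context from the text of /proc/<pid>/cgroup.
// Each line is "<hierarchy-id>:<controllers>:<path>"; only the path is inspected,
// and the first hit for each field across all lines wins.
func ParseCgroupContent(content string) ContainerContext {
	var ctx ContainerContext
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 3)
		if len(parts) != 3 {
			continue
		}
		path := parts[2]
		if ctx.ContainerID == "" {
			if m := containerRe.FindStringSubmatch(path); m != nil {
				ctx.ContainerID = m[1]
			}
		}
		if ctx.PodUID == "" {
			if m := podRe.FindStringSubmatch(path); m != nil {
				// normalise the systemd underscore form to the API server's dash form
				ctx.PodUID = strings.ReplaceAll(m[1], "_", "-")
			}
		}
		if ctx.QOSClass == "" {
			if m := qosRe.FindStringSubmatch(path); m != nil {
				ctx.QOSClass = m[1]
			}
		}
	}
	return ctx
}

// ResolvePID reads /proc/<pid>/cgroup on the host the sensor runs on and parses it.
// It must run in the host PID namespace (or with /proc bind-mounted) to see other containers' processes.
func ResolvePID(pid int) (ContainerContext, error) {
	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", pid))
	if err != nil {
		return ContainerContext{}, err
	}
	return ParseCgroupContent(string(data)), nil
}

// SampleCgroup is a constructed cgroup v1 file for a process in a kubelet-managed pod
// using the cgroupfs driver; ids are made up for this example.
const SampleCgroup = `12:pids:/kubepods/burstable/podf0e1d2c3-4b5a-6978-8a9b-0c1d2e3f4a5b/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
11:cpu,cpuacct:/kubepods/burstable/podf0e1d2c3-4b5a-6978-8a9b-0c1d2e3f4a5b/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1:name=systemd:/kubepods/burstable/podf0e1d2c3-4b5a-6978-8a9b-0c1d2e3f4a5b/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
`

// SampleSystemdCgroup is the same pod and container under the systemd cgroup driver (cgroup v2 single line).
const SampleSystemdCgroup = `0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podf0e1d2c3_4b5a_6978_8a9b_0c1d2e3f4a5b.slice/docker-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.scope
`

func main() {
	for _, sample := range []string{SampleCgroup, SampleSystemdCgroup} {
		ctx := ParseCgroupContent(sample)
		fmt.Printf("container=%s pod=%s qos=%s\n", ctx.ContainerID, ctx.PodUID, ctx.QOSClass)
	}
	// On a real host: ctx, err := ResolvePID(os.Getpid())
}
```

A process that is not in any container (an init.scope or user.slice path) yields an empty ContainerID, which the sensor can use to tag the event as a host process rather than dropping it.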