Make attributes that compose a fingerprint configurable #26
Labels
kind/feature
adds (or enhances) new functionality
milestone/backlog
no target release (work unplanned)
Today, to generate a process fingerprint (proctor fp), we take the checksum value of the process and its parents' SHAs and combine them to create a new checksum, which is the fingerprint. The primary use-case of fingerprinting is anomaly detection. As such, the only variance that would cause a different SHA is if the binary of the process or parent process changes. This may not be enough for all users.
The issue proposes introducing configuration where a user may choose the attributes of a process that should be used to generate the fingerprint. This configuration should be global to proctor and stored in a configuration file. Proctor's parsing of this configuration file should then be passed into plib when gathering data.
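A sketch of the proposal, added here as an illustration and not taken from proctor or plib: a fingerprint computed over a configurable attribute list for a process and its ancestors. The `Proc` type, the attribute names (`binary_sha`, `cmdline`, `user`) and the encoding are assumptions; selecting only `binary_sha` approximates the binary-only behaviour described above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Proc is a hypothetical process record; the fields are assumptions, not plib's types.
type Proc struct{ BinarySHA, Cmdline, User string }

// attrs maps assumed configuration names to this process's values.
func (p Proc) attrs() map[string]string {
	return map[string]string{"binary_sha": p.BinarySHA, "cmdline": p.Cmdline, "user": p.User}
}

// Fingerprint hashes the selected attributes of each process in chain, where
// chain[0] is the process itself, followed by its parent, grandparent, and so on.
func Fingerprint(chain []Proc, selected []string) (string, error) {
	h := sha256.New()
	for _, p := range chain {
		values := p.attrs()
		for _, name := range selected {
			v, ok := values[name]
			if !ok {
				// Reject unknown names so a typo in the config cannot silently weaken the fingerprint.
				return "", fmt.Errorf("unknown fingerprint attribute %q", name)
			}
			// Length prefixes keep adjacent values from being shifted into each other.
			fmt.Fprintf(h, "%d:%s=%d:%s;", len(name), name, len(v), v)
		}
		h.Write([]byte{0}) // boundary between processes in the chain
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	// Constructed sample data: same binaries, different command line on the child.
	a := []Proc{{"aa", "sshd -D", "root"}, {"bb", "/sbin/init", "root"}}
	b := []Proc{{"aa", "sshd -D -p 2222", "root"}, {"bb", "/sbin/init", "root"}}
	for _, sel := range [][]string{{"binary_sha"}, {"binary_sha", "cmdline"}} {
		fa, _ := Fingerprint(a, sel)
		fb, _ := Fingerprint(b, sel)
		fmt.Printf("attributes=%v fingerprints match=%v\n", sel, fa == fb)
	}
}
```

With only the binary checksum selected, the changed command line goes unnoticed; adding `cmdline` to the selection makes the two fingerprints diverge.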