[Security][8.18] Document enhanced Linux process command line visibility #275

@benironside

Description

On Linux systems with kernel versions below 5.10.16 (essentially the systems that rely on kprobe for instrumentation), process command lines are cut off after 800 characters. This creates a security risk: an attacker could hide a malicious payload by placing it after the 800-character limit.

We're going to change this behavior and need to document the new limits and truncation behavior.
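As an added illustration of the gap described above (example code, not Elastic's implementation or documentation), the helper below flags process events whose captured command line may have hit the kprobe limit, so an analyst knows the visible arguments might be incomplete. It assumes ECS-style event dicts with `host.os.kernel` and `process.command_line`, uses the kernel version as the proxy for "uses kprobe" as the issue does, and uses 800 as the pre-change limit (the new limits are not stated on this page).

```python
# Added example: flag events whose command line may have been truncated by
# kprobe-based instrumentation. Field names and the version-as-proxy rule
# are assumptions for illustration; 800 is the pre-change limit from the issue.
KPROBE_CMDLINE_LIMIT = 800
KPROBE_MAX_KERNEL = (5, 10, 16)   # kernels below this are treated as kprobe-based


def parse_kernel(version: str) -> tuple:
    """Reduce a uname-style string such as '5.4.0-150-generic' to (5, 4, 0)."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def uses_kprobe(kernel: str) -> bool:
    """Per the issue, kernels below 5.10.16 fall back to kprobe instrumentation."""
    return parse_kernel(kernel) < KPROBE_MAX_KERNEL


def maybe_truncated(event: dict) -> bool:
    """True when the host is kprobe-based and the command line reached the cap.
    A genuine 800-character command line also matches, hence 'maybe'."""
    kernel = event.get("host", {}).get("os", {}).get("kernel", "")
    cmdline = event.get("process", {}).get("command_line", "")
    return uses_kprobe(kernel) and len(cmdline) >= KPROBE_CMDLINE_LIMIT


def flag_truncated(events: list) -> list:
    """Return the pids of events an analyst should re-check for hidden arguments."""
    return [e["process"]["pid"] for e in events if maybe_truncated(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": {"os": {"kernel": "5.4.0-150-generic"}},
     "process": {"pid": 101, "command_line": "bash -c " + "A" * 792}},  # exactly 800
    {"host": {"os": {"kernel": "5.4.0-150-generic"}},
     "process": {"pid": 102, "command_line": "ls -la /tmp"}},
    {"host": {"os": {"kernel": "5.15.0-91-generic"}},
     "process": {"pid": 103, "command_line": "bash -c " + "A" * 900}},  # not kprobe
]

if __name__ == "__main__":
    print(flag_truncated(SAMPLE_EVENTS))  # [101]
```

A flagged event is a prompt to recover the full argument list from another source (for example the process's own record on the host) rather than a verdict on its own.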

Resources

https://github.com/elastic/security-team/issues/11339

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

What release is this request related to?

8.18

Collaboration model

The documentation team

Point of contact.

Main contact: @nick-alayil

Stakeholders:

Metadata

Labels

Team:Security (Issues owned by the Security Docs Team), documentation (Improvements or additions to documentation), enhancement (New feature or request)