diff --git a/CMakeLists.txt b/CMakeLists.txt
index 371e35a..11729aa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -104,6 +104,21 @@
 set(SYSMON_COMMON_SOURCE_DIR "${CMAKE_SOURCE_DIR}/sysmonCommon/")
 set(SYSMON_TESTS_SOURCE_DIR "${CMAKE_SOURCE_DIR}/sysmonCommon/UnitTests/")
 endif()
+#
+# Compress man page
+#
+set(SYSMON_COMPRESS_MAN "sysmon.8.gz")
+
+add_custom_target(SYSMON_MAN_COMPRESS ALL
+ DEPENDS ${PROJECT_BINARY_DIR}/${SYSMON_COMPRESS_MAN}
+ )
+
+add_custom_command(OUTPUT ${PROJECT_BINARY_DIR}/${SYSMON_COMPRESS_MAN}
+ COMMAND gzip -f -c "${CMAKE_SOURCE_DIR}/package/usr/share/man/man8/sysmon.8" > ${PROJECT_BINARY_DIR}/${SYSMON_COMPRESS_MAN}
+ COMMENT "Compressing Sysmon man page"
+ DEPENDS "${CMAKE_SOURCE_DIR}/package/usr/share/man/man8/sysmon.8"
+ )
+
 #
 # make sysmon
 #
diff --git a/INSTALL.md b/INSTALL.md
index e7d7c56..64bcb01 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,6 +1,6 @@
 # Install Sysmon
 
-## Ubuntu 18.04, 20.04 & 21.04
+## Ubuntu 18.04, 20.04 & 22.04
 #### 1. Register Microsoft key and feed
 ```sh
 wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
@@ -51,23 +51,11 @@ sudo apt-get update
 sudo apt-get install sysmonforlinux
 ```
 
-## Fedora 33
+## Fedora 36
 #### 1. Register Microsoft key and feed
 ```sh
 sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
-sudo wget -q -O /etc/yum.repos.d/microsoft-prod.repo https://packages.microsoft.com/config/fedora/33/prod.repo
-```
-
-#### 2. Install SysmonForLinux
-```sh
-sudo dnf install sysmonforlinux
-```
-
-## Fedora 34
-#### 1. Register Microsoft key and feed
-```sh
-sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
-sudo wget -q -O /etc/yum.repos.d/microsoft-prod.repo https://packages.microsoft.com/config/fedora/34/prod.repo
+sudo wget -q -O /etc/yum.repos.d/microsoft-prod.repo https://packages.microsoft.com/config/fedora/36/prod.repo
 ```
 
 #### 2. Install SysmonForLinux
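Review bot: The gzip invocation in the new add_custom_command leaves gzip's default header in place, which records the source file's name and mtime, so sysmon.8.gz (and every .deb/.rpm that embeds it) differs from checkout to checkout even when sysmon.8 is unchanged; adding `-n` makes the archive byte-reproducible, which is what lets a consumer compare a published package against a rebuild. The command also hard-codes `gzip` and leans on an unquoted `>` redirection without VERBATIM, so the escaping of the paths depends on the generator; resolving the tool with find_program, quoting the paths and adding VERBATIM keeps it predictable. `find_program(... REQUIRED)` needs CMake 3.18 — the project's minimum is not visible here, so if it is lower, replace REQUIRED with an explicit `if(NOT GZIP_EXECUTABLE) message(FATAL_ERROR "gzip not found") endif()`.
```cmake
# … unchanged: SYSMON_COMPRESS_MAN and the SYSMON_MAN_COMPRESS target …

find_program(GZIP_EXECUTABLE gzip REQUIRED)

add_custom_command(OUTPUT "${PROJECT_BINARY_DIR}/${SYSMON_COMPRESS_MAN}"
    COMMAND "${GZIP_EXECUTABLE}" -9 -n -c "${CMAKE_SOURCE_DIR}/package/usr/share/man/man8/sysmon.8" > "${PROJECT_BINARY_DIR}/${SYSMON_COMPRESS_MAN}"
    COMMENT "Compressing Sysmon man page"
    DEPENDS "${CMAKE_SOURCE_DIR}/package/usr/share/man/man8/sysmon.8"
    VERBATIM
    )
```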
@@ -87,10 +75,11 @@ sudo wget -q -O /etc/yum.repos.d/microsoft-prod.repo https://packages.microsoft.
 sudo dnf install sysmonforlinux
 ```
 
-## CentOS 8
+## RHEL 9
 #### 1. Register Microsoft key and feed
 ```sh
-sudo rpm -Uvh https://packages.microsoft.com/config/centos/8/packages-microsoft-prod.rpm
+sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
+sudo wget -q -O /etc/yum.repos.d/microsoft-prod.repo https://packages.microsoft.com/config/rhel/9/prod.repo
 ```
 
 #### 2. Install SysmonForLinux
@@ -98,6 +87,7 @@ sudo rpm -Uvh https://packages.microsoft.com/config/centos/8/packages-microsoft-
 sudo dnf install sysmonforlinux
 ```
 
+
 ## openSUSE 15
 #### 1. Register Microsoft key and feed
 ```sh
diff --git a/makePackages.sh b/makePackages.sh
index 358b9e0..4eb281a 100755
--- a/makePackages.sh
+++ b/makePackages.sh
@@ -57,7 +57,8 @@ fi
 mkdir -p "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}"
 cp -a "${CMAKE_SOURCE_DIR}/package/DEBIAN" "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/"
 cp "${PROJECT_BINARY_DIR}/DEBIANcontrol" "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/DEBIAN/control"
-cp -a "${CMAKE_SOURCE_DIR}/package/usr" "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/"
+mkdir -p "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/usr/share/man/man8"
+cp -a "${PROJECT_BINARY_DIR}/sysmon.8.gz" "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/usr/share/man/man8"
 mkdir -p "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/usr/bin"
 cp "${PROJECT_BINARY_DIR}/sysmon" "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/usr/bin/"
 
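Review bot: The new `cp -a` line ships sysmon.8.gz into the .deb with whatever mode the build user's umask gave the redirected gzip output, and dpkg-deb records that mode in the package, so an unusual umask produces a man page that is unreadable to non-root users or group-writable on every target host; `install -D -m 0644 "${PROJECT_BINARY_DIR}/sysmon.8.gz" "${PROJECT_BINARY_DIR}/deb/${DEB_PACKAGE_NAME}/usr/share/man/man8/sysmon.8.gz"` replaces both added lines and pins the mode. Note also that the removed line copied all of `package/usr`; anything else that tree may hold besides the man page (nothing else is visible in this diff) is now silently left out of the .deb, so that is worth confirming against the source tree.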
@@ -73,7 +74,7 @@ fi
 mkdir -p "${PROJECT_BINARY_DIR}/rpm/${RPM_PACKAGE_NAME}/SPECS"
 cp -a "${PROJECT_BINARY_DIR}/SPECS.spec" "${PROJECT_BINARY_DIR}/rpm/${RPM_PACKAGE_NAME}/SPECS/${RPM_PACKAGE_NAME}.spec"
 mkdir "${PROJECT_BINARY_DIR}/rpm/${RPM_PACKAGE_NAME}/BUILD/"
-cp "${CMAKE_SOURCE_DIR}/package/usr/share/man/man8/sysmon.8.gz" "${PROJECT_BINARY_DIR}/sysmon" "${PROJECT_BINARY_DIR}/rpm/${RPM_PACKAGE_NAME}/BUILD/"
+cp "${PROJECT_BINARY_DIR}/sysmon.8.gz" "${PROJECT_BINARY_DIR}/sysmon" "${PROJECT_BINARY_DIR}/rpm/${RPM_PACKAGE_NAME}/BUILD/"
 
 # make the rpm
 if [ "$RPMBUILD" != "" ]; then
diff --git a/package/usr/share/man/man8/sysmon.8 b/package/usr/share/man/man8/sysmon.8
new file mode 100644
index 0000000..ad1c753
--- /dev/null
+++ b/package/usr/share/man/man8/sysmon.8
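Review bot: The updated `cp` assumes the SYSMON_MAN_COMPRESS target has already produced `${PROJECT_BINARY_DIR}/sysmon.8.gz`; if only the sysmon binary was built, cp reports an error for that argument but still copies the binary, and unless the script runs under `set -e` (not visible in this hunk) rpmbuild proceeds without the man page. A guard before the copy, `[ -f "${PROJECT_BINARY_DIR}/sysmon.8.gz" ] || { echo "sysmon.8.gz missing: build target SYSMON_MAN_COMPRESS first" >&2; exit 1; }`, fails the packaging step early and visibly. The file name is now spelled out literally here, in the deb hunk above and as SYSMON_COMPRESS_MAN in CMakeLists.txt; passing it into the script once would keep the three from drifting.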
@@ -0,0 +1,93 @@
+.\" Manpage for Sysinternals Sysmon For Linux.
+.\" Contact via http://github/Sysinternals to correct errors or typos.
+.TH SYSMON 8 "23 Feb 2023" "1.1.0" "System Manager's Manual"
+
+.SH NAME
+sysmon \- System Monitor from Sysinternals
+
+.SH SYNOPSIS
+sysmon [options]
+
+.SH DESCRIPTION
+System Monitor (Sysmon) is a system service and set of eBPF programs that,
+once installed on a system, remains resident across system reboots to monitor
+and log system activity to the Syslog. It provides detailed information about
+process creations, network connections, and file creations and deletions. By
+collecting the events it generates using SIEM agents and subsequently analyzing
+them, you can identify malicious or anomalous activity and understand how
+intruders and malware operate on your network.
+
+Note that Sysmon does not provide analysis of the events it generates, nor does
+it attempt to protect or hide itself from attackers.
+
+Sysmon includes the following capabilities:
+
+.IP \[bu] 2
+Logs process creation with full command line for both current and parent
+processes.
+.IP \[bu]
+Includes a process GUID in process create events to allow for correlation of
+events even when Linux reuses process IDs.
+.IP \[bu]
+Includes a session GUID in each event to allow correlation of events on same
+logon session.
+.IP \[bu]
+Logs file creations and deletions.
+.IP \[bu]
+Logs opens for raw read access of disks and volumes.
+.IP \[bu]
+Optionally logs network connections, including each connection’s source
+process, IP addresses and port numbers.
+.IP \[bu]
+Logs ptrace (process access) activity.
+.IP \[bu]
+Rule filtering to include or exclude certain events dynamically.
+
+.PP
+Events are stored in the Syslog, often found at /var/log/syslog.
+
+Use the '\-? config' command for configuration file documentation. More
+examples are available on the Sysinternals website.
+
+Specify '\-accepteula' to automatically accept the EULA on installation.
+
+Neither install nor uninstall requires a reboot.
+
+.SH OPTIONS
+ \-c [config] Update configuration of an installed Sysmon driver or dump the
+ current configuration if no other argument is provided. Optionally
+ take a configuration file.
+ \-i [config] Install service and driver. Optionally take a configuration file.
+ \-s Print configuration schema definition of the specified version.
+ Specify 'all' to dump all schema versions (default is latest)).
+ \-u Uninstall service and driver. Adding force causes uninstall to proceed
+ even when some components are not installed.
+ \-btf Uses the specified offline BTF file.
+ \-? Help.
+ \-? config Configuration help.
+ \-accepteula Accept the EULA.
+
+.SH SEE ALSO
+ps(1), perf(1), top(1), procmon(1), procdump(1)
+
+.SH BUGS
+No known bugs.
+
+.SH NOTES
+File paths are typically constructed in eBPF by traversing the file system.
+It is possible that system limits will in some cases prevent the full path
+from being recovered. In this situations, the first character of the path will
+be a '+' to indicate that more directories may have preceded it.
+
+.SH AUTHOR
+Sysinternals - www.sysinternals.com
+
+Mark Russinovich, Thomas Garnier and Kevin Sheldrake
+
+Copyright (C) 2014-2023 Microsoft Corporation
+
+.SH COPYRIGHT
+The userland part of Sysmon is licensed under MIT; the eBPF parts are licensed
+under GPL2.
+
+
diff --git a/package/usr/share/man/man8/sysmon.8.gz b/package/usr/share/man/man8/sysmon.8.gz
deleted file mode 100644
index 056ab3e..0000000
Binary files a/package/usr/share/man/man8/sysmon.8.gz and /dev/null differ