
fix active response process identity validation#45

Merged
Karib0u merged 5 commits into main from codex/revalidate-process-identity on Jun 1, 2026

Conversation


@Karib0u Karib0u commented May 31, 2026

Summary

  • add process identity capture with PID, image path, process start time, and optional command-line hash
  • re-query live process identity immediately before active-response termination
  • skip and log active responses when the live process no longer matches the alert identity

Root cause

Active response made the termination decision from the PID and image stored in the alert context. If that PID was reused before the worker executed, termination could target a different process.

Validation

  • cargo test --no-run
  • cargo test --test active_response
  • cargo test response::tests::validate_process_identity

Windows target compile was attempted locally, but x86_64-pc-windows-msvc is not installed on this machine.
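The revalidation described in the summary above, as an added example that is not the project's own code: the type names, the `start_time` representation (an opaque OS timestamp) and the rule that the command-line hash is compared only when both sides captured it are assumptions.

```rust
// Added example modelled on the PR description; names and types are assumptions.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProcessIdentity {
    pub pid: u32,
    pub image_path: String,
    /// Process start time as reported by the OS; a reused PID gets a new one.
    pub start_time: u64,
    /// Optional hash of the command line; None when it was not captured.
    pub cmdline_hash: Option<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Terminate,
    /// Skip the response and log the reason the live process no longer matches.
    Skip(&'static str),
}

/// Compare the identity stored in the alert with the identity re-queried from
/// the live process immediately before termination. Any mismatch skips.
pub fn validate_process_identity(alert: &ProcessIdentity, live: Option<&ProcessIdentity>) -> Decision {
    let live = match live {
        Some(l) => l,
        None => return Decision::Skip("process no longer exists"),
    };
    if live.pid != alert.pid {
        return Decision::Skip("pid mismatch");
    }
    // Same PID but a different start time means the PID was reused.
    if live.start_time != alert.start_time {
        return Decision::Skip("pid reused: start time differs");
    }
    if live.image_path != alert.image_path {
        return Decision::Skip("image path mismatch");
    }
    // Assumption: the hash is only decisive when both sides captured it.
    if let (Some(a), Some(l)) = (&alert.cmdline_hash, &live.cmdline_hash) {
        if a != l {
            return Decision::Skip("command-line hash mismatch");
        }
    }
    Decision::Terminate
}

fn main() {
    // Constructed sample: the alert's PID was reused by a process started later.
    let alert = ProcessIdentity { pid: 4242, image_path: "/usr/bin/curl".into(), start_time: 1_700_000_000_000, cmdline_hash: None };
    let reused = ProcessIdentity { start_time: 1_700_000_005_000, ..alert.clone() };
    println!("{:?}", validate_process_identity(&alert, Some(&reused)));
}
```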

@Karib0u Karib0u changed the title from "[codex] fix active response process identity validation" to "fix active response process identity validation" on May 31, 2026
Karib0u and others added 4 commits June 1, 2026 19:21
The active-response identity work added a process_start_time field to
ProcessCreationFields and updated every constructor except the
Windows-only ETW decoder (not compilable on the author's macOS host),
breaking the Windows build with E0063.

Populate it from creation_time_with_fallback — the same value used to
build the ProcessStartKey immediately below.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Merging main brought in the macOS Endpoint Security sensor (#46), whose
two ProcessCreationFields constructors predate the process_start_time
field and so broke the macOS build with E0063.

Exec events carry the start time (reuse raw.start_time, same value as
the ProcessStartKey); exit events have no start time, so None.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Karib0u Karib0u marked this pull request as ready for review June 1, 2026 17:37
@Karib0u Karib0u merged commit 77db777 into main Jun 1, 2026
12 checks passed
@Karib0u Karib0u deleted the codex/revalidate-process-identity branch June 1, 2026 17:38