Why does Jenkins need to read the memory of lsass.exe?


Amedee Van Gasse

Aug 17, 2023, 3:56:52 AM
to Jenkins Users
Hi,

Security question here.

Is there any reason why Jenkins would ever need to request the content of c:\windows\system32\lsass.exe (Local Security Authority Subsystem Service)?

The endpoint protection on the Jenkins device is denying Jenkins access to lsass.exe, and the devs are unable to tell me why their favorite automation tool needs to do an activity that is highly suspicious in terms of security. Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service.

I was hoping that the community could help me here. I have no direct access to the Jenkins device, I only see suspicious events being reported by the endpoint security software.

jn...@cloudbees.com

Sep 8, 2023, 1:19:53 PM
to Jenkins Users
Jenkins, when it has finished executing things for a job on an agent, likes to tidy up (aka kill) any errant processes that have been started that the build scripts failed to terminate (pesky build scripts!).

In order to do this it sets a special environment variable, which is then inherited by all processes that it spawns (there are ways to avoid this but...)

So when the build has finished it looks for all processes that have this special variable set so it can kill them.  In order to get the environment variables from a process it needs to be able to read certain portions - and this is probably what is being reported as it tries to open the process to read its environment.

Either that - or it is the looking for the parent/child relationship (to find the spawned process) that is flagging it.

Or... it's not Jenkins at all but something that has been launched as Jenkins.

https://github.com/jenkinsci/jenkins/blob/fb6a03c2507536d944032dbef337c51e43ceaa5e/core/src/main/java/hudson/util/ProcessTree.java#L544-L664

/James
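
The scan described in the reply above, as an added example (not Jenkins' own code and not part of the thread): a Linux analogue that reads each process's environment from /proc and looks for a marker variable. The variable name `DEMO_BUILD_COOKIE` and the function names are hypothetical. The sweep touches every process on the host, and a denied read on a protected process is recorded and skipped.

```python
import os
from pathlib import Path

MARKER = "DEMO_BUILD_COOKIE"  # hypothetical name, not Jenkins' real variable


def parse_environ(blob: bytes) -> dict:
    """Split a NUL-separated KEY=VALUE block as found in /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def scan(cookie: str, proc_root: str = "/proc"):
    """Return (marked, denied, gone) PID lists for one sweep over every process."""
    marked, denied, gone = [], [], []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # not a PID directory
        pid = int(entry.name)
        try:
            env = parse_environ((entry / "environ").read_bytes())
        except PermissionError:
            denied.append(pid)   # protected or foreign process: skip, do not retry
            continue
        except OSError:
            gone.append(pid)     # process exited between listing and reading
            continue
        if env.get(MARKER) == cookie:
            marked.append(pid)   # only these would be candidates for cleanup
    return sorted(marked), sorted(denied), sorted(gone)


if __name__ == "__main__":
    import subprocess, sys, uuid
    cookie = uuid.uuid4().hex
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"],
                             env={**os.environ, MARKER: cookie})
    try:
        marked, denied, gone = scan(cookie)
        print(f"marked={marked} denied={len(denied)} gone={len(gone)}")
    finally:
        child.kill()
        child.wait()
```

Run as an unprivileged user, the `denied` count is normally non-zero: those are processes owned by other accounts, which is the same class of event an endpoint agent reports when the sweep reaches a protected process.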


