
EDR: Command Line Redirection Events are Missing


Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions

Question

Why, in the captured events for the command "find / -perm -u=s -type f 2>/dev/null", is the 2>/dev/null stripped from the recorded command line?

Answer

  • These redirections look like part of the command, but they are shell syntax: they control the file descriptors the shell sets up before the command is executed
  • When bash runs a command like this, it does the following:
    1. Fork to create a new process
    2. Open a file handle to /dev/null
    3. Remap that file handle over the stderr file descriptor (fd 2)
    4. Exec the command line without any of the redirections
  • With this syntax, the find command never sees the redirection; it is not part of the command's arguments, it is something bash does to the process environment before running the command. The command line captured in the event is the one passed to exec, so it does not contain the 2>/dev/null
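The four steps above, as an added example that is not from the original article: a small C program that emulates what bash does for a "2>PATH" redirection. The redirection is pulled out of the argument list before exec, so the argv that reaches the kernel (and therefore the sensor) never contains it, while stderr is silently pointed at the file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 32

/* Split a simple space-separated command line, pulling any "2>PATH"
 * stderr redirection out of argv the way the shell does. Returns argc;
 * *err_path points at PATH inside buf, or is NULL if there was none. */
int split_redirection(char *buf, char **argv, char **err_path) {
    int argc = 0;
    *err_path = NULL;
    for (char *tok = strtok(buf, " "); tok && argc < MAX_ARGS - 1; tok = strtok(NULL, " ")) {
        if (strncmp(tok, "2>", 2) == 0)
            *err_path = tok + 2;   /* shell syntax: consumed here, never passed on */
        else
            argv[argc++] = tok;    /* everything else reaches execvp() */
    }
    argv[argc] = NULL;
    return argc;
}

/* Steps 1-4: fork, open the target, dup2 it over fd 2, exec argv.
 * Returns the child's exit status, or -1 on failure. */
int run_redirected(char **argv, const char *err_path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (err_path) {
            int fd = open(err_path, O_WRONLY | O_CREAT | O_APPEND, 0644);
            if (fd < 0) _exit(127);
            dup2(fd, STDERR_FILENO);   /* stderr now points at the file */
            close(fd);
        }
        execvp(argv[0], argv);         /* argv carries no "2>..." token */
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char line[] = "find / -perm -u=s -type f 2>/dev/null";   /* constructed sample */
    char *argv[MAX_ARGS]; char *err;
    int argc = split_redirection(line, argv, &err);
    printf("argv passed to exec (%d):", argc);
    for (int i = 0; i < argc; i++) printf(" %s", argv[i]);
    printf("\nstderr redirected to: %s\n", err ? err : "(inherited)");
    return 0;
}
```

Running it prints the six-token argv without the redirection, which is exactly what a process-start event records.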

Article Information
Creation Date: 04-28-2023