Jenkins, when it is finished executing things for a job on an agent, likes to tidy up (aka kill) any errant processes that have been started that the build scripts failed to terminate (pesky build scripts!).
In order to do this it sets a special environment variable, which is then inherited by all processes that it spawns (there are ways to avoid this but...). So when the build has finished it looks for all processes that have this special variable set so it can kill them. In order to get the environment variables from a process it needs to be able to read certain portions - and this is probably what is being reported as it tries to open the process to read its environment. Either that - or it is the looking for the parent/child relationship (to find the spawned process) that is flagging it. Or... it's not Jenkins at all but something that has been launched as Jenkins.

https://github.com/jenkinsci/jenkins/blob/fb6a03c2507536d944032dbef337c51e43ceaa5e/core/src/main/java/hudson/util/ProcessTree.java#L544-L664
https://github.com/jenkinsci/winp/blob/master/native/winp.cpp

/James

On Thursday, August 17, 2023 at 8:56:52 AM UTC+1 amedee....@gmail.com wrote:

> Hi,
>
> Security question here.
>
> Is there any reason why Jenkins would ever need to request the content of
> c:\windows\system32\lsass.exe (Local Security Authority Subsystem Service)?
>
> The endpoint protection on the Jenkins device is denying Jenkins access to
> lsass.exe, and the devs are unable to tell me why their favorite automation
> tool needs to do an activity that is highly suspicious in terms of
> security. Adversaries may attempt to access credential material stored in
> the process memory of the Local Security Authority Subsystem Service.
>
> I was hoping that the community could help me here. I have no direct
> access to the Jenkins device, I only see suspicious events being reported
> by the endpoint security software.
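A triage sketch for the events the original poster describes, added here as an example and not taken from Jenkins or from any post in this thread: it checks whether each lsass.exe access falls inside a burst in which the same process also opened several other processes, which is the pattern the environment-variable scan described in the reply would produce. The event tuple layout, the sample events, the time window and the threshold are all assumptions; map the fields to whatever the endpoint product exports.

```python
from collections import defaultdict

JAVA = r"C:\jenkins\jdk\bin\java.exe"  # constructed path for the agent's JVM
# Constructed process-access events (not from the thread):
# (time in seconds, source pid, source image, target image)
EVENTS = [
    (100.0, 4120, JAVA, r"C:\Windows\System32\svchost.exe"),
    (100.1, 4120, JAVA, r"C:\Windows\System32\lsass.exe"),
    (100.2, 4120, JAVA, r"C:\Windows\explorer.exe"),
    (100.3, 4120, JAVA, r"C:\Windows\System32\cmd.exe"),
    (100.4, 4120, JAVA, r"C:\Windows\System32\conhost.exe"),
    (900.0, 4120, JAVA, r"C:\Windows\System32\lsass.exe"),
    (300.0, 7788, r"C:\build\tool.exe", r"C:\Windows\System32\lsass.exe"),
]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_lsass_access(events, window_s=5.0, min_other_targets=3):
    """Label each lsass.exe access as part of a multi-process sweep or not.

    "sweep" only means the access is consistent with a scan over all
    processes; the source image and pid are returned so the analyst can
    confirm the source really is the Jenkins agent.
    """
    by_source = defaultdict(list)
    for t, pid, src, tgt in events:
        by_source[(pid, src)].append((t, image_name(tgt)))
    findings = []
    for (pid, src), accesses in sorted(by_source.items()):
        for t, tgt in accesses:
            if tgt != "lsass.exe":
                continue
            # Distinct non-lsass targets the same source opened near this time.
            others = {name for ot, name in accesses
                      if name != "lsass.exe" and abs(ot - t) <= window_s}
            verdict = "sweep" if len(others) >= min_other_targets else "lsass-only"
            findings.append({"time": t, "pid": pid, "source": src,
                             "other_targets": len(others), "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage_lsass_access(EVENTS):
        print(finding)
```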