[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: announce: readahead-1.4



At 6:09 AM -0800 3/2/07, Steve G wrote:
>> It's one rule:
>>
>>	rc |= audit_rule_syscallbyname_data(audit_rule, "open");
>>	rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
>>	rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
>>	rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
>>	rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");
>
>I think you are missing some events. I added a feature to autrace to help with
>threat modeling. (The idea is run your program with autrace -r, exercise it,
>extract audit data, and feed that to UML diagrammer.) I would suggest
>using code
>similar to the threat model:
>
>                rc |= audit_rule_syscallbyname_data(rule, "open");
>                rc |= audit_rule_syscallbyname_data(rule, "creat");
>                rc |= audit_rule_syscallbyname_data(rule, "truncate");
>                rc |= audit_rule_syscallbyname_data(rule, "rename");
>                rc |= audit_rule_syscallbyname_data(rule, "unlink");
>                rc |= audit_rule_syscallbyname_data(rule, "mknod");
>                rc |= audit_rule_syscallbyname_data(rule, "mkdir");
>                rc |= audit_rule_syscallbyname_data(rule, "rmdir");
>                rc |= audit_rule_syscallbyname_data(rule, "chdir");
>                rc |= audit_rule_syscallbyname_data(rule, "chown");
>                rc |= audit_rule_syscallbyname_data(rule, "lchown");
>                rc |= audit_rule_syscallbyname_data(rule, "chmod");
>                rc |= audit_rule_syscallbyname_data(rule, "link");
>                rc |= audit_rule_syscallbyname_data(rule, "symlink");
>                rc |= audit_rule_syscallbyname_data(rule, "readlink");
>                rc |= audit_rule_syscallbyname_data(rule, "execve");
>                rc |= audit_rule_syscallbyname_data(rule, "connect");
>                rc |= audit_rule_syscallbyname_data(rule, "bind");
>                rc |= audit_rule_syscallbyname_data(rule, "accept");
>                rc |= audit_rule_syscallbyname_data(rule, "sendto");
>                rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
>                rc |= audit_rule_syscallbyname_data(rule, "sendfile");
>
>which admittedly does not contain the *at syscalls. The threat model is so
>that you can see all the boundaries/resources that your apps are using.
>You could turn off the networking, mknod, & mkdir if you like.
 ...

Probably none of the added syscalls refer to files that are being read
from?  I suppose readhead could cache the inodes, but I don't think it is
doing any of that now.  I don't think that even 'creat' or 'truncate' make
sense.

Is there a way to tell if a file is opened for reading from the message?
Only files that are read from should be readahead.
-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson georgeanelson com>
      '                              <http://www.georgeanelson.com/>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]