
Re: announce: readahead-1.4



> It's one rule:
>
>	rc |= audit_rule_syscallbyname_data(audit_rule, "open");
>	rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
>	rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
>	rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
>	rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");

I think you are missing some events. I added a feature to autrace to help with
threat modeling. (The idea is to run your program with autrace -r, exercise it,
extract the audit data, and feed that to a UML diagrammer.) I would suggest using
code similar to the threat model:

                rc |= audit_rule_syscallbyname_data(rule, "open");
                rc |= audit_rule_syscallbyname_data(rule, "creat");
                rc |= audit_rule_syscallbyname_data(rule, "truncate");
                rc |= audit_rule_syscallbyname_data(rule, "rename");
                rc |= audit_rule_syscallbyname_data(rule, "unlink");
                rc |= audit_rule_syscallbyname_data(rule, "mknod");
                rc |= audit_rule_syscallbyname_data(rule, "mkdir");
                rc |= audit_rule_syscallbyname_data(rule, "rmdir");
                rc |= audit_rule_syscallbyname_data(rule, "chdir");
                rc |= audit_rule_syscallbyname_data(rule, "chown");
                rc |= audit_rule_syscallbyname_data(rule, "lchown");
                rc |= audit_rule_syscallbyname_data(rule, "chmod");
                rc |= audit_rule_syscallbyname_data(rule, "link");
                rc |= audit_rule_syscallbyname_data(rule, "symlink");
                rc |= audit_rule_syscallbyname_data(rule, "readlink");
                rc |= audit_rule_syscallbyname_data(rule, "execve");
                rc |= audit_rule_syscallbyname_data(rule, "connect");
                rc |= audit_rule_syscallbyname_data(rule, "bind");
                rc |= audit_rule_syscallbyname_data(rule, "accept");
                rc |= audit_rule_syscallbyname_data(rule, "sendto");
                rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
                rc |= audit_rule_syscallbyname_data(rule, "sendfile");

which admittedly does not contain the *at syscalls. The threat model is so that
you can see all the boundaries/resources that your apps are using. You could turn
off the networking, mknod, & mkdir if you like.

> I'll try to check it and prepare some numbers. Maybe it's really so
> fast. No clue now.

One rule is not a big deal.

-Steve
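The "extract audit data" step of the threat-model workflow above, as an added example (not Steve's code and not part of autrace or libaudit): it groups records by event serial and maps each audited syscall to the files or socket addresses it touched, using the syscall classes from the rule list above. The sample records are constructed in the style of `ausearch -i` interpreted output; the field layout is an assumption for illustration, not real trace data.

```python
import re
from collections import defaultdict

# Syscall classes taken from the autrace threat-model rule set quoted above.
FS_SYSCALLS = {"open", "creat", "truncate", "rename", "unlink", "mknod", "mkdir",
               "rmdir", "chdir", "chown", "lchown", "chmod", "link", "symlink",
               "readlink", "execve", "sendfile"}
NET_SYSCALLS = {"connect", "bind", "accept", "sendto", "recvfrom"}

# Constructed sample in the style of `ausearch -i` interpreted output (not a
# real trace). Records of one event share the serial in msg=audit(...:SERIAL).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(01/02/2007 10:00:00.001:101) : arch=x86_64 syscall=open success=yes exit=3 comm=readahead exe=/sbin/readahead
type=PATH msg=audit(01/02/2007 10:00:00.001:101) : item=0 name=/etc/readahead.conf mode=file,644
type=SYSCALL msg=audit(01/02/2007 10:00:00.002:102) : arch=x86_64 syscall=execve success=yes exit=0 comm=readahead exe=/sbin/readahead
type=PATH msg=audit(01/02/2007 10:00:00.002:102) : item=0 name=/sbin/readahead mode=file,755
type=SYSCALL msg=audit(01/02/2007 10:00:00.003:103) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) comm=readahead exe=/sbin/readahead
type=SOCKADDR msg=audit(01/02/2007 10:00:00.003:103) : saddr={ fam=inet laddr=127.0.0.1 lport=514 }
type=SYSCALL msg=audit(01/02/2007 10:00:00.004:104) : arch=x86_64 syscall=open success=yes exit=4 comm=readahead exe=/sbin/readahead
type=PATH msg=audit(01/02/2007 10:00:00.004:104) : item=0 name=/var/lib/readahead/list mode=file,644
"""

# key=value tokens; a value may be quoted or a {...} group (as in saddr=).
TOKEN = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')
SERIAL = re.compile(r"msg=audit\([^)]*:(\d+)\)")

def parse_records(text):
    """Yield (event serial, record type, fields) per interpreted audit line."""
    for line in text.splitlines():
        m = SERIAL.search(line)
        if m:
            fields = dict(TOKEN.findall(line))
            yield m.group(1), fields["type"], fields

def boundaries(text):
    """Map each audited syscall to the resources it touched. Failed attempts
    count too: a refused connect still shows which boundary the program reaches for."""
    events = defaultdict(list)
    for serial, rtype, fields in parse_records(text):
        events[serial].append((rtype, fields))
    summary = defaultdict(set)
    for recs in events.values():
        sc = next((f["syscall"] for t, f in recs if t == "SYSCALL"), None)
        for rtype, f in recs:
            if rtype == "PATH" and sc in FS_SYSCALLS:
                summary[sc].add(f["name"])
            elif rtype == "SOCKADDR" and sc in NET_SYSCALLS:
                sa = dict(TOKEN.findall(f["saddr"]))
                summary[sc].add(f"{sa['fam']} {sa['laddr']}:{sa['lport']}")
    return {sc: sorted(res) for sc, res in summary.items()}
```

Calling `boundaries(SAMPLE_LOG)` returns the two opened files, the executed binary and the refused connect to 127.0.0.1:514, keyed by syscall, which is the per-resource view a diagram of the program's trust boundaries starts from.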

