> It's one rule:
>
> rc |= audit_rule_syscallbyname_data(audit_rule, "open");
> rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
> rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
> rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
> rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");

I think you are missing some events. I added a feature to autrace to help with
threat modeling. (The idea is to run your program with autrace -r, exercise it,
extract audit data, and feed that to a UML diagrammer.) I would suggest using
code similar to the threat model:

    rc |= audit_rule_syscallbyname_data(rule, "open");
    rc |= audit_rule_syscallbyname_data(rule, "creat");
    rc |= audit_rule_syscallbyname_data(rule, "truncate");
    rc |= audit_rule_syscallbyname_data(rule, "rename");
    rc |= audit_rule_syscallbyname_data(rule, "unlink");
    rc |= audit_rule_syscallbyname_data(rule, "mknod");
    rc |= audit_rule_syscallbyname_data(rule, "mkdir");
    rc |= audit_rule_syscallbyname_data(rule, "rmdir");
    rc |= audit_rule_syscallbyname_data(rule, "chdir");
    rc |= audit_rule_syscallbyname_data(rule, "chown");
    rc |= audit_rule_syscallbyname_data(rule, "lchown");
    rc |= audit_rule_syscallbyname_data(rule, "chmod");
    rc |= audit_rule_syscallbyname_data(rule, "link");
    rc |= audit_rule_syscallbyname_data(rule, "symlink");
    rc |= audit_rule_syscallbyname_data(rule, "readlink");
    rc |= audit_rule_syscallbyname_data(rule, "execve");
    rc |= audit_rule_syscallbyname_data(rule, "connect");
    rc |= audit_rule_syscallbyname_data(rule, "bind");
    rc |= audit_rule_syscallbyname_data(rule, "accept");
    rc |= audit_rule_syscallbyname_data(rule, "sendto");
    rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
    rc |= audit_rule_syscallbyname_data(rule, "sendfile");

which admittedly does not contain the *at syscalls. The threat model is so that
you can see all the boundaries/resources that your apps are using. You could
turn off the networking, mknod, & mkdir if you like.

> I'll try to check it and prepare some numbers. Maybe it's really so
> fast. No clue now.

1 rule is not a big deal.

-Steve

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
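
The "one rule" point and the missing *at syscalls, as an added example (not part of the original message and not libaudit code): a small model of the per-rule syscall bitmask that audit_rule_syscallbyname_data fills in, which also reports the *at counterparts the list above leaves unmatched. The hardcoded x86_64 syscall numbers, the *at pairings and all function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MASK_WORDS 64 /* 64 x 32-bit words, like the kernel's AUDIT_BITMASK_SIZE */
struct sc { const char *name; int nr; const char *at_name; int at_nr; };
/* Syscalls from the message, with x86_64 numbers (assumption: x86_64 target),
 * each paired with its *at counterpart where one exists (at_nr 0 = none). */
static const struct sc calls[] = {
    {"open", 2, "openat", 257}, {"creat", 85, NULL, 0}, {"truncate", 76, NULL, 0},
    {"rename", 82, "renameat", 264}, {"unlink", 87, "unlinkat", 263},
    {"mknod", 133, "mknodat", 259}, {"mkdir", 83, "mkdirat", 258},
    {"rmdir", 84, "unlinkat", 263}, {"chdir", 80, NULL, 0},
    {"chown", 92, "fchownat", 260}, {"lchown", 94, "fchownat", 260},
    {"chmod", 90, "fchmodat", 268}, {"link", 86, "linkat", 265},
    {"symlink", 88, "symlinkat", 266}, {"readlink", 89, "readlinkat", 267},
    {"execve", 59, "execveat", 322}, {"connect", 42, NULL, 0}, {"bind", 49, NULL, 0},
    {"accept", 43, NULL, 0}, {"sendto", 44, NULL, 0}, {"recvfrom", 45, NULL, 0}, {"sendfile", 40, NULL, 0},
};
#define NCALLS (sizeof calls / sizeof calls[0])
static int covered(const uint32_t *m, int nr) { return (m[nr / 32] >> (nr % 32)) & 1u; }
static void set_nr(uint32_t *m, int nr) { m[nr / 32] |= (uint32_t)1 << (nr % 32); }
static int count_bits(const uint32_t *m) {
    int n = 0;
    for (int nr = 0; nr < MASK_WORDS * 32; nr++) n += covered(m, nr);
    return n;
}
/* One rule: each syscall ORs a bit into the same mask. Returns syscalls matched. */
int build_rule(uint32_t *m, int include_at) {
    memset(m, 0, MASK_WORDS * sizeof *m);
    for (size_t i = 0; i < NCALLS; i++) {
        set_nr(m, calls[i].nr);
        if (include_at && calls[i].at_nr) set_nr(m, calls[i].at_nr);
    }
    return count_bits(m);
}
/* Fills gap with the *at counterparts the rule misses; returns how many distinct. */
int at_gaps(const uint32_t *m, uint32_t *gap) {
    memset(gap, 0, MASK_WORDS * sizeof *gap);
    for (size_t i = 0; i < NCALLS; i++)
        if (calls[i].at_nr && !covered(m, calls[i].at_nr)) set_nr(gap, calls[i].at_nr);
    return count_bits(gap);
}
int main(void) {
    uint32_t m[MASK_WORDS], gap[MASK_WORDS];
    int n = build_rule(m, 0);
    printf("one rule matches %d syscalls; %d *at counterparts unmatched\n", n, at_gaps(m, gap));
    return 0;
}
```

Calling build_rule with include_at set to 1 models the same single rule with the counterparts added; the rule count stays at one either way.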