At 6:09 AM -0800 3/2/07, Steve G wrote:
>> It's one rule:
>>
>>     rc |= audit_rule_syscallbyname_data(audit_rule, "open");
>>     rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
>>     rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
>>     rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
>>     rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");
>
>I think you are missing some events. I added a feature to autrace to help with
>threat modeling. (The idea is to run your program with autrace -r, exercise it,
>extract audit data, and feed that to a UML diagrammer.) I would suggest using
>code similar to the threat model:
>
>     rc |= audit_rule_syscallbyname_data(rule, "open");
>     rc |= audit_rule_syscallbyname_data(rule, "creat");
>     rc |= audit_rule_syscallbyname_data(rule, "truncate");
>     rc |= audit_rule_syscallbyname_data(rule, "rename");
>     rc |= audit_rule_syscallbyname_data(rule, "unlink");
>     rc |= audit_rule_syscallbyname_data(rule, "mknod");
>     rc |= audit_rule_syscallbyname_data(rule, "mkdir");
>     rc |= audit_rule_syscallbyname_data(rule, "rmdir");
>     rc |= audit_rule_syscallbyname_data(rule, "chdir");
>     rc |= audit_rule_syscallbyname_data(rule, "chown");
>     rc |= audit_rule_syscallbyname_data(rule, "lchown");
>     rc |= audit_rule_syscallbyname_data(rule, "chmod");
>     rc |= audit_rule_syscallbyname_data(rule, "link");
>     rc |= audit_rule_syscallbyname_data(rule, "symlink");
>     rc |= audit_rule_syscallbyname_data(rule, "readlink");
>     rc |= audit_rule_syscallbyname_data(rule, "execve");
>     rc |= audit_rule_syscallbyname_data(rule, "connect");
>     rc |= audit_rule_syscallbyname_data(rule, "bind");
>     rc |= audit_rule_syscallbyname_data(rule, "accept");
>     rc |= audit_rule_syscallbyname_data(rule, "sendto");
>     rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
>     rc |= audit_rule_syscallbyname_data(rule, "sendfile");
>
>which admittedly does not contain the *at syscalls. The threat model is so
>that you can see all the boundaries/resources that your apps are using.
>You could turn off the networking, mknod, & mkdir if you like.

...

Probably none of the added syscalls refer to files that are being read from?
I suppose readahead could cache the inodes, but I don't think it is doing any
of that now. I don't think that even 'creat' or 'truncate' make sense. Is there
a way to tell if a file is opened for reading from the message? Only files that
are read from should be readahead.

-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      '                              <http://www.georgeanelson.com/>

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
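The question raised at the end of the thread (can the audit message tell you whether a file was opened for reading?) can be answered from the SYSCALL record itself: the kernel logs the raw syscall arguments as bare hex in a0..a3, and for open(2) the flags are a1, for openat(2) they are a2, so the O_ACCMODE bits are recoverable after the fact. The following is an added example written for this page, not code from the thread, from readahead or from libaudit; it deliberately avoids libaudit so it compiles anywhere. The arch values and syscall numbers are assumed for x86_64 (arch=c000003e: open=2, openat=257) and i386 (arch=40000003: open=5, openat=295), and the audit records at the bottom are constructed samples trimmed to the fields the parser needs.

```c
/* Decide from an audit SYSCALL record whether a file was opened for reading.
 * Added example (not from the thread or libaudit); no libaudit dependency.
 * Arch values and syscall numbers below are assumed for x86_64 and i386. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux open(2) access-mode bits, identical on x86_64 and i386. */
#define ACC_RDONLY 0
#define ACC_WRONLY 1
#define ACC_RDWR   2
#define ACC_MASK   3

/* Copy the value of a "key=value" field from an audit record into out.
 * The key must start the record or follow a space, so "a1" never matches
 * inside a hex argument value. Returns 1 if found, 0 otherwise. */
static int audit_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " \n");   /* value ends at next space */
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Return the O_ACCMODE bits (0, 1 or 2) of an open()/openat() record, or -1
 * if the record is not an open on a recognised arch. Audit logs arguments as
 * bare hex (e.g. "a2=241" means 0x241), hence strtoul(..., 16). */
int open_access_mode(const char *rec)
{
    char arch[16], sc[16], flags[32];
    const char *flag_field = NULL;
    unsigned long nr;

    if (!audit_field(rec, "arch", arch, sizeof arch) ||
        !audit_field(rec, "syscall", sc, sizeof sc))
        return -1;
    nr = strtoul(sc, NULL, 10);

    if (strcmp(arch, "c000003e") == 0) {          /* x86_64 (assumed) */
        if (nr == 2)   flag_field = "a1";          /* open:   flags in a1 */
        if (nr == 257) flag_field = "a2";          /* openat: flags in a2 */
    } else if (strcmp(arch, "40000003") == 0) {   /* i386 (assumed)   */
        if (nr == 5)   flag_field = "a1";
        if (nr == 295) flag_field = "a2";
    }
    if (flag_field == NULL || !audit_field(rec, flag_field, flags, sizeof flags))
        return -1;
    return (int)(strtoul(flags, NULL, 16) & ACC_MASK);
}

/* 1 if the record is a successful open for reading (O_RDONLY or O_RDWR),
 * i.e. a file that readahead could usefully care about; 0 otherwise.
 * A failed open (success=no) read nothing, so it is excluded too. */
int opened_for_reading(const char *rec)
{
    char ok[8];
    int mode = open_access_mode(rec);

    if (mode < 0 || mode == ACC_WRONLY)
        return 0;
    return audit_field(rec, "success", ok, sizeof ok) && strcmp(ok, "yes") == 0;
}

/* Constructed sample records, trimmed to the fields used above. */
static const char *const samples[] = {
    /* x86_64 open, O_RDONLY, succeeded */
    "type=SYSCALL msg=audit(1172845000.101:1): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5fbff7a0 a1=0 a2=0 comm=\"cat\"",
    /* x86_64 openat, O_WRONLY|O_CREAT|O_TRUNC (0x241): a write, not a read */
    "type=SYSCALL msg=audit(1172845000.102:2): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7fff5fbff7b0 a2=241 a3=1b6 comm=\"tee\"",
    /* x86_64 open, O_RDWR: counts as opened for reading */
    "type=SYSCALL msg=audit(1172845000.103:3): arch=c000003e syscall=2 success=yes exit=5 a0=7fff5fbff7c0 a1=2 a2=0 comm=\"vi\"",
    /* i386 open, O_RDONLY */
    "type=SYSCALL msg=audit(1172845000.104:4): arch=40000003 syscall=5 success=yes exit=3 a0=bffff7a0 a1=0 a2=0 comm=\"less\"",
    /* x86_64 execve: not an open at all */
    "type=SYSCALL msg=audit(1172845000.105:5): arch=c000003e syscall=59 success=yes exit=0 a0=7fff5fbff7d0 a1=7fff5fbff7e0 a2=7fff5fbff7f0 comm=\"sh\"",
    /* x86_64 open, O_RDONLY, but it failed (ENOENT) */
    "type=SYSCALL msg=audit(1172845000.106:6): arch=c000003e syscall=2 success=no exit=-2 a0=7fff5fbff7a0 a1=0 a2=0 comm=\"cat\"",
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("record %zu: accmode=%d read=%d\n", i + 1,
               open_access_mode(samples[i]), opened_for_reading(samples[i]));
    return 0;
}
```

This is filtering at consumption time rather than in the rule: the rule still has to match the open/openat syscalls, but the read-vs-write decision is made when the records are parsed, which also sidesteps the question of whether creat or truncate belong in the rule at all.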