announce: readahead-1.4
Steve G
linux_4ever at yahoo.com
Fri Mar 2 14:09:38 UTC 2007
> It's one rule:
>
> rc |= audit_rule_syscallbyname_data(audit_rule, "open");
> rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
> rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
> rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
> rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");
I think you are missing some events. I added a feature to autrace to help with
threat modeling. (The idea is to run your program with autrace -r, exercise it,
extract the audit data, and feed that to a UML diagrammer.) I would suggest using code
similar to the threat model:
rc |= audit_rule_syscallbyname_data(rule, "open");
rc |= audit_rule_syscallbyname_data(rule, "creat");
rc |= audit_rule_syscallbyname_data(rule, "truncate");
rc |= audit_rule_syscallbyname_data(rule, "rename");
rc |= audit_rule_syscallbyname_data(rule, "unlink");
rc |= audit_rule_syscallbyname_data(rule, "mknod");
rc |= audit_rule_syscallbyname_data(rule, "mkdir");
rc |= audit_rule_syscallbyname_data(rule, "rmdir");
rc |= audit_rule_syscallbyname_data(rule, "chdir");
rc |= audit_rule_syscallbyname_data(rule, "chown");
rc |= audit_rule_syscallbyname_data(rule, "lchown");
rc |= audit_rule_syscallbyname_data(rule, "chmod");
rc |= audit_rule_syscallbyname_data(rule, "link");
rc |= audit_rule_syscallbyname_data(rule, "symlink");
rc |= audit_rule_syscallbyname_data(rule, "readlink");
rc |= audit_rule_syscallbyname_data(rule, "execve");
rc |= audit_rule_syscallbyname_data(rule, "connect");
rc |= audit_rule_syscallbyname_data(rule, "bind");
rc |= audit_rule_syscallbyname_data(rule, "accept");
rc |= audit_rule_syscallbyname_data(rule, "sendto");
rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
rc |= audit_rule_syscallbyname_data(rule, "sendfile");
which admittedly does not contain the *at syscalls. The threat model is so that
you can see all the boundaries/resources that your apps are using. You could turn
off the networking, mknod, & mkdir if you like.
> I'll try to check it and prepare some numbers. Maybe it's really so
> fast. No clue now.
1 rule is not a big deal.
-Steve
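The workflow Steve describes (record the syscalls in the rule above, exercise the program, then pull the touched files and socket endpoints out of the audit trail) is shown below as an added example; it is not code from the message, from readahead or from the audit package. It prints the auditctl(8) command line equivalent to the libaudit rule, and extracts the boundary resources from a handful of constructed audit records. The sample records, the key name "threatmodel" and the small x86_64 syscall-number table are assumptions made for the example; a real tool would resolve numbers with ausyscall(8) or audit_syscall_to_name() for the running kernel.

```python
import re
from collections import defaultdict

# Syscalls from the threat-model rule in the message above.
THREAT_MODEL_SYSCALLS = [
    "open", "creat", "truncate", "rename", "unlink", "mknod", "mkdir", "rmdir",
    "chdir", "chown", "lchown", "chmod", "link", "symlink", "readlink", "execve",
    "connect", "bind", "accept", "sendto", "recvfrom", "sendfile",
]

# syscall number -> name for arch=c000003e (x86_64). Assumption: only the
# numbers needed by the constructed sample are listed here.
X86_64_SYSCALLS = {2: "open", 42: "connect", 49: "bind", 59: "execve",
                   76: "truncate", 82: "rename", 85: "creat", 87: "unlink"}


def auditctl_rule(syscalls, key="threatmodel"):
    """auditctl(8) command line equivalent to the libaudit rule in the message."""
    args = ["auditctl", "-a", "exit,always", "-F", "arch=b64"]
    for name in syscalls:
        args += ["-S", name]
    args += ["-k", key]
    return " ".join(args)


_EVENT = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, event serial, {field: value})."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(body)}
    return rtype, int(serial), fields


def decode_saddr(hexstr):
    """Decode an AF_INET sockaddr from a SOCKADDR record's saddr= hex field."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")
    if family != 2 or len(raw) < 8:
        return "af=%d" % family
    port = int.from_bytes(raw[2:4], "big")          # sin_port is big-endian
    ip = ".".join(str(b) for b in raw[4:8])
    return "%s:%d" % (ip, port)


def extract_boundaries(lines):
    """Group every PATH name and SOCKADDR endpoint under the syscall that used it.

    Records sharing an event serial belong to one syscall; the SYSCALL record
    names the call, the PATH/SOCKADDR records name the resource crossed.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[1]].append(rec)
    boundaries = defaultdict(set)
    for recs in events.values():
        syscall = next((r for r in recs if r[0] == "SYSCALL"), None)
        if syscall is None:
            continue
        num = syscall[2]["syscall"]
        name = X86_64_SYSCALLS.get(int(num), "syscall#" + num)
        for rtype, _serial, f in recs:
            if rtype == "PATH" and "name" in f:
                boundaries[name].add(f["name"])
            elif rtype == "SOCKADDR" and "saddr" in f:
                boundaries[name].add(decode_saddr(f["saddr"]))
    return {k: sorted(v) for k, v in boundaries.items()}


# Constructed sample: three events as autrace/auditd would log them for a
# program that execs itself, opens a config file and tries one TCP connect.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1172844578.101:1001): arch=c000003e syscall=59 success=yes exit=0 comm="readahead" exe="/sbin/readahead" key="threatmodel"
type=PATH msg=audit(1172844578.101:1001): item=0 name="/sbin/readahead" inode=12345 dev=08:01 mode=0100755
type=SYSCALL msg=audit(1172844578.102:1002): arch=c000003e syscall=2 success=yes exit=3 comm="readahead" exe="/sbin/readahead" key="threatmodel"
type=PATH msg=audit(1172844578.102:1002): item=0 name="/etc/readahead.d/default.early" inode=67890 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1172844578.103:1003): arch=c000003e syscall=42 success=no exit=-111 comm="readahead" exe="/sbin/readahead" key="threatmodel"
type=SOCKADDR msg=audit(1172844578.103:1003): saddr=02000050C0A80101
"""

if __name__ == "__main__":
    print(auditctl_rule(THREAT_MODEL_SYSCALLS))
    for call, resources in sorted(extract_boundaries(SAMPLE_AUDIT_LOG.splitlines()).items()):
        print("%-8s %s" % (call, ", ".join(resources)))
```

Failed calls (success=no) are kept on purpose: an attempted connect is still a boundary the program reaches for, which is what the threat model wants to expose. On a live system, replace SAMPLE_AUDIT_LOG with the output of ausearch -k threatmodel --raw and extend X86_64_SYSCALLS (or call out to ausyscall) for the full table.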
More information about the fedora-devel-list mailing list