announce: readahead-1.4
Tony Nelson
tonynelson at georgeanelson.com
Fri Mar 2 19:32:43 UTC 2007
At 6:09 AM -0800 3/2/07, Steve G wrote:
>> It's one rule:
>>
>> rc |= audit_rule_syscallbyname_data(audit_rule, "open");
>> rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
>> rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
>> rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
>> rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");
>
>I think you are missing some events. I added a feature to autrace to help with
>threat modeling. (The idea is run your program with autrace -r, exercise it,
>extract audit data, and feed that to UML diagrammer.) I would suggest
>using code similar to the threat model:
>
> rc |= audit_rule_syscallbyname_data(rule, "open");
> rc |= audit_rule_syscallbyname_data(rule, "creat");
> rc |= audit_rule_syscallbyname_data(rule, "truncate");
> rc |= audit_rule_syscallbyname_data(rule, "rename");
> rc |= audit_rule_syscallbyname_data(rule, "unlink");
> rc |= audit_rule_syscallbyname_data(rule, "mknod");
> rc |= audit_rule_syscallbyname_data(rule, "mkdir");
> rc |= audit_rule_syscallbyname_data(rule, "rmdir");
> rc |= audit_rule_syscallbyname_data(rule, "chdir");
> rc |= audit_rule_syscallbyname_data(rule, "chown");
> rc |= audit_rule_syscallbyname_data(rule, "lchown");
> rc |= audit_rule_syscallbyname_data(rule, "chmod");
> rc |= audit_rule_syscallbyname_data(rule, "link");
> rc |= audit_rule_syscallbyname_data(rule, "symlink");
> rc |= audit_rule_syscallbyname_data(rule, "readlink");
> rc |= audit_rule_syscallbyname_data(rule, "execve");
> rc |= audit_rule_syscallbyname_data(rule, "connect");
> rc |= audit_rule_syscallbyname_data(rule, "bind");
> rc |= audit_rule_syscallbyname_data(rule, "accept");
> rc |= audit_rule_syscallbyname_data(rule, "sendto");
> rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
> rc |= audit_rule_syscallbyname_data(rule, "sendfile");
>
>which admittedly does not contain the *at syscalls. The threat model is so
>that you can see all the boundaries/resources that your apps are using.
>You could turn off the networking, mknod, & mkdir if you like.
...
Probably none of the added syscalls refer to files that are being read
from? I suppose readahead could cache the inodes, but I don't think it is
doing any of that now. I don't think that even 'creat' or 'truncate' make
sense.
Is there a way to tell if a file is opened for reading from the message?
Only files that are read from should be readahead.
--
____________________________________________________________________
TonyN.:' <mailto:tonynelson at georgeanelson.com>
' <http://www.georgeanelson.com/>
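Added example (not code from the thread or from readahead) that answers the question above from raw audit records: in the SYSCALL record the flags argument of open (a1) or openat (a2) is printed as bare hex and its low two bits select O_RDONLY, O_WRONLY or O_RDWR, while the PATH record(s) of the same event name the file. It assumes x86_64 syscall numbers, counts only regular files, and runs on constructed sample records.

```python
import re
from collections import defaultdict

O_ACCMODE, O_WRONLY = 0o3, 0o1   # low two bits of open(2) flags select the access mode
FLAGS_ARG = {2: "a1", 257: "a2"}  # x86_64: open=2 (flags in a1), openat=257 (flags in a2)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from the thread). 1001: cat reads /etc/hosts
# (a1=0, O_RDONLY). 1002: sh creates /tmp/out.log write-only (a1=241 hex =
# O_WRONLY|O_CREAT|O_TRUNC; PATH item 0 is the parent directory). 1003: openat
# of /var/lib/db read-write (a2=2). 1004: a failed open that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172864563.101:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=0 a2=0 a3=0 items=1 pid=2001 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1172864563.101:1001): item=0 name="/etc/hosts" inode=1001 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1172864563.102:1002): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5678 a1=241 a2=1b6 a3=0 items=2 pid=2002 comm="sh" exe="/bin/sh"
type=PATH msg=audit(1172864563.102:1002): item=0 name="/tmp" inode=2 dev=08:01 mode=041777
type=PATH msg=audit(1172864563.102:1002): item=1 name="/tmp/out.log" inode=1002 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1172864563.103:1003): arch=c000003e syscall=257 success=yes exit=5 a0=ffffffffffffff9c a1=7fff9abc a2=2 a3=0 items=1 pid=2003 comm="db" exe="/usr/bin/db"
type=PATH msg=audit(1172864563.103:1003): item=0 name="/var/lib/db" inode=1003 dev=08:01 mode=0100600
type=SYSCALL msg=audit(1172864563.104:1004): arch=c000003e syscall=2 success=no exit=-2 a0=7fffdef0 a1=0 a2=0 a3=0 items=1 pid=2004 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1172864563.104:1004): item=0 name="/etc/missing"
"""

def parse_record(line):
    # Fields are key=value pairs; quoted values lose their quotes.  The event
    # serial is the number after the colon in msg=audit(<time>:<serial>):
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = fields["msg"].split(":")[1].rstrip(")")
    return fields

def files_opened_for_reading(log_text):
    """Paths of regular files whose open/openat succeeded with O_RDONLY or
    O_RDWR; write-only opens, failed opens and other syscalls are skipped."""
    events = defaultdict(list)   # serial -> all records of one event
    for rec in map(parse_record, filter(None, log_text.splitlines())):
        events[rec["serial"]].append(rec)
    readable = set()
    for recs in events.values():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if (sysc is None or sysc.get("success") != "yes"
                or int(sysc["syscall"]) not in FLAGS_ARG):
            continue
        flags = int(sysc[FLAGS_ARG[int(sysc["syscall"])]], 16)  # args are bare hex
        if flags & O_ACCMODE == O_WRONLY:
            continue
        for r in recs:  # mode is octal; 0100... marks a regular file (skips parent dirs)
            if r["type"] == "PATH" and r.get("mode", "").startswith("0100"):
                readable.add(r["name"])
    return sorted(readable)

if __name__ == "__main__":
    print(files_opened_for_reading(SAMPLE_LOG))  # ['/etc/hosts', '/var/lib/db']
```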