Message-ID: <r3nd2chjkxc.fsf@perdido.sfo.corp.google.com>
Date:	Sun, 03 Aug 2014 14:57:35 -0700
From:	Peter Moody <pmoody@...gle.com>
To:	Alex Elsayed <eternaleye@...il.com>
Cc:	linux-security-module@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH v2 0/2] RFC, aiding pid/network correlation


On Sat, Aug 02 2014 at 20:41, Alex Elsayed wrote:
> Peter Moody wrote:
>
>> 
>> On Sat, Aug 02 2014 at 19:47, Alex Elsayed wrote:
>>>> #2012/04/08 05:03:03# global-pid=3720 result=allowed priority=100 / read
>>>> path="/tmp/file1" task.pid=3720 task.ppid=3653 task.uid=0 task.gid=0
>>>> task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0
>>>> task.fsgid=0 task.type!=execute_handler task.exe="/bin/cat"
>>>> task.domain="/usr/sbin/sshd" path.uid=0 path.gid=0 path.ino=2113451
>>>> path.major=8 path.minor=1 path.perm=0644 path.type=file
>>>> path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0
>>>> path.parent.ino=2097153 path.parent.major=8 path.parent.minor=1
>>>> path.parent.perm=01777 path.parent.type=directory
>>>> path.parent.fsmagic=0xEF53
>>>
>>> Actually, now that I look at that, you'd need to audit 'domain
>>> transition' events too - since that contains all the relevant PIDs, then
>>> the most recent domain transition with all of the right PIDs is
>>> sufficient to rebuild the tree back to init (recursively)
>> 
>> How are network events logged? The documentation on caitsith.sourceforge
>> is lacking.
>
> It depends on the event - if you look at the per-event docs[1], you'll see 
> the variables it'll log. For instance, inet_stream_bind has 'ip', 'port', 
> and 'task.$attribute' listed (and hyperlinked), so it'll log like this:

Is this all CaitSith-specific? I don't see how to test what you're
describing with TOMOYO.

 Cheers,
 peter
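The task.pid/task.ppid attributes in the audit line quoted above, and the ancestry walk Alex describes (take the most recent event for each PID and follow ppid links back to init), as an added worked example. This is not code from the thread, from CaitSith or from TOMOYO. It parses the "#timestamp# global attrs / operation key=value ..." line shape shown in the quoted read event; the execute and inet_stream_bind lines in the sample are constructed for this example (the page only says inet_stream_bind logs 'ip', 'port' and task.* attributes, so their exact real-world formatting is an assumption), as are the PIDs and executable paths other than the quoted one.

```python
"""Correlate network audit events with process ancestry from CaitSith-style
task.pid/task.ppid attributes.  Added example, not CaitSith or TOMOYO code."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Header shape taken from the quoted line:
#   #<timestamp># <global attrs> / <operation> <key=value ...>
HEADER_RE = re.compile(r"^#(?P<ts>[^#]*)#\s+(?P<prefix>.*?)\s+/\s+(?P<op>\S+)(?P<body>.*)$")
TOKEN_RE = re.compile(r"^(?P<key>[^=!]+)(?P<cmp>!?=)(?P<val>.*)$")


@dataclass
class Event:
    ts: str
    op: str
    attrs: Dict[str, str] = field(default_factory=dict)    # key=value
    negated: Dict[str, str] = field(default_factory=dict)  # key!=value


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str
    domain: str
    ts: str  # timestamp of the event this entry was taken from


def parse_event(line: str) -> Event:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit line: {line!r}")
    ev = Event(ts=m.group("ts"), op=m.group("op"))
    # shlex strips the quotes around values such as path="/tmp/file1"
    for tok in shlex.split(m.group("prefix")) + shlex.split(m.group("body")):
        t = TOKEN_RE.match(tok)
        if not t:
            raise ValueError(f"bad token {tok!r} in {line!r}")
        target = ev.negated if t.group("cmp") == "!=" else ev.attrs
        target[t.group("key")] = t.group("val")
    return ev


def record_task(table: Dict[int, Proc], ev: Event) -> None:
    """Overwrite the entry for task.pid so the table always holds the most
    recent event seen for that PID (the rule that makes PID reuse tolerable)."""
    if "task.pid" not in ev.attrs or "task.ppid" not in ev.attrs:
        return
    pid = int(ev.attrs["task.pid"])
    table[pid] = Proc(pid, int(ev.attrs["task.ppid"]), ev.attrs.get("task.exe", "?"),
                      ev.attrs.get("task.domain", "?"), ev.ts)


def ancestry(table: Dict[int, Proc], pid: int, limit: int = 64) -> Tuple[List[Proc], bool]:
    """Walk pid -> ppid -> ...; returns (chain, reached_init).  Stops on a PID the
    log never recorded (a gap), on a cycle, or at the depth limit."""
    chain, seen = [], set()
    while pid in table and pid not in seen and len(chain) < limit:
        seen.add(pid)
        p = table[pid]
        chain.append(p)
        if p.ppid in (0, 1):
            return chain, True
        pid = p.ppid
    return chain, False


def correlate_network_events(lines: List[str]) -> List[dict]:
    """Single pass: each network event is resolved against the process table as
    it stood at that point in the log, so a PID reused *later* cannot rewrite
    the ancestry of an earlier bind/connect."""
    table: Dict[int, Proc] = {}
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        record_task(table, ev)
        if "ip" in ev.attrs and "port" in ev.attrs:
            chain, complete = ancestry(table, int(ev.attrs["task.pid"]))
            results.append({"op": ev.op, "ip": ev.attrs["ip"], "port": int(ev.attrs["port"]),
                            "chain": [(p.pid, p.exe) for p in chain], "complete": complete})
    return results


# Constructed sample.  Line 2 is the read event quoted in the thread; the execute
# and inet_stream_bind lines are invented here (same task.* naming, but the real
# CaitSith output for those operations is not shown on the page).
SAMPLE_LOG = [
    '#2012/04/08 05:02:50# global-pid=3653 result=allowed priority=100 / execute '
    'path="/usr/sbin/sshd" task.pid=3653 task.ppid=1 task.uid=0 task.exe="/usr/sbin/sshd" '
    'task.domain="/usr/sbin/sshd"',
    '#2012/04/08 05:03:03# global-pid=3720 result=allowed priority=100 / read '
    'path="/tmp/file1" task.pid=3720 task.ppid=3653 task.uid=0 task.gid=0 '
    'task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 '
    'task.type!=execute_handler task.exe="/bin/cat" task.domain="/usr/sbin/sshd" '
    'path.uid=0 path.gid=0 path.ino=2113451 path.major=8 path.minor=1 path.perm=0644 '
    'path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 '
    'path.parent.ino=2097153 path.parent.major=8 path.parent.minor=1 '
    'path.parent.perm=01777 path.parent.type=directory path.parent.fsmagic=0xEF53',
    '#2012/04/08 05:03:10# global-pid=3725 result=allowed priority=100 / inet_stream_bind '
    'ip=0.0.0.0 port=8080 task.pid=3725 task.ppid=3653 task.uid=1000 '
    'task.exe="/usr/bin/python" task.domain="/usr/sbin/sshd"',
]

if __name__ == "__main__":
    for r in correlate_network_events(SAMPLE_LOG):
        print(r["op"], r["ip"], r["port"], " <- ".join(exe for _, exe in r["chain"]),
              "(reached init)" if r["complete"] else "(gap in log)")
```

The single-pass design matters for the "most recent domain transition" rule: resolving each network event as the log is replayed, rather than against a table built from the whole file, keeps a later reuse of an ancestor's PID from being attributed to an earlier connection. A chain that ends with `complete == False` means the log never recorded an event for some ancestor, which is exactly the case where auditing execute/domain-transition events as well, not just file and network operations, is needed to get back to init.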