Collecting system wide provenance on Linux with CamFlow

The CamFlow reporter collects provenance from across the operating system using a Linux kernel with CamFlow enabled.

This reporter is built automatically when SPADE's top-level make command is issued.

Requirements

Before this reporter can be used, CamFlow must be installed, as described here.

To ensure that CamFlow records are sent to a pipe and are in SPADE JSON, edit /etc/camflowd.ini to specify:

[general]
output = fifo
format = spade_json

To ensure vertex endpoints are specified before each edge, edit /etc/camflow.ini to specify:

[compression]
duplicate = true

Restart the CamFlow services:

sudo systemctl enable camconfd.service
sudo systemctl enable camflowd.service

(CamFlow configuration details are here.)

---

Real-time collection

The CamFlow reporter can be started using SPADE's controller:

-> add reporter CamFlow
Adding reporter CamFlow... done

---

Saving the CamFlow records

For debugging purposes, CamFlow records can be saved as a log. To store them in /tmp/camflow.log, edit /etc/camflowd.ini to specify:

[general]
output = log
format = spade_json

[log]
path=/tmp/camflow.log

---

Using a saved log

Instead of collecting CamFlow records from the running system, a previously saved log can be used by specifying it with the inputLog argument.

For example, to read records from the file /tmp/camflow.log, this command can be used to start the reporter in the SPADE controller:

-> add reporter CamFlow inputLog=/tmp/camflow.log
Adding reporter CamFlow... done

The end of CamFlow log processing is reported in SPADE's log (that is stored in log/SPADE_<date>-<time>.log).