System calls underlying CDM events
Ashish Gehani edited this page Mar 21, 2017 · 15 revisions
SPADE's CDM Storage translates the OPM relations produced by the Audit Reporter into CDM events. The table below lists the audited system calls and the CDM event emitted for each.
| System call | CDM event |
|---|---|
| clone() | EVENT_CLONE / EVENT_FORK |
| fork(), vfork() | EVENT_FORK |
| setuid(), setreuid(), setresuid() | EVENT_CHANGE_PRINCIPAL |
| exit(), exit_group() | EVENT_EXIT |
| accept(), accept4() | EVENT_ACCEPT |
| pread64(), read(), readv() | EVENT_READ |
| recvfrom(), recvmsg() | EVENT_RECVMSG |
| chmod(), fchmod(), fchmodat() | EVENT_MODIFY_FILE_ATTRIBUTES |
| connect() | EVENT_CONNECT |
| ftruncate(), truncate() | EVENT_TRUNCATE |
| mprotect() | EVENT_MPROTECT |
| sendto(), sendmsg() | EVENT_SENDMSG |
| unlink(), unlinkat() | EVENT_UNLINK |
| close() | EVENT_CLOSE |
| execve() | EVENT_EXECUTE |
| link(), linkat(), symlink(), symlinkat() | EVENT_LINK |
| mmap() | EVENT_MMAP |
| open(), openat(), creat() | EVENT_OPEN |
| pwrite64(), write(), writev() | EVENT_WRITE |
| rename(), renameat() | EVENT_RENAME |
| bind(), dup(), dup2(), dup3(), mknod(), mknodat(), pipe(), pipe2() | None* |
*Interpretation has indirect effect
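The following is an added example, not SPADE's own code, showing how the mapping above can be applied to Linux audit records: it parses interpreted `type=SYSCALL` lines (the `ausearch -i` style, where `syscall=` carries the call name), looks up the CDM event for each call, and treats the `None*` row as producing no direct event. Two choices are assumptions of this example rather than documented SPADE behaviour: failed calls (`success=no`) are skipped, and the clone() row's EVENT_CLONE / EVENT_FORK split is decided by whether the CLONE_THREAD flag is set in the first argument. The sample log lines are constructed.

```python
import re

# CDM event emitted per audited system call, transcribed from the table on this page.
SYSCALL_TO_CDM = {
    "fork": "EVENT_FORK", "vfork": "EVENT_FORK",
    "setuid": "EVENT_CHANGE_PRINCIPAL", "setreuid": "EVENT_CHANGE_PRINCIPAL",
    "setresuid": "EVENT_CHANGE_PRINCIPAL",
    "exit": "EVENT_EXIT", "exit_group": "EVENT_EXIT",
    "accept": "EVENT_ACCEPT", "accept4": "EVENT_ACCEPT",
    "pread64": "EVENT_READ", "read": "EVENT_READ", "readv": "EVENT_READ",
    "recvfrom": "EVENT_RECVMSG", "recvmsg": "EVENT_RECVMSG",
    "chmod": "EVENT_MODIFY_FILE_ATTRIBUTES", "fchmod": "EVENT_MODIFY_FILE_ATTRIBUTES",
    "fchmodat": "EVENT_MODIFY_FILE_ATTRIBUTES",
    "connect": "EVENT_CONNECT",
    "ftruncate": "EVENT_TRUNCATE", "truncate": "EVENT_TRUNCATE",
    "mprotect": "EVENT_MPROTECT",
    "sendto": "EVENT_SENDMSG", "sendmsg": "EVENT_SENDMSG",
    "unlink": "EVENT_UNLINK", "unlinkat": "EVENT_UNLINK",
    "close": "EVENT_CLOSE",
    "execve": "EVENT_EXECUTE",
    "link": "EVENT_LINK", "linkat": "EVENT_LINK",
    "symlink": "EVENT_LINK", "symlinkat": "EVENT_LINK",
    "mmap": "EVENT_MMAP",
    "open": "EVENT_OPEN", "openat": "EVENT_OPEN", "creat": "EVENT_OPEN",
    "pwrite64": "EVENT_WRITE", "write": "EVENT_WRITE", "writev": "EVENT_WRITE",
    "rename": "EVENT_RENAME", "renameat": "EVENT_RENAME",
}

# The "None*" row: audited because they affect later interpretation (e.g. which
# descriptor a read() refers to), but no CDM event is emitted for them directly.
INDIRECT_ONLY = {"bind", "dup", "dup2", "dup3", "mknod", "mknodat", "pipe", "pipe2"}

# CLONE_THREAD from <linux/sched.h>; used here (example assumption, not SPADE's
# documented rule) to separate thread creation from process creation.
CLONE_THREAD = 0x00010000

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one key=value audit record into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def cdm_event_for(record):
    """Return the CDM event name for a SYSCALL record, or None when none is emitted."""
    if record.get("type") != "SYSCALL":
        return None
    if record.get("success") != "yes":  # example assumption: failed calls yield nothing
        return None
    name = record.get("syscall")
    if name == "clone":
        flags = int(record.get("a0", "0"), 16)  # audit logs a0..a3 in hex
        return "EVENT_CLONE" if flags & CLONE_THREAD else "EVENT_FORK"
    if name in INDIRECT_ONLY:
        return None
    return SYSCALL_TO_CDM.get(name)


def translate(lines):
    """Map every SYSCALL record to (syscall name, CDM event or None), in order."""
    records = (parse_audit_record(line) for line in lines)
    return [(r["syscall"], cdm_event_for(r)) for r in records if r.get("type") == "SYSCALL"]


# Constructed sample records in interpreted (ausearch -i) form; not a real capture.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1490000000.101:1) arch=x86_64 syscall=clone success=yes exit=4312 '
    'a0=1200011 a1=0 a2=0 a3=0 pid=4300 uid=1000 exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1490000000.102:2) arch=x86_64 syscall=clone success=yes exit=4313 '
    'a0=3d0f00 a1=7f0 a2=7f1 a3=7f2 pid=4312 uid=1000 exe="/usr/bin/python3"',
    'type=SYSCALL msg=audit(1490000000.103:3) arch=x86_64 syscall=execve success=yes exit=0 '
    'a0=5 a1=6 a2=7 a3=0 pid=4312 uid=1000 exe="/usr/bin/curl"',
    'type=SYSCALL msg=audit(1490000000.104:4) arch=x86_64 syscall=setuid success=yes exit=0 '
    'a0=0 a1=0 a2=0 a3=0 pid=4312 uid=1000 exe="/usr/bin/sudo"',
    'type=SYSCALL msg=audit(1490000000.105:5) arch=x86_64 syscall=dup2 success=yes exit=1 '
    'a0=3 a1=1 a2=0 a3=0 pid=4312 uid=1000 exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1490000000.106:6) arch=x86_64 syscall=openat success=no exit=-13 '
    'a0=ffffff9c a1=8 a2=0 a3=0 pid=4312 uid=1000 exe="/usr/bin/cat"',
    'type=PATH msg=audit(1490000000.106:6) item=0 name="/etc/shadow" inode=1234',
]

if __name__ == "__main__":
    for name, event in translate(SAMPLE_LOG):
        print(f"{name:10s} -> {event}")
```

The first clone() (flags without CLONE_THREAD, as glibc's fork() issues it) maps to EVENT_FORK and the second (a thread-creation flag set) to EVENT_CLONE; dup2() yields no event despite being audited, and the failed openat() is dropped. For a detection engineer the practical use of the table is the reverse direction: if a CDM event type matters to a query, the corresponding rows say which audit rules must be enabled for the Audit Reporter to see it.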
This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.