Audit provenance
The Audit reporter transforms records into an Open Provenance Model (OPM) representation.
The table below outlines the key-value annotations that decorate the OPM elements generated.
| OPM element | Annotation Key | Annotation Value's semantics | Annotation Value's type | Presence |
|---|---|---|---|---|
| Agent | | | | |
| | uid | operating system identifier of user that ran the program | unsigned integer | required |
| | euid | operating system identifier of effective user of program | unsigned integer | required |
| | gid | operating system identifier of user's group when they ran the program | unsigned integer | required |
| | egid | operating system identifier of effective group of program | unsigned integer | required |
| | suid | saved identifier when program's effective user has changed | unsigned integer | optional |
| | sgid | saved identifier when program's effective group has changed | unsigned integer | optional |
| | fsuid | program's user identifier for filesystem access checks | unsigned integer | optional |
| | fsgid | program's group identifier for filesystem access checks | unsigned integer | optional |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem | string (as enumerated) | required |
| Process | | | | |
| | name | command used to invoke program | string | optional |
| | pid | operating system process identifier | integer | required |
| | ppid | parent's process identifier | integer | required |
| | cwd | only for process from operation execve, current working directory of user (in the shell when they ran the program) | string | optional |
| | command line | only for process from operation execve, program name and arguments provided | string | optional |
| | start time | if known, when the process started (in Unix time) | floating point | optional |
| | unit | only if BEEP used, unique identifier of unit (with 0 denoting the non-unit part of the process) | long integer | optional |
| | count | only if BEEP used and unit≠0, number of times entire unit loop ran previously | long integer | optional |
| | iteration | only if BEEP used and unit≠0, number of times count instance of unit loop has iterated | long integer | optional |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem<br>beep - if information came from BEEP | string (as enumerated) | required |
| Artifact | | | | |
| | path | only for artifact types file, named pipe, and unix socket, location in the local filesystem | string | optional |
| | memory address | only for artifact type memory, location in memory | integer (in hexadecimal) | optional |
| | source address | only for artifact type network socket, host from which connection originates | dotted octet | optional |
| | source port | only for artifact type network socket, connection port used at originating host | unsigned short integer | optional |
| | destination address | only for artifact type network socket, host at which connection terminates | dotted octet | optional |
| | destination port | only for artifact type network socket, connection port used at terminating host | unsigned short integer | optional |
| | version | only for artifact types file, named pipe, unnamed pipe, memory, unix socket, and unknown, how many times it has been written | integer | optional |
| | epoch | only for artifact types file, named pipe, unnamed pipe, unix socket, network socket, and unknown, how many times it has been created | integer | optional |
| | subtype | can be one of:<br>file - for filesystem entities<br>network socket - for network flows<br>memory - for memory addresses<br>unix socket, named pipe, and unnamed pipe - for inter-process flow<br>unknown - underlying artifact can be of type file, network socket, unix socket, unnamed pipe, or named pipe | string (as enumerated) | required |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem<br>beep - if information came from BEEP | string (as enumerated) | required |
| | size | only for artifact type memory, length of allocated memory | hexadecimal integer | optional |
| | pid | only for artifact types memory, unnamed pipe, unknown, and pipe, process that created the artifact | integer | optional |
| | fd | only for artifact type unknown, the file descriptor on which the IO call happened | integer | optional |
| | read fd | only for artifact type unnamed pipe, the read file descriptor of the pipe | integer | optional |
| | write fd | only for artifact type unnamed pipe, the write file descriptor of the pipe | integer | optional |
| WasControlledBy | | | | |
| | time | if known, when the event occurred (in Unix time) | floating point | optional |
| | event id | if source is /dev/audit, underlying event's identifier | unsigned integer | optional |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem | string (as enumerated) | required |
| WasTriggeredBy | | | | |
| | operation | can be one of:<br>fork - another independent process was created<br>clone - another process created with shared state<br>execve - child process replaced parent<br>unknown - underlying operation can be of type fork, clone, or execve<br>setuid - process ownership changed<br>unit - creation of a BEEP unit (by a program loop) | string (as enumerated) | optional |
| | time | if known, when the event occurred (in Unix time) | floating point | optional |
| | event id | if source is /dev/audit, underlying event's identifier | unsigned integer | optional |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem<br>beep - if information came from BEEP | string (as enumerated) | required |
| WasGeneratedBy | | | | |
| | operation | can be one of:<br>create - file was created<br>open - file was opened for writing<br>write - data was transferred to memory, file, or network<br>send - data was transferred from process to network<br>connect - outgoing network connection was established<br>truncate - data at end of file was removed<br>rename (write) - to new file, after renaming<br>link (write) - to new file, after linking<br>mmap (write) - to mapped memory<br>chmod - changed file permissions<br>mprotect - changed memory protection | string (as enumerated) | required |
| | time | if known, when the event occurred (in Unix time) | floating point | required |
| | event id | if source is /dev/audit, underlying event's identifier | unsigned integer | required |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem<br>beep - if information came from BEEP | string (as enumerated) | required |
| | size | only for operations write and send, number of bytes transferred | long integer | optional |
| | mode | only for operations chmod, open and create, permissions applied to file | integer (in octal) | optional |
| | protection | only for operation mprotect, permissions set for memory location | hexadecimal integer | optional |
| Used | | | | |
| | operation | can be one of:<br>open - file was opened for reading<br>read - data was transferred from memory, file, or network<br>recv - data was transferred from network to process<br>accept - incoming network connection was established<br>rename (read) - from original file, before renaming<br>link (read) - from original file, before linking<br>mmap (read) - from mapped file<br>load - dynamic library loaded | string (as enumerated) | required |
| | time | if known, when the event occurred (in Unix time) | floating point | required |
| | event id | if source is /dev/audit, underlying event's identifier | unsigned integer | required |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem<br>beep - if information came from BEEP | string (as enumerated) | required |
| | size | only for operations read and recv, number of bytes transferred | long integer | optional |
| | mode | only for operation open, permissions applied to file | integer (in octal) | optional |
| WasDerivedFrom | | | | |
| | operation | can be one of:<br>update - the artifact has been modified<br>rename - the same artifact has a new name<br>link - a new name can be used to refer to the old artifact<br>mmap - a file has been mapped into memory | string (as enumerated) | required |
| | time | if known, when the event occurred (in Unix time) | floating point | required |
| | event id | if source is /dev/audit, underlying event's identifier | unsigned integer | required |
| | source | can be one of:<br>/dev/audit - if information came from the Linux kernel's Audit subsystem<br>/proc - if information was extracted from Linux's /proc pseudofilesystem<br>beep - if information came from BEEP | string (as enumerated) | required |
| | pid | process that performed the operation | integer | optional |
| | protection | only for operation mmap, permissions set for allocated memory | hexadecimal integer | optional |
NOTE: Though some operation values match system call names, the semantics differ. In particular, the interpretation is provenance-oriented. Multiple system calls may map to a single operation value (such as chmod() and fchmod() both reported as chmod). Some system calls have an indirect effect (such as dup() resulting in a new file descriptor resolving to the old path during read() and write() calls). The mapping of system calls to OPM edges is outlined [here](Linux Audit System Call Events).
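A consumer of this provenance (a query tool or a detection pipeline) needs to check that an element's annotations match the table before relying on them. The following validator is an added example, not SPADE's own code: it encodes the required keys per OPM element, the enumerated `source` and `subtype` values, and the declared value types (annotation values are assumed to arrive as strings), and the sample vertices and edges are constructed.

```python
# Added example: validate Audit-reporter annotations against the table above.
# Annotation values are assumed to be strings, as they are in provenance records.

def _unsigned(v):
    n = int(v, 10)
    if n < 0:
        raise ValueError("must be non-negative")
    return n

# Required annotation keys per OPM element (from the "Presence" column).
REQUIRED = {
    "Agent": {"uid", "euid", "gid", "egid", "source"},
    "Process": {"pid", "ppid", "source"},
    "Artifact": {"subtype", "source"},
    "WasControlledBy": {"source"},
    "WasTriggeredBy": {"source"},
    "WasGeneratedBy": {"operation", "time", "event id", "source"},
    "Used": {"operation", "time", "event id", "source"},
    "WasDerivedFrom": {"operation", "time", "event id", "source"},
}
SOURCES = {"/dev/audit", "/proc", "beep"}
SUBTYPES = {"file", "network socket", "memory", "unix socket",
            "named pipe", "unnamed pipe", "unknown"}
# Parsers enforce the declared value types; a ValueError means a malformed value.
PARSERS = {
    **{k: _unsigned for k in ("uid", "euid", "gid", "egid", "suid", "sgid",
                              "fsuid", "fsgid", "event id")},
    **{k: (lambda v: int(v, 10)) for k in ("pid", "ppid", "version", "epoch",
                                           "fd", "read fd", "write fd")},
    "time": float, "start time": float,
    "mode": lambda v: int(v, 8),              # permissions are octal
    "memory address": lambda v: int(v, 16),   # hexadecimal
    "protection": lambda v: int(v, 16),       # hexadecimal
}

def validate(element, ann):
    """Return a list of problems; an empty list means the annotations match the table."""
    problems = [f"missing required annotation '{k}'"
                for k in sorted(REQUIRED[element] - ann.keys())]
    if ann.get("source", "/dev/audit") not in SOURCES:
        problems.append(f"unknown source '{ann['source']}'")
    if element == "Artifact" and ann.get("subtype", "file") not in SUBTYPES:
        problems.append(f"unknown subtype '{ann['subtype']}'")
    # Artifact size is hexadecimal (memory); on edges it is a decimal byte count.
    size_parser = (lambda v: int(v, 16)) if element == "Artifact" else (lambda v: int(v, 10))
    parsers = dict(PARSERS, size=size_parser)
    for key, value in ann.items():
        if key in parsers:
            try:
                parsers[key](value)
            except ValueError:
                problems.append(f"annotation '{key}' has malformed value '{value}'")
    return problems

# Constructed samples: a well-formed Process vertex and Used edge, and an Agent
# that is missing egid, names an unknown source, and carries a negative uid.
GOOD_PROCESS = {"pid": "4242", "ppid": "1", "name": "bash", "source": "/dev/audit"}
GOOD_USED = {"operation": "open", "time": "1700000000.125", "event id": "987",
             "source": "/dev/audit", "mode": "0644"}
BAD_AGENT = {"uid": "-1", "euid": "0", "gid": "0", "source": "/sys"}
```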
This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.