Audit provenance
The Audit reporter transforms the records it collects (from the Linux kernel's Audit subsystem, the /proc pseudofilesystem, and BEEP) into an Open Provenance Model (OPM) representation.
The table below lists the key-value annotations attached to each kind of OPM element the reporter generates, the meaning and type of each value, and whether the annotation is always present.
| OPM element | Annotation key | Annotation value's semantics | Annotation value's type | Presence |
|---|---|---|---|---|
| Process | name | command used to invoke program | string | required |
| | pid | operating system process identifier | integer | required |
| | ppid | parent's process identifier | integer | required |
| | uid | operating system identifier of user that ran the program | unsigned integer | required |
| | euid | operating system identifier of effective user of program | unsigned integer | required |
| | gid | operating system identifier of user's group when they ran the program | unsigned integer | required |
| | egid | operating system identifier of effective group of program | unsigned integer | required |
| | cwd | only for process from operation execve, current working directory of user (in the shell when they ran the program) | string | optional |
| | commandline | only for process from operation execve, program name and arguments provided | string | optional |
| | start time | if known, when the process started (in Unix time) | floating point | optional |
| | unit | only if BEEP used, unique identifier of unit (with 0 denoting the non-unit part of the process) | long integer | optional |
| | source | can be one of: /dev/audit if information came from the Linux kernel's Audit subsystem; /proc if information was extracted from Linux's /proc pseudofilesystem; beep if information came from BEEP | string (as enumerated) | required |
| Artifact | path | only for artifact types file, pipe, network, and unknown, location in the local filesystem | string | optional |
| | memory address | only for artifact type memory, location in memory | integer (in hexadecimal) | optional |
| | source address | only for artifact type network, host from which connection originates | dotted octet | optional |
| | source port | only for artifact type network, connection port used at originating host | unsigned short integer | optional |
| | destination address | only for artifact type network, host at which connection terminates | dotted octet | optional |
| | destination port | only for artifact type network, connection port used at terminating host | unsigned short integer | optional |
| | version | only for artifact types file, pipe, memory, network, and unknown, how many times it has been written | integer | optional |
| | subtype | can be one of: file for filesystem entities; network for network flows; memory for memory addresses; pipe for inter-process flow; unknown when the underlying artifact can be of type file, network, or pipe | string (as enumerated) | required |
| | source | can be one of: /dev/audit if information came from the Linux kernel's Audit subsystem; /proc if information was extracted from Linux's /proc pseudofilesystem; beep if information came from BEEP | string (as enumerated) | required |
| | size | only for artifact type memory, length of allocated memory | hexadecimal integer | optional |
| | protection | only for artifact type memory, protection on the allocated memory | hexadecimal integer | optional |
| WasTriggeredBy | operation | can be one of: fork when another independent process was created; clone when another process was created with shared state; execve when the child process replaced the parent; setuid when process ownership changed; unit for creation of a BEEP unit (by a program loop); unknown when another process was created but the responsible system call is not known | string (as enumerated) | optional |
| | time | if known, when the event occurred (in Unix time) | floating point | optional |
| | event id | if derived from audit, underlying event's identifier | unsigned integer | optional |
| | source | can be one of: /dev/audit if information came from the Linux kernel's Audit subsystem; /proc if information was extracted from Linux's /proc pseudofilesystem; beep if information came from BEEP | string (as enumerated) | required |
| WasGeneratedBy | operation | can be one of: write when data was transferred to memory, file, or network; send when data was transferred from process to network; connect when an outgoing network connection was established; truncate when data at the end of a file was removed; chmod when the process changed a file's permissions; rename_write to the new file, after renaming; link_write to the new file, after linking; open when a file was opened using a write flag; create when a file was created on open; mprotect when protection on a memory location was changed; mmap_write when a memory location was allocated | string (as enumerated) | required |
| | time | if known, when the event occurred (in Unix time) | floating point | required |
| | event id | if derived from audit, underlying event's identifier | unsigned integer | required |
| | source | can be one of: /dev/audit if information came from the Linux kernel's Audit subsystem; /proc if information was extracted from Linux's /proc pseudofilesystem; beep if information came from BEEP | string (as enumerated) | required |
| | size | only for operations write and send, the number of bytes transferred | long integer | optional |
| | mode | only for operation chmod, the permissions that were applied | integer (in octal) | optional |
| Used | operation | can be one of: read when data was transferred from memory, file, or network; recv when data was transferred from network to process; accept when an incoming network connection was established; rename_read from the original file, before renaming; link_read from the original file, before linking; open when a file was opened using a read flag; mmap_read when a file was read into a memory location; load for a library loaded by a process on execve | string (as enumerated) | required |
| | time | if known, when the event occurred (in Unix time) | floating point | required |
| | event id | if derived from audit, underlying event's identifier | unsigned integer | required |
| | source | can be one of: /dev/audit if information came from the Linux kernel's Audit subsystem; /proc if information was extracted from Linux's /proc pseudofilesystem; beep if information came from BEEP | string (as enumerated) | required |
| | size | only for operations read and recv, the number of bytes transferred | long integer | optional |
| WasDerivedFrom | operation | can be one of: update when the artifact has been modified; rename when the same artifact has a new name; link when a new name can be used to refer to the old artifact; mmap when a file is mapped to a memory location | string (as enumerated) | required |
| | time | if known, when the event occurred (in Unix time) | floating point | required |
| | event id | if derived from audit, underlying event's identifier | unsigned integer | required |
| | source | can be one of: /dev/audit if information came from the Linux kernel's Audit subsystem; /proc if information was extracted from Linux's /proc pseudofilesystem; beep if information came from BEEP | string (as enumerated) | required |
| | pid | process that performed the operation | integer | required |
NOTE: Though some operation values match system call names, the semantics differ: the interpretation is provenance-oriented. Multiple system calls may map to a single operation value (chmod() and fchmod() are both reported as chmod), and some system calls have only an indirect effect (dup() yields a new file descriptor that resolves to the old path during subsequent read() and write() calls). The mapping of system calls to OPM edges is outlined [here](Linux Audit System Call Events).
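The table is effectively a schema, and the conditional rules in it (an annotation that is "only for artifact type memory", a size that is "only for operations write and send") are the ones most often violated by a consumer that assumes every key is always present or meaningful. The following is an added example, not SPADE's own code: it encodes the table in Python and checks one record against it. A record is modelled as an OPM element name plus a dictionary of string-valued annotations; that shape, the helper names, and the sample records are assumptions of the example, not captures from a live system.

```python
import re

# Added example (not SPADE's own code): checks one Audit-reporter record, modelled as
# (OPM element name, {annotation key: string value}), against the table above for
# required keys, value types, enumerations and the "only for ..." conditions that
# can be decided from the record itself.

SOURCES = {"/dev/audit", "/proc", "beep"}
def _int(v): return re.fullmatch(r"-?\d+", v) is not None
def _hex(v): return re.fullmatch(r"(0x)?[0-9a-fA-F]+", v) is not None

def _is_ipv4(v):
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", v)
    return m is not None and all(int(g) <= 255 for g in m.groups())

# Documented value type -> predicate over the annotation's string value.
TYPES = {
    "string": lambda v: True, "integer": _int, "long integer": _int,
    "unsigned integer": str.isdigit,
    "unsigned short integer": lambda v: v.isdigit() and int(v) <= 65535,
    "floating point": lambda v: re.fullmatch(r"-?\d+(\.\d+)?([eE][-+]?\d+)?", v) is not None,
    "hexadecimal integer": _hex, "integer (in hexadecimal)": _hex,
    "integer (in octal)": lambda v: re.fullmatch(r"[0-7]+", v) is not None,
    "dotted octet": _is_ipv4,
}

def _when(field, *values):
    """Applicability test: the annotation is allowed only if `field` is one of `values`."""
    return lambda a: a.get(field) in values

def _edge(required, operations, **extra):
    """Common edge annotations; on WasTriggeredBy only `source` is required."""
    spec = {"operation": ("string", required, operations, None),
            "time": ("floating point", required, None, None),
            "event id": ("unsigned integer", required, None, None),
            "source": ("string", True, SOURCES, None)}
    spec.update(extra)
    return spec

_NET, _MEM = _when("subtype", "network"), _when("subtype", "memory")
# element -> key -> (type, required, allowed values or None, applicability test or None).
# cwd/commandline (execve-only) and unit (BEEP-only) depend on the process's incoming
# WasTriggeredBy edge rather than on the vertex alone, so they are unconditioned here.
SCHEMA = {
    "Process": {
        "name": ("string", True, None, None), "pid": ("integer", True, None, None),
        "ppid": ("integer", True, None, None),
        **{k: ("unsigned integer", True, None, None) for k in ("uid", "euid", "gid", "egid")},
        "cwd": ("string", False, None, None), "commandline": ("string", False, None, None),
        "start time": ("floating point", False, None, None),
        "unit": ("long integer", False, None, None), "source": ("string", True, SOURCES, None),
    },
    "Artifact": {
        "path": ("string", False, None, _when("subtype", "file", "pipe", "network", "unknown")),
        "memory address": ("integer (in hexadecimal)", False, None, _MEM),
        **{f"{d} address": ("dotted octet", False, None, _NET) for d in ("source", "destination")},
        **{f"{d} port": ("unsigned short integer", False, None, _NET) for d in ("source", "destination")},
        "version": ("integer", False, None, _when("subtype", "file", "pipe", "memory", "network", "unknown")),
        "subtype": ("string", True, {"file", "network", "memory", "pipe", "unknown"}, None),
        "source": ("string", True, SOURCES, None),
        "size": ("hexadecimal integer", False, None, _MEM),
        "protection": ("hexadecimal integer", False, None, _MEM),
    },
    "WasTriggeredBy": _edge(False, {"fork", "clone", "execve", "setuid", "unit", "unknown"}),
    "WasGeneratedBy": _edge(True, {"write", "send", "connect", "truncate", "chmod", "rename_write",
                                   "link_write", "open", "create", "mprotect", "mmap_write"},
                            size=("long integer", False, None, _when("operation", "write", "send")),
                            mode=("integer (in octal)", False, None, _when("operation", "chmod"))),
    "Used": _edge(True, {"read", "recv", "accept", "rename_read", "link_read", "open", "mmap_read", "load"},
                  size=("long integer", False, None, _when("operation", "read", "recv"))),
    "WasDerivedFrom": _edge(True, {"update", "rename", "link", "mmap"},
                            pid=("integer", True, None, None)),
}

def validate(element, annotations):
    """Return the violations for one record; an empty list means it conforms."""
    spec = SCHEMA.get(element)
    if spec is None:
        return [f"unknown OPM element {element!r}"]
    problems = [f"{element}: annotation {k!r} is not in the table" for k in annotations if k not in spec]
    for key, (typ, required, allowed, applies) in spec.items():
        if key not in annotations:
            if required:
                problems.append(f"{element}: missing required annotation {key!r}")
            continue
        value = annotations[key]
        if not TYPES[typ](value):
            problems.append(f"{element}: {key!r}={value!r} is not a valid {typ}")
        if allowed is not None and value not in allowed:
            problems.append(f"{element}: {key!r}={value!r} not one of {sorted(allowed)}")
        if applies is not None and not applies(annotations):
            problems.append(f"{element}: {key!r} does not apply to this record")
    return problems

# Constructed sample records in the assumed shape (not real captures).
SAMPLES = [
    ("Process", {"name": "bash", "pid": "1234", "ppid": "1", "uid": "1000", "euid": "1000",
                 "gid": "1000", "egid": "1000", "source": "/dev/audit"}),
    ("Artifact", {"subtype": "network", "source address": "10.0.0.5", "source port": "51234",
                  "destination address": "93.184.216.34", "destination port": "443", "source": "/proc"}),
    ("Artifact", {"subtype": "file", "path": "/etc/passwd", "size": "0x1000", "source": "/dev/audit"}),
    ("WasGeneratedBy", {"operation": "chmod", "mode": "4755", "event id": "77", "source": "/dev/audit"}),
]
```

Running `validate` over `SAMPLES` accepts the first two records and rejects the third (a size annotation on a file artifact) and the fourth (a WasGeneratedBy edge without its required time). The conditions that depend on more than one element, such as cwd and commandline being present only on processes created by execve, need the incoming WasTriggeredBy edge, so a complete check has to walk the graph rather than look at one vertex.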
This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.