Collecting system wide provenance on Linux with CamFlow
The CamFlow reporter collects provenance from across the operating system using a Linux kernel with CamFlow enabled.
This reporter is built automatically when SPADE's top-level make command is issued.
Requirements
Before this reporter can be used, CamFlow must be installed, as described here.
To ensure that CamFlow records are sent to a pipe and are in SPADE JSON, edit /etc/camflowd.ini to specify:
[general]
output = fifo
format = spade_json
To ensure vertex endpoints are specified before each edge, edit /etc/camflow.ini to specify:
[compression]
duplicate = true
Restart the CamFlow services:
sudo systemctl enable camconfd.service
sudo systemctl enable camflowd.service
(CamFlow configuration details are here.)
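A misconfigured camflowd.ini or camflow.ini is the usual reason the reporter starts but no graph appears in SPADE, so a check on the three settings above is worth keeping next to the install steps. The script below is an added example, not part of SPADE or CamFlow; it assumes both files use the plain INI syntax shown on this page (which Python's configparser reads directly) and verifies output/format in camflowd.ini and duplicate in camflow.ini. It also covers the saved-log variant of camflowd.ini described later on this page (output = log with a [log] path).

```python
"""Sanity-check the CamFlow ini settings that the SPADE CamFlow reporter relies on.

Added example; it is not part of SPADE or CamFlow. It assumes the two files the
page names (/etc/camflowd.ini and /etc/camflow.ini) use the plain INI syntax
shown on the page, which Python's configparser reads directly.
"""
import configparser
from typing import List


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None so a '%' inside a path value is not treated as a format token
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def check_camflowd(text: str, expect_log: bool = False) -> List[str]:
    """Return the problems found in camflowd.ini content (empty list means OK).

    expect_log=False checks the real-time setup (output = fifo);
    expect_log=True checks the saved-log setup (output = log plus a [log] path).
    Both require format = spade_json so SPADE can parse the records.
    """
    cfg = _parse(text)
    problems: List[str] = []
    wanted_output = "log" if expect_log else "fifo"
    output = cfg.get("general", "output", fallback=None)
    fmt = cfg.get("general", "format", fallback=None)
    if output != wanted_output:
        problems.append(f"[general] output is {output!r}, expected {wanted_output!r}")
    if fmt != "spade_json":
        problems.append(f"[general] format is {fmt!r}, expected 'spade_json'")
    if expect_log and not cfg.get("log", "path", fallback="").strip():
        problems.append("[log] path is not set, so records have nowhere to go")
    return problems


def check_camflow(text: str) -> List[str]:
    """Return problems in camflow.ini: SPADE needs both vertices emitted before each edge."""
    cfg = _parse(text)
    dup = cfg.get("compression", "duplicate", fallback=None)
    if dup is None or dup.strip().lower() != "true":
        return [f"[compression] duplicate is {dup!r}, expected 'true'"]
    return []


# Constructed sample contents mirroring the page's settings (not real host files).
CAMFLOWD_FIFO = "[general]\noutput = fifo\nformat = spade_json\n"
CAMFLOWD_LOG = "[general]\noutput = log\nformat = spade_json\n[log]\npath=/tmp/camflow.log\n"
# Constructed invalid values, chosen only to be obviously wrong.
CAMFLOWD_BAD = "[general]\noutput = something_else\nformat = not_spade_json\n"
CAMFLOW_OK = "[compression]\nduplicate = true\n"
CAMFLOW_BAD = "[compression]\nduplicate = false\n"


if __name__ == "__main__":
    # On a CamFlow host, check the live files; every printed line is a misconfiguration.
    with open("/etc/camflowd.ini") as fh:
        camflowd_text = fh.read()
    # Accept either the real-time (fifo) or the saved-log (log) configuration.
    log_mode = _parse(camflowd_text).get("general", "output", fallback="") == "log"
    for problem in check_camflowd(camflowd_text, expect_log=log_mode):
        print(f"/etc/camflowd.ini: {problem}")
    with open("/etc/camflow.ini") as fh:
        for problem in check_camflow(fh.read()):
            print(f"/etc/camflow.ini: {problem}")
```

Run it after editing the ini files and before restarting the CamFlow services; silence means the three settings match what the reporter expects. The check is deliberately read-only so it can be run on a production host without touching CamFlow's configuration.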
Real-time collection
The CamFlow reporter can be started using SPADE's controller:
-> add reporter CamFlow
Adding reporter CamFlow... done
Saving the CamFlow records
For debugging purposes, CamFlow records can be saved as a log. To store them in /tmp/camflow.log, edit /etc/camflowd.ini to specify:
[general]
output = log
format = spade_json
[log]
path=/tmp/camflow.log
Using a saved log
Instead of collecting CamFlow records from the running system, a previously saved log can be used by specifying it with the inputLog argument.
For example, to read records from the file /tmp/camflow.log, this command can be used to start the reporter in the SPADE controller:
-> add reporter CamFlow inputLog=/tmp/camflow.log
Adding reporter CamFlow... done
The end of CamFlow log processing is reported in SPADE's log (which is stored in log/SPADE_<date>-<time>.log).