
Collecting system wide provenance on Linux with CamFlow

Ashish Gehani edited this page Oct 18, 2019 · 1 revision

The CamFlow reporter collects provenance from across the operating system using a Linux kernel with CamFlow enabled.

This reporter is built automatically when SPADE's top-level make command is issued.

Requirements

Before this reporter can be used, CamFlow must be installed, as described here.

To ensure that CamFlow records are sent to a pipe and are in SPADE JSON, edit /etc/camflowd.ini to specify:

[general]
output = fifo
format = spade_json

To ensure vertex endpoints are specified before each edge, edit /etc/camflow.ini to specify:

[compression]
duplicate = true

Restart the CamFlow services:

sudo systemctl enable camconfd.service
sudo systemctl enable camflowd.service

(CamFlow configuration details are here.)
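To apply the three settings above from a script rather than editing the files by hand, here is an added example (not code from SPADE or CamFlow); it assumes the ini files use plain `[section]` headers with `key = value` lines, and takes the file paths as parameters so it can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not part of SPADE or CamFlow): apply the ini settings this
# page asks for without rewriting the rest of the file. File paths are
# parameters so it can be run against copies before touching /etc.
set -eu

# set_ini_key FILE SECTION KEY VALUE
# Replaces the first "KEY = ..." line inside [SECTION]; adds the key at the
# end of the section, or appends a new section, when it is not present.
set_ini_key() {
  file=$1; section=$2; key=$3; value=$4
  tmp=$(mktemp)
  awk -v s="$section" -v k="$key" -v v="$value" '
    BEGIN { hdr = "[" s "]"; pat = "^[ \t]*" k "[ \t]*="; in_s = 0; done = 0 }
    /^\[.*\]$/ {                      # a new section starts
      if (in_s && !done) { print k " = " v; done = 1 }
      in_s = ($0 == hdr)
    }
    in_s && !done && $0 ~ pat { print k " = " v; done = 1; next }
    { print }
    END {
      if (!done) {
        if (!in_s) { print ""; print hdr }
        print k " = " v
      }
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ini_key FILE SECTION KEY -> prints the value (empty when unset)
get_ini_key() {
  awk -v s="$2" -v k="$3" '
    BEGIN { hdr = "[" s "]"; pat = "^[ \t]*" k "[ \t]*="; in_s = 0 }
    /^\[.*\]$/ { in_s = ($0 == hdr); next }
    in_s && $0 ~ pat { sub(pat, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
  ' "$1"
}

# The three settings from this page: camflowd writes SPADE JSON to a fifo,
# and camflow emits both endpoint vertices before every edge.
configure_camflow_for_spade() {
  set_ini_key "$1" general output fifo
  set_ini_key "$1" general format spade_json
  set_ini_key "$2" compression duplicate true
}

# Against the real files (then restart camconfd/camflowd as shown above):
#   configure_camflow_for_spade /etc/camflowd.ini /etc/camflow.ini
```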


Real-time collection

The CamFlow reporter can be started using SPADE's controller:

-> add reporter CamFlow
Adding reporter CamFlow... done

Saving the CamFlow records

For debugging purposes, CamFlow records can be saved as a log. To store them in /tmp/camflow.log, edit /etc/camflowd.ini to specify:

[general]
output = log
format = spade_json

[log]
path=/tmp/camflow.log

Using a saved log

Instead of collecting CamFlow records from the running system, a previously saved log can be used by specifying it with the inputLog argument.

For example, to read records from the file /tmp/camflow.log, this command can be used to start the reporter in the SPADE controller:

-> add reporter CamFlow inputLog=/tmp/camflow.log
Adding reporter CamFlow... done

The end of CamFlow log processing is reported in SPADE's own log, which is stored in log/SPADE_<date>-<time>.log.
