Generating CDM

Ashish Gehani edited this page Sep 4, 2018 · 10 revisions

On Ubuntu 14.04, SPADE can be used to generate CDM 19 as follows.
Install Oracle JDK8:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

Install Linux dependencies:

sudo apt-get install git libaudit-dev auditd pkg-config uthash-dev linux-headers-`uname -r`

Download SPADE:

wget https://github.com/ashish-gehani/SPADE/archive/tc-e4.zip
unzip tc-e4.zip
mv SPADE-tc-e4 SPADE

Build SPADE:

cd SPADE
./configure
make

Configure SPADE:

echo 'add storage CDM output=/tmp/audit_cdm.avro' > cfg/spade.client.Control.config
echo 'add reporter Audit fileIO=true netIO=true unixSockets=true versions=false units=true' >> cfg/spade.client.Control.config

Grant the required access:

sudo chmod ug+s `which auditctl`
sudo chmod ug+s `which iptables`
sudo chmod ug+s `which kmod`
sudo chown root lib/spadeAuditBridge
sudo chmod ug+s lib/spadeAuditBridge
sudo sed -i "s/active = no/active = yes/" /etc/audisp/plugins.d/af_unix.conf
sudo service auditd restart

Adjust audit configuration from defaults (for performance):

sudo sed -i "s/-b 320/-b 1000000/" /etc/audit/audit.rules
sudo sed -i "s/freq = 20/freq = 10000/" /etc/audit/auditd.conf
sudo sed -i "s/q_depth = 150/q_depth = 10000/" /etc/audisp/audispd.conf

Start SPADE:

bin/spade start

Run the workload whose activity should be captured.

Stop SPADE:

bin/spade stop

The CDM output, serialized in Avro, will be written to /tmp/audit_cdm.avro (the path given by output= in the storage line of the configuration step).
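The configuration and audit-tuning steps above are plain sed one-liners, which silently do nothing when a file no longer contains the default value being replaced; the setuid bits from the access step are likewise easy to lose on a package upgrade without any error. The following helper script, an added example that is not part of the SPADE wiki or the SPADE project, writes the same two control-client commands, applies the same three audit settings while refusing to proceed when the expected default is absent, and checks that a binary actually carries the setuid bit. File paths default to the ones on the page; the demo at the bottom runs on constructed temporary copies and never touches /etc. Note that `chmod ug+s` on auditctl, iptables and kmod lets any local user who can execute them run them with root privileges, so keep this setup on a dedicated collection host.

```shell
#!/bin/sh
# Added example, not part of the SPADE wiki: helpers that reproduce the
# "Configure SPADE" and "Adjust audit configuration" steps with verification.
# File paths default to the ones on the page; the demo uses temporary copies.

# Write the two SPADE control-client commands to the config file.
# Arguments: config path, optional Avro output path (default as on the page).
write_spade_config() {
    cfg="$1"
    out="${2:-/tmp/audit_cdm.avro}"
    printf 'add storage CDM output=%s\n' "$out" > "$cfg"
    printf 'add reporter Audit fileIO=true netIO=true unixSockets=true versions=false units=true\n' >> "$cfg"
}

# Replace an exact "old" setting with "new" in a file, refusing to proceed when
# "old" is absent. The page's sed one-liners silently do nothing when the
# default value has already been changed; this makes that case visible.
set_audit_value() {
    file="$1"; old="$2"; new="$3"
    if ! grep -q -F -- "$old" "$file"; then
        echo "set_audit_value: '$old' not found in $file, left unchanged" >&2
        return 1
    fi
    # sed without -i for portability; the values used here contain no '/'.
    sed "s/$old/$new/" "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    grep -q -F -- "$new" "$file"
}

# Apply the three performance settings from the page. Arguments override the
# default paths so the function can be exercised on copies.
tune_audit() {
    rules="${1:-/etc/audit/audit.rules}"
    auditd_conf="${2:-/etc/audit/auditd.conf}"
    audispd_conf="${3:-/etc/audisp/audispd.conf}"
    set_audit_value "$rules" "-b 320" "-b 1000000" &&
    set_audit_value "$auditd_conf" "freq = 20" "freq = 10000" &&
    set_audit_value "$audispd_conf" "q_depth = 150" "q_depth = 10000"
}

# Check that a binary from the access step actually carries the setuid bit;
# returns 1 (with a message on stderr) if it does not.
check_setuid() {
    if [ -u "$1" ]; then
        return 0
    fi
    echo "check_setuid: $1 is not setuid" >&2
    return 1
}

# Demonstration on constructed copies of the audit files (never touches /etc).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-D' '-b 320' > "$d/audit.rules"
    printf '%s\n' 'freq = 20' > "$d/auditd.conf"
    printf '%s\n' 'q_depth = 150' > "$d/audispd.conf"
    write_spade_config "$d/spade.client.Control.config"
    tune_audit "$d/audit.rules" "$d/auditd.conf" "$d/audispd.conf" \
        && echo "audit tuning applied to copies in $d"
    # Second run: the defaults are gone, so the helper reports the mismatch
    # instead of silently succeeding as the bare sed commands would.
    tune_audit "$d/audit.rules" "$d/auditd.conf" "$d/audispd.conf" \
        || echo "second run correctly refused to re-apply tuning"
    rm -rf "$d"
}

demo
```

To use the helpers against the real files, source the script and call `write_spade_config cfg/spade.client.Control.config` from the SPADE directory, then `sudo sh -c '. ./helpers.sh; tune_audit'` (the file name is an assumption); `check_setuid "$(which auditctl)"` reports whether the access step is still in effect after an upgrade.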
