System calls underlying CDM events

Hassaan edited this page May 2, 2018 · 9 revisions

SPADE's CDM Storage translates OPM relations from the Audit Reporter into CDM events. The table below summarizes the audited system calls and corresponding CDM events emitted.

| System call | CDM event |
| --- | --- |
| clone() | EVENT_CLONE or EVENT_FORK |
| fork(), vfork() | EVENT_FORK |
| setuid(), setreuid(), setresuid(), setfsuid(), setgid(), setregid(), setresgid(), setfsgid() | EVENT_CHANGE_PRINCIPAL |
| exit(), exit_group() | EVENT_EXIT |
| accept(), accept4() | EVENT_ACCEPT |
| pread(), preadv(), read(), readv() | EVENT_READ |
| recvfrom(), recvmsg() | EVENT_RECVMSG |
| chmod(), fchmod(), fchmodat() | EVENT_MODIFY_FILE_ATTRIBUTES |
| connect() | EVENT_CONNECT |
| ftruncate(), truncate() | EVENT_TRUNCATE |
| mprotect() | EVENT_MPROTECT |
| sendto(), sendmsg() | EVENT_SENDMSG |
| unlink(), unlinkat() | EVENT_UNLINK |
| close() | EVENT_CLOSE |
| execve() | EVENT_EXECUTE and EVENT_LOADLIBRARY |
| link(), linkat(), symlink(), symlinkat() | EVENT_LINK |
| mmap() | EVENT_MMAP |
| open(), openat() | EVENT_OPEN or EVENT_CREATE_OBJECT |
| creat() | EVENT_CREATE_OBJECT |
| pwrite(), pwritev(), write(), writev() | EVENT_WRITE and EVENT_UPDATE |
| rename(), renameat() | EVENT_RENAME |
| tee(), splice(), vmsplice(), init_module(), finit_module() | EVENT_OTHER*** |
| bind(), dup(), dup2(), dup3(), mknod(), mknodat(), pipe(), pipe2(), socket(), fcntl(), socketpair() | None* |
| kill()** | EVENT_UNIT |

*Interpretation has indirect effect.

**Only BEEP events, not signals, are reported.

***No matching event in CDM18.
