Skip to content

System calls underlying CDM events

Jump to bottom
Ashish Gehani edited this page Sep 21, 2021 · 15 revisions

SPADE's CDM Storage translates OPM relations from the Audit Reporter into CDM events. The table below summarizes the audited system calls and corresponding CDM events emitted.

System call CDM event
clone() EVENT_CLONE
or
EVENT_FORK
fork()
vfork()		 EVENT_FORK
setuid()
setreuid()
setresuid()
setfsuid()
setgid()
setregid()
setresgid()
setfsgid()		 EVENT_CHANGE_PRINCIPAL
exit()
exit_group()		 EVENT_EXIT
ptrace() EVENT_MODIFY_PROCESS
accept()
accept4()		 EVENT_ACCEPT
pread()
preadv()
read()
readv()		 EVENT_READ
recvfrom()
recvmsg()		 EVENT_RECVMSG
chmod()
fchmod()
fchmodat()		 EVENT_MODIFY_FILE_ATTRIBUTES
connect() EVENT_CONNECT
ftruncate()
truncate()		 EVENT_TRUNCATE
mprotect() EVENT_MPROTECT
madvise() EVENT_OTHER
sendto()
sendmsg()		 EVENT_SENDMSG
unlink()
unlinkat()		 EVENT_UNLINK
close() EVENT_CLOSE
execve() EVENT_EXECUTE
and
EVENT_LOADLIBRARY
link()
linkat()
symlink()
symlinkat()		 EVENT_LINK
mmap() EVENT_MMAP
open()
openat()		 EVENT_OPEN
or
EVENT_CREATE_OBJECT
creat() EVENT_CREATE_OBJECT
pwrite()
pwritev()
write()
writev()		 EVENT_WRITE
and
EVENT_UPDATE
lseek() EVENT_LSEEK
rename()
renameat()		 EVENT_RENAME
tee() EVENT_TEE
splice() EVENT_SPLICE
vmsplice() EVENT_VMSPLICE
init_module() EVENT_INIT_MODULE
finit_module() EVENT_FINIT_MODULE
kill()* EVENT_UNIT
or
EVENT_SIGNAL
bind()
dup()
dup2()
dup3()
mknod()
mknodat()
pipe()
pipe2()
socket()
fcntl()
socketpair()		 None**

*UBSI signals are translated into unit events.

**Interpretation has indirect effect.

This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Clone this wiki locally