From: Alex Elsayed <eternaleye@gmail.com>
To: linux-security-module@vger.kernel.org
Cc: netdev@vger.kernel.org
Subject: Re: [PATCH v2 0/2] RFC, aiding pid/network correlation
Date: Fri, 01 Aug 2014 21:55:27 -0700
Message-ID: <lrhr02$ncj$1@ger.gmane.org>
In-Reply-To: r3noaw4m8g6.fsf@perdido.sfo.corp.google.com
Peter Moody wrote:
<snip>
> One thing that Hone does which snet doesn't seem to do (apologies if
> this is incorrect but I can't test) is that it provides a full process
> tree for a given pid back to init. When doing an investigation into a
> system compromise, knowing what started the process making the
> suspicious connection(s) (and what started *that* process) is often just
> as important as knowing that there's a compromise to begin with.
Out of curiosity, have you looked at Tomoyo much at all? In particular, it:
1.) Keeps a tree all the way back to init
2.) Has network event hooks (see footnote [1])
3.) Has an interactive API for managing policy violations (tomoyo-queryd[2] uses it)
4.) Is in mainline already.
The combination is actually sufficient to implement what you want for Hone
_today_ as far as I can tell, and there's even the out-of-tree AKARI variant
if you want to use it together with another LSM.
There's also Caitsith[3] (also from Tetsuo Handa), which might be even
better suited but is not in mainline yet.
[1] It has these hooks for inet sockets, and similar for unix:
network inet stream bind $ADDRESS $PORT
network inet stream listen $ADDRESS $PORT
network inet stream connect $ADDRESS $PORT
network inet dgram bind $ADDRESS $PORT
network inet dgram send $ADDRESS $PORT
network inet raw bind $ADDRESS $PROTOCOL
network inet raw send $ADDRESS $PROTOCOL
See http://tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet
[2] http://tomoyo.sourceforge.jp/2.5/man-pages/tomoyo-queryd.html.en
[3] http://caitsith.sourceforge.jp/
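The reply above points at two Tomoyo properties that together give the pid/network correlation Peter is after: a Tomoyo domain name is literally the exec chain back to the kernel (for example `<kernel> /usr/sbin/sshd /bin/bash`), and the `network inet` rules listed in footnote [1] hang off that domain. The following Python is an added illustration written for this page, not code from Tomoyo, Hone or any of the thread's participants. It parses a small constructed domain-policy fragment in the documented `network inet <stream|dgram|raw> <op> <addr> <port|proto>` shape (single addresses and `lo-hi` ranges; `@group` references are left out) and answers, for a given socket action, which exec chains are permitted to perform it. The sample domains, profile numbers and addresses are made up.

```python
"""Parse a TOMOYO-style domain policy and relate network rules to exec chains.

The policy text below is constructed for this example; the domain-name and
``network inet`` syntax follow the Tomoyo 2.5 domain-policy specification.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample: three domains, each naming its full exec ancestry.
SAMPLE_POLICY = """\
<kernel> /usr/sbin/sshd
use_profile 3
network inet stream bind 0.0.0.0 22
network inet stream listen 0.0.0.0 22

<kernel> /usr/sbin/sshd /bin/bash
use_profile 3
network inet stream connect 10.0.0.0-10.255.255.255 22

<kernel> /usr/sbin/sshd /bin/bash /usr/bin/curl
use_profile 3
network inet stream connect 203.0.113.10 443
"""


@dataclass
class NetRule:
    sock_type: str  # stream | dgram | raw
    op: str         # bind | listen | connect | send
    addr: str       # single address or "lo-hi" range
    port: str       # single port/protocol number or "lo-hi" range


@dataclass
class Domain:
    name: str
    rules: list = field(default_factory=list)

    @property
    def exec_chain(self):
        """Program paths from the first exec after <kernel> down to this process."""
        return self.name.split()[1:]


def parse_policy(text):
    """Return {domain name: Domain}, keeping only the network inet rules."""
    domains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = Domain(line)
            domains[line] = current
        elif current is not None and line.startswith("network inet "):
            parts = line.split()
            if len(parts) != 6:
                raise ValueError(f"unexpected rule shape: {line!r}")
            current.rules.append(NetRule(parts[2], parts[3], parts[4], parts[5]))
    return domains


def _addr_matches(pattern, ip):
    ip = ipaddress.ip_address(ip)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p) for p in pattern.split("-", 1))
        return lo <= ip <= hi
    return ip == ipaddress.ip_address(pattern)


def _num_matches(pattern, value):
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value


def domains_allowing(domains, sock_type, op, ip, port):
    """Exec chains whose policy permits <sock_type> <op> to ip:port."""
    hits = []
    for dom in domains.values():
        for rule in dom.rules:
            if (rule.sock_type == sock_type and rule.op == op
                    and _addr_matches(rule.addr, ip)
                    and _num_matches(rule.port, port)):
                hits.append(dom.exec_chain)
                break
    return hits


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for chain in domains_allowing(policy, "stream", "connect", "203.0.113.10", 443):
        print(" -> ".join(chain))
```

Run against the sample, a connect to 203.0.113.10:443 resolves to the single chain `/usr/sbin/sshd -> /bin/bash -> /usr/bin/curl`, which is exactly the "what started the process, and what started that" view the thread wants; the ancestry is carried in the domain name rather than reconstructed afterwards from pids.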
Thread overview: 19+ messages
2014-08-01 1:21 [PATCH v2 0/2] RFC, aiding pid/network correlation Peter Moody
2014-08-01 1:21 ` [PATCH 1/2] security: create task_post_create callback Peter Moody
2014-08-01 1:21 ` [PATCH 2/2] security: Hone LSM Peter Moody
2014-08-01 12:16 ` [PATCH v2 0/2] RFC, aiding pid/network correlation Samir Bellabes
2014-08-01 17:22 ` Peter Moody
2014-08-02 0:30 ` Samir Bellabes
2014-08-02 15:05 ` Peter Moody
2014-08-02 4:55 ` Alex Elsayed [this message]
2014-08-03 1:34 ` Peter Moody
2014-08-03 1:49 ` Alex Elsayed
2014-08-03 2:19 ` Peter Moody
2014-08-03 2:28 ` Alex Elsayed
2014-08-03 2:38 ` Peter Moody
2014-08-03 2:41 ` Alex Elsayed
2014-08-03 2:47 ` Alex Elsayed
2014-08-03 3:14 ` Peter Moody
2014-08-03 3:41 ` Alex Elsayed
2014-08-03 21:57 ` Peter Moody
2014-08-03 22:18 ` Alex Elsayed