From: Alex Elsayed <eternaleye@gmail.com>
To: linux-security-module@vger.kernel.org
Cc: netdev@vger.kernel.org
Subject: Re: [PATCH v2 0/2] RFC, aiding pid/network correlation
Date: Fri, 01 Aug 2014 21:55:27 -0700 [thread overview]
Message-ID: <lrhr02$ncj$1@ger.gmane.org> (raw)
In-Reply-To: r3noaw4m8g6.fsf@perdido.sfo.corp.google.com
Peter Moody wrote:
<snip>
> One thing that Hone does which snet doesn't seem to do (apologies if
> this is incorrect but I can't test) is that it provides a full process
> tree for a given pid back to init. When doing an investigation into a
> system compromise, knowing what started the process making the
> suspicious connection(s) (and what started *that* process) is often just
> as important as knowing that there's a compromise to begin with.
Out of curiosity, have you looked at Tomoyo much at all? In particular, it:
1.) Keeps a tree all the way back to init
2.) Has network event hooks (see footnote [1])
3.) Has an interactive API for managing policy violations (tomoyo-queryd[2]
uses it)
4.) Is in mainline already.
The combination is actually sufficient to implement what you want for Hone
_today_ as far as I can tell, and there's even the out-of-tree AKARI variant
if you want to use it together with another LSM.
There's also Caitsith[3] (also from Tetsuo Handa), which might be even
better suited but is not in mainline yet.
[1] It has these hooks for inet sockets, and similar for unix:
network inet stream bind $ADDRESS $PORT
network inet stream listen $ADDRESS $PORT
network inet stream connect $ADDRESS $PORT
network inet dgram bind $ADDRESS $PORT
network inet dgram send $ADDRESS $PORT
network inet raw bind $ADDRESS $PROTOCOL
network inet raw send $ADDRESS $PROTOCOL
See http://tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet
[2] http://tomoyo.sourceforge.jp/2.5/man-pages/tomoyo-queryd.html.en
[3] http://caitsith.sourceforge.jp/
next prev parent reply other threads:[~2014-08-02 4:55 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-01 1:21 [PATCH v2 0/2] RFC, aiding pid/network correlation Peter Moody
2014-08-01 1:21 ` [PATCH 1/2] security: create task_post_create callback Peter Moody
2014-08-01 1:21 ` [PATCH 2/2] security: Hone LSM Peter Moody
2014-08-01 12:16 ` [PATCH v2 0/2] RFC, aiding pid/network correlation Samir Bellabes
2014-08-01 17:22 ` Peter Moody
2014-08-02 0:30 ` Samir Bellabes
2014-08-02 15:05 ` Peter Moody
2014-08-02 4:55 ` Alex Elsayed [this message]
2014-08-03 1:34 ` Peter Moody
2014-08-03 1:49 ` Alex Elsayed
2014-08-03 2:19 ` Peter Moody
2014-08-03 2:28 ` Alex Elsayed
2014-08-03 2:38 ` Peter Moody
2014-08-03 2:41 ` Alex Elsayed
2014-08-03 2:47 ` Alex Elsayed
2014-08-03 3:14 ` Peter Moody
2014-08-03 3:41 ` Alex Elsayed
2014-08-03 21:57 ` Peter Moody
2014-08-03 22:18 ` Alex Elsayed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='lrhr02$ncj$1@ger.gmane.org' \
--to=eternaleye@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).