Tetsuo Handa
from-****@I-lov*****
Wed Dec 8 21:45:19 JST 2010
Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > Do we want keyword matching (e.g. patternize only "file create" entries)
> > (though we can pick them up by
> >
> >   awk ' { if ($1 == "<kernel>" || ($1 == "file" && $2 == "create")) print $0; } '
> >
> > )? If we want keyword matching, syntax similar to ccs-auditd is needed.
>
> Oh right, I understand. I think this could benefit users, especially
> because not all are familiar with awk. However, it depends on how
> complex it is to implement and whether it adds a lot of complexity to
> the workflow. If I understand correctly, keyword matching rules will
> be placed into ccs-patternize configuration file?

Yes if we want to support keyword matching rules.

All data in TOMOYO are guaranteed to consist of plain ASCII printable
characters, with a space (0x20) as a word delimiter and a new line (0x0A) as a
line delimiter. (No worry for multibyte encoding such as Japanese and UTF-8
because non-printable characters are represented using \ooo octal format.)
Therefore, most programs in the ccs-tools package could be implemented as awk
(or perl) scripts. (But ccs-editpolicy and ccs-queryd are too difficult to
implement as awk scripts because they need to deal with the ncurses library.
Also, I'm not familiar with perl.)

OK, let's determine keywords and syntaxes for ccs-auditd and ccs-patternize.
We want to support simple keyword matching rules. Below is just an example.

I think that users want three operators:

  !strcmp(line_or_word, value)
  strstr(line, value) != NULL
  !strncmp(line, value, strlen(value)) && (!line[strlen(value)] || line[strlen(value)] == ' ')

I refer to these operators as ".equals", ".contains", ".starts" respectively.

Regarding ccs-auditd, we have three lines and we can refer to these lines
using three names "header", "domain", "acl" respectively.

  header.contains("granted=yes") write("/dev/null")
  header.contains("granted=no") header.contains("profile=1") write("/var/log/tomoyo/profile001.log")
  header.contains("granted=no") acl[1].equals("file") acl[2].equals("create") write("/var/log/tomoyo/file.create.log")
  header.contains("granted=no") domain.starts("<kernel> /usr/sbin/httpd") write("/var/log/tomoyo/apache.log")
  header.contains("granted=no") domain.equals("<kernel> /usr/sbin/sshd") write("/var/log/tomoyo/sshd.log")

or using multi lines

  header.contains: granted=yes
  write: /dev/null

  header.contains: granted=no
  header.contains: profile=1
  write: /var/log/tomoyo/profile001.log

  header.contains: granted=no
  acl[1].equals: file
  acl[2].equals: create
  write: /var/log/tomoyo/file.create.log

  header.contains: granted=no:
  domain.starts: <kernel> /usr/sbin/httpd
  write: /var/log/tomoyo/apache.log

  header.contains: granted=no:
  domain.equals: <kernel> /usr/sbin/sshd
  write: /var/log/tomoyo/sshd.log

Regarding ccs-patternize, we can use "domain" and "acl" respectively.
(Unlike ccs-auditd, we don't have a header line.)

  domain.starts("<kernel> /usr/sbin/httpd") acl[1].equals("file") convert.path("/var/www/html/\*", "@WWW_CONTENTS")
  convert.path("/etc/mtab~\$", "/etc/mtab~\$")

or using multi lines

  domain.contains: <kernel> /usr/sbin/httpd
  acl[1].starts: file
  convert.path: /var/www/html/\* @WWW_CONTENTS

  convert.path: /etc/mtab~\$ /etc/mtab~\$

If you feel that this kind of keywords and syntaxes (this is a programming
language) is too difficult for users, maybe ccs-patternize should not deal
with keyword matching.

What keywords and syntaxes do you want to use?

Regards.
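As an added illustration of the multi-line rule syntax proposed for ccs-auditd above (example code written for this page, not part of ccs-tools), the following evaluates ".equals", ".contains" and ".starts" conditions on the header, domain and acl lines of an audit record and picks a write destination. It assumes 1-based word indexes for acl[n] (as with awk's $n), first-match semantics between rule blocks, and constructed sample rules and a constructed audit record.

```python
import re

# Condition line: subject, optional 1-based word index (awk-style $n, assumed), operator, value
RULE_RE = re.compile(r"^(header|domain|acl)(?:\[(\d+)\])?\.(equals|contains|starts): ?(.*)$")
OPS = {"equals": lambda s, v: s == v,                    # !strcmp(line_or_word, value)
       "contains": lambda s, v: v in s,                  # strstr(line, value) != NULL
       "starts": lambda s, v: s.startswith(v) and        # strncmp() prefix test that must end
                 (len(s) == len(v) or s[len(v)] == " ")}  # at end-of-line or before a space

def parse_rules(text):
    # Multi-line form: condition lines followed by "write: <path>"; returns [(conds, dest)]
    rules, conds = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if line.startswith("write:"):
            rules.append((conds, line[6:].strip()))
            conds = []
        elif m is None:
            raise ValueError("unparsable rule line: %r" % line)
        else:
            subj, idx, op, value = m.groups()
            conds.append((subj, int(idx) if idx else None, op, value))
    return rules

def matches(record, conds):
    # record = (header, domain, acl) lines of one audit entry
    lines = dict(zip(("header", "domain", "acl"), record))
    for subj, idx, op, value in conds:
        s = lines[subj]
        if idx is not None:                 # acl[n]: test only the n-th word
            words = s.split(" ")
            s = words[idx - 1] if idx <= len(words) else ""
        if not OPS[op](s, value):
            return False
    return True

def route(record, rules):
    # Destination of the first matching rule (first-match semantics assumed), else None
    return next((dest for conds, dest in rules if matches(record, conds)), None)

# Constructed sample: two of the rules from the mail and one made-up denied audit record
RULES = parse_rules("""header.contains: granted=no
acl[1].equals: file
acl[2].equals: create
write: /var/log/tomoyo/file.create.log
header.contains: granted=no
domain.starts: <kernel> /usr/sbin/httpd
write: /var/log/tomoyo/apache.log""")
RECORD = ("#2010/12/08 21:45:19# profile=3 mode=enforcing granted=no",
          "<kernel> /usr/sbin/httpd",
          "file create /var/www/html/upload/x.php 0644")
```

Note that ".starts" rejects "<kernel> /usr/sbin/httpd2" for the pattern "<kernel> /usr/sbin/httpd" because the character after the prefix must be a space or end-of-line, exactly as the strncmp() form above requires.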