
System calls underlying CDM events

Ashish Gehani edited this page Mar 25, 2017 · 15 revisions

SPADE's CDM Storage translates OPM relations from the Audit Reporter into CDM events. The table below summarizes the audited system calls and the corresponding CDM event emitted for each.

| System call | CDM event |
|---|---|
| clone() | EVENT_CLONE / EVENT_FORK |
| fork(), vfork() | EVENT_FORK |
| setuid(), setreuid(), setresuid() | EVENT_CHANGE_PRINCIPAL |
| exit(), exit_group() | EVENT_EXIT |
| accept(), accept4() | EVENT_ACCEPT |
| pread(), preadv(), read(), readv() | EVENT_READ |
| recvfrom(), recvmsg() | EVENT_RECVMSG |
| chmod(), fchmod(), fchmodat() | EVENT_MODIFY_FILE_ATTRIBUTES |
| connect() | EVENT_CONNECT |
| ftruncate(), truncate() | EVENT_TRUNCATE |
| mprotect() | EVENT_MPROTECT |
| sendto(), sendmsg() | EVENT_SENDMSG |
| unlink(), unlinkat() | EVENT_UNLINK |
| close() | EVENT_CLOSE |
| execve() | EVENT_EXECUTE |
| link(), linkat(), symlink(), symlinkat() | EVENT_LINK |
| mmap() | EVENT_MMAP |
| open(), openat(), creat() | EVENT_OPEN |
| pwrite(), pwritev(), write(), writev() | EVENT_WRITE |
| rename(), renameat() | EVENT_RENAME |
| bind(), dup(), dup2(), dup3(), mknod(), mknodat(), pipe(), pipe2(), socket() | None\* |

\*Interpretation has an indirect effect
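As an added illustration (not SPADE's own code), the following applies the table above to a constructed audit record stream and shows why the `None*` calls still matter for interpretation: here `dup2()` emits no CDM event but aliases a descriptor, so a later `write()` on the alias is attributed to the originally opened file. The descriptor tracking and the `clone()` flag test are assumptions about how the indirect effect is resolved, not SPADE's logic.

```python
# Added example, not SPADE's code: maps audited syscalls to the CDM events in
# the table and keeps a per-process fd table for the None* calls. Treating
# dup*() as an fd alias and choosing EVENT_CLONE vs EVENT_FORK by CLONE_THREAD
# are assumptions made for this example.
CLONE_THREAD = 0x10000  # clone(2) flag meaning "new thread, not new process"
EVENT_GROUPS = {
    "EVENT_FORK": ("fork", "vfork"), "EVENT_EXIT": ("exit", "exit_group"),
    "EVENT_CHANGE_PRINCIPAL": ("setuid", "setreuid", "setresuid"),
    "EVENT_ACCEPT": ("accept", "accept4"), "EVENT_CONNECT": ("connect",),
    "EVENT_READ": ("pread", "preadv", "read", "readv"),
    "EVENT_WRITE": ("pwrite", "pwritev", "write", "writev"),
    "EVENT_RECVMSG": ("recvfrom", "recvmsg"), "EVENT_SENDMSG": ("sendto", "sendmsg"),
    "EVENT_MODIFY_FILE_ATTRIBUTES": ("chmod", "fchmod", "fchmodat"),
    "EVENT_TRUNCATE": ("ftruncate", "truncate"), "EVENT_MPROTECT": ("mprotect",),
    "EVENT_UNLINK": ("unlink", "unlinkat"), "EVENT_RENAME": ("rename", "renameat"),
    "EVENT_LINK": ("link", "linkat", "symlink", "symlinkat"),
    "EVENT_OPEN": ("open", "openat", "creat"), "EVENT_CLOSE": ("close",),
    "EVENT_EXECUTE": ("execve",), "EVENT_MMAP": ("mmap",),
}
SYSCALL_TO_EVENT = {s: e for e, ss in EVENT_GROUPS.items() for s in ss}
NO_EVENT = {"bind", "dup", "dup2", "dup3", "mknod", "mknodat", "pipe", "pipe2", "socket"}

def translate(records):
    """Records are dicts with 'pid', 'syscall' and call-specific fields; returns
    (pid, CDM event, artifact) tuples in audit order."""
    fd_table = {}  # (pid, fd) -> artifact: the state the None* calls change
    events = []
    for r in records:
        pid, sc = r["pid"], r["syscall"]
        if sc in ("dup", "dup2", "dup3"):  # None*: alias the descriptor, no event
            fd_table[(pid, r["ret"])] = fd_table.get((pid, r["fd"]))
        elif sc in NO_EVENT:               # other None* calls: no event emitted
            continue
        elif sc == "clone":
            thread = r.get("flags", 0) & CLONE_THREAD
            events.append((pid, "EVENT_CLONE" if thread else "EVENT_FORK", r["child"]))
        elif sc in SYSCALL_TO_EVENT:
            if sc in EVENT_GROUPS["EVENT_OPEN"]:   # open family binds a new fd
                fd_table[(pid, r["ret"])] = r["path"]
            artifact = fd_table.get((pid, r["fd"])) if "fd" in r else r.get("path")
            events.append((pid, SYSCALL_TO_EVENT[sc], artifact))
            if sc == "close":
                fd_table.pop((pid, r["fd"]), None)
    return events

# Constructed audit stream: open a log, dup2 it onto fd 1, write via fd 1, spawn a thread.
SAMPLE = [
    {"pid": 42, "syscall": "open", "path": "/tmp/app.log", "ret": 3},
    {"pid": 42, "syscall": "dup2", "fd": 3, "ret": 1},
    {"pid": 42, "syscall": "write", "fd": 1},
    {"pid": 42, "syscall": "clone", "flags": CLONE_THREAD, "child": 43},
]
```

Running `translate(SAMPLE)` yields an EVENT_OPEN and an EVENT_WRITE both attributed to `/tmp/app.log`, followed by an EVENT_CLONE for pid 43, while the `dup2()` record produces no event of its own.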
