%attr(700,root,root) %{_sbindir}/audit-trail-rules-test
%attr(700,root,root) %{_sbindir}/audit-trail-overhead-test
%{audit_base_dir}/test_module.ko
+
+%package -n audit-trail-sample
+Summary: Sample tools for audit trail demonstration
+Group: Security/Testing
+BuildRequires: pkgconfig(capi-appfw-app-manager)
+BuildRequires: pkgconfig(libtzplatform-config)
+Requires: %{name} = %{version}-%{release}
+
+%description -n audit-trail-sample
+The audit-trail-sample package contains test tools for demonstration
+
+%files -n audit-trail-sample
+%manifest audit-trail.manifest
+%defattr(644,root,root,755)
+%attr(700,root,root) %{_sbindir}/audit-analyzer
#
SET(AUDIT_TRAIL_CLI ${AUDIT_TRAIL_TOOLS}/cli)
SET(AUDIT_TRAIL_TEST ${AUDIT_TRAIL_TOOLS}/tests)
+SET(AUDIT_TRAIL_SAMPLE ${AUDIT_TRAIL_TOOLS}/sample)
ADD_SUBDIRECTORY(${AUDIT_TRAIL_CLI})
ADD_SUBDIRECTORY(${AUDIT_TRAIL_TEST})
+ADD_SUBDIRECTORY(${AUDIT_TRAIL_SAMPLE})
--- /dev/null
+#
+# Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+SET(AUDIT_TRAIL_ANALYZER ${AUDIT_TRAIL_SAMPLE}/analysis)
+
+ADD_SUBDIRECTORY(${AUDIT_TRAIL_ANALYZER})
--- /dev/null
+#
+# Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+SET(TOOL_NAME audit-analyzer)
+SET(TOOL_SRCS
+ main.cpp
+ analyzer.cpp)
+SET(TOOL_CHECKER
+ checker/checker.cpp
+ checker/unix-socket.cpp
+ checker/inet-socket.cpp
+ checker/bruteforce.cpp
+ checker/modify-dac.cpp
+ checker/modify-mac.cpp
+ checker/modify-mac-policy.cpp
+ checker/use-kernel.cpp
+ checker/mount-device.cpp
+ checker/debugging.cpp
+ checker/privilege.cpp
+ checker/modify-host.cpp
+ checker/modify-arp.cpp)
+SET(DEPENDENCY
+ klay
+ capi-appfw-app-manager
+ libtzplatform-config
+ glib-2.0)
+
+ADD_EXECUTABLE(${TOOL_NAME} ${TOOL_SRCS} ${TOOL_CHECKER})
+PKG_CHECK_MODULES(TOOL_DEPS REQUIRED ${DEPENDENCY})
+
+SET_TARGET_PROPERTIES(${TOOL_NAME} PROPERTIES COMPILE_FLAGS "-fPIE")
+SET_TARGET_PROPERTIES(${TOOL_NAME} PROPERTIES LINK_FLAGS "-pie")
+
+INCLUDE_DIRECTORIES(SYSTEM ${TOOL_DEPS_INCLUDE_DIRS} ${AUDIT_TRAIL_LIB})
+TARGET_LINK_LIBRARIES(${TOOL_NAME} ${TOOL_DEPS_LIBRARIES} ${PROJECT_NAME} audit-trail)
+
+INSTALL(TARGETS ${TOOL_NAME} DESTINATION sbin)
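Review bot: `TARGET_LINK_LIBRARIES(${TOOL_NAME} ...)` uses the keyword-less signature and `INCLUDE_DIRECTORIES(SYSTEM ...)` applies the dependency include paths to the whole directory; this directory builds a single target, so both should be target-scoped: `TARGET_INCLUDE_DIRECTORIES(${TOOL_NAME} SYSTEM PRIVATE ${TOOL_DEPS_INCLUDE_DIRS} ${AUDIT_TRAIL_LIB})` and `TARGET_LINK_LIBRARIES(${TOOL_NAME} PRIVATE ${TOOL_DEPS_LIBRARIES} ${PROJECT_NAME} audit-trail)`. The two `SET_TARGET_PROPERTIES` calls hand-roll PIE through `COMPILE_FLAGS`/`LINK_FLAGS`, which silently replaces any flags set earlier on the target; `SET_TARGET_PROPERTIES(${TOOL_NAME} PROPERTIES POSITION_INDEPENDENT_CODE ON)` (with `CheckPIESupported` if the project's minimum CMake allows it) expresses the same hardening for a tool the spec installs mode 700 as root without clobbering other options. `${PROJECT_NAME}` and `audit-trail` are both linked on the same line; if they name the same library one of them is redundant, but the top-level project name is not visible from here.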
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include <iostream> //[TODO]: removed
+#include <unordered_map> //[TODO]: removed
+#include <app_manager.h>
+#include <tzplatform_config.h>
+#include "analyzer.h"
+#include "checker/checker.h"
+
+//TODO : removed
+namespace {
+std::vector<std::string> detectedTag = {
+ "HijackUnixSocket",
+ "BruteforceDMCrypt",
+ "ModifyDAC",
+ "ModifyMAC",
+ "ModifyMACPolicy",
+ "MountDevice",
+ "ModifyLibraries",
+ "UseKernelModule",
+ "AccessPhishingSite",
+ "Debugging",
+ "PrivilegeEscalation",
+ "ModifyHostFile",
+ "ModifyARPTable",
+};
+}
+
+AuditAnalyzer::AuditAnalyzer()
+ : auditTrail(nullptr), callbackId(0)
+{
+}
+
+AuditAnalyzer::~AuditAnalyzer()
+{
+ terminate();
+}
+
+void AuditAnalyzer::run()
+{
+ //start analyzer
+ runMonitor();
+ mainloop.run();
+}
+
+void AuditAnalyzer::terminate()
+{
+ //terminate analyzer
+ ::audit_trail_remove_system_log_cb(auditTrail, callbackId);
+ ::audit_trail_destroy(auditTrail);
+ mainloop.stop();
+}
+
+void AuditAnalyzer::runMonitor()
+{
+ //add callback to get system logs
+ audit_trail_create(&auditTrail);
+ if (auditTrail == nullptr)
+ throw runtime::Exception("Failed to create audit context");
+
+ std::cout << "Add callback to get system logs" << std::endl;
+ if (::audit_trail_add_system_log_cb(auditTrail, auditCallbackDispatcher,
+ reinterpret_cast<void*>(this), &callbackId) != 0)
+ throw runtime::Exception("Failed to add callback to audit-trail");
+}
+
+void AuditAnalyzer::auditCallbackDispatcher(void *log, void *data)
+{
+ AuditAnalyzer *analyzer = nullptr;
+ analyzer = reinterpret_cast<AuditAnalyzer *>(data);
+ analyzer->analysis(reinterpret_cast<SystemLog>(log));
+}
+
+void AuditAnalyzer::analysis(SystemLog log)
+{
+ int type = Attack::Invalid;
+ Log parsedLog = {};
+ parseLog(log, parsedLog);
+
+ for (auto checker : CheckerFactory::list) {
+ type = checker->run(parsedLog);
+ if (type != Attack::Invalid)
+ break;
+ }
+
+ if (type != Attack::Invalid) {
+ char *processName = nullptr;
+ int ret = ::app_manager_get_app_id(parsedLog.pid, &processName);
+ std::unique_ptr<char> scopedPtr(processName);
+
+ if (ret == APP_MANAGER_ERROR_NONE && ret != APP_MANAGER_ERROR_NO_SUCH_APP) {
+ std::cout << "PID :" << parsedLog.pid << " App id : " << std::string(processName) << std::endl;
+ parsedLog.subjectName.clear();
+ parsedLog.subjectName.append(processName);
+ }
+
+ sendNotification(type, parsedLog.subjectName);
+ }
+}
+
+void AuditAnalyzer::parseLog(SystemLog log, Log &ret)
+{
+ std::unique_ptr<char> scopedPtr;
+ char *sbjName = nullptr;
+ char *objName = nullptr;
+
+ //get subject info
+ ::audit_system_log_get_subject_name(log, &sbjName);
+ scopedPtr.reset(sbjName);
+ ret.subjectName.append(sbjName);
+
+ auto pos = ret.subjectName.rfind('/');
+ pos = (pos == std::string::npos) ? 0 : pos + 1;
+ ret.subjectName = ret.subjectName.substr(pos, ret.subjectName.size());
+
+ ::audit_system_log_get_subject_pid(log, &ret.pid);
+
+ //get syscall info
+ if (::audit_system_log_get_action_systemcall(log, &ret.syscall) != 0)
+ throw runtime::Exception("Failed to get syscall number");
+
+ if (::audit_system_log_get_action_arguments(log, &ret.args) != 0)
+ throw runtime::Exception("Failed to get syscall arguments");
+
+ if (::audit_system_log_get_action_exitcode(log, &ret.exitcode) != 0)
+ throw runtime::Exception("Failed to get syscall exit code");
+
+ //get object info
+ if (::audit_system_log_get_object_name(log, &objName) != 0)
+ throw runtime::Exception("Failed to get object name");
+ scopedPtr.reset(objName);
+ ret.objectName.append(objName);
+
+ pos = ret.objectName.rfind('/');
+ if (pos == ret.objectName.size()-1)
+ ret.objectName = ret.objectName.substr(0, pos);
+
+ //[TODO] get dev number
+ ::audit_system_log_get_object_dev(log, &ret.dev);
+
+ //get socket type and address
+ if (::audit_system_log_get_object_sockaddr(log, NULL, &ret.sockFamily) != 0)
+ throw runtime::Exception("Failed to get socket address");
+
+ if (ret.sockFamily != -1) {
+ if (ret.sockFamily == AF_UNIX) {
+ if (::audit_system_log_get_object_sockaddr(log,
+ reinterpret_cast<struct sockaddr *>(&ret.unixAddr), &ret.sockFamily) != 0)
+ throw runtime::Exception("Failed to get socket address");
+ } else if (ret.sockFamily == AF_INET) {
+ if (::audit_system_log_get_object_sockaddr(log,
+ reinterpret_cast<struct sockaddr *>(&ret.inetAddr), &ret.sockFamily) != 0)
+ throw runtime::Exception("Failed to get socket address");
+ }
+ }
+}
+
+void AuditAnalyzer::sendNotification(int result, const std::string &name)
+{
+ //call notification app
+ //test code : [TODO]to be removed
+ std::cout << "[Detected] : " << detectedTag[result] << std::endl;
+ std::cout << "[Suspicious Process] : " << name << std::endl;
+}
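Review bot: `std::unique_ptr<char> scopedPtr(processName);` in `analysis` (and the `scopedPtr.reset(...)` calls in `parseLog`) releases a buffer that the C API allocated and expects to be released with `free()`, using `delete` instead; a free-based deleter such as `std::unique_ptr<char, void (*)(void *)> scopedPtr(processName, ::free);` keeps the ownership idiom without the allocator mismatch. The condition on the next line, `ret == APP_MANAGER_ERROR_NONE && ret != APP_MANAGER_ERROR_NO_SUCH_APP`, has a redundant second clause and does not guard `processName` itself, which `std::string(processName)` would dereference if null; `ret == APP_MANAGER_ERROR_NONE && processName != nullptr` is the check that was meant. In `parseLog` the return value of `audit_system_log_get_subject_name` is ignored and `sbjName` is appended unchecked, unlike the object-name path a few lines below, so a failed lookup dereferences null there; `audit_trail_create`'s return value on the first line of `runMonitor` is likewise dropped in favour of a null test on the handle. `terminate()` is public and is also called from the destructor, so a caller invoking it explicitly hands the already-destroyed `auditTrail` to `audit_trail_destroy` a second time; setting `auditTrail = nullptr` after destroying it and returning early when it is already null makes the function idempotent.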
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __AUDIT_ANALYZER_H__
+#define __AUDIT_ANALYZER_H__
+
+#include <asm/unistd.h>
+#include <linux/audit.h>
+
+#include <vector>
+
+#include <audit-trail/system-log.h>
+#include <klay/mainloop.h>
+#include <klay/exception.h>
+
+#include "type.h"
+#include "checker/checker.h"
+
+class AuditAnalyzer final {
+public:
+ using AuditTrail = audit_trail_h;
+ using SystemLog = audit_system_log_h;
+
+ AuditAnalyzer();
+ ~AuditAnalyzer();
+
+ void run();
+ void terminate();
+
+private:
+ void runMonitor();
+ void analysis(SystemLog log);
+
+ void parseLog(SystemLog log, Log &ret);
+ void sendNotification(int result, const std::string &name);
+ static void auditCallbackDispatcher(void *log, void *data);
+
+private:
+ runtime::Mainloop mainloop;
+ AuditTrail auditTrail;
+ int callbackId;
+};
+
+#endif /*__AUDIT_ANALYZER_H__*/
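Review bot: The header declares `sendNotification(int result, const std::string &name)` but does not include `<string>`, relying on a transitive include from one of the other headers; add `#include <string>` next to `<vector>` so the header stands on its own. The guard `__AUDIT_ANALYZER_H__` is a double-underscore identifier, which is reserved for the implementation; a project-prefixed `AUDIT_ANALYZER_H` avoids the reserved namespace. `terminate()` is public and the destructor also calls it, so the class comment should state whether callers may invoke it themselves and what state the object is in afterwards.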
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class BruteforceChecker : public AuditChecker {
+public:
+ BruteforceChecker();
+ virtual ~BruteforceChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<std::string> blackList;
+};
+
+BruteforceChecker::BruteforceChecker()
+{
+ blackList = {
+ "/dev/mapper/control",
+ };
+}
+
+BruteforceChecker::~BruteforceChecker()
+{
+}
+
+int BruteforceChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.objectName) ? Attack::BruteforceDMCrypt : Attack::Invalid;
+}
+
+CheckerBuilder<BruteforceChecker> bruteforceChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+AuditChecker::AuditChecker()
+{
+}
+
+AuditChecker::~AuditChecker()
+{
+}
+
+std::vector<AuditChecker *> CheckerFactory::list;
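Review bot: `std::vector<AuditChecker *> CheckerFactory::list;` on the last line is dynamically initialized, while every `CheckerBuilder<...>` global in the other checker translation units calls `CheckerFactory::list.push_back(...)` from its constructor (checker.h) during their own dynamic initialization; C++ gives no ordering between translation units, so depending on link order the vector's constructor can run after some checkers registered and silently discard them, and the analyzer then misses those detections. Replacing the static data member with a function returning a function-local static, which is initialized on first use, removes the dependency on initialization order; this definition is then deleted and the loop in `AuditAnalyzer::analysis` becomes `for (auto checker : CheckerFactory::list())`. The `~AuditChecker();` declaration in checker.h is not virtual although `run` is; the builder deletes through the concrete type so it is not undefined behaviour today, but `virtual ~AuditChecker();` is the safe form for a polymorphic base. `findOnList` there also takes `target` by value, so the string-based checkers copy the object name on every record; `const T &target` avoids the copy.
```cpp
class CheckerFactory {
public:
	// Function-local static: constructed on first use, so registration from
	// other translation units' global constructors never sees it uninitialized.
	static std::vector<AuditChecker*> &list()
	{
		static std::vector<AuditChecker*> checkers;
		return checkers;
	}
};

// … unchanged: CheckerBuilder class definition …

template <typename Checker>
CheckerBuilder<Checker>::CheckerBuilder()
{
	checker.reset(new Checker{});
	CheckerFactory::list().push_back(checker.get());
}
```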
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __AUDIT_CHECKER_H__
+#define __AUDIT_CHECKER_H__
+
+#include <asm/unistd.h>
+#include <vector>
+#include <memory>
+#include <klay/exception.h>
+
+#include "../type.h"
+
+class AuditChecker {
+public:
+ AuditChecker();
+ ~AuditChecker();
+
+ virtual int run(const Log &log) = 0;
+protected:
+ template <typename T>
+ bool findOnList(const std::vector<T> &list, T target)
+ {
+ for (auto e : list) {
+ if (e == target)
+ return true;
+ }
+ return false;
+ }
+};
+
+class CheckerFactory {
+public:
+ static std::vector<AuditChecker*> list;
+};
+
+template <typename Checker>
+class CheckerBuilder {
+public:
+ CheckerBuilder();
+ ~CheckerBuilder();
+private:
+ std::unique_ptr<Checker> checker;
+};
+
+template <typename Checker>
+CheckerBuilder<Checker>::CheckerBuilder()
+{
+ checker.reset(new Checker{});
+ CheckerFactory::list.push_back(checker.get());
+}
+
+template <typename Checker>
+CheckerBuilder<Checker>::~CheckerBuilder()
+{
+}
+
+#endif /*__AUDIT_CHECKER_H__*/
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class DebuggingChecker : public AuditChecker {
+public:
+ DebuggingChecker();
+ virtual ~DebuggingChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+DebuggingChecker::DebuggingChecker()
+{
+ blackList = {
+ __NR_ptrace,
+ };
+}
+
+DebuggingChecker::~DebuggingChecker()
+{
+}
+
+int DebuggingChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.syscall) ? Attack::Debugging : Attack::Invalid;
+}
+
+CheckerBuilder<DebuggingChecker> debuggingChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class InetSocketChecker : public AuditChecker {
+public:
+ InetSocketChecker();
+ virtual ~InetSocketChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<std::string> blackList;
+};
+
+InetSocketChecker::InetSocketChecker()
+{
+ blackList = {
+ "121.189.57.82",
+ };
+}
+
+InetSocketChecker::~InetSocketChecker()
+{
+}
+
+int InetSocketChecker::run(const Log &log)
+{
+ std::string address(::inet_ntoa(log.inetAddr.sin_addr));
+ return findOnList(blackList, address) ? Attack::AccessPhishingSite : Attack::Invalid;
+}
+
+CheckerBuilder<InetSocketChecker> inetSocketChecker;
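Review bot: `InetSocketChecker::run` reads `log.inetAddr` for every record without checking `log.sockFamily`, and `parseLog` fills `inetAddr` only for AF_INET, so non-socket and AF_UNIX records are compared as `0.0.0.0`; add `if (log.sockFamily != AF_INET) return Attack::Invalid;` before the conversion. `::inet_ntoa` formats into a static buffer and is not thread-safe, and the process already runs a second thread for the glib mainloop; `char buf[INET_ADDRSTRLEN]; std::string address(::inet_ntop(AF_INET, &log.inetAddr.sin_addr, buf, sizeof(buf)) ? buf : "");` keeps the result local. The single literal in `blackList` is demonstration data; a comment saying so (or loading the list from configuration) stops a reader from treating it as a curated indicator.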
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class ModifyARPChecker : public AuditChecker {
+public:
+ ModifyARPChecker();
+ virtual ~ModifyARPChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+ModifyARPChecker::ModifyARPChecker()
+{
+ blackList = {
+ __NR_ioctl,
+ __NR_socket,
+ };
+}
+
+ModifyARPChecker::~ModifyARPChecker()
+{
+}
+
+int ModifyARPChecker::run(const Log &log)
+{
+ //TODO : check if a1 = 0x8955
+ if (findOnList(blackList, log.syscall) && log.args[1] == 0x8955)
+ return Attack::ModifyARPTable;
+
+ return Attack::Invalid;
+}
+
+CheckerBuilder<ModifyARPChecker> modifyARPChecke;
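Review bot: The `//TODO : check if a1 = 0x8955` comment is stale because the next line already performs that check, and `0x8955` is the value of `SIOCSARP`; writing `log.args[1] == SIOCSARP` with the constant from `<sys/ioctl.h>` makes the intent visible and drops the magic number. `__NR_socket` in `blackList` means a `socket()` call whose second argument happens to equal 0x8955 is also flagged as an ARP modification; if only `ioctl` is meant, drop `__NR_socket`, otherwise add a comment explaining why both are listed. The global on the last line is named `modifyARPChecke`, missing the final `r`; the other checker files use `<name>Checker`.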
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class ModifyDacChecker : public AuditChecker {
+public:
+ ModifyDacChecker();
+ virtual ~ModifyDacChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+ModifyDacChecker::ModifyDacChecker()
+{
+ blackList = {
+ __NR_chown,
+ __NR_fchown,
+ __NR_fchownat,
+ __NR_lchown,
+ __NR_lchown32,
+ __NR_chmod,
+ __NR_fchmod,
+ __NR_fchmodat,
+ };
+}
+
+ModifyDacChecker::~ModifyDacChecker()
+{
+}
+
+int ModifyDacChecker::run(const Log &log)
+{
+ if (log.syscall == __NR_chmod && !log.objectName.compare("/etc/ld.so.conf"))
+ return Attack::ModifyLibraries;
+
+ return findOnList(blackList, log.syscall) ? Attack::ModifyDAC : Attack::Invalid;
+}
+
+CheckerBuilder<ModifyDacChecker> modifyDacChecker;
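Review bot: `__NR_lchown32` in `blackList` (and `__NR_setuid32` in privilege.cpp) is a 32-bit-only syscall number; on 64-bit targets the macro is undefined and the file does not compile, whereas mount-device.cpp already guards `__NR_umount` with `#ifdef`. Apply the same guard here, `#ifdef __NR_lchown32` / `__NR_lchown32,` / `#endif`, and consider the same for `__NR_chown`, `__NR_lchown` and `__NR_chmod`, which the generic 64-bit syscall table replaces with the `*at` variants. The `ModifyLibraries` rule on the first line of `run` fires only for `chmod` with the exact path `/etc/ld.so.conf`; the same change made through `fchmodat`, or to a file under `/etc/ld.so.conf.d/`, is reported as plain `ModifyDAC`, which is probably not what the rule intends.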
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class ModifyHostChecker : public AuditChecker {
+public:
+ ModifyHostChecker();
+ virtual ~ModifyHostChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<std::string> blackList;
+};
+
+ModifyHostChecker::ModifyHostChecker()
+{
+ blackList = {
+ "/etc/hosts",
+ };
+}
+
+ModifyHostChecker::~ModifyHostChecker()
+{
+}
+
+int ModifyHostChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.objectName) ? Attack::ModifyHostFile : Attack::Invalid;
+}
+
+CheckerBuilder<ModifyHostChecker> modifyHostChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class ModifyMacPolicyChecker : public AuditChecker {
+public:
+ ModifyMacPolicyChecker();
+ virtual ~ModifyMacPolicyChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<std::string> blackList;
+};
+
+ModifyMacPolicyChecker::ModifyMacPolicyChecker()
+{
+ blackList = {
+ "/etc/smack",
+ "/sys/fs/smackfs",
+ "/etc/cynara",
+ "/etc/nether",
+ };
+}
+
+ModifyMacPolicyChecker::~ModifyMacPolicyChecker()
+{
+}
+
+int ModifyMacPolicyChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.objectName) ? Attack::ModifyMACPolicy : Attack::Invalid;
+}
+
+CheckerBuilder<ModifyMacPolicyChecker> modifyMacPolicyChecker;
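Review bot: `findOnList(blackList, log.objectName)` in `run` is an exact string comparison, but every `blackList` entry is a directory; `parseLog` strips only a trailing slash, so a write to a file under `/etc/smack/` or `/sys/fs/smackfs/` never equals an entry and the policy change goes undetected. UnixSocketChecker already walks a path up through its parents before comparing, so either share that logic or match on a directory prefix: `for (const auto &dir : blackList)` / `if (log.objectName.compare(0, dir.size(), dir) == 0 && (log.objectName.size() == dir.size() || log.objectName[dir.size()] == '/'))` / `return Attack::ModifyMACPolicy;`. The trailing `/`-or-end test matters so that `/etc/smackfoo` is not taken for `/etc/smack`.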
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class ModifyMacChecker : public AuditChecker {
+public:
+ ModifyMacChecker();
+ virtual ~ModifyMacChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+ModifyMacChecker::ModifyMacChecker()
+{
+ blackList = {
+ __NR_setxattr,
+ __NR_lsetxattr,
+ __NR_fsetxattr,
+ __NR_removexattr,
+ __NR_lremovexattr,
+ __NR_fremovexattr,
+ };
+}
+
+ModifyMacChecker::~ModifyMacChecker()
+{
+}
+
+int ModifyMacChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.syscall) ? Attack::ModifyMAC : Attack::Invalid;
+}
+
+CheckerBuilder<ModifyMacChecker> modifyMacChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class MountDeviceChecker : public AuditChecker {
+public:
+ MountDeviceChecker();
+ virtual ~MountDeviceChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+MountDeviceChecker::MountDeviceChecker()
+{
+ blackList = {
+ __NR_mount,
+ __NR_umount2,
+#ifdef __NR_umount
+ __NR_umount,
+#endif
+ };
+}
+
+MountDeviceChecker::~MountDeviceChecker()
+{
+}
+
+int MountDeviceChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.syscall) ? Attack::MountDevice : Attack::Invalid;
+}
+
+CheckerBuilder<MountDeviceChecker> mountDeviceChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class PrivilegeChecker : public AuditChecker {
+public:
+ PrivilegeChecker();
+ virtual ~PrivilegeChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+PrivilegeChecker::PrivilegeChecker()
+{
+ blackList = {
+ __NR_setuid,
+ __NR_setuid32,
+ __NR_setreuid,
+ };
+}
+
+PrivilegeChecker::~PrivilegeChecker()
+{
+}
+
+int PrivilegeChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.syscall) ? Attack::PrivilegeEscalation : Attack::Invalid;
+}
+
+CheckerBuilder<PrivilegeChecker> privilegeChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class UnixSocketChecker : public AuditChecker {
+public:
+ UnixSocketChecker();
+ virtual ~UnixSocketChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<std::string> blackList;
+};
+
+UnixSocketChecker::UnixSocketChecker()
+{
+ blackList = {
+ "/tmp",
+ };
+}
+
+UnixSocketChecker::~UnixSocketChecker()
+{
+}
+
+int UnixSocketChecker::run(const Log &log)
+{
+ if (log.exitcode >= 0)
+ return Attack::Invalid;
+
+ std::string tmp(log.unixAddr.sun_path);
+ auto pos = tmp.find_last_of('/');
+ while (pos != std::string::npos) {
+ tmp = tmp.substr(0, pos);
+ if (findOnList(blackList, tmp))
+ return Attack::HijackUnixSocket;
+ pos = tmp.find_last_of('/');
+ }
+ return Attack::Invalid;
+}
+
+CheckerBuilder<UnixSocketChecker> unixSocketChecker;
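Review bot: `std::string tmp(log.unixAddr.sun_path);` assumes a NUL-terminated path, but `sun_path` need not be terminated when the name fills the array, and abstract-namespace sockets begin with a NUL byte and so yield an empty string; construct with an explicit length, `std::string tmp(log.unixAddr.sun_path, ::strnlen(log.unixAddr.sun_path, sizeof(log.unixAddr.sun_path)));` (with `<cstring>` included). `run` also reads `unixAddr` without confirming the family, although `parseLog` fills it only for AF_UNIX; the first guard should be `if (log.sockFamily != AF_UNIX || log.exitcode >= 0) return Attack::Invalid;`. The `exitcode >= 0` gate means only failed socket operations are reported; a one-line comment stating that the rule targets failed attempts on sockets under the listed directories would help the reader.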
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+class UseKernelModuleChecker : public AuditChecker {
+public:
+ UseKernelModuleChecker();
+ virtual ~UseKernelModuleChecker();
+
+ int run(const Log &log);
+private:
+ std::vector<unsigned int> blackList;
+};
+
+UseKernelModuleChecker::UseKernelModuleChecker()
+{
+ blackList = {
+ __NR_init_module,
+ __NR_finit_module,
+ __NR_delete_module,
+ };
+}
+
+UseKernelModuleChecker::~UseKernelModuleChecker()
+{
+}
+
+int UseKernelModuleChecker::run(const Log &log)
+{
+ return findOnList(blackList, log.syscall) ? Attack::UseKernelModule : Attack::Invalid;
+}
+
+CheckerBuilder<UseKernelModuleChecker> useKernelModuleChecker;
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include <iostream>
+#include <signal.h>
+#include <klay/gmainloop.h>
+#include "analyzer.h"
+
+void signalHandler(int signal)
+{
+ exit(0);
+}
+
+class AnalyzerGMainLoop {
+public:
+ AnalyzerGMainLoop() :
+ mainloop(::g_main_loop_new(NULL, FALSE), ::g_main_loop_unref)
+ {
+ handle = std::thread(g_main_loop_run, mainloop.get());
+ }
+ ~AnalyzerGMainLoop()
+ {
+ while (!g_main_loop_is_running(mainloop.get())) {
+ std::this_thread::yield();
+ }
+ ::g_main_loop_quit(mainloop.get());
+ handle.join();
+ }
+private:
+ std::unique_ptr<GMainLoop, void(*)(GMainLoop*)> mainloop;
+ std::thread handle;
+};
+
+int main(int argc, char *argv[])
+{
+ ::signal(SIGINT, signalHandler);
+
+ try {
+ AnalyzerGMainLoop gmainloop;
+ AuditAnalyzer analyzer;
+ analyzer.run();
+ } catch (runtime::Exception &e) {
+ std::cout << "Error : " << e.what() << std::endl;
+ return EXIT_FAILURE;
+ }
+ return EXIT_SUCCESS;
+}
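Review bot: `signalHandler` calls `exit(0)`, which is not async-signal-safe: it runs atexit handlers and the destructors of the `CheckerBuilder` globals while the interrupted thread may still be inside `mainloop.run()` and the glib thread still uses the checkers. Stopping the loop from the handler in a signal-safe way — a `volatile sig_atomic_t` flag the loop polls, or GLib's `g_unix_signal_add(SIGINT, ...)` from `<glib-unix.h>`, which the process already links — lets `AuditAnalyzer::terminate` remove the audit callback before teardown; `_exit` would be signal-safe but skips that cleanup. The file uses `std::thread`, `std::unique_ptr` and `exit`/`EXIT_SUCCESS` but includes none of `<thread>`, `<memory>` or `<cstdlib>`, and `<csignal>` is the C++ spelling of `<signal.h>`. `sigaction` rather than `signal` gives defined semantics for the handler's persistence and interrupted-call behaviour across libcs.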
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __AUDIT_SUSPICIOUS_TYPE_H__
+#define __AUDIT_SUSPICIOUS_TYPE_H__
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+enum Attack {
+ Invalid = -1,
+ HijackUnixSocket = 0,
+ BruteforceDMCrypt,
+ ModifyDAC,
+ ModifyMAC,
+ ModifyMACPolicy,
+ MountDevice,
+ ModifyLibraries,
+ UseKernelModule,
+ AccessPhishingSite,
+ Debugging,
+ PrivilegeEscalation,
+ ModifyHostFile,
+ ModifyARPTable,
+};
+
+struct Log {
+ unsigned int syscall;
+ dev_t dev;
+ std::string objectName;
+ std::string subjectName;
+ int sockFamily;
+ int exitcode;
+ pid_t pid;
+ unsigned int args[4];
+ struct sockaddr_un unixAddr;
+ struct sockaddr_in inetAddr;
+};
+
+#endif /*__AUDIT_SUSPICIOUS_TYPE_H__*/
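Review bot: `struct Log` uses `std::string`, `dev_t` and `pid_t` but the header includes only socket headers; add `#include <string>` and `#include <sys/types.h>` so every checker that includes it compiles regardless of include order. `unsigned int args[4]` receives the syscall arguments that `parseLog` fetches via `audit_system_log_get_action_arguments(log, &ret.args)`; the kernel audit record carries them as `unsigned long`, so on 64-bit targets an `unsigned int` slot truncates pointer and flag arguments — confirm the expected element type against that function's declaration. The `Attack` enumerators are used as indices into the `detectedTag` table in analyzer.cpp, so a comment on the enum noting that its order must stay in step with that table would prevent silent mislabelling when an entry is added.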