System/Dependency graphs - method

From Tizen Wiki

The method for Unix domain sockets graph

The test was made in the following steps:

  • the audit subsystem was compiled and enabled in the Linux kernel (for 3.0.15 on the ARM architecture a patch is needed: source code)
  • the audit subsystem is turned on during system boot by the option 'audit=1' on the kernel command line
  • the auditd daemon is set up to be started by systemd as early as possible during system boot (for example in basic.target)
  • audit rules are added to audit.rules file:
    • -a always,exit -S bind
    • -a always,exit -S connect
    • -a always,exit -S accept
    • -a always,exit -S accept4
  • in auditd.conf the 'dispatcher' option is set to the modified audit_dispatcher program: source code

If all these steps are completed, reboot the system. The audit_dispatcher program will then write its log to /var/log/audit/audit_extracted.log

There is a script that converts the log to a graph in SVG format:

#!/bin/bash
# Usage: socket_graph.sh /var/log/audit/audit_extracted.log
# The extracted log lines are copied verbatim into the body of the digraph;
# only the "log start" marker lines are dropped and duplicates are removed.
CRDATE=$(date +%Y-%m-%d-%H-%M-%S)
FNAME=socket_graph_${CRDATE}

echo "digraph G {"  > "${FNAME}.dot"
echo "rankdir=LR"  >> "${FNAME}.dot"
sed -e '/^log start/d' < "${1}" | sort | uniq >> "${FNAME}.dot"
echo     >> "${FNAME}.dot"
echo "}" >> "${FNAME}.dot"

dot -Tsvg -o "${FNAME}.svg" "${FNAME}.dot"

The path to the audit_extracted.log file should be given as the command line argument.
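The modified audit_dispatcher is what turns raw audit records into the edge lines that the script above copies into the graph. The following Python script is an added example, not Tizen's dispatcher code, showing that extraction on the raw record format auditd writes to audit.log and hands to its dispatcher: it pairs each SYSCALL record with the SOCKADDR record of the same event serial, decodes the hex-encoded sockaddr_un (including abstract-namespace names and the empty peer address accept() reports), and emits one DOT edge per process/socket pair. It assumes little-endian hosts, the AUDIT_ARCH values for x86_64 (c000003e) and ARM EABI (40000028) with the bind/connect/accept/accept4 numbers of those two ABIs, and a constructed sample log; the edge direction (client -> socket -> server) and the helper names are this example's own conventions.

```python
"""Unix-domain-socket dependency graph (Graphviz DOT) from raw auditd records.

Added example, not the Tizen audit_dispatcher: it consumes the raw record format that
auditd writes to audit.log and hands to its dispatcher, pairs each SYSCALL record with
the SOCKADDR record of the same event serial, decodes the hex-encoded sockaddr_un and
emits one edge per (process, socket path).  The syscall-number table covers the two
ABIs the wiki mentions (ARM EABI and x86_64); other architectures need their own rows.
"""
import re
from collections import defaultdict

# arch= value (AUDIT_ARCH_*) -> {syscall number: name} for the calls the audit rules catch
SYSCALL_NAMES = {
    "c000003e": {49: "bind", 42: "connect", 43: "accept", 288: "accept4"},    # x86_64
    "40000028": {282: "bind", 283: "connect", 285: "accept", 366: "accept4"},  # ARM EABI, LE
}
AF_UNIX = 1
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into (type, event serial, {field: value}); None if not a record."""
    m = SERIAL_RE.search(line)
    if not m or not line.startswith("type="):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields["type"], m.group(1), fields


def decode_unix_saddr(hexstr):
    """sun_path of a hex-encoded sockaddr_un; '@name' for abstract sockets; None for other
    families or for the empty (2-byte) address accept() reports for unnamed AF_UNIX peers.
    sa_family is a 16-bit host-order integer; both ABIs in the table are little-endian."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 3 or int.from_bytes(raw[:2], "little") != AF_UNIX:
        return None
    path = raw[2:]
    if path[0] == 0:  # abstract namespace: leading NUL, the rest is the name (trailing NULs dropped)
        name = path[1:].rstrip(b"\x00").decode("utf-8", "replace")
        return "@" + name if name else None
    return path.split(b"\x00", 1)[0].decode("utf-8", "replace")


def socket_edges(lines):
    """Return the set of DOT edges: 'client -> socket' for connect, 'socket -> server' for
    bind and for accept/accept4 with a named peer.  Failed calls (success=no) are not
    dependencies and are skipped."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial][rtype] = fields
    edges = set()
    for ev in events.values():
        sc, sa = ev.get("SYSCALL"), ev.get("SOCKADDR")
        if not sc or not sa or sc.get("success") != "yes":
            continue
        name = SYSCALL_NAMES.get(sc.get("arch"), {}).get(int(sc.get("syscall", -1)))
        path = decode_unix_saddr(sa.get("saddr", ""))
        if name is None or path is None:
            continue
        exe = sc.get("exe") or sc.get("comm", "?")
        if name == "connect":
            edges.add(f'"{exe}" -> "{path}";')
        else:  # bind, accept, accept4: the process serves (or is reached through) the path
            edges.add(f'"{path}" -> "{exe}";')
    return edges


def dot_graph(lines):
    """Same layout as the wiki's socket_graph script: digraph, left-to-right, sorted edges."""
    return "digraph G {\nrankdir=LR\n" + "\n".join(sorted(socket_edges(lines))) + "\n}\n"


# Constructed sample in raw audit.log form (unrelated fields shortened); not a real capture.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=49 success=yes exit=0 pid=300 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" key=(null)
type=SOCKADDR msg=audit(1700000000.101:501): saddr=01002F72756E2F646275732E736F636B00
type=SYSCALL msg=audit(1700000000.205:502): arch=40000028 syscall=283 success=yes exit=0 pid=410 comm="app" exe="/usr/bin/app" key=(null)
type=SOCKADDR msg=audit(1700000000.205:502): saddr=01002F72756E2F646275732E736F636B00
type=SYSCALL msg=audit(1700000000.300:503): arch=40000028 syscall=283 success=no exit=-2 pid=411 comm="other" exe="/usr/bin/other" key=(null)
type=SOCKADDR msg=audit(1700000000.300:503): saddr=01002F72756E2F6D697373696E6700
type=SYSCALL msg=audit(1700000000.310:504): arch=c000003e syscall=288 success=yes exit=7 pid=300 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" key=(null)
type=SOCKADDR msg=audit(1700000000.310:504): saddr=0100
type=SYSCALL msg=audit(1700000000.320:505): arch=40000028 syscall=283 success=yes exit=0 pid=410 comm="app" exe="/usr/bin/app" key=(null)
type=SOCKADDR msg=audit(1700000000.320:505): saddr=01000064627573
"""

if __name__ == "__main__":
    print(dot_graph(SAMPLE_LOG.splitlines()), end="")
```

Run against a real log with `python3 socket_graph.py < /var/log/audit/audit.log` after replacing the sample with `sys.stdin`; the output is a complete .dot file that `dot -Tsvg` renders exactly like the wiki's script output. Grouping by event serial rather than by adjacent lines is what makes the extraction safe on a busy system, where records of different events interleave in the log.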

A *.svg document can be converted to *.pdf format using the rsvg-convert tool:

rsvg-convert  -f pdf -o socket_graph.pdf socket_graph.svg 

The method for Files graph

The test was made in the following steps:

  • the first three steps are the same as in the socket graph method
  • audit rules are added to audit.rules file:
    • -a exit,always -S inotify_add_watch -k inotify
    • -a exit,always -S open -k open
    • execute the script that adds a rule for each file (described earlier)
  • in auditd.conf set dispatcher = /sbin/audispd and max_log_file = 200

If all these steps are completed, reboot the system. The auditd daemon will then write its logs to /var/log/audit/audit.log

There is a script that converts the logs to a graph in SVG format (it works properly on i686; on x86_64 the ausearch tool can produce its output in a different form):

#!/bin/bash
# Builds read_write_notify_files_graph.svg from the audit.log in the current directory.
# ausearch reads the log file directly (-if). The interpreted (-i) output is split into
# events on the '----' separator and parsed by line position inside each event, which is
# why a different ausearch output layout (see the x86_64 remark) can break the awk fields.

FILENAME="read_write_notify_files_graph.dot"

# Create dependencies graph.
# Read, write to files.

ausearch -if audit.log -i -k write > tmp_write
ausearch -if audit.log -i -k read > tmp_read
ausearch -if audit.log -i -k open > tmp_open

# read: keep events whose records mention system::vconf, then pair exe= with name=
awk  'BEGIN { FS = "\n" ; RS = "----" } ; { print $2 ", " $3", "$4 }' tmp_read | grep system::vconf > tmp_read_vconf
awk  'BEGIN { FS = "exe=" } ; { print $2 }' tmp_read_vconf | cut -d' ' -f 1-1 > tmp_process
awk  'BEGIN { FS = "name=" } ; { print $2 }' tmp_read_vconf | cut -d' ' -f 1-1 > tmp_files
paste tmp_files tmp_process | awk '{print "\""$1 "\" -- \"" $2"\";"}' | sort |uniq > tmp_graph_read
# write: same pairing, keyed on the SYSCALL record
awk  'BEGIN { FS = "\n" ; RS = "----" } ; { print $2 ", " $3", "$4 }' tmp_write | grep SYSCALL > tmp_write_awk
awk  'BEGIN { FS = "exe=" } ; { print $2 }' tmp_write_awk | cut -d' ' -f 1-1 > tmp_process
awk  'BEGIN { FS = "name=" } ; { print $2 }' tmp_write_awk | cut -d' ' -f 1-1 > tmp_files
paste tmp_process tmp_files | awk '{print "\""$1 "\" -- \"" $2"\";"}' | sort | uniq  > tmp_graph_write
# open: only files opened read-write (interpreted flags contain RDWR); the 'find' run of the rule script is dropped
awk 'BEGIN { RS = "----" ; FS = "\n" } ; { print $2 $4 }' tmp_open | grep system::vconf|grep -v find |grep RDWR > tmp_open_rdwr
awk 'BEGIN { RS = " exe=" } ; { print $1 }' tmp_open_rdwr > tmp_process
awk 'BEGIN { RS = " name=" } ; { print $1 }' tmp_open_rdwr > tmp_file
paste tmp_process tmp_file | awk '{print "\""$1 "\" -- \"" $2"\";"}' | sort|uniq  > tmp_graph_rdwr

# Inotify files.
# Raw (not -i) output is used here, so the exe= and name= values keep their own quotes
# and the edge line below adds none.

ausearch -if audit.log -k inotify > tmp_inotify
awk  'BEGIN { FS = "\n" ; RS = "----" } ; { print $3 ", " $4", "$5 }' tmp_inotify | grep system::vconf > tmp_inotify_vconf
awk  'BEGIN { FS = "exe=" } ; { print $2 }' tmp_inotify_vconf | cut -d' ' -f 1-1 > tmp_process
awk  'BEGIN { FS = "name=" } ; { print $2 }' tmp_inotify_vconf | cut -d' ' -f 1-1 > tmp_files
paste tmp_process tmp_files | awk '{print $1 " -- " $2";"}' | sort | uniq  > tmp_graph_inotify

# Create a graph.
# blue write()
# red read()
# green inotify()

echo "graph graphname {" > "$FILENAME"
echo "rankdir=LR;" >> "$FILENAME"
echo "edge [color=red];" >> "$FILENAME"
cat tmp_graph_read >> "$FILENAME"
echo "edge [color=blue];" >> "$FILENAME"
cat tmp_graph_rdwr >> "$FILENAME"
cat tmp_graph_write >> "$FILENAME"
echo "edge [color=green];" >> "$FILENAME"
cat tmp_graph_inotify >> "$FILENAME"
echo "}" >> "$FILENAME"
dot -Tsvg "$FILENAME" -o read_write_notify_files_graph.svg

# all intermediate files created above start with tmp_
rm -f tmp_*
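The awk pipeline above picks exe= and name= out of fixed line numbers inside each event, which is what goes wrong when ausearch lays its output out differently (the i686 versus x86_64 remark). As an added example that is not the wiki's script, the following Python builds the same coloured read/write/inotify graph from `ausearch -i` output by locating fields by name inside each '----'-separated event, so record order and line count no longer matter, and classifies each open() by its interpreted a1 flags. It assumes that the system::vconf string the script greps for is the Smack label found in the PATH record's obj= field, that open() with O_CREAT reports the parent directory as a lower item number, and a constructed sample in the shape of ausearch -i output (most SYSCALL fields omitted); the helper and constant names are this example's own.

```python
"""File graph (read / write / inotify) from `ausearch -i` output, located by field name.

Added example, not the wiki's script.  Events are split on the '----' separator ausearch
prints between them, every record is tokenised into key=value fields, watched files are
selected by the label in the PATH record's obj= field (assumed to be the Smack label that
the wiki's grep for system::vconf matches) and each open() is classified by its
interpreted a1 flags, so record order and line count inside an event do not matter.
"""
import re

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
COLORS = {"read": "red", "rdwr": "blue", "write": "blue", "inotify": "green"}
WATCHED_LABEL = "system::vconf"
IGNORED_TOOLS = {"find"}  # the wiki's 'grep -v find' drops the tree walk of the rule script


def split_events(text):
    """Yield {record type: [fields, ...]} per event; the 'time->' header line is skipped."""
    for block in text.split("----"):
        records = {}
        for line in block.strip().splitlines():
            if line.startswith("type="):
                fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
                records.setdefault(fields["type"], []).append(fields)
        if records:
            yield records


def access_mode(flags):
    """Map interpreted open() flags such as 'O_RDWR|O_CREAT' to read / write / rdwr."""
    parts = set(flags.split("|"))
    if "O_RDWR" in parts:
        return "rdwr"
    if "O_WRONLY" in parts:
        return "write"
    return "read"  # O_RDONLY


def file_edges(text, label=WATCHED_LABEL):
    """Return {mode: sorted list of undirected DOT edges '"exe" -- "file";'}."""
    edges = {mode: set() for mode in COLORS}
    for ev in split_events(text):
        sc = ev.get("SYSCALL", [{}])[0]
        paths = [p for p in ev.get("PATH", []) if p.get("obj") == label]
        if not sc or not paths or sc.get("success") != "yes":
            continue
        exe = sc.get("exe", "")
        if exe.rsplit("/", 1)[-1] in IGNORED_TOOLS:
            continue
        # an open() with O_CREAT carries the parent directory as a lower item; take the file
        name = max(paths, key=lambda p: int(p.get("item", 0)))["name"]
        syscall, key = sc.get("syscall"), sc.get("key")
        if syscall == "inotify_add_watch" or key == "inotify":
            mode = "inotify"
        elif key in ("read", "write"):  # keys set by the wiki's per-file rules
            mode = key
        elif syscall in ("open", "openat"):  # flags are a1 for open(), a2 for openat()
            mode = access_mode(sc.get("a2" if syscall == "openat" else "a1", ""))
        else:
            continue
        edges[mode].add(f'"{exe}" -- "{name}";')
    return {mode: sorted(e) for mode, e in edges.items()}


def dot_graph(text):
    """Same colouring as the wiki's script: red read, blue write and rdwr, green inotify."""
    groups = file_edges(text)
    out = ["graph graphname {", "rankdir=LR;"]
    for mode in ("read", "rdwr", "write", "inotify"):
        out.append(f"edge [color={COLORS[mode]}];")
        out.extend(groups[mode])
    return "\n".join(out + ["}"]) + "\n"


# Constructed sample in the shape of ausearch -i output (most SYSCALL fields omitted);
# not a real capture, and real output varies between audit versions.
SAMPLE = """\
----
time->Mon Mar  4 10:00:01 2013
type=PATH msg=audit(03/04/2013 10:00:01.123:800) : item=0 name=/opt/var/kdb/db/setting/lang obj=system::vconf
type=SYSCALL msg=audit(03/04/2013 10:00:01.123:800) : syscall=open success=yes exit=5 a1=O_RDONLY pid=420 exe=/usr/bin/setting-daemon key=open
----
time->Mon Mar  4 10:00:02 2013
type=PATH msg=audit(03/04/2013 10:00:02.456:801) : item=1 name=/opt/var/kdb/db/setting/lang obj=system::vconf
type=PATH msg=audit(03/04/2013 10:00:02.456:801) : item=0 name=/opt/var/kdb/db/setting/ obj=system::vconf
type=SYSCALL msg=audit(03/04/2013 10:00:02.456:801) : syscall=open success=yes exit=6 a1=O_RDWR|O_CREAT pid=430 exe=/usr/bin/vconftool key=open
----
time->Mon Mar  4 10:00:03 2013
type=PATH msg=audit(03/04/2013 10:00:03.789:802) : item=0 name=/opt/var/kdb/db/setting/lang obj=system::vconf
type=SYSCALL msg=audit(03/04/2013 10:00:03.789:802) : syscall=open success=yes exit=4 a1=O_RDONLY pid=440 exe=/usr/bin/find key=open
----
time->Mon Mar  4 10:00:04 2013
type=PATH msg=audit(03/04/2013 10:00:04.000:803) : item=0 name=/opt/var/kdb/db/setting/lang obj=system::vconf
type=SYSCALL msg=audit(03/04/2013 10:00:04.000:803) : syscall=inotify_add_watch success=yes exit=1 a1=0x40 pid=450 exe=/usr/bin/menu-screen key=inotify
"""
```

Feed it the output of `ausearch -if audit.log -i -k open -k inotify` (or the concatenated tmp_* files of the script above) and pass the result to `dot -Tsvg` as before. Because every record is located by type and every value by field name, a version of ausearch that prints PROCTITLE or CWD records in a different position, or interprets a1 differently, changes nothing in the graph; only the three string constants at the top are site-specific.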