Access Analysis using TOMOYO Linux

Last modified: $Date: 2006-11-25 10:18:46 +0900 (Sat, 25 Nov 2006) $

Because TOMOYO Linux policy is expressed in terms of pathnames, TOMOYO Linux can be used to trace file accesses.
You can use it to find out how programs access files, or which program is creating files in a specific directory.

Preparation

Install Kernel

TOMOYO Linux provides binary kernel packages for several distributions. If you want to use one, download and install the package for your distribution.

RedHat Linux 9 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-2.4.20-46.9.legacy_tomoyo_1.2.i386.rpm
Fedora Core 3 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-2.6.12-2.3.legacy_FC3_tomoyo_1.2.i586.rpm
Fedora Core 4 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-2.6.17-1.2142_FC4_tomoyo_1.2.i586.rpm
Fedora Core 5 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-2.6.18-1.2200_FC5_tomoyo_1.2.i586.rpm
Fedora Core 6 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-2.6.18-1.2798_tomoyo_1.2.i586.rpm
CentOS 4.4 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-2.6.9-42.0.3.EL_tomoyo_1.2.i586.rpm
Debian Sarge (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-image-2.4.27-10sarge4-ccs_1.2_i586.deb
http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-image-2.6.8-16sarge5-ccs_1.2_i586.deb
OpenSUSE 10.1 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/kernel-default-2.6.16.21-0.25_tomoyo_1.2.i586.rpm

If your CPU architecture differs or you want to customize the kernel configuration, you need to compile the kernel yourself. To do so, see TOMOYO Linux kernel compilation.

Boot the TOMOYO Linux kernel and check that the system works properly.

Install Tool

TOMOYO Linux provides pre-compiled tools for several distributions. If you want to use them, download the archive for your distribution and extract it under the /root/ directory.

RedHat Linux 9 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-RHL9.tar.gz
Fedora Core 3 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-FC3.tar.gz
Fedora Core 4 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-FC4.tar.gz
Fedora Core 5 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-FC5.tar.gz
Fedora Core 6 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-FC6.tar.gz
CentOS 4.4 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-CentOS4.4.tar.gz
Debian Sarge (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-Sarge.tar.gz
OpenSUSE 10.1 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/21518/ccs-tools-1.2-i386-SUSE10.1.tar.gz

If your CPU architecture differs, you need to compile the tools yourself. To compile them, run the following commands.

# Download source of tools for TOMOYO Linux.
wget http://osdn.dl.sourceforge.jp/tomoyo/21579/ccs-tools-1.2-20060903.tar.gz
# Extract.
tar -zxf ccs-tools-1.2-20060903.tar.gz
# Compile.
make -sC ccstools/

Create Policy

Create /root/security/manager.txt with the following contents.

/root/ccstools/editpolicy

Create /root/security/profile0.txt with the following contents.

MAC_FOR_FILE=1
MAX_ACCEPT_FILES=1048576
MAX_GRANT_LOG=0
MAX_REJECT_LOG=0
TOMOYO_VERBOSE=0

Save the output of the following command as /root/security/exception_policy.txt.

/root/ccstools/make_exception.sh | grep ^file_pattern | sort | uniq

Analysis

Boot the TOMOYO Linux kernel and run the applications you want to analyze.

You can see the list of programs executed so far by running /root/ccstools/editpolicy. Choose a program and press "Enter" to see the list of files accessed by that program.

You can save the list of all files accessed so far as /root/security/domain_policy.txt by running /root/ccstools/savepolicy.
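As an added example, not code from the TOMOYO project, the following Python script answers the question raised in the introduction (which program creates or writes files in a given directory) by reading a saved domain_policy.txt offline. The layout it parses is an assumption based on the TOMOYO Linux 1.x format (a "<kernel> ..." domain header followed by "<mode> <pathname>" lines, mode being a bitmask of 1 execute, 2 write, 4 read), and the policy text below is constructed rather than captured from a real system.

```python
# Constructed sample of a saved domain_policy.txt (assumed TOMOYO 1.x
# layout): "<kernel> ..." starts a domain, "use_profile N" binds its
# profile, and "<mode> <pathname>" records one learned access, where
# mode is a bitmask with 1 = execute, 2 = write, 4 = read.
SAMPLE_POLICY = """\
<kernel> /sbin/init
use_profile 0
1 /sbin/hwclock
6 /dev/console
2 /var/log/wtmp

<kernel> /sbin/init /usr/sbin/httpd
use_profile 0
4 /etc/httpd/conf/httpd.conf
2 /var/log/httpd/access_log
2 /var/log/httpd/error_log
4 /var/www/html/\\*.html
"""

MODE_NAMES = {1: "execute", 2: "write", 4: "read"}

def parse_domain_policy(text):
    """Return {domain header: [(mode, pathname), ...]}."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):
            current = line
            domains.setdefault(current, [])
        elif current and line and line[0].isdigit():
            mode, _, path = line.partition(" ")
            domains[current].append((int(mode), path))
    return domains

def mode_to_names(mode):
    return [name for bit, name in sorted(MODE_NAMES.items()) if mode & bit]

def accesses_under(domains, directory, mode_bit=None):
    """(program, pathname, modes) for accesses below `directory`; the
    program is the last pathname of the domain header."""
    prefix = directory.rstrip("/") + "/"
    hits = []
    for domain, entries in domains.items():
        program = domain.split()[-1]
        for mode, path in entries:
            if path.startswith(prefix) and (mode_bit is None or mode & mode_bit):
                hits.append((program, path, mode_to_names(mode)))
    return hits
```

Running accesses_under(parse_domain_policy(open("/root/security/domain_policy.txt").read()), "/var/log", mode_bit=2) lists every program that wrote under /var/log during the learning run.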