System calls underlying CDM events - ashish-gehani/SPADE GitHub Wiki
SPADE's CDM Storage translates OPM relations from the Audit Reporter into CDM events. The table below summarizes the audited system calls and corresponding CDM events emitted.
| System call | CDM event |
|---|---|
| clone() | EVENT_CLONE or EVENT_FORK |
| fork(), vfork() | EVENT_FORK |
| setuid(), setreuid(), setresuid(), setfsuid(), setgid(), setregid(), setresgid(), setfsgid() | EVENT_CHANGE_PRINCIPAL |
| exit(), exit_group() | EVENT_EXIT |
| ptrace() | EVENT_MODIFY_PROCESS |
| accept(), accept4() | EVENT_ACCEPT |
| pread(), preadv(), read(), readv() | EVENT_READ |
| recvfrom(), recvmsg() | EVENT_RECVMSG |
| chmod(), fchmod(), fchmodat() | EVENT_MODIFY_FILE_ATTRIBUTES |
| connect() | EVENT_CONNECT |
| ftruncate(), truncate() | EVENT_TRUNCATE |
| mprotect() | EVENT_MPROTECT |
| madvise() | EVENT_OTHER |
| sendto(), sendmsg() | EVENT_SENDMSG |
| unlink(), unlinkat() | EVENT_UNLINK |
| close() | EVENT_CLOSE |
| execve() | EVENT_EXECUTE and EVENT_LOADLIBRARY |
| link(), linkat(), symlink(), symlinkat() | EVENT_LINK |
| mmap() | EVENT_MMAP |
| open(), openat() | EVENT_OPEN or EVENT_CREATE_OBJECT |
| creat() | EVENT_CREATE_OBJECT |
| pwrite(), pwritev(), write(), writev() | EVENT_WRITE and EVENT_UPDATE |
| lseek() | EVENT_LSEEK |
| rename(), renameat() | EVENT_RENAME |
| tee() | EVENT_TEE |
| splice() | EVENT_SPLICE |
| vmsplice() | EVENT_VMSPLICE |
| init_module() | EVENT_INIT_MODULE |
| finit_module() | EVENT_FINIT_MODULE |
| kill()\* | EVENT_UNIT or EVENT_SIGNAL |
| bind(), dup(), dup2(), dup3(), mknod(), mknodat(), pipe(), pipe2(), socket(), fcntl(), socketpair() | None\*\* |
\* UBSI signals sent with kill() are translated into unit events rather than signal events.

\*\* These calls emit no CDM event of their own. They are still audited because interpreting them changes how later events are translated, for example which object a descriptor refers to when it is subsequently read, written or closed.
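The following is an added example, not SPADE's own code, that applies the table above to a constructed sequence of audit records and shows why the "None" row still matters: socket(), dup2() and fork() emit nothing, but the descriptor state they change decides which object a later write() or close() is attributed to. The record layout, the per-process fd-table model, the object names, and the rule that open()/openat() becomes EVENT_CREATE_OBJECT when O_CREAT is set are assumptions made for this example; clone() and kill(), whose translation depends on flags and UBSI state the page does not spell out, are left out.

```python
"""Added example (not SPADE code): translate constructed audit records into
the CDM event names from the syscall table, tracking the descriptor state
that the no-event calls (socket, pipe, dup, dup2, ...) change.  Record
layout, fd-table model, object names and the O_CREAT rule are assumptions."""

O_CREAT = 0o100  # Linux open(2) flag value on x86-64

# Rows of the table whose translation does not depend on arguments.
TABLE = [
    (("fork", "vfork"), "EVENT_FORK"), (("exit", "exit_group"), "EVENT_EXIT"),
    (("setuid", "setreuid", "setresuid", "setfsuid", "setgid", "setregid",
      "setresgid", "setfsgid"), "EVENT_CHANGE_PRINCIPAL"),
    (("ptrace",), "EVENT_MODIFY_PROCESS"), (("accept", "accept4"), "EVENT_ACCEPT"),
    (("pread", "preadv", "read", "readv"), "EVENT_READ"),
    (("recvfrom", "recvmsg"), "EVENT_RECVMSG"), (("sendto", "sendmsg"), "EVENT_SENDMSG"),
    (("chmod", "fchmod", "fchmodat"), "EVENT_MODIFY_FILE_ATTRIBUTES"),
    (("connect",), "EVENT_CONNECT"), (("ftruncate", "truncate"), "EVENT_TRUNCATE"),
    (("mprotect",), "EVENT_MPROTECT"), (("madvise",), "EVENT_OTHER"),
    (("unlink", "unlinkat"), "EVENT_UNLINK"), (("close",), "EVENT_CLOSE"),
    (("link", "linkat", "symlink", "symlinkat"), "EVENT_LINK"),
    (("mmap",), "EVENT_MMAP"), (("creat",), "EVENT_CREATE_OBJECT"),
    (("lseek",), "EVENT_LSEEK"), (("rename", "renameat"), "EVENT_RENAME"),
    (("tee",), "EVENT_TEE"), (("splice",), "EVENT_SPLICE"), (("vmsplice",), "EVENT_VMSPLICE"),
    (("init_module",), "EVENT_INIT_MODULE"), (("finit_module",), "EVENT_FINIT_MODULE"),
]
FIXED = {name: event for names, event in TABLE for name in names}
WRITE_FAMILY = {"pwrite", "pwritev", "write", "writev"}  # EVENT_WRITE and EVENT_UPDATE
NO_EVENT = {"bind", "dup", "dup2", "dup3", "mknod", "mknodat",
            "pipe", "pipe2", "socket", "fcntl", "socketpair"}
# clone() and kill() depend on flags / UBSI state not modelled here.


def resolve(fds, pid, record):
    """Object an event refers to: the record's path, or whatever the
    descriptor in its first argument (a0) currently maps to."""
    if "path" in record:
        return record["path"]
    return fds.get((pid, record.get("a0")))


def translate(records):
    """Return a list of (pid, CDM event, object) for the audit records."""
    fds = {}      # (pid, fd) -> object; simplified per-process fd table (assumption)
    events = []
    for r in records:
        sc, pid, exit_ = r["syscall"], r["pid"], r.get("exit")
        if sc == "socket":                      # no event; remember the new fd
            fds[(pid, exit_)] = "socket:%d" % exit_
        elif sc in ("pipe", "pipe2"):           # no event; both ends of the pipe
            for fd in r["fds"]:
                fds[(pid, fd)] = "pipe"
        elif sc == "dup":                       # no event; alias the descriptor
            fds[(pid, exit_)] = fds[(pid, r["a0"])]
        elif sc in ("dup2", "dup3"):
            fds[(pid, r["a1"])] = fds[(pid, r["a0"])]
        elif sc in ("open", "openat", "creat"):
            created = sc == "creat" or bool(r.get("flags", 0) & O_CREAT)  # assumption
            fds[(pid, exit_)] = r["path"]
            events.append((pid, "EVENT_CREATE_OBJECT" if created else "EVENT_OPEN", r["path"]))
        elif sc in ("fork", "vfork"):           # child inherits the parent's fd table
            child = exit_
            for (p, fd), obj in list(fds.items()):
                if p == pid:
                    fds[(child, fd)] = obj
            events.append((pid, "EVENT_FORK", child))
        elif sc == "close":                     # forget the descriptor after the event
            events.append((pid, "EVENT_CLOSE", fds.pop((pid, r["a0"]), None)))
        elif sc in WRITE_FAMILY:
            obj = resolve(fds, pid, r)
            events.append((pid, "EVENT_WRITE", obj))
            events.append((pid, "EVENT_UPDATE", obj))
        elif sc == "execve":
            events.append((pid, "EVENT_EXECUTE", r["path"]))
            events.append((pid, "EVENT_LOADLIBRARY", r["path"]))
        elif sc in FIXED:
            events.append((pid, FIXED[sc], resolve(fds, pid, r)))
        elif sc not in NO_EVENT:
            raise ValueError("not an audited system call: " + sc)
    return events


# Constructed audit records: a process opens a socket, aliases it onto fd 1
# with dup2(), forks, and the child writes to fd 1 and closes the file.
SAMPLE_RECORDS = [
    {"syscall": "socket", "pid": 100, "exit": 3},
    {"syscall": "connect", "pid": 100, "a0": 3},
    {"syscall": "openat", "pid": 100, "path": "/etc/passwd", "flags": 0, "exit": 4},
    {"syscall": "read", "pid": 100, "a0": 4},
    {"syscall": "dup2", "pid": 100, "a0": 3, "a1": 1},
    {"syscall": "fork", "pid": 100, "exit": 200},
    {"syscall": "write", "pid": 200, "a0": 1},
    {"syscall": "close", "pid": 200, "a0": 4},
    {"syscall": "close", "pid": 100, "a0": 3},
    {"syscall": "open", "pid": 100, "path": "/tmp/out", "flags": 0o101, "exit": 5},
]

if __name__ == "__main__":
    for pid, event, obj in translate(SAMPLE_RECORDS):
        print(pid, event, obj)
```

Running the block prints one line per emitted event; the child's write() on fd 1 comes out as EVENT_WRITE and EVENT_UPDATE on `socket:3` only because the earlier socket(), dup2() and fork() records were interpreted, even though none of them produced an event of its own.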