Skip to content

Generating CDM

Jump to bottom
Ashish Gehani edited this page May 31, 2019 · 15 revisions

On Ubuntu 14.04, SPADE can be used to generate CDM 20 as follows.

Install OpenJDK8:

sudo add-apt-repository -y ppa:openjdk-r/ppa
sudo apt-get update
sudo apt-get install -y openjdk-8-jdk

Install Linux dependencies:

sudo apt-get install git ifupdown libaudit-dev auditd pkg-config unzip uthash-dev linux-headers-`uname -r`

Download SPADE:

wget https://github.com/ashish-gehani/SPADE/archive/tc-e5.zip
unzip tc-e5.zip
mv SPADE-tc-e5 SPADE

Build SPADE:

cd SPADE
./configure
make

Configure SPADE:

echo 'add storage CDM output=/tmp/audit_cdm.avro' > cfg/spade.client.Control.config
echo 'add reporter Audit fileIO=true netIO=true unixSockets=true versions=false units=true' >> cfg/spade.client.Control.config

Add access:

sudo chmod ug+s `which auditctl`
sudo chmod ug+s `which iptables`
sudo chmod ug+s `which kmod`
sudo chown root bin/spadeAuditBridge bin/deleteModule
sudo chmod ug+s bin/spadeAuditBridge bin/deleteModule
sudo sed -i "s/active = no/active = yes/" /etc/audisp/plugins.d/af_unix.conf
sudo service auditd restart

Adjust audit configuration from defaults (for performance):

sudo sed -i "s/-b 320/-b 1000000/" /etc/audit/audit.rules
sudo sed -i "s/freq = 20/freq = 10000/" /etc/audit/auditd.conf
sudo sed -i "s/q_depth = 150/q_depth = 10000/" /etc/audisp/audispd.conf

Start SPADE:

bin/spade start

Run workload.

Stop SPADE:

bin/spade stop

CDM (in Avro) will be in /tmp/audit_cdm.avro

This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Clone this wiki locally