Can I stop a system call before it is executed using Stackable Filesystems? [closed]

Let's assume that I have an application X and I only track the system calls that X issues, for example in systems like "CS-STILo". The system detects anomalous sequences of system calls in order to detect code reuse attacks.
If I want to prevent the attack when I detect it, what should I do? Can I stop a system call before it is executed using Stackable Filesystems (e.g., Wrapfs)? If not, is there another way?
filesystems linux-kernel system-calls
closed as unclear what you're asking by Rui F Ribeiro, Kusalananda♦, Scott, Thomas, jimmij Mar 5 at 8:13
asked Mar 4 at 18:21 by Dalia, edited Mar 6 at 15:35
1 Answer
There are SELinux and AppArmor (called MAC, mandatory access control).
AFAIK Red Hat and CentOS use SELinux.
SUSE, Debian and Ubuntu use AppArmor by default.
In a nutshell, with SELinux or AppArmor enabled you need to grant permissions for which application/daemon is allowed to access which resources (ports, sockets, filesystem).
For example, you need to allow the Tomcat daemon to access the MySQL database on port 3306, or the Apache web server to access the filesystem under /var/www.
Whenever a system call is blocked, i.e. SELinux blocks Tomcat accessing MySQL, it's logged to /var/log/audit.log or similar depending on your Linux flavor.
answered Mar 4 at 19:28 by Michael D.
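The answer above confines an application at the resource-access level. As an added example that is not part of the original answer, the program below shows the kernel mechanism that answers the question as literally asked, refusing a system call at entry before it runs: a seccomp-BPF filter installed with prctl(2). Two caveats a practitioner would want: a stackable filesystem such as Wrapfs only sees VFS operations on files under its own mount, so it cannot intercept calls like socket(2), mmap(2) or execve(2) at all; and SELinux/AppArmor decisions are made at LSM hooks inside the call, at the access-check point, whereas seccomp decides at syscall entry. The example denies getppid(2), chosen purely as a harmless call for the demonstration, in a forked child: once with SECCOMP_RET_ERRNO so the call returns -1/EPERM without executing, and once with SECCOMP_RET_KILL_PROCESS so the process is terminated with SIGSYS, which is the response a detector that has just flagged a code-reuse attack would want. The names install_deny_filter, probe and PROBE_* are this example's own; it assumes Linux on x86-64 or AArch64.

```c
/* Added example (not from the original answer): stopping a system call at
 * entry with a seccomp-BPF filter. Linux only; SECCOMP_MODE_FILTER needs
 * kernel 3.5+, SECCOMP_RET_KILL_PROCESS 4.14+ (older kernels still kill). */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that applies `action` to syscall `nr` and allows every
 * other call. The architecture check comes first so a call made through a
 * different ABI (e.g. the 32-bit one) cannot smuggle a renumbered syscall
 * past the filter. Filters are process-wide and cannot be removed. */
static int install_deny_filter(int nr, unsigned int action)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),          /* matched: deny/kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* anything else runs */
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* An unprivileged process may only install a filter with no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Return codes of probe(). */
enum { PROBE_FAILED = 0, PROBE_DENIED_EPERM = 1, PROBE_KILLED_SIGSYS = 2 };

/* Fork a child that denies SYS_getppid with `action`, then makes that call,
 * and report how the kernel handled it. getppid is an assumption for the
 * demo: a harmless call the child would not otherwise issue. */
static int probe(unsigned int action)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_FAILED;
    if (pid == 0) {
        if (install_deny_filter(SYS_getppid, action) != 0)
            _exit(3);
        errno = 0;
        long r = syscall(SYS_getppid); /* stopped here if the filter matches */
        /* Only reached with SECCOMP_RET_ERRNO: the call returned -1/EPERM
         * without the kernel ever executing getppid. */
        _exit((r == -1 && errno == EPERM) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_FAILED;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return PROBE_KILLED_SIGSYS;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PROBE_DENIED_EPERM;
    return PROBE_FAILED;
}

int main(void)
{
    printf("SECCOMP_RET_ERRNO        -> %d (1 = call refused with EPERM)\n",
           probe(SECCOMP_RET_ERRNO | EPERM));
    printf("SECCOMP_RET_KILL_PROCESS -> %d (2 = process killed by SIGSYS)\n",
           probe(SECCOMP_RET_KILL_PROCESS));
    return 0;
}
```

A seccomp filter is a static allow/deny policy: it cannot express "anomalous sequence", so a sequence-based detector like the one in the question would have to pick the policy up front (a whitelist of the calls the application legitimately makes, with the rest killed) or run as a supervisor using SECCOMP_RET_USER_NOTIF (kernel 5.0+), which hands each matched call to user space for a per-call decision before it executes. Either way the denied call never runs, which is the property the question asks for and which post-hoc log analysis of MAC denials cannot give.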