
Obtaining System State Information

In addition to the parameters of the intercepted system calls, ID wrappers may need to access system state to acquire additional data for their analysis. For example, the owner, group, and permission mode of a file being accessed may be required to determine whether this file access deviates from a specified valid behavior profile. An ID support module has been added to the Generic Software Wrappers toolkit to provide a set of library functions for ID wrappers. Table 1 enumerates the library functions that have been implemented. Additional functions can be implemented and added to the system easily.
 
Table 1: Wrapper Library functions to support Intrusion Detection

Name              Function
wr_stat           obtain status of the file specified by a path
wr_fstat          obtain status of the file specified by a file descriptor
wr_audit          deliver audit data to the audit event handler
wr_audit_printf   same as wr_audit, but with the printf interface
wr_get_addr       obtain the socket address of a socket specified by a file descriptor
wr_getpeername    get the name of the peer of a connection
wr_getsockname    get the name of the local entity of a connection
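
The file-state check described above, sketched as an added user-space example (not code from the paper or from the Generic Software Wrappers toolkit). The page does not give the signatures of wr_stat and wr_fstat, so POSIX stat(2) and fstat(2) stand in for them; struct file_rule, the verdict values and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical profile entry: what the valid-behavior profile expects. */
struct file_rule {
    uid_t  owner;           /* expected owner */
    gid_t  group;           /* expected group */
    mode_t forbidden_bits;  /* permission bits that must not be set */
};
enum verdict { CONFORMS, BAD_OWNER, BAD_GROUP, BAD_MODE, NO_STATE };

/* Compare observed file state with the rule; the first deviation wins. */
static enum verdict judge(const struct stat *st, const struct file_rule *r) {
    if (st->st_uid != r->owner) return BAD_OWNER;
    if (st->st_gid != r->group) return BAD_GROUP;
    if (st->st_mode & r->forbidden_bits) return BAD_MODE;
    return CONFORMS;
}

/* Path-based lookup, the role wr_stat plays; stat(2) is a stand-in. */
enum verdict check_path(const char *path, const struct file_rule *r) {
    struct stat st;
    return stat(path, &st) == 0 ? judge(&st, r) : NO_STATE;
}

/* Descriptor-based lookup, the role wr_fstat plays; fstat(2) is a stand-in.
   It reports on the object actually opened, whatever the path now names. */
enum verdict check_fd(int fd, const struct file_rule *r) {
    struct stat st;
    return fstat(fd, &st) == 0 ? judge(&st, r) : NO_STATE;
}

int main(void) {
    char path[] = "/tmp/idwrapXXXXXX";   /* constructed sample file */
    struct stat st;
    int fd = mkstemp(path);              /* created with mode 0600 */
    if (fd < 0 || fstat(fd, &st) != 0) return 1;
    /* Constructed rule: the file's own owner and group, no group/other write. */
    struct file_rule rule = { st.st_uid, st.st_gid, S_IWGRP | S_IWOTH };
    printf("mode 0600 -> verdict %d\n", check_fd(fd, &rule));
    if (fchmod(fd, 0666) != 0) return 1;
    printf("mode 0666 -> verdict %d\n", check_path(path, &rule));
    close(fd);
    unlink(path);
    return 0;
}
```

A state lookup that fails is reported as NO_STATE rather than treated as conforming, so the caller decides how to handle an access whose file state could not be obtained.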
 


Calvin Ko
2000-06-13