On Wed, 08 Mar 2017 15:20:57 +0300, Lev Olshvang said: > Hi Greg, > > Thank you for a prompt reply. My intention is to build some euristics for > Intrusion detection of embedded based on sequence of syscalls. > I am collecting syscall events and send then with netlink to my monitor. > Since platform may use SELinux or other LSM, I thought the hook of syscall is > the only point I can use to catch syscalls. > > Is it wrong direction ?
SELinux supports being stacked with a "small" LSM that can do what you want. Or use the already-provided audit function to track syscalls and send them to userspace via netlink to your monitor.
pgpcOhgYz3CLF.pgp
Description: PGP signature
_______________________________________________ Kernelnewbies mailing list [email protected] https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
