
      secDetector Installation

      Software and Hardware Requirements

      Hardware Requirements

      • x86_64 or AArch64 processors
      • Drive: 1 GB or more
      • Memory: 100 MB or more

      OS Requirements

      openEuler 22.03 LTS SP3 or later

      Environment Setup

      Install the openEuler OS. For details, see the openEuler Installation Guide.

      secDetector Installation

      1. Configure the openEuler yum repository. openEuler 22.03 LTS ships with the yum repository configured by default, so no additional operation is usually required. In special cases, configure the online yum repository by referring to the openEuler official documentation, or configure a local yum repository by mounting an ISO file.

      2. Install secDetector.

        #Install secDetector.
        sudo yum install secDetector

      NOTE:

      After secDetector is installed, you can obtain the following files required for deploying secDetector:

      #Core framework of the kerneldriver of secDetector
      /lib/modules/%{kernel_version}/extra/secDetector/secDetector_core.ko

      #Functional component of the kerneldriver of secDetector
      /lib/modules/%{kernel_version}/extra/secDetector/secDetector_xxx.ko

      #Daemon process file of secDetector
      /usr/bin/secDetectord

      #SDK library files of secDetector
      /usr/lib64/secDetector/libsecDetectorsdk.so
      /usr/include/secDetector/secDetector_sdk.h
      /usr/include/secDetector/secDetector_topic.h

      secDetector Deployment

      secDetectord, the main body of secDetector, is deployed as a system service. A front-end service communicates with secDetectord by integrating the SDK. Because some secDetector capabilities must be built into the kernel, the full set of secDetectord functions also depends on the kerneldriver that runs beneath it.

      Deploying the Kerneldriver

      1. Insert secDetector_core.ko, the basic framework of the kernel driver. It must be deployed prior to other kernel modules. Find the secDetector_core.ko directory after the installation and insert it into the kernel. The command is as follows:

        sudo insmod secDetector_core.ko

        secDetector_core accepts a module parameter, ringbuf_size, which sets the size of the buffer used by the data channel between the kerneldriver and secDetectord in user space. The value is an integer in MB, ranging from 4 to 1024, and must be a power of 2. The default value is 4. The command is as follows:

        sudo insmod secDetector_core.ko ringbuf_size=128
      2. Insert the functional modules of the kerneldriver, which are deployed in modular mode. You can deploy required functional modules based on the framework or deploy all modules. The command is as follows:

        sudo insmod secDetector_kmodule_baseline.ko
        sudo insmod secDetector_memory_corruption.ko
        sudo insmod secDetector_program_action.ko
        sudo insmod secDetector_xxx.ko
        • secDetector_kmodule_baseline.ko detects the kernel module list and is a memory modification probe.
        • secDetector_memory_corruption.ko detects memory modifications and is a memory modification probe.
        • secDetector_program_action.ko detects program behavior and is a program behavior probe.

      Deploying the usrdriver and observer_agent

      The usrdriver and the observer_agent service have been integrated into secDetectord. The following command is for reference:

      sudo ./secDetectord &

      The usrdriver provides file operation probes and process management probes.

      secDetectord supports the following configuration options:

      Syntax: secDetectord [Option]
      By default, secDetectord runs in the background, obtains data from the probes, and forwards the data to subscribers.
      Options:
        -d         Run in the foreground in debug mode and print the probe data on the console.
        -s <size>  Size of the eBPF buffer, in MB. The default value is 4. The value ranges from 4 to 1024 and must be a power of 2. There are two independent buffers.
        -t <topic> Events to subscribe to. By default, all events are subscribed to. A topic is a bitmap. For example, -t 0x60 subscribes to both process creation and process exit events. For details, see include/secDetector_topic.h.

      SDK Deployment

      By default, the library files of the SDK are deployed in the system library directory. You only need to reference the header files of the SDK in your program.
