secDetector Installation
Software and Hardware Requirements
Hardware Requirements
- x86_64 or AArch64 processors
- Drive: 1 GB or more
- Memory: 100 MB or more
OS Requirements
openEuler 22.03 LTS SP3 or later
Environment Setup
Install the openEuler OS. For details, see the openEuler Installation Guide.
secDetector Installation
Configure the openEuler yum repository. openEuler 22.03 LTS is configured with the yum repository by default, so no additional operation is normally required. In special cases, configure the online yum repository by referring to the openEuler official document, or configure a local yum repository by mounting an ISO file.
Install secDetector.
# Install secDetector.
sudo yum install secDetector
NOTE:
After secDetector is installed, you can obtain the following files required for deploying secDetector:
#Core framework of the kerneldriver of secDetector
/lib/modules/%{kernel_version}/extra/secDetector/secDetector_core.ko
#Functional component of the kerneldriver of secDetector
/lib/modules/%{kernel_version}/extra/secDetector/secDetector_xxx.ko
#Daemon process file of secDetector
/usr/bin/secDetectord
#SDK library files of secDetector
/usr/lib64/secDetector/libsecDetectorsdk.so
/usr/include/secDetector/secDetector_sdk.h
/usr/include/secDetector/secDetector_topic.h
secDetector Deployment
secDetectord, the main body of secDetector, is deployed as a system service. A foreground service system communicates with secDetectord by integrating the SDK. Because some secDetector capabilities must be built into the kernel, the full function set of secDetectord also depends on its background kernel driver.
Deploying the Kerneldriver
Insert secDetector_core.ko, the basic framework of the kernel driver. It must be deployed before any other secDetector kernel module. Locate secDetector_core.ko in the installation directory and insert it into the kernel. The command is as follows:
sudo insmod secDetector_core.ko
secDetector_core supports the module parameter ringbuf_size, passed on the insmod command line. It controls the buffer size of the data channel between the kernel driver and secDetectord in user space. The value is an integer from 4 to 1024, in MB, and must be a power of 2; the default is 4. The command is as follows:
sudo insmod secDetector_core.ko ringbuf_size=128
Insert the functional modules of the kernel driver, which are deployed modularly: you can load only the functional modules you need on top of the framework, or load all of them. The commands are as follows:
sudo insmod secDetector_kmodule_baseline.ko
sudo insmod secDetector_memory_corruption.ko
sudo insmod secDetector_program_action.ko
sudo insmod secDetector_xxx.ko
- secDetector_kmodule_baseline.ko checks the kernel module list; it is a memory modification probe.
- secDetector_memory_corruption.ko detects memory modifications; it is a memory modification probe.
- secDetector_program_action.ko detects program behavior; it is a program behavior probe.
Deploying the usrdriver and observer_agent
The usrdriver and the observer_agent service have been integrated into secDetectord. The following command is for reference:
sudo ./secDetectord &
The usrdriver provides file operation probes and process management probes.
secDetectord supports the following configuration options:
Syntax: secDetectord [Option]
By default, secDetectord runs in the background, obtains data from probes, and forwards the data to subscribers.
Options:
-d Enter the debug mode in the foreground, and print the probe data on the console.
-s <size> Size of the eBPF buffer, in MB. The default value is 4. The value of size ranges from 4 to 1024 and must be a power of 2. There are two independent buffers.
-t <topic> Events to be subscribed to. By default, all events are subscribed to. A topic is in bitmap format. For example, -t 0x60 subscribes to process creation and exit events at the same time. For details, see include/secDetector_topic.h.
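The deployment steps above (insert secDetector_core.ko with a validated ringbuf_size, then the functional probe modules, then start secDetectord with a matching -s value) collected into one added example script. This script is not part of the secDetector project; it assumes the module path from the installation listing and the 4 to 1024 MB power-of-two constraint the text states for both ringbuf_size and -s. The names DRY_RUN, valid_buf_size, build_insmod_plan, run_plan and deploy are chosen here; by default it only prints the commands it would run, so it can be reviewed on a machine without secDetector installed.

```shell
#!/bin/sh
# Added example (not the secDetector project's own code): deploy the secDetector
# kernel driver and start secDetectord with a validated buffer size.
# Assumes the module directory from the installation listing and root
# privileges when DRY_RUN=0. DRY_RUN=1 (default) only prints the commands.

KVER="$(uname -r)"
MODDIR="/lib/modules/${KVER}/extra/secDetector"   # path from the install listing
: "${DRY_RUN:=1}"

# Both ringbuf_size (secDetector_core) and secDetectord -s take an integer
# number of MB from 4 to 1024 that is a power of two. Returns 0 when valid.
valid_buf_size() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;          # empty or not a non-negative integer
    esac
    [ "$n" -ge 4 ] && [ "$n" -le 1024 ] || return 1
    [ $(( n & (n - 1) )) -eq 0 ]          # power of two: n & (n-1) == 0
}

# Print the ordered insmod plan, one command per line: the core framework
# first (it must precede every other module), then the functional probes.
build_insmod_plan() {
    size="$1"; shift
    printf 'insmod %s/secDetector_core.ko ringbuf_size=%s\n' "$MODDIR" "$size"
    for m in "$@"; do
        printf 'insmod %s/secDetector_%s.ko\n' "$MODDIR" "$m"
    done
}

# Execute (or, in dry-run mode, echo) each planned command; stop on first failure.
run_plan() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Full deployment: validate the size, load core + probes, start the daemon.
deploy() {
    size="${1:-4}"
    if ! valid_buf_size "$size"; then
        echo "invalid buffer size '$size': must be 4..1024 MB and a power of two" >&2
        return 2
    fi
    build_insmod_plan "$size" kmodule_baseline memory_corruption program_action \
        | run_plan || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] /usr/bin/secDetectord -s $size"
    else
        /usr/bin/secDetectord -s "$size" &
    fi
}

# Only deploy when invoked as: sh deploy_secdetector.sh --deploy <size>
if [ "${1:-}" = "--deploy" ]; then
    deploy "${2:-4}"
fi
```

Running `DRY_RUN=1 sh deploy_secdetector.sh --deploy 128` prints the four insmod commands and the secDetectord start line; `DRY_RUN=0` executes them. The size check is shared deliberately, since the kernel ring buffer and the daemon's eBPF buffer are documented with the same constraint.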
SDK Deployment
By default, the library files of the SDK are deployed in the system library directory. You only need to reference the header files of the SDK in your program.