secDetector Usage

secDetector provides an SDK, that is, an .so library. Users can integrate the dynamic link library (DLL) into their applications to use secDetector through APIs. This chapter describes how to use the SDK.

How to Use

After secDetector is installed by referring to secDetector Installation, libsecDetectorsdk.so, secDetector_sdk.h, and secDetector_topic.h are deployed in the default path of the system user library.

1. After ensuring that the include path is included in the application developed using C or C++, reference the two header files in the application.

   #include <secDetector/secDetector_topic.h>
   #include <secDetector/secDetector_sdk.h>
   

2. Call APIs provided by the SDK to access secDetector by referring to API Reference.

   1. Call the subscription API secSub to subscribe to the required topics.
   2. Call the message reading API secReadFrom in an independent thread to read the messages from the subscribed topics in blocking mode.
   3. If secDetector is not required, call the secUnsub API for unsubscription. Use the return value of subscription during unsubscription.

Sample Code

See the sample code compiled in Python in the secDetector code repository.

1. View the sample code at the following link:

   examples/python · openEuler/secDetector (gitee.com)

2. Alternatively, download sample code.

git clone https://gitee.com/openeuler/secDetector.git

Specifications and Constraints

1. Some functions (such as the security switch in memory modification probes) depend on the hardware architecture. They perform differently on different instruction set architectures.
2. The buffer size for transferring data from the kernel to the user mode is shared by probes. If the buffer is full, newly collected event information is discarded. The buffer size ranges from 4 MB to 1,024 MB and must be a power of 2.
3. The service process secDetectord can be run by the root user and does not support multiple instances. The program that is not the first to run exits.
4. The maximum number of user subscription connections is 5.
5. After a user subscribes to specific topics, a buffer needs to be provided for the message reading API. Messages that exceed the buffer length will be truncated. It is recommended that the buffer length be greater than or equal to 4096.
6. The length of the description character strings such as the file name and node name is limited. If the length is too long, the description character strings may be truncated.
7. Parallel multi-connection secDetectord for receiving messages is not supported within a single process of an application. Once a subscription is successful, a single connection is used to receive messages. You can subscribe to different topics only after unsubscribing from the subscribed topics.
8. The secDetectord process can be closed and exited only after all applications are disconnected, that is, all topics are unsubscribed.
9. Some functions (such as the security switch in memory modification probes) are based on the CPU status. The basic detection function is to detect the status change of the current CPU. If the status change of other CPUs is not synchronized to the current CPU in time, the status change of other CPUs will not be detected.