Using secDetector
secDetector provides an SDK, a shared object library, that applications can link against to use secDetector through a small set of interfaces. This document describes how to use secDetector.
Basic Usage
After secDetector is installed according to Installing secDetector, libsecDetectorsdk.so, secDetector_sdk.h, and secDetector_topic.h are deployed to the system's default user library path.
Ensure the include path is configured for applications developed in C or C++. Then, include these two header files in the program.
```c
#include <secDetector/secDetector_topic.h>
#include <secDetector/secDetector_sdk.h>
```
Refer to API Reference to call the interfaces provided by the SDK to access secDetector.
- First, call the subscription interface secSub to subscribe to the required topics.
- Then, call the message reading interface secReadFrom in a separate thread to block and read the information generated by the subscribed topics.
- Finally, when secDetector is no longer needed, call the unsubscription interface secUnsub. When unsubscribing, strictly use the return value from the subscription.
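The three steps above as one complete program, added here as an example and not code from the secDetector project. Only the interface names secSub, secReadFrom and secUnsub come from this document; the C prototypes declared in load_sdk() (secSub(int) returning a reader handle, secReadFrom(int, char*, int), secUnsub(int)) and the topic mask value are assumptions to check against the API Reference. FakeSdk is a constructed stand-in for libsecDetectorsdk.so so the flow can be run without the daemon; replace it with load_sdk() on a host where secDetector is installed.

```python
"""Added example (not the secDetector project's own code).

Lifecycle: one secSub, a separate thread blocking in secReadFrom with a
>= 4096-byte buffer, then secUnsub called with exactly the value secSub
returned.  Prototypes in load_sdk() are assumptions; FakeSdk is constructed.
"""
import ctypes
import threading
import time

READ_BUF_LEN = 4096   # minimum recommended under "Specifications and Constraints"


def load_sdk(path="libsecDetectorsdk.so"):
    """Load the real SDK and declare the prototypes this example assumes."""
    lib = ctypes.CDLL(path)
    lib.secSub.argtypes = [ctypes.c_int]                                      # assumed
    lib.secSub.restype = ctypes.c_int                                         # assumed
    lib.secReadFrom.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_int]  # assumed
    lib.secReadFrom.restype = None                                            # assumed
    lib.secUnsub.argtypes = [ctypes.c_int]                                    # assumed
    lib.secUnsub.restype = None                                               # assumed
    return lib


class SecDetectorClient:
    """One subscription and one reader thread per process, as the constraints require."""

    def __init__(self, lib, on_message):
        self._lib = lib
        self._on_message = on_message
        self._reader = None        # value returned by secSub; reused verbatim for secUnsub
        self._thread = None
        self._stop = threading.Event()
        self.truncated = 0         # messages that filled the buffer and may have been cut

    def subscribe(self, topic_mask):
        if self._reader is not None:
            raise RuntimeError("already subscribed; call unsubscribe() first")
        reader = self._lib.secSub(topic_mask)
        if reader < 0:
            raise OSError(f"secSub failed with {reader}")
        self._reader = reader
        self._stop.clear()
        self._thread = threading.Thread(target=self._read_loop, daemon=True)
        self._thread.start()
        return reader

    def _read_loop(self):
        while not self._stop.is_set():
            buf = ctypes.create_string_buffer(READ_BUF_LEN)   # zero-filled each round
            self._lib.secReadFrom(self._reader, buf, READ_BUF_LEN)
            msg = buf.value                                   # bytes up to the first NUL
            if not msg:
                continue
            if len(msg) >= READ_BUF_LEN - 1:                  # buffer full: treat as truncated
                self.truncated += 1
            self._on_message(msg.decode("utf-8", errors="replace"))

    def unsubscribe(self):
        if self._reader is None:
            return
        self._stop.set()
        self._lib.secUnsub(self._reader)    # strictly the handle secSub returned
        self._thread.join(timeout=1.0)
        self._reader = None


class FakeSdk:
    """Constructed stand-in for libsecDetectorsdk.so; hands out canned messages."""

    def __init__(self, messages):
        self.pending = list(messages)
        self.unsubscribed_with = []

    def secSub(self, topic_mask):
        return 42                                      # pretend reader handle

    def secReadFrom(self, reader, buf, buf_len):
        if self.pending:
            data = self.pending.pop(0)[:buf_len - 1]   # keep room for the terminating NUL
            ctypes.memmove(buf, data, len(data))
        else:
            time.sleep(0.005)                          # the real call would block here

    def secUnsub(self, reader):
        self.unsubscribed_with.append(reader)


def run_offline():
    """Drive the full subscribe/read/unsubscribe cycle against FakeSdk."""
    sdk = FakeSdk([b"event=process_create pid=123", b"x" * 5000])  # constructed messages
    received = []
    client = SecDetectorClient(sdk, received.append)
    handle = client.subscribe(0x1)          # topic mask value is a placeholder
    deadline = time.time() + 2
    while len(received) < 2 and time.time() < deadline:
        time.sleep(0.01)
    client.unsubscribe()
    return {"handle": handle, "received": received,
            "truncated": client.truncated, "unsub": sdk.unsubscribed_with}


if __name__ == "__main__":
    print(run_offline())
```

The second canned message is longer than the buffer, so it arrives cut to 4095 bytes and the client counts it as truncated; sizing the buffer for the largest message you expect avoids losing data that way. The client also refuses a second subscribe() until unsubscribe() has run, matching the one-connection-per-process constraint.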
Code Example
Refer to the example code in the secDetector repository, which is written in Python.
View the example code at the following link:
Alternatively, download the repository for reference:
```shell
git clone https://gitee.com/openeuler/secDetector.git
```
Specifications and Constraints
- Some functions (such as the memory modification probe - security switch) depend on the hardware architecture, so their behavior differs across different instruction set architectures.
- The data buffer space for transferring data from the kernel to user space is shared among probes. If the buffer is full, newly collected event information will be discarded. The configurable range for the buffer space is 4-1024 MB and must be a power of 2.
- The service process secDetectord supports running as the root user but does not support multiple instances; any instance started after the first will exit.
- The number of user subscription connections is limited to 5.
- After a user subscribes, when reading messages, a buffer must be provided for the message reading interface. Messages exceeding the buffer length will be truncated. A buffer length of at least 4,096 is recommended.
- Descriptive strings like filenames and node names have length limits, and excessively long ones may be truncated.
- A single application process does not support multiple parallel connections to secDetectord for receiving messages. Only one subscription and one connection for receiving messages are allowed at a time. Resubscription is only possible after unsubscribing.
- The secDetectord process should wait for all application connections to be disconnected, meaning all topics are fully unsubscribed, before shutting down and exiting.
- Some functions (such as the memory modification probe - security switch) are based on the state of the current CPU, so the basic function detects state changes only on the current CPU. State changes on other CPUs are not detected unless they are synchronized to the current CPU in a timely manner.