1. Introduction ofTOMOYO Linux September 2010 TOMOYO Linux project

2. TOMOYO Linux as a “Linux system analyze tool” Part 1

3. TOMOYO Linux is an extension of Linux kernel (it’s not a Linux distribution) TOMOYO Linux add a “process tracing capability” to your Linux environment “process tracing capability” What is TOMOYO Linux?

4. It is a capability to store “how a process has been created” For instance, if you logged in via ssh and get a /bin/bash session, that bash session is stored as follows: “<kernel> /sbin/init /bin/sh /etc/rc.d/rc /etc/rc.d/init.d/sshd /usr/sbin/sshd /usr/sbin/sshd/bin/bash” What is “process tracing capability”?

5. If you logged in through a console “<kernel> /sbin/init /bin/sh /sbin/mingetty /bin/login /bin/bash” “<kernel>” is just a symbol to indicated the starting point, and each program names just follow with space as a separator

6. If TOMOYO Linux is enabled “process invocation history” information is automatically stored you can see how each process has been created You can browse the entire process invocation history by using a TOMOYO Linux policy editor (it’s CUI) So what?

7. Fedora 13

8. Fedora 13 (firefox)

9. Log in as a root execute “ccs-editpolicy” Total numbers of different “process invocation history” patterns is displayed like “601 domains” Use cursor key to go up/down How to use the TOMOYO Linuxpolicy editor

10. TOMOYO Linux monitors actions caused for each “process invocation history” pattern To see them, simply select the line and hit enter key

11. Fedora 13 (firefox)

12. You need to install TOMOYO Linux kernel and TOMOYO Linux tools We are maintaining TOMOYO Linux kernel and tools repositoriesfor users’ convenience Kernel patches and tools source code are available, too Project homepage has everything you need http://tomoyo.sourceforge.jp/ How to use TOMOYO Linux

13. TOMOYO Linux as a “security tool” Part 2

14. Demo movie

15. Q and A