Quick start
-----------

These are instructions on how to get up and running with swabber quickly.

a) Compile swabber

   Run:

       make

b) Profile your host distribution

   Run:

       ./update_distro mydistrodir

   This will generate a directory called mydistrodir, guess your host
   distribution, and generate some files which summarize the packages on
   your host in a data structure optimized for swabber. This directory
   could be 100M in size. This may take a minute or two to complete, but
   you only need to do it once. If you run it a second time, it'll detect
   if anything has changed, and will exit quickly.

c) Do a build to profile

   Run anything, under:

       strace -o logs/foo.log -e trace=open,execve -f

   This will create a large file called foo.log. You may want to make a
   collection of .log files in one directory.

d) Run swabber to generate a report

       ./swabber -c all -l logs -o required.txt -r extra.txt \
           -p -d mydistrodir/ ~ /tmp

   "-c all" means run all the tests. logs is the directory where you placed
   foo.log and any other logs. -p is the project itself. Here, ~ and /tmp
   are directories you don't care about: we can be assured that nothing
   accessed under them is a cause of host contamination.

   This will create two report files: required.txt and extra.txt.

e) Read the reports

   In required.txt, you should see something like:

       # Automatically generated by swabber on Wed Nov 17 16:52:03 2010
       # Distro: Ubuntu-10.04.1-64
       binutils 2.20.1-3ubuntu7
       # at-config:
       #     /usr/lib/libopcodes-2.20.1-system.20100303.so
       #     /usr/lib/libbfd-2.20.1-system.20100303.so
       #     /usr/bin/as
       # at-make:
       #     /usr/lib/libopcodes-2.20.1-system.20100303.so
       #     /usr/lib/libbfd-2.20.1-system.20100303.so
       #     /usr/bin/ld
       #     /usr/bin/as
       dash 0.5.5.1-3ubuntu2
       # at:
       #     /bin/sh
       sed 4.2.1-6
       # at:
       #     /bin/sed

   This means that the host packages binutils, dash and sed were
   referenced, and shows what files within each were used.

   extra.txt shows more detail. For each tag (at-config, at-make), it
   will do some analysis that highlights suspicious activity.
   The types of information include:

   A. Dangerous errors
      - blacklist: if you specify a blacklist file, these are packages
        that were referenced and are known to be dangerous.
      - wandering: the software wandered the host filesystem, then found
        a needed file within the project.

   B. Warnings
      - referenced packages: host packages that were accessed.
      - files not in packages: host files that were successfully
        accessed, but were not in the host's package database.

   C. Info
      - packages in the whitelist: if you specified a whitelist, these
        are the packages that were in it and could be skipped.
      - files that could not be accessed because of errors: speaks for
        itself.
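   To make steps c) to e) and the report categories above concrete, here
   is an added Python example. It is not swabber's own code (swabber is
   written in C) and it stands in for the real analysis with a constructed
   strace excerpt and a constructed package database in place of
   mydistrodir; SAMPLE_LOG, HOST_DB, parse_log, analyze and
   format_required are the example's own names. It walks the open/execve
   records in order, maps each successfully opened host file to a package,
   treats files under the project or the ignored directories as not
   host-relevant, and flags "wandering" when a lookup fails on the host
   and a file with the same name is then found inside the project.

```python
import os
import re
from collections import defaultdict

# Constructed strace excerpt (not from the page), in the shape produced by
# `strace -f -e trace=open,execve`: "<pid>  call(args) = result".
SAMPLE_LOG = """\
4711  execve("/usr/bin/ld", ["ld", "-o", "foo"], [/* 20 vars */]) = 0
4711  open("/usr/lib/libbfd-2.20.1-system.20100303.so", O_RDONLY) = 3
4711  open("/etc/ld.so.cache", O_RDONLY) = 3
4711  open("/usr/include/foo.h", O_RDONLY) = -1 ENOENT (No such file or directory)
4711  open("/home/me/proj/include/foo.h", O_RDONLY) = 4
4712  open("/bin/sh", O_RDONLY) = 3
4712  open("/tmp/ccXYZ.s", O_RDWR|O_CREAT, 0600) = 5
4712  open("/root/.secret", O_RDONLY) = -1 EACCES (Permission denied)
"""

# Constructed stand-in for the mydistrodir package database: path -> (package, version).
HOST_DB = {
    "/usr/bin/ld": ("binutils", "2.20.1-3ubuntu7"),
    "/usr/lib/libbfd-2.20.1-system.20100303.so": ("binutils", "2.20.1-3ubuntu7"),
    "/bin/sh": ("dash", "0.5.5.1-3ubuntu2"),
}

# Matches open()/execve() lines; the last group is the errno name on a failed call.
LINE_RE = re.compile(
    r'^(?:\d+\s+)?(open|execve)\("([^"]*)".*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?'
)


def parse_log(text):
    """Return one dict per open/execve line: call, path, success flag, errno name."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # unfinished/resumed fragments, signals etc. are skipped
            continue
        call, path, ret, err = m.groups()
        events.append({"call": call, "path": path, "ok": int(ret) >= 0, "err": err})
    return events


def _under(path, dirs):
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def analyze(events, host_db, project_dirs, ignore_dirs=(), whitelist=(), blacklist=()):
    """Classify accessed files into the categories the swabber reports describe."""
    report = {
        "blacklist": set(),            # dangerous packages that were referenced
        "wandering": [],               # (failed host path, project path found later)
        "packages": defaultdict(set),  # (name, version) -> host files used
        "not_in_packages": set(),      # host files outside any package
        "whitelist": set(),            # referenced packages that may be skipped
        "errors": [],                  # (path, errno) for every failed access
    }
    failed_host = {}  # basename -> host path of an earlier ENOENT lookup
    skip = list(project_dirs) + list(ignore_dirs)
    for ev in events:
        path, base = ev["path"], os.path.basename(ev["path"])
        if not ev["ok"]:
            report["errors"].append((path, ev["err"]))
            if ev["err"] == "ENOENT" and not _under(path, skip):
                failed_host[base] = path
            continue
        if _under(path, project_dirs):
            # A miss on the host followed by a hit inside the project is "wandering".
            if base in failed_host:
                report["wandering"].append((failed_host.pop(base), path))
            continue
        if _under(path, ignore_dirs):
            continue
        pkg = host_db.get(path)
        if pkg is None:
            report["not_in_packages"].add(path)
            continue
        name, version = pkg
        if name in blacklist:
            report["blacklist"].add(name)
        if name in whitelist:
            report["whitelist"].add(name)
            continue
        report["packages"][(name, version)].add(path)
    return report


def format_required(report, distro="Unknown"):
    """Render the required.txt layout: 'package version', then '# at:' file lines."""
    lines = [f"# Distro: {distro}"]
    for name, version in sorted(report["packages"]):
        lines.append(f"{name} {version}")
        lines.append("# at:")
        lines.extend(f"#\t{p}" for p in sorted(report["packages"][(name, version)]))
    return "\n".join(lines)


def run_sample():
    """Analyze the constructed log with /home/me/proj as the project and /tmp ignored."""
    return analyze(parse_log(SAMPLE_LOG), HOST_DB, project_dirs=["/home/me/proj"],
                   ignore_dirs=["/tmp"], blacklist=["dash"])


if __name__ == "__main__":
    rep = run_sample()
    print(format_required(rep, "Ubuntu-10.04.1-64"))
    print("wandering:", rep["wandering"])
    print("not in packages:", sorted(rep["not_in_packages"]))
    print("blacklisted:", sorted(rep["blacklist"]))
```

   On the constructed log this lists binutils and dash as referenced
   packages, reports /etc/ld.so.cache as a host file not in any package,
   flags the foo.h lookup that failed under /usr/include and then
   succeeded inside the project as wandering, and records both failed
   opens as errors. The example only recognises the open and execve calls
   the page traces; a real log from a newer strace would also need openat
   handling.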