Quick start
-----------
These are instructions on how to get up and running with swabber quickly.
a) Compile swabber
Run:
make
b) Profile your host distribution
Run:
./update_distro mydistrodir
This will generate a directory called mydistrodir, guess your host
distribution, and generate some files which summarize the packages
on your host in a data structure optimized for swabber. This directory
could be 100M in size. This may take a minute or two to complete.
This may take some time, but you only need to do it once. If you
run it a second time, it will detect whether anything has changed and
exit quickly.
c) Do a build to profile
Run anything, under:
strace -o logs/foo.log -e trace=open,execve -f <my command>
This will create a large file called foo.log. You may want to make
a collection of .log files in one directory.
d) Run swabber to generate a report
./swabber -c all -l logs -o required.txt -r extra.txt \
-p <project_dir> -d mydistrodir/ ~ /tmp
"-c all" means run all the tests. logs is the directory where you placed
foo.log and any other logs. -p <project_dir> is the project itself.
Here, ~ and /tmp are directories you don't care about: accesses under
them are taken to be no cause for host contamination and are ignored.
This will create two report files: required.txt and extra.txt.
e) Read the reports
In required.txt, you should see something like:
# Automatically generated by swabber on Wed Nov 17 16:52:03 2010
# Distro: Ubuntu-10.04.1-64
binutils 2.20.1-3ubuntu7
# at-config:
# /usr/lib/libopcodes-2.20.1-system.20100303.so
# /usr/lib/libbfd-2.20.1-system.20100303.so
# /usr/bin/as
# at-make:
# /usr/lib/libopcodes-2.20.1-system.20100303.so
# /usr/lib/libbfd-2.20.1-system.20100303.so
# /usr/bin/ld
# /usr/bin/as
dash 0.5.5.1-3ubuntu2
# at:
# /bin/sh
sed 4.2.1-6
# at:
# /bin/sed
This means that the host packages binutils, dash and sed were referenced, and
shows what files within each were used.
extra.txt shows more detail. For each tag (at-config, at-make), it does some
analysis that highlights suspicious activity. The types of information include:
A. Dangerous errors
- blacklist: if you specify a blacklist file, this is packages that were referenced
and known to be dangerous.
- wandering: the software wandered the host filesystem, then found a needed file
within the project.
B. Warnings
- referenced packages: host packages that were accessed
- files not in packages: host files that were successfully accessed, but were not
in the host's package database.
C. Info
- packages in the whitelist: if you specified a whitelist, these are the packages
that were in it and could be skipped
- files that could not be accessed because of errors: speaks for itself
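To show how the pieces above fit together, here is an added example (not swabber's own code, and not from this page) that walks a constructed excerpt of an "strace -f -e trace=open,execve" log and sorts the accesses into the categories described in steps d) and e): referenced host packages, host files that are not in any package, files that could not be accessed, and "wandering" (a failed host lookup followed by finding the same file inside the project). The project directory, the ignored directories and the path-to-package map are all assumptions standing in for -p, the trailing ignore directories and the mydistrodir summary; the log lines and the package map are constructed sample data.

```python
import os
import re
from collections import defaultdict

# Constructed excerpt of an "strace -f -e trace=open,execve" log; not a real capture.
SAMPLE_LOG = """\
1001 execve("/usr/bin/make", ["make"], [/* 30 vars */]) = 0
1002 execve("/bin/sh", ["sh", "-c", "gcc -c foo.c"], [/* 30 vars */]) = 0
1003 execve("/usr/bin/gcc", ["gcc", "-c", "foo.c"], [/* 30 vars */]) = 0
1003 open("/usr/lib/libbfd-2.20.1-system.20100303.so", O_RDONLY) = 3
1003 open("/tmp/ccAbc123.s", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
1003 open("/usr/include/zlib.h", O_RDONLY) = -1 ENOENT (No such file or directory)
1003 open("/usr/local/include/zlib.h", O_RDONLY) = -1 ENOENT (No such file or directory)
1003 open("/home/me/proj/include/zlib.h", O_RDONLY) = 5
1003 open("/etc/ld.so.cache", O_RDONLY) = 6
1003 open("/home/me/proj/foo.c", O_RDONLY) = 7
"""

# Constructed stand-in for the package summary update_distro builds
# (host path -> owning package); a real run derives this from the
# distribution's package database.
PACKAGE_DB = {
    "/usr/bin/make": "make",
    "/bin/sh": "dash",
    "/usr/bin/gcc": "gcc",
    "/usr/lib/libbfd-2.20.1-system.20100303.so": "binutils",
}

# One strace line: "<pid> open|execve("<path>", ...) = <ret> [ERRNO (text)]".
# Lines split by "<unfinished ...>" / "<... resumed>" do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>open|execve)\("(?P<path>[^"]*)".*?'
    r'\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)


def parse_line(line):
    """Return a dict describing one open/execve event, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "pid": m.group("pid"),
        "call": m.group("call"),
        "path": m.group("path"),
        "ok": int(m.group("ret")) >= 0,
        "errno": m.group("errno"),
    }


def _under(path, directory):
    """True if path lies inside directory (prefix match on whole path components)."""
    return path.startswith(directory.rstrip("/") + "/")


def analyse(log_text, project_dir, ignore_dirs, package_db):
    """Classify every access in log_text the way the extra.txt categories describe."""
    report = {
        "referenced_packages": defaultdict(set),  # package -> host files used
        "files_not_in_packages": set(),           # host files owned by no package
        "could_not_access": set(),                # (path, errno) for failed accesses
        "wandering": [],                          # host misses resolved inside the project
    }
    # pid -> basename -> host paths that failed, for the wandering check
    failed_by_pid = defaultdict(dict)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        path, base, pid = ev["path"], os.path.basename(ev["path"]), ev["pid"]
        if _under(path, project_dir):
            # Project files are fine; a hit after failed host lookups is "wandering".
            if ev["ok"] and base in failed_by_pid[pid]:
                report["wandering"].append(
                    {"tried": failed_by_pid[pid].pop(base), "found": path})
            continue
        if any(_under(path, d) for d in ignore_dirs):
            continue  # directories the user declared irrelevant (e.g. ~ and /tmp)
        if not ev["ok"]:
            report["could_not_access"].add((path, ev["errno"]))
            failed_by_pid[pid].setdefault(base, []).append(path)
            continue
        pkg = package_db.get(path)
        if pkg:
            report["referenced_packages"][pkg].add(path)
        else:
            report["files_not_in_packages"].add(path)
    return report


def render_required(report):
    """Render referenced packages in the style of required.txt."""
    lines = []
    for pkg in sorted(report["referenced_packages"]):
        lines.append(pkg)
        lines.append("# at:")
        lines.extend(f"# {f}" for f in sorted(report["referenced_packages"][pkg]))
    return "\n".join(lines)


def analyse_sample():
    """Run the classifier over the constructed log with assumed project/ignore dirs."""
    return analyse(SAMPLE_LOG, "/home/me/proj", ["/home/me", "/tmp"], PACKAGE_DB)


if __name__ == "__main__":
    r = analyse_sample()
    print(render_required(r))
    print("wandering:", r["wandering"])
    print("not in packages:", sorted(r["files_not_in_packages"]))
```

The project directory is tested before the ignore list, so a project that lives under ~ (as here) is still analysed while the rest of the home directory is skipped. The "wandering" check is deliberately per process: a failed host lookup by one pid followed by a project hit by an unrelated pid says nothing about search-path leakage, whereas the same process missing /usr/include/zlib.h and /usr/local/include/zlib.h before finding the project's copy is exactly the pattern worth flagging.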