

#!/usr/sbin/dtrace -qs
#
#
#
/*
 * Per-thread scratch for the code directory hash of the item being assessed.
 * It is filled by the accept/deny/default outcome clauses below with a 20-byte
 * copy taken from the daemon's address space (copyin(arg3, 20)) and is used as
 * the "print the hash?" flag by the trailing clause.
 *
 * NOTE(review): 20 bytes assumes the cdhash passed in arg3 is exactly that long;
 * confirm against the provider's probe definitions before relying on the output.
 */
self unsigned char *cdhash;

/*
 * Reset the hash pointer at the start of every assess-* probe firing, so that a
 * hash from an earlier firing on the same thread is never printed again. This
 * relies on D executing clauses for the same probe in program order: this
 * clause comes first in the file, so it always runs before the outcome clauses.
 */
syspolicy*:::assess-*
{
	self->cdhash = 0;
}

/*
 * Human-readable name for the assessment operation carried in arg1. The "???"
 * clause runs first and is overridden by whichever numeric match follows, so
 * any value other than 1/2/3 is reported as "???".
 * The 1=execute, 2=install, 3=open mapping is taken as given here — presumably
 * the syspolicy authority type constants; verify against the daemon's headers.
 */
self string type;
syspolicy*:::assess-outcome-* { self->type = "???"; }
syspolicy*:::assess-outcome-* / arg1 == 1 / { self->type = "execute"; }
syspolicy*:::assess-outcome-* / arg1 == 2 / { self->type = "install"; }
syspolicy*:::assess-outcome-* / arg1 == 3 / { self->type = "open"; }

/*
 * Outcome clauses. Each prints one record of the form
 *     <verdict> <type> <path>;<arg2 string>
 * and leaves the hash field to the clause at the bottom, which appends
 * ";<40 hex digits>" when a cdhash was captured.
 *
 * arg0 is the path of the assessed item and arg2 a second string (copied with
 * copyinstr; its exact meaning is not visible here — likely a label such as the
 * matched rule/authority, confirm against the provider).
 *
 * NOTE(review): both strings come straight from the daemon's memory and are
 * emitted unescaped. The path of a downloaded/installed item is attacker-chosen,
 * so a path containing ';' or a newline breaks the field layout for anything
 * that parses this output by splitting on ';' or on lines. Consumers should not
 * treat the record as trustworthy structured data without escaping it first.
 * copyin/copyinstr can also fault (e.g. page not resident), in which case DTrace
 * drops the record and counts an error rather than printing a partial line.
 */
syspolicy*:::assess-outcome-accept
{
	printf("accept %s %s;%s", self->type, copyinstr(arg0), copyinstr(arg2));
	self->cdhash = copyin(arg3, 20);
}

syspolicy*:::assess-outcome-deny
{
	printf("deny %s %s;%s", self->type, copyinstr(arg0), copyinstr(arg2));
	self->cdhash = copyin(arg3, 20);
}

syspolicy*:::assess-outcome-default
{
	printf("default %s %s;%s", self->type, copyinstr(arg0), copyinstr(arg2));
	self->cdhash = copyin(arg3, 20);
}

/*
 * Unsigned code has no code directory and therefore no cdhash: only the path is
 * printed and self->cdhash stays 0, so the record ends after the trailing ';'
 * with an empty label/hash portion.
 */
syspolicy*:::assess-outcome-unsigned
{
	printf("unsigned %s %s;", self->type, copyinstr(arg0));
}

/*
 * Append the captured cdhash as 40 lowercase hex digits. Runs only when one of
 * the outcome clauses above set self->cdhash during this same probe firing
 * (the reset clause at the top clears it beforehand). Bytes are printed one by
 * one because D has no loops; %02.2x pads each byte to exactly two digits.
 */
syspolicy*:::assess-*
/ self->cdhash /
{
	printf(";%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x%02.2x",
		self->cdhash[0], self->cdhash[1], self->cdhash[2], self->cdhash[3], self->cdhash[4],
		self->cdhash[5], self->cdhash[6], self->cdhash[7], self->cdhash[8], self->cdhash[9],
		self->cdhash[10], self->cdhash[11], self->cdhash[12], self->cdhash[13], self->cdhash[14],
		self->cdhash[15], self->cdhash[16], self->cdhash[17], self->cdhash[18], self->cdhash[19]);
}

/*
 * Terminate the record. This fires for every assess-* probe, not just the
 * assess-outcome-* ones; if the provider exposes other assess-* probes that
 * print nothing above, they will show up here as blank lines — narrow the
 * probe pattern to assess-outcome-* if that turns out to be the case.
 */
syspolicy*:::assess-*
{
	printf("\n");
}