TOMOYO Linux is an extension of the Linux kernel that adds process tracing capabilities. It automatically stores the "process invocation history" which shows how each process was created. This allows users to browse the entire process tree and see the relationships between running processes. The TOMOYO Linux policy editor provides a command line interface to view the stored process histories on a system and monitor actions caused by each process. TOMOYO Linux can help provide visibility into process activity and is maintained as an open source project with repositories of patched kernels and tools.

1. Introduction ofTOMOYO LinuxSeptember 2010TOMOYO Linux project

2. TOMOYO Linux as a “Linux system analyze tool”Part 1

3. TOMOYO Linux is an extension of Linux kernel (it’s not a Linux distribution)TOMOYO Linux add a “process tracing capability” to your Linux environment“process tracing capability”What is TOMOYO Linux?

4. It is a capability to store “how a process has been created”For instance, if you logged in via ssh and get a /bin/bash session, that bash session is stored as follows:“<kernel> /sbin/init /bin/sh /etc/rc.d/rc /etc/rc.d/init.d/sshd /usr/sbin/sshd /usr/sbin/sshd/bin/bash”What is “process tracing capability”?

5. If you logged in through a console“<kernel> /sbin/init /bin/sh /sbin/mingetty /bin/login /bin/bash”“<kernel>” is just a symbol to indicated the starting point, and each program names just follow with space as a separator

6. If TOMOYO Linux is enabled“process invocation history” information is automatically storedyou can see how each process has been createdYou can browse the entire process invocation history by using a TOMOYO Linux policy editor (it’s CUI)So what?

7. Fedora 13

8. Fedora 13 (firefox)

9. Log in as a rootexecute “ccs-editpolicy”Total numbers of different “process invocation history” patterns is displayed like “601 domains”Use cursor key to go up/downHow to use the TOMOYO Linuxpolicy editor

10. TOMOYO Linux monitors actions caused for each “process invocation history” patternTo see them, simply select the line and hit enter key

11. Fedora 13 (firefox)

12. You need to install TOMOYO Linux kernel and TOMOYO Linux toolsWe are maintaining TOMOYO Linux kernel and tools repositoriesfor users’ convenienceKernel patches and tools source code are available, tooProject homepage has everything you needhttp://tomoyo.sourceforge.jp/How to use TOMOYO Linux

13. TOMOYO Linux as a “security tool”Part 2

14. Demo movie

15. Q and A