
Analyze from audit log #879

Merged
merged 66 commits into from
Jul 4, 2023

Conversation

jw3
Member

@jw3 jw3 commented Jun 28, 2023

todo

  • add user guide section for general usage
  • add user guide content for configuring auditd
  • add audit log tests for python

Add support for analyzing from kernel audit logs

Adds an "audit" analyze event source that reads fanotify events from libaudit to be displayed in the analyzer. The records are read into the common Event structure that allows them to flow through the same API as the events from syslog and debug logs.

The entrypoint to this functionality is found in the Analyze menu and behaves similarly to syslog, where there is no prompt to provide a path to the log file. The backend uses the libaudit API to locate and parse the system audit log.

This currently only has runtime support in the Kernel on Fedora Rawhide (fc39), so while the backend is always built the frontend is disabled on all other platforms.

It is anticipated that RHEL 8 and 9 will both contain the required audit support at some point in the future. The build is currently wired into both of them with the feature flag disabled, hiding the functionality in the UI.

The audit support is implemented using bindgen to create native bindings to libaudit and auparse. To enable this our build requirements have grown to include clang and the audit dev libs to support building the bindings with bindgen. These bindings are generated at compile time and are excluded from version control.

Also adds

  • Adds LogType enum in place of some magic strings
  • Plumbs feature support into the python build.
  • Improves the make header-check to support piping the output

Requires

  • Kernel >= 6.3
  • Audit >= 3.1
  • fapolicyd >= 1.2

It may be possible to move the feature flag to a runtime check, allowing upgraded systems to use the audit feature. This is not within the scope of this PR. Given that there is no support outside of fc39, there is some time to refine audit related capability before it has wide applicability.

Reference

Closes #294
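As an added illustration, not code from this PR or from the fapolicy-analyzer project, the following Python folds kernel audit records that share one audit serial (SYSCALL, PATH, FANOTIFY) into a minimal common Event, the way the description says the backend does through libaudit/auparse. The sample records are constructed, and the FANOTIFY field layout (resp, fan_type, fan_info, subj_trust, obj_trust) and the Event field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data). fan_type=1 means fan_info
# carries the hex-encoded rule number; resp=1 is allow, resp=2 is deny.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1688475600.123:456): arch=c000003e syscall=59 success=no exit=-1 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1688475600.123:456): item=0 name="/home/alice/tool" inode=1234 dev=fd:01 mode=0100755
type=FANOTIFY msg=audit(1688475600.123:456): resp=2 fan_type=1 fan_info=3F subj_trust=3 obj_trust=0
type=SYSCALL msg=audit(1688475601.010:457): arch=c000003e syscall=59 success=yes exit=0 uid=0 gid=0 comm="systemd" exe="/usr/lib/systemd/systemd"
type=FANOTIFY msg=audit(1688475601.010:457): resp=1 fan_type=1 fan_info=1 subj_trust=3 obj_trust=3
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESP = {1: "allow", 2: "deny"}  # assumed mapping of resp values


def parse_records(text):
    """Yield (serial, timestamp, type, fields) for each well-formed record."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record; skip it rather than fail
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        yield int(serial), float(ts), rtype, fields


def build_events(text):
    """Correlate records by serial into Events that carry a fanotify decision."""
    by_serial = defaultdict(dict)
    for serial, ts, rtype, fields in parse_records(text):
        ev = by_serial[serial]
        ev.setdefault("timestamp", ts)
        if rtype == "SYSCALL":
            ev["uid"] = int(fields["uid"])
            ev["exe"] = fields["exe"]
        elif rtype == "PATH" and "path" not in ev:
            ev["path"] = fields["name"]  # first PATH item is the object
        elif rtype == "FANOTIFY":
            ev["decision"] = RESP.get(int(fields["resp"]), "unknown")
            if fields.get("fan_type") == "1":
                ev["rule"] = int(fields["fan_info"], 16)
    # Records without a FANOTIFY decision are not analyzer events
    return [dict(serial=s, **ev)
            for s, ev in sorted(by_serial.items()) if "decision" in ev]
```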

@jw3
Member Author

jw3 commented Jul 4, 2023

Testing on FC 39 will require 1.2 version of fapolicyd due to #885

dnf install https://kojipkgs.fedoraproject.org//packages/fapolicyd/1.2/5.fc39/x86_64/fapolicyd-1.2-5.fc39.x86_64.rpm

@jw3
Member Author

jw3 commented Jul 4, 2023

Init auditd rules

cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/audit.rules

@jw3 jw3 merged commit a074d3d into ctc-oss:master Jul 4, 2023
@jw3 jw3 deleted the 294-audit branch July 4, 2023 15:04
Successfully merging this pull request may close these issues.

Support analysis from libauparse