Support analysis from libauparse #294

Closed
jw3 opened this issue Oct 4, 2021 · 1 comment · Fixed by #879
Labels
analysis backend enhancement New feature or request fapolicyd-feature New feature in fapolicyd that is not yet supported. feedback1
Milestone

Comments

jw3 (Member) commented Oct 4, 2021

Add an analysis input from kernel audit events.

jw3 changed the title "Look into libauparse" to "Support analysis from libauparse" Nov 15, 2022
jw3 added the labels enhancement (New feature or request) and analysis Feb 7, 2023
jw3 (Member, Author) commented Feb 7, 2023

The kernel patch has been accepted and fapolicyd has been updated.

Initial prototyping was done here https://github.com/jw3/audit-userspace-rs

jw3 added the label fapolicyd-feature (New feature in fapolicyd that is not yet supported.) Apr 5, 2023
jw3 added this to the v1.1 milestone May 2, 2023
jw3 mentioned this issue Jun 28, 2023
jw3 closed this as completed in #879 Jul 4, 2023
jw3 added a commit that referenced this issue Jul 4, 2023
Add support for analyzing from kernel audit logs
---

Adds an "audit" analyze event source that reads fanotify events from
libaudit to be displayed in the analyzer. The records are read into the
common Event structure that allows them to flow through the same API as
the events from syslog and debug logs.

The entrypoint to this functionality is found in the Analyze menu and
behaves similarly to syslog in that there is no prompt to provide a path
to the log file. The backend uses the libaudit API to locate and parse
the system audit log.

This currently only has runtime support in the kernel on Fedora Rawhide
(fc39), so while the backend is always built, the frontend is disabled on
all other platforms.

It is anticipated that RHEL 8 and 9 will both contain the required audit
support at some point in the future. The build is currently wired into
both of them with the feature flag disabled, hiding the functionality in
the UI.

The audit support is implemented using bindgen to create native bindings
to libaudit and auparse. To enable this our build requirements have
grown to include clang and the audit dev libs to support building the
bindings with bindgen. These bindings are generated at compile time and
are excluded from version control.

### Also adds
- Adds Python LogType enum in place of some magic strings
- Plumbs Cargo feature support into the python build
- Improves the make header-check to support piping the output

### Requires
- Kernel >= 6.3
- Audit >= 3.1
- fapolicyd >= 1.2

It may be possible to move the feature flag to a runtime check, allowing
upgraded systems to use the audit feature, but this is not within the scope
of this PR. Given that there is no support outside of fc39, there
is some time to refine audit related capability before it has wide
applicability.

### Reference
- linux-audit/audit-kernel@032bffd
- linux-audit/audit-userspace@d1aec22
- https://lore.kernel.org/linux-fsdevel/20230207120921.7pgh6uxs7ze7hkjo@quack3/
- linux-application-whitelisting/fapolicyd#84
- linux-application-whitelisting/fapolicyd@ee9c99a

Closes #294
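The commit above describes reading fanotify decisions out of the audit log through libauparse and mapping them onto a common Event structure. The following is an added example, not code from fapolicy-analyzer, fapolicyd or the audit project: a small Rust parser over the raw text form of the audit log that does the same correlation by hand. It assumes the kernel 6.3 FANOTIFY record shape referenced in the commit (`resp`, `fan_type`, `fan_info`, `subj_trust`, `obj_trust`), treats `fan_info` as the hex-encoded fapolicyd rule number when `fan_type=1`, and joins each FANOTIFY record to the PATH record of the same audit serial; trust values are passed through uninterpreted. The log lines in `SAMPLE_LOG` are constructed for the example, including a hex-encoded PATH name (how auditd represents a filename containing a space) and a parent/normal PATH pair.

```rust
// Added example (not project code): correlate FANOTIFY and PATH audit records
// by serial into one event per fapolicyd decision. Assumes the kernel >= 6.3
// record format; fan_info is treated as a hex rule number when fan_type=1.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq)]
pub struct FanotifyEvent {
    pub serial: u64,
    pub timestamp: f64,
    pub allowed: bool,          // resp=1 (FAN_ALLOW) vs resp=2 (FAN_DENY)
    pub rule: Option<u32>,      // fapolicyd rule number, from fan_info (assumed hex)
    pub subj_trust: Option<u32>, // raw value as emitted, not interpreted here
    pub obj_trust: Option<u32>,
    pub path: Option<String>,    // from the PATH record sharing the serial
}

/// One raw record: its type, the (timestamp, serial) header, and key=value fields.
struct Record<'a> {
    rtype: &'a str,
    timestamp: f64,
    serial: u64,
    fields: BTreeMap<&'a str, &'a str>,
}

/// Split `k=v k2="quoted v"` pairs; quoted values keep their quotes and may contain spaces.
fn parse_fields(s: &str) -> BTreeMap<&str, &str> {
    let mut out = BTreeMap::new();
    let mut rest = s.trim_start();
    while let Some((key, after)) = rest.split_once('=') {
        let end = if after.starts_with('"') {
            after[1..].find('"').map(|i| i + 2).unwrap_or(after.len())
        } else {
            after.find(' ').unwrap_or(after.len())
        };
        out.insert(key, &after[..end]);
        rest = after[end..].trim_start();
    }
    out
}

/// Parse `type=T msg=audit(ts:serial): fields...`; returns None for anything else.
fn parse_record(line: &str) -> Option<Record<'_>> {
    let rest = line.trim().strip_prefix("type=")?;
    let (rtype, rest) = rest.split_once(' ')?;
    let rest = rest.strip_prefix("msg=audit(")?;
    let (hdr, rest) = rest.split_once("):")?;
    let (ts, serial) = hdr.split_once(':')?;
    Some(Record { rtype, timestamp: ts.parse().ok()?, serial: serial.parse().ok()?, fields: parse_fields(rest) })
}

/// auditd quotes plain names and hex-encodes names with spaces, quotes or control bytes.
pub fn decode_audit_string(raw: &str) -> String {
    if let Some(inner) = raw.strip_prefix('"').and_then(|r| r.strip_suffix('"')) {
        return inner.to_string();
    }
    if raw.len() >= 2 && raw.len() % 2 == 0 && raw.bytes().all(|b| b.is_ascii_hexdigit()) {
        let bytes: Vec<u8> = (0..raw.len()).step_by(2)
            .filter_map(|i| u8::from_str_radix(&raw[i..i + 2], 16).ok())
            .collect();
        return String::from_utf8_lossy(&bytes).into_owned();
    }
    raw.to_string() // e.g. "(null)"
}

pub fn analyze(log: &str) -> Vec<FanotifyEvent> {
    let mut events: BTreeMap<u64, FanotifyEvent> = BTreeMap::new();
    let mut paths: BTreeMap<u64, String> = BTreeMap::new();
    for line in log.lines() {
        let rec = match parse_record(line) { Some(r) => r, None => continue };
        match rec.rtype {
            "FANOTIFY" => {
                let num = |k: &str| rec.fields.get(k).and_then(|v| v.parse::<u32>().ok());
                let allowed = rec.fields.get("resp").map(|v| *v == "1").unwrap_or(false);
                // Only fan_type=1 marks fan_info as a rule number (assumption, see lead-in).
                let rule = if num("fan_type") == Some(1) {
                    rec.fields.get("fan_info").and_then(|v| u32::from_str_radix(v, 16).ok())
                } else { None };
                events.insert(rec.serial, FanotifyEvent {
                    serial: rec.serial, timestamp: rec.timestamp, allowed, rule,
                    subj_trust: num("subj_trust"), obj_trust: num("obj_trust"), path: None,
                });
            }
            "PATH" => {
                // Prefer the nametype=NORMAL item (the file itself) over PARENT entries.
                if let Some(name) = rec.fields.get("name") {
                    let normal = rec.fields.get("nametype") == Some(&"NORMAL");
                    if normal || !paths.contains_key(&rec.serial) {
                        paths.insert(rec.serial, decode_audit_string(name));
                    }
                }
            }
            _ => {}
        }
    }
    for (serial, path) in paths {
        if let Some(e) = events.get_mut(&serial) { e.path = Some(path); }
    }
    events.into_values().collect()
}

/// Constructed sample: three decisions, one with a hex-encoded path, one with no PATH record.
pub const SAMPLE_LOG: &str = r#"
type=FANOTIFY msg=audit(1688486400.101:590): resp=2 fan_type=1 fan_info=3F subj_trust=0 obj_trust=0
type=SYSCALL msg=audit(1688486400.101:590): arch=c000003e syscall=59 success=no exit=-13 comm="mytool"
type=PATH msg=audit(1688486400.101:590): item=0 name=2F6F70742F746F6F6C732F6D7920746F6F6C nametype=NORMAL
type=FANOTIFY msg=audit(1688486400.215:591): resp=1 fan_type=1 fan_info=9 subj_trust=1 obj_trust=1
type=PATH msg=audit(1688486400.215:591): item=0 name="/usr/" nametype=PARENT
type=PATH msg=audit(1688486400.215:591): item=1 name="/usr/bin/ls" nametype=NORMAL
type=FANOTIFY msg=audit(1688486400.300:592): resp=2 fan_type=0 fan_info=0 subj_trust=2 obj_trust=2
"#;

fn main() {
    for e in analyze(SAMPLE_LOG) {
        println!("{:?}", e);
    }
}
```

Against a real system the input would come from `ausearch -m FANOTIFY -i` or, as the commit does, from libauparse, which performs the same serial-based grouping and field interpretation internally; the point here is what that grouping has to do, and that names may arrive hex-encoded rather than quoted.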