ctc-oss / fapolicy-analyzer

Tools to assist with the configuration and management of fapolicyd.
https://ctc-oss.github.io/fapolicy-analyzer
GNU General Public License v3.0

Trust History #743

Open jw3 opened 1 year ago

jw3 commented 1 year ago

Similar to #739, but for Trust which makes it significantly more challenging.

This would provide a historical view of trust changes to support analyzing stale logs.

tl;dr: An auditd plugin is perhaps a clean solution.

Managing a dump of trust in a Git backend is pretty straightforward.

The problem is that updating trust can be triggered by a few processes out of our control.

To be notified on all of these, and capture the changes, is challenging. The only thing that comes to mind is if we can catch them all from an auditd plugin. That plugin could observe interesting changes and dump the fapolicyd trust to a disk location. That location might be checked, when our app starts, for things that need cataloging.

Some unknowns in there, but it seems possible.

Otherwise the only option that comes to mind is to provide a daemon service that performs a similar function: observe events and write the trust to disk. If we do not tie into audit notifications, it would require watching the lmdb trust database directory. Also possible, but it seems less appealing than an audit plugin.
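The fallback jw3 describes (a daemon that watches the lmdb trust database directory and writes the trust to disk, with a Git backend holding the history) sketched as an added example; this is not fapolicy-analyzer code. It assumes a polling watcher rather than inotify, a placeholder database directory `TRUST_DB_DIR`, a placeholder `DUMP_CMD` that emits trust as text lines in the `fapolicyd.trust` layout (`path size sha256`), and a plain Git working tree at `HISTORY_REPO` driven through the `git` CLI. Only the parse and diff functions are exercised offline; `watch()` needs a real system.

```python
"""Poll a trust database directory and record each trust change as a Git commit.

Added example, not fapolicy-analyzer code. Assumptions (all labelled):
- TRUST_DB_DIR: placeholder for the directory holding the lmdb trust files
- DUMP_CMD:     placeholder command printing trust as "path size sha256" lines
- HISTORY_REPO: placeholder path of an initialised Git working tree
"""
import os
import subprocess
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRUST_DB_DIR = "/var/lib/fapolicyd"            # assumed lmdb location (placeholder)
DUMP_CMD = ["fapolicyd-cli", "--dump-db"]      # assumed dump command (placeholder)
HISTORY_REPO = "/var/lib/trust-history"        # placeholder history repo


@dataclass(frozen=True)
class TrustEntry:
    path: str
    size: int
    sha256: str


def parse_trust_dump(text: str) -> Dict[str, TrustEntry]:
    """Parse 'path size sha256' lines; blank lines and '#' comments are skipped."""
    entries: Dict[str, TrustEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed trust line: {raw!r}")
        path, size, digest = parts
        entries[path] = TrustEntry(path, int(size), digest.lower())
    return entries


def diff_trust(old: Dict[str, TrustEntry],
               new: Dict[str, TrustEntry]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) path lists between two parsed dumps."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and new[p] != old[p])
    return added, removed, changed


def summarize(added: List[str], removed: List[str], changed: List[str]) -> str:
    """One-line commit subject describing the delta."""
    return f"trust: +{len(added)} -{len(removed)} ~{len(changed)}"


def db_fingerprint(db_dir: str) -> tuple:
    """Cheap change detector for polling: (name, size, mtime_ns) of every file."""
    fp = []
    for name in sorted(os.listdir(db_dir)):
        st = os.stat(os.path.join(db_dir, name))
        fp.append((name, st.st_size, st.st_mtime_ns))
    return tuple(fp)


def commit_snapshot(repo: str, dump_text: str, subject: str) -> None:
    """Write the dump into the repo and commit it (git CLI assumed present)."""
    with open(os.path.join(repo, "trust.dump"), "w", encoding="utf-8") as f:
        f.write(dump_text)
    subprocess.run(["git", "-C", repo, "add", "trust.dump"], check=True)
    subprocess.run(["git", "-C", repo, "commit", "-q", "-m", subject], check=True)


def watch(poll_seconds: float = 5.0) -> None:
    """Poll the db dir; when its files change, dump trust and commit any delta."""
    last_fp = None
    last_entries: Dict[str, TrustEntry] = {}
    while True:
        fp = db_fingerprint(TRUST_DB_DIR)
        if fp != last_fp:
            last_fp = fp
            dump = subprocess.run(DUMP_CMD, check=True, capture_output=True,
                                  text=True).stdout
            entries = parse_trust_dump(dump)
            added, removed, changed = diff_trust(last_entries, entries)
            if added or removed or changed:
                commit_snapshot(HISTORY_REPO, dump, summarize(added, removed, changed))
                last_entries = entries
        time.sleep(poll_seconds)


if __name__ == "__main__":
    watch()
```

Polling on file metadata is deliberately crude: lmdb rewrites pages in place, so a size/mtime fingerprint catches updates from any writer (the point of the issue), at the cost of a short delay and one extra dump when nothing semantically changed. Each commit's subject carries the delta counts, so `git log` on the history repo gives the timeline needed to reason about stale logs.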