ctc-oss / fapolicy-analyzer

Tools to assist with the configuration and management of fapolicyd.
https://ctc-oss.github.io/fapolicy-analyzer
GNU General Public License v3.0

Analysis time button bug fix #859

Closed egbicker closed 1 year ago

egbicker commented 1 year ago

Fixes to allow the time selection button to properly filter syslog events.

Closes #832

egbicker commented 1 year ago

@jw3 I think there might be an issue when parsing the when variable in the Rust layer. I added my best guess at a print statement in my most recent commit to see the value of e.rs.event.when in crates/pyo3/src/analysis.rs temporal_filter function and got None. Looking at sudo systemctl status fapolicyd.service and sudo journalctl it looks like the time format is not rfc3339.


jw3 commented 1 year ago

What's this say: grep FileFormat /etc/rsyslog.conf

egbicker commented 1 year ago

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

jw3 commented 1 year ago

#868 describes what you are seeing.

Quick fix is to update the syslog format. The playbook does that; I am guessing you didn't set this VM up from there.

- name: set syslog format
  replace:
    path: /etc/rsyslog.conf
    regexp: "RSYSLOG_TraditionalFileFormat"
    replace: "RSYSLOG_FileFormat"

jw3 commented 1 year ago

Btw, this is a good find :+1:.

That format change was made way back in the development of the analysis view. I had forgotten about it since then, but it definitely needs to be more robust.

egbicker commented 1 year ago

@jw3 This seems to be working after I cleared out the entries with the old format. Do you think it's worth adding that grep as a check before enabling the time selection, or is it better to open an issue with the parsing?

jw3 commented 1 year ago

Maybe the analyzer should warn the user if entries come back without a when value.

You could detect that from the returned results and display a dialog that mentions the config items to check.
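The two failure modes discussed in this thread, a syslog line whose timestamp is not RFC 3339 coming back with no `when` value (the None seen in the Rust layer) and the idea of warning the user from the returned results, are illustrated below in a small Python sketch. This is an added example, not code from fapolicy-analyzer: the `Event` type, `parse_when`, `temporal_filter` and `missing_when_warning` are hypothetical stand-ins for the project's own analysis code, and the sample log lines are constructed to show one entry in `RSYSLOG_FileFormat` (RFC 3339), one in `RSYSLOG_TraditionalFileFormat`, and one unrelated daemon's line.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample lines (not taken from a real host). Line 0 and line 2 use the
# RFC 3339 stamp rsyslog writes under RSYSLOG_FileFormat; line 1 uses the year-less,
# zone-less stamp of RSYSLOG_TraditionalFileFormat; line 3 is not a fapolicyd event.
SAMPLE_LINES = [
    "2023-05-02T14:03:11.123456+00:00 host1 fapolicyd[1234]: rule=9 dec=deny perm=execute path=/tmp/a.sh",
    "May  2 14:03:12 host1 fapolicyd[1234]: rule=9 dec=deny perm=execute path=/tmp/b.sh",
    "2023-05-02T14:09:00Z host1 fapolicyd[1234]: rule=9 dec=deny perm=execute path=/tmp/c.sh",
    "May  2 14:03:13 host1 sshd[99]: Accepted publickey for user",
]

# RFC 3339 timestamp at the start of the line: date-time, optional fraction, zone.
RFC3339_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})\s"
)
# Traditional syslog stamp ("May  2 14:03:12"): no year, no zone, so ambiguous.
TRADITIONAL_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s")


@dataclass
class Event:
    raw: str
    when: Optional[datetime]  # None when the timestamp could not be parsed


def parse_when(line: str) -> Optional[datetime]:
    """Return an aware datetime for an RFC 3339 stamped line, else None."""
    m = RFC3339_RE.match(line)
    if not m:
        return None
    base, frac, zone = m.groups()
    # Normalise the fraction to six digits so datetime.fromisoformat accepts it on
    # every supported Python version, and spell 'Z' as an explicit +00:00 offset.
    micros = (frac or ".0")[1:].ljust(6, "0")[:6]
    zone = "+00:00" if zone == "Z" else zone
    return datetime.fromisoformat(f"{base}.{micros}{zone}")


def load_events(lines: List[str]) -> List[Event]:
    """Keep only fapolicyd lines and attach whatever timestamp could be parsed."""
    return [Event(raw=line, when=parse_when(line)) for line in lines if "fapolicyd" in line]


def temporal_filter(events: List[Event], start: datetime, end: datetime) -> List[Event]:
    """Keep events whose when lies in [start, end]; events without a when are dropped,
    which is exactly why a silent None makes the time selection look broken."""
    return [e for e in events if e.when is not None and start <= e.when <= end]


def missing_when_warning(events: List[Event]) -> Optional[str]:
    """Text for a warning dialog when some returned events carry no usable timestamp."""
    missing = [e for e in events if e.when is None]
    if not missing:
        return None
    msg = (f"{len(missing)} of {len(events)} syslog events have no parseable timestamp; "
           "time filtering will ignore them.")
    if any(TRADITIONAL_RE.match(e.raw) for e in missing):
        msg += (" They use the traditional syslog date format. Check the omfile Template in "
                "/etc/rsyslog.conf: it should be RSYSLOG_FileFormat (RFC 3339), not "
                "RSYSLOG_TraditionalFileFormat. Entries logged before the change keep the old format.")
    return msg


def demo() -> dict:
    """Run the sample through the filter with a five-minute window from 14:00 UTC."""
    events = load_events(SAMPLE_LINES)
    start = datetime(2023, 5, 2, 14, 0, tzinfo=timezone.utc)
    kept = temporal_filter(events, start, start + timedelta(minutes=5))
    return {
        "total": len(events),
        "kept": [e.raw for e in kept],
        "warning": missing_when_warning(events),
    }


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['kept'])} of {result['total']} events in window")
    if result["warning"]:
        print("WARNING:", result["warning"])
```

Running it keeps only the 14:03:11 event (the 14:09 entry is outside the window and the traditional-format entry has no `when`), and the warning names the rsyslog template to check, which is the dialog-style hint suggested above. Checking the returned results rather than grepping the config up front also covers the case where the config is already fixed but older entries still use the traditional format.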