ctc-oss / fapolicy-analyzer

Tools to assist with the configuration and management of fapolicyd.
https://ctc-oss.github.io/fapolicy-analyzer
GNU General Public License v3.0

Analyze from audit log #879

Closed jw3 closed 1 year ago

jw3 commented 1 year ago

todo


Add support for analyzing from kernel audit logs

Adds an "audit" analyze event source that reads fanotify events from libaudit to be displayed in the analyzer. The records are read into the common Event structure that allows them to flow through the same API as the events from syslog and debug logs.

The entrypoint to this functionality is found in the Analyze menu and behaves similarly to syslog, where there is no prompt to provide a path to the log file. The backend uses the libaudit API to locate and parse the system audit log.

This currently only has runtime support in the kernel on Fedora Rawhide (fc39), so while the backend is always built, the frontend is disabled on all other platforms.

It is anticipated that RHEL 8 and 9 will both contain the required audit support at some point in the future. The build is currently wired into both of them with the feature flag disabled, hiding the functionality in the UI.

The audit support is implemented using bindgen to create native bindings to libaudit and auparse. To enable this our build requirements have grown to include clang and the audit dev libs to support building the bindings with bindgen. These bindings are generated at compile time and are excluded from version control.

Also adds

Requires

It may be possible to move the feature flag to a runtime check, allowing upgraded systems to use the audit feature. This is not within the scope of this PR. Given that there is no support outside of fc39, there is some time to refine audit-related capability before it has wide applicability.

Reference

Closes #294
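The PR description above says the audit source reads fanotify records via libaudit/auparse and folds them into the analyzer's common Event structure. The block below is an added, stand-alone illustration of that correlation step and is not code from fapolicy-analyzer: it parses audit.log-format text with plain std (no libaudit bindings, so it runs offline), groups FANOTIFY, SYSCALL and PATH records by their shared serial number, and emits one event per fanotify decision. The `AuditEvent` type, the `Decision` enum and `SAMPLE_LOG` are assumptions made for this example; the sample records are constructed, not captured from a real system.

```rust
use std::collections::BTreeMap;

/// Verdict from the FANOTIFY record's `resp=` field
/// (FAN_ALLOW = 1, FAN_DENY = 2 in the kernel's fanotify.h).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Deny,
    Other(u32),
}

/// Hypothetical common event shape for this example; NOT the project's own `Event` type.
#[derive(Debug, Clone, PartialEq, Eq, Default)]
pub struct AuditEvent {
    pub serial: u64,
    pub timestamp: String,
    pub decision: Option<Decision>,
    pub uid: Option<u32>,
    pub pid: Option<u32>,
    pub exe: Option<String>,
    pub path: Option<String>,
}

/// Split "type=X msg=audit(TS:SERIAL): body" into (type, ts, serial, body).
/// Returns None for anything that is not an audit record, so junk lines are skipped.
fn split_header(line: &str) -> Option<(&str, &str, u64, &str)> {
    let rest = line.trim().strip_prefix("type=")?;
    let (rtype, rest) = rest.split_once(' ')?;
    let rest = rest.trim_start().strip_prefix("msg=audit(")?;
    let (stamp, rest) = rest.split_once(')')?;
    let (ts, serial) = stamp.split_once(':')?;
    let body = rest.trim_start_matches(':').trim();
    Some((rtype, ts, serial.parse().ok()?, body))
}

/// Tokenise a record body into key=value pairs, stripping surrounding quotes.
fn fields(body: &str) -> BTreeMap<&str, &str> {
    body.split_whitespace()
        .filter_map(|tok| tok.split_once('='))
        .map(|(k, v)| (k, v.trim_matches('"')))
        .collect()
}

fn decision_from(resp: &str) -> Option<Decision> {
    match resp.parse::<u32>().ok()? {
        1 => Some(Decision::Allow),
        2 => Some(Decision::Deny),
        n => Some(Decision::Other(n)),
    }
}

/// Correlate FANOTIFY, SYSCALL and PATH records by serial; only serials that carry a
/// FANOTIFY record become events, everything else is dropped.
pub fn parse_audit_log(text: &str) -> Vec<AuditEvent> {
    let mut partial: BTreeMap<u64, AuditEvent> = BTreeMap::new();
    for line in text.lines() {
        let (rtype, ts, serial, body) = match split_header(line) {
            Some(parts) => parts,
            None => continue,
        };
        let f = fields(body);
        let ev = partial.entry(serial).or_insert_with(|| AuditEvent {
            serial,
            timestamp: ts.to_string(),
            ..Default::default()
        });
        match rtype {
            "FANOTIFY" => ev.decision = f.get("resp").and_then(|r| decision_from(r)),
            "SYSCALL" => {
                ev.uid = f.get("uid").and_then(|v| v.parse().ok());
                ev.pid = f.get("pid").and_then(|v| v.parse().ok());
                ev.exe = f.get("exe").map(|s| s.to_string());
            }
            // Prefer the object itself (nametype=NORMAL) over PARENT directory entries.
            "PATH" => {
                if ev.path.is_none() || f.get("nametype").copied() == Some("NORMAL") {
                    ev.path = f.get("name").map(|s| s.to_string());
                }
            }
            _ => {}
        }
    }
    partial.into_values().filter(|e| e.decision.is_some()).collect()
}

/// Events where fapolicyd denied access; the ones an analyst usually wants first.
pub fn denials(events: &[AuditEvent]) -> Vec<&AuditEvent> {
    events.iter().filter(|e| e.decision == Some(Decision::Deny)).collect()
}

/// Constructed sample in audit.log format (made-up values, record layout as emitted by the kernel).
pub const SAMPLE_LOG: &str = r#"type=FANOTIFY msg=audit(1700000000.101:2001): resp=2
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=no exit=-1 uid=1000 pid=4242 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/home/dev/dl/untrusted.bin" nametype=NORMAL
type=PATH msg=audit(1700000000.101:2001): item=1 name="/home/dev/dl" nametype=PARENT
type=SYSCALL msg=audit(1700000000.102:2002): arch=c000003e syscall=257 success=yes exit=3 uid=0 pid=1 comm="systemd" exe="/usr/lib/systemd/systemd"
type=FANOTIFY msg=audit(1700000000.102:2002): resp=1
type=PATH msg=audit(1700000000.102:2002): item=0 name="/usr" nametype=PARENT
type=PATH msg=audit(1700000000.102:2002): item=1 name="/usr/lib64/libc.so.6" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:2003): arch=c000003e syscall=1 success=yes exit=5 uid=1000 pid=4242 comm="bash" exe="/usr/bin/bash"
this line is not an audit record and is skipped
"#;

fn main() {
    let events = parse_audit_log(SAMPLE_LOG);
    for ev in &events {
        println!("{:?}", ev);
    }
    println!("{} event(s), {} denial(s)", events.len(), denials(&events).len());
}
```

Records of one audit event are not guaranteed to appear adjacent or in a fixed order in audit.log, which is why the parser keys everything on the serial rather than on line position; with auparse the library performs that grouping for you.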

jw3 commented 1 year ago

Testing on FC 39 will require version 1.2 of fapolicyd due to #885

dnf install https://kojipkgs.fedoraproject.org//packages/fapolicyd/1.2/5.fc39/x86_64/fapolicyd-1.2-5.fc39.x86_64.rpm

jw3 commented 1 year ago

Init auditd rules

cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/audit.rules