Merge pull request #67 from Achiefs/63-add-whodata
Include audit daemon information into Linux monitored files
okynos authored Oct 9, 2022
2 parents 0dcba5d + d9f3c62 commit fa6b597
Showing 28 changed files with 2,690 additions and 264 deletions.
76 changes: 71 additions & 5 deletions .github/workflows/system-tests-workflow.yml
@@ -1,7 +1,7 @@
name: System tests
on: [push]
jobs:
system-tests-unix:
monitor-system-tests-unix:
runs-on: ${{ matrix.os }}
strategy:
matrix:
Expand All @@ -19,17 +19,17 @@ jobs:

- name: Change configuration to test on Linux
if: runner.os == 'Linux'
run: sed -i 's|tmp/.*|tmp/test|g' config/linux/config.yml
run: sed -i 's|usr/bin/.*|tmp/test|g' config/linux/config.yml

- name: Change configuration to test on macOS
if: runner.os == 'macOS'
run: sed -i '' 's|tmp/.*|tmp/test|g' config/linux/config.yml
run: sed -i '' 's|usr/bin.*|tmp/test|g' config/linux/config.yml

- name: Copy FIM binary to main folder
run: cp ./target/release/fim ./

- name: Create required directories
run: mkdir /tmp/test
run: mkdir -p /tmp/test

- name: Create events file and folder
run: sudo mkdir -p /var/lib/fim/ && sudo touch /var/lib/fim/events.json && sudo chown -R runner:runner /var/lib/fim
Expand All @@ -41,10 +41,76 @@ jobs:
run: sudo ./fim &

- name: Launch test suite
run: python3 -m pytest test/system/test_system.py -v
run: python3 -m pytest test/system/monitor.py -v --noconftest

- name: Print events.json file
if: always()
run: cat /var/lib/fim/events.json

- run: echo "Job's status is ${{ job.status }}."


audit-system-tests-unix:
runs-on: self-hosted

steps:
- name: Check out repository code, branch='${{ github.ref }}'
uses: actions/checkout@v2

- name: Build FIM
run: cargo build --release

- name: Change configuration
run: sed -i 's|/tmp|/tmp/test|g' config/linux/config.yml

- name: Copy FIM binary to main folder
run: cp ./target/release/fim ./

- name: Create required directories
run: mkdir -p /tmp/test

- name: Create events file and folder
run: sudo mkdir -p /var/lib/fim/ && sudo touch /var/lib/fim/events.json && sudo chown -R okynos:okynos /var/lib/fim

- name: Create log file and folder
run: sudo mkdir -p /var/log/fim/ && sudo touch /var/log/fim/fim.log && sudo chown -R okynos:okynos /var/log/fim

- name: Start FIM process
run: sudo ./fim &

- name: Launch test suite
run: sudo python3 -m pytest test/system/audit.py -v

- name: Print config file
if: always()
run: cat ${{ github.workspace }}/config/linux/config.yml || true

- name: Print log file
if: always()
run: cat /var/log/fim/fim.log || true

- name: Clean temporal folder
if: always()
run: sudo rm -rf /tmp/test

- name: Clean log folder
if: always()
run: sudo rm -rf /var/log/fim/

- name: Clean lib folder
if: always()
run: sudo rm -rf /var/lib/fim/

- name: Clean workspace
if: always()
run: sudo rm -rf ${{ github.workspace }}/test/system/__pycache__/ ${{ github.workspace }}/test/system/.pytest_cache ${{ github.workspace }}/.pytest_cache

- name: Clean test output
if: always()
run: sudo rm -rf ${{ github.workspace }}/test_*

- name: Stop FIM process
if: always()
run: sudo pkill fim || true

- run: echo "Job's status is ${{ job.status }}."
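Review bot: The macOS step `Change configuration to test on macOS` uses the pattern `sed -i '' 's|usr/bin.*|tmp/test|g'` (the variant without the `/` after `bin`, which as far as I can tell from the rendering is the new line); besides rewriting `- path: /usr/bin/` it also matches the `labels: ["usr/bin", "linux"]` line of config/linux/config.yml and truncates it to `labels: ["tmp/test`, which is not valid YAML, while the Linux step's `usr/bin/.*` does not have this problem, so both steps should use `'s|usr/bin/.*|tmp/test|g'`. In the new `audit-system-tests-unix` job every privileged step (`sudo ./fim &`, `sudo python3 -m pytest ...`, the `sudo rm -rf ...` cleanups) runs on a persistent self-hosted runner triggered by `on: [push]`, so the runner account needs passwordless sudo and the `if: always()` cleanup steps are the only thing isolating one run from the next; hard-coding `okynos:okynos` in the chown steps also ties the job to one machine, and `$(id -un):$(id -gn)` would make it portable. `actions/checkout@v2` is referenced by a mutable tag; pinning it to a full commit SHA is the usual supply-chain hardening for a job that runs as root on a long-lived host. The daemon is started in the background and `Launch test suite` follows immediately; if fim needs time to load its audit rules, a short readiness wait before the pytest step would remove a likely flake, though I cannot confirm the timing from this hunk.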
3 changes: 2 additions & 1 deletion Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "fim"
version = "0.3.2"
version = "0.4.0"
authors = ["José Fernández <´[email protected]´>"]
edition = "2021"

Expand All @@ -22,6 +22,7 @@ tokio = { version = "1.17.0", features = ["rt", "rt-multi-thread", "macros"] }
tokio-util = { version = "0.7.1", features = ["codec"] }
serde_json = "1.0.79"
time = "0.3.9"
ctrlc = { version = "3.2", features = ["termination"] }

[dev-dependencies]
tokio-test = "*"
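Review bot: The new dependency `ctrlc = { version = "3.2", features = ["termination"] }` carries only a caret constraint; if the repository commits a Cargo.lock it should be updated in the same commit (it is not among the sections visible here) so the 0.4.0 packages build reproducibly. The `termination` feature registers handlers for SIGTERM and SIGHUP in addition to SIGINT, which is what the audit job's `sudo pkill fim` cleanup will exercise, so a one-line comment above the entry, `# termination: also catch SIGTERM/SIGHUP so the daemon shuts down cleanly under pkill`, would record why the feature is enabled.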
98 changes: 92 additions & 6 deletions config/index_template.json
Expand Up @@ -3,16 +3,59 @@
"index_patterns": [ "fim-*" ],
"mappings": {
"properties": {
"pid": { "type": "integer" },
"fpid": { "type": "long" },
"timestamp": { "type": "date" },
"file": { "type": "keyword" },
"hostname": { "type": "keyword" },
"kind": { "type": "keyword" },
"operation": { "type": "keyword" },
"node": { "type": "keyword" },
"version": { "type": "keyword" },
"checksum": { "type": "keyword" },
"system": { "type": "keyword" },
"labels": { "type": "keyword" }
"labels": { "type": "keyword" },
"path": { "type": "keyword" },
"command": { "type": "keyword" },
"ogid": { "type": "keyword" },
"rdev": { "type": "keyword" },
"proctitle": { "type": "keyword" },
"cap_fver": { "type": "keyword" },
"inode": { "type": "keyword" },
"cap_fp": { "type": "keyword" },
"cap_fe": { "type": "keyword" },
"item": { "type": "keyword" },
"cap_fi": { "type": "keyword" },
"dev": { "type": "keyword" },
"mode": { "type": "keyword" },
"cap_frootid": { "type": "keyword" },
"ouid": { "type": "keyword" },
"paths": { "type": "nested" },
"cwd": { "type": "keyword" },
"syscall": { "type": "keyword" },
"ppid": { "type": "long" },
"comm": { "type": "keyword" },
"fsuid": { "type": "keyword" },
"pid": { "type": "long" },
"a0": { "type": "keyword" },
"a1": { "type": "keyword" },
"a2": { "type": "keyword" },
"a3": { "type": "keyword" },
"arch": { "type": "keyword" },
"auid": { "type": "keyword" },
"items": { "type": "integer" },
"gid": { "type": "keyword" },
"euid": { "type": "keyword" },
"sgid": { "type": "keyword" },
"uid": { "type": "keyword" },
"tty": { "type": "keyword" },
"success": { "type": "keyword" },
"exit": { "type": "integer" },
"ses": { "type": "keyword" },
"key": { "type": "keyword" },
"suid": { "type": "keyword" },
"egid": { "type": "keyword" },
"fsgid": { "type": "keyword" },
"exe": { "type": "keyword" },
"source": { "type": "keyword" }
}
},
"settings": {
Expand All @@ -22,16 +65,59 @@
"auto_expand_replicas": "0-all",
"query": {
"default_field": [
"pid",
"fpid",
"timestamp",
"file",
"hostname",
"kind",
"operation",
"node",
"version",
"checksum",
"system",
"labels"
"labels",
"path",
"command",
"ogid",
"rdev",
"proctitle",
"cap_fver",
"inode",
"cap_fp",
"cap_fe",
"item",
"cap_fi",
"dev",
"mode",
"cap_frootid",
"ouid",
"paths",
"cwd",
"syscall",
"ppid",
"comm",
"fsuid",
"pid",
"a0",
"a1",
"a2",
"a3",
"arch",
"auid",
"items",
"gid",
"euid",
"sgid",
"uid",
"tty",
"success",
"exit",
"ses",
"key",
"suid",
"egid",
"fsgid",
"exe",
"source"
]
}
}
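Review bot: `"paths"` is mapped as `nested` but is also listed in `index.query.default_field`; a nested object can only be reached through a nested query, so as far as I can tell the entry contributes nothing there and either a `paths.*` leaf field or dropping it from the list is what was intended, and the nested mapping declares no `properties`, so whatever the audit PATH records carry will be dynamically mapped. The `pid` key changes from `{ "type": "integer" }` to `{ "type": "long" }` and moves down the list; if the earlier `"pid"` entry is not actually removed by this commit the object holds a duplicate key and the parser's last-wins behaviour decides the type silently. Keeping `a0`–`a3`, `mode`, `dev` and `inode` as `keyword` is the right choice for audit fields that arrive as hex or octal strings, but `exit` as `integer` will reject a record whose producer emits the interpreted form (a symbolic errno name) unless the ingestion side normalises it first, which is worth confirming against the event writer.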
11 changes: 8 additions & 3 deletions config/linux/config.yml
@@ -1,13 +1,18 @@
nodename: "FIM"
node: "FIM"

# Events configuration, where to store produced events
events:
destination: file
file: /var/lib/fim/events.json

# Monitor files and folders.
# Audit extended files and folders information
audit:
- path: /tmp
labels: ["tmp", "linux"]
ignore: [".swp"]

# Simple files and folders information
monitor:
- path: /tmp/
- path: /bin/
- path: /usr/bin/
labels: ["usr/bin", "linux"]
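Review bot: Renaming the top-level key `nodename` to `node` is a breaking change for every existing config.yml and nothing in the new file records it; the same rename appears in config/macos/config.yml and config/windows/config.yml. A comment above the key, `# node: name of this host as it appears in emitted events (key was "nodename" in 0.3.x)`, plus a warning from the loader when the old key is still present (not visible in these sections), would keep upgrades from silently ignoring the old value. The new `audit` stanza watches `/tmp` with `ignore: [".swp"]`; `/tmp` is world-writable and high-churn, so the matching rule behind `ignore` (suffix, substring or glob) should be stated next to it, e.g. `# ignore: drop events whose path contains any of these strings`, once confirmed against the implementation. The header `# Simple files and folders information` would read more precisely as `# Monitor: file change events without process/audit information`.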
2 changes: 1 addition & 1 deletion config/macos/config.yml
@@ -1,4 +1,4 @@
nodename: "FIM"
node: "FIM"

# Events configuration, where to store produced events
events:
2 changes: 1 addition & 1 deletion config/windows/config.yml
@@ -1,4 +1,4 @@
nodename: "FIM"
node: "FIM"

# Events configuration, where to store produced events
events:
4 changes: 2 additions & 2 deletions pkg/deb/debian/changelog
@@ -1,6 +1,6 @@
fim (0.3.2-1) bionic; urgency=medium
fim (0.4.0-1) bionic; urgency=medium

* More info: https://github.com/Achiefs/fim/releases/tag/v0.3.2
* More info: https://github.com/Achiefs/fim/releases/tag/v0.4.0

-- Jose Fernandez <[email protected]> Sat, 02 Jul 2022 20:00:00 +0000

3 changes: 3 additions & 0 deletions pkg/deb/repository/release/fim_0.4.0-1_amd64.deb
Git LFS file not shown
3 changes: 3 additions & 0 deletions pkg/deb/repository/release/fim_0.4.0-1_arm64.deb
Git LFS file not shown
3 changes: 3 additions & 0 deletions pkg/deb/repository/test/fim_0.4.0-1_amd64.deb
Git LFS file not shown
3 changes: 3 additions & 0 deletions pkg/deb/repository/test/fim_0.4.0-1_arm64.deb
Git LFS file not shown
2 changes: 1 addition & 1 deletion pkg/fim.1
Expand Up @@ -19,7 +19,7 @@
.\" *
.\" **************************************************************************
.\"
.TH fim 1 "01 Jun 2022" "FIM 0.3.2" "FIM Manual"
.TH fim 1 "01 Jun 2022" "FIM 0.4.0" "FIM Manual"

.SH NAME
.B FIM
4 changes: 2 additions & 2 deletions pkg/rpm/fim.spec
Expand Up @@ -99,8 +99,8 @@ rm -fr %{buildroot}
# -----------------------------------------------------------------------------

%changelog
* Sat Jul 02 2022 support <[email protected]> - 0.3.2
- More info: https://github.com/Achiefs/fim/releases/tag/v0.3.2
* Sat Jul 02 2022 support <[email protected]> - 0.4.0
- More info: https://github.com/Achiefs/fim/releases/tag/v0.4.0

* Wed Jun 01 2022 support <[email protected]> - 0.3.1
- More info: https://github.com/Achiefs/fim/releases/tag/v0.3.1
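Review bot: The rewritten `%changelog` entry keeps the 0.3.2 date, `* Sat Jul 02 2022 support <[email protected]> - 0.4.0`, although the commit is dated Oct 9, 2022; pkg/deb/debian/changelog keeps the same stale `Sat, 02 Jul 2022` stamp for its 0.4.0 entry. Editing the existing entry in place also erases the 0.3.2 release from the package history; the usual form is a new stanza above it, `* Sun Oct 09 2022 support <[email protected]> - 0.4.0` followed by its `- More info:` line, with the 0.3.2 stanza left untouched.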
3 changes: 3 additions & 0 deletions pkg/rpm/repository/release/fim-0.4.0-1.aarch64.rpm
Git LFS file not shown
3 changes: 3 additions & 0 deletions pkg/rpm/repository/release/fim-0.4.0-1.x86_64.rpm
Git LFS file not shown
3 changes: 3 additions & 0 deletions pkg/rpm/repository/test/fim-0.4.0-1.aarch64.rpm
Git LFS file not shown
3 changes: 3 additions & 0 deletions pkg/rpm/repository/test/fim-0.4.0-1.x86_64.rpm
Git LFS file not shown