- 1 nice-lad
- 1.1 Introduction
- 1.2 Features
- 1.3 Running the project
- 1.4 High Level Architecture
Narcissistic, Incredible, Completely Exceptional Logger of Access Denials
Nice-lad is a tool to collect and aggregate logs of access denials in system. The source of data are audit messages from DAC, Smack, Cynara and netfilter.
The purpose of nice-lad is to collect and normalize the selected audit logs and make them readable by unprivileged user. This might be helpful during debugging applications accessing restricted resources.
Nice-lad works as an audispd plugin.
Nice-lad was first introduced in July 2015.
- tizen.org: https://review.tizen.org/gerrit/gitweb?p=platform/core/security/nice-lad.git
- GitHub: https://github.com/Samsung/nice-lad
Nice-lad, as an audisp plugin, is fed with audit events. It parses and filters them to obtain and aggregate information useful in context of logging of access denials.
At the moment, the supported subsystems are:
- DAC denials on given groups
- Smack denials
- Cynara denials
- Netfilter denials (supported by Nether)
This software might be useful for developers trying to debug their applications. Once enabled, nice-lad will log access denials to journald. This may help understand and fix improperly configured applications (e.g. missing privileges in manifest).
- libauparse to parse audit events,
- Security Manager (where available) to obtain resource groups to monitor,
- journald (where available) or syslog to put aggregated logs.
Running the project
Nice-lad must be compiled using GBS.
Building and running requirements not provided by GBS:
To install, copy created rpms from GBS repo to your Tizen installation and install it using zypper or rpm. Zypper is preferred way as it installs required packages from repository.
On non Tizen systems
- cmake >= 2.8.3
- boost >= 1.57
- audit >= 2.4.3
- gmock 1.7.0 tested – required for tests only
- gcc >= 4.8.3 or clang >= 3.4
/* Possible build modes are: RELEASE, DEBUG, CCOV (enables code coverage) and PROFILING (enables code profiling). */
/* with tests or without tests. */
cmake .. -DGMOCK_ROOT=/path/to/gmock/root/directory [ -DCMAKE_BUILD_TYPE=<mode> ]
cmake .. -DWITH_TESTS=OFF [ -DCMAKE_BUILD_TYPE=<mode> ]
The package consists of following files (note, the exact paths are system-dependent):
Usage and configuration
Provided, the above config file is present in audisp plugins directory, nice-lad is automagically activated, when auditing service is run. In order to disable nice-lad, while keeping audit running, one need to edit the config to contain "active = no". To change collector(backend) log level, set "arg = -l LOG_LEVEL" where possible log levels are defined in syslog(3), default collector log level is LOG_INFO. It can by manually started with -h/--help parameter to print help message. If ran with invalid parameter it will be terminated and error will be logged to journald or syslog.
Reading the logs
Nice-lad will log access denials to journald (if available) or syslog with default or defined level. Below, are some examples:
Jul 10 10:11:04 HOSTNAME nice-lad: ACCESS DENIED ON SYSCALL syscall=open filename=/tmp/test exit=-13(Permission denied) gid=unknown(1234) object=test subject=_
Jul 10 10:11:09 HOSTNAME nice-lad: ACCESS DENIED ON SMACK object="test" subject="_" access=r
Jul 10 10:11:26 HOSTNAME nice-lad: ACCESS DENIED ON CYNARA client="test_client" user="test_user" privilege="http://tizen.org/privilege/account.read"
Jul 10 10:11:51 HOSTNAME nice-lad: ACCESS DENIED ON NETFILTER obj=User outif=eth0 proto=tcp saddr=10.0.2.16 sport=54460 daddr=220.127.116.11 dport=443
Nice-lad comes with a set of unit tests written in gmock. By adding new features or fixing bugs, please add or update tests.
To build in debug mode, for Tizen add to gbs flags `--define "build_type DEBUG"`, otherwise add following flag to cmake: `-DCMAKE_BUILD_TYPE=DEBUG`.