Security:nice-lad

From Tizen Wiki

nice-lad

Narcissistic, Incredible, Completely Exceptional Logger of Access Denials

Introduction

Project Goals

Nice-lad is a tool to collect and aggregate logs of access denials in the system. The sources of data are audit messages from DAC, Smack, Cynara and netfilter.

The purpose of nice-lad is to collect and normalize the selected audit logs and make them readable by an unprivileged user. This might be helpful when debugging applications that access restricted resources.

Nice-lad works as an audispd plugin.

Project History

Nice-lad was first introduced in July 2015.

Contact information

Name E-mail Function
Aleksander Zdyb a.zdyb@samsung.com Maintainer

Sources

Features

Nice-lad, as an audisp plugin, is fed with audit events. It parses and filters them to obtain and aggregate information useful in the context of logging access denials.

At the moment, the supported subsystems are:

  • DAC denials on given groups
  • Smack denials
  • Cynara denials
  • Netfilter denials (supported by Nether)

Tizen Context

This software might be useful for developers trying to debug their applications. Once enabled, nice-lad will log access denials to journald. This may help developers understand and fix improperly configured applications (e.g. missing privileges in the manifest).

In Tizen, nice-lad obtains resource groups from Security Manager, so only a limited number of rules is added to auditd.

Implemented standards

Nice-lad uses:

  • libauparse to parse audit events,
  • Security Manager (where available) to obtain resource groups to monitor,
  • journald (where available) or syslog to put aggregated logs.

Running the project

On Tizen

Compilation

Nice-lad must be compiled using GBS.

Building and running requirements not provided by GBS:

  • audit

Installation

To install, copy the created rpms from the GBS repo to your Tizen installation and install them using zypper or rpm. Zypper is the preferred way, as it installs required packages from the repository.

On non Tizen systems

Compilation requirements

  • cmake >= 2.8.3
  • boost >= 1.57
  • audit >= 2.4.3
  • gmock 1.7.0 tested – required for tests only
  • gcc >= 4.8.3 or clang >= 3.4

Compilation

  mkdir build
  cd build
  # Possible build modes are: RELEASE, DEBUG, CCOV (enables code coverage) and PROFILING (enables code profiling).
  # Configure with tests:
  cmake .. -DGMOCK_ROOT=/path/to/gmock/root/directory [ -DCMAKE_BUILD_TYPE=<mode> ]
  # or without tests:
  cmake .. -DWITH_TESTS=OFF [ -DCMAKE_BUILD_TYPE=<mode> ]
  make

Installation

make install

Files

The package consists of the following files (note that the exact paths are system-dependent):

  • /etc/audisp/plugins.d/nice_lad.conf
  • /usr/sbin/nice-lad
  • /usr/share/man/man8/nice-lad.8.gz
  • /usr/share/man/man8/nice_lad.conf.8.gz

Usage and configuration

Provided the above config file is present in the audisp plugins directory, nice-lad is automagically activated when the auditing service runs. To disable nice-lad while keeping audit running, edit the config so that it contains "active = no". To change the collector (backend) log level, set "arg = -l LOG_LEVEL", where the possible log levels are those defined in syslog(3); the default collector log level is LOG_INFO. It can be started manually with the -h/--help parameter to print a help message. If run with an invalid parameter, it terminates and an error is logged to journald or syslog.

Reading the logs

Nice-lad logs access denials to journald (if available) or syslog at the default or configured level. Below are some examples:

Jul 10 10:11:04 HOSTNAME nice-lad: ACCESS DENIED ON SYSCALL syscall=open filename=/tmp/test exit=-13(Permission denied) gid=unknown(1234) object=test subject=_

Jul 10 10:11:09 HOSTNAME nice-lad: ACCESS DENIED ON SMACK object="test" subject="_" access=r

Jul 10 10:11:26 HOSTNAME nice-lad: ACCESS DENIED ON CYNARA client="test_client" user="test_user" privilege="http://tizen.org/privilege/account.read"

Jul 10 10:11:51 HOSTNAME nice-lad: ACCESS DENIED ON NETFILTER obj=User outif=eth0 proto=tcp saddr=10.0.2.16 sport=54460 daddr=198.145.20.7 dport=443
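The lines above share one shape: a syslog header, the literal "ACCESS DENIED ON" plus the subsystem name, then key=value fields that are either bare or double-quoted (with annotations such as exit=-13(Permission denied) attached to bare values). The following parser is an added example, not part of nice-lad itself; it turns such lines into records, counts denials per subsystem, and lists the privileges Cynara refused per client, which is the first thing to compare against an application's manifest. The sample log is constructed from the examples on this page plus one unrelated line that must be ignored.

```python
import re
from collections import Counter

# Constructed sample log: the four example lines from this page plus one
# non-nice-lad line that the parser has to skip.
SAMPLE_LOG = """\
Jul 10 10:11:04 HOSTNAME nice-lad: ACCESS DENIED ON SYSCALL syscall=open filename=/tmp/test exit=-13(Permission denied) gid=unknown(1234) object=test subject=_
Jul 10 10:11:09 HOSTNAME nice-lad: ACCESS DENIED ON SMACK object="test" subject="_" access=r
Jul 10 10:11:26 HOSTNAME nice-lad: ACCESS DENIED ON CYNARA client="test_client" user="test_user" privilege="http://tizen.org/privilege/account.read"
Jul 10 10:11:51 HOSTNAME nice-lad: ACCESS DENIED ON NETFILTER obj=User outif=eth0 proto=tcp saddr=10.0.2.16 sport=54460 daddr=198.145.20.7 dport=443
Jul 10 10:12:00 HOSTNAME sshd[123]: Accepted publickey for root
"""

# Syslog header, the fixed "ACCESS DENIED ON <SUBSYSTEM>" marker, then the fields.
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) nice-lad: '
    r'ACCESS DENIED ON (?P<subsystem>[A-Z]+)(?P<rest>.*)$'
)
# key=value where the value is double-quoted (may contain spaces) or bare; a bare
# value may carry a trailing "(...)" annotation, e.g. -13(Permission denied).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+?(?:\([^)]*\))?))(?=\s|$)')


def parse_line(line):
    """Return a dict for a nice-lad denial line, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'timestamp': m.group('ts'), 'host': m.group('host'),
           'subsystem': m.group('subsystem')}
    for fm in FIELD_RE.finditer(m.group('rest')):
        key, quoted, bare = fm.group(1), fm.group(2), fm.group(3)
        rec[key] = quoted if quoted is not None else bare
    return rec


def summarize(log_text):
    """Parse a whole log and count denials per subsystem."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return records, Counter(r['subsystem'] for r in records)


def missing_privileges(records):
    """Privileges denied by Cynara, grouped by client (check these in the manifest)."""
    out = {}
    for r in records:
        if r['subsystem'] == 'CYNARA':
            out.setdefault(r['client'], set()).add(r['privilege'])
    return out


if __name__ == '__main__':
    recs, per_subsystem = summarize(SAMPLE_LOG)
    print(dict(per_subsystem))
    print(missing_privileges(recs))
```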

Testing

Nice-lad comes with a set of unit tests written in gmock. When adding new features or fixing bugs, please add or update the tests.

Debugging

To build in debug mode, on Tizen add `--define "build_type DEBUG"` to the gbs flags; otherwise add the following flag to cmake: `-DCMAKE_BUILD_TYPE=DEBUG`.

High Level Architecture

High Level Architecture of nice-lad