command-line options: validate #15

Closed
juju4 opened this issue Sep 18, 2021 · 7 comments
Comments

@juju4

juju4 commented Sep 18, 2021

As a best practice, the laurel executable should have a test/dry-run/foreground option to test the configuration (syntax and working execution).

@hillu
Collaborator

hillu commented Sep 20, 2021

You can just run the laurel executable without any parameters and pipe auditd log lines into its STDIN. (But don't forget the EOE messages, at least for now.)

It will write its log to an audit.log file in the current working directory and will not do any rotation. Is this what you wanted to do?

@juju4
Author

juju4 commented Sep 20, 2021

Having a full event set seems to be a partial issue.

# tail -100 /var/log/audit/audit.log  | laurel ; echo $?; cat audit.log
0
{"warning":"Not dropping privileges -- no user configured"}
{"notice":{"program":"laurel","action":"start","euid":0,"config":{"user":null,"directory":".","auditlog":{"file":"audit.log","read-users":null,"size":null,"generations":null},"debuglog":null}}}
{"ID":"1632177775.990:2484140","PROCTITLE":{"proctitle":"/usr/bin/snap%00run%00nextcloud.mysql"}}
{"ID":"1632177779.650:2484144","SECCOMP":{"auid":4294967295,"uid":13,"gid":13,"ses":4294967295,"pid":43986,"comm":"squid","exe":"/usr/sbin/squid","sig":0,"arch":"0xc000003e","syscall":41,"compat":0,"ip":"0x7f52c084ad57","code":"0x50000"}}
{"ID":"1632177797.722:2484171","SECCOMP":{"auid":4294967295,"uid":13,"gid":13,"ses":4294967295,"pid":43986,"comm":"squid","exe":"/usr/sbin/squid","sig":0,"arch":"0xc000003e","syscall":41,"compat":0,"ip":"0x7f52c084ad57","code":"0x50000"}}
{"notice":{"program":"laurel","action":"stop","stats":{"lines":100,"events":3,"errors":0}}}
# tail -100 /var/log/audit/audit.log  | laurel -c /etc/laurel/config.toml; echo $?; cat audit.log
0
cat: audit.log: No such file or directory
# cat /etc/laurel/config.toml 
#
# This file is managed by Ansible.
#
# template: laurel.toml.j2
# user: user
# host: lab1
#

# Write log files relative to this directory
directory = "/var/log/laurel"
# Drop privileges from root to this user
user = "_laurel"

[auditlog]
# Base file name for the JSONL-based log file
file = "audit.log"
# Rotate when log file reaches this size (in bytes)
size = 10000000
# When rotating, keep this number of generations around
generations = 10
# Grant read permissions on the log files to these users, using
# POSIX ACLs
#read-users = [ "splunk" ]

Part is validating processing, part is syntax. Something that can be used, for example, in an Ansible template deployment to ensure a broken config is not deployed:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html#parameter-validate
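
A validator along the lines juju4 is asking for, written here as an added example rather than anything from the Laurel project: a small Python script that checks a config.toml like the one above and reports problems with line numbers, so it can be wired into the Ansible template module's validate parameter (for instance `validate: python3 check_laurel_config.py %s`; the script name is an assumption). It understands only the TOML subset that file uses (full-line comments, section headers, strings, integers, arrays of strings), and the allowed keys and types are an assumption read off that file and off the keys in Laurel's start notice, not Laurel's own schema.

```python
"""Added example: line-aware sanity check for a Laurel-style config.toml.
Only the TOML subset used by the config in this issue is understood. SCHEMA
is an assumption derived from that file and from the keys in Laurel's start
notice; it is not Laurel's own validation code."""
import re
import sys

# dotted key -> (expected type, required)   (assumed schema)
SCHEMA = {
    "directory": (str, True),
    "user": (str, False),
    "auditlog.file": (str, True),
    "auditlog.size": (int, False),
    "auditlog.generations": (int, False),
    "auditlog.read-users": (list, False),
}
_SECTION = re.compile(r"^\[\s*([A-Za-z0-9_.-]+)\s*\]$")
_KV = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.+)$")
_STR = re.compile(r'^"([^"]*)"$')


def _parse_value(raw):
    """Parse a string, integer or array-of-strings literal; None if unsupported."""
    m = _STR.match(raw)
    if m:
        return m.group(1)
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1].strip()
        items = [s.strip() for s in inner.split(",")] if inner else []
        if all(_STR.match(s) for s in items):
            return [s[1:-1] for s in items]
    return None


def parse_config(text):
    """Return (values, problems): values maps dotted key -> (value, line);
    problems is a list of (line, message) for lines that were not accepted."""
    values, problems, section = {}, [], ""
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or full-line comment
        m = _SECTION.match(stripped)
        if m:
            section = m.group(1)
            continue
        m = _KV.match(stripped)
        if not m:
            problems.append((no, f"cannot parse line: {stripped!r}"))
            continue
        key = f"{section}.{m.group(1)}" if section else m.group(1)
        raw = m.group(2).strip()
        value = _parse_value(raw)
        if value is None:
            problems.append((no, f"unsupported value for {key}: {raw!r}"))
        elif key in values:
            problems.append((no, f"duplicate key {key} (first set on line {values[key][1]})"))
        else:
            values[key] = (value, no)
    return values, problems


def validate_config(text):
    """Return sorted (line, message) problems; line 0 means a whole-file problem."""
    values, problems = parse_config(text)
    for key, (value, no) in values.items():
        if key not in SCHEMA:
            problems.append((no, f"unknown key {key}"))
        elif not isinstance(value, SCHEMA[key][0]):
            problems.append((no, f"{key} must be {SCHEMA[key][0].__name__}, "
                                 f"got {type(value).__name__}"))
        elif isinstance(value, int) and value < 0:
            problems.append((no, f"{key} must not be negative"))
    for key, (_, required) in SCHEMA.items():
        if required and key not in values:
            problems.append((0, f"missing required key {key}"))
    return sorted(problems)


# Constructed sample inputs: a copy of the issue's config and a broken variant.
GOOD_CONFIG = """\
# Write log files relative to this directory
directory = "/var/log/laurel"
# Drop privileges from root to this user
user = "_laurel"

[auditlog]
file = "audit.log"
size = 10000000
generations = 10
#read-users = [ "splunk" ]
"""
BAD_CONFIG = """\
user = "_laurel"
some useless line
[auditlog]
file = "audit.log"
size = "ten megabytes"
generations = -1
read-users = [ "splunk", "auditor" ]
"""


def main(argv):
    """Usage: check_laurel_config.py /etc/laurel/config.toml (exit 1 on problems)."""
    path = argv[1] if len(argv) > 1 else "/etc/laurel/config.toml"
    with open(path, encoding="utf-8") as fh:
        problems = validate_config(fh.read())
    for no, msg in problems:
        print(f"{path}:{no}: {msg}" if no else f"{path}: {msg}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against BAD_CONFIG this reports the missing directory key, the unparsable line 2, the string-valued size on line 5 and the negative generations on line 6, and exits non-zero, which is what the Ansible validate hook needs to refuse the template. A real deployment would pair this with the binary's own dry-run once it exists, since a syntax check cannot tell whether the directory or user actually exist on the host.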

@hillu
Collaborator

hillu commented Sep 21, 2021

Thanks for the clarification.

I'm not really sure how one should test with live data. I think, for the time being, I should just add a --dry-run switch that causes Laurel to try to parse the configuration and exit.

@hillu
Collaborator

hillu commented Sep 21, 2021

@juju4 Does #18 help?

@hillu
Collaborator

hillu commented Sep 25, 2021

@juju4 ping?

@juju4
Author

juju4 commented Sep 26, 2021

Sorry for the delay.

# /usr/local/bin/laurel -d
# /usr/local/bin/laurel -d -c /etc/laurel/config.toml
#

I tried with an expected valid config file and after adding some useless line, with the same results.

Ideally, on success or failure, I would add some output to confirm the laurel version, the config file used, whether the syntax is OK or not and, if not, which lines are problematic.

Thanks!

Note: when publishing releases, it would be nice to add checksums (sha256...).

@hillu
Collaborator

hillu commented Dec 3, 2022

There is now a --version parameter.

@hillu hillu closed this as completed Dec 10, 2022