%attr(700,root,root) %{_sbindir}/audit-trail-rules-test
%attr(700,root,root) %{_sbindir}/audit-trail-overhead-test
%{audit_base_dir}/test_module.ko
+
+%package -n audit-trail-sample
+Summary: Sample tools for audit trail demonstration
+Group: Security/Testing
+Requires: %{name} = %{version}-%{release}
+
+%description -n audit-trail-sample
+The audit-trail-sample package contains test tools for demonstration
+
+%files -n audit-trail-sample
+%manifest audit-trail.manifest
+%defattr(644,root,root,755)
+%attr(700,root,root) %{_sbindir}/audit-analyzer
#
SET(AUDIT_TRAIL_CLI ${AUDIT_TRAIL_TOOLS}/cli)
SET(AUDIT_TRAIL_TEST ${AUDIT_TRAIL_TOOLS}/tests)
+SET(AUDIT_TRAIL_SAMPLE ${AUDIT_TRAIL_TOOLS}/sample/analysis)
ADD_SUBDIRECTORY(${AUDIT_TRAIL_CLI})
ADD_SUBDIRECTORY(${AUDIT_TRAIL_TEST})
+ADD_SUBDIRECTORY(${AUDIT_TRAIL_SAMPLE})
--- /dev/null
+#
+# Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+SET(SERVER_SRCS main.cpp analyzer.cpp)
+SET(DEPENDENCY klay
+ glib-2.0
+)
+SET(SERVER_NAME audit-analyzer)
+
+ADD_EXECUTABLE(${SERVER_NAME} ${SERVER_SRCS})
+PKG_CHECK_MODULES(SERVER_DEPS REQUIRED ${DEPENDENCY})
+
+SET_TARGET_PROPERTIES(${SERVER_NAME} PROPERTIES COMPILE_FLAGS "-fPIE")
+SET_TARGET_PROPERTIES(${SERVER_NAME} PROPERTIES LINK_FLAGS "-pie")
+
+INCLUDE_DIRECTORIES(SYSTEM ${SERVER_DEPS_INCLUDE_DIRS} ${AUDIT_TRAIL_LIB})
+TARGET_LINK_LIBRARIES(${SERVER_NAME} ${SERVER_DEPS_LIBRARIES} ${PROJECT_NAME} audit-trail)
+
+INSTALL(TARGETS ${SERVER_NAME} DESTINATION sbin)
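Review bot: `INCLUDE_DIRECTORIES(SYSTEM ...)` at L52 is directory-scoped, so the dependency include paths leak to every target defined in this directory rather than being attached to audit-analyzer alone; the target-scoped form `TARGET_INCLUDE_DIRECTORIES(${SERVER_NAME} SYSTEM PRIVATE ${SERVER_DEPS_INCLUDE_DIRS} ${AUDIT_TRAIL_LIB})` says exactly which target needs them. The two SET_TARGET_PROPERTIES calls can likewise become `SET_TARGET_PROPERTIES(${SERVER_NAME} PROPERTIES POSITION_INDEPENDENT_CODE ON LINK_FLAGS "-pie")`, which lets CMake pick the PIE compile flag per compiler instead of hard-coding `-fPIE`. The link line at L53 names both `${PROJECT_NAME}` and `audit-trail`; if those resolve to the same library one is redundant, but that cannot be told from this file.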
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include <iostream> //TBD: removed
+#include "analyzer.h"
+
+AuditAnalyzer::AuditAnalyzer()
+ : auditTrail(nullptr), callbackId(0)
+{
+}
+
+AuditAnalyzer::~AuditAnalyzer()
+{
+ terminate();
+}
+
+void AuditAnalyzer::run()
+{
+ //start analyzer
+ runMonitor();
+ mainloop.run();
+}
+
+void AuditAnalyzer::terminate()
+{
+ //terminate analyzer
+ ::audit_trail_remove_system_log_cb(auditTrail, callbackId);
+ ::audit_trail_destroy(auditTrail);
+ mainloop.stop();
+}
+
+void AuditAnalyzer::runMonitor()
+{
+ //add callback to get system logs
+ audit_trail_create(&auditTrail);
+ if (auditTrail == nullptr)
+ throw runtime::Exception("Failed to create audit context");
+
+ ::audit_trail_add_system_log_cb(auditTrail, auditCallbackDispatcher,
+ reinterpret_cast<void*>(this), &callbackId);
+}
+
+void AuditAnalyzer::auditCallbackDispatcher(void *log, void *data)
+{
+ AuditAnalyzer *analyzer = nullptr;
+ analyzer = reinterpret_cast<AuditAnalyzer *>(data);
+ analyzer->analysis(reinterpret_cast<SystemLog>(log));
+}
+
+void AuditAnalyzer::analysis(SystemLog log)
+{
+ //parse system logs and check suspicious elements
+ int ret = parseLog(log);
+ //if parseLog's return value is not -1,
+ if (ret != -1)
+ sendNotification(ret);
+}
+
+int AuditAnalyzer::parseLog(SystemLog log)
+{
+ int ret = -1;
+ unsigned int syscall = 0;
+ //test code
+ std::cout << "[Parse Log] : ";
+ ::audit_system_log_get_action_systemcall(log, &syscall);
+ std::cout << "syscall = " << syscall << std::endl;
+
+ //check logs
+ //return suspicious activity type. if not suspicious, return -1
+ return ret;
+}
+
+void AuditAnalyzer::sendNotification(int result)
+{
+ //call noti app
+}
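Review bot: `terminate()` (L92-98) hands `auditTrail` to `audit_trail_remove_system_log_cb` and `audit_trail_destroy` unconditionally, yet the destructor (L80-83) also calls it, so after a failed `runMonitor()` (handle still nullptr, L104-105) or after an explicit `terminate()` followed by destruction the library is asked to remove/destroy a null or already-destroyed handle. The fix is to make `terminate()` idempotent by guarding on the handle and resetting it, and to check the status `audit_trail_add_system_log_cb` returns in `runMonitor()` (its signature is not visible here; the `!= 0` below assumes an int status) so a failed registration does not leave `callbackId` at its initial 0 for the later remove. `auditCallbackDispatcher` can use `static_cast` instead of `reinterpret_cast` if the handle types are pointer typedefs, and since the binary is packaged root-only under sbin, the `#include <iostream> //TBD: removed` and the per-event `std::cout` in `parseLog` should not survive past the sample stage.

```cpp
void AuditAnalyzer::terminate()
{
	// Idempotent: safe from the destructor after a failed runMonitor()
	// or after an earlier explicit terminate().
	if (auditTrail != nullptr) {
		::audit_trail_remove_system_log_cb(auditTrail, callbackId);
		::audit_trail_destroy(auditTrail);
		auditTrail = nullptr;
		callbackId = 0;
	}
	mainloop.stop();
}

void AuditAnalyzer::runMonitor()
{
	// … unchanged: audit_trail_create and the nullptr check …
	if (::audit_trail_add_system_log_cb(auditTrail, auditCallbackDispatcher,
	                                    static_cast<void*>(this), &callbackId) != 0) {
		::audit_trail_destroy(auditTrail);
		auditTrail = nullptr;
		throw runtime::Exception("Failed to add audit callback");
	}
}
```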
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __AUDIT_ANALYZER_H__
+#define __AUDIT_ANALYZER_H__
+
+#include <audit-trail/system-log.h>
+#include <klay/mainloop.h>
+#include <klay/exception.h>
+
+#include "type.h"
+
+class AuditAnalyzer final {
+public:
+ using AuditTrail = audit_trail_h;
+ using SystemLog = audit_system_log_h;
+ AuditAnalyzer();
+ ~AuditAnalyzer();
+
+ void run();
+ void terminate();
+
+private:
+ void runMonitor();
+ void analysis(SystemLog log);
+
+ int parseLog(SystemLog log);
+ void sendNotification(int result);
+ static void auditCallbackDispatcher(void *log, void *data);
+
+private:
+ runtime::Mainloop mainloop;
+ AuditTrail auditTrail;
+ int callbackId;
+};
+
+#endif /*__AUDIT_ANALYZER_H__*/
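Review bot: `AuditAnalyzer` owns a raw `audit_trail_h` handle that its destructor releases through `terminate()`, but copy and move operations are left implicitly defaulted, so a copied instance would leave two objects destroying the same handle. Add `AuditAnalyzer(const AuditAnalyzer&) = delete;` and `AuditAnalyzer& operator=(const AuditAnalyzer&) = delete;` next to the destructor declaration (the class is already `final`, so nothing else needs to change). The include guard `__AUDIT_ANALYZER_H__` is a reserved double-underscore identifier; `AUDIT_ANALYZER_H` (or `#pragma once`, if the project allows it) avoids that.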
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include <iostream>
+#include <sys/stat.h>
+#include <signal.h>
+#include <klay/gmainloop.h>
+#include "analyzer.h"
+
+void signalHandler(int signal)
+{
+ exit(0);
+}
+
+class AnalyzerGMainLoop {
+public:
+ AnalyzerGMainLoop() :
+ mainloop(::g_main_loop_new(NULL, FALSE), ::g_main_loop_unref)
+ {
+ handle = std::thread(g_main_loop_run, mainloop.get());
+ }
+ ~AnalyzerGMainLoop()
+ {
+ while (!g_main_loop_is_running(mainloop.get())) {
+ std::this_thread::yield();
+ }
+ ::g_main_loop_quit(mainloop.get());
+ handle.join();
+ }
+private:
+ std::unique_ptr<GMainLoop, void(*)(GMainLoop*)> mainloop;
+ std::thread handle;
+};
+
+int main(int argc, char *argv[])
+{
+ ::signal(SIGINT, signalHandler);
+ ::umask(0);
+
+ try {
+ AnalyzerGMainLoop gmainloop;
+ AuditAnalyzer analyzer;
+ analyzer.run();
+ } catch (runtime::Exception &e) {
+ std::cout << "Error : " << e.what() << std::endl;
+ return -1;
+ }
+ return EXIT_SUCCESS;
+}
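Review bot: `::umask(0);` at L246 clears the file-creation mask of a process that the spec installs root-only under sbin, so any file, socket or log that the analyzer or the libraries it calls into create from then on defaults to world-writable. Nothing in this file creates a file that needs that, so drop the line, or use `::umask(077);` if a mask must be set at all. `signalHandler` calls `exit(0)` directly from the handler, which runs atexit handlers and static destructors while the glib thread started in `AnalyzerGMainLoop` may still be running and is not async-signal-safe; a handler should only set a flag or call `_exit`, with the orderly shutdown (`analyzer.terminate()`) driven from `main`. `std::thread` is used without `#include <thread>`; presumably it arrives through klay/gmainloop.h, but an explicit include keeps this file from depending on that.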
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __AUDIT_SUSPICIOUS_TYPE_H__
+#define __AUDIT_SUSPICIOUS_TYPE_H__
+
+enum SuspiciousActivity {
+ UnixSocketHijacking = 0,
+ BruteForceForDMCrypt,
+ ModifyFilePermForDAC,
+ ModifyFilePermForMAC,
+ ModifyMACPolicy,
+ MountDevice,
+ ModifyLibraries,
+ UseKernelModule,
+ Debugging,
+ PrivilegeEscalation,
+ Invalid,
+};
+
+#endif /*__AUDIT_SUSPICIOUS_TYPE_H__*/
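Review bot: `SuspiciousActivity` declares an `Invalid` member, but the analyzer that includes this header still reports "nothing suspicious" with a bare `-1` from `parseLog` and passes a plain `int` to `sendNotification`, so the enum is not yet the type that flows through the analysis path. Declaring it `enum class SuspiciousActivity { ... Invalid };`, returning `SuspiciousActivity::Invalid` from `parseLog` and taking `SuspiciousActivity` in `sendNotification` would let the compiler check the dispatch instead of relying on a sentinel. The guard `__AUDIT_SUSPICIOUS_TYPE_H__` is in the reserved double-underscore namespace; `AUDIT_SUSPICIOUS_TYPE_H` avoids it.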