Narcissistic, Incredible, Completely Exceptional Logger of Access Denials

Nice-lad is a tool to collect and aggregate logs of access denials in the system.
The data sources are audit messages from DAC, Smack, Cynara and netfilter.

The purpose of nice-lad is to collect and normalize the selected audit logs
and make them readable by an unprivileged user. This can be helpful when
debugging applications that access restricted resources.

Nice-lad works as an [audispd][1] plugin.

[1]: http://linux.die.net/man/8/audispd "audispd"

Nice-lad was first introduced in July 2015.

### Contact information
| Name            | E-mail                  | Function              |
|-----------------|-------------------------|-----------------------|
| Aleksander Zdyb | [a.zdyb@samsung.com][2] | Developer, Maintainer |

[2]: mailto:a.zdyb@samsung.com "Aleksander Zdyb"

Nice-lad can be obtained from either of these equivalent locations:

* [Tizen](https://review.tizen.org/gerrit/gitweb?p=platform/core/security/nice-lad.git)
* [GitHub](https://github.com/Samsung/nice-lad)

Nice-lad, as an audisp plugin, is fed with audit events. It parses and filters
them to obtain and aggregate information useful in the context of logging of access

At the moment, the supported subsystems are:

* DAC denials on given groups,
* [Cynara][3] denials,
* Netfilter denials (supported by [Nether][4]).

[3]: https://github.com/Samsung/cynara "Cynara"
[4]: https://github.com/Samsung/nether "Nether"

### Implanted standards

* libauparse to parse audit events,
* [Security Manager][5] (where available) to obtain resource groups to monitor,
* journald (where available) or syslog to put aggregated logs.

[5]: https://github.com/Samsung/security-manager "Security Manager"

## Running the project
The package consists of the following files (note, the exact paths are

* /etc/audisp/plugins.d/nice_lad.conf,

Provided the above config file is present in the audisp plugins directory, nice-lad
is activated automatically when the auditing service is run. To disable
nice-lad while keeping audit running, one needs to edit the config to contain

Nice-lad will log access denials to journald (if available) or syslog at
informational level. Below are some examples:

```
Jul 10 10:11:04 HOSTNAME nice-lad: ACCESS DENIED ON SYSCALL syscall=open filename=/tmp/test exit=-13(Permission denied) gid=unknown(1234) object=test subject=_
Jul 10 10:11:09 HOSTNAME nice-lad: ACCESS DENIED ON SMACK object="test" subject="_" access=r
Jul 10 10:11:26 HOSTNAME nice-lad: ACCESS DENIED ON CYNARA client="test_client" user="test_user" privilege="http://tizen.org/privilege/account.read"
Jul 10 10:11:51 HOSTNAME nice-lad: ACCESS DENIED ON NETFILTER obj=User outif=eth0 proto=tcp saddr=10.0.2.16 sport=54460 daddr=198.145.20.7 dport=443
```
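
The messages share an `ACCESS DENIED ON <SUBSYSTEM> key=value ...` layout, so they can be post-processed into per-subsystem summaries. The Python sketch below is an added example, not part of nice-lad; it assumes the syslog-style format of the sample lines above (embedded as its input), and the names `parse_denial` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Input: the four sample lines from this README, embedded so the script runs offline.
SAMPLE = """\
Jul 10 10:11:04 HOSTNAME nice-lad: ACCESS DENIED ON SYSCALL syscall=open filename=/tmp/test exit=-13(Permission denied) gid=unknown(1234) object=test subject=_
Jul 10 10:11:09 HOSTNAME nice-lad: ACCESS DENIED ON SMACK object="test" subject="_" access=r
Jul 10 10:11:26 HOSTNAME nice-lad: ACCESS DENIED ON CYNARA client="test_client" user="test_user" privilege="http://tizen.org/privilege/account.read"
Jul 10 10:11:51 HOSTNAME nice-lad: ACCESS DENIED ON NETFILTER obj=User outif=eth0 proto=tcp saddr=10.0.2.16 sport=54460 daddr=198.145.20.7 dport=443
"""

# Assumed layout (taken from the samples): "nice-lad: ACCESS DENIED ON <SUBSYSTEM> k=v ..."
LINE_RE = re.compile(r"nice-lad: ACCESS DENIED ON (?P<subsystem>[A-Z]+)\s*(?P<fields>.*)$")
# A value is either double-quoted, or a bare token optionally followed by a
# parenthesised annotation that may contain spaces, e.g. exit=-13(Permission denied).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]*(?:\([^)]*\))?)')


def parse_denial(line):
    """Return a dict for one nice-lad denial line, or None for any other line."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    record = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group("fields"))}
    record["subsystem"] = match.group("subsystem")
    return record


def summarize(lines):
    """Parse all lines; return (records, per-subsystem denial counts)."""
    records = [r for r in map(parse_denial, lines) if r is not None]
    return records, Counter(r["subsystem"] for r in records)


if __name__ == "__main__":
    records, counts = summarize(SAMPLE.splitlines())
    for subsystem, count in counts.most_common():
        print(f"{subsystem}: {count}")
    for record in records:
        print(record)
```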

Nice-lad comes with a set of unit tests written in [gmock][6]. When adding new
features or fixing bugs, please add or update tests.

[6]: http://gmock.org/ "Gmock"