laurel
command-line options: validate
As a best practice, the laurel executable should have a test/dry-run/foreground option to test the configuration (syntax and working execution).
You can just run the laurel executable without any parameters and pipe auditd log lines into its STDIN. (But don't forget the EOE messages, at least for now.)
It will write its log to an audit.log file in the current working directory and will not do any rotation. Is this what you wanted to do?
Having a full event set seems to be a partial issue.
# tail -100 /var/log/audit/audit.log | laurel ; echo $?; cat audit.log
0
{"warning":"Not dropping privileges -- no user configured"}
{"notice":{"program":"laurel","action":"start","euid":0,"config":{"user":null,"directory":".","auditlog":{"file":"audit.log","read-users":null,"size":null,"generations":null},"debuglog":null}}}
{"ID":"1632177775.990:2484140","PROCTITLE":{"proctitle":"/usr/bin/snap%00run%00nextcloud.mysql"}}
{"ID":"1632177779.650:2484144","SECCOMP":{"auid":4294967295,"uid":13,"gid":13,"ses":4294967295,"pid":43986,"comm":"squid","exe":"/usr/sbin/squid","sig":0,"arch":"0xc000003e","syscall":41,"compat":0,"ip":"0x7f52c084ad57","code":"0x50000"}}
{"ID":"1632177797.722:2484171","SECCOMP":{"auid":4294967295,"uid":13,"gid":13,"ses":4294967295,"pid":43986,"comm":"squid","exe":"/usr/sbin/squid","sig":0,"arch":"0xc000003e","syscall":41,"compat":0,"ip":"0x7f52c084ad57","code":"0x50000"}}
{"notice":{"program":"laurel","action":"stop","stats":{"lines":100,"events":3,"errors":0}}}
# tail -100 /var/log/audit/audit.log | laurel -c /etc/laurel/config.toml; echo $?; cat audit.log
0
cat: audit.log: No such file or directory
# cat /etc/laurel/config.toml
#
# This file is managed by Ansible.
#
# template: laurel.toml.j2
# user: user
# host: lab1
#
# Write log files relative to this directory
directory = "/var/log/laurel"
# Drop privileges from root to this user
user = "_laurel"
[auditlog]
# Base file name for the JSONL-based log file
file = "audit.log"
# Rotate when log file reaches this size (in bytes)
size = 10000000
# When rotating, keep this number of generations around
generations = 10
# Grant read permissions on the log files to these users, using
# POSIX ACLs
#read-users = [ "splunk" ]
Part of it is validating processing, part is syntax. Something that can be used, for example, in an Ansible template deployment to ensure a broken config is not deployed: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html#parameter-validate
Thanks for the clarification.
I'm not really sure how one should test with live data. I think, for the time being, I should just add a --dry-run switch that causes Laurel to try to parse the configuration and exit.
@juju4 Does #18 help?
@juju4 ping?
Sorry for the delay.
# /usr/local/bin/laurel -d
# /usr/local/bin/laurel -d -c /etc/laurel/config.toml
#
I tried with an expected valid config file and, after adding some useless line, got the same results.
Ideally, on success or failure, I would add some output to confirm the laurel version, the config file used, whether the syntax is OK or not, and if not, which lines are problematic.
Thanks!
Note: when publishing releases, it would be nice to add checksums (sha256...).
There is now a --version parameter.