update auditing

Signed-off-by: Simon Davies <[email protected]>

Author: simongdavies

.github/workflows/dep_rust.yml

@@ -47,13 +47,33 @@ jobs:
           matrix.hypervisor == 'hyperv' && 'win2022' || matrix.hypervisor == 'hyperv-ws2025' && 'win2025' || matrix.hypervisor == 'mshv3' && 'azlinux3-mshv' || matrix.hypervisor, 
           matrix.cpu)) }} 
     steps:
+      - name: Capture pre-workflow baseline
+        if: runner.os == 'Linux'
+        run: |
+          echo "=== Pre-Workflow System State ==="
+          echo "Timestamp: $(date)"
+          echo ""
+          echo "Initial device state:"
+          ls -la /dev/kvm /dev/mshv 2>/dev/null || echo "Hypervisor devices don't exist yet"
+          echo ""
+          echo "Loaded kernel modules:"
+          lsmod | grep -E "(kvm|mshv)" || echo "No KVM/MSHV modules loaded"
+          echo ""
+          echo "Current user and groups:"
+          echo "User: $(whoami)"
+          echo "Groups: $(groups)"
+          echo ""
+          echo "Initial audit log state:"
+          sudo wc -l /var/log/audit/audit.log 2>/dev/null || echo "No audit log exists yet"
+
       - uses: actions/checkout@v4
 
-      # Set up auditd monitoring for /dev/kvm permission changes
-      - name: Setup auditd monitoring for hypervisor devices
+      # Set up comprehensive auditd monitoring
+      - name: Setup comprehensive auditd monitoring
         if: runner.os == 'Linux'
         run: |
-          echo "Setting up auditd monitoring for hypervisor devices..."
+          echo "Setting up comprehensive auditd monitoring for hypervisor devices..."
+          
           # Install auditd if not present
           if ! command -v auditctl &> /dev/null; then
             if command -v dnf &> /dev/null; then
@@ -66,13 +86,39 @@ jobs:
           # Start auditd service
           sudo systemctl start auditd || sudo service auditd start || echo "Failed to start auditd, continuing..."
           
-          # Add audit rules for /dev/kvm and /dev/mshv
-          sudo auditctl -w /dev/kvm -p wa -k hypervisor_kvm || echo "Failed to add KVM audit rule"
-          sudo auditctl -w /dev/mshv -p wa -k hypervisor_mshv || echo "Failed to add MSHV audit rule"
+          # Clear existing rules to start fresh
+          sudo auditctl -D || true
+          
+          # Monitor the entire /dev directory for device creation/changes
+          sudo auditctl -w /dev/ -p wa -k device_changes || echo "Failed to add /dev/ monitoring"
+          
+          # Monitor specific hypervisor devices with all permissions
+          sudo auditctl -w /dev/kvm -p rwxa -k hypervisor_kvm || echo "Failed to add KVM audit rule"
+          sudo auditctl -w /dev/mshv -p rwxa -k hypervisor_mshv || echo "Failed to add MSHV audit rule"
+          
+          # Monitor udev rules and execution that could affect device permissions
+          sudo auditctl -w /etc/udev/rules.d/ -p wa -k udev_rules || echo "Failed to monitor udev rules"
+          sudo auditctl -w /lib/udev/rules.d/ -p wa -k udev_rules || echo "Failed to monitor lib udev rules"
+          sudo auditctl -w /usr/lib/udev/ -p x -k udev_execution || echo "Failed to monitor udev execution"
+          
+          # Monitor system calls for permission changes
+          sudo auditctl -a always,exit -S chmod,fchmod,chown,fchown,lchown -k permission_syscalls || echo "Failed to monitor permission syscalls"
           
-          # List current audit rules
-          echo "Current audit rules:"
+          # Monitor specific binaries that could change permissions
+          sudo auditctl -w /usr/bin/chown -p x -k chown_exec || echo "Failed to monitor chown binary"
+          sudo auditctl -w /usr/bin/chmod -p x -k chmod_exec || echo "Failed to monitor chmod binary"
+          sudo auditctl -w /bin/chown -p x -k chown_exec || echo "Failed to monitor bin chown"
+          sudo auditctl -w /bin/chmod -p x -k chmod_exec || echo "Failed to monitor bin chmod"
+          
+          # Monitor systemd and related services that might affect devices
+          sudo auditctl -w /usr/lib/systemd/ -p x -k systemd_execution || echo "Failed to monitor systemd"
+          
+          echo ""
+          echo "Active audit rules:"
           sudo auditctl -l || echo "Failed to list audit rules"
+          echo ""
+          echo "Auditd status:"
+          sudo systemctl status auditd --no-pager || sudo service auditd status || echo "Failed to get auditd status"
 
       # For rust-fmt 
       - name: Set up nightly rust 
@@ -230,21 +276,47 @@ jobs:
           echo "CPU virtualization features:"
           grep -E "(vmx|svm)" /proc/cpuinfo | head -5 || echo "No CPU virtualization features found"
           echo ""
-          echo "=== Auditd Log Analysis ==="
+          echo "=== Comprehensive Auditd Log Analysis ==="
+          echo "Device creation/change events:"
+          sudo ausearch -k device_changes -ts today 2>/dev/null || echo "No device change events found"
+          echo ""
           echo "Hypervisor device audit events (KVM):"
-          sudo ausearch -k hypervisor_kvm -ts today 2>/dev/null || echo "No KVM audit events found or ausearch failed"
+          sudo ausearch -k hypervisor_kvm -ts today 2>/dev/null || echo "No KVM audit events found"
           echo ""
           echo "Hypervisor device audit events (MSHV):"
-          sudo ausearch -k hypervisor_mshv -ts today 2>/dev/null || echo "No MSHV audit events found or ausearch failed"
+          sudo ausearch -k hypervisor_mshv -ts today 2>/dev/null || echo "No MSHV audit events found"
+          echo ""
+          echo "Udev rules events:"
+          sudo ausearch -k udev_rules -ts today 2>/dev/null || echo "No udev rules events found"
+          echo ""
+          echo "Udev execution events:"
+          sudo ausearch -k udev_execution -ts today 2>/dev/null || echo "No udev execution events found"
+          echo ""
+          echo "Permission change syscalls:"
+          sudo ausearch -k permission_syscalls -ts today 2>/dev/null || echo "No permission syscall events found"
+          echo ""
+          echo "Chown/chmod binary executions:"
+          sudo ausearch -k chown_exec -ts today 2>/dev/null || echo "No chown execution events found"
+          sudo ausearch -k chmod_exec -ts today 2>/dev/null || echo "No chmod execution events found"
+          echo ""
+          echo "Systemd execution events:"
+          sudo ausearch -k systemd_execution -ts today 2>/dev/null || echo "No systemd execution events found"
+          echo ""
+          echo "All events affecting KVM device specifically:"
+          sudo ausearch -f /dev/kvm -ts today 2>/dev/null || echo "No specific /dev/kvm events found"
+          echo ""
+          echo "All events affecting MSHV device specifically:"
+          sudo ausearch -f /dev/mshv -ts today 2>/dev/null || echo "No specific /dev/mshv events found"
           echo ""
-          echo "Recent audit log entries (last 50 lines):"
-          sudo tail -50 /var/log/audit/audit.log 2>/dev/null || echo "Unable to read audit log"
+          echo "Complete audit log entries:"
+          sudo cat /var/log/audit/audit.log 2>/dev/null || echo "Unable to read audit log"
           echo ""
-          echo "File access audit events for /dev/kvm:"
-          sudo ausearch -f /dev/kvm -ts today 2>/dev/null || echo "No /dev/kvm access events found"
+          echo "=== Process and System Analysis ==="
+          echo "Currently running udev processes:"
+          ps aux | grep -E "(udev|systemd)" | grep -v grep || echo "No udev/systemd processes found"
           echo ""
-          echo "File access audit events for /dev/mshv:"
-          sudo ausearch -f /dev/mshv -ts today 2>/dev/null || echo "No /dev/mshv access events found"
+          echo "Udev rules containing KVM or MSHV:"
+          find /etc/udev/rules.d/ /lib/udev/rules.d/ -name "*.rules" -exec grep -l "kvm\|mshv" {} + 2>/dev/null | xargs cat 2>/dev/null || echo "No udev rules found for hypervisor devices"
           echo ""
-          echo "Permission change events:"
-          sudo ausearch -sc chmod,fchmod,chown,fchown,lchown -ts today 2>/dev/null | grep -E "(kvm|mshv)" || echo "No permission change events for hypervisor devices found"
+          echo "Available groups on system:"
+          getent group | grep -E "(kvm|mshv|libvirt)" || echo "No hypervisor-related groups found"