6464 - name : fmt
6565 run : just fmt-check
6666
67+ - name : Setup auditd rules for KVM monitoring
68+ if : runner.os == 'Linux'
69+ run : |
70+ echo "Setting up auditd rules for /dev/kvm monitoring..."
71+
72+ # Ensure auditd is running
73+ sudo systemctl start auditd || echo "Failed to start auditd, trying to continue..."
74+
75+ # Add audit rules for KVM device monitoring
76+ echo "Adding audit rules..."
77+
78+ # Monitor file operations on /dev/kvm
79+ sudo auditctl -w /dev/kvm -p rwxa -k hypervisor_kvm || echo "Failed to add /dev/kvm watch rule"
80+
81+ # Monitor device creation/deletion in /dev/
82+ sudo auditctl -w /dev/ -p wa -k device_changes || echo "Failed to add /dev/ watch rule"
83+
84+ # Monitor permission/ownership change syscalls
85+ sudo auditctl -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,fchownat,fchmodat -k permission_syscalls || echo "Failed to add permission syscalls rule"
86+
87+ # Monitor udev-related processes
88+ sudo auditctl -a always,exit -F comm=udevd -k device_changes || echo "Failed to add udevd monitoring rule"
89+ sudo auditctl -a always,exit -F comm=systemd-udevd -k device_changes || echo "Failed to add systemd-udevd monitoring rule"
90+
91+ # Show current audit rules
92+ echo "Current audit rules:"
93+ sudo auditctl -l || echo "Failed to list audit rules"
94+
95+ # Check audit status
96+ echo "Audit system status:"
97+ sudo auditctl -s || echo "Failed to get audit status"
98+
6799 - name : Start continuous device monitoring
68100 if : runner.os == 'Linux'
69101 run : |
@@ -374,97 +406,44 @@ jobs:
374406 just bench-ci main ${{ matrix.config }} ${{ matrix.hypervisor == 'mshv3' && 'mshv3' || ''}}
375407 if : ${{ matrix.config == 'release' }}
376408
377- # Show device change monitoring results on failure
378- - name : Show KVM device change analysis on failure
379- if : failure() && runner.os == 'Linux'
380- run : |
381- echo "=== KVM Device Change Analysis (Job Failed) ==="
382- echo "Timestamp: $(date)"
383- echo ""
384-
385- # Stop the monitoring process
386- if [ -f /tmp/kvm_monitor.pid ]; then
387- MONITOR_PID=$(cat /tmp/kvm_monitor.pid)
388- echo "Stopping monitor process (PID: $MONITOR_PID)..."
389- kill $MONITOR_PID 2>/dev/null || echo "Monitor process already stopped"
390- sleep 2
391- fi
392-
393- echo "=== Device Change Log Analysis ==="
394- if [ -f /tmp/kvm_device_changes.log ]; then
395- echo "🔍 Changes detected during job execution:"
396- cat /tmp/kvm_device_changes.log
397- else
398- echo "📝 No device changes detected (log file not found)"
399- fi
400- echo ""
401-
402- echo "=== What Caused Permission/Ownership Changes ==="
403- if [ -f /tmp/kvm_device_changes.log ] && grep -q "CHANGE DETECTED" /tmp/kvm_device_changes.log; then
404- echo "⚠️ Device permissions or ownership changed during the job!"
405- echo ""
406- echo "Summary of changes:"
407- grep -A 2 "CHANGE DETECTED" /tmp/kvm_device_changes.log || echo "Could not extract change summary"
408- echo ""
409- echo "Processes that may have caused changes:"
410- grep -A 10 "Active processes:" /tmp/kvm_device_changes.log | head -20 || echo "No process information captured"
411- echo ""
412- echo "Recent audit events related to changes:"
413- grep -A 10 "Recent audit events:" /tmp/kvm_device_changes.log | head -20 || echo "No audit events captured"
414- echo ""
415- echo "=== Auditd KVM Events ==="
416- if [ -f /tmp/kvm_audit_changes.log ]; then
417- echo "🔍 KVM-related audit events detected:"
418- cat /tmp/kvm_audit_changes.log
419- echo ""
420- echo "📊 Audit event statistics:"
421- echo "Total KVM audit events: $(grep -c "AUDIT EVENT" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")"
422- echo "Permission syscalls detected: $(grep -c "Permission/ownership syscall" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")"
423- echo "KVM-related syscalls: $(grep -c "KVM-related syscall detected" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")"
424- else
425- echo "📝 No auditd events captured"
426- fi
427- else
428- echo "✅ No device permission/ownership changes detected during job execution"
429- fi
430-
431- # Always check KVM device status at the end - runs regardless of job success/failure
432- - name : Final KVM device status check
409+ # Always show KVM device monitoring analysis - runs regardless of job success/failure
410+ - name : KVM device monitoring analysis and final status
433411 if : always() && runner.os == 'Linux'
434412 run : |
435- echo "=== Final KVM Device Status Check ==="
413+ echo "=== KVM Device Monitoring Analysis ==="
436414 echo "Timestamp: $(date)"
415+ echo "Job Status: ${{ job.status }}"
437416 echo ""
438417
439- # Stop the monitoring process if still running
418+ # Stop the monitoring processes if still running
440419 if [ -f /tmp/kvm_monitor.pid ]; then
441420 MONITOR_PID=$(cat /tmp/kvm_monitor.pid)
442421 echo "Stopping monitor process (PID: $MONITOR_PID)..."
443422 kill $MONITOR_PID 2>/dev/null || echo "Monitor process already stopped"
444423 sleep 2
445424 fi
446425
447- # Stop the audit monitoring process if still running
448426 if [ -f /tmp/audit_kvm_monitor.pid ]; then
449427 AUDIT_PID=$(cat /tmp/audit_kvm_monitor.pid)
450428 echo "Stopping audit monitor process (PID: $AUDIT_PID)..."
451429 kill $AUDIT_PID 2>/dev/null || echo "Audit monitor process already stopped"
452430 sleep 2
453431 fi
454432
433+ echo "=== Current KVM Device Status ==="
455434 echo "KVM device listing:"
456435 sudo ls -al /dev/kvm 2>/dev/null || echo "❌ /dev/kvm device not found or not accessible"
457436 echo ""
458- echo "All hypervisor -related devices:"
459- sudo ls -al /dev/ | grep -E "( kvm|hyperv) " 2>/dev/null || echo "No hypervisor devices found in /dev/"
437+ echo "Other KVM -related devices:"
438+ sudo ls -al /dev/ | grep " kvm" 2>/dev/null || echo "No other KVM devices found in /dev/"
460439 echo ""
461440
462- echo "=== Complete Device Change Summary ==="
441+ echo "=== Device Change Detection Results ==="
463442 if [ -f /tmp/kvm_device_changes.log ]; then
464- echo "📊 Full inotify monitoring log :"
443+ echo "📊 inotify monitoring detected events :"
465444 cat /tmp/kvm_device_changes.log
466445 echo ""
467- echo "🔢 inotify Change statistics:"
446+ echo "🔢 inotify event statistics:"
468447 echo "Device creation events: $(grep -c "DEVICE CREATED" /tmp/kvm_device_changes.log 2>/dev/null || echo "0")"
469448 echo "Device removal events: $(grep -c "DEVICE REMOVED" /tmp/kvm_device_changes.log 2>/dev/null || echo "0")"
470449 echo "Permission/ownership changes: $(grep -c "CHANGE DETECTED" /tmp/kvm_device_changes.log 2>/dev/null || echo "0")"
@@ -474,44 +453,31 @@ jobs:
474453 echo ""
475454
476455 if [ -f /tmp/kvm_audit_changes.log ]; then
477- echo "📊 Full auditd monitoring log :"
456+ echo "📊 auditd monitoring detected events :"
478457 cat /tmp/kvm_audit_changes.log
479458 echo ""
480- echo "🔢 Auditd event statistics:"
459+ echo "🔢 auditd event statistics:"
481460 echo "Total KVM audit events: $(grep -c "AUDIT EVENT" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")"
482461 echo "Permission syscalls detected: $(grep -c "Permission/ownership syscall" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")"
483462 echo "KVM-related syscalls: $(grep -c "KVM-related syscall detected" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")"
484463 else
485464 echo "📝 No auditd monitoring log available"
486465 fi
487- - name : Setup auditd rules for KVM monitoring
488- if : runner.os == 'Linux'
489- run : |
490- echo "Setting up auditd rules for /dev/kvm monitoring..."
491-
492- # Ensure auditd is running
493- sudo systemctl start auditd || echo "Failed to start auditd, trying to continue..."
494-
495- # Add audit rules for KVM device monitoring
496- echo "Adding audit rules..."
497-
498- # Monitor file operations on /dev/kvm
499- sudo auditctl -w /dev/kvm -p rwxa -k hypervisor_kvm || echo "Failed to add /dev/kvm watch rule"
500-
501- # Monitor device creation/deletion in /dev/
502- sudo auditctl -w /dev/ -p wa -k device_changes || echo "Failed to add /dev/ watch rule"
503-
504- # Monitor permission/ownership change syscalls
505- sudo auditctl -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,fchownat,fchmodat -k permission_syscalls || echo "Failed to add permission syscalls rule"
506-
507- # Monitor udev-related processes
508- sudo auditctl -a always,exit -F comm=udevd -k device_changes || echo "Failed to add udevd monitoring rule"
509- sudo auditctl -a always,exit -F comm=systemd-udevd -k device_changes || echo "Failed to add systemd-udevd monitoring rule"
510-
511- # Show current audit rules
512- echo "Current audit rules:"
513- sudo auditctl -l || echo "Failed to list audit rules"
466+ echo ""
514467
515- # Check audit status
516- echo "Audit system status:"
517- sudo auditctl -s || echo "Failed to get audit status"
468+ echo "=== Change Analysis Summary ==="
469+ if [ -f /tmp/kvm_device_changes.log ] && grep -q "CHANGE DETECTED" /tmp/kvm_device_changes.log; then
470+ echo "⚠️ Device permissions or ownership changed during the job!"
471+ echo ""
472+ echo "Summary of changes:"
473+ grep -A 2 "CHANGE DETECTED" /tmp/kvm_device_changes.log || echo "Could not extract change summary"
474+ echo ""
475+ echo "Processes that may have caused changes:"
476+ grep -A 10 "Active processes:" /tmp/kvm_device_changes.log | head -20 || echo "No process information captured"
477+ echo ""
478+ echo "Recent audit events related to changes:"
479+ grep -A 10 "Recent audit events:" /tmp/kvm_device_changes.log | head -20 || echo "No audit events captured"
480+ else
481+ echo "✅ No device permission/ownership changes detected during job execution"
482+ fi
483+
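Review bot: The verdict in the new `=== Change Analysis Summary ===` block (new-side lines 469–482) is decided only by `CHANGE DETECTED` entries in /tmp/kvm_device_changes.log, so the `✅ No device permission/ownership changes detected` line is printed even when the auditd log dumped just above it contains `Permission/ownership syscall` events; in the removed failure-only step the auditd section was nested inside the change branch, and the consolidation drops that coupling. Assuming the audit monitor writes that marker (the statistics line already greps for it), widening the condition keeps the two logs in agreement: `if { [ -f /tmp/kvm_device_changes.log ] && grep -q "CHANGE DETECTED" /tmp/kvm_device_changes.log; } || { [ -f /tmp/kvm_audit_changes.log ] && grep -q "Permission/ownership syscall" /tmp/kvm_audit_changes.log; }; then`. A comment above the block such as `# Verdict considers both the inotify and the auditd logs` would make the intent explicit. The enclosing `run: |` step begins in the previous hunk.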