add auditd to see what is changign the ownership

simongdavies · simongdavies · commit 213f7b64d02c · 2025-06-10T13:09:03.000+01:00
Signed-off-by: Simon Davies &lt;simongdavies@users.noreply.github.com&gt;
diff --git a/.github/workflows/dep_rust.yml b/.github/workflows/dep_rust.yml
@@ -49,6 +49,31 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      # Set up auditd monitoring for /dev/kvm permission changes
+      - name: Setup auditd monitoring for hypervisor devices
+        if: runner.os == 'Linux'
+        run: |
+          echo "Setting up auditd monitoring for hypervisor devices..."
+          # Install auditd if not present
+          if ! command -v auditctl &> /dev/null; then
+            if command -v dnf &> /dev/null; then
+              sudo dnf install -y audit
+            elif command -v apt &> /dev/null; then
+              sudo apt update && sudo apt install -y auditd
+            fi
+          fi
+          
+          # Start auditd service
+          sudo systemctl start auditd || sudo service auditd start || echo "Failed to start auditd, continuing..."
+          
+          # Add audit rules for /dev/kvm and /dev/mshv
+          sudo auditctl -w /dev/kvm -p wa -k hypervisor_kvm || echo "Failed to add KVM audit rule"
+          sudo auditctl -w /dev/mshv -p wa -k hypervisor_mshv || echo "Failed to add MSHV audit rule"
+          
+          # List current audit rules
+          echo "Current audit rules:"
+          sudo auditctl -l || echo "Failed to list audit rules"
+
       # For rust-fmt 
       - name: Set up nightly rust 
         uses: dtolnay/rust-toolchain@nightly
@@ -204,3 +229,22 @@ jobs:
           echo ""
           echo "CPU virtualization features:"
           grep -E "(vmx|svm)" /proc/cpuinfo | head -5 || echo "No CPU virtualization features found"
+          echo ""
+          echo "=== Auditd Log Analysis ==="
+          echo "Hypervisor device audit events (KVM):"
+          sudo ausearch -k hypervisor_kvm -ts today 2>/dev/null || echo "No KVM audit events found or ausearch failed"
+          echo ""
+          echo "Hypervisor device audit events (MSHV):"
+          sudo ausearch -k hypervisor_mshv -ts today 2>/dev/null || echo "No MSHV audit events found or ausearch failed"
+          echo ""
+          echo "Recent audit log entries (last 50 lines):"
+          sudo tail -50 /var/log/audit/audit.log 2>/dev/null || echo "Unable to read audit log"
+          echo ""
+          echo "File access audit events for /dev/kvm:"
+          sudo ausearch -f /dev/kvm -ts today 2>/dev/null || echo "No /dev/kvm access events found"
+          echo ""
+          echo "File access audit events for /dev/mshv:"
+          sudo ausearch -f /dev/mshv -ts today 2>/dev/null || echo "No /dev/mshv access events found"
+          echo ""
+          echo "Permission change events:"
+          sudo ausearch -sc chmod,fchmod,chown,fchown,lchown -ts today 2>/dev/null | grep -E "(kvm|mshv)" || echo "No permission change events for hypervisor devices found"
