6969        run : | 
7070          echo "Starting continuous /dev/kvm monitoring with inotify..." 
7171           
72+           # Set up audit rules for /dev/kvm monitoring 
73+           echo "Setting up audit rules for /dev/kvm monitoring..." 
74+            
75+           # Add audit rules to monitor /dev/kvm access and changes 
76+           sudo auditctl -w /dev/kvm -p rwxa -k hypervisor_kvm || echo "Failed to add /dev/kvm watch rule" 
77+            
78+           # Add audit rules for device file operations (using syscall monitoring) 
79+           sudo auditctl -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F path=/dev/kvm -k device_changes || echo "Failed to add chmod audit rule" 
80+           sudo auditctl -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F path=/dev/kvm -k device_changes || echo "Failed to add chown audit rule" 
81+            
82+           # Add audit rules for permission-related syscalls that might affect device access 
83+           sudo auditctl -a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid -k permission_syscalls || echo "Failed to add permission syscalls audit rule" 
84+            
85+           # Add audit rules for file operations on the /dev directory that might affect kvm 
86+           sudo auditctl -w /dev/ -p wa -k device_changes || echo "Failed to add /dev/ directory watch rule" 
87+            
88+           # Verify audit rules were added 
89+           echo "Current audit rules:" 
90+           sudo auditctl -l | grep -E "(kvm|device_changes|permission_syscalls|hypervisor_kvm)" || echo "No relevant audit rules found" 
91+            
7292          # Create monitoring script using inotify 
7393          cat > /tmp/monitor_kvm_device.sh << 'EOF' 
7494          #!/bin/bash 
@@ -149,6 +169,23 @@ jobs:
149169           
150170          echo "$(date): Starting inotify monitoring on /dev/" >> "$LOGFILE" 
151171           
172+           # Test inotify functionality first 
173+           echo "$(date): Testing inotify functionality..." >> "$LOGFILE" 
174+           timeout 2 inotifywait -e create,delete /tmp/ & 
175+           INOTIFY_TEST_PID=$! 
176+           touch /tmp/inotify_test_$$ 
177+           rm /tmp/inotify_test_$$ 2>/dev/null 
178+           wait $INOTIFY_TEST_PID 2>/dev/null 
179+           if [ $? -eq 0 ]; then 
180+             echo "$(date): inotify test successful" >> "$LOGFILE" 
181+           else 
182+             echo "$(date): WARNING: inotify test failed - events may not be detected" >> "$LOGFILE" 
183+           fi 
184+            
185+           # Check current /dev filesystem type and mount options 
186+           echo "$(date): /dev filesystem info:" >> "$LOGFILE" 
187+           mount | grep "/dev " >> "$LOGFILE" 2>/dev/null || echo "Could not get /dev mount info" >> "$LOGFILE" 
188+            
152189          # Monitor the /dev directory for KVM device changes 
153190          # We monitor /dev because /dev/kvm might not exist initially 
154191          inotifywait -m -e create,delete,modify,attrib,moved_to,moved_from /dev/ 2>/dev/null | while read path action file; do 
@@ -163,14 +200,32 @@ jobs:
163200          # Also monitor /dev/kvm directly if it exists 
164201          if [ -e /dev/kvm ]; then 
165202            echo "$(date): Also monitoring /dev/kvm directly" >> "$LOGFILE" 
166-             inotifywait -m -e modify,attrib,access /dev/kvm 2>/dev/null | while read path action file; do 
203+             # Use more comprehensive event monitoring for device files 
204+             inotifywait -m -e modify,attrib,access,open,close_write,close_nowrite /dev/kvm 2>/dev/null | while read path action file; do 
167205              echo "$(date): Direct inotify event on /dev/kvm: $action" >> "$LOGFILE" 
168206              handle_change "direct_kvm_$action" 
169207            done & 
170208            KVM_MONITOR_PID=$! 
171209            echo "$(date): Started direct /dev/kvm monitor with PID: $KVM_MONITOR_PID" >> "$LOGFILE" 
172210          fi 
173211           
212+           # Add periodic validation alongside inotify (in case inotify misses changes) 
213+           while true; do 
214+             sleep 15  # Check every 15 seconds 
215+             if [ -e /dev/kvm ]; then 
216+               current_check=$(ls -la /dev/kvm 2>/dev/null) 
217+               if [ -f "$BASELINE_FILE" ]; then 
218+                 baseline_check=$(cat "$BASELINE_FILE" 2>/dev/null) 
219+                 if [ "$current_check" != "$baseline_check" ] && [ "$baseline_check" != "NO_DEVICE" ]; then 
220+                   echo "$(date): PERIODIC CHECK: Change detected that inotify may have missed!" >> "$LOGFILE" 
221+                   handle_change "periodic_validation" 
222+                 fi 
223+               fi 
224+             fi 
225+           done & 
226+           PERIODIC_CHECK_PID=$! 
227+           echo "$(date): Started periodic validation with PID: $PERIODIC_CHECK_PID" >> "$LOGFILE" 
228+            
174229          # Periodic check to ensure monitor processes are still running 
175230          while true; do 
176231            sleep 30 
@@ -199,9 +254,17 @@ jobs:
199254              kill $MAIN_PID 2>/dev/null || echo "Main process already terminated" 
200255            fi 
201256             
202-             # Kill any remaining inotifywait processes 
257+             if [ -f /tmp/audit_kvm_monitor.pid ]; then 
258+               AUDIT_PID=$(cat /tmp/audit_kvm_monitor.pid) 
259+               echo "Terminating audit monitor process: $AUDIT_PID" 
260+               kill $AUDIT_PID 2>/dev/null || echo "Audit process already terminated" 
261+             fi 
262+              
263+             # Kill any remaining monitoring processes 
203264            pkill -f "inotifywait.*kvm" 2>/dev/null || echo "No inotifywait processes to clean up" 
204265            pkill -f "monitor_kvm_device" 2>/dev/null || echo "No monitor script processes to clean up" 
266+             pkill -f "audit_kvm_monitor" 2>/dev/null || echo "No audit monitor processes to clean up" 
267+             pkill -f "ausearch.*hypervisor_kvm" 2>/dev/null || echo "No ausearch processes to clean up" 
205268             
206269            echo "Monitor cleanup completed" 
207270          } 
@@ -213,7 +276,10 @@ jobs:
213276          sleep 3 
214277           
215278          echo "Monitor status:" 
216-           ps aux | grep "monitor_kvm_device\|inotifywait" | grep -v grep || echo "Monitor process not found" 
279+           ps aux | grep "monitor_kvm_device\|inotifywait\|audit_kvm_monitor\|ausearch" | grep -v grep || echo "Monitor processes not found" 
280+           echo "" 
281+           echo "Monitoring log files:" 
282+           ls -la /tmp/kvm_device_changes.log /tmp/kvm_audit_changes.log 2>/dev/null || echo "Log files not yet created" 
217283
218284name : clippy 
219285        run : | 
@@ -345,6 +411,19 @@ jobs:
345411            echo "" 
346412            echo "Recent audit events related to changes:" 
347413            grep -A 10 "Recent audit events:" /tmp/kvm_device_changes.log | head -20 || echo "No audit events captured" 
414+             echo "" 
415+             echo "=== Auditd KVM Events ===" 
416+             if [ -f /tmp/kvm_audit_changes.log ]; then 
417+               echo "🔍 KVM-related audit events detected:" 
418+               cat /tmp/kvm_audit_changes.log 
419+               echo "" 
420+               echo "📊 Audit event statistics:" 
421+               echo "Total KVM audit events: $(grep -c "AUDIT EVENT" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")" 
422+               echo "Permission syscalls detected: $(grep -c "Permission/ownership syscall" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")" 
423+               echo "KVM-related syscalls: $(grep -c "KVM-related syscall detected" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")" 
424+             else 
425+               echo "📝 No auditd events captured" 
426+             fi 
348427          else 
349428            echo "✅ No device permission/ownership changes detected during job execution" 
350429          fi 
@@ -365,6 +444,14 @@ jobs:
365444            sleep 2 
366445          fi 
367446           
447+           # Stop the audit monitoring process if still running 
448+           if [ -f /tmp/audit_kvm_monitor.pid ]; then 
449+             AUDIT_PID=$(cat /tmp/audit_kvm_monitor.pid) 
450+             echo "Stopping audit monitor process (PID: $AUDIT_PID)..." 
451+             kill $AUDIT_PID 2>/dev/null || echo "Audit monitor process already stopped" 
452+             sleep 2 
453+           fi 
454+            
368455          echo "KVM device listing:" 
369456          sudo ls -al /dev/kvm 2>/dev/null || echo "❌ /dev/kvm device not found or not accessible" 
370457          echo "" 
@@ -374,13 +461,57 @@ jobs:
374461           
375462          echo "=== Complete Device Change Summary ===" 
376463          if [ -f /tmp/kvm_device_changes.log ]; then 
377-             echo "📊 Full monitoring log:" 
464+             echo "📊 Full inotify  monitoring log:" 
378465            cat /tmp/kvm_device_changes.log 
379466            echo "" 
380-             echo "🔢 Change statistics:" 
467+             echo "🔢 inotify  Change statistics:" 
381468            echo "Device creation events: $(grep -c "DEVICE CREATED" /tmp/kvm_device_changes.log 2>/dev/null || echo "0")" 
382469            echo "Device removal events: $(grep -c "DEVICE REMOVED" /tmp/kvm_device_changes.log 2>/dev/null || echo "0")" 
383470            echo "Permission/ownership changes: $(grep -c "CHANGE DETECTED" /tmp/kvm_device_changes.log 2>/dev/null || echo "0")" 
384471          else 
385-             echo "📝 No monitoring log available" 
472+             echo "📝 No inotify monitoring log available" 
473+           fi 
474+           echo "" 
475+            
476+           if [ -f /tmp/kvm_audit_changes.log ]; then 
477+             echo "📊 Full auditd monitoring log:" 
478+             cat /tmp/kvm_audit_changes.log 
479+             echo "" 
480+             echo "🔢 Auditd event statistics:" 
481+             echo "Total KVM audit events: $(grep -c "AUDIT EVENT" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")" 
482+             echo "Permission syscalls detected: $(grep -c "Permission/ownership syscall" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")" 
483+             echo "KVM-related syscalls: $(grep -c "KVM-related syscall detected" /tmp/kvm_audit_changes.log 2>/dev/null || echo "0")" 
484+           else 
485+             echo "📝 No auditd monitoring log available" 
386486          fi 
487+ name : Setup auditd rules for KVM monitoring 
488+         if : runner.os == 'Linux' 
489+         run : | 
490+           echo "Setting up auditd rules for /dev/kvm monitoring..." 
491+            
492+           # Ensure auditd is running 
493+           sudo systemctl start auditd || echo "Failed to start auditd, trying to continue..." 
494+            
495+           # Add audit rules for KVM device monitoring 
496+           echo "Adding audit rules..." 
497+            
498+           # Monitor file operations on /dev/kvm 
499+           sudo auditctl -w /dev/kvm -p rwxa -k hypervisor_kvm || echo "Failed to add /dev/kvm watch rule" 
500+            
501+           # Monitor device creation/deletion in /dev/ 
502+           sudo auditctl -w /dev/ -p wa -k device_changes || echo "Failed to add /dev/ watch rule" 
503+            
504+           # Monitor permission/ownership change syscalls 
505+           sudo auditctl -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,fchownat,fchmodat -k permission_syscalls || echo "Failed to add permission syscalls rule" 
506+            
507+           # Monitor udev-related processes 
508+           sudo auditctl -a always,exit -F comm=udevd -k device_changes || echo "Failed to add udevd monitoring rule" 
509+           sudo auditctl -a always,exit -F comm=systemd-udevd -k device_changes || echo "Failed to add systemd-udevd monitoring rule" 
510+            
511+           # Show current audit rules 
512+           echo "Current audit rules:" 
513+           sudo auditctl -l || echo "Failed to list audit rules" 
514+            
515+           # Check audit status 
516+           echo "Audit system status:" 
517+           sudo auditctl -s || echo "Failed to get audit status" 
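Review bot: The rules added at lines 499–509 of this step are broad enough to flood the kernel audit backlog and drown the /dev/kvm events the step exists to capture: `-w /dev/ -p wa` audits every write-open of any node under /dev (as far as I can tell that includes each `2>/dev/null` redirection in this workflow), the chmod/chown rule has no path filter, and the two `-F comm=` rules carry no `-S` list so they record every syscall of udevd. When the backlog limit is exceeded the kernel drops events, so the events of interest can be lost silently while the log grows. Scope the syscall rule as the earlier hunk already does, `sudo auditctl -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,fchownat,fchmodat -F path=/dev/kvm -k permission_syscalls`, either drop the udevd rules or give them an explicit `-S mknod,mknodat,chmod,chown` list, and raise the backlog with `sudo auditctl -b 8192` before adding rules. Note also that the `-w /dev/kvm` and `-w /dev/` watches repeat the ones added at lines 76 and 86 of the monitoring step; auditctl refuses an identical rule ("Rule exists"), so here that failure is hidden by the `|| echo` fallback. This step is appended after the summary step, so if it runs in that position the rules are installed only after the job has finished — worth confirming against the full workflow.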