Merge pull request #77 from Achiefs/76-fix-audit-c7

Fix Audit module in CentOS 7

.github/workflows/system-tests-workflow.yml

@@ -47,8 +47,8 @@ jobs:
       - run: echo "Job's status is ${{ job.status }}."
 
 
-  audit-system-tests-unix:
-    runs-on: self-hosted
+  audit-system-tests-ubuntu18:
+    runs-on: [self-hosted, ubuntu18]
 
     steps:
       - name: Check out repository code, branch='${{ github.ref }}'
@@ -110,4 +110,70 @@ jobs:
         if: always()
         run: sudo pkill fim || true
 
+      - run: echo "Job's status is ${{ job.status }}."
+
+
+  audit-system-tests-centos7:
+    runs-on: [self-hosted, centos7]
+
+    steps:
+      - name: Check out repository code, branch='${{ github.ref }}'
+        uses: actions/checkout@v2
+
+      - name: Build FIM
+        run: /home/okynos/.cargo/bin/cargo build --release
+
+      - name: Change configuration
+        run: sed -i 's|/tmp|/tmp/test|g' config/linux/config.yml
+
+      - name: Copy FIM binary to main folder
+        run: cp ./target/release/fim ./
+
+      - name: Create required directories
+        run: mkdir -p /tmp/test
+
+      - name: Create events file and folder
+        run: sudo mkdir -p /var/lib/fim/ && sudo touch /var/lib/fim/events.json && sudo chown -R okynos:okynos /var/lib/fim
+
+      - name: Create log file and folder
+        run: sudo mkdir -p /var/log/fim/ && sudo touch /var/log/fim/fim.log && sudo chown -R okynos:okynos /var/log/fim
+
+      - name: Start FIM process
+        run: sudo ./fim &
+
+      - name: Launch test suite
+        run: sudo python3 -m pytest test/system/audit.py -v
+
+      - name: Print config file
+        if: always()
+        run: cat ${{ github.workspace }}/config/linux/config.yml || true
+
+      - name: Print log file
+        if: always()
+        run: cat /var/log/fim/fim.log || true
+
+      - name: Clean temporal folder
+        if: always()
+        run: sudo rm -rf /tmp/test
+
+      - name: Clean log folder
+        if: always()
+        run: sudo rm -rf /var/log/fim/
+
+      - name: Clean lib folder
+        if: always()
+        run: sudo rm -rf /var/lib/fim/
+
+      - name: Clean workspace
+        if: always()
+        run: sudo rm -rf ${{ github.workspace }}/test/system/__pycache__/ ${{ github.workspace }}/test/system/.pytest_cache ${{ github.workspace }}/.pytest_cache
+
+      - name: Clean test output
+        if: always()
+        run: sudo rm -rf ${{ github.workspace }}/test_*
+
+      - name: Stop FIM process
+        if: always()
+        run: sudo pkill fim || true
+
       - run: echo "Job's status is ${{ job.status }}."

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fim"
-version = "0.4.1"
+version = "0.4.2"
 authors = ["José Fernández <´[email protected]´>"]
 edition = "2021"
 

pkg/deb/debian/changelog

@@ -1,3 +1,9 @@
+fim (0.4.2-1) bionic; urgency=medium
+
+  * More info: https://github.com/Achiefs/fim/releases/tag/v0.4.2
+
+ -- Jose Fernandez <[email protected]>  Tue, 13 Dec 2022 19:16:00 +0000
+
 fim (0.4.1-1) bionic; urgency=medium
 
   * More info: https://github.com/Achiefs/fim/releases/tag/v0.4.1

pkg/fim.1

@@ -19,7 +19,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH fim 1 "01 Jun 2022" "FIM 0.4.1" "FIM Manual"
+.TH fim 1 "01 Jun 2022" "FIM 0.4.2" "FIM Manual"
 
 .SH NAME
 .B FIM

pkg/msi/fim.wxs

@@ -2,7 +2,7 @@
 <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
     <Product Name='File Integrity Monitor' Manufacturer='Achiefs LLC.' Id='*'
         UpgradeCode='5b9136b1-f19d-4af0-9efe-356fabdf1467'
-        Language='1033' Codepage='1252' Version='0.4.1'>
+        Language='1033' Codepage='1252' Version='0.4.2'>
         <Package Id='*' Keywords='Installer'
             Description="FIM is a Host-based file monitoring tool that performs file system analysis and real time alerting."
             Comments='FIM is an open source application, coded in Rust.'

pkg/rpm/fim.spec

@@ -99,6 +99,9 @@ rm -fr %{buildroot}
 # -----------------------------------------------------------------------------
 
 %changelog
+* Tue Dec 13 2022 support <[email protected]> - 0.4.2
+- More info: https://github.com/Achiefs/fim/releases/tag/v0.4.2
+
 * Tue Oct 25 2022 support <[email protected]> - 0.4.1
 - More info: https://github.com/Achiefs/fim/releases/tag/v0.4.1
 

src/auditevent.rs

@@ -146,7 +146,7 @@ impl Event {
             node: config.node,
             version: String::from(config::VERSION),
             labels,
-            operation: path["nametype"].clone(),
+            operation: utils::get_field(path.clone(), "nametype"),
             path: utils::clean_path(&event_path),
             file: utils::get_filename_path(path["name"].clone().as_str()),
             checksum: hash::get_checksum(format!("{}/{}",
@@ -401,7 +401,7 @@ fn get_field(map: HashMap<String, String>,field: &str) -> String {
 
 pub fn get_parent(paths: Vec<HashMap<String, String>>, cwd: &str, config: config::Config) -> HashMap<String, String> {
     match paths.iter().find(|p|{
-        p["nametype"] == "PARENT" &&
+        utils::get_field((*p).clone(), "nametype") == "PARENT" &&
         config.path_in(p["name"].as_str(), cwd, config.audit.clone())
     }){
         Some(p) => p.clone(),
@@ -413,8 +413,8 @@ pub fn get_parent(paths: Vec<HashMap<String, String>>, cwd: &str, config: config
 
 pub fn get_item_path(paths: Vec<HashMap<String, String>>, cwd: &str, config: config::Config) -> HashMap<String, String> {
     match paths.iter().rfind(|p|{
-        p["nametype"] != "PARENT" &&
-        p["nametype"] != "UNKNOWN" &&
+        utils::get_field((*p).clone(), "nametype") != "PARENT" &&
+        utils::get_field((*p).clone(), "nametype") != "UNKNOWN" &&
         config.path_in(p["name"].as_str(), cwd, config.audit.clone())
     }){
         Some(p) => p.clone(),

src/config.rs

@@ -1,7 +1,7 @@
 // Copyright (C) 2021, Achiefs.
 
 // Global constants definitions
-pub const VERSION: &str = "0.4.1";
+pub const VERSION: &str = "0.4.2";
 pub const NETWORK_MODE: &str = "NETWORK";
 pub const FILE_MODE: &str = "FILE";
 pub const BOTH_MODE: &str = "BOTH";

src/utils.rs

@@ -18,6 +18,8 @@ use std::path::{Path, PathBuf};
 use std::process::Command;
 // To log the program process
 use log::{warn, error, debug};
+// To manage maps
+use std::collections::HashMap;
 
 // ----------------------------------------------------------------------------
 
@@ -194,6 +196,28 @@ pub fn get_current_dir() -> String {
 
 // ----------------------------------------------------------------------------
 
+pub fn get_field(data: HashMap<String, String>, field_name: &str) -> String {
+    let alternative = match field_name {
+        "nametype" => "objtype",
+        _ => field_name
+    };
+    match data.get(field_name) {
+        Some(value) => String::from(value),
+        None => {
+            debug!("Could not fetch field name trying alternative");
+            match data.get(alternative) {
+                Some(alt) => String::from(alt),
+                None => {
+                    debug!("Could not fetch alternative. Using default");
+                    String::from("UNKNOWN")
+                }
+            }
+        }
+    }
+}
+
+// ----------------------------------------------------------------------------
+
 #[cfg(test)]
 mod tests {
     use super::*;

test/system/audit.py

@@ -12,6 +12,7 @@
 test_folder = '/tmp/test/test_folder'
 test_link = test_file + '.link'
 system = platform.system()
+release = platform.release()
 
 def get_last_event():
     time.sleep(0.1)
@@ -60,7 +61,10 @@ def test_file_create(self):
         open(test_file, 'w').close()
         data = json.loads(get_last_event())
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"
 
     # -------------------------------------------------------------------------
 
@@ -71,7 +75,10 @@ def test_file_write(self):
         w.close()
         data = json.loads(get_last_event())
         assert data['operation'] == "NORMAL"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"
 
     # -------------------------------------------------------------------------
 
@@ -128,7 +135,10 @@ def test_file_bash_symlink(self):
             stdout=subprocess.PIPE).communicate()
         data = json.loads(get_last_event())
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "266"
+        if "el7" in release:
+            assert data['syscall'] == "88"
+        else:
+            assert data['syscall'] == "266"
 
     # -------------------------------------------------------------------------
 
@@ -183,7 +193,10 @@ def test_false_move(self):
         subprocess.Popen(["mv", test_file, test_file],
             stdout=subprocess.PIPE).communicate()
         data = json.loads(get_last_event())
-        assert data['syscall'] == "316"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "316"
 
     # -------------------------------------------------------------------------
 
@@ -237,7 +250,10 @@ def test_bash_echo(self):
             shell=True, stdout=subprocess.PIPE).communicate()
         data = json.loads(get_last_event())
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"
 
     # -------------------------------------------------------------------------
 
@@ -248,7 +264,10 @@ def test_bash_sed(self):
             stdout=subprocess.PIPE).communicate()
         data = json.loads(get_event(0))
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"
 
         data = json.loads(get_last_event())
         assert data['operation'] == "CREATE"
@@ -261,7 +280,10 @@ def test_bash_touch(self):
             stdout=subprocess.PIPE).communicate()
         data = json.loads(get_last_event())
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"
 
     # -------------------------------------------------------------------------
 
@@ -423,7 +445,10 @@ def test_bash_copy(self):
         data = json.loads(get_last_event())
         remove(filename)
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"
 
     # -------------------------------------------------------------------------
 
@@ -458,7 +483,10 @@ def test_folder_bash_symlink(self):
         data = json.loads(get_last_event())
         remove(folder)
         assert data['operation'] == "CREATE"
-        assert data['syscall'] == "266"
+        if "el7" in release:
+            assert data['syscall'] == "88"
+        else:
+            assert data['syscall'] == "266"
 
     # -------------------------------------------------------------------------
 
@@ -468,4 +496,7 @@ def test_bash_append(self):
             shell=True, stdout=subprocess.PIPE).communicate()
         data = json.loads(get_last_event())
         assert data['operation'] == "NORMAL"
-        assert data['syscall'] == "257"
+        if "el7" in release:
+            assert data['syscall'] == "2"
+        else:
+            assert data['syscall'] == "257"