This is a small utility to translate Audit AVC logs into a YAML file of puppet facts that can be queried via the puppet dashboard or via an orchestration tool (like MCO).
Requires the following packages to be installed:
- audit-libs-python
- PyYAML
When run with --help:
usage: audit-avc-facter.py [-h] [--factfile FACTFILE] [--logfile LOGFILE] [--sleep SLEEP] [--quiet] Find AVCs since last policy load and record as facter facts optional arguments: -h, --help show this help message and exit --factfile FACTFILE where to write the resulting yaml (/etc/puppetlabs/facter/facts.d/avcs.yaml) --logfile LOGFILE log things into this logfile (/var/log/audit-avc- facter.log) --sleep SLEEP randomly sleep up to this many seconds --quiet only output critical errors
Example cron invocation:
/usr/local/bin/audit-avc-facter.py \ --factfile /etc/puppetlabs/facter/facts.d/avcs.yaml \ --quiet --sleep 300
You will probably be running this from cron, so we add a --sleep parameter to help make sure not all VMs on your hypervisor are parsing their audit.log at the same time, plus suppress output with --quiet.
A single toplevel entry called 'avcs':
--- avcs: - some_misbehaving_domain_t self:tcp_socket { connect create getattr setopt } - some_misbehaving_domain_t net_conf_t:file { getattr open read } - some_misbehaving_domain_t unreserved_port_t:tcp_socket { name_connect } - some_misbehaving_domain_t admin_home_t:file { ioctl open read } - some_misbehaving_domain_t http_cache_port_t:tcp_socket { name_connect }