LAUREL is written in Rust. To build it, a reasonably recent Rust compiler is required; we currently use 1.56 for development. Also:

- `cargo`
- `clang`
- the `libacl` library and its header files (Debian: `libacl1-dev`, RedHat: `libacl-devel`, Alpine: `acl-dev`)
Build binary, install:

```
$ cargo build --release
$ sudo install -m755 target/release/laurel /usr/local/sbin/laurel
```
For tagged releases, two types of binaries are created:
- a statically-linked, musl-libc version, built on Alpine 3.16,
- a dynamically-linked version based on an older version of GNU libc, built on CentOS 7.
The static build lacks the ability to perform user and group lookups using the nsswitch facility used on GNU-libc-based systems; it should therefore be avoided on systems where user/group databases other than the local `/etc/passwd` and `/etc/group` files are used (cf. issue #84).

The provided binaries are built using Github's CI mechanism. See `.github/workflows/` for details.
Extract binary, install:

```
$ tar xzf laurel-$FLAVOR.tar.gz laurel
$ sudo install -m755 laurel /usr/local/sbin/laurel
```
- Create a dedicated user, e.g.:

  ```
  $ sudo useradd --system --home-dir /var/log/laurel --create-home _laurel
  ```

- Configure LAUREL: Copy the provided annotated example to `/etc/laurel/config.toml` and customize it.
- Register LAUREL as an auditd plugin: Depending on your auditd version, copy the provided example to
  - `/etc/audit/plugins.d/laurel.conf` for auditd 3
  - `/etc/audisp/plugins.d/laurel.conf` for auditd 2
- If you are running SELinux, compile the provided policy and install it into the running kernel:

  ```
  $ make -C contrib/selinux
  $ sudo semodule -i contrib/selinux/laurel.pp
  $ sudo restorecon -v -R -F /usr/local/sbin/laurel /etc/laurel /var/log/laurel /etc/audit/plugins.d/laurel.conf
  ```

- Tell auditd(8) to re-evaluate its configuration:

  ```
  $ sudo pkill -HUP auditd
  ```

- Check that LAUREL is running. On systemd-enabled systems, the LAUREL binary should be part of the control group corresponding to the auditd service:

  ```
  $ sudo systemctl status auditd.service
  […]
     CGroup: /system.slice/auditd.service
             ├─ 277780 /sbin/auditd
             └─1113756 /usr/local/sbin/laurel --config /etc/laurel/config.toml
  […]
  ```
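A post-install check that walks the steps above (plugin config path by auditd version, binary and config in place, laurel process inside auditd's control group), added here as an example; it is not part of the LAUREL project. Paths are the ones from the steps above; the `auditctl version X.Y.Z` output format and the `systemctl status` layout are assumptions.

```shell
#!/bin/sh
# Post-install sanity check for a LAUREL auditd plugin setup (added example,
# not LAUREL's own code). Assumes `auditctl -v` prints "auditctl version X.Y.Z"
# and that `systemctl status` ends the CGroup tree with a blank line.

# Map an auditd version to the plugin config path the steps above prescribe:
# auditd 3 reads /etc/audit/plugins.d, auditd 2 reads /etc/audisp/plugins.d.
plugin_conf_path() {
    case "${1%%.*}" in
        3) echo /etc/audit/plugins.d/laurel.conf ;;
        2) echo /etc/audisp/plugins.d/laurel.conf ;;
        *) return 1 ;;
    esac
}

# Read `systemctl status auditd.service` output on stdin; succeed only if a
# laurel process is listed in the CGroup tree. Journal lines that merely
# mention laurel further down (after the blank line) do not count.
laurel_in_auditd_cgroup() {
    awk '
        /CGroup:/                   { in_tree = 1; next }
        in_tree && /^[[:space:]]*$/ { in_tree = 0 }
        in_tree && /laurel/         { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of what a healthy system prints (not real output).
SAMPLE_STATUS='auditd.service - Security Auditing Service
   CGroup: /system.slice/auditd.service
           ├─ 277780 /sbin/auditd
           └─1113756 /usr/local/sbin/laurel --config /etc/laurel/config.toml

Jan 01 00:00:00 host laurel[1113756]: started'

# Full check against the live system; stops at the first problem found.
check_install() {
    ver=$(auditctl -v 2>/dev/null | awk '{ print $NF }')
    conf=$(plugin_conf_path "$ver") || { echo "unsupported auditd version '$ver'"; return 1; }
    [ -r "$conf" ]                  || { echo "missing plugin config $conf"; return 1; }
    [ -x /usr/local/sbin/laurel ]   || { echo "missing /usr/local/sbin/laurel"; return 1; }
    [ -r /etc/laurel/config.toml ]  || { echo "missing /etc/laurel/config.toml"; return 1; }
    systemctl status auditd.service 2>/dev/null | laurel_in_auditd_cgroup \
        || { echo "no laurel process in auditd's cgroup"; return 1; }
    echo "LAUREL looks correctly installed (auditd $ver, plugin config $conf)"
}

# Run the live check only when invoked with --check; otherwise the helpers can be sourced.
if [ "${1-}" = "--check" ]; then check_install; fi
```

Run it as root with `--check` on the target host; it exits non-zero and names the first missing piece.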
For debugging and other testing purposes, LAUREL can be run without specifying any configuration file. It will then not change users, and it reads events from standard input, just as it would when called from auditd. Log entries are written to `audit.log` in the current working directory.