From ebb520d1c905cda098c648e51e9b55f8d72c29c5 Mon Sep 17 00:00:00 2001
From: Hilko Bengen
Date: Mon, 16 Dec 2024 11:28:01 +0100
Subject: [PATCH] Fix Github workflows
- no longer build SELinux policies for CentOS7, Amazon Linux 2
- install pandoc from the "Rocky Powertools" repo
- remove defunct build-container-image, corresponding README entry
---
.github/workflows/build.yml | 5 ++-
.github/workflows/release.yml | 84 +----------------------------------
.github/workflows/selinux.yml | 44 ------------------
README.md | 8 ----
4 files changed, 6 insertions(+), 135 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index be55bc9..4d1943d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -218,8 +218,10 @@ jobs:
 steps:
 - name: Prepare
 run: |
+ dnf install 'dnf-command(config-manager)'
+ dnf config-manager --enable powertools
 dnf -q -y update
- dnf -q -y install gcc file libacl-devel clang
+ dnf -q -y install gcc file libacl-devel clang make pandoc
 - name: Install Rust toolchain (stable)
 uses: actions-rs/toolchain@v1
 with:
@@ -229,6 +231,7 @@ jobs:
 - name: Build
 run: |
 cargo build --release
+ make -C man
 - uses: actions/upload-artifact@v3
 with:
 name: laurel-x86_64-gnu-old
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d5874ce..781425a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -77,6 +77,8 @@ jobs:
 steps:
 - name: Prepare
 run: |
+ dnf install 'dnf-command(config-manager)'
+ dnf config-manager --enable powertools
 dnf -q -y update
 dnf -q -y install gcc file libacl-devel clang make pandoc
 - name: Install Rust toolchain (stable)
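Review bot: The new `dnf install 'dnf-command(config-manager)'` line in the Prepare step of build.yml (hunk @@ -218,8 +218,10 @@) is the only dnf call in the step without `-y`; if the plugin is not already present in the container image, dnf waits for confirmation, reads EOF from the non-interactive stdin and aborts, so the step fails before the repo is enabled. Make it consistent with the surrounding lines, `dnf -q -y install 'dnf-command(config-manager)'`. The identical line is added to the Prepare step in .github/workflows/release.yml (hunk @@ -77,6 +77,8 @@) and needs the same fix. The repo name `powertools` is specific to EL8-family images; the job's `container:` line is outside the hunk, so it is worth confirming the job does not target an EL9 image, where the equivalent repo is named `crb`.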
@@ -110,85 +112,3 @@ jobs:
 asset_path: laurel.tar.gz
 asset_name: laurel-${{ needs.prep.outputs.git_version }}-x86_64-glibc.tar.gz
 asset_content_type: application/tar
-
- build-container-image:
- needs: build-musl
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- # This is used to complete the identity challenge
- # with sigstore/fulcio when running outside of PRs.
- id-token: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Download a Build Artifact
- uses: actions/download-artifact@v2.1.1
- with:
- name: laurel
- path: .
-
- # use tar to keep permissions
- - name: Unpack Build Artifact
- run: tar -xzf laurel.tar.gz
-
- - name: Edit configuration
- run: |
- sed -e 's#^input = .*#input = "unix:/var/run/audispd_events"#' etc/laurel/config.toml
-
- # Install the cosign tool except on PR
- # https://github.com/sigstore/cosign-installer
- - name: Install cosign
- if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@v2
-
- # Workaround: https://github.com/docker/build-push-action/issues/461
- - name: Setup Docker buildx
- uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
-
- # Login against a Docker registry except on PR
- # https://github.com/docker/login-action
- - name: Log into registry ${{ env.REGISTRY }}
- if: github.event_name != 'pull_request'
- uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- # Extract metadata (tags, labels) for Docker
- # https://github.com/docker/metadata-action
- - name: Extract Docker metadata
- id: meta
- uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- # Build and push Docker image with Buildx (don't push on PR)
- # https://github.com/docker/build-push-action
- - name: Build and push Docker image
- id:
build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/selinux.yml b/.github/workflows/selinux.yml index ae15874..6d8e96a 100644 --- a/.github/workflows/selinux.yml +++ b/.github/workflows/selinux.yml @@ -9,30 +9,6 @@ on: - .github/workflows/selinux.yml jobs: - build-el7: - env: - ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16 - ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true - runs-on: ubuntu-latest - container: centos:7 - steps: - - name: Prepare - run: | - sed -i \ - -e 's,^# *baseurl=http://mirror.centos.org/centos/,baseurl=https://vault.centos.org/centos/,g' \ - -e 's,^mirrorlist=http://mirrorlist.centos.org,#&1,' \ - /etc/yum.repos.d/*.repo - yum install -y selinux-policy-devel - - uses: actions/checkout@v2 - - name: Build - run: | - make -C contrib/selinux AUDITD_VERSIONS=2 - - name: Archive policy - uses: actions/upload-artifact@v3 - with: - name: selinux-el7 - path: contrib/selinux/laurel.pp - build-el8: runs-on: ubuntu-latest container: rockylinux:8 
@@ -67,26 +43,6 @@ jobs: name: selinux-el9 path: contrib/selinux/laurel.pp - build-al2: - env: - ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16 - ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true - runs-on: ubuntu-latest - container: amazonlinux:2 - steps: - - name: Prepare - run: | - yum install -y selinux-policy-devel findutils tar - - uses: actions/checkout@v2 - - name: Build - run: | - make -C contrib/selinux AUDITD_VERSIONS=2 - - name: Archive policy - uses: actions/upload-artifact@v3 - with: - name: selinux-al2 - path: contrib/selinux/laurel.pp - build-al2023: runs-on: ubuntu-latest container: amazonlinux:2023 diff --git a/README.md b/README.md index 3181784..8d7f632 100644 --- a/README.md +++ b/README.md 
@@ -31,14 +31,6 @@ The [_LAUREL_ installation instructions](INSTALL.md) contain instructions on how We developed _LAUREL_ because we were not content with feature sets and performance characteristics of existing projects and products. Please refer to the [Performance](performance.md) document for details. -## Container Image - -From v0.5.2 on laurel is able to connect to a socket for forwarded auditd messages and can be executed in a container this way. A basic container image is published in this repository to `ghcr.io/threathunters-io/laurel` with tags `latest` and the respective version tag. - -The provided container image build includes default labels via docker buildx from the pipeline. These labels are not included in the provided Dockerfile but are considered good practice. If you use a custom build with another tooling, consider adding the default labels to the Dockerfile. - -The provided container image contains the default configuration, with one modification: Laurel connects to `/var/run/audispd_events` (the default path specified for the `builtin_af_unix` _auditd(8)_ plug-in. The plug-in needs to be enabled and the socket must be accessible from within the container. The rest of the configuration file should be customized as needed before deploying. - ## See also - [ansible-auditd-laurel](https://github.com/certeu/ansible-auditd-laurel/), an Ansible role to deploy _auditd_ + _laurel_, by @0xFustang / CERT-EU