This repository has been archived by the owner on Aug 1, 2023. It is now read-only.

raudit

License: GPL-3.0-or-later. Maintenance status: as-is.

A configurable audit program for firejail-sandboxes with metrics.

faudit was the default audit program for firejail (in firejail 0.9.66 it was replaced by jailcheck). It is a good way to get an impression of the gaps in a firejail profile. However, it cannot be configured: all checks are hardcoded. raudit tries to fix this.

Project history

raudit started as a configurable, more flexible alternative to faudit. Nowadays it is a rootless alternative to jailcheck.

Build and Install

Install Rust and get the source code (e.g. git clone https://github.com/rusty-snake/raudit.git && cd raudit). Afterwards you can build raudit using cargo build --release --features=color-backtrace, strip the binary if you want (strip target/release/raudit) and install it with:

PREFIX=/usr/local
sudo install -Dm0755 target/release/raudit $PREFIX/libexec/raudit
sudo install -Dm0644 -t $PREFIX/share/raudit share/*.rules

Optionally you can build and install the man-page too.

make -C man man
sudo install -Dm0644 man/raudit.7.gz $PREFIX/share/man/man7/raudit.7.gz

Example

The command below opens the raudit binary on file descriptor 3 and feeds the rules file on stdin, so raudit itself runs inside the sandbox that firejail builds from the firefox profile and reports what that sandbox can still reach:

$ firejail --profile=firefox /proc/self/fd/3 </usr/local/share/raudit/default.rules 3</usr/local/libexec/raudit
Reading profile /etc/firejail/firefox.profile
[...]
GREAT: The capability bounding set is empty.
GREAT: no_new_privs is set, the sandbox can not acquire new privileges using execve.
Check write access to "Initialization files that allow arbitrary command execution" from disable-common.inc
GOOD: The sandbox cannot write to /home/rusty-snake/.caffrc.
GOOD: The sandbox cannot write to /home/rusty-snake/.cargo/env.
GOOD: The sandbox cannot write to /home/rusty-snake/.dotfiles.
[...]
GOOD: The sandbox cannot write to /home/rusty-snake/_vimrc.
GOOD: The sandbox cannot write to /home/rusty-snake/dotfiles.
Check read access to "top secret" from disable-common.inc
GOOD: The sandbox cannot read /home/rusty-snake/.Private because it does not exist.
GOOD: The sandbox cannot read /home/rusty-snake/.caff because it does not exist.
GOOD: The sandbox cannot read /home/rusty-snake/.cargo/credentials because it does not exist.
[...]
GOOD: The sandbox cannot read /home/aurora/.nyx because it does not exist.
UGLY: The sandbox can read /home/rusty-snake/.pki.
UGLY: The sandbox can read /home/rusty-snake/.local/share/pki.
GOOD: The sandbox cannot read /home/rusty-snake/.smbcredentials because it does not exist.
GOOD: The sandbox cannot read /home/rusty-snake/.ssh because it does not exist.
[...]
GOOD: The sandbox cannot read /etc/shadow-.
GOOD: The sandbox cannot read /etc/ssh.
[...]
Your score: 77 out of 79.

Parent is shutting down, bye...
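A minimal sketch of the read and write checks behind the GOOD/UGLY lines above, as an added example that is not raudit's code. The rules format it reads (one "r <path>" or "w <path>" per line) is an assumption for this illustration, not raudit's actual .rules format.

```shell
#!/bin/sh
# Added illustration of the kind of check raudit performs; not raudit's code.
# Assumed rules format (an assumption, not raudit's real format): one rule per
# line, "r <path>" for a read check or "w <path>" for a write check.

# Read check: a missing or unreadable path is GOOD, a readable one is UGLY.
# test -r calls access(2), so it sees firejail's blacklist/read-only mounts.
check_read() {
    if [ ! -e "$1" ]; then
        printf 'GOOD: The sandbox cannot read %s because it does not exist.\n' "$1"
    elif [ -r "$1" ]; then
        printf 'UGLY: The sandbox can read %s.\n' "$1"
        return 1
    else
        printf 'GOOD: The sandbox cannot read %s.\n' "$1"
    fi
}

# Write check: writable is UGLY, anything else (missing, read-only) is GOOD.
check_write() {
    if [ -w "$1" ]; then
        printf 'UGLY: The sandbox can write to %s.\n' "$1"
        return 1
    else
        printf 'GOOD: The sandbox cannot write to %s.\n' "$1"
    fi
}

# Run every rule from stdin, count passes and print a raudit-style score line.
audit_rules() {
    passed=0
    total=0
    while read -r mode path; do
        case "$mode" in
            r) total=$((total + 1)); if check_read "$path"; then passed=$((passed + 1)); fi ;;
            w) total=$((total + 1)); if check_write "$path"; then passed=$((passed + 1)); fi ;;
            ''|'#'*) ;;  # skip blank lines and comments
            *) printf 'WARN: unknown rule "%s %s"\n' "$mode" "$path" >&2 ;;
        esac
    done
    printf 'Your score: %d out of %d.\n' "$passed" "$total"
}

# Example run: feed rules on stdin, as the README invocation does for raudit.
# printf 'r /etc/shadow\nw /etc/ssh\n' | audit_rules
```

Run it the same way the README runs raudit (opened on a spare file descriptor, rules on stdin) and the GOOD/UGLY lines reflect the sandbox's view of the filesystem rather than the host's.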