This repository was archived by the owner on Aug 1, 2023. It is now read-only.
A configurable audit program for firejail-sandboxes with metrics

License

NotificationsYou must be signed in to change notification settings

rusty-snake/raudit

Repository files navigation

License: GPL-3.0-or-later. Maintenance status: as-is.

faudit was the default audit program for firejail (in firejail 0.9.66 it was replaced by jailcheck). It is a good way to get an impression of the gaps in a firejail profile. However, it cannot be configured; all checks are hardcoded. raudit tries to fix this.

Project history

raudit started as a configurable alternative to faudit, with the goal of being more flexible. Nowadays it is a rootless alternative to jailcheck.

Build and Install

Install Rust and get the source code (e.g. `git clone https://github.com/rusty-snake/raudit.git && cd raudit`). Afterwards you can build raudit using `cargo build --release --features=color-backtrace`, strip the binary if you want (`strip target/release/raudit`) and install it by

```sh
PREFIX=/usr/local
sudo install -Dm0755 target/release/raudit $PREFIX/libexec/raudit
sudo install -Dm0644 -t $PREFIX/share/raudit share/*.rules
```

Optionally you can build and install the man-page too.

```sh
make -C man man
sudo install -Dm0644 man/raudit.7.gz $PREFIX/share/man/man7/raudit.7.gz
```

Example

The rules file is passed on stdin and the raudit binary on file descriptor 3, so raudit runs inside the sandbox as `/proc/self/fd/3` without either file having to be visible in the sandboxed filesystem:

```
$ firejail --profile=firefox /proc/self/fd/3 </usr/local/share/raudit/default.rules 3</usr/local/libexec/raudit
Reading profile /etc/firejail/firefox.profile
[...]
GREAT: The capability bounding set is empty.
GREAT: no_new_privs is set, the sandbox can not acquire new privileges using execve.
Check write access to "Initialization files that allow arbitrary command execution" from disable-common.inc
GOOD: The sandbox cannot write to /home/rusty-snake/.caffrc.
GOOD: The sandbox cannot write to /home/rusty-snake/.cargo/env.
GOOD: The sandbox cannot write to /home/rusty-snake/.dotfiles.
[...]
GOOD: The sandbox cannot write to /home/rusty-snake/_vimrc.
GOOD: The sandbox cannot write to /home/rusty-snake/dotfiles.
Check read access to "top secret" from disable-common.inc
GOOD: The sandbox cannot read /home/rusty-snake/.Private because it does not exist.
GOOD: The sandbox cannot read /home/rusty-snake/.caff because it does not exist.
GOOD: The sandbox cannot read /home/rusty-snake/.cargo/credentials because it does not exist.
[...]
GOOD: The sandbox cannot read /home/aurora/.nyx because it does not exist.
UGLY: The sandbox can read /home/rusty-snake/.pki.
UGLY: The sandbox can read /home/rusty-snake/.local/share/pki.
GOOD: The sandbox cannot read /home/rusty-snake/.smbcredentials because it does not exist.
GOOD: The sandbox cannot read /home/rusty-snake/.ssh because it does not exist.
[...]
GOOD: The sandbox cannot read /etc/shadow-.
GOOD: The sandbox cannot read /etc/ssh.
[...]
Your score: 77 out of 79.
Parent is shutting down, bye...
```
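As an added example (not code from the raudit project), a POSIX shell wrapper that runs the invocation above for a given profile and turns raudit's output into a pass/fail gate: it counts GREAT/GOOD/UGLY verdicts, echoes the UGLY findings, and parses the `Your score: X out of Y.` line. The install paths are assumed from the instructions above, and the sample output it is checked against is constructed, not a real run.

```shell
#!/bin/sh
# Added example, not part of raudit. Paths assumed from the install steps.
RAUDIT_RULES="${RAUDIT_RULES:-/usr/local/share/raudit/default.rules}"
RAUDIT_BIN="${RAUDIT_BIN:-/usr/local/libexec/raudit}"

# Run raudit inside the sandbox of PROFILE, same fd trick as the README:
# rules on stdin, binary on fd 3, executed as /proc/self/fd/3.
run_raudit() {
    firejail --profile="$1" /proc/self/fd/3 <"$RAUDIT_RULES" 3<"$RAUDIT_BIN"
}

# Read raudit output on stdin; print UGLY findings to stderr and
# "<ugly> <good> <great> <score> <max>" to stdout.
summarize() {
    awk '
        /^UGLY: /       { ugly++; ugly_lines = ugly_lines $0 "\n" }
        /^GOOD: /       { good++ }
        /^GREAT: /      { great++ }
        /^Your score: / { score = $3; max = $6; sub(/\.$/, "", max) }
        END {
            printf "%s", ugly_lines > "/dev/stderr"
            printf "%d %d %d %d %d\n", ugly, good, great, score, max
        }'
}

# Gate: return 0 only if the parsed score is at least MIN (first argument).
# Usage: run_raudit firefox | check_score 79
check_score() {
    min="$1"
    set -- $(summarize)
    echo "score $4/$5 with $1 UGLY finding(s)"
    [ "$4" -ge "$min" ]
}

# Constructed sample in the shape of the README output (not a real run).
SAMPLE='Reading profile /etc/firejail/firefox.profile
GREAT: The capability bounding set is empty.
GOOD: The sandbox cannot write to /home/user/.bashrc.
UGLY: The sandbox can read /home/user/.pki.
UGLY: The sandbox can read /home/user/.local/share/pki.
Your score: 77 out of 79.
Parent is shutting down, bye...'
```

Pipe a real run through `check_score` in CI to fail a build when a profile change lets the sandbox reach more than the baseline allows.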
