LAUREL is written in Rust. To build it, a reasonably recent Rust compiler (we currently use 1.48), `cargo`, and the `libacl` library and its header files (Debian: `libacl1-dev`, RedHat: `libacl-devel`) are required.

```
$ cargo build --release
$ sudo install -m755 target/release/laurel /usr/local/sbin/laurel
```

Static Linux/x86_64 binaries are built for tagged releases.
- Create a dedicated user, e.g.:
  ```
  $ sudo useradd --system --home-dir /var/log/laurel --create-home _laurel
  ```
- Configure LAUREL: Copy the provided annotated example to `/etc/laurel/config.toml` and customize it.
- Register LAUREL as an audisp plugin: Copy the provided example to `/etc/audisp/plugins.d/laurel.conf` or `/etc/audit/plugins.d/laurel.conf` (depending on your auditd version).
- If you are running SELinux, compile the provided policy and install it into the running kernel:
  ```
  $ make -C contrib/selinux
  $ sudo semodule -i contrib/selinux/laurel.pp
  $ sudo restorecon -v -R -F /usr/local/sbin/laurel /etc/laurel /var/log/laurel
  ```
- Tell auditd(8) to re-evaluate its configuration:
  ```
  $ sudo pkill -HUP auditd
  ```
For debugging and other testing purposes, LAUREL can be run without specifying any configuration file. In that mode it does not switch to the dedicated user, and it reads events from standard input just as it would when called from auditd. Log entries are written to `audit.log` in the current working directory.
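A post-install check for the steps above, added here as an example and not part of LAUREL itself: it verifies that the binary, the config file, a plugin file in one of the two candidate `plugins.d` directories, the log directory and the `_laurel` user are in place. The function names and the optional root-directory argument (so the check can be run against a staged tree) are assumptions of this example.

```sh
#!/bin/sh
# Post-install check for a LAUREL installation laid out as in the steps above.
# The optional first argument is a root prefix (default: the live system), which
# lets the check run against a staged directory tree. Function names and the
# root-prefix argument are assumptions of this example, not part of LAUREL.

# Print the plugin config path that exists under the root prefix. Newer auditd
# versions read /etc/audit/plugins.d, older audisp-based setups /etc/audisp/plugins.d.
# Returns 1 if neither location holds a laurel.conf.
laurel_plugin_conf() {
    root="${1:-}"; root="${root%/}"
    for d in /etc/audit/plugins.d /etc/audisp/plugins.d; do
        if [ -f "$root$d/laurel.conf" ]; then
            printf '%s\n' "$d/laurel.conf"
            return 0
        fi
    done
    return 1
}

# Check every piece the install steps put in place and report what is missing.
# Returns 0 when everything is present, 1 otherwise.
laurel_check_install() {
    root="${1:-}"; root="${root%/}"
    rc=0
    [ -x "$root/usr/local/sbin/laurel" ] \
        || { echo "missing or not executable: /usr/local/sbin/laurel"; rc=1; }
    [ -f "$root/etc/laurel/config.toml" ] \
        || { echo "missing config: /etc/laurel/config.toml"; rc=1; }
    laurel_plugin_conf "$root" >/dev/null \
        || { echo "no laurel.conf in /etc/audit/plugins.d or /etc/audisp/plugins.d"; rc=1; }
    [ -d "$root/var/log/laurel" ] \
        || { echo "missing log directory: /var/log/laurel"; rc=1; }
    # The user check only makes sense on the live system, not on a staged tree.
    if [ -z "$root" ]; then
        id _laurel >/dev/null 2>&1 || { echo "user _laurel does not exist"; rc=1; }
    fi
    return $rc
}
```

Run `laurel_check_install` with no argument on the target host after the `pkill -HUP auditd` step; a non-zero exit lists the pieces that are still missing.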