LAUREL installation instructions

Either build from source…

LAUREL is written in Rust. Building it requires a reasonably recent Rust compiler; we currently use 1.56 for development. Also required:

  • cargo
  • clang
  • the libacl library and its header files (Debian: libacl1-dev, RedHat: libacl-devel, Alpine: acl-dev)

Build binary, install:

$ cargo build --release
$ sudo install -m755 target/release/laurel /usr/local/sbin/laurel

…or use one of the provided binaries

For tagged releases, two types of binaries are created:

  • a statically-linked, musl-libc version, built on Alpine 3.16,
  • a dynamically-linked version based on an older version of GNU libc, built on CentOS 7.

The static build cannot perform user and group lookups through the nsswitch facility used on GNU-libc-based systems; it should therefore be avoided on systems that use user/group databases other than the local /etc/passwd and /etc/group files (cf. issue #84).

The provided binaries are built using GitHub's CI mechanism. See .github/workflows/ for details.

Extract binary, install:

$ tar xzf laurel-$FLAVOR.tar.gz laurel
$ sudo install -m755 laurel /usr/local/sbin/laurel

Set up auditd to use LAUREL and configure LAUREL itself

  • Create a dedicated user, e.g.:
    $ sudo useradd --system --home-dir /var/log/laurel --create-home _laurel
  • Configure LAUREL: Copy the provided annotated example to /etc/laurel/config.toml and customize it.
  • Register LAUREL as an auditd plugin: Depending on your auditd version, copy the provided example to
    • /etc/audit/plugins.d/laurel.conf for auditd 3
    • /etc/audisp/plugins.d/laurel.conf for auditd 2
  • If you are running SELinux, compile the provided policy and install it into the running kernel:
    $ make -C contrib/selinux
    $ sudo semodule -i contrib/selinux/laurel.pp
    $ sudo restorecon -v -R -F /usr/local/sbin/laurel /etc/laurel /var/log/laurel
  • Tell auditd(8) to re-evaluate its configuration:
    $ sudo pkill -HUP auditd
  • Check that LAUREL is running. On systemd-enabled systems, the LAUREL binary should be part of the control group corresponding to the auditd service:
    $ sudo systemctl status auditd.service
    […]
         CGroup: /system.slice/auditd.service
                 ├─ 277780 /sbin/auditd
                 └─1113756 /usr/local/sbin/laurel --config /etc/laurel/config.toml
    […]
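The following script checks the result of the steps above: that the dedicated user and config exist, that the plugin file registered with auditd is active and points at the installed binary with the right config, and that a laurel process lives in the auditd.service control group. It is an added example, not part of the LAUREL project; it assumes the paths and user name used in these instructions and the standard auditd plugin keys (active, path, args).

```bash
#!/bin/bash
# Added post-install check script for LAUREL (not part of the project).
# Assumed values come from the instructions above: binary, config and user name.
LAUREL_BIN="${LAUREL_BIN:-/usr/local/sbin/laurel}"
LAUREL_CONF="${LAUREL_CONF:-/etc/laurel/config.toml}"
LAUREL_USER="${LAUREL_USER:-_laurel}"

# Extract one "key = value" setting from auditd plugin file text ($1) for key ($2).
plugin_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n1
}

# Validate plugin file text: the plugin must be active, point at the installed
# binary and hand LAUREL its config file. Returns 0 when all checks pass, 1 otherwise.
check_plugin_text() {
  local text="$1" ok=0
  [ "$(plugin_value "$text" active)" = "yes" ] || { echo "plugin not active"; ok=1; }
  [ "$(plugin_value "$text" path)" = "$LAUREL_BIN" ] || { echo "path is not $LAUREL_BIN"; ok=1; }
  case "$(plugin_value "$text" args)" in
    *"$LAUREL_CONF"*) ;;
    *) echo "args do not reference $LAUREL_CONF"; ok=1 ;;
  esac
  return $ok
}

# Report whether /proc/<pid>/cgroup text ($1) places a process under auditd.service,
# which is what the systemctl output above shows for a correctly registered plugin.
cgroup_is_auditd() {
  printf '%s\n' "$1" | grep -q '/auditd\.service'
}

# Live checks against the running system (reading auditd's children's cgroup files
# generally needs root).
check_installation() {
  local conf pid
  id "$LAUREL_USER" >/dev/null 2>&1 || { echo "user $LAUREL_USER missing"; return 1; }
  [ -r "$LAUREL_CONF" ] || { echo "$LAUREL_CONF missing or unreadable"; return 1; }
  for conf in /etc/audit/plugins.d/laurel.conf /etc/audisp/plugins.d/laurel.conf; do
    [ -f "$conf" ] && break   # auditd 3 location first, then auditd 2
  done
  [ -f "$conf" ] || { echo "no laurel.conf plugin file found"; return 1; }
  check_plugin_text "$(cat "$conf")" || return 1
  for pid in $(pgrep -x laurel); do
    cgroup_is_auditd "$(cat /proc/"$pid"/cgroup)" &&
      { echo "laurel ($pid) runs under auditd.service"; return 0; }
  done
  echo "no laurel process found under auditd.service"; return 1
}
```

Run `check_installation` as root after sending auditd the HUP signal; a non-zero exit names the first check that failed.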

Test, Debug

For debugging and other testing purposes, LAUREL can be run without specifying any configuration file. It will then not switch to a different user, and it reads events from standard input, just as it does when invoked by auditd. Log entries are written to audit.log in the current working directory.