DDS: Linux Audit Logs Updates #20345

Open
wants to merge 3 commits into
base: master
Conversation

Contributor

@tirthrajchaudhari-crest tirthrajchaudhari-crest commented May 21, 2025

What does this PR do?

  • Added support for SYSCALL logs
  • Updated the pipeline
  • Added system calls dashboard
  • Updated the README to include setup steps for audit rules

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

Contributor

@rtrieu rtrieu left a comment

Thank you for contributing to our docs! I've left some feedback, mainly to comply with our style guide.

@@ -79,6 +80,25 @@ For Linux, run:
sudo systemctl restart auditd
```

### Setup Audit Rules (Optional)

1. Create/Edit the Audit Rules File
Contributor

Suggested change
1. Create/Edit the Audit Rules File
1. Create or edit the Audit Rules file:

@@ -79,6 +80,25 @@ For Linux, run:
sudo systemctl restart auditd
```

### Setup Audit Rules (Optional)
Contributor

Suggested change
### Setup Audit Rules (Optional)
### Set up Audit Rules (optional)

sudo nano /etc/audit/rules.d/audit.rules
```

2. Configure the audit rules based on your requirements. For reference, check out [audit rulesets][9].
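Review bot: step 2 sends readers to external rulesets without showing a single rule that would exercise the SYSCALL support this PR adds; one example line such as `-a always,exit -F arch=b64 -S execve -k exec_audit` placed in /etc/audit/rules.d/audit.rules would let a reader confirm that SYSCALL records reach the pipeline before adopting a full ruleset. Also, `sudo nano` hard-codes an editor; "open /etc/audit/rules.d/audit.rules in your editor" reads better and avoids assuming nano is installed.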
Contributor

Suggested change
2. Configure the audit rules based on your requirements. For reference, check out [audit rulesets][9].
2. Configure the audit rules based on your requirements. For reference, see [audit rulesets][9].


2. Configure the audit rules based on your requirements. For reference, check out [audit rulesets][9].

3. Reload Audit Rules
Contributor

Suggested change
3. Reload Audit Rules
3. Reload Audit Rules:

sudo augenrules --load
```

4. Verify Loaded Rules
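Review bot: the reload step should say what `augenrules --load` actually does: it merges every file under /etc/audit/rules.d/ into /etc/audit/audit.rules and then loads the result, so any rules a reader adds directly to /etc/audit/audit.rules are overwritten on the next reload. Since step 1 edits a file under rules.d, a one-sentence note here (or at step 1) saves readers from losing hand-edited rules.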
Contributor

Suggested change
4. Verify Loaded Rules
4. Verify loaded rules:

buraizu previously approved these changes May 21, 2025
Contributor

@buraizu buraizu left a comment

Approving with one minor update requested for screen-reader accessibility, as well as some additional suggestions for consistency with casing and punctuation.

@@ -79,6 +80,25 @@ For Linux, run:
sudo systemctl restart auditd
```

### Setup Audit Rules (Optional)

1. Create/Edit the Audit Rules File
Contributor

Suggested change
1. Create/Edit the Audit Rules File
1. Create or Edit the audit rules file.


2. Configure the audit rules based on your requirements. For reference, check out [audit rulesets][9].

3. Reload Audit Rules
Contributor

Suggested change
3. Reload Audit Rules
3. Reload audit rules.

sudo augenrules --load
```

4. Verify Loaded Rules
Contributor

Suggested change
4. Verify Loaded Rules
4. Verify loaded rules.


3. Reload Audit Rules
```shell
sudo augenrules --load
Contributor

Just want to confirm that augenrules is the correct spelling.

Contributor Author

Yes, it's the correct spelling.

@temporal-github-worker-1 temporal-github-worker-1 bot dismissed buraizu’s stale review May 22, 2025 05:32

Review from buraizu is dismissed. Related teams and files:

  • documentation
    • linux_audit_logs/README.md
@tirthrajchaudhari-crest
Contributor Author

Hey @rtrieu @buraizu, both changes look good, but for now we are proceeding with using a colon after the setup step statements.
