Monitoring AppArmor and Seccomp audit events from a log file

.github/scripts/toolchain.sh

@@ -4,4 +4,4 @@ wget https://apt.llvm.org/llvm.sh -O /tmp/llvm.sh
 chmod +x /tmp/llvm.sh
 sudo /tmp/llvm.sh 17
 sudo ln -s $(which llvm-strip-17) /usr/local/bin/llvm-strip
-sudo apt -y install libapparmor-dev libseccomp-dev libsystemd-dev
+sudo apt -y install libapparmor-dev libseccomp-dev

README.ja.md

@@ -4,7 +4,7 @@
         <img src="docs/img/logo-dark.svg" alt="Logo" width="400">
     </picture>
 </div>
-<br>
+<br />
 
 ![BHArsenalUSA2024](docs/img/BlackHat-Arsenal-USA-2024.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor)
@@ -42,8 +42,8 @@ vArmorは、ByteDanceのエンドポイントセキュリティ部門の**Elkeid
 
 |エンフォーサー|要件|推奨|
 |------------|--------------------------------------------|--------|
-|AppArmor    |1. Linux Kernel 4.15以上<br>2. AppArmor LSMが有効化されていること|GKE with Container-Optimized OS<br>AKS with Ubuntu 22.04 LTS<br>[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0<br>Debian 10以上<br>Ubuntu 18.04.0 LTS以上<br>[veLinux 1.0](https://www.volcengine.com/docs/6396/74967)など|
-|BPF         |1. Linux Kernel 5.10以上 (x86_64)<br>2. containerd v1.6.0以上<br>3. BPF LSMが有効化されていること|EKS with Amazon Linux 2<br>GKE with Container-Optimized OS<br>[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0 (with 5.10 kernel)<br>AKS with Ubuntu 22.04 LTS <sup>\*</sup><br>ACK with Alibaba Cloud Linux 3 <sup>\*</sup><br>OpenSUSE 15.4 <sup>\*</sup><br>Debian 11 <sup>\*</sup><br>Fedora 37 <br>[veLinux 1.0 with 5.10 kernel](https://www.volcengine.com/docs/6396/74967)など<br><br>* *BPF LSMの手動有効化が必要です*|
+|AppArmor    |1. Linux Kernel 4.15以上<br />2. AppArmor LSMが有効化されていること|GKE with Container-Optimized OS<br />AKS with Ubuntu 22.04 LTS<br />[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0<br />Debian 10以上<br />Ubuntu 18.04.0 LTS以上<br />[veLinux 1.0](https://www.volcengine.com/docs/6396/74967)など|
+|BPF         |1. Linux Kernel 5.10以上 (x86_64)<br />2. containerd v1.6.0以上<br />3. BPF LSMが有効化されていること|EKS with Amazon Linux 2<br />GKE with Container-Optimized OS<br />[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0 (with 5.10 kernel)<br />AKS with Ubuntu 22.04 LTS <sup>\*</sup><br />ACK with Alibaba Cloud Linux 3 <sup>\*</sup><br />OpenSUSE 15.4 <sup>\*</sup><br />Debian 11 <sup>\*</sup><br />Fedora 37 <br />[veLinux 1.0 with 5.10 kernel](https://www.volcengine.com/docs/6396/74967)など<br /><br />* *BPF LSMの手動有効化が必要です*|
 |Seccomp     |1. Kubernetes v1.19以上|すべてのLinuxディストリビューション|
 
 ## ポリシーモードと組み込みルール
@@ -123,7 +123,7 @@ vArmorは、eBPFプログラムを管理および操作するために[cilium/eb
 vArmorは、[Nirmata](https://nirmata.com/)によって開発された[kyverno](https://github.com/kyverno/kyverno)の一部のコードを参照しています。
 
 ## デモ
-以下は、vArmorを使用してDeploymentを強化し、CVE-2021-22555に対抗するデモンストレーションです。（エクスプロイトは[cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)から変更されています）<br>
+以下は、vArmorを使用してDeploymentを強化し、CVE-2021-22555に対抗するデモンストレーションです。（エクスプロイトは[cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)から変更されています）<br />
 ![image](test/demos/CVE-2021-22555/demo.gif)
 
 ## 404Starlink

README.md

@@ -4,7 +4,7 @@
         <img src="docs/img/logo-dark.svg" alt="Logo" width="400">
     </picture>
 </div>
-<br>
+<br />
 
 ![BHArsenalUSA2024](docs/img/BlackHat-Arsenal-USA-2024.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor)
@@ -74,7 +74,7 @@ vArmor references part of the code of [kyverno](https://github.com/kyverno/kyver
 
 
 ## Demo
-Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))<br>
+Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))<br />
 ![image](test/demos/CVE-2021-22555/demo.gif)
 
 

README.zh_CN.md

@@ -4,7 +4,7 @@
         <img src="docs/img/logo-dark.svg" alt="Logo" width="400">
     </picture>
 </div>
-<br>
+<br />
 
 ![BHArsenalUSA2024](docs/img/BlackHat-Arsenal-USA-2024.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor)
@@ -74,7 +74,7 @@ vArmor 在研发初期参考了 [Nirmata](https://nirmata.com/) 开发的 [kyver
 
 
 ## 演示
-下面是一个使用 vArmor 对 Deployment 进行加固，防御 CVE-2021-22555 攻击的演示（Exploit 修改自 [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)）。<br>
+下面是一个使用 vArmor 对 Deployment 进行加固，防御 CVE-2021-22555 攻击的演示（Exploit 修改自 [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)）。<br />
 ![image](test/demos/CVE-2021-22555/demo.zh_CN.gif)
 
 

cmd/varmor/Dockerfile

@@ -56,7 +56,7 @@ COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.go
 COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.o /varmor/pkg/lsm/bpfenforcer
 
 RUN apt-get update
-RUN apt-get install -y libseccomp2 libseccomp-dev libsystemd-dev
+RUN apt-get install -y libseccomp2 libseccomp-dev
 RUN export GOOS=$(echo ${TARGETPLATFORM} | cut -d / -f1) && \
     export GOARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2)
 RUN go env

cmd/varmor/main.go

@@ -64,6 +64,7 @@ var (
 	webhookMatchLabel        string
 	bpfExclusiveMode         bool
 	statusUpdateCycle        time.Duration
+	auditLogPaths            string
 	setupLog                 = log.Log.WithName("SETUP")
 )
 
@@ -86,6 +87,7 @@ func main() {
 	flag.StringVar(&webhookMatchLabel, "webhookMatchLabel", "sandbox.varmor.org/enable=true", "Configure the matchLabel of webhook configuration, the valid format is key=value or nil")
 	flag.BoolVar(&bpfExclusiveMode, "bpfExclusiveMode", false, "Set this flag to enable exclusive mode for the BPF enforcer. It will disable the AppArmor confinement when using the BPF enforcer.")
 	flag.DurationVar(&statusUpdateCycle, "statusUpdateCycle", time.Hour*2, "Configure the status update cycle for VarmorPolicy and ArmorProfile")
+	flag.StringVar(&auditLogPaths, "auditLogPaths", "/var/log/audit/audit.log|/var/log/kern.log", "Configure the file search list to select the audit log file and read the AppArmor and Seccomp audit events. Please use a vertical bar to separate the file paths, the first valid file will be used to track the audit events.")
 	flag.Parse()
 
 	// Set the webhook matchLabels configuration.
@@ -157,6 +159,7 @@ func main() {
 			managerIP,
 			config.StatusServicePort,
 			config.ClassifierServicePort,
+			auditLogPaths,
 			stopCh,
 			log.Log.WithName("AGENT"),
 		)

config/manifest/agent.yaml

@@ -52,11 +52,6 @@ spec:
           name: seccomp-dir
         - mountPath: /var/log
           name: var-log-dir
-        - mountPath: /run/log
-          name: run-log-dir
-        - mountPath: /etc/machine-id
-          name: machine-id
-          readOnly: true
         - mountPath: /var/run/secrets/tokens
           name: bound-token
         readinessProbe:
@@ -82,10 +77,6 @@ spec:
           path: /run/containerd
           type: Directory
         name: containerd
-      - hostPath:
-          path: /proc
-          type: Directory
-        name: procfs
       - hostPath:
           path: /var/run/varmor/audit
           type: DirectoryOrCreate
@@ -106,14 +97,6 @@ spec:
           path: /var/log
           type: Directory
         name: var-log-dir
-      - hostPath:
-          path: /run/log
-          type: Directory
-        name: run-log-dir
-      - hostPath:
-          path: /etc/machine-id
-          type: File
-        name: machine-id
       - projected:
           sources:
           - serviceAccountToken: