From: Guillem Jover <guillem@debian.org>
To: linux-audit@redhat.com
Subject: Adding audit support to dpkg
Date: Tue, 4 Aug 2020 00:50:49 +0200
Message-ID: <20200803225049.GA511687@thunder.hadrons.org>
Hi!
We got a request to add audit support to dpkg [R], and as initially
mentioned on the bug report it seems the AUDIT_SOFTWARE_UPDATE format
does not appear to be documented, so while looking into all this, I got
several questions.
[R] <https://bugs.debian.org/931748>
From the rpm implementation and auparse/normalize.c I gather that it
would contain the following fields, applied to dpkg:
* primary field would be "sw" which would contain something like
«"nginx_1.18.0-5_amd64"», I assume that the format differing from
the one in rpm is fine as that would be keyed on the next field?
* secondary field would be "sw_type" which would be «dpkg».
* field "op", which would contain entries different to rpm, such as
«unpack», «configure», «install», «remove», «purge», not sure if
that might be a problem?
* field "key_enforce", I take to denote whether a cryptographic
verification has been performed on the .deb archive? With values
«0» or «1». (This would depend on whether debsig-verify(1) has
been configured to be executed or not.)
* field "gpg_res", to denote whether the aforementioned verification
succeeded or not? With values «0» or «1». And while dpkg can indeed
use GnuPG to verify signatures from archives, the name feels too
implementation specific, perhaps it could be renamed so that it
would not be very confusing, in case someone implements a check
based on say x509 certificates?
* field "root_dir", to denote the installation root directory, which
would map to the dpkg --instdir value, with a value such as «"/"».
Anything else I might have missed or might be worth taking into
account while adding the support?
Thanks,
Guillem
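As an added illustration (not part of the mail, and not code from dpkg, rpm or audit-userspace) of how the fields listed above would be consumed on the defending side, here is a small Python parser for SOFTWARE_UPDATE records together with a check that picks out package operations that were not covered by a passing signature verification (key_enforce or gpg_res not equal to 1). It assumes the record envelope that audit_log_user_message() emits (type=SOFTWARE_UPDATE msg=audit(ts:serial): pid=... msg='...'); the log lines themselves are constructed for the example, with the dpkg values following the proposal in the mail.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not real logs) in the shape produced by
# audit_log_user_message() for AUDIT_SOFTWARE_UPDATE.  The rpm line mirrors
# the rpm plugin's fields; the dpkg lines use the values proposed in the mail.
SAMPLE_LOG = """\
type=SOFTWARE_UPDATE msg=audit(1596500000.101:4001): pid=2001 uid=0 auid=1000 ses=4 msg='op=install sw="nginx-1.18.0-5.fc32.x86_64" sw_type=rpm key_enforce=1 gpg_res=1 root_dir="/" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1596500001.202:4002): pid=2002 uid=0 auid=1000 ses=4 msg='op=unpack sw="nginx_1.18.0-5_amd64" sw_type=dpkg key_enforce=0 gpg_res=0 root_dir="/" exe="/usr/bin/dpkg" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1596500002.303:4003): pid=2003 uid=0 auid=1000 ses=4 msg='op=configure sw="nginx_1.18.0-5_amd64" sw_type=dpkg key_enforce=1 gpg_res=0 root_dir="/srv/chroot" exe="/usr/bin/dpkg" hostname=? addr=? terminal=pts/0 res=failed'
type=SYSCALL msg=audit(1596500003.404:4004): arch=c000003e syscall=59 success=yes exit=0
"""

# Outer envelope: record type, timestamp, serial number, then the rest of the line.
_ENVELOPE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value tokens; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}, dropping the quotes."""
    out: Dict[str, str] = {}
    for m in _KV.finditer(text):
        key, token, quoted = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else token
    return out


def parse_software_update(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line; return a flat dict for SOFTWARE_UPDATE records,
    None for any other record type or for lines that do not match the envelope."""
    m = _ENVELOPE.match(line)
    if not m or m.group("type") != "SOFTWARE_UPDATE":
        return None
    # Split the kernel-added fields (pid, uid, auid, ses, ...) from the
    # user-supplied part carried inside msg='...'.
    head, sep, inner = m.group("rest").partition("msg='")
    if not sep:
        return None
    inner = inner.rstrip().rstrip("'")
    rec = {"ts": m.group("ts"), "serial": m.group("serial")}
    rec.update(parse_kv(head))
    rec.update(parse_kv(inner))
    return rec


def unverified_operations(log: str) -> List[Dict[str, str]]:
    """Return SOFTWARE_UPDATE records whose package was handled without an
    enforced and successful signature check (key_enforce != 1 or gpg_res != 1).
    A missing field is treated as not verified, so a tool that omits the
    field is surfaced rather than silently trusted."""
    findings = []
    for line in log.splitlines():
        rec = parse_software_update(line)
        if rec is None:
            continue
        if rec.get("key_enforce") != "1" or rec.get("gpg_res") != "1":
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in unverified_operations(SAMPLE_LOG):
        print(f"serial={rec['serial']} {rec['sw_type']} {rec['op']} "
              f"{rec['sw']} root_dir={rec['root_dir']} "
              f"key_enforce={rec['key_enforce']} gpg_res={rec['gpg_res']}")
```

The check keys on sw_type only for reporting, not for parsing, which is the point raised in the mail: as long as each packaging tool fills the same field names, a consumer does not need to know that dpkg's sw string looks different from rpm's. The key_enforce/gpg_res pair is what a reviewer of such logs would watch, since a 0 in either means the package operation was not backed by a passed signature check.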