
audit: adjust OSPP file activity rules for session users#1782

Merged
brianmcgillion merged 1 commit into tiiuae:main from everton-dematos:pr_audit-ospp
Feb 26, 2026

Conversation

@everton-dematos
Contributor

Description of Changes

This PR fixes OSPP file activity auditing coverage for session users in Ghaf VMs.

  • Updates OSPP create, modification, and delete audit rules to use auid!=unset instead of auid>=1000.
  • Ensures file activity events from logged-in users with non-standard UIDs (for example ghaf, UID 901) are captured.
  • Keeps other OSPP rule groups unchanged (for example access, permission-change, ownership-change) to limit noise increase.
  • Adds openat2 coverage to OSPP create rules so newer create syscalls are also audited.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

https://jira.tii.ae/browse/SSRCSP-8000
https://jira.tii.ae/browse/SSRCSP-6940

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Enable audit and OSPP rules
    1.1. Enable the audit option, security.audit.enable = true;, under ghaf/modules/reference/profiles/mvp-user-trial.nix
    1.2. Enable OSPP rules by setting default = true under ghaf/modules/common/security/audit/default.nix (inside 'enableOspp = mkOption')
  2. Build the image, flash and boot
  3. SSH to chrome-vm (or any vm)
  4. Create a new file touch /tmp/testfile.txt
  5. Grafana should show logs for the creation/modification/deletion of a file:
[Screenshot from 2026-02-24 15-15-34: Grafana showing the file creation/modification/deletion audit events]

Signed-off-by: Everton de Matos <everton.dematos@tii.ae>
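The auid filter change described in the PR above, as an added example that is not code from this PR or from the Ghaf project: a small Python matcher that evaluates constructed OSPP-style audit rule lines against sample syscall exit events, to show which events the `auid>=1000` form and the `auid!=unset` form each capture. The rule lines, the helper names and the `touch` flag value are assumptions for illustration; the ghaf UID 901 comes from the PR description, and 4294967295 is the value auditd uses for an unset login UID.

```python
import re

# auditd stores an unset loginuid (a process with no login session: daemons,
# boot-time services) as (uid_t)-1, i.e. 4294967295, and the kernel filter
# compares auid as an unsigned value.  That is why the upstream OSPP rules pair
# auid>=1000 with auid!=unset: alone, auid>=1000 also matches unset processes.
AUID_UNSET = 4294967295
UID_GHAF = 901        # session user from the PR description
UID_REGULAR = 1000    # a conventional first regular user

# Constructed rule lines in the style of the upstream OSPP rule set.  These are
# assumptions for illustration, not the rules shipped by Ghaf.
RULE_BEFORE = ("-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at "
               "-F a2&0100 -F exit=0 -F auid>=1000 -F key=create")
RULE_AFTER = ("-a always,exit -F arch=b64 -S creat,open,openat,openat2,open_by_handle_at "
              "-F a2&0100 -F exit=0 -F auid!=unset -F key=create")

# Flags `touch` passes to openat(2): O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK (assumed).
TOUCH_FLAGS = 0o1 | 0o100 | 0o400 | 0o4000
O_RDONLY = 0

_AUID_RE = re.compile(r"-F\s+auid(>=|<=|!=|=|>|<)(\S+)")
_SYSCALL_RE = re.compile(r"-S\s+(\S+)")
_A2_MASK_RE = re.compile(r"-F\s+a2&([0-7]+)")

_CMP = {
    ">=": lambda a, v: a >= v,
    "<=": lambda a, v: a <= v,
    "!=": lambda a, v: a != v,
    "=": lambda a, v: a == v,
    ">": lambda a, v: a > v,
    "<": lambda a, v: a < v,
}


def auid_filters(rule):
    """Return [(op, value)] for every `-F auid<op><value>` filter in the rule."""
    return [(op, AUID_UNSET if val == "unset" else int(val))
            for op, val in _AUID_RE.findall(rule)]


def rule_syscalls(rule):
    """Set of syscall names listed after -S."""
    m = _SYSCALL_RE.search(rule)
    return set(m.group(1).split(",")) if m else set()


def a2_mask(rule):
    """Octal bitmask from `-F a2&NNNN` (0100 is O_CREAT), or 0 if absent."""
    m = _A2_MASK_RE.search(rule)
    return int(m.group(1), 8) if m else 0


def matches(rule, auid, syscall, flags):
    """True if a syscall exit event (auid, syscall, a2=flags) would hit the rule."""
    if syscall not in rule_syscalls(rule):
        return False
    mask = a2_mask(rule)
    if mask and not (flags & mask):
        return False
    return all(_CMP[op](auid, v) for op, v in auid_filters(rule))


def coverage_table(rules):
    """Evaluate constructed sample events against each rule: {rule: {event: hit}}."""
    events = {
        "ghaf touch via openat": (UID_GHAF, "openat", TOUCH_FLAGS),
        "ghaf touch via openat2": (UID_GHAF, "openat2", TOUCH_FLAGS),
        "uid1000 touch via openat": (UID_REGULAR, "openat", TOUCH_FLAGS),
        "ghaf read-only openat": (UID_GHAF, "openat", O_RDONLY),
        "daemon (auid unset) openat": (AUID_UNSET, "openat", TOUCH_FLAGS),
    }
    return {name: {ev: matches(r, *args) for ev, args in events.items()}
            for name, r in rules.items()}


if __name__ == "__main__":
    table = coverage_table({"before": RULE_BEFORE, "after": RULE_AFTER})
    for name, row in table.items():
        print(name)
        for ev, hit in row.items():
            print(f"  {'CAPTURED' if hit else 'missed  '}  {ev}")
```

Running the block prints one row per sample event for each rule: the `auid>=1000` form misses the ghaf user (901) and any `openat2` create while still matching unset-loginuid processes, whereas the `auid!=unset` form captures both session users and `openat2` and drops the unset processes. The `a2&0100` check is what keeps a read-only open of the same path out of the create key in both forms.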
@milva-unikie

Tested on Lenovo X1 (nixos-rebuild switch)

  • File creation is logged when audit and OSPP rules are enabled

@milva-unikie milva-unikie added the Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon label Feb 25, 2026
@brianmcgillion brianmcgillion merged commit 588c086 into tiiuae:main Feb 26, 2026
32 checks passed