{"id":28421140,"url":"https://github.com/latchset/crypto-auditing","last_synced_at":"2025-06-29T06:31:43.769Z","repository":{"id":66066358,"uuid":"599784785","full_name":"latchset/crypto-auditing","owner":"latchset","description":"Provides a way to monitor cryptographic operations performed on a system","archived":false,"fork":false,"pushed_at":"2024-09-10T01:59:44.000Z","size":338,"stargazers_count":12,"open_issues_count":9,"forks_count":8,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-09-10T05:23:38.434Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/latchset.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-09T21:50:46.000Z","updated_at":"2024-09-10T01:57:16.000Z","dependencies_parsed_at":"2024-09-10T05:18:17.139Z","dependency_job_id":"25e979d5-29a6-431f-95c9-a131fa09857d","html_url":"https://github.com/latchset/crypto-auditing","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/latchset/crypto-auditing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fcrypto-auditing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fcrypto-auditing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fcrypto-auditing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fcrypto-auditing/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/latchset","download_url":"https://codeload.github.com/latchset/crypto-auditing/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fcrypto-auditing/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262546858,"owners_count":23327047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-05T04:46:27.059Z","updated_at":"2025-06-29T06:31:43.761Z","avatar_url":"https://github.com/latchset.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# crypto-auditing\n\n## Introduction\n\nThis project aims to create the infrastructure needed to audit crypto\noperations performed by crypto libraries on a system. This is accomplished by\nusing BPF USDT probes to intercept specific entry points in crypto libraries,\nas they are used by user space processes on the system, and collect data so that\nit can be analyzed later.\n\nThe design documents can be found from the following links:\n\n- [Objectives and high-level design](docs/objectives.md)\n- [Architecture](docs/architecture.md)\n- [Logging format for primary event logs](docs/logging-format.md)\n- [USDT probe points](docs/probe-points.md)\n- [Measuring performance impact](docs/performance.md)\n\n## Installation\n\n1. Install the latest Rust toolchain\n2. 
Install the instrumented crypto libraries, such as GnuTLS:\n```console\n$ git clone --depth=1 -b wip/usdt https://gitlab.com/gnutls/gnutls.git\n$ cd gnutls\n$ ./bootstrap\n$ ./configure --prefix=/path/to/installation\n$ make -j$(nproc)\n$ sudo make install\n```\n3. Install the dependencies (note that libbpf 1.1.1 or later is required)\n```console\n$ sudo dnf install bpftool make libbpf-devel llvm-devel rustfmt\n```\n4. Build the programs with `make`\n```console\n$ make\n```\n5. Install the programs with `make install`\n```console\n$ sudo make install\n```\n\nThe first step requires `agent/src/bpf/vmlinux.h` to be populated. By\ndefault this is done through a BTF dump from the running kernel with\n`bpftool`, but if that is not supported on your system, it is possible\nto use the `vmlinux.h` included in the `kernel-devel` package:\n\n```console\n$ sudo dnf install kernel-devel\n$ cp $(rpm -ql kernel-devel | grep '/vmlinux.h$' | tail -1) agent/src/bpf\n```\n\n## Running\n\n1. Create a dedicated user and group (e.g., crypto-auditing:crypto-auditing)\n```console\n$ sudo groupadd crypto-auditing\n$ sudo useradd -g crypto-auditing crypto-auditing\n```\n2. Modify the systemd configuration for the agent in `/lib/systemd/system/crypto-auditing-agent.service`:\n```ini\nUser=crypto-auditing\nGroup=crypto-auditing\n```\n3. Modify the systemd configuration for the event-broker in `/lib/systemd/system/crypto-auditing-event-broker.socket`:\n```ini\nSocketUser=crypto-auditing\nSocketGroup=crypto-auditing\nSocketMode=0660\n```\n4. Modify the agent configuration in `/etc/crypto-auditing/agent.conf`:\n```toml\nlibrary = [\"/path/to/installation/lib64/libgnutls.so.30\"]\nuser = \"crypto-auditing:crypto-auditing\"\n```\n5. Enable agent and event-broker\n```console\n$ sudo systemctl daemon-reload\n$ sudo systemctl start crypto-auditing-agent.service\n$ sudo systemctl start crypto-auditing-event-broker.socket\n```\n6. 
Connect to event-broker with client\n```console\n$ crypto-auditing-client --scope tls --format json\n$ crypto-auditing-client --scope tls --format cbor --output audit.cborseq\n```\n7. On another terminal, run any commands using the instrumented library\n```console\n$ gnutls-serv --x509certfile=doc/credentials/x509/cert-rsa-pss.pem --x509keyfile=doc/credentials/x509/key-rsa-pss.pem \u0026\n$ gnutls-cli --x509cafile=doc/credentials/x509/ca.pem localhost -p 5556\n^C\n$ gnutls-cli --x509cafile=doc/credentials/x509/ca.pem localhost -p 5556 --priority NORMAL:-VERS-TLS1.3\n```\n\n## Inspecting logs\n\nIn the above example, client stores logs as a sequence of\nCBOR objects, which can be parsed and printed as a tree with the\n`crypto-auditing-log-parser` executable:\n```console\n$ crypto-auditing-log-parser audit.cborseq\n[\n  {\n    \"context\": \"33acb8e6ccc65bb285bd2f84cac3bf80\",\n    \"start\": 49431626623324,\n    \"end\": 49431626623324,\n    \"events\": {\n      \"name\": \"tls::handshake_client\",\n      \"tls::ciphersuite\": 4866,\n      \"tls::protocol_version\": 772\n    },\n    \"spans\": [\n      {\n        \"context\": \"cdbaebffb957deffec8664b52ab8290d\",\n        \"start\": 49431631956782,\n        \"end\": 49431631963209,\n        \"events\": {\n          \"name\": \"tls::certificate_verify\",\n          \"tls::signature_algorithm\": 2057\n        }\n      }\n    ]\n  },\n  {\n    \"context\": \"c8e0a865bab48563e70780234c3de1c0\",\n    \"start\": 49431626833778,\n    \"end\": 49431627033707,\n    \"events\": {\n      \"name\": \"tls::handshake_server\",\n      \"tls::ciphersuite\": 4866,\n      \"tls::protocol_version\": 772\n    },\n    \"spans\": [\n      {\n        \"context\": \"3c062a160cc8bc8113d05eff4ffc5da5\",\n        \"start\": 49431628203429,\n        \"end\": 49431628207396,\n        \"events\": {\n          \"name\": \"tls::certificate_verify\",\n          \"tls::signature_algorithm\": 2057\n        }\n      }\n    ]\n  },\n  {\n    
\"context\": \"953c66fdd64be71bf99ccc4b91298c95\",\n    \"start\": 49434502888728,\n    \"end\": 49434502888728,\n    \"events\": {\n      \"name\": \"tls::handshake_client\",\n      \"tls::ciphersuite\": 49200,\n      \"tls::protocol_version\": 771\n    },\n    \"spans\": [\n      {\n        \"context\": \"d5ba85329440a679aece93ef63322753\",\n        \"start\": 49434509684783,\n        \"end\": 49434509694813,\n        \"events\": {\n          \"name\": \"tls::certificate_verify\",\n          \"tls::signature_algorithm\": 2057\n        }\n      }\n    ]\n  },\n  {\n    \"context\": \"c8e0a865bab48563e70780234c3de1c0\",\n    \"start\": 49434503007039,\n    \"end\": 49434503047270,\n    \"events\": {\n      \"name\": \"tls::handshake_server\",\n      \"tls::ciphersuite\": 49200,\n      \"tls::protocol_version\": 771\n    },\n    \"spans\": [\n      {\n        \"context\": \"983d47ffeaf4b50691c80f2431c6b539\",\n        \"start\": 49434503929186,\n        \"end\": 49434503940540,\n        \"events\": {\n          \"name\": \"tls::certificate_verify\",\n          \"tls::signature_algorithm\": 2057\n        }\n      }\n    ]\n  }\n]\n```\n\nTo simply deserialize it, you can use the `cborseq2json.rb` script\nfrom [cbor-diag](https://github.com/cabo/cbor-diag) package, which can\nbe installed with `gem install --user cbor-diag`.\n\nFrom the tree output, a flamegraph can be produced with the\n`scripts/flamegraph.py`:\n\n```console\n$ crypto-auditing-log-parser audit.cborseq | python scripts/flamegraph.py -\ndumping data to flamegraph.html\n```\n\nYou can open the generated `flamegraph.html` with your browser.\n\n## License\n\n- `agent/src/bpf/audit.bpf.c`: GPL-2.0-or-later\n- `agent/src/ringbuf.rs`: LGPL-2.1-only or BSD-2-Clause\n- `dist/audit.h`: MIT\n- `scripts/flamegraph.py`: GPL-2.0-only\n- everything else: GPL-3.0-or-later\n\n## Credits\n\n- [libbpf-async](https://github.com/fujita/libbpf-async) for asynchronous BPF ringbuf implementation over libbpf-rs\n- 
[rust-keylime](https://github.com/keylime/rust-keylime/) for permissions management code\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flatchset%2Fcrypto-auditing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flatchset%2Fcrypto-auditing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flatchset%2Fcrypto-auditing/lists"}