fix audit rules

src/audit_rules.js

@@ -10,12 +10,10 @@ async function auditRulesTemplate({ homeDir, workingDir }) {
 -a exit,always -S execve -k bolt_monitored_process_exec
 
 # logs file changes (writes, deletes, renames, etc.)
--a exit,always -F dir=%s -F perm=wa -S open,openat,creat,truncate,ftruncate -k file_change
+# -a exit,always -F dir=%s -F perm=wa -S open,openat,creat,truncate,ftruncate -k file_change
 
 -w ${homeDir} -p wa -k bolt_monitored_bolt_home_changes
 
--w ${workingDir} -p wa -k bolt_monitored_working_dir_changes
-
 -w /etc/passwd -p wa -k bolt_monitored_passwd_changes
 
 -w /etc/shadow -p wa -k bolt_monitored_shadow_changes

src/audit_summary.js

@@ -57,6 +57,26 @@ function parentAction(node) {
   return null
 }
 
+async function getBuildEnvironmentTamperingActions() {
+  const boltPID = core.getState('boltPID')
+  const githubRunnerPID = core.getState('githubRunnerPID')
+  const audit = await generateTestResults('audit.json')
+
+  const buildEnvironmentTamperingEvents = [
+    'bolt_monitored_passwd_changes',
+    'bolt_monitored_shadow_changes',
+    'bolt_monitored_group_changes',
+    'bolt_monitored_sudoers_changes',
+    'bolt_monitored_docker_daemon_changes',
+    'bolt_monitored_audit_log_changes',
+    'bolt_monitored_bolt_home_changes'
+  ]
+
+  const processTamperingBuildEnv = audit.filter(a =>
+    a.tags?.some(tag => buildEnvironmentTamperingEvents.includes(tag))
+  )
+}
+
 async function getSudoCallingActions() {
   const boltPID = core.getState('boltPID')
   const githubRunnerPID = core.getState('githubRunnerPID')

src/scripts/audit.sh

@@ -20,3 +20,10 @@ mv audit.rules /etc/audit/rules.d/
 
 # Restart auditd service to apply the new rules
 service auditd restart
+
+auditctl -w $2 -p wa -k bolt_monitored_wd_changes
+
+auditctl -e 2
+
+
+

src/version.js

@@ -1,4 +1,4 @@
-const releaseVersion = 'v1.7.0-rc.1'
+const releaseVersion = 'v1.7.0-rc.2'
 
 module.exports = {
   releaseVersion