blob: fd6cf1159519b9954b5093044a9f4215adce8cfa [file] [log] [blame] [view] [edit]
# Scrutiny
The Scrutiny Framework provides an extensible plugin based architecture
for building security auditing tools for Fuchsia. The primary goal is to have a
common base for these tools to prevent code duplication. I encourage you to
work through the Getting Started section to get a quick overview of the
framework and how you can use it and write your own plugins!
## Getting Started
To get started you can launch Scrutiny with the command `fx scrutiny`. If the
tool isn't available on your path you can build it by simply adding:
`--with //src/security/scrutiny` or `--with //bundles:tools` to your fx
set command.
When you initially launch Scrutiny you will be greeted with a shell interface.
This shell supports history, tab completions etc. The first command you will
want to try out in the shell is:
```
help
```
This will list all of the currently available commands in Scrutiny. Each
individual command can then be further dug into by using:
```
help command_name
```
With just these two instructions you should be able to get a pretty good idea
of the different commands but to see some common workflows check out the
`examples` directory which contains a selection of Scrutiny scripts (.sc).
### Running Scripts
Scrutiny scripts (.sc) can be run with the `fx scrutiny -s script_name` command.
This will output the content of your script to the screen as it runs through.
To get started try out the following example:
`fx scrutiny -s examples/zbi_inspect.sc`
This script will extract the ZBI into your /tmp/ and allow you to see some of
the inner workings of how the Zircon Boot Image is packaged.
## Framework Architecture
### Overview
This section of the guide provides a deep overview of the architecture behind
the framework which should be useful to anyone looking to build a more complex
plugin or who is looking to develop and improve the framework itself.
### Data Model
The core of the framework revolves around the `DataModel` and is split into
three categories:
1. DataCollectors: Objects that collect data from the host or target and
populate the DataModel. These transform raw data from the target or host
device into the abstract data model that `DataControllers` consume to
analyze the system.
2. DataModel: This is an object relational mapping of Fuchsia. It provides a
simple machine readable abstraction of the component topology along with
other properties of the system state collected both statically and
dynamically by the `DataCollectors`.
3. DataControllers: Objects that analyze and collate data from the `DataModel`.
This is where the complex analysis of the `DataModel` occurs completely
independent of how the underlying data is collected. This provides
flexability and compatability even if the underlying system changes.
Source: `framework/src/model` for the implementation of these three categories.
### Plugin Management
Plugins take a set of `DataCollectors` and `DataControllers` and register them
with the `PluginManager`. This is the primary interface you will work with
when adding new features to the framework. Currently plugins must be built into
the core binary.
A Scrutiny plugin has three core functions:
1. Provide a mapping between a namespace and a `DataController`.
2. Provide the set of `DataCollectors` required so that the `DataModel` is
populated with all the information the `DataControllers` need to service
queries.
3. Provide a set of dependencies this plugin requires to operate correctly.
This allows developers to build lightweight plugins that build ontop of the
work of other plugins.
The abstract interface defined in `framework/src/engine/plugin.rs` allows the
developer to focus on developing the plugin and can benefit from a shared
architecture for integrating their plugin into both a REST service and a
DataCollector worker pool.
### REST Service
The REST service provides a way for `DataVisualizers` to access `DataControllers`
over the network through REST JSON. This provides the greatest flexability as
`DataVisualizers` can be written in any language or framework as long as they
can communicate over the network to the Scrutiny service.
The REST service is populated automatically by the `PluginManager`. If a
`Plugin` is registered and loaded and provides a `PluginHook` for a
`DataController` mapped to the namespace "/foo/bar" the REST service will then
call that `DataController` when the URL "http://localhost:8080/foo/bar" is accessed.
It handles passing through the query string which is the HTTP body of the
request.
This allows the developer to just work on the plugin and take advantage of the
shared infrastructure for hooking into `DataVisualizers`.