Bug649197: Add AppArmor log processing to the audit service
Thanks: Kees Cook for the patch
Closes: 649197
Willi Mann
12 years ago
0 | From: Willi Mann <willi@wm1.at> | |
1 | Date: Tue, 27 Dec 2011 21:15:49 +0100 | |
2 | Subject: Bug649197: Add AppArmor log processing to the audit service | |
3 | ||
4 | Reported by Kees Cook <kees@debian.org> | |
5 | Patch by Kees Cook <kees@debian.org> | |
6 | ||
7 | Closes: 649197 | |
8 | --- | |
9 | conf/services/audit.conf | 4 ++-- | |
10 | scripts/services/audit | 26 ++++++++++++++++++++++++-- | |
11 | 2 files changed, 26 insertions(+), 4 deletions(-) | |
12 | ||
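diff --git a/conf/services/audit.conf b/conf/services/audit.conf
index e0a6a5a..639e38b 100644
--- a/conf/services/audit.conf
+++ b/conf/services/audit.conf
@@ -12,7 +12,7 @@
 # Yes = True = On = 1
 # No = False = Off = 0
 
-Title = "Selinux Audit"
+Title = "Kernel Audit"
 
 # Which logfile group...
 LogFile = messages
@@ -21,7 +21,7 @@ LogFile = messages
 # Note that audit lines may have something like audit(1114839915.618:0)
 # as the service name
 # (Some implementations might not precede it with "kernel:")
-*OnlyService = (kernel:)?\s*(\[\s*\d+\.\d+\]\s*)?(type=[0-9]+\s*)?audit.*
+*OnlyService = (kernel:( \[[ 0-9\.]+\])?)?\s*(type=[0-9]+\s*)?audit.*
 *RemoveHeaders
 
 ########################################################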
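Review bot: The new `*OnlyService` pattern on the `+` line only accepts the bracketed `[ seconds.micros]` kernel timestamp when it directly follows `kernel:` with exactly one space, so an audit line that carries the timestamp without a `kernel:` prefix — the very case the comment two lines above warns about — no longer passes the service filter and silently disappears from the report, whereas the old pattern allowed the timestamp group on its own. Whether such lines occur depends on the syslog setup, but for a filter that decides which audit events are ever shown, dropping them silently is the wrong failure mode. Keeping the two groups independent preserves the loosened timestamp class without the regression: `*OnlyService = (kernel:)?\s*(\[[ 0-9\.]+\]\s*)?(type=[0-9]+\s*)?audit.*`. A short comment above the line noting that a dropped match here means the event is never reported would help the next person who tightens this pattern.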
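diff --git a/scripts/services/audit b/scripts/services/audit
index 0246340..e05b3ad 100644
--- a/scripts/services/audit
+++ b/scripts/services/audit
@@ -78,7 +78,7 @@
 use strict;
 use Logwatch ':all';
 
-my (%denials, %grants);
+my (%denials, %grants, %loads);
 my @OtherList;
 my $othercount = 0;
 my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0);
@@ -92,7 +92,7 @@ my $NumberOfDdStops = 0;
 my $NumberOfLostMessages = 0;
 my %InvalidContext = ();
 my %BugLog = ();
-my $UELimit = 10;
+my $UELimit = 100;
 my $ThisLine;
 my %Warning = ();
 my %AuditctlStatus = ();
@@ -152,6 +152,22 @@ while ($ThisLine = <STDIN>) {
 $Warning{$ThisLine}++;
 } elsif ( my ($status) = ( $ThisLine =~ /AUDIT_STATUS: (.*)/ ) ) {
 $AuditctlStatus{$status}++;
+ } elsif ( $ThisLine =~ /audit\([0-9]+\.[0-9]+:[0-9]+\): apparmor=/) {
+ # AppArmor
+ if ( $ThisLine =~ /apparmor="STATUS" operation="profile_(load|replace)" name="([^"]+)"/ ) {
+ # type=1400 audit(1314853473.168:33616): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=26566 comm="apparmor_parser"
+ $loads{$2}++;
+ } elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" parent=\d+ profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) {
+ # type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
+ # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
+ $denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++;
+ } else {
+ $othercount++;
+ $ThisLine =~ s/^\s*//;
+ if ($othercount < $UELimit+1) {
+ push @OtherList, $ThisLine;
+ }
+ }
 } elsif ( $Detail > 9 ) {
 if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
 $denials{$2.' '.$3.' ('.$1.$4 . ')'}++;
@@ -230,6 +246,12 @@ if ( keys %InvalidContext) {
 }
 }
 
+if ( keys %loads ) {
+ print "\n\n*** Loads ***\n";
+ foreach my $key (sort keys %loads) {
+ print " $key: ". $loads{$key} . " times\n";
+ }
+}
 
 
 if ($Detail and $NumberOfDStarts+$NumberOfDStartsPid) {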
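Review bot: The `apparmor="DENIED"` match in the third hunk requires `parent=`, `profile=`, `name=`, `pid=` and `comm=` in that exact order, so any denial without a filesystem object — capability, network, signal or ptrace denials, which as far as I know carry no `name=` field — fails the match and falls through to the `@OtherList` bucket, where only the first `$UELimit` (now 100) lines are kept verbatim and nothing is aggregated. Those are exactly the denials a reader most wants counted, so the pattern should tolerate a missing `name=` and not depend on field order, e.g. `apparmor="DENIED" operation="([^"]+)".*? profile="([^"]+)"(?: name="([^"]+)")?.*? comm="([^"]+)"` with `my $obj = defined $3 ? $3 : '(no name)';` used in place of `$3` when building the key. The `denied_mask=` value visible in both example lines is also thrown away, so a denied `x` and a denied `r` on the same path collapse into one counter; folding it into the key would keep them distinct. The enclosing `while ($ThisLine = <STDIN>)` loop starts before the hunk, and the shape of non-file denials is inferred from AppArmor's format rather than shown here, so confirm against real samples before widening the pattern.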
93 | -- |