Bug649197: Add AppArmor log processing to the audit service Thanks: Kees Cook for the patch Closes: 649197 Willi Mann 12 years ago
2 changed file(s) with 95 addition(s) and 0 deletion(s).
0 From: Willi Mann <willi@wm1.at>
1 Date: Tue, 27 Dec 2011 21:15:49 +0100
2 Subject: Bug649197: Add AppArmor log processing to the audit service
3
4 Reported by Kees Cook <kees@debian.org>
5 Patch by Kees Cook <kees@debian.org>
6
7 Closes: 649197
8 ---
9 conf/services/audit.conf | 4 ++--
10 scripts/services/audit | 26 ++++++++++++++++++++++++--
11 2 files changed, 26 insertions(+), 4 deletions(-)
12
13 diff --git a/conf/services/audit.conf b/conf/services/audit.conf
14 index e0a6a5a..639e38b 100644
15 --- a/conf/services/audit.conf
16 +++ b/conf/services/audit.conf
17 @@ -12,7 +12,7 @@
18 # Yes = True = On = 1
19 # No = False = Off = 0
20
21 -Title = "Selinux Audit"
22 +Title = "Kernel Audit"
23
24 # Which logfile group...
25 LogFile = messages
26 @@ -21,7 +21,7 @@ LogFile = messages
27 # Note that audit lines may have something like audit(1114839915.618:0)
28 # as the service name
29 # (Some implementations might not precede it with "kernel:")
30 -*OnlyService = (kernel:)?\s*(\[\s*\d+\.\d+\]\s*)?(type=[0-9]+\s*)?audit.*
31 +*OnlyService = (kernel:( \[[ 0-9\.]+\])?)?\s*(type=[0-9]+\s*)?audit.*
32 *RemoveHeaders
33
34 ########################################################
35 diff --git a/scripts/services/audit b/scripts/services/audit
36 index 0246340..e05b3ad 100644
37 --- a/scripts/services/audit
38 +++ b/scripts/services/audit
39 @@ -78,7 +78,7 @@
40 use strict;
41 use Logwatch ':all';
42
43 -my (%denials, %grants);
44 +my (%denials, %grants, %loads);
45 my @OtherList;
46 my $othercount = 0;
47 my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0);
48 @@ -92,7 +92,7 @@ my $NumberOfDdStops = 0;
49 my $NumberOfLostMessages = 0;
50 my %InvalidContext = ();
51 my %BugLog = ();
52 -my $UELimit = 10;
53 +my $UELimit = 100;
54 my $ThisLine;
55 my %Warning = ();
56 my %AuditctlStatus = ();
57 @@ -152,6 +152,22 @@ while ($ThisLine = <STDIN>) {
58 $Warning{$ThisLine}++;
59 } elsif ( my ($status) = ( $ThisLine =~ /AUDIT_STATUS: (.*)/ ) ) {
60 $AuditctlStatus{$status}++;
61 + } elsif ( $ThisLine =~ /audit\([0-9]+\.[0-9]+:[0-9]+\): apparmor=/) {
62 + # AppArmor
63 + if ( $ThisLine =~ /apparmor="STATUS" operation="profile_(load|replace)" name="([^"]+)"/ ) {
64 + # type=1400 audit(1314853473.168:33616): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=26566 comm="apparmor_parser"
65 + $loads{$2}++;
66 + } elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" parent=\d+ profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) {
67 + # type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
68 + # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
69 + $denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++;
70 + } else {
71 + $othercount++;
72 + $ThisLine =~ s/^\s*//;
73 + if ($othercount < $UELimit+1) {
74 + push @OtherList, $ThisLine;
75 + }
76 + }
77 } elsif ( $Detail > 9 ) {
78 if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
79 $denials{$2.' '.$3.' ('.$1.$4 . ')'}++;
80 @@ -230,6 +246,12 @@ if ( keys %InvalidContext) {
81 }
82 }
83
84 +if ( keys %loads ) {
85 + print "\n\n*** Loads ***\n";
86 + foreach my $key (sort keys %loads) {
87 + print " $key: ". $loads{$key} . " times\n";
88 + }
89 +}
90
91
92 if ($Detail and $NumberOfDStarts+$NumberOfDStartsPid) {
93 --
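Review bot: The DENIED pattern at patch line 66 only matches when the fields appear in the fixed order `operation= parent= profile= name= pid= comm=`, so any AppArmor denial whose record lacks `parent=` or carries a different field in place of `name=` (capability denials, for instance, appear to use `capname=` rather than `name=` — to be confirmed against the kernel's output) is silently routed to the unmatched-entries bucket instead of the denials summary, which is the opposite of what a security report should do with a denial. Making the optional field optional, `} elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" (?:parent=\d+ )?profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) {`, keeps the two sample lines in the comment matching while admitting the shorter form; a second branch for `capname=` records could follow the same shape. The `$UELimit` bump from 10 to 100 in the `@@ -92` hunk changes how many unmatched audit lines every report prints and is unrelated to AppArmor, so it deserves its own changelog mention or its own patch. The enclosing `while ($ThisLine = <STDIN>)` loop begins and ends outside this hunk.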
55 0006-scripts-services-amavis-Remove-unmatched-entries.patch
66 0007-Bug618604-Support-some-kerberos-lines-in-secure.patch
77 0008-Bug649194-Handle-unmatched-entry-in-saslauthd.patch
8 0009-Bug649197-Add-AppArmor-log-processing-to-the-audit-s.patch