feat(aa-log): only clean a few log keys, resolve more variables.

fix #382
Alexandre Pujol 2024-06-19 23:39:23 +01:00
parent 018073638b
commit 3b82cc36ba
3 changed files with 41 additions and 20 deletions


@ -104,7 +104,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
var res strings.Builder var res strings.Builder
for _, log := range logs { for _, log := range logs {
res.WriteString(log.Message + "\n") res.WriteString(log.Message)
res.WriteString("\n")
} }
return strings.NewReader(res.String()), nil return strings.NewReader(res.String()), nil
} }
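Review bot: Splitting the concatenation into two writes is fine, but the single newline on the new `res.WriteString("\n")` line is more idiomatically written as `res.WriteByte('\n')`, which also makes clear that it is a line terminator rather than message content. GetJournalctlLogs starts outside the hunk.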


@ -31,13 +31,24 @@ const (
var ( var (
quoted bool quoted bool
isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`)
hex = `[0-9a-fA-F]` _hex = `[0-9a-fA-F]`
_int = `[0-9]`
regCleanLogs = util.ToRegexRepl([]string{ regCleanLogs = util.ToRegexRepl([]string{
// Clean apparmor log file // Clean apparmor log file
`.*apparmor="`, `apparmor="`, `.*apparmor="`, `apparmor="`,
`(peer_|)pid=[0-9]*\s`, " ", `(peer_|)pid=[0-9]*\s`, " ",
`\x1d`, " ", `\x1d`, " ",
// Remove basic rules from abstractions/base
`(?m)^.*/etc/[^/]+so.*$`, ``,
`(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+so.*$`, ``,
`(?m)^.*/usr/(lib|lib32|lib64|libexec)/locale/.*$`, ``,
`(?m)^.*/usr/share/locale[^/]?/.*$`, ``,
`(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``,
`(?m)^.*/dev/(null|zero|full|log).*$`, ``,
`(?m)^.*/dev/(u|)random.*$`, ``,
})
regResolveLogs = util.ToRegexRepl([]string{
// Resolve classic user variables // Resolve classic user variables
`/home/[^/]+/.cache`, `@{user_cache_dirs}`, `/home/[^/]+/.cache`, `@{user_cache_dirs}`,
`/home/[^/]+/.config`, `@{user_config_dirs}`, `/home/[^/]+/.config`, `@{user_config_dirs}`,
@ -47,38 +58,42 @@ var (
`/home/[^/]+/.local/lib`, `@{user_lib_dirs}`, `/home/[^/]+/.local/lib`, `@{user_lib_dirs}`,
`/home/[^/]+/.ssh`, `@{HOME}/@{XDG_SSH_DIR}`, `/home/[^/]+/.ssh`, `@{HOME}/@{XDG_SSH_DIR}`,
`/home/[^/]+/.gnupg`, `@{HOME}/@{XDG_GPG_DIR}`, `/home/[^/]+/.gnupg`, `@{HOME}/@{XDG_GPG_DIR}`,
`/home/[^/]+`, `@{HOME}`, `/home/[^/]+/`, `@{HOME}/`,
// Resolve classic system variables // Resolve classic system variables
`/usr/lib(|32|64|exec)`, `@{lib}`, `/usr/(lib|lib32|lib64|libexec)`, `@{lib}`,
`/usr/(|s)bin`, `@{bin}`, `/usr/(bin|sbin)`, `@{bin}`,
`x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`, `x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`,
`/usr/etc/`, `@{etc_ro}/`, `/usr/etc/`, `@{etc_ro}/`,
`/var/run/`, `@{run}/`,
`/run/`, `@{run}/`, `/run/`, `@{run}/`,
`user/[0-9]*/`, `user/@{uid}/`, `user/[0-9]*/`, `user/@{uid}/`,
`/tmp/user/@{uid}/`, `@{tmp}/`,
`/proc/`, `@{PROC}/`, `/proc/`, `@{PROC}/`,
`@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`, `@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`,
`@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`, `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`,
`/sys/`, `@{sys}/`, `/sys/`, `@{sys}/`,
`@{PROC}@{sys}/`, `@{PROC}/sys/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`,
`pci` + strings.Repeat(hex, 4) + `:` + strings.Repeat(hex, 2), `@{pci_bus}`, `pci` + strings.Repeat(_hex, 4) + `:` + strings.Repeat(_hex, 2), `@{pci_bus}`,
`1000`, `@{pid}`,
// Some system glob // Some system glob
`:1.[0-9]*`, `:*`, // dbus peer name `:1.[0-9]*`, `:*`, // dbus peer name
`@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell `@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell
`@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses
strings.Repeat(hex, 64), `@{hex64}`,
strings.Repeat(hex, 32), `@{hex32}`,
strings.Repeat(hex, 8) + `[-_]` + strings.Repeat(hex, 4) + `[-_]` + strings.Repeat(hex, 4) + `[-_]` + strings.Repeat(hex, 4) + `[-_]` + strings.Repeat(hex, 12), `@{uuid}`,
// Remove basic rules from abstractions/base // int, hex, uuid
`(?m)^.*/etc/[^/]+so.*$`, ``, strings.Repeat(_hex, 8) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 12), `@{uuid}`,
`(?m)^.*@{lib}/[^/]+so.*$`, ``, strings.Repeat(_int, 64), `@{int64}`,
`(?m)^.*@{lib}/locale/.*$`, ``, strings.Repeat(_hex, 64), `@{hex64}`,
`(?m)^.*/usr/share/locale[^/]?/.*$`, ``, strings.Repeat(_hex, 38), `@{hex38}`,
`(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``, strings.Repeat(_int, 32), `@{int32}`,
`(?m)^.*/dev/(null|zero|full|log).*$`, ``, strings.Repeat(_hex, 32), `@{hex32}`,
`(?m)^.*/dev/(u|)random.*$`, ``, strings.Repeat(_int, 16), `@{int16}`,
strings.Repeat(_hex, 16), `@{hex16}`,
strings.Repeat(_int, 10), `@{int10}`,
strings.Repeat(_int, 8), `@{int8}`,
strings.Repeat(_int, 6), `@{int6}`,
}) })
) )
@ -107,6 +122,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
// Parse log into ApparmorLog struct // Parse log into ApparmorLog struct
aaLogs := make(AppArmorLogs, 0) aaLogs := make(AppArmorLogs, 0)
toClean := []string{"profile", "name", "target"}
for _, log := range logs { for _, log := range logs {
quoted = false quoted = false
tmp := strings.FieldsFunc(log, splitQuoted) tmp := strings.FieldsFunc(log, splitQuoted)
@ -115,7 +131,11 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
for _, item := range tmp { for _, item := range tmp {
kv := strings.Split(item, "=") kv := strings.Split(item, "=")
if len(kv) >= 2 { if len(kv) >= 2 {
aa[kv[0]] = strings.Trim(kv[1], `"`) key, value := kv[0], kv[1]
if slices.Contains(toClean, key) {
value = regResolveLogs.Replace(kv[1])
}
aa[key] = strings.Trim(value, `"`)
} }
} }
aaLogs = append(aaLogs, aa) aaLogs = append(aaLogs, aa)
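Review bot: The new `1000`, `@{pid}` entry in `regResolveLogs` is an unanchored substring pattern, so any `1000` occurring inside a resolved `profile`/`name`/`target` value (a longer number such as `21000`, or a path component like `10000`) is rewritten to `@{pid}`, which generalises the generated rule beyond the access that was actually logged; 1000 is also conventionally the first login UID rather than a pid, so the chosen variable looks doubtful. The `strings.Repeat(_int, n)` and `strings.Repeat(_hex, n)` entries have the same boundary problem: a 7-digit run becomes `@{int6}` followed by a stray digit, so either drop the `1000` entry or bound these patterns (RE2 supports `\b`) and add a comment stating which variable each is meant to stand for. Separately, in the NewApparmorLogs hunk `regResolveLogs.Replace(kv[1])` runs before the surrounding quotes are trimmed, so a bare `name="/home/user"` is not matched by the new `/home/[^/]+/` pattern because `[^/]+` consumes the closing quote; applying the existing `strings.Trim` to `value` first and then replacing avoids that. NewApparmorLogs starts and ends outside the hunk, and this assumes `slices` is the standard-library package imported above it.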


@ -57,7 +57,7 @@ var (
"interface": "org.freedesktop.DBus", "interface": "org.freedesktop.DBus",
"member": "AddMatch", "member": "AddMatch",
"peer_label": "dbus-daemon", "peer_label": "dbus-daemon",
"exe": "@{bin}/dbus-daemon", "exe": "/usr/bin/dbus-daemon",
"sauid": "102", "sauid": "102",
"hostname": "?", "hostname": "?",
"addr": "?", "addr": "?",
@ -145,7 +145,7 @@ func TestAppArmorEvents(t *testing.T) {
"interface": "org.freedesktop.PolicyKit1.Authority", "interface": "org.freedesktop.PolicyKit1.Authority",
"member": "CheckAuthorization", "member": "CheckAuthorization",
"peer_label": "polkitd", "peer_label": "polkitd",
"exe": "@{bin}/dbus-daemon", "exe": "/usr/bin/dbus-daemon",
"sauid": "102", "sauid": "102",
"hostname": "?", "hostname": "?",
"addr": "?", "addr": "?",