diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index 05d0e865..27cab29c 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@@ -131,9 +131,9 @@ func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, erro
 // NewApparmorLogs return a new ApparmorLogs list of map from a log file
 func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
 log := ""
- exp := "apparmor=(\"DENIED\"|\"ALLOWED\"|\"AUDIT\")"
+ exp := `apparmor=("DENIED"|"ALLOWED"|"AUDIT")`
 if profile != "" {
- exp = fmt.Sprintf(exp+".* (profile=\"%s.*\"|label=\"%s.*\")", profile, profile)
+ exp = fmt.Sprintf(exp+`.* (profile="%s.*"|label="%s.*")`, profile, profile)
 }
 isAppArmorLog := regexp.MustCompile(exp)
@@ -147,8 +147,8 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
 }
 // Clean logs
- regex := regexp.MustCompile(`type=(USER_|)AVC msg=audit(.*): (pid=.*msg='|)apparmor`)
- log = regex.ReplaceAllLiteralString(log, "apparmor")
+ regex := regexp.MustCompile(`.*apparmor="`)
+ log = regex.ReplaceAllLiteralString(log, `apparmor="`)
 regexAppArmorLogs := map[*regexp.Regexp]string{
 regexp.MustCompile(`(peer_|)pid=[0-9]* `): "",
 regexp.MustCompile(` fsuid.*`): "",
diff --git a/tests/audit.log b/tests/audit.log
index 1d236b7e..09ae7421 100644
--- a/tests/audit.log
+++ b/tests/audit.log
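Review bot: The `profile` argument is still interpolated into the regular expression verbatim on the rewritten `fmt.Sprintf` line, so a profile name containing regex metacharacters is matched as a pattern rather than as text, and a name with an unbalanced bracket makes `regexp.MustCompile(exp)` panic instead of returning no matches. Passing `regexp.QuoteMeta(profile), regexp.QuoteMeta(profile)` in place of `profile, profile` keeps the raw-string migration and makes the filter literal. The body of NewApparmorLogs continues past the end of the hunk.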
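Review bot: The new cleanup pattern `.*apparmor="` is greedy and unanchored, so on a line where `apparmor="` occurs a second time — for instance inside a quoted `name=` or `path=` value, which comes from the logged process rather than from this tool — everything up to the last occurrence is discarded, taking the real `operation=` and `profile=` fields with it; the removed pattern only ever consumed the audit prefix. Anchoring per line and matching lazily, i.e. the pattern `(?m)^.*?apparmor="`, strips only the prefix before the first `apparmor="` on each line and still handles the syslog/kernel-style lines added to the fixture. I could not find such a line in the fixture, so this is a robustness point rather than an observed failure. NewApparmorLogs starts before and ends after this hunk.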
@@ -32,3 +32,5 @@ type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 s
 type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.4" mask="receive" label="dbus-daemon" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="bind" profile="gnome-shell" pid=2027 comm="gnome-shell" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X1"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" profile="gnome-session-binary" pid=1995 comm="gnome-session-b" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr="@/tmp/.ICE-unix/1995" peer_addr=none peer="gnome-shell"
+Sep 6 11:23:47 xubuntu-lts kernel: [ 31.024982] audit: type=1107 audit(1111111111.111:1111): pid=1567 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.Accounts" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"
+Sep 6 11:26:12 xubuntu-lts kernel: [ 175.272924] audit: type=1107 audit(1111111111.111:1111): pid=1567 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_signal" bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.Accounts.User" member="Changed" name=":1.6" mask="receive" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"