fix(aa-log): relax audit log format.

Alexandre Pujol 2022-09-06 17:49:40 +01:00
parent 746a36bfb4
commit 6c9122c617
2 changed files with 6 additions and 4 deletions


@ -131,9 +131,9 @@ func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, erro
// NewApparmorLogs return a new ApparmorLogs list of map from a log file // NewApparmorLogs return a new ApparmorLogs list of map from a log file
func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
log := "" log := ""
exp := "apparmor=(\"DENIED\"|\"ALLOWED\"|\"AUDIT\")" exp := `apparmor=("DENIED"|"ALLOWED"|"AUDIT")`
if profile != "" { if profile != "" {
exp = fmt.Sprintf(exp+".* (profile=\"%s.*\"|label=\"%s.*\")", profile, profile) exp = fmt.Sprintf(exp+`.* (profile="%s.*"|label="%s.*")`, profile, profile)
} }
isAppArmorLog := regexp.MustCompile(exp) isAppArmorLog := regexp.MustCompile(exp)
@ -147,8 +147,8 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
} }
// Clean logs // Clean logs
regex := regexp.MustCompile(`type=(USER_|)AVC msg=audit(.*): (pid=.*msg='|)apparmor`) regex := regexp.MustCompile(`.*apparmor="`)
log = regex.ReplaceAllLiteralString(log, "apparmor") log = regex.ReplaceAllLiteralString(log, `apparmor="`)
regexAppArmorLogs := map[*regexp.Regexp]string{ regexAppArmorLogs := map[*regexp.Regexp]string{
regexp.MustCompile(`(peer_|)pid=[0-9]* `): "", regexp.MustCompile(`(peer_|)pid=[0-9]* `): "",
regexp.MustCompile(` fsuid.*`): "", regexp.MustCompile(` fsuid.*`): "",
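Review bot: In the first hunk, `profile` is still spliced into the regex pattern unescaped on the `exp = fmt.Sprintf(...)` line and then handed to `regexp.MustCompile(exp)`, so a profile name containing regex metacharacters changes what the filter matches, and an invalid sequence (an unbalanced `(`, a stray `+`) makes MustCompile panic instead of returning an error; the switch to raw strings does not change this. Escaping the value first keeps the match literal: `p := regexp.QuoteMeta(profile)` and `exp = fmt.Sprintf(exp+`.* (profile="%s.*"|label="%s.*")`, p, p)`. Whether the value comes from a user-supplied argument is not visible here, but the filter should be safe either way. In the second hunk the new `.*apparmor="` prefix strip is greedy, which is harmless as long as a record carries a single `apparmor=` token, as every sample in the fixture does; a short comment such as `// drop everything before the apparmor= token (kernel, audit and journal prefixes alike)` would record that intent. NewApparmorLogs starts inside the first hunk and its body continues past both hunks.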


@ -32,3 +32,5 @@ type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 s
type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.4" mask="receive" label="dbus-daemon" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus" type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.4" mask="receive" label="dbus-daemon" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="bind" profile="gnome-shell" pid=2027 comm="gnome-shell" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X1" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="bind" profile="gnome-shell" pid=2027 comm="gnome-shell" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X1"
type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" profile="gnome-session-binary" pid=1995 comm="gnome-session-b" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr="@/tmp/.ICE-unix/1995" peer_addr=none peer="gnome-shell" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" profile="gnome-session-binary" pid=1995 comm="gnome-session-b" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr="@/tmp/.ICE-unix/1995" peer_addr=none peer="gnome-shell"
Sep 6 11:23:47 xubuntu-lts kernel: [ 31.024982] audit: type=1107 audit(1111111111.111:1111): pid=1567 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.Accounts" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"
Sep 6 11:26:12 xubuntu-lts kernel: [ 175.272924] audit: type=1107 audit(1111111111.111:1111): pid=1567 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_signal" bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.Accounts.User" member="Changed" name=":1.6" mask="receive" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"