mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Updated sqlite db and related functions to support new parser and

Browse source 
libapparmor.
This commit is contained in:
David J Drewelow 2007-08-20 15:07:13 +00:00
parent 7a3ddb5ce7
commit fd1c72183b
1 changed files with 205 additions and 355 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

560
utils/aa-eventd
View file

@ -33,6 +33,7 @@ use Time::Local;
use File::Tail; use File::Tail;
use Immunix::Severity; use Immunix::Severity;
require LibAppArmor;
########################################################################## ##########################################################################
# locations # locations
@ -93,6 +94,7 @@ my $inserts = 0;
my $total = 0; my $total = 0;
my @commit_buffer; my @commit_buffer;
my @debug_buffer;
my @verbose_buffer; my @verbose_buffer;
my @summary_buffer; my @summary_buffer;
@ -101,31 +103,41 @@ my @terse_buffer;
my $date_module = "None"; my $date_module = "None";
my %templates = ( my %templates = (
"path" => "(time,counter,type,profile,sdmode,mode,resource,prog,pid,severity) VALUES(?,?,'path',?,?,?,?,?,?,?)", "path" => "(time,counter,type,op,profile,sdmode,mode_deny,resource,prog,pid,severity) VALUES(?,?,?,?,?,?,?,?,?,?,?)",
"link" => "(time,counter,type,profile,sdmode,resource,target,prog,pid,severity) VALUES(?,?,'link',?,?,?,?,?,?,?)", "link" => "(time,counter,type,op,profile,sdmode,resource,target,prog,pid,severity) VALUES(?,?,?,?,?,?,?,?,?,?,?)",
"chattr" => "(time,counter,type,profile,sdmode,resource,mode,prog,pid,severity) VALUES(?,?,'chattr',?,?,?,?,?,?,?)", "chattr" => "(time,counter,type,op,profile,sdmode,resource,mode_deny,prog,pid,severity) VALUES(?,?,?,?,?,?,?,?,?,?,?)",
"capability" => "(time,counter,type,profile,sdmode,resource,prog,pid,severity) VALUES(?,?,'capability',?,?,?,?,?,?)", "capability" => "(time,counter,type,op,profile,sdmode,resource,prog,pid,severity) VALUES(?,?,?,?,?,?,?,?,?,?)",
"unknown_hat" => "(time,counter,type,profile,sdmode,resource,pid) VALUES(?,?,'unknown_hat',?,?,?,?)", "capable" => "(time,counter,type,op,prog,pid,profile) VALUES(?,?,?,?,?,?,?)",
"fork" => "(time,counter,type,profile,sdmode,pid,resource) VALUES(?,?,'fork',?,?,?,?)", "unknown_hat" => "(time,counter,type,op,profile,sdmode,resource,pid) VALUES(?,?,?,?,?,?,?,?)",
"changing_profile" => "(time,counter,type,profile,sdmode,pid) VALUES(?,?,'changing_profile',?,?,?)", "fork" => "(time,counter,type,op,profile,sdmode,pid,resource) VALUES(?,?,?,?,?,?,?,?)",
"profile_replacement" => "(time,counter,type,profile,sdmode,prog,pid,severity) VALUES(?,?,'profile_replacement',?,?,?,?,?)", "changing_profile" => "(time,counter,type,op,profile,sdmode,pid) VALUES(?,?,?,?,?,?,?)",
"removed" => "(time,counter,type,severity) VALUES(?,?,'removed',?)", "profile_replacement" => "(time,counter,type,op,profile,sdmode,prog,pid,severity) VALUES(?,?,?,?,?,?,?,?,?)",
"initialized" => "(time,counter,type,resource,severity) VALUES(?,?,'initialized',?,?)", "net" => "(time,counter,type,op,net_family,net_socktype,net_proto,pid,profile) VALUES(?,?,?,?,?,?,?,?,?)",
"ctrl_var" => "(time,counter,type,resource,mode,severity) VALUES(?,?,'ctrl_var',?,?,?)", "removed" => "(time,counter,type,op,severity) VALUES(?,?,?,?,?)",
"initialized" => "(time,counter,type,op,resource,severity) VALUES(?,?,?,?,?,?)",
"ctrl_var" => "(time,counter,type,op,resource,mode_deny,severity) VALUES(?,?,?,?,?,?,?)",
"profile_load" => "(time,counter,type,op,resource,prog,pid) VALUES(?,?,?,?,?,?,?)",
); );
########################################################################## ##########################################################################
# generic functions # generic functions
sub new_errlog {
my @msgList = @_;
my $localtime = localtime(time);
for my $arr (@msgList) {
my $msg = join(", ", @msgList);
print ERRLOG "[$localtime] $msg\n";
}
}
sub errlog ($) { sub errlog ($) {
my $mesg = shift; my $mesg = shift;
my $localtime = localtime(time); my $localtime = localtime(time);
print ERRLOG "[$localtime] $mesg\n"; print ERRLOG "[$localtime] $mesg\n";
} }
sub readconfig () { sub readconfig () {
my $cfg = {}; my $cfg = {};
# record when we read the config file # record when we read the config file
@ -174,7 +186,7 @@ sub parsedate ($) {
sub connect_database ($) { sub connect_database ($) {
my $dbdir = shift; my $dbdir = shift;
my $dbh = DBI->connect("dbi:SQLite:dbname=$dbdir/events.db", "", ""); my $dbh = DBI->connect("dbi:SQLite:dbname=$dbdir/events.db", "", "", {RaiseError=>1});
# we'll do the commits ourselves so performance doesn't suck # we'll do the commits ourselves so performance doesn't suck
$dbh->{AutoCommit} = 0; $dbh->{AutoCommit} = 0;
@ -199,36 +211,45 @@ sub connect_database ($) {
$dbh->do("CREATE TABLE info (name,value)"); $dbh->do("CREATE TABLE info (name,value)");
$sth = $dbh->prepare("INSERT INTO info(name,value) VALUES(?,?)"); $sth = $dbh->prepare("INSERT INTO info(name,value) VALUES(?,?)");
$sth->execute("version", "0.1"); $sth->execute("version", "0.2");
$sth->execute("host", "$host"); $sth->execute("host", "$host");
} }
# create the events table # create the events table
unless ($existing_tables{events}) { unless ($existing_tables{events}) {
$dbh->do( $dbh->do(
"CREATE TABLE events ( "CREATE TABLE events (
id INTEGER PRIMARY KEY AUTOINCREMENT, id INTEGER PRIMARY KEY AUTOINCREMENT,
time INTEGER NOT NULL, time INTEGER NOT NULL,
counter INTEGER NOT NULL, counter INTEGER NOT NULL,
op,
pid, pid,
sdmode, sdmode,
type, type,
mode, mode_deny,
mode_req,
resource, resource,
target, target,
profile, profile,
prog, prog,
name_alt,
attr,
parent,
active_hat,
net_family,
net_proto,
net_socktype,
severity INTEGER severity INTEGER
)" )"
); );
# set up the indexes we want # set up the indexes we want
my @indexes = qw(time type sdmode mode resource profile prog severity); #my @indexes = qw(time type sdmode mode resource profile prog severity);
my @indexes = qw(time type op sdmode mode_deny resource profile prog severity);
for my $index (@indexes) { for my $index (@indexes) {
$dbh->do("CREATE INDEX " . $index . "_idx ON events($index)"); $dbh->do("CREATE INDEX " . $index . "_idx ON events($index)");
} }
} }
# make sure our changes actually get saved # make sure our changes actually get saved
$dbh->commit || errlog "Error commiting changes: $!"; $dbh->commit || errlog "Error commiting changes: $!";
@ -401,35 +422,82 @@ sub fork_into_background {
} }
########################################################################## ##########################################################################
# Parse event record into key-value pairs
sub parseEvent($) {
my %ev = ();
my $msg = shift;
chomp($msg);
errlog "Event: $msg";
my $event = LibAppArmor::parse_record($msg);
# resource is an alternate term for 'name1' below
# mode is an alternate term for 'mode-deny' below
$ev{'op'} = LibAppArmor::aa_log_record::swig_operation_get($event);
$ev{'pid'} = LibAppArmor::aa_log_record::swig_pid_get($event);
$ev{'mode-deny'} = LibAppArmor::aa_log_record::swig_denied_mask_get($event);
$ev{'mode-req'} = LibAppArmor::aa_log_record::swig_requested_mask_get($event);
$ev{'profile'}= LibAppArmor::aa_log_record::swig_profile_get($event);
$ev{'prog'} = LibAppArmor::aa_log_record::swig_name_get($event);
$ev{'name2'} = LibAppArmor::aa_log_record::swig_name2_get($event);
$ev{'attr'} = LibAppArmor::aa_log_record::swig_attribute_get($event);
$ev{'parent'} = LibAppArmor::aa_log_record::swig_parent_get($event);
$ev{'magic_token'} = LibAppArmor::aa_log_record::swig_magic_token_get($event);
$ev{'resource'} = LibAppArmor::aa_log_record::swig_info_get($event);
$ev{'active_hat'} = LibAppArmor::aa_log_record::swig_active_hat_get($event);
$ev{'sdmode'} = LibAppArmor::aa_log_record::swig_event_get($event);
# NetDomain
if ( $ev{'op'} && $ev{'op'} =~ /socket/ ) {
next if $ev{'op'} =~ /create/;
$ev{'net_family'} = LibAppArmor::aa_log_record::swig_net_family_get($event);
$ev{'net_proto'} = LibAppArmor::aa_log_record::swig_net_protocol_get($event);
$ev{'net_socktype'} = LibAppArmor::aa_log_record::swig_net_sock_type_get($event);
}
LibAppArmor::free_record($event);
# remove null responses
for (keys(%ev)) {
if ( $ev{$_} !~ /\w+/) {delete($ev{$_}); }
#errlog "EVENT: $_ is $ev{$_}";
}
if ( $ev{'sdmode'} ) {
#0 = invalid, 1 = error, 2 = AUDIT, 3 = ALLOW/PERMIT,
#4 = DENIED/REJECTED, 5 = HINT, 6 = STATUS/config change
if ( $ev{'sdmode'} == 2 ) { $ev{'sdmode'} = "AUDITING"; }
elsif ( $ev{'sdmode'} == 3 ) { $ev{'sdmode'} = "PERMITING"; }
elsif ( $ev{'sdmode'} == 4 ) { $ev{'sdmode'} = "REJECTING"; }
else { delete($ev{'action'}); }
}
return \%ev;
}
sub process_event ($$) { sub process_event ($$) {
my $dbh = shift; my $dbh = shift;
my $logmsg = shift; my $logmsg = shift;
my $sth; my $sth;
my $severity = "";
my @eventList = ();
my $type = undef;
my $time = undef;
my ($time, $mesg); return unless $logmsg && $logmsg =~ /APPARMOR/;
if ($logmsg =~ /^(?:type=(?:APPARMOR|UNKNOWN\[1500\]) msg=|$REdate\s+\S+\s+(?:kernel:\s+)*)audit\((\d+).\d+:\d+\): (.+)$/) { my $ev = parseEvent($logmsg);
($time, $mesg) = ($1, $2);
# have we rolled over to another second yet? # skip logprof hints
if ($time ne $lasttime) { if ( ! $ev->{'op'} || $ev->{'op'} eq 'clone') { return; }
$counter = 0;
$timestamp = $time;
$lasttime = $time;
}
} elsif ($logmsg =~ /^\s*($REdate)\s+\S+\s+(?:kernel:\s+)*(SubDomain|AppArmor):\s+(.+)$/) {
($time, $mesg) = ($1, $3);
# have we rolled over to another second yet? $time = time; # XXX - do we want current time or $ev->{'time'}?
if ($time ne $lasttime) {
$counter = 0;
$timestamp = parsedate($time);
$lasttime = $time;
}
} else {
# not one of ours, just return if ($time ne $lasttime) {
return; $counter = 0;
$timestamp = $time;
$lasttime = $time;
} }
$counter++; $counter++;
@ -449,290 +517,9 @@ sub process_event ($$) {
$last_inserted_time = undef; $last_inserted_time = undef;
} }
# workaround for syslog uglyness. if ( $ev->{'sdmode'} && $ev->{'sdmode'} eq "REJECTING") {
if ($mesg =~ s/(PERMITTING|REJECTING|AUDITING)-SYSLOGFIX/$1/) { $severity = $sevdb->rank($ev->{'prog'}, $ev->{'mode'});
$mesg =~ s/%%/%/g; if ( ! $severity ) { $severity = "-1"; }
}
if ($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $mode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, $mode);
# we only do notification for enforce mode events
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "path", $prog, $mode, $resource ];
}
}
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter, "dummy" ];
}
}
}
push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
$inserts++;
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $link, $target, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($target, "l");
# we only do notification for enforce mode events
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "link", $prog, $link, $target ];
}
}
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
}
push @commit_buffer, [ "link", $timestamp, $counter, $profile, $sdmode, $link, $target, $prog, $pid, $severity ];
$inserts++;
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $attrch, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, "w");
# we only do notification for enforce mode events
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "attrch", $prog, $resource, $attrch ];
}
}
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
}
push @commit_buffer, [ "chattr", $timestamp, $counter, $profile, $sdmode, $resource, $attrch, $prog, $pid, $severity ];
$inserts++;
} elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
$profile .= "^$hat" if $profile ne $hat;
my $mode = "w";
my $severity = "";
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, $mode);
# we only do notification for enforce mode events
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "path", $prog, $mode, $resource ];
}
}
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter, "dummy" ];
}
}
}
push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
$inserts++;
} elsif (/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $xattr_op, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $mode;
if ($xattr_op eq "get" || $xattr_op eq "list") {
$mode = "r";
} elsif ($xattr_op eq "set" || $xattr_op eq "remove") {
$mode = "w";
}
my $severity = "";
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank($resource, $mode);
# we only do notification for enforce mode events
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "path", $prog, $mode, $resource ];
}
}
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter, "dummy" ];
}
}
}
push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
$inserts++;
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $capability, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = "";
if ($sdmode eq "REJECTING") {
$severity = $sevdb->rank(uc("cap_$capability"));
# we only do notification for enforce mode events
if ($config->{verbose_freq}) {
if ( ($severity >= $config->{verbose_level})
|| (($severity == -1) && $config->{verbose_unknown}))
{
push @verbose_buffer, [ $timestamp, $counter, $logmsg ];
}
}
if ($config->{summary_freq}) {
if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown}))
{
push @summary_buffer, [ $timestamp, $counter, "capability", $prog, $capability ];
}
}
if ($config->{terse_freq}) {
if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown}))
{
push @terse_buffer, [ $timestamp, $counter ];
}
}
}
push @commit_buffer, [ "capability", $timestamp, $counter, $profile, $sdmode, $capability, $prog, $pid, $severity ];
$inserts++;
} elsif ($mesg =~ /LOGPROF-HINT unknown_hat (\S+) pid=(\d+) profile=(\S+) active=(\S+)/) {
my ($uhat, $pid, $profile, $hat) = ($1, $2, $3, $4);
$profile .= "^$hat" if $profile ne $hat;
push @commit_buffer, [ "unknown_hat", $timestamp, $counter, $profile, "PERMITTING", $uhat, $pid ];
$inserts++;
} elsif ($mesg =~ /LOGPROF-HINT fork pid=(\d+) child=(\d+) profile=(\S+) active=(\S+)/) {
my ($pid, $child, $profile, $hat) = ($1, $2, $3, $4);
$profile .= "^$hat" if $profile ne $hat;
push @commit_buffer, [ "fork", $timestamp, $counter, $profile, "PERMITTING", $pid, $child ];
$inserts++;
} elsif ($mesg =~ /LOGPROF-HINT changing_profile pid=(\d+) newprofile=(\S+)/) {
my ($pid, $newprofile) = ($1, $2);
push @commit_buffer, [ "changing_profile", $timestamp, $counter, $newprofile, "PERMITTING", $pid ];
$inserts++;
} elsif ($mesg =~ /LOGPROF-HINT fork pid=(\d+) child=(\d+)/) {
my ($pid, $child) = ($1, $2);
push @commit_buffer, [ "fork", $timestamp, $counter, "null-complain-profile", "PERMITTING", $pid, $child ];
$inserts++;
} elsif ($mesg =~ /LOGPROF-HINT changing_profile pid=(\d+)/) {
my $pid = $1;
push @commit_buffer, [ "changing_profile", $timestamp, $counter, "null-complain-profile", "PERMITTING", $pid ];
$inserts++;
} elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
my ($sdmode, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
$profile .= "^$hat" if $profile ne $hat;
my $severity = 10;
# we only do notification for enforce mode events # we only do notification for enforce mode events
if ($config->{verbose_freq}) { if ($config->{verbose_freq}) {
@ -747,7 +534,8 @@ sub process_event ($$) {
if ( ($severity >= $config->{summary_level}) if ( ($severity >= $config->{summary_level})
|| (($severity == -1) && $config->{summary_unknown})) || (($severity == -1) && $config->{summary_unknown}))
{ {
push @summary_buffer, [ $timestamp, $counter, "profile_replacement", $prog ]; push @summary_buffer, [ $timestamp, $counter, "path",
$ev->{'prog'}, $ev->{'mode'}, $ev->{'resource'} ];
} }
} }
@ -755,34 +543,85 @@ sub process_event ($$) {
if ( ($severity >= $config->{terse_level}) if ( ($severity >= $config->{terse_level})
|| (($severity == -1) && $config->{terse_unknown})) || (($severity == -1) && $config->{terse_unknown}))
{ {
push @terse_buffer, [ $timestamp, $counter ]; push @terse_buffer, [ $timestamp, $counter, "dummy" ];
} }
} }
push @commit_buffer, [ "profile_replacement", $timestamp, $counter, $profile, $sdmode, $prog, $pid, $severity ];
$inserts++;
} elsif ($mesg =~ /(SubDomain|AppArmor) protection removed/) {
push @commit_buffer, [ "removed", $timestamp, $counter, 10 ];
$inserts++;
} elsif ($mesg =~ /(SubDomain|AppArmor) \(version (\S+)\) initialized/) {
my $version = $1;
push @commit_buffer, [ "initialized", $timestamp, $counter, $version, 10 ];
$inserts++;
} elsif ($mesg =~ /Control variable '(\S+)' changed to (\S+)/) {
my ($variable, $value) = ($1, $2);
push @commit_buffer, [ "ctrl_var", $timestamp, $counter, $variable, $value, 10 ];
$inserts++;
} else {
chomp $logmsg;
errlog "Unhandled log message: $logmsg";
} }
unless ( $ev->{'op'} ) {
my $errmsg = "ERROR: No operation found: ";
for my $k (sort keys(%$ev)) {
$errmsg .= "$k is $ev->{$k}, ";
}
errlog("$errmsg\n");
return;
}
# Format the message to match the db template
if ($ev->{'op'} eq 'link' ) {
$type = 'link';
push(@eventList, [$time,$counter,$type,$ev->{'profile'},$ev->{'sdmode'},
$ev->{'resource'},$ev->{'target'},$ev->{'prog'},$ev->{'pid'},$severity]);
} elsif ($ev->{'op'} eq 'attribute') {
$type = 'chattr';
push(@eventList, []);
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'resource'},$ev->{'mode'},$ev->{'prog'},$ev->{'pid'},$severity]);
} elsif ($ev->{'op'} eq 'capability') {
$type = 'capability';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'resource'},$ev->{'prog'},$ev->{'pid'},$severity]);
} elsif ($ev->{'op'} eq 'capable') {
$type = 'capable';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'prog'},$ev->{'profile'},$ev->{'pid'}]);
} elsif ($ev->{'op'} =~ /ontrol variable/ ) {
$type = 'ctrl_var';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'resource'},$ev->{'mode'},$severity]);
} elsif ($ev->{'op'} eq 'unknown_hat') {
$type = 'unknown_hat';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'resource'},$ev->{'pid'},$severity]);
} elsif ($ev->{'op'} eq 'fork') {
$type = 'fork';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'pid'},$ev->{'resource'}]);
} elsif ($ev->{'op'} eq 'changing_profile') {
$type = 'changing_profile';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'pid'}]);
} elsif ($ev->{'op'} eq 'profile_load') {
$type = 'profile_load';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'resource'},$ev->{'prog'},$ev->{'pid'}]);
} elsif ($ev->{'op'} eq 'profile_replace') {
$type = 'profile_replacement';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'prog'},$ev->{'pid'},$severity]);
} elsif ($ev->{'op'} eq 'removed') {
$type = 'removed';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$severity]);
} elsif ($ev->{'op'} eq 'initialized') {
$type = 'initialized';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'resource'},$severity]);
} elsif ( $ev->{'op'} =~ /socket/) {
$type = 'net';
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'net_family'},
$ev->{'net_sock_type'},$ev->{'net_proto'},$ev->{'pid'},$ev->{'profile'}]);
} else {
$type = 'path';
if ( ! $ev->{'prog'} ) { $ev->{'prog'} = "NIL"; }
push(@eventList, [$time,$counter,$type,$ev->{'op'},$ev->{'profile'},$ev->{'sdmode'},
$ev->{'mode'},$ev->{'resource'},$ev->{'prog'},$ev->{'pid'},$severity]);
}
#type=APPARMOR_ALLOWED msg=audit(1187300010.953:1833): operation="file_mprotect" requested_mask="r" denied_mask="r" name="/lib/libc-2.6.so" pid=10273 profile="null-complain-profile"
#type=APPARMOR_ALLOWED msg=audit(1187300010.953:1834): operation="socket_create" family="inet" sock_type="raw" protocol=1 pid=10273 profile="null-complain-profile"
push(@commit_buffer, @eventList);
$inserts++;
} }
sub dump_events { sub dump_events {
@ -818,17 +657,28 @@ sub check_timers ($) {
for my $event (sort { $a->[0] cmp $b->[0] } @commit_buffer) { for my $event (sort { $a->[0] cmp $b->[0] } @commit_buffer) {
my @event = @{$event}; my @event = @{$event};
my $type = shift @event;
if ($type ne $last_prepare) { #my $type = shift @event;
$sth = $dbh->prepare("INSERT INTO events $templates{$type};"); my $type = $event[2];
$last_prepare = $type;
}
$sth->execute(@event); eval {
if ($type ne $last_prepare) {
$sth = $dbh->prepare("INSERT INTO events $templates{$type}");
$last_prepare = $type;
}
$sth->execute(@event);
};
if ($@) {
print ERRLOG "DBI Execution failed: $DBI::errstr\n";
}
#$sth->execute(@event);
} }
$dbh->commit || errlog "Error commiting changes: $!"; $dbh->commit || errlog "Error commiting changes: $!";
errlog "Just commited";
# need to get the time again to include how much time it takes to # need to get the time again to include how much time it takes to
# actually write all this crap to the db # actually write all this crap to the db