Package: logwatch
Version: 7.4.1-2
Severity: normal
Tags: patch

Dear Maintainer,
I am getting a number of unmatched entries in logwatch related to apparmor. Specifically, there are entries where apparmor is allowing access (apparmor="ALLOWED") and there is no "parent=..." in the log entry. The existing relevant regexp in scripts/services/audit matches only when the line contains 'parent="\d+" ' before 'profile=...'. I have a number of entries every day where there is no parent= in the log entry. It looks like they all come from the dovecot package (the imap process, managesieve process, dovecot-lda, etc.). Making the 'parent=...' part of the line optional, as in the attached patch, clears it up for me. The fix for bug #710146 resolved a similar issue, but did not catch all of the related unmatched entries identified in this bug report.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages logwatch depends on:
ii  perl                            5.20.1-4
ii  postfix [mail-transport-agent]  2.11.3-1

Versions of packages logwatch recommends:
ii  libdate-manip-perl  6.47-1
ii  libsys-cpu-perl     0.61-1+b1

Versions of packages logwatch suggests:
pn  fortune-mod  <none>

-- no debconf information
--- /usr/share/logwatch/scripts/services/audit.old 2014-11-03 14:03:18.000000000 -0500 +++ /usr/share/logwatch/scripts/services/audit 2015-01-11 09:44:33.210362455 -0500 @@ -168,7 +168,7 @@ # type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33 # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0 $denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++; - } elsif ( $ThisLine =~ /apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?(error=[+-]?\d+ )?parent=\d+ profile="([^"]+)" (name="([^"]+)" )?pid=\d+ comm="([^"]+)"/ ) { + } elsif ( $ThisLine =~ /apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?(error=[+-]?\d+ )?(parent=\d+ )?profile="([^"]+)" (name="([^"]+)" )?pid=\d+ comm="([^"]+)"/ ) { # type=1400 audit(1369519203.141:259049): apparmor="ALLOWED" operation="exec" parent=3733 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/usr/lib/dovecot/pop3-login" pid=24634 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1c//null-1d//null-d12" # type=1400 audit(1369627891.522:447576): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" pid=3733 comm="dovecot" capability=5 capname="kill" # type=1400 audit(1369823965.682:824587): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/var/lib/dovecot/.temp.3733.d786c1fcaaa73248" pid=3733 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
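Review bot: the new `(parent=\d+ )?` group on the `+` line is a capturing group, so it renumbers every later capture in the ALLOWED pattern: profile moves from $5 to $6, the name block from $6/$7 to $7/$8, and comm from $8 to $9. The branch body that consumes those captures lies outside the hunk's context and is not touched by this patch, so any `$5`/`$7`/`$8` it reads would now pick up the parent pid or a neighbouring field (the DENIED branch just above shows exactly that positional style in `$denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++;`). Either make the group non-capturing, `(?:parent=\d+ )?`, which keeps the existing numbering intact, or extend the patch to the body lines with the adjusted `$n` references. Also worth noting that the diff is taken against the installed copy under /usr/share/logwatch rather than the package source tree, so the maintainer will need to re-apply it to scripts/services/audit by hand.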
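As an added illustration (not part of this bug report and not logwatch's own code), the pre-patch and patched ALLOWED patterns are rendered below in Python, whose regex syntax is the same as Perl's for these expressions, and run over the three dovecot lines quoted in the patch plus one constructed line that has no parent= field, the shape the report describes. The patched pattern uses named groups so that making parent= optional cannot shift the positions of the profile, name and comm captures. The names ORIGINAL_RE, PATCHED_RE, parse_allowed and summarize are this example's own, and the (profile, operation, comm) tally key is an assumption rather than logwatch's output format.

```python
import re
from collections import Counter

# Pre-patch pattern from the ALLOWED branch of logwatch's scripts/services/audit:
# "parent=NNN " is mandatory, so an entry without it falls through as unmatched.
ORIGINAL_RE = re.compile(
    r'apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?'
    r'(error=[+-]?\d+ )?parent=\d+ profile="([^"]+)" '
    r'(name="([^"]+)" )?pid=\d+ comm="([^"]+)"'
)

# Patched pattern with parent= optional.  Named groups (example's own choice)
# keep profile/name/comm addressable regardless of which optional fields appear.
PATCHED_RE = re.compile(
    r'apparmor="ALLOWED" operation="(?P<operation>[^"]+)" '
    r'(?:info="(?P<info>[^"]+)" )?'
    r'(?:error=(?P<error>[+-]?\d+) )?'
    r'(?:parent=(?P<parent>\d+) )?'
    r'profile="(?P<profile>[^"]+)" '
    r'(?:name="(?P<name>[^"]+)" )?'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
)

# The first three lines are the dovecot samples quoted in the patch; the fourth
# is a constructed line with no parent= field, as described in the bug report.
SAMPLE_LINES = [
    'type=1400 audit(1369519203.141:259049): apparmor="ALLOWED" operation="exec" parent=3733 '
    'profile="/usr/sbin/dovecot//null-1c//null-1d" name="/usr/lib/dovecot/pop3-login" pid=24634 '
    'comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 '
    'target="/usr/sbin/dovecot//null-1c//null-1d//null-d12"',
    'type=1400 audit(1369627891.522:447576): apparmor="ALLOWED" operation="capable" parent=1 '
    'profile="/usr/sbin/dovecot//null-1c//null-1d" pid=3733 comm="dovecot" capability=5 capname="kill"',
    'type=1400 audit(1369823965.682:824587): apparmor="ALLOWED" operation="getattr" '
    'info="Failed name lookup - deleted entry" error=-2 parent=1 '
    'profile="/usr/sbin/dovecot//null-1c//null-1d" name="/var/lib/dovecot/.temp.3733.d786c1fcaaa73248" '
    'pid=3733 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: no parent= field
    'type=1400 audit(1420000000.000:1): apparmor="ALLOWED" operation="open" '
    'profile="/usr/lib/dovecot/imap" name="/var/mail/example/dovecot.index" pid=4242 comm="imap" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]


def matches_original(line):
    """True if the pre-patch logwatch regex would have classified this line."""
    return ORIGINAL_RE.search(line) is not None


def parse_allowed(line):
    """Return the named fields of an apparmor="ALLOWED" entry, or None if no match.

    Optional fields that are absent come back as None rather than shifting
    the other values, which is the point of using named groups.
    """
    m = PATCHED_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Tally ALLOWED entries by (profile, operation, comm) and collect the lines
    that still fall through as unmatched."""
    counts = Counter()
    unmatched = []
    for line in lines:
        fields = parse_allowed(line)
        if fields is None:
            unmatched.append(line)
            continue
        counts[(fields["profile"], fields["operation"], fields["comm"])] += 1
    return counts, unmatched


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("pre-patch match:", matches_original(line),
              " patched match:", parse_allowed(line) is not None)
    counts, unmatched = summarize(SAMPLE_LINES)
    for key, n in sorted(counts.items()):
        print(n, key)
    print("still unmatched:", len(unmatched))
```

Running it shows the constructed line rejected by the pre-patch pattern and accepted by the patched one, with parent reported as None instead of displacing the profile value.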