Package: logwatch Version: 7.4.0+svn20111018rev68-1 Severity: normal Tags: patch
This adds AppArmor log processing to the audit service. -Kees -- Kees Cook @debian.org
Description: add AppArmor log processing to audit service.
Author: Kees Cook <k...@ubuntu.com>
Index: logwatch-7.4.0+svn20110808rev66/conf/services/audit.conf
===================================================================
--- logwatch-7.4.0+svn20110808rev66.orig/conf/services/audit.conf 2011-11-18 09:46:53.120882455 -0800
+++ logwatch-7.4.0+svn20110808rev66/conf/services/audit.conf 2011-11-18 09:49:05.670680823 -0800
@@ -12,16 +12,16 @@
 # Yes = True = On = 1
 # No = False = Off = 0
-Title = "Selinux Audit"
+Title = "Kernel Audit"
 # Which logfile group...
-LogFile = messages
+LogFile = kernel
 # Only give lines related to the audit service
 # Note that audit lines may have something like audit(1114839915.618:0)
 # as the service name
 # (Some implementations might not precede it with "kernel:")
-*OnlyService = (kernel:)?\s*(\[\s*\d+\.\d+\]\s*)?(type=[0-9]+\s*)?audit.*
+*OnlyService = (kernel:( \[[ 0-9\.]+\])?)?\s*(type=[0-9]+\s*)?audit.*
 *RemoveHeaders
 ########################################################
Index: logwatch-7.4.0+svn20110808rev66/scripts/services/audit
===================================================================
--- logwatch-7.4.0+svn20110808rev66.orig/scripts/services/audit 2011-11-18 09:46:58.416954302 -0800
+++ logwatch-7.4.0+svn20110808rev66/scripts/services/audit 2011-11-18 09:56:34.596773845 -0800
@@ -78,7 +78,7 @@
 use strict;
 use Logwatch ':all';
-my (%denials, %grants);
+my (%denials, %grants, %loads);
 my @OtherList;
 my $othercount = 0;
 my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0);
@@ -92,7 +92,7 @@
 my $NumberOfLostMessages = 0;
 my %InvalidContext = ();
 my %BugLog = ();
-my $UELimit = 10;
+my $UELimit = 100;
 my $ThisLine;
 my %Warning = ();
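Review bot: The new `*OnlyService` pattern only accepts the `[ 12.345678]` kernel timestamp when it is nested inside the `kernel:` group, whereas the old pattern accepted the timestamp with or without that prefix; the comment kept just above still says some implementations omit `kernel:`, so a line of the form `[ 12.345678] type=1400 audit(...)` would now fall outside the service and never reach the report. If the move to the `kernel` logfile group guarantees the prefix, that comment should say so; otherwise keep the timestamp group independent, e.g. `*OnlyService = (kernel:)?\s*(\[[ 0-9\.]+\]\s*)?(type=[0-9]+\s*)?audit.*`. A one-line comment naming the syslog line format the pattern is written against would stop the next edit from silently dropping audit records the same way.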
@@ -147,6 +147,23 @@
 } elsif (( $ThisLine =~ /Audit daemon is low on disk space for logging/) or ( $ThisLine =~ /Audit daemon is suspending logging due to low disk space./)) {
 $Warning{$ThisLine}++;
+
+ } elsif ( $ThisLine =~ /audit\([0-9]+\.[0-9]+:[0-9]+\): apparmor=/) {
+ # AppArmor
+ if ( $ThisLine =~ /apparmor="STATUS" operation="profile_(load|replace)" name="([^"]+)"/ ) {
+ # type=1400 audit(1314853473.168:33616): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=26566 comm="apparmor_parser"
+ $loads{$2}++;
+ } elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" parent=\d+ profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) {
+ # type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
+ # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
+ $denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++;
+ } else {
+ $othercount++;
+ $ThisLine =~ s/^\s*//;
+ if ($othercount < $UELimit+1) {
+ push @OtherList, $ThisLine;
+ }
+ }
 } elsif ( $Detail > 9 ) {
 if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
 $denials{$2.' '.$3.' ('.$1.$4 . ')'}++;
@@ -225,6 +242,12 @@
 }
 }
+if ( keys %loads ) {
+ print "\n\n*** Loads ***\n";
+ foreach my $key (sort keys %loads) {
+ print " $key: ". $loads{$key} . " times\n";
+ }
+}
 if ($Detail and $NumberOfDStarts+$NumberOfDStartsPid) {
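Review bot: The `apparmor="DENIED"` branch only counts denials whose record carries `parent=`, `profile=`, `name=`, `pid=` and `comm=` in exactly that order, so a DENIED line with a different field set or order — presumably the capability, signal or network denials that have no `name=` — drops into the generic `else`, where it is kept only while `$othercount` is below `$UELimit` and afterwards discarded without even being counted; a denial is the event this section exists to surface and should never be truncated that way. Match the fields independently and make `name=` optional, e.g. `} elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" .*?profile="([^"]+)"(?: name="([^"]+)")?.*? comm="([^"]+)"/ ) {` with `$denials{$1.' '.(defined $3 ? $3 : '-').' ('.$2.' via '.$4 . ')'}++;`. `apparmor="ALLOWED"` records from complain-mode profiles go to the same capped list, which deserves at least a comment, since those are exactly what an administrator trialling a new profile wants tallied. The enclosing `if`/`elsif` chain starts before the hunk.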
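Review bot: The new `*** Loads ***` section is printed whenever `%loads` is non-empty, regardless of `$Detail`, while the neighbouring section on the very next line is gated with `if ($Detail and ...)`; since every `apparmor_parser` run presumably produces these STATUS records, the default-detail report will carry a reload list every time a profile is touched. Consider `if ( $Detail and keys %loads ) {`, and give the heading a name that places it in a report now titled Kernel Audit and shared with SELinux, e.g. `print "\n\n*** AppArmor profile loads ***\n";`.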