[Apparmor-dev] Re: I coded a logprof improvement
Dominic Reynolds
dominic at mercenarylinux.com
Thu Dec 13 10:15:10 MST 2007
Hi,
+++ John Johansen [12/12/07 22:14 -0800]:
> On Tue, Dec 11, 2007 at 05:06:15AM -0700, adnarim wrote:
> > Hi,
> > I want to show you logprofIM. It's a Ruby script I coded to improve
> > logprof a bit. logprof itself can read marks in the syslog with the
> > -m "MARK" switch. This feature (to read marks) is used afaik only with
> > genprof to profile a certain app.
> > I myself use logprof regularly to check for AppArmor complaints in the
> > log and possible access violations and to update a rule which I had set
> > up too strictly. What I found really annoying is that logprof always scans
> > the whole syslog/messages log for AppArmor messages and doesn't remember how
> > far it read the last time it was used. So it always asks the same questions
> > again and again every time you execute logprof until you delete the logfile.
> > But deleting it every time you execute logprof isn't a good way of handling
> > this imo and is not always wanted.
> >
> > So I coded a Ruby script which manages log marks for logprof. If you
> > start logprofIM it reads from a file (by default saved in
> > $HOME/.logprofIM/mind) which marks it has already set and gives you the
> > choice to choose between them or simply to use the newest or oldest
> > (or no) mark, and passes it to logprof.
> > After logprof has finished, logprofIM will set a new mark (if you want, it
> > asks you first) in the syslog and also saves it in .logprofIM/mind. So
> > the next time you start it you can advise logprof to parse the
> > syslog only from this point.
> >
> > To see all features execute: logprofIM -h
> >
> > Any feedback is really welcome :)
> >
> this is a nice extension of logprof. I haven't really spent time with
> the code yet but I will get to it soon. I have two questions, one
> to you and one to the community in general.
>
> What licence do you want to use for logprofIM?
>
> The question to the community is, should this functionality be included
> in logprof, or should we leave it in a separate executable? I am
> inclined to say that this is a natural extension to logprof and it
> would be best if it could be included directly into logprof.
>
This is a nice feature extension. It's Ruby, so it would either need to be
redone in Perl, or just be the frontend for logprof (in order to incorporate
the change).
A couple of items about the implementation:
1. It's syslog-specific. Ubuntu relies on syslog but openSUSE uses the audit
subsystem. It would be nice to support both. This would mean detecting that
the audit system is in use. In our current utils we check for the existence
of /var/log/audit/audit.log to decide whether we are using syslog vs audit.
2. When marking the log it looks like it just echoes to the messages file. I
think that you could use the logger util (system-specific path defined in
/etc/apparmor/logprof.conf) to mark the messages file. For audit-based
systems I'm not sure how to submit a mark. Maybe it suffices to save the last
audit index msg (like 1197059961.827:5) in the prefs file. There
is a function in /usr/sbin/genprof that pulls the last index in the audit log
(last_audit_entry_time).
Thanks for submitting this improvement!
-dom
> _______________________________________________
> Apparmor-dev mailing list
> Apparmor-dev at forge.novell.com
> http://forge.novell.com/mailman/listinfo/apparmor-dev