[Apparmor-dev] Re: I coded a logprof improvement
adnarim
adnarim at pochta.ru
Thu Dec 13 11:29:01 MST 2007
On Thu, 13 Dec 2007 10:15:10 -0700
Dominic Reynolds <dominic at mercenarylinux.com> wrote:
> This is a nice feature extension. It's Ruby, so it would either need to be redone
> in Perl - or just be the frontend for logprof (in order to incorporate the
> change).
Ruby rocks ;)
> 1. It's syslog-specific. Ubuntu relies on syslog but openSUSE uses the audit
> subsystem. It would be nice to support both. This would mean detecting that
> the audit system is in use. In our current utils we check for the existence
> of /var/log/audit/audit.log to decide whether we are using syslog vs audit.
Yes, you are right. I'll fix this tomorrow by parsing /etc/apparmor/logprof.conf for the logfiles entry. I think this should be reliable.
My line contains /var/log/audit/audit.log /var/log/messages /var/log/syslog, so I'm gonna check them in a row for existence and use the first one I find.
> 2. When marking the log it looks like it just echoes to the messages file. I
> think that you could use the logger util (system specific path defined in
> /etc/apparmor/logprof.conf) to mark the messages file.
First I tried to implement it with logger but if I use logger it forces me to have this overhead:
Dec 13 19:21:01 localhost username: My_Created_Logmessage
I don't think that's needed, but someone told me that syslogd could be blocking the messages log while I'm trying to echo or tee into it, so I will think about this again and come up with a better solution.
> For audit-based systems I'm not sure how to submit a mark. Maybe it suffices to save the last
> audit index msg (like 1197059961.827:5) in the prefs file. There
> is a function in /usr/sbin/genprof that pulls the last index in the audit log
> (last_audit_entry_time).
If the above fixes are done, I'll try to switch my system to audit-based and look for it.
greets
--
adnarim <adnarim at pochta.ru>
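The two pieces discussed above (choosing the log file from the logprof.conf logfiles entry, and remembering the last audit event id instead of echoing a marker on audit-based systems) as an added Ruby example. This is not adnarim's script or AppArmor's own code; it assumes logprof.conf carries a plain `logfiles = /path/a /path/b` key and that audit lines carry a `msg=audit(SECONDS.MILLIS:SERIAL)` field. The config text and log lines below are constructed samples.

```ruby
# Added example: log-source selection and audit-mark handling for a
# logprof-style tool. Assumptions: logprof.conf has a "logfiles = a b c"
# key; audit log lines contain "msg=audit(1197059961.827:5)". Not AppArmor code.

# Constructed sample config, modelled on /etc/apparmor/logprof.conf (assumed format).
SAMPLE_CONF = <<~CONF
  # constructed sample
  [settings]
  logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog
CONF

# Constructed audit lines; only the msg=audit(...) field matters here.
SAMPLE_AUDIT = <<~LOG
  type=APPARMOR msg=audit(1197059961.827:5): REJECTING r access to /etc/shadow (cat(4242) profile /usr/bin/cat active /usr/bin/cat)
  type=APPARMOR msg=audit(1197059961.827:6): REJECTING w access to /tmp/x (cat(4242) profile /usr/bin/cat active /usr/bin/cat)
  type=APPARMOR msg=audit(1197059970.001:7): REJECTING x access to /bin/sh (cat(4242) profile /usr/bin/cat active /usr/bin/cat)
LOG

# Return the whitespace-separated paths of the "logfiles" key, in the order
# written, ignoring comments and other keys. Empty array if the key is absent.
def logfile_candidates(conf_text)
  conf_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    m = line.match(/\Alogfiles\s*=\s*(.+)\z/i)
    return m[1].split if m
  end
  []
end

# First candidate that exists wins. Listing audit.log first means an
# audit-based system is detected by the same rule the existing utils use
# (presence of /var/log/audit/audit.log). `exists` is injectable so the
# selection can be exercised without touching the real filesystem.
def pick_logfile(candidates, exists = ->(p) { File.file?(p) })
  candidates.find { |p| exists.call(p) }
end

# "seconds.millis:serial" as found inside msg=audit(...).
AUDIT_ID = /audit\((\d+\.\d+):(\d+)\)/

# Sortable key for an audit id: [time as Float, serial as Integer].
def audit_id_key(id)
  t, s = id.split(':')
  [Float(t), Integer(s, 10)]
end

# On audit-based systems there is no marker line to write; instead record the
# id of the last event seen (what genprof's last_audit_entry_time does in spirit).
def last_audit_entry_id(log_text)
  last = nil
  log_text.each_line do |line|
    m = AUDIT_ID.match(line)
    last = "#{m[1]}:#{m[2]}" if m
  end
  last
end

# Events strictly newer than the saved mark, i.e. what the next logprof run
# should process. Comparison is numeric on (time, serial), not string-based.
def audit_events_after(log_text, mark)
  key = audit_id_key(mark)
  log_text.each_line.select do |line|
    m = AUDIT_ID.match(line)
    m && (audit_id_key("#{m[1]}:#{m[2]}") <=> key) > 0
  end
end

if $PROGRAM_NAME == __FILE__
  cands = logfile_candidates(SAMPLE_CONF)
  # Pretend only /var/log/messages exists (a syslog-only box).
  puts "log source: #{pick_logfile(cands, ->(p) { p == '/var/log/messages' })}"
  mark = last_audit_entry_id(SAMPLE_AUDIT)
  puts "save as mark: #{mark}"
  puts "new since 1197059961.827:5: #{audit_events_after(SAMPLE_AUDIT, '1197059961.827:5').size} events"
end
```

Comparing the audit id numerically matters: a string comparison would order "1197059961.827:10" before "1197059961.827:9", so events within the same second could be skipped after a restart.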