[Apparmor-dev] aa-parselog: simple script that parses log messages and print apparmor messages.

Mathias Gug mathiaz at ubuntu.com
Tue Jun 5 09:59:22 MDT 2007


Hi,

I've attached a small script that I use to parse /var/log/messages and
print relevant apparmor messages grouped by profiles and running
processes.

A sample output is:

/usr/sbin/named:
    14203:
        PERMITTING r access to /etc/bind/named.conf
        (named(14203) profile /usr/sbin/named active /usr/sbin/named)
        PERMITTING r access to /etc/bind/named.conf.options
        (named(14203) profile /usr/sbin/named active /usr/sbin/named)
    13383:
        PERMITTING w access to /var/run/bind/run/named.pid
        (named(13383) profile /usr/sbin/named active /usr/sbin/named)
/sbin/klogd:
    4885:
        PERMITTING w access to /var/run/klogd/klogd.pid
        (klogd(4885) profile /sbin/klogd active /sbin/klogd)
        PERMITTING r access to /var/run/klogd/kmsg
        (klogd(4885) profile /sbin/klogd active /sbin/klogd)
    4844:
        PERMITTING w access to /var/run/klogd/klogd.pid
        (klogd(4844) profile /sbin/klogd active /sbin/klogd)
        PERMITTING r access to /var/run/klogd/kmsg
        (klogd(4844) profile /sbin/klogd active /sbin/klogd)


It can list log messages relevant for running processes (default) or all
processes. It has other options:

$ ./aa-parselog -h
Usage: ./aa-parselog [OPTIONS]
Parse log file for apparmor messages.
OPTIONS :
  --all              print all messages, even for non-running processes
  --file=filename    log file to process. DEFAULT=/var/log/messages
  --help    this message
  --profile=name     restrict processing to the profile. DEFAULT:process all profiles.

Let me know what you think about it and how it could be improved.
It may be integrated into apparmor_status. It may also use the log
parser library in the future.

--
Mathias
-------------- next part --------------
#!/usr/bin/perl -w
#
# aa-parselog: print AppArmor audit messages found in a syslog file,
# grouped by profile and by the pid of the confined process.

use strict;
use Getopt::Long;

my $log_file_dfl = '/var/log/messages';

my $report_all    = 0;              # --all: keep messages of processes that have exited
my $log_file      = $log_file_dfl;  # --file
my $profile_regex = '';             # --profile: regex matched against the profile name
my $help          = 0;

sub usage {
  print "Usage: $0 [OPTIONS]\n";
  print "Parse log file for apparmor messages.\n";
  print "OPTIONS :\n";
  print "  --all              print all messages, even for non-running processes\n";
  print "  --file=filename    log file to process. DEFAULT=$log_file_dfl\n";
  print "  --profile=name     restrict processing to the profile. DEFAULT: process all profiles.\n";
  print "  --help             this message\n";
  exit;
}

GetOptions(
  'all'       => \$report_all,
  'file=s'    => \$log_file,
  'profile=s' => \$profile_regex,
  'help|h'    => \$help,
) or usage();

usage() if $help;

open(LOG, '<', $log_file) or die "Cannot open $log_file: $!\n";

# $status{$profile}{$pid} holds the list of audit messages for that process
my %status = ();

while (<LOG>) {
	# keep kernel audit lines only, dropping the "audit(time:serial): " prefix
	next unless (/audit\([\d\.:]+\):\s(.+)$/);
	my $msg = $1;
	# e.g. "PERMITTING r access to /etc/bind/named.conf (named(14203) profile /usr/sbin/named active /usr/sbin/named)"
	if ($msg =~ /.*\([^\(]+\((\d+)\).+profile\s(.+)\sactive\s.+\)/) {
		my $pid = $1;
		my $profile = $2;
		# honour --profile, and skip processes that no longer exist unless --all was given
		if ( ( $profile_regex ne '' ? $profile =~ /$profile_regex/ : 1 )
		     and ( $report_all or -e "/proc/$pid" ) ) {
			push(@{ $status{$profile}{$pid} }, $msg);
		}
	}
}

close(LOG);

while ( my ($profile, $processes) = each(%status) ) {
	print "$profile:\n";
	while ( my ($pid, $msgs) = each(%{ $processes }) ) {
		print "    $pid:\n";
		foreach my $msg (@{ $msgs }) {
			print "        $msg\n";
		}
	}
}

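As an added example (not the author's script and not AppArmor project code), the same grouping in Python over constructed sample lines in the format the attached script matches, extended to separate PERMITTING (complain-mode) from REJECTING (enforce-mode) messages and to take the set of live pids as a parameter instead of probing /proc; the line layout and field names are assumed from the sample output above.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the audit format the attached script matches
# (a REJECTING line is included to show an enforce-mode denial); not real log data.
SAMPLE_LOG = """\
Jun  5 09:58:01 host kernel: audit(1181052000.123:41): PERMITTING r access to /etc/bind/named.conf (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 09:58:01 host kernel: audit(1181052000.124:42): PERMITTING r access to /etc/bind/named.conf.options (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 09:58:02 host kernel: audit(1181052000.201:43): REJECTING w access to /etc/bind/named.conf (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 09:58:03 host kernel: audit(1181052000.300:44): PERMITTING w access to /var/run/klogd/klogd.pid (klogd(4885) profile /sbin/klogd active /sbin/klogd)
Jun  5 09:58:04 host sshd[1]: Accepted publickey for user from 10.0.0.1 port 2222
"""

# Same two-stage match as the Perl script: the audit(...) prefix, then the message body.
AUDIT_RE = re.compile(r"audit\([\d.:]+\):\s(?P<msg>.+)$")
MSG_RE = re.compile(
    r"^(?P<verdict>PERMITTING|REJECTING)\s(?P<mode>\S+)\saccess\sto\s(?P<path>\S+)\s"
    r"\((?P<comm>[^(]+)\((?P<pid>\d+)\)\sprofile\s(?P<profile>\S+)\sactive\s(?P<active>\S+)\)$"
)

def parse_line(line):
    """Return the fields of one AppArmor audit line, or None for any other line."""
    m = AUDIT_RE.search(line)
    m2 = MSG_RE.match(m.group("msg")) if m else None
    if not m2:
        return None
    fields = m2.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields

def group_events(text, profile_regex=None, live_pids=None):
    """Group events as {profile: {pid: [event, ...]}}.  profile_regex mirrors --profile;
    live_pids (a set) stands in for the script's /proc/<pid> existence test so this runs
    offline, and None means keep every pid, like --all."""
    groups = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or (profile_regex and not re.search(profile_regex, ev["profile"])):
            continue
        if live_pids is not None and ev["pid"] not in live_pids:
            continue
        groups[ev["profile"]][ev["pid"]].append(ev)
    return groups

def rejected_paths(groups):
    """Per profile, sorted paths denied in enforce mode (REJECTING): what a defender reviews first."""
    return {profile: sorted({ev["path"] for events in by_pid.values() for ev in events
                             if ev["verdict"] == "REJECTING"})
            for profile, by_pid in groups.items()}
```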
