[Apparmor-dev] aa-parselog: simple script that parses log messages and print apparmor messages.
Steve Beattie
sbeattie at suse.de
Fri Jun 15 02:40:10 MDT 2007
Hey Mathias,
My apologies, I meant to look at this before, but had my laptop's
hard drive and its replacement fail.
On Tue, Jun 05, 2007 at 11:59:22AM -0400, Mathias Gug wrote:
> I've attached a small script that I use to parse /var/log/messages and
> print relevant apparmor messages grouped by profiles and running
> processes.
>
> A sample output is :
>
> /usr/sbin/named:
>   14203:
>     PERMITTING r access to /etc/bind/named.conf
>       (named(14203) profile /usr/sbin/named active /usr/sbin/named)
>     PERMITTING r access to /etc/bind/named.conf.options
>       (named(14203) profile /usr/sbin/named active /usr/sbin/named)
>   13383:
>     PERMITTING w access to /var/run/bind/run/named.pid
>       (named(13383) profile /usr/sbin/named active /usr/sbin/named)
> /sbin/klogd:
>   4885:
>     PERMITTING w access to /var/run/klogd/klogd.pid
>       (klogd(4885) profile /sbin/klogd active /sbin/klogd)
>     PERMITTING r access to /var/run/klogd/kmsg
>       (klogd(4885) profile /sbin/klogd active /sbin/klogd)
>   4844:
>     PERMITTING w access to /var/run/klogd/klogd.pid
>       (klogd(4844) profile /sbin/klogd active /sbin/klogd)
>     PERMITTING r access to /var/run/klogd/kmsg
>       (klogd(4844) profile /sbin/klogd active /sbin/klogd)
>
> It can list log messages relevant for running processes (default) or all
> processes. It has other options :
>
> $ ./aa-parselog -h
> Usage: ./aa-parselog [OPTIONS]
> Parse log file for apparmor messages.
> OPTIONS :
>   --all            print all messages, even for non-running processes
>   --file=filename  log file to process. DEFAULT=/var/log/messages
>   --help           this message
>   --profile=name   restrict processing to the profile. DEFAULT: process all profiles.
>
> Let me know what you think about it and how it could be improved.
Looks good. I admit that I was thrown off a little bit while testing by
--all not being the default behavior. It might be nice to support
examining multiple files; the linux audit daemon sadly can be somewhat
brittle and will shut itself down for various reasons, so even in an
environment where the audit infrastructure is used, apparmor events can
show up in /var/log/messages.
It also might be nice to coalesce duplicate messages, perhaps with
a count of how many times that action occurred. I really liked the
logwatch behavior of collating firewall log events by remote host ip
so that you could easily see where attacks were coming from, and have
wanted something vaguely similar for apparmor rejections for a while.
Even longer term, it would be nice to do event correlation to give an
admin a better understanding of what exactly happened and perhaps why;
for a simple example, correlating a rejection from apache with a specific
request logged in apache's access and error logs, as well as firewall
log events (if any) from the same client address.
> It may be integrated into apparmor_status.
Hmm. I'm not sure it's the right fit for that, although it might be useful
for apparmor_status to report counts of rejection and permission messages,
possibly on a per-profile basis.
> It may also use the log parser library in the future.
Yes, that would be nice. I think Matt's made good progress on that, and
may have something to review soon, but he'd have to speak to that.
I have no objection to adding aa-parselog to the utils package.
Thanks.
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie at suse.de>
http://NxNW.org/~steve/
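The grouping Mathias describes, plus the duplicate coalescing with counts and the per-profile rejection totals Steve asks for, as an added example written for this archive page; it is not aa-parselog itself and not AppArmor project code. The message body (from PERMITTING/REJECTING onwards) follows the shape visible in the sample output above; the syslog prefix and the `audit(...)` tag on each constructed sample line are assumed, and the "running process" filter is modelled as a caller-supplied set of pids rather than a /proc lookup, since the mail does not say how the script decides that.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not taken from a real system).  The part from
# PERMITTING/REJECTING onwards matches the message shape shown in the mail; the
# "host kernel: audit(...)" prefix is an assumption about the syslog framing.
SAMPLE_LOG = """\
Jun  5 11:42:01 host kernel: audit(1181058121.100:41): PERMITTING r access to /etc/bind/named.conf (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 11:42:01 host kernel: audit(1181058121.101:42): PERMITTING r access to /etc/bind/named.conf.options (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 11:42:02 host kernel: audit(1181058122.200:43): REJECTING w access to /etc/bind/named.conf (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 11:42:02 host kernel: audit(1181058122.201:44): REJECTING w access to /etc/bind/named.conf (named(14203) profile /usr/sbin/named active /usr/sbin/named)
Jun  5 11:42:03 host kernel: audit(1181058123.300:45): PERMITTING w access to /var/run/klogd/klogd.pid (klogd(4885) profile /sbin/klogd active /sbin/klogd)
Jun  5 11:42:03 host kernel: audit(1181058123.301:46): PERMITTING r access to /var/run/klogd/kmsg (klogd(4885) profile /sbin/klogd active /sbin/klogd)
Jun  5 11:42:04 host kernel: some unrelated kernel line that must be ignored
"""

# One AppArmor file-access event: action, access mode, path, then the
# "(comm(pid) profile X active Y)" trailer shown in the mail.
EVENT_RE = re.compile(
    r"(?P<action>PERMITTING|REJECTING) (?P<mode>\S+) access to (?P<path>\S+) "
    r"\((?P<comm>[^(]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)


def parse_events(text):
    """Return a list of event dicts for every recognisable AppArmor line.

    Lines that carry no PERMITTING/REJECTING message are skipped, so the
    parser can be fed a whole /var/log/messages (or several concatenated
    files, as Steve suggests) without pre-filtering."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events


def coalesce(events, running_pids=None, profile=None):
    """Group events by profile, then pid, counting identical messages.

    running_pids: set of pids to keep; None keeps every pid (like --all).
    profile:      restrict output to one profile; None keeps all profiles."""
    report = defaultdict(lambda: defaultdict(Counter))
    for ev in events:
        if profile is not None and ev["profile"] != profile:
            continue
        if running_pids is not None and ev["pid"] not in running_pids:
            continue
        key = (ev["action"], ev["mode"], ev["path"])
        report[ev["profile"]][ev["pid"]][key] += 1
    return report


def rejection_counts(events):
    """Per-profile number of REJECTING events: the kind of summary Steve
    suggests apparmor_status could report."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "REJECTING":
            counts[ev["profile"]] += 1
    return counts


def format_report(report):
    """Render the grouped report in the profile / pid / message layout of the
    sample output, with a (xN) count for coalesced duplicates."""
    lines = []
    for prof in sorted(report):
        lines.append(f"{prof}:")
        for pid in sorted(report[prof]):
            lines.append(f"  {pid}:")
            for (action, mode, path), n in sorted(report[prof][pid].items()):
                lines.append(f"    {action} {mode} access to {path} (x{n})")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(format_report(coalesce(evs)))
    print("rejections per profile:", dict(rejection_counts(evs)))
```

To process a real file, replace `SAMPLE_LOG` with the contents of the log (or several logs joined together) and pass the set of pids that currently exist to `coalesce` to get the "running processes only" view the script defaults to.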