[PATCH] auparse: apparmor fields
by Marcelo Cerri
Hi,
I'm taking a look at the AVC records generated by apparmor and some fields in
these records, such as "apparmor" and "operation", are quoted and are not listed
in the auparse/typetab.h file.
Searching in the kernel source, I've found the piece of code that generates the
AVC records and I noticed that it uses the function audit_log_string, which
just add quotes to the string, instead of audit_log_untrustedstring, which seems
to be targeted to escaped fields.
I'd like to know if these fields should be treated the same way as escaped
fields by libauparse or maybe it should be changed in the kernel.
If libauparse really needs to be changed, please consider this patch that
includes the fields "apparmor" and "operation" in the file auparse/typetab.h as
escaped fields.
Regards,
Marcelo
---
auparse/typetab.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/auparse/typetab.h b/auparse/typetab.h
index 7838c17..0a81e25 100644
--- a/auparse/typetab.h
+++ b/auparse/typetab.h
@@ -86,3 +86,5 @@ _S(AUPARSE_TYPE_NFPROTO, "family" )
_S(AUPARSE_TYPE_ICMPTYPE, "icmptype" )
_S(AUPARSE_TYPE_PROTOCOL, "proto" )
_S(AUPARSE_TYPE_ADDR, "addr" )
+_S(AUPARSE_TYPE_ESCAPED, "apparmor" )
+_S(AUPARSE_TYPE_ESCAPED, "operation" )
--
1.7.1
12 years, 8 months
audit-2.2 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Correct all rules for clock_settime
- Fix possible segfault in auparse library
- Handle malformed socket addresses better
- Improve performance in audit_log_user_message()
- Improve performance in writing to the log file in auditd
- Syscall update for accept4 and recvmmsg
- Update autrace resource usage mode syscall list
- Improved sample rules for recent syscalls
- Add some debug info to audidp-remote startup and shutdown
- Make compiling with Python optional
- In auditd, if disk_error_action is ignore, don't syslog anything
- Fix some memory leaks
- If audispd is stopping, don't restart children
- Add support in auditctl for shell escaped filenames (Alexander)
- Add search support for virt events (Marcelo Cerri)
- Update interpretation tables
- Sync auparse's auditd config parser with auditd's parser
- In ausearch, also use cwd fields in file name searchs
- In ausearch, parse cwd in USER_CMD events
- In ausearch, correct parsing of uid in user space events
- In ausearch, update parsing of integrity events
- Apply some text cleanups from Debian (Russell Coker)
- In auditd, relax some permission checks for external apps
- Add ROLE_MODIFY event type
- In auditctl, new -c option to continue through bad rules but with failed exit
- Add auvirt program to do special reporting on virt events (Marcelo Cerri)
- Add interfield comparison support to auditctl (Peter Moody)
- Update auparse type intepretation for apparmor (Marcelo Cerri)
- Increase tcp_max_per_addr maximum to 1024.
This is a huge bugfix release. It has 2 new features worth calling attention to.
The first is a new program, auvirt which produces a report about guest operating
systems.
The second is the addition of the -C directive for auditctl. This requires a
kernel upgrade in order to use it. Its purpose is to be able to trigger on
events that would otherwise take a mountain of events to find just the one
occurance. For example, if you want to see if an admin is accessing files in
user's home dirs, then you can write a rule like:
-a always,exit -F dir=/home -C auid!=obj_uid -F key=admin-abuse
Please let me know if you run across any problems with this release.
-Steve
12 years, 8 months