[apparmor] Problem with audit rule modifier

azurIt azurit at pobox.sk
Sun Jun 30 09:56:57 UTC 2013


>>>>>> Hi,
>>>>>>
>>>>>> I'm having problems with the audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this:
>>>>>> audit /home/** a,
>>>>>> audit /home/** w,
>>>>> By only logging you mean logging of an access but not granting permission?
>>>>
>>>>
>>>> I mean logging of an access AND granting permission.
>>>>
>>> ok, I just wanted to be sure as we have had misunderstandings before around audit, with people expecting it to only change the auditing behavior and not grant permissions.
>>>
>>> i.e. audit /** w,
>>>
>>> as a rule to catch any writes regardless of what other rules are. It would be a nice ability to have but the language doesn't allow specifying only the audit behavior like this atm.
>>>
>>>>
>>>>>
>>>>>>
>>>>>> It should work according to documentation ( http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but it's doing nothing. I was able to enable logging only with this running in complain mode:
>>>>>> audit deny /home/**/*.php a,
>>>>>> audit deny /home/**/*.php w,
>>>>>>
>>>>> these two rules were necessary to get logging in complain mode?
>>>>
>>>>
>>>> Well, I just read in the docs that 'w' also implies 'a', so only the second line is necessary. But yes, I had to use 'audit deny' for logging to work (and, as I want to NOT deny the action, I had to use complain mode).
>>>>
>>> Okay
>>>
>>>>
>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>
>>>>> It is not known.
>>>>>
>>>>> Can you send us the full profile you are using?
>>>>
>>>>
>>>> Here is the complete profile (I already removed that 'a' line and tested it):
>>>>
>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>         network,
>>>>         capability,
>>>>         file,
>>>>         audit deny /home/**/*.php w,
>>>> }
>>>>
>>>>
>>>> As I said, I'm running this in complain mode because I don't want to deny the action on the last line. I want to use AppArmor only for logging access to files via PHP (I will be processing that log later).
>>>>
>>> Can you please provide the following information to help us diagnose the problem.
>>>
>>> Kernel version: use the command     uname -a
>>> Parser version: use the command     apparmor_parser -v
>>> State dump from the compiler:  use the command
>>>  apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>
>>> Compiled output of your profile: use either of the following commands
>>>  apparmor_parser -S profile_file  > output_file
>>>  apparmor_parser -o output_file profile_file
>>>
>>> * the -o version may not work on older parsers.
>>> * profile_name is the file name where your profile is stored
>>> * states_file and out_file are just files that the output will be dumped in, so that you can attach them
>> 
>> Kernel version: 3.2.47
>> Parser version: 2.7.103 (it was the -V switch)
>oops sorry
>
>> Client software are packages from Debian Wheezy running on Debian Squeeze. I'm using my own kernel patched with grsecurity.
>> 
>Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?



It's vanilla kernel downloaded directly from kernel.org + grsecurity from grsecurity.org.




>> Attaching 3 files from those 3 commands. The last two commands printed this warning (probably ok):
>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode
>> 
>yes that is fine, but thanks for the heads up
>
>> To avoid misunderstanding: I'm currently using this profile (in complain mode):
>> 
>> /usr/lib/apache2/mpm-itk/apache2 {
>>        network,
>>        capability,
>>        file,
>>        audit deny /home/**/*.php w,
>> }
>> 
>> 
>> 
>> But I WANT to use this profile (not in complain mode):
>> /usr/lib/apache2/mpm-itk/apache2 {
>>        network,
>>        capability,
>>        file,
>>        audit /home/**/*.php w,
>> }
>> 
>> Logging is working only in the first one, so I'm forced to use it instead of the second one. Hope I'm clear enough. Thank you.
>> 
>Okay, the output of the compiler for the first one looks good, I still need to look at the kernel side (waiting for confirmation on the patchset there).
>
>Can you attach the same set of compiler output for the second profile (without the deny) so I can check it as well.


Attaching.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: states_file
Type: application/octet-stream
Size: 2051 bytes
Desc: states_file
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130630/37877a6e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: output_file1
Type: application/octet-stream
Size: 1977 bytes
Desc: output_file1
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130630/37877a6e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: output_file2
Type: application/octet-stream
Size: 1977 bytes
Desc: output_file2
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130630/37877a6e/attachment-0002.obj>
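The thread's goal is to log writes to PHP files under /home and process that log afterwards. Which profile ends up working changes how those events show up: with the `audit deny` rule in complain mode, the kernel reports the access as apparmor="ALLOW" (complain mode lets it through), whereas an `audit` rule without `deny` in enforce mode reports the same access as apparmor="AUDIT", and a real denial is apparmor="DENIED". The following is an added example, not code from the thread or from the AppArmor project: a small parser that handles all three verdicts so the same post-processing survives either profile. The log lines are constructed samples in the usual key="value" shape of AppArmor AVC messages; the exact spelling of the mask fields (and whether denied_mask is present at all) varies between kernel versions, so the parser only relies on the mask containing the letter 'w'.

```python
import re

# Constructed sample lines (not taken from the thread's attachments) in the shape of
# AppArmor AVC messages as they appear in audit.log / syslog.
#   apparmor="AUDIT"  -> access allowed by a rule carrying the audit modifier
#   apparmor="ALLOW"  -> complain mode: the profile would have denied it, but it was allowed
#   apparmor="DENIED" -> enforce-mode denial
#   apparmor="STATUS" -> profile load/replace, not a file access
SAMPLE_LOG = """\
type=AVC msg=audit(1372583817.123:101): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/www/index.php" pid=2101 comm="apache2" requested_mask="w" fsuid=1001 ouid=1001
type=AVC msg=audit(1372583818.456:102): apparmor="ALLOW" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/www/upload.php" pid=2102 comm="apache2" requested_mask="wc" denied_mask="wc" fsuid=1002 ouid=1002
type=AVC msg=audit(1372583819.789:103): apparmor="DENIED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/etc/shadow" pid=2103 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1372583820.001:104): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-itk/apache2" pid=900 comm="apparmor_parser"
"""

# Verdicts that describe an actual access decision (STATUS and friends are skipped).
VERDICTS = {"AUDIT", "ALLOW", "DENIED"}

# key=value pairs; the value is either a double-quoted string (backslash escapes
# allowed) or a bare token such as pid=2101 or audit(1372583817.123:101):
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return a dict of the key=value fields of one AppArmor line, or None if the
    line is not an AppArmor message at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def php_write_events(log_text):
    """Extract (verdict, profile, path, requested_mask) for every access decision
    on a *.php file whose requested mask includes write ('w')."""
    events = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") not in VERDICTS:
            continue
        path = f.get("name", "")
        mask = f.get("requested_mask", "")
        if path.endswith(".php") and "w" in mask:
            events.append((f["apparmor"], f.get("profile", ""), path, mask))
    return events


def count_by_verdict(log_text):
    """Count access decisions per verdict, useful for spotting whether a profile is
    still producing ALLOW (complain mode) or AUDIT (enforce mode) records."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get("apparmor") in VERDICTS:
            counts[f["apparmor"]] = counts.get(f["apparmor"], 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, profile, path, mask in php_write_events(SAMPLE_LOG):
        print(f"{verdict:7} {mask:4} {path}  ({profile})")
    print(count_by_verdict(SAMPLE_LOG))
```

Running it against a real audit.log is a matter of passing the file contents instead of SAMPLE_LOG; in the first (complain-mode) profile from the thread every PHP write shows up as ALLOW, and once an `audit` rule without `deny` logs as intended the same events arrive as AUDIT, with nothing else in the processing needing to change.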