[apparmor] Using AppArmor for system wide audit

Alex Maestretti amaestretti at netflix.com
Tue Aug 9 00:02:40 UTC 2016


Hello-

  Given that AppArmor is already installed in Ubuntu, I was looking at ways
to use it for system wide audit rather than also enabling the k/auditd
framework. If AppArmor is already inspecting system calls, there is no need to
do it twice for performance. I recognize this is not really what AppArmor was
designed for, but the profile below has gotten me close. My problem now is
that the 'audit network' rule is logging every sendmsg/recvmsg, whereas all
I want are connect, accept and bind calls. It looks like AppArmor 3.0 will
introduce permissions I could filter on, but is there any way to do this
today? Logging each send/recv is not going to be performant even if I
filter the results in userland. Other comments on improving this profile
welcome!

#vim:syntax=apparmor
# Experimental -- attempt to use AppArmor as an audit function.
# MIT License - Alex Maestretti 2016
# AppArmor is already inspecting system calls by default in Ubuntu.
# If we can use it to audit, we don't need to turn on the k/auditd
# framework and can save some performance cost.
# Goals are file integrity, network sockets and process execution.

profile global /** flags=(complain) {

# Allow all top level rule types
        #file,  ## can't allow all 'file' as we get a pattern overload when we try to audit below
        # audit ALL network syscalls, even send/recv, very verbose
        # selecting network permissions (connect, accept, bind) only supported in 3.0
        audit network,
        capability,
        # audit mounts and process injection w/ ptrace
        audit mount,
        audit ptrace,
        signal,
        dbus,

        # These top level rules aren't implemented yet, but mentioned in docs
        #unix,
        #audit chown,
        #audit chmod,
        #audit setuid,
        #ipc,
        #rlimit,

# allow all file accesses, except execute
        /** rwlkm,
        # audit all executions. i - inherit current confinement, x - execute
        audit /** ix,

        # audit specific file reads / writes for File Integrity Monitoring
        audit /tmp/file.txt rw,

        # doesn't seem to work, but doesn't break anything, would be nice to audit
        # CAPs, maybe evaluating rules in order
        audit capability chown,
}
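As an added example (not part of the original post or of the AppArmor project), here is the userland filtering step the post mentions: parsing the AppArmor audit records that a profile like the one above produces and keeping only the socket lifecycle operations (connect, accept, bind) plus exec, while counting how much sendmsg/recvmsg noise was discarded. The log lines are constructed for the example; the exact set of fields a given kernel emits varies, so the parser treats every record as generic key=value / key="value" tokens and only relies on the `apparmor=` and `operation=` fields.

```python
import re
from collections import Counter

# Socket operations the profile author actually wants to see, versus the
# per-packet operations that 'audit network,' also emits on AppArmor 2.x.
SOCKET_OPS_OF_INTEREST = {"connect", "accept", "bind"}
NOISY_SOCKET_OPS = {"sendmsg", "recvmsg"}

# AppArmor LSM audit records are flat key=value lists; values may be quoted.
_TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records (hypothetical pids, comms and timestamps).
SAMPLE_LOG = """\
type=AVC msg=audit(1470700000.101:1): apparmor="AUDIT" operation="exec" profile="global" name="/usr/bin/curl" pid=4242 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="global"
type=AVC msg=audit(1470700000.102:2): apparmor="AUDIT" operation="connect" profile="global" pid=4242 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
type=AVC msg=audit(1470700000.103:3): apparmor="AUDIT" operation="sendmsg" profile="global" pid=4242 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
type=AVC msg=audit(1470700000.104:4): apparmor="AUDIT" operation="recvmsg" profile="global" pid=4242 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1470700000.105:5): apparmor="AUDIT" operation="bind" profile="global" pid=777 comm="nginx" family="inet" sock_type="stream" protocol=6 requested_mask="bind" denied_mask="bind"
type=AVC msg=audit(1470700000.106:6): apparmor="AUDIT" operation="accept" profile="global" pid=777 comm="nginx" family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"
type=SYSCALL msg=audit(1470700000.107:7): arch=c000003e syscall=59 success=yes exit=0 pid=4242 comm="curl"
type=AVC msg=audit(1470700000.108:8): apparmor="AUDIT" operation="sendmsg" profile="global" pid=4242 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
"""


def parse_apparmor_record(line):
    """Turn one audit line into a dict of its fields.

    Returns None for lines that are not AppArmor records (no apparmor= field),
    so mixed audit streams can be fed straight in.
    """
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _TOKEN_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def filter_records(lines, keep_ops=frozenset(SOCKET_OPS_OF_INTEREST | {"exec"})):
    """Keep only records whose operation is in keep_ops.

    Returns (kept_records, dropped_counter); the counter shows how much of
    the stream was sendmsg/recvmsg noise, i.e. the cost of filtering late.
    """
    kept = []
    dropped = Counter()
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec is None:
            continue
        op = rec.get("operation")
        if op in keep_ops:
            kept.append(rec)
        else:
            dropped[op] += 1
    return kept, dropped


def summarize_by_comm(records):
    """Count (comm, operation) pairs: a compact view for triage or alerting."""
    return Counter((r.get("comm"), r.get("operation")) for r in records)


if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE_LOG.splitlines())
    for rec in kept:
        print(rec["operation"], rec.get("comm"), rec.get("name", ""))
    print("dropped:", dict(dropped))
    print("by comm:", dict(summarize_by_comm(kept)))
```

In a real pipeline the lines would come from the kernel log or auditd; the `dropped` counter makes the post's performance concern measurable, since every entry in it is a record the kernel had to emit and userland had to parse before being thrown away.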