[apparmor] Using AppArmor for system wide audit

John Johansen john.johansen at canonical.com
Wed Aug 10 07:39:00 UTC 2016 

On 08/08/2016 05:02 PM, Alex Maestretti wrote:
> Hello-
> 
>   Given that AppArmor is already installed in Ubuntu I was looking at ways to use it for system wide audit rather than also enabling the k/auditd framework. If AppArmor is already inspecting system calls no need to do it twice for performance. I recognize this is not really what AppArmor was designed for but the profile below has gotten me close. My problem now is that the 'audit network' rule is logging every sendmsg/recvmsg whereas all I want are connect, accept and bind calls. It looks like AppArmor 3.0 will introduce permissions I could filter on, but is there anyway to do this today? Logging each send/recv is not going to be performant even if I filter the results in userland. Other comments on improving this profile welcome!
> s
Sadly atm this isn't possible. It wouldn't take too much of a patch at least for the dev branch to do this for streams, but to do it generically we need some additional work to land


> #vim:syntax=apparmor
> # Experimental -- attempt to use AppArmor as an audit function.
> # MIT License - Alex Maestretti 2016
> # AppArmor is already inspecting system calls by default in Ubuntu.
> # If we can use it to audit, we don't need to turn on the k/auditd 
> # framework and can save some performance cost.
> # Goals are file integrity, network sockets and process execution.
> 
> profile global /** flags=(complain) {
> 
> # Allow all top level rule types
>         #file,  ## can't allow all 'file' as we get a pattern overload when we try to audit below 

deny rules do have priority over allow rules so you could potentially use and allow all and black list approach. Looking at your rules below I don't think I would recommend doing that though

>         # audit ALL network syscalls, even send/recv, very verbose
>         # selecting network permissions (connect, accept, bind) only supported in 3.0
>         audit network,
>         capability,
>         # audit mounts and process injection w/ ptrace
>         audit mount,
>         audit ptrace,
>         signal,
>         dbus,
>         
>         # These top level rules aren't implemented yet, but mentioned in docs
>         #unix,
this does show up in xenial and later, unfortunately older user spaces can't handle it and our conditional support in the language syntax leaves much to be desired

>         #audit chown,
>         #audit chmod,
>         #audit setuid,
>         #ipc,
>         #rlimit,
> 
rlimit is actual supported but is uniq in that it doesn't just control the application setting the rlimits but will lower application rlimits if they are above what is specified in the profile

> # allow all file accesses, except execute
>         /** rwlkm,
>         # audit all executions. i - inherit current confinement, x - execute
>         audit /** ix,
>         
>         # audit specific file reads / writes for File Integrity Monitoring
>         audit /tmp/file.txt rw,
> 
> # doesn't seem to work, but doesn't break anything, would be nice to audit CAPs, maybe evaluating rules in order      
>         audit capability chown,

this should work, which release is it failing on?

> }
> 
>

More information about the AppArmor mailing list