[apparmor] Using AppArmor for system wide audit
Alex Maestretti
amaestretti at netflix.com
Wed Aug 10 20:16:53 UTC 2016
Thank you for the response. This makes sense.
>> # doesn't seem to work, but doesn't break anything, would be nice to
>> audit CAPs, maybe evaluating rules in order
>> audit capability chown,
>
> this should work, which release is it failing on?
I have not tested extensively so I may be messing something up but I was on:
Ubuntu 4.8.2-19ubuntu1
Linux 3.13.0-76-generic #120-Ubuntu SMP x86_64 GNU/Linux
I touched a file, tried 'chown root file', failed, no entry, tried 'sudo
chown root file', success, no entry. I see the /bin/chown execution but not
the CAP action. Or am I misunderstanding what this is monitoring? Does it
monitor assuming the CAP or actually exercising it?
Thanks again for the response!
-ASM
On Wed, Aug 10, 2016 at 12:39 AM John Johansen <john.johansen at canonical.com>
wrote:
> On 08/08/2016 05:02 PM, Alex Maestretti wrote:
> > Hello-
> >
> > Given that AppArmor is already installed in Ubuntu I was looking at
> > ways to use it for system wide audit rather than also enabling the k/auditd
> > framework. If AppArmor is already inspecting system calls no need to do it
> > twice for performance. I recognize this is not really what AppArmor was
> > designed for but the profile below has gotten me close. My problem now is
> > that the 'audit network' rule is logging every sendmsg/recvmsg whereas all
> > I want are connect, accept and bind calls. It looks like AppArmor 3.0 will
> > introduce permissions I could filter on, but is there any way to do this
> > today? Logging each send/recv is not going to be performant even if I
> > filter the results in userland. Other comments on improving this profile
> > welcome!
> Sadly atm this isn't possible. It wouldn't take too much of a patch at
> least for the dev branch to do this for streams, but to do it generically
> we need some additional work to land
>
>
> > #vim:syntax=apparmor
> > # Experimental -- attempt to use AppArmor as an audit function.
> > # MIT License - Alex Maestretti 2016
> > # AppArmor is already inspecting system calls by default in Ubuntu.
> > # If we can use it to audit, we don't need to turn on the k/auditd
> > # framework and can save some performance cost.
> > # Goals are file integrity, network sockets and process execution.
> >
> > profile global /** flags=(complain) {
> >
> > # Allow all top level rule types
> > #file, ## can't allow all 'file' as we get a pattern overload
> > when we try to audit below
>
> deny rules do have priority over allow rules so you could potentially use
> an allow-all and blacklist approach. Looking at your rules below I don't
> think I would recommend doing that though.
>
> > # audit ALL network syscalls, even send/recv, very verbose
> > # selecting network permissions (connect, accept, bind) only
> > supported in 3.0
> > audit network,
> > capability,
> > # audit mounts and process injection w/ ptrace
> > audit mount,
> > audit ptrace,
> > signal,
> > dbus,
> >
> > # These top level rules aren't implemented yet, but mentioned in
> > docs
> > #unix,
> this does show up in xenial and later; unfortunately older user spaces
> can't handle it, and our conditional support in the language syntax leaves
> much to be desired.
>
> > #audit chown,
> > #audit chmod,
> > #audit setuid,
> > #ipc,
> > #rlimit,
> >
> rlimit is actually supported but is unique in that it doesn't just control the
> application setting the rlimits but will lower application rlimits if they
> are above what is specified in the profile.
>
> > # allow all file accesses, except execute
> > /** rwlkm,
> > # audit all executions. i - inherit current confinement, x -
> > execute
> > audit /** ix,
> >
> > # audit specific file reads / writes for File Integrity
> > Monitoring
> > audit /tmp/file.txt rw,
> >
> > # doesn't seem to work, but doesn't break anything, would be nice to
> > audit CAPs, maybe evaluating rules in order
> > audit capability chown,
>
> this should work, which release is it failing on?
>
> > }
> >
> >
>
>
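The userland filter discussed in the thread (keep connect/accept/bind, drop the sendmsg/recvmsg noise that `audit network,` produces, and pull out the exec, capability and file-integrity records), as an added example that is not part of the thread or of AppArmor itself. The key="value" field names follow the kernel's AppArmor audit record format (apparmor=, operation=, profile=, name=, pid=, comm=, requested_mask=, family=, sock_type=, capability=, capname=); the log lines themselves are constructed for this example, not captured from the poster's system, and the set of network operations kept is the one the thread asks for.

```python
"""Userland filter for AppArmor audit records (added example, not from the thread).

Until per-permission network rules exist, `audit network,` logs every
sendmsg/recvmsg as well as connect/accept/bind. This script parses the
kernel's key="value" records and keeps only the events the thread's
profile is after: process execution, capability use, selected socket
operations and file-integrity hits. The SAMPLE_LOG lines are constructed.
"""
import re
from collections import Counter

# key=value or key="quoted value" tokens inside an AppArmor record.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Network operations the thread wants to keep; everything else is noise.
NETWORK_KEEP = {"connect", "accept", "bind"}

# Constructed sample records: one syslog-prefixed line, the rest raw kernel format.
SAMPLE_LOG = """\
Aug 10 20:16:53 host kernel: [ 1234.5678] audit: type=1400 audit(1470859200.101:101): apparmor="AUDIT" operation="exec" profile="global" name="/bin/chown" pid=4242 comm="bash" requested_mask="x" fsuid=1000 ouid=0 target="global"
audit: type=1400 audit(1470859200.102:102): apparmor="AUDIT" operation="capable" profile="global" pid=4242 comm="chown" capability=0 capname="chown"
audit: type=1400 audit(1470859200.103:103): apparmor="AUDIT" operation="connect" profile="global" pid=4300 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="send receive"
audit: type=1400 audit(1470859200.104:104): apparmor="AUDIT" operation="sendmsg" profile="global" pid=4300 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="send"
audit: type=1400 audit(1470859200.105:105): apparmor="AUDIT" operation="recvmsg" profile="global" pid=4300 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="receive"
audit: type=1400 audit(1470859200.106:106): apparmor="AUDIT" operation="bind" profile="global" pid=4400 comm="nc" family="inet" sock_type="stream" protocol=6 requested_mask="send receive"
audit: type=1400 audit(1470859200.107:107): apparmor="AUDIT" operation="open" profile="global" name="/tmp/file.txt" pid=4242 comm="vim" requested_mask="w" fsuid=1000 ouid=1000
Aug 10 20:16:54 host kernel: [ 1234.5690] usb 1-1: new high-speed USB device number 3
"""


def parse_record(line):
    """Parse one AppArmor record into a dict of its fields; None for other lines."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for m in _KV.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def classify(rec):
    """Map a parsed record onto the audit goals: exec, capability, network, file."""
    op = rec.get("operation")
    if "capname" in rec or op == "capable":
        return "capability"
    if "family" in rec:          # socket records always carry the address family
        return "network"
    if op == "exec":
        return "exec"
    if "name" in rec:            # any other path-based file access (FIM hits)
        return "file"
    return "other"


def filter_records(text):
    """Return (kept records, Counter of dropped network operations)."""
    kept, dropped = [], Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "network" and rec.get("operation") not in NETWORK_KEEP:
            dropped[rec["operation"]] += 1   # sendmsg/recvmsg etc.
            continue
        rec["kind"] = kind
        kept.append(rec)
    return kept, dropped


def summarize(rec):
    """One-line human summary of a kept record."""
    who = f'{rec.get("comm", "?")}[{rec.get("pid", "?")}]'
    kind = rec["kind"]
    if kind == "network":
        return f'{kind}: {who} {rec["operation"]} {rec["family"]}/{rec["sock_type"]}'
    if kind == "capability":
        return f'{kind}: {who} cap_{rec["capname"]}'
    if kind in ("exec", "file"):
        return f'{kind}: {who} {rec["operation"]} {rec["name"]} ({rec.get("requested_mask", "")})'
    return f'{kind}: {who} {rec.get("operation")}'


if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE_LOG)
    for rec in kept:
        print(summarize(rec))
    print("dropped:", dict(dropped))
```

The filter keys on `family=` rather than on the operation name, so any socket-level record the kernel emits (including operations not listed in NETWORK_KEEP) is recognised as network and discarded unless it is one of the three the thread asks for; exec, capability and path-based records pass through unchanged. Feed it `journalctl -k` or `/var/log/kern.log` on a real host; the syslog prefix is ignored by the tokenizer.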