[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
responding to @intrigeri (sorry this got lost some how).
tldr: yes we are basically on the same page.
AppArmor does not fit into the 1400 range formats, every one of our
messages have some custom fields. Some of them could be
reformated/reworked to share more, but we would still need custom
fields.
Our message fields are in the common name=value format. So in that sense
they do fit in.
Kernel side this is fairly easy, we use common lsm_audit for the
messages we share in common, the code provides a callback to add your
own fields. Basically all that is needed is patch to allow different
number ranges to be used.
Userspace there needs to be some patching so LSM specific fields are
known about.
Whether is best to allocate new fields in a single number (say 1500),
with no fixed number of fields to output or it better to split into a
range of based on message type, I am not picky. When 1500 was taken away
from us I think it was 1500-1505 that we used, but expect we wouldn't
use the same mappings today if we had a choice.
so we have the generic audit type that is carried { audit, allowed,
denied, killed, prompt, hint, status, error }
this could carried as a common field, or we could use an allocated block
for
we have rule class, which is another way things are broken down, its
things like { file, cap, network, dbus, ...} there are currently about
25 of them currently.
common fields that can occur within apparmor messages { operation, info,
error, namespace, profile, label }, some fields aren't output if not
needed. Eg. we are auditing an access to say /etc/shadow that is allowed
but we want an audit trail for error won't be output, if its a system
status message that is not generated by a profiles rule set, profile=
won't be used. This set does not lend itself to an audit range as they
each take on basically a string value.
Then within a given class there are set of fields, some of them are shared by
several classes, but not all, and there are some that are only used by a single
class. Some examples would be, most mediation class share requested= and
denied= the values are class depended even those may be shared by a subset of
classes.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1117804
Title:
ausearch doesn't show AppArmor denial messages
Status in AppArmor:
Confirmed
Status in audit package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Incomplete
Bug description:
The following command should display all AVC denials:
ausearch -m avc
However, it doesn't work with AppArmor denials. Here's a quick test
case to generate a denial, search for it with ausearch, and see that
no messages are displayed:
$ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
cat: /proc/self/attr/current: Permission denied
$ sudo ausearch -m avc -c cat
ausearch claims that there are no matches, but there's a matching
audit message if you look in audit.log:
type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
operation="open" parent=8253 profile="/usr/sbin/tcpdump"
name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
As far as I know, no one has made an effort to try to improve the situation lately. There's some discussion at https://lists.ubuntu.com/archives/apparmor/2024-February/013091.html that may be enlightening, if not encouraging. Thanks -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
Any news on this? It has been open for over ten years now. AppArmor is on by default on Ubuntu, and if auditd is used, then the events are logged using it. Isn't it a security bug if the events don't show up when queried using ausearch? -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
** Tags added: cscc -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
Meta: I've re-read the discussion from December 2017. If there were messages later than this on the thread, I missed them due to suboptimal mailing list archive presentation. Sorry if this leads me to wrong conclusions! I lack the skills to do the actual work I think should be done. The only way I can help here is by facilitating the conversation, so I'll do that: I'd like to make sure there's no misunderstanding about the various opinions that were expressed, the current state of the discussion, and what the next steps should be (e.g. who's waiting for whom). My understanding is that [my personal opinion in square brackets]: 0. Upstream acknowledges that there is a problem and that it would be nice to solve it. 1. There's indeed desire upstream for finding a good balance between sharing (via generic infrastructure and possibly message types) and taking into account that each LSM has different needs. [This makes sense to me: there are probably bits worth sharing instead of every LSM doing their own thing 100% in their dark corner. Now, obviously finding a good balance requires discussion between LSMs to identify what can be shared and what is specific to each, which has its costs (and may require different skills than writing kernel code).] 2. There's a consensus about the fact we need _some_ way to tell which LSM has sent the message. Several options have been mentioned, including adding a new lsm= identifier and using different allocated blocks (be it in the 1400 range or elsewhere). [I'm glad that the door remains open for the option we had in mind initially.] 3. The ball is in our court: upstream proposed several options and I don't see them reach actionable conclusions without our input. At this point, it seems that the next step is: AppArmor developers express their needs. For example: * Are there existing messages formats supported by the auditd suite that would work for us and we'd be happy to share with other LSMs? If yes, great: if we start using them our users will benefit from it without having to adapt existing tools. * What are our needs that we think are specific to AppArmor? (It might be that once we state them, another LSM developer will say "actually, this could be useful for us too", who knows :) * Once we have the answers to the above questions, we can start checking many AppArmor-specific identifiers we need today and how many extra spare ones we want allocated. (Without this info, nobody can decide whether we can fit in the 1400 range.) John, are we on the same page? If not, I'd love to know what we understood differently :) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
There was an attempt to revive this Dec. 6, 2017 https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html upstream there is belief in using a generic audit message types. The problem is that apparmor, selinux and smack messages differ, so they aren't so common. This is going to have to be revisited, whether it means new numbers/ranges being used or refactoring of messages is unclear at this point. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
IMHO we have to ask John Johansen about this, he's working on kernel side. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
FTR this was raised as a potential blocker for enabling AppArmor by default on Debian: https://bugs.debian.org/872726. I'm going to investigate why this is a blocker there. tl;dr: as the audit maintainers said in 2014 (https://www.redhat.com/archives/linux-audit/2014-May/msg00119.html) and 2016 (https://www.redhat.com/archives/linux- audit/2016-April/msg00129.html), we should use events ids from the range that has been allocated to us (1500-1599) instead of from the range assigned to SELinux. Any plans / ETA to fix this? Regardless of how you would prioritize this problem otherwise, the fact it might prevent AppArmor from being enabled by default in Debian could be a reason to handle it ASAP :) ** Bug watch added: Debian Bug tracker #872726 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
** Also affects: linux (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: New Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
