2
0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 05:17:59 +00:00

add ability to parser dmesg output as a log file

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
John Johansen 2015-06-02 01:00:29 -07:00
parent 7cc75c44fa
commit 2d31e2c113
29 changed files with 137 additions and 0 deletions

View File

@ -169,6 +169,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%% %%
log_message: audit_type log_message: audit_type
| dmesg_type
| syslog_type | syslog_type
| audit_dispatch | audit_dispatch
; ;
@ -199,6 +200,10 @@ other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
} }
; ;
dmesg_type: TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
;
syslog_type: syslog_type:
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }

View File

@ -355,6 +355,7 @@ yy_flex_debug = 0;
{syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_TIME); } {syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_TIME); }
{audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); } {audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
{dmesg_timestamp} { yylval->t_str = strdup(yytext); return(TOK_DMESG_STAMP); }
. { /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); } . { /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); }

View File

@ -0,0 +1 @@
[ 1612.746129] audit: type=1400 audit(1284061910.975:672): apparmor="DENIED" operation="capable" parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" capability=23 capname="sys_nice"

View File

@ -0,0 +1,12 @@
START
File: testcase_dmesg_capability.in
Event type: AA_RECORD_DENIED
Audit ID: 1284061910.975:672
Operation: capable
Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority
Name: sys_nice
Command: syscall_setprio
Parent: 2663
PID: 7292
Epoch: 1284061910
Audit subid: 672

View File

@ -0,0 +1 @@
[ 1597.774866] audit: type=1400 audit(1284061896.005:28): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=2698 comm="syscall_ptrace"

View File

@ -0,0 +1,11 @@
START
File: testcase_dmesg_changehat_negative_error.in
Event type: AA_RECORD_DENIED
Audit ID: 1284061896.005:28
Operation: change_hat
Command: syscall_ptrace
Info: unconfined
ErrorCode: 1
PID: 2698
Epoch: 1284061896
Audit subid: 28

View File

@ -0,0 +1 @@
[ 97.492562] audit: type=1400 audit(1431116353.523:77): apparmor="DENIED" operation="change_profile" profile="/tests/regression/apparmor/changeprofile" pid=3459 comm="changeprofile" target="/tests/regression/apparmor/rename"

View File

@ -0,0 +1,11 @@
START
File: testcase_dmesg_changeprofile_01.in
Event type: AA_RECORD_DENIED
Audit ID: 1431116353.523:77
Operation: change_profile
Profile: /tests/regression/apparmor/changeprofile
Command: changeprofile
Name2: /tests/regression/apparmor/rename
PID: 3459
Epoch: 1431116353
Audit subid: 77

View File

@ -0,0 +1 @@
[ 2010.738449] audit: type=1400 audit(1284062308.965:276251): apparmor="DENIED" operation="link" parent=19088 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/link" name="/tmp/sdtest.19088-12382-HWH57d/linkfile" pid=19142 comm="link" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/tmp/sdtest.19088-12382-HWH57d/target"

View File

@ -0,0 +1,17 @@
START
File: testcase_dmesg_link_01.in
Event type: AA_RECORD_DENIED
Audit ID: 1284062308.965:276251
Operation: link
Mask: l
Denied Mask: l
fsuid: 0
ouid: 0
Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link
Name: /tmp/sdtest.19088-12382-HWH57d/linkfile
Command: link
Name2: /tmp/sdtest.19088-12382-HWH57d/target
Parent: 19088
PID: 19142
Epoch: 1284062308
Audit subid: 276251

View File

@ -0,0 +1 @@
[45334.755142] audit: type=1503 audit(1282671283.411:2199): operation="mkdir" pid=4786 parent=4708 profile="/usr/sbin/sshd//ubuntu" requested_mask="c::" denied_mask="c::" fsuid=1000 ouid=1000 name="/tmp/ssh-gRozJw4786/"

View File

@ -0,0 +1,15 @@
START
File: testcase_dmesg_mkdir.in
Event type: AA_RECORD_DENIED
Audit ID: 1282671283.411:2199
Operation: mkdir
Mask: c::
Denied Mask: c::
fsuid: 1000
ouid: 1000
Profile: /usr/sbin/sshd//ubuntu
Name: /tmp/ssh-gRozJw4786/
Parent: 4708
PID: 4786
Epoch: 1282671283
Audit subid: 2199

View File

@ -0,0 +1 @@
[ 878.663418] audit: type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"

View File

@ -0,0 +1,15 @@
START
File: testcase_dmesg_rename_dest.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1282626827.320:413
Operation: rename_dest
Mask: wc::
Denied Mask: wc::
fsuid: 0
ouid: 0
Profile: /usr/sbin/sshd
Name: /var/run/motd
Parent: 650
PID: 1881
Epoch: 1282626827
Audit subid: 413

View File

@ -0,0 +1 @@
[ 878.663410] audit: type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"

View File

@ -0,0 +1,15 @@
START
File: testcase_dmesg_rename_src.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1282626827.320:412
Operation: rename_src
Mask: r::
Denied Mask: r::
fsuid: 0
ouid: 0
Profile: /usr/sbin/sshd
Name: /var/run/motd.new
Parent: 650
PID: 1881
Epoch: 1282626827
Audit subid: 412

View File

@ -0,0 +1 @@
[ 2143.902340] audit: type=1400 audit(1283989336.064:272335): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=4958 comm="apparmor_parser" name="/home/jj/master/tests/regression/apparmor/net_raw" offset=159

View File

@ -0,0 +1,11 @@
START
File: testcase_dmesg_status_offset.in
Event type: AA_RECORD_STATUS
Audit ID: 1283989336.064:272335
Name: /home/jj/master/tests/regression/apparmor/net_raw
Command: apparmor_parser
Info: failed to unpack profile
ErrorCode: 71
PID: 4958
Epoch: 1283989336
Audit subid: 272335

View File

@ -0,0 +1 @@
[ 878.662172] audit: type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"

View File

@ -0,0 +1,15 @@
START
File: testcase_dmesg_truncate.in
Event type: AA_RECORD_DENIED
Audit ID: 1282626827.320:411
Operation: truncate
Mask: w::
Denied Mask: w::
fsuid: 0
ouid: 0
Profile: /etc/update-motd.d/91-release-upgrade
Name: /var/lib/update-notifier/release-upgrade-available
Parent: 1
PID: 1957
Epoch: 1282626827
Audit subid: 411