Apparmor #243

Merged
merged 3 commits into from
Jul 13, 2014

Conversation

@ddpbsd ddpbsd (Member) commented Jul 11, 2014

Some quick decoder/rules for apparmor. Log samples provided by @RealRancor

ddpbsd added 3 commits June 24, 2014 11:30
basically ignore things.
The IDs for the rules are in the user range, but that can change later.
Sample log message is from RealRancor on github ossec#234. Hopefully he
can help expand the rules.
determining how malicious some action is.
Add a rule to alert on DENIED messages.

The examples provided by @RealRancor illustrate an issue. The
original examples that were provided were in a syslog format
with "kernel" as the program_name. This made them identify as
iptables log messages. The DENIED examples did not have the syslog
header, and identified as auditd log messages. This work should
probably duplicate what was already done for auditd.
DENIED log samples. I don't know how much value something like this
really has, but I don't have a lot of experience with apparmor.

On another note, the British may be right. Armour feels more right
than armor.
@ddpbsd ddpbsd (Member, Author) commented Jul 11, 2014

@RealRancor any updates?

@jrossi jrossi (Member) commented Jul 12, 2014

I like it and it acts as a great starting point. I would love unit tests if you have time.

@jrossi jrossi added this to the ossec-hids-2.9 milestone Jul 12, 2014
@ghost commented Jul 13, 2014

@ddpbsd Sorry for the long delay in the feedback.

The STATUS and ALLOWED messages are successfully ignored by the new rules.

Unfortunately I don't have live data of DENIED messages at the moment. Tomorrow I will have a look at some other systems running apparmor to see if I can find some of them on those systems.

jrossi added a commit that referenced this pull request Jul 13, 2014
Some quick decoder/rules for apparmor. Log samples provided by @RealRancor
@jrossi jrossi merged commit 596a4e5 into ossec:master Jul 13, 2014
@ghost commented Jul 14, 2014

@ddpbsd

Only found this repeating log entry on one of my other systems running apparmor:

Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

which is also caught by the initial rule "400003". It's probably not needed to add an extra sub-rule for this "open" operation.
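
The point raised in the commit message (the same AppArmor event arrives either behind a syslog "kernel:" header, where a naive "kernel" match confuses it with iptables, or as a bare auditd-style line) and the DENIED sample quoted above, as an added Python example that is not part of this PR or of OSSEC's own decoders: it decodes both forms, rejects iptables-style kernel lines, and applies the PR's logic of ignoring STATUS/ALLOWED and alerting on DENIED. Rule id 400003 is the one named in the comment above; the ignore rule's id is a placeholder, and every sample line except the quoted DENIED one is constructed.

```python
import re

# Constructed samples: [0] is the DENIED line quoted above (syslog header, program
# name "kernel"); [1] is an iptables-style kernel line that a bare "kernel" match
# would confuse with it; [2] and [3] are header-less auditd-style AppArmor events.
SAMPLE_LOGS = [
    'Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" '
    'pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Jul 14 11:04:01 hostname kernel: [ 8679.123456] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22',
    'type=1400 audit(1405328627.702:55): apparmor="STATUS" operation="profile_load" '
    'name="/usr/bin/evince" pid=1234 comm="apparmor_parser"',
    'type=1400 audit(1405328627.702:56): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" '
    'name="/tmp/scratch" pid=16418 comm="evince" requested_mask="r" denied_mask="r"',
]

# Optional "<date> <host> kernel:" syslog header and kernel uptime stamp.
SYSLOG_HEADER = re.compile(
    r'^(?:\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s*)?(?:\[\s*[\d.]+\]\s*)?')
AUDIT_PREFIX = re.compile(r'^type=1400\s+audit\(([\d.]+):(\d+)\):\s*')
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare


def decode_apparmor(line):
    """Fields of an AppArmor audit line (with or without syslog header), else None."""
    body = SYSLOG_HEADER.sub('', line, count=1)
    m = AUDIT_PREFIX.match(body)
    if not m:
        return None  # e.g. iptables output, which also comes from "kernel"
    fields = {'audit_ts': m.group(1), 'audit_serial': m.group(2)}
    for key, raw, quoted in KV.findall(body[m.end():]):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields if 'apparmor' in fields else None


def classify(fields):
    """Mirror the PR's rules: STATUS/ALLOWED ignored, DENIED alerts as 400003."""
    status = fields.get('apparmor')
    if status in ('STATUS', 'ALLOWED'):
        return ('ignore', None)  # placeholder id for the PR's noise rule
    if status == 'DENIED':
        return ('400003', 'AppArmor denied %s on %s by profile %s' % (
            fields.get('operation'), fields.get('name'), fields.get('profile')))
    return (None, None)


def run(lines):
    """Decode and classify each line; non-AppArmor lines yield (None, None)."""
    return [classify(f) if f else (None, None)
            for f in map(decode_apparmor, lines)]
```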

@ddpbsd ddpbsd (Member, Author) commented Jul 14, 2014

On Mon, Jul 14, 2014 at 7:24 AM, RealRancor [email protected] wrote:

> @ddpbsd
>
> Only found this repeating log entry on one of my other systems running apparmor:
>
> Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> which is also caught by the initial rule "400003". It's probably not needed to add an extra sub-rule for this "open" operation.

Awesome, thanks for looking!
