Little fix for AppArmor rules (added 5100 rule as parent) #1939

Merged
merged 3 commits into from
Aug 9, 2023
Conversation

g3rhard
Contributor

@g3rhard g3rhard commented Dec 9, 2020

Found a little bug in AppArmor rules (but now not sure 😄 ):

2020/12/09 13:45:14 ossec-testrule: INFO: Reading local decoder file.
2020/12/09 13:45:14 ossec-testrule: INFO: Started (pid: 12629).
ossec-testrule: Type one log per line.

Dec  9 13:03:30 testing_server kernel: [1736294.389703] audit: type=1400 audit(1607519010.253:322): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/var/www/moodle_testing/temp/core_file/conversions/23fa780e-0c2f-4cec-b023-e150dc78929b/11630.docx" pid=29328 comm="cppu_threadpool" requested_mask="r" denied_mask="r" fsuid=33 ouid=33


**Phase 1: Completed pre-decoding.
       full event: 'Dec  9 13:03:30 testing_server kernel: [1736294.389703] audit: type=1400 audit(1607519010.253:322): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/var/www/moodle_testing/temp/core_file/conversions/23fa780e-0c2f-4cec-b023-e150dc78929b/11630.docx" pid=29328 comm="cppu_threadpool" requested_mask="r" denied_mask="r" fsuid=33 ouid=33'
       hostname: 'testing_server'
       program_name: 'kernel'
       log: '[1736294.389703] audit: type=1400 audit(1607519010.253:322): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/var/www/moodle_testing/temp/core_file/conversions/23fa780e-0c2f-4cec-b023-e150dc78929b/11630.docx" pid=29328 comm="cppu_threadpool" requested_mask="r" denied_mask="r" fsuid=33 ouid=33'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       status: 'ALLOWED'
       extra_data: 'open'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
       *Rule 5100 matched.
       *Trying child rules.
    Trying rule: 5101 - Informative message from the kernel.
    Trying rule: 5102 - Informative message from the kernel
    Trying rule: 5104 - Interface entered in promiscuous(sniffing) mode.
    Trying rule: 5105 - Invalid request to /dev/fd0 (bug on the kernel).
...
    Trying rule: 1002 - Unknown problem somewhere in the system.
       *Rule 1002 matched.
       *Trying child rules.
    Trying rule: 1009 - Ignoring known false positives on rule 1002..
    Trying rule: 2942 - Uninteresting gnome error.
...

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '7'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

And after little changes everything works as expected.
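The two traces above show why the parent mattered: a level-0 pre-match rule (5100) whose children all miss is not a final match, so OSSEC keeps walking the top-level rule list and the syslog catch-all 1002 claims the event before a top-level AppArmor rule is ever tried. The simulation below is an added example, not OSSEC's code; it models that evaluation order as inferred from the traces, with a reduced rule set (a stand-in 5104 child, a subset of `$BAD_WORDS`, and the assumption that the AppArmor rules load after the syslog rules) and the `mkdir` event from the second trace.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed event: decoded fields taken from the PR's second ossec-testrule trace.
EVENT = {
    "program_name": "kernel",
    "decoder": "iptables",
    "status": "ALLOWED",
    "log": '[84611.931993] audit: type=1400 audit(1607518213.006:40): apparmor="ALLOWED" '
           'operation="mkdir" profile="libreoffice-soffice" name="/var/www/.config/libreoffice/4/" '
           'pid=15622 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=33 ouid=33',
}

@dataclass
class Rule:
    sid: int
    level: int
    cond: Callable[[dict], bool]           # predicate over the decoded event
    children: List["Rule"] = field(default_factory=list)

def check(rule: Rule, ev: dict) -> Optional[Rule]:
    """Simplified model of OSSEC's rule walk (assumption, inferred from the trace)."""
    if not rule.cond(ev):
        return None
    for child in rule.children:            # "*Trying child rules."
        hit = check(child, ev)
        if hit:
            return hit
    # A level-0 pre-match rule with no matching child is not final:
    # OSSEC moves on to the next top-level rule (5100 -> 1002 in the first trace).
    if rule.level == 0 and rule.children:
        return None
    return rule

def evaluate(top_rules: List[Rule], ev: dict) -> Optional[Tuple[int, int]]:
    for rule in top_rules:
        hit = check(rule, ev)
        if hit:
            return hit.sid, hit.level
    return None

BAD_WORDS = ("denied", "error", "failed")   # subset of OSSEC's $BAD_WORDS (assumption)
def r5100() -> Rule:                         # pre-match for kernel messages, level 0
    return Rule(5100, 0, lambda e: e["program_name"] == "kernel",
                children=[Rule(5104, 8, lambda e: "promiscuous" in e["log"])])
def r1002() -> Rule:                         # syslog catch-all, level 7
    return Rule(1002, 7, lambda e: any(w in e["log"] for w in BAD_WORDS))
def r52000() -> Rule:                        # AppArmor grouping with child 52001 (ignore ALLOWED/STATUS)
    return Rule(52000, 0, lambda e: e["decoder"] == "iptables" and "apparmor=" in e["log"],
                children=[Rule(52001, 0, lambda e: e["status"] in ("ALLOWED", "STATUS"))])

def before_fix(ev: dict = EVENT):            # 52000 as a top-level rule loaded after 1002
    return evaluate([r5100(), r1002(), r52000()], ev)

def after_fix(ev: dict = EVENT):             # 52000 attached under 5100 via <if_sid>5100</if_sid>
    kernel = r5100()
    kernel.children.append(r52000())
    return evaluate([kernel, r1002()], ev)
```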

@g3rhard
Contributor Author

g3rhard commented Dec 9, 2020

Checked after update

2020/12/09 14:38:58 ossec-testrule: INFO: Reading local decoder file.
2020/12/09 14:38:58 ossec-testrule: INFO: Started (pid: 8335).
ossec-testrule: Type one log per line.

Dec  9 12:50:13 testing_server kernel: [84611.931993] audit: type=1400 audit(1607518213.006:40): apparmor="ALLOWED" operation="mkdir" profile="libreoffice-soffice" name="/var/www/.config/libreoffice/4/" pid=15622 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=33 ouid=33


**Phase 1: Completed pre-decoding.
       full event: 'Dec  9 12:50:13 testing_server kernel: [84611.931993] audit: type=1400 audit(1607518213.006:40): apparmor="ALLOWED" operation="mkdir" profile="libreoffice-soffice" name="/var/www/.config/libreoffice/4/" pid=15622 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=33 ouid=33'
       hostname: 'testing_server'
       program_name: 'kernel'
       log: '[84611.931993] audit: type=1400 audit(1607518213.006:40): apparmor="ALLOWED" operation="mkdir" profile="libreoffice-soffice" name="/var/www/.config/libreoffice/4/" pid=15622 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=33 ouid=33'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       status: 'ALLOWED'
       extra_data: 'mkdir'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
       *Rule 5100 matched.
       *Trying child rules.
    Trying rule: 5101 - Informative message from the kernel.
    Trying rule: 5102 - Informative message from the kernel
    Trying rule: 5104 - Interface entered in promiscuous(sniffing) mode.
    Trying rule: 5105 - Invalid request to /dev/fd0 (bug on the kernel).
    Trying rule: 5106 - NFS incompatibility between Linux and Solaris.
    Trying rule: 5107 - NFS incompatibility between Linux and Solaris.
    Trying rule: 5111 - Kernel device error.
    Trying rule: 5112 - Kernel usbhid probe error (ignored).
    Trying rule: 2935 - Grouping for the mptscrih rules.
    Trying rule: 2936 - Grouping for the mptbase rules.
    Trying rule: 5108 - System running out of memory. Availability of the system is in risk.
    Trying rule: 5103 - Error message from the kernel. Ping of death attack.
    Trying rule: 5113 - System is shutting down.
    Trying rule: 5130 - Monitor ADSL line is down.
    Trying rule: 5109 - Kernel Input/Output error
    Trying rule: 5110 - IRC misconfiguration
    Trying rule: 5131 - Monitor ADSL line is up.
    Trying rule: 52000 - Apparmor grouping
       *Rule 52000 matched.
       *Trying child rules.
    Trying rule: 52001 - Ignore ALLOWED or STATUS
       *Rule 52001 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '52001'
       Level: '0'
       Description: 'Ignore ALLOWED or STATUS'

@atomicturtle atomicturtle merged commit 0e70ff3 into ossec:master Aug 9, 2023