Nice! Thanks

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1736841

Title:
  aa-decode can't decode the audit log which contains the proctitle
  string

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  [Description of Problem]
  aa-decode can't decode the audit log which contains the proctitle string.
  ubuntu kernel version: 4.4.0-87-generic
  AppArmor tool version: 2.10.95

  [How To Reproduce]
  e.g.
  # apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
  # cat /var/log/audit/audit.log
  type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
  type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
  type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

  # aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
  Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

  # cat /var/log/audit/audit.log | aa-decode
  type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined  res=success
  type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
  type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
  type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

  [Actual Result]
  aa-decode can decode a single string, but it cannot take an audit log on standard input and convert the hex-encoded string.

  [Expected Result]
  # cat /var/log/audit/audit.log | aa-decode
  type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined  res=success
  type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
  type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
  type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

  [How To Fix]
  fix the aa-decode shell script.

  --- utils/aa-decode     2013-01-01 14:15:04.000000000 -0500
  +++ utils/aa-decode.new 2017-11-30 02:39:13.780000000 -0500
  @@ -70,7 +70,7 @@ fi
   while read line ; do

       # check if line contains encoded name= or profile=
  -    if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then
  +    if [[ "$line" =~ \ (name|profile|proctitle)=[0-9a-fA-F] ]]; then

           # cut the encoded filename/profile name out of the line and decode it
           ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
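
Review bot: the comment two lines above the changed regex still reads "check if line contains encoded name= or profile="; now that the pattern also matches proctitle=, update it to "name=, profile= or proctitle=" so the comment and the condition stay in step.
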
  @@ -79,9 +79,13 @@ while read line ; do
           pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
           pd="$(decode ${pe/\'/\\\'})"

  +        pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
  +        pcd="$(decode ${pce/\'/\\\'})"
  +
           # replace encoded name and profile with its decoded counterparts 
(only if it was encoded)
           test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
           test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
  +        test -n "$pcd" && line="${line/proctitle=$pce/proctitle=\"$pcd\"}"

       fi
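
Review bot: running the proctitle value through the same decode helper as name= and profile= discards the 00 bytes that separate argv entries, which is why the expected result shows proctitle=apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump with the program, the -r flag and the path run together (the encoded value contains 00 after 61707061726D6F725F706172736572 and again after 2D72). For this field, render each 00 byte as a space so the decoded command line keeps its argument boundaries, and do it per byte pair rather than with a global text replace on the hex string, since a plain ${pce//00/20} also matches across byte boundaries (for example in the pair sequence 70 00). The comment "replace encoded name and profile with its decoded counterparts" should also mention proctitle now that a third substitution follows it.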

  [Workaround]
  If you cannot decode the audit log, try decoding the single string.
  # aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
  Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1736841/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
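
One way to get the behaviour the report's expected result describes, added here as an example and not taken from the bug report, its patch or the aa-decode script: a bash filter that reads audit log lines, finds hex-encoded name=, profile= and proctitle= values and replaces them with their quoted, decoded text. Unlike the decoded output shown in the report, it renders the 00 separators between argv entries of proctitle as spaces so the arguments stay distinguishable. The function names are my own, and the sample line is constructed from the PROCTITLE record quoted above.

```bash
#!/usr/bin/env bash
# Added example, not the aa-decode script or the patch from the bug report.
# Decodes hex-encoded name=, profile= and proctitle= values in audit log
# lines. The NUL bytes (00) that separate argv entries in proctitle are
# rendered as spaces so the original command line stays readable.

# decode_hex HEX: print the bytes encoded by HEX, with 00 shown as a space.
decode_hex() {
    local hex="$1" out="" i byte
    for (( i = 0; i < ${#hex}; i += 2 )); do
        byte="${hex:i:2}"
        if [ "$byte" = "00" ]; then
            out+=" "                      # argv separator in proctitle
        else
            out+=$(printf "\\x${byte}")   # bash's builtin printf understands \xHH
        fi
    done
    printf '%s' "$out"
}

# decode_audit_line LINE: print LINE with each hex-encoded field replaced by
# its quoted, decoded value. Already-quoted values (name="/usr/sbin/tcpdump",
# proctitle="bash") start with a quote, not a hex digit, and pass through.
decode_audit_line() {
    local line="$1" key re enc dec
    for key in name profile proctitle; do
        # key=, then an even number of hex digits, bounded by whitespace or end of line
        re="(^|[[:space:]])${key}=(([0-9A-Fa-f]{2})+)([[:space:]]|$)"
        if [[ "$line" =~ $re ]]; then
            enc="${BASH_REMATCH[2]}"
            dec=$(decode_hex "$enc")
            line="${line/${key}=${enc}/${key}=\"${dec}\"}"
        fi
    done
    printf '%s\n' "$line"
}

# decode_audit_log: filter stdin line by line.
decode_audit_log() {
    local line
    while IFS= read -r line; do
        decode_audit_line "$line"
    done
}

# Constructed sample, modelled on the PROCTITLE record in the bug report.
SAMPLE_LINE='type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70'

# Run directly: decode the files given as arguments (use "-" for stdin),
# or show the sample record when no file is given.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    if [ $# -gt 0 ]; then
        cat "$@" | decode_audit_log
    else
        printf '%s\n' "$SAMPLE_LINE" | decode_audit_log
    fi
fi
```

Usage against a real log is `./decode_audit.sh /var/log/audit/audit.log` or `cat /var/log/audit/audit.log | ./decode_audit.sh -`; the sample decodes to proctitle="apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump". Requiring an even number of hex digits in the match avoids treating a truncated value as hex, and substituting per byte pair (rather than a text replace of "00" on the hex string) keeps byte boundaries intact.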
