Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-27 11:50:59 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'

Browse source
This commit is contained in:
Patrick Schleizer 2025-10-31 10:19:08 -04:00
commit 3b2092ee76
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
9 changed files with 164 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

25
auto-generated-man-pages/apparmor-info.8 Normal file
View file

@ -0,0 +1,25 @@
.\" generated with Ronn-NG/v0.10.1
.\" http://github.com/apjanke/ronn-ng/tree/0.10.1
.TH "APPARMOR\-INFO" "8" "January 2020" "security-misc" "security-misc Manual"
.SH "NAME"
\fBapparmor\-info\fR \- Shows AppArmor DENIED Log Messages
.SH "SYNOPSIS"
\fBapparmor\-info\fR
.SH "DESCRIPTION"
Shows AppArmor DENIED log messages\.
.P
If there are no DENIED log messages, outputs nothing\.
.SH "RETURN VALUES"
.IP "\(bu" 4
\fB0\fR No DENIED messages found, OK\.
.IP "\(bu" 4
\fB1\fR DENIED messages found\.
.IP "" 0
.SH "EXAMPLE"
\fBsudo apparmor\-info ; echo $?\fR
.P
\fB0\fR
.P
No output from \fBapparmor\-info\fR with exit code \fB0\fR\. Meaning, no \fBDENIED\fR messages found, OK\.
.SH "AUTHOR"
This man page has been written by Patrick Schleizer (adrelanos@whonix\.org)\.

13
auto-generated-man-pages/apparmor-watch.8 Normal file
View file

@ -0,0 +1,13 @@
.\" generated with Ronn-NG/v0.10.1
.\" http://github.com/apjanke/ronn-ng/tree/0.10.1
.TH "APPARMOR\-WATCH" "8" "January 2020" "security-misc" "security-misc Manual"
.SH "NAME"
\fBapparmor\-watch\fR \- Watch AppArmor DENIED and ALLOWED Log Messages
.SH "SYNOPSIS"
\fBapparmor\-watch\fR
.SH "DESCRIPTION"
Watches for AppArmor \fBDENIED\fR and \fBALLOWED\fR log messages\.
.SH "EXAMPLE"
\fBsudo apparmor\-watch\fR
.SH "AUTHOR"
This man page has been written by Patrick Schleizer (adrelanos@whonix\.org)\.

5
debian/rules vendored
View file

@ -8,5 +8,10 @@
%: %:
dh $@ --with=config-package dh $@ --with=config-package
override_dh_installman:
mkdir --parents -- debian/security-misc-shared/usr/share/man/man8
gzip -c -9 -- auto-generated-man-pages/apparmor-info.8 > debian/security-misc-shared/usr/share/man/man8/apparmor-info.8.gz
gzip -c -9 -- auto-generated-man-pages/apparmor-watch.8 > debian/security-misc-shared/usr/share/man/man8/apparmor-watch.8.gz
override_dh_installchangelogs: override_dh_installchangelogs:
dh_installchangelogs changelog.upstream upstream dh_installchangelogs changelog.upstream upstream

2
debian/security-misc-shared.install vendored
View file

@ -118,6 +118,8 @@ usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/s
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf
usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf
usr/sbin/apparmor-info#security-misc-shared => /usr/sbin/apparmor-info
usr/sbin/apparmor-watch#security-misc-shared => /usr/sbin/apparmor-watch
usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm
usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc

3
debian/security-misc-shared.postinst vendored
View file

@ -103,6 +103,9 @@ case "$1" in
chmod 0600 "${usbguard_config_file}" chmod 0600 "${usbguard_config_file}"
fi fi
done done
## Enable systemd-journald audit transport
deb-systemd-helper enable systemd-journald-audit.socket
;; ;;
abort-upgrade|abort-remove|abort-deconfigure) abort-upgrade|abort-remove|abort-deconfigure)

34
man/apparmor-info.8.ronn Normal file
View file

@ -0,0 +1,34 @@
apparmor-info(8) -- Shows AppArmor DENIED Log Messages
=============================================
<!--
# Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
# See the file COPYING for copying conditions.
-->
## SYNOPSIS
`apparmor-info`
## DESCRIPTION
Shows AppArmor DENIED log messages.
If there are no DENIED log messages, outputs nothing.
## RETURN VALUES
* `0` No DENIED messages found, OK.
* `1` DENIED messages found.
## EXAMPLE
`sudo apparmor-info ; echo $?`
`0`
No output from `apparmor-info` with exit code `0`.
Meaning, no `DENIED` messages found, OK.
## AUTHOR
This man page has been written by Patrick Schleizer (adrelanos@whonix.org).

23
man/apparmor-watch.8.ronn Normal file
View file

@ -0,0 +1,23 @@
apparmor-watch(8) -- Watch AppArmor DENIED and ALLOWED Log Messages
=============================================
<!--
# Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
# See the file COPYING for copying conditions.
-->
## SYNOPSIS
`apparmor-watch`
## DESCRIPTION
Watches for AppArmor `DENIED` and `ALLOWED` log messages.
## EXAMPLE
`sudo apparmor-watch`
## AUTHOR
This man page has been written by Patrick Schleizer (adrelanos@whonix.org).

35
usr/sbin/apparmor-info#security-misc-shared Executable file
View file

@ -0,0 +1,35 @@
#!/bin/bash
## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/22
## Not using sudo hardcoded below.
## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/29
if [ "$(id -u)" != "0" ]; then
echo "ERROR: Must run as root." >&2
echo "sudo $0" >&2
exit 112
fi
## Default.
exit_code=0
## Parses AppArmor denial logs to hide unnecessary information and remove duplicates.
output_denied="$(journalctl _TRANSPORT=audit --output cat "${@}" | grep "DENIED" | sed -e 's/pid=.* comm/comm/g' | sed -e 's/ fsuid.*//g' | awk '!x[$0]++')"
if [ ! "$output_denied" = "" ]; then
exit_code=1
echo "$output_denied"
fi
output_allowed="$(journalctl _TRANSPORT=audit --output cat "${@}" | grep "ALLOWED" | sed -e 's/pid=.* comm/comm/g' | sed -e 's/ fsuid.*//g' | awk '!x[$0]++')"
if [ ! "$output_allowed" = "" ]; then
exit_code=1
echo "$output_allowed"
fi
exit "$exit_code"

24
usr/sbin/apparmor-watch#security-misc-shared Executable file
View file

@ -0,0 +1,24 @@
#!/bin/bash
## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/22
## Not using sudo hardcoded below.
## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/29
if [ "$(id -u)" != "0" ]; then
echo "ERROR: Must run as root." >&2
echo "sudo $0" >&2
exit 112
fi
while read -r -d $'\n' line; do
line=$(echo "$line" | grep "ALLOWED\|DENIED")
line=$(echo "$line" | sed -e 's/pid=.* comm/comm/g')
line=$(echo "$line" | sed -e 's/ fsuid.*//g')
if [ "$line" = "" ]; then
continue
fi
echo "$line"
done < <( journalctl _TRANSPORT=audit --follow --lines=0 --output cat "${@}" )