Move apparmor-info, apparmor-watch to security-misc, enable systemd-journald audit transport

2025-11-25 13:26:21 -05:00 · 2025-10-30 23:05:19 -05:00 · 2025-10-30 23:05:19 -05:00 · d1e148eba7
commit d1e148eba7
parent b168c37e84
9 changed files with 164 additions and 0 deletions
--- a/auto-generated-man-pages/apparmor-info.8
+++ b/auto-generated-man-pages/apparmor-info.8
@ -0,0 +1,25 @@
+.\" generated with Ronn-NG/v0.10.1
+.\" http://github.com/apjanke/ronn-ng/tree/0.10.1
+.TH "APPARMOR\-INFO" "8" "January 2020" "security-misc" "security-misc Manual"
+.SH "NAME"
+\fBapparmor\-info\fR \- Shows AppArmor DENIED Log Messages
+.SH "SYNOPSIS"
+\fBapparmor\-info\fR
+.SH "DESCRIPTION"
+Shows AppArmor DENIED log messages\.
+.P
+If there are no DENIED log messages, outputs nothing\.
+.SH "RETURN VALUES"
+.IP "\(bu" 4
+\fB0\fR No DENIED messages found, OK\.
+.IP "\(bu" 4
+\fB1\fR DENIED messages found\.
+.IP "" 0
+.SH "EXAMPLE"
+\fBsudo apparmor\-info ; echo $?\fR
+.P
+\fB0\fR
+.P
+No output from \fBapparmor\-info\fR with exit code \fB0\fR\. Meaning, no \fBDENIED\fR messages found, OK\.
+.SH "AUTHOR"
+This man page has been written by Patrick Schleizer (adrelanos@whonix\.org)\.
--- a/auto-generated-man-pages/apparmor-watch.8
+++ b/auto-generated-man-pages/apparmor-watch.8
@ -0,0 +1,13 @@
+.\" generated with Ronn-NG/v0.10.1
+.\" http://github.com/apjanke/ronn-ng/tree/0.10.1
+.TH "APPARMOR\-WATCH" "8" "January 2020" "security-misc" "security-misc Manual"
+.SH "NAME"
+\fBapparmor\-watch\fR \- Watch AppArmor DENIED and ALLOWED Log Messages
+.SH "SYNOPSIS"
+\fBapparmor\-watch\fR
+.SH "DESCRIPTION"
+Watches for AppArmor \fBDENIED\fR and \fBALLOWED\fR log messages\.
+.SH "EXAMPLE"
+\fBsudo apparmor\-watch\fR
+.SH "AUTHOR"
+This man page has been written by Patrick Schleizer (adrelanos@whonix\.org)\.
--- a/debian/rules
+++ b/debian/rules
@ -8,5 +8,10 @@
 %:
 	dh $@ --with=config-package

+override_dh_installman:
+	mkdir --parents -- debian/security-misc-shared/usr/share/man/man8
+	gzip -c -9 -- auto-generated-man-pages/apparmor-info.8 > debian/security-misc-shared/usr/share/man/man8/apparmor-info.8.gz
+	gzip -c -9 -- auto-generated-man-pages/apparmor-watch.8 > debian/security-misc-shared/usr/share/man/man8/apparmor-watch.8.gz
+
 override_dh_installchangelogs:
 	dh_installchangelogs changelog.upstream upstream
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@ -118,6 +118,8 @@ usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/s
 usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf
 usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
 usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf
+usr/sbin/apparmor-info#security-misc-shared => /usr/sbin/apparmor-info
+usr/sbin/apparmor-watch#security-misc-shared => /usr/sbin/apparmor-watch
 usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
 usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm
 usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc
--- a/debian/security-misc-shared.postinst
+++ b/debian/security-misc-shared.postinst
@ -103,6 +103,9 @@ case "$1" in
            chmod 0600 "${usbguard_config_file}"
          fi
        done
+
+        ## Enable systemd-journald audit transport
+        deb-systemd-helper enable systemd-journald-audit.socket
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
--- a/man/apparmor-info.8.ronn
+++ b/man/apparmor-info.8.ronn
@ -0,0 +1,34 @@
+apparmor-info(8) -- Shows AppArmor DENIED Log Messages
+=============================================
+
+<!--
+# Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+# See the file COPYING for copying conditions.
+-->
+
+## SYNOPSIS
+
+`apparmor-info`
+
+## DESCRIPTION
+
+Shows AppArmor DENIED log messages.
+
+If there are no DENIED log messages, outputs nothing.
+
+## RETURN VALUES
+* `0` No DENIED messages found, OK.
+* `1` DENIED messages found.
+
+## EXAMPLE
+
+`sudo apparmor-info ; echo $?`
+
+`0`
+
+No output from `apparmor-info` with exit code `0`.
+Meaning, no `DENIED` messages found, OK.
+
+## AUTHOR
+
+This man page has been written by Patrick Schleizer (adrelanos@whonix.org).
--- a/man/apparmor-watch.8.ronn
+++ b/man/apparmor-watch.8.ronn
@ -0,0 +1,23 @@
+apparmor-watch(8) -- Watch AppArmor DENIED and ALLOWED Log Messages
+=============================================
+
+<!--
+# Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+# See the file COPYING for copying conditions.
+-->
+
+## SYNOPSIS
+
+`apparmor-watch`
+
+## DESCRIPTION
+
+Watches for AppArmor `DENIED` and `ALLOWED` log messages.
+
+## EXAMPLE
+
+`sudo apparmor-watch`
+
+## AUTHOR
+
+This man page has been written by Patrick Schleizer (adrelanos@whonix.org).
--- a/usr/sbin/apparmor-info#security-misc-shared
+++ b/usr/sbin/apparmor-info#security-misc-shared
@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/22
+
+## Not using sudo hardcoded below.
+## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/29
+if [ "$(id -u)" != "0" ]; then
+   echo "ERROR: Must run as root." >&2
+   echo "sudo $0" >&2
+   exit 112
+fi
+
+## Default.
+exit_code=0
+
+## Parses AppArmor denial logs to hide unnecessary information and remove duplicates.
+
+output_denied="$(journalctl _TRANSPORT=audit --output cat "${@}" | grep "DENIED" | sed -e 's/pid=.* comm/comm/g' | sed -e 's/ fsuid.*//g' | awk '!x[$0]++')"
+
+if [ ! "$output_denied" = "" ]; then
+   exit_code=1
+   echo "$output_denied"
+fi
+
+output_allowed="$(journalctl _TRANSPORT=audit --output cat "${@}" | grep "ALLOWED" | sed -e 's/pid=.* comm/comm/g' | sed -e 's/ fsuid.*//g' | awk '!x[$0]++')"
+
+if [ ! "$output_allowed" = "" ]; then
+   exit_code=1
+   echo "$output_allowed"
+fi
+
+exit "$exit_code"
--- a/usr/sbin/apparmor-watch#security-misc-shared
+++ b/usr/sbin/apparmor-watch#security-misc-shared
@ -0,0 +1,24 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/22
+
+## Not using sudo hardcoded below.
+## https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/29
+if [ "$(id -u)" != "0" ]; then
+   echo "ERROR: Must run as root." >&2
+   echo "sudo $0" >&2
+   exit 112
+fi
+
+while read -r -d $'\n' line; do
+   line=$(echo "$line" | grep "ALLOWED\|DENIED")
+   line=$(echo "$line" | sed -e 's/pid=.* comm/comm/g')
+   line=$(echo "$line" | sed -e 's/ fsuid.*//g')
+   if [ "$line" = "" ]; then
+      continue
+   fi
+   echo "$line"
+done < <( journalctl _TRANSPORT=audit --follow --lines=0 --output cat "${@}" )