jack-ullery / AppAnvil

Graphical user interface for the AppArmor security module (in-progress)
GNU General Public License v3.0

Use libapparmor for parsing logs #47

Closed jack-ullery closed 1 year ago

jack-ullery commented 1 year ago

This update changes (yet again) how logs are queried and parsed.

Before, we would use journalctl to query the logs, and jsoncpp to parse them. This had the benefit of comprehensively returning each AppArmor log. The only problem was that it slowed down the interface considerably after a few thousand logs.

Instead, I built a system to parse the logs using libapparmor, which is a library used to parse logs directly from files in /var/log. This should be considerably faster, but requires us to manually specify which log files to read.

Currently, we are only reading logs from /var/log/kern.log and /var/log/dmesg, but it may eventually be helpful to read from the syslog, which would allow us to read many more logs.

Another limitation with our implementation is that we can only read logs that a user would normally have permission for. We cannot read any logs that would require super-user privileges.

jack-ullery commented 1 year ago

Added the capability to read from /var/log/syslog. This still does not include all the DENIED logs we might be interested in. Eventually we should also query auditd logs from /var/log/audit/audit.log, maybe using ausearch.
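As an added illustration of the record parsing this PR moves to libapparmor, and not AppAnvil's own code (which calls libapparmor's C API rather than a regex), here is a pure-Python extractor for the key=value fields of AppArmor records as they appear in kern.log and audit.log lines, keeping only DENIED events and skipping files the current user cannot open. The sample lines and file path are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample lines (not real captures) in the shapes found in
# /var/log/kern.log (kernel audit prefix) and /var/log/audit/audit.log (type=AVC).
SAMPLE_LINES = [
    'Jan 10 12:00:01 host kernel: [  123.456] audit: type=1400 audit(1704888001.123:42): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" '
    'pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1704888002.456:43): apparmor="ALLOWED" operation="exec" '
    'profile="/usr/bin/example" name="/bin/sh" pid=1235 comm="example" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/example//null-/bin/sh"',
    'Jan 10 12:00:03 host kernel: [  124.000] usb 1-1: new high-speed USB device',
]

# Matches key="quoted value" or key=bare_value; group 1 is the key, group 2 the raw value.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The audit(<epoch>.<millis>:<serial>) stamp shared by both line formats.
_AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
_INT_FIELDS = {"pid", "fsuid", "ouid"}


def parse_apparmor_record(line: str) -> Optional[dict]:
    """Return the fields of one AppArmor record, or None if the line is not one."""
    if 'apparmor="' not in line:
        return None
    record = {}
    stamp = _AUDIT_RE.search(line)
    if stamp:
        record["epoch"] = int(stamp.group(1))
        record["audit_id"] = int(stamp.group(2))
    for key, raw in _FIELD_RE.findall(line):
        if key in ("type", "msg"):  # audit framing, not AppArmor data
            continue
        value = raw[1:-1] if raw.startswith('"') else raw
        record[key] = int(value) if key in _INT_FIELDS else value
    return record

def denied_records(lines) -> list:
    """Keep only DENIED records, in file order, as a scan of kern.log would surface them."""
    parsed = (parse_apparmor_record(line) for line in lines)
    return [r for r in parsed if r is not None and r.get("apparmor") == "DENIED"]

def read_log_lines(path: str) -> list:
    """Read one log file; a file this user cannot open (e.g. audit.log) is skipped, not fatal."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    except (PermissionError, FileNotFoundError):
        return []
```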