jack-ullery / AppAnvil

Graphical user interface for the AppArmor security module (in-progress)
GNU General Public License v3.0

Read logs from auditd #50

Closed jack-ullery closed 1 year ago

jack-ullery commented 1 year ago

This allows AppAnvil to read additional logs from auditd.

Changes

Add flag to aa-caller

Added a flag "-l" to aa-caller. When aa-caller -l is executed, it calls ausearch to return a list of logs that may pertain to apparmor. Some of the logs might not be apparmor related.

Furthermore, this generates a randomly named checkpoint file that ausearch can use to save progress. The file's name has the following format: /tmp/appanvil_[random], where [random] is a random number. This filename is printed on the first line of output from aa-caller. Afterwards, the user can execute aa-caller -l [filename] to get any new logs. See the checkpoint option in man ausearch for more information.

Use aa-caller when reading logs

Now the LogReader class also queries aa-caller when reading logs, so that they are shown in AppAnvil.

Minor changes to pkexec policy

I noticed that the pkexec policy does not actually point to the final installed location of aa-caller. I fixed that in this update. Ideally, we should configure that location automatically when CMake is called.

Possible issues

It may be possible for auditd and syslog to store duplicate entries for the same event. This would show as duplicate entries in AppAnvil.

Like I said earlier, I should probably configure the pkexec policy dynamically when CMake is built.
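As an added example (not code from AppAnvil or this PR), the following shows how a log reader could take the raw records that ausearch returns through aa-caller, keep only the AppArmor-related ones, and drop the duplicate that results when auditd and syslog both record the same event, keyed on the audit timestamp:serial id that both formats carry. The sample lines are constructed to follow the standard audit record layout; the function and field names are this example's own.

```python
import re

# Every audit record carries "audit(<epoch.ms>:<serial>)"; the same id appears in
# the auditd/ausearch form and in the kernel/syslog form of one event.
AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
# AppArmor records have an apparmor="..." field (DENIED, ALLOWED, STATUS, ...).
APPARMOR_FIELD = re.compile(r'\bapparmor="([A-Z_]+)"')
# key=value pairs, values either quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the fields of an AppArmor audit record as a dict, or None when the
    line is not AppArmor related (e.g. the SYSCALL record that shares its id)."""
    m = AUDIT_ID.search(line)
    if m is None or APPARMOR_FIELD.search(line) is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields["audit_id"] = f"{m.group(1)}:{m.group(2)}"
    return fields


def merge_logs(*sources):
    """Merge record lines from several sources (ausearch output, syslog) in
    order, skipping non-AppArmor lines and any event already seen."""
    seen = set()
    merged = []
    for source in sources:
        for line in source:
            rec = parse_record(line)
            if rec is None or rec["audit_id"] in seen:
                continue
            seen.add(rec["audit_id"])
            merged.append(rec)
    return merged


# Constructed sample input: two sources that both saw event 456.
AUSEARCH_LINES = [
    'type=AVC msg=audit(1700000000.123:456): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13',
    'type=AVC msg=audit(1700000001.500:457): apparmor="ALLOWED" operation="exec" '
    'profile="/usr/bin/example" name="/bin/ls" pid=1235 comm="example"',
]
SYSLOG_LINES = [
    'Nov 14 10:00:00 host kernel: audit: type=1400 audit(1700000000.123:456): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" '
    'pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

if __name__ == "__main__":
    for rec in merge_logs(AUSEARCH_LINES, SYSLOG_LINES):
        print(rec["audit_id"], rec["apparmor"], rec["profile"], rec["name"])
```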