Apparmor denied event - /var/log/syslog - apache2 #2456

Closed
sighmon opened this issue Oct 19, 2017 · 1 comment · Fixed by #2550

sighmon commented Oct 19, 2017

Bug

Description

Since the 14/10/2017 I've seen a bunch of Alert Level 7 OSSEC warnings.

Steps to Reproduce

Standard SecureDrop install. Possibly after an unattended upgrade.

Expected Behavior

No alerts.

Actual Behavior

13 alerts similar to the one below.

OSSEC HIDS Notification.
2017 Oct 14

Received From: (app) x.x.x.x->/var/log/syslog
Rule: 100012 fired (level 7) -> "Apparmor denied event"
Portion of the log(s):

Oct 15 app kernel: [  xxx ] audit: type=1400 audit(xxx): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/xxx/status" pid=xxx comm="apache2" requested_mask="r" denied_mask="r" fsuid=xx ouid=0

 --END OF NOTIFICATION

Comments

Not sure if this is something to be worried about or a bug.

b-meson (Contributor) commented Oct 23, 2017

@sighmon This looks like a change to the Apache binary which means we may need to create new AppArmor profiles. I was able to reproduce this issue on a local install of SecureDrop, which seems like a SecureDrop wide issue that we need to fix. Thanks for reporting this!

redshiftzero modified the milestones: 0.5 Stretch, 0.5 Oct 25, 2017
redshiftzero added a commit that referenced this issue Nov 9, 2017
Add read access to /proc/[pid]/status (read access to /proc/[pid]/stat
was already granted in the AppArmor profile).

This fixes the spurious alerts reported in #2456 and #2507
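
An added example, not part of the issue thread or the SecureDrop code base: a triage script that parses AppArmor `DENIED` audit records like the one in the alert above and collapses per-pid `/proc` paths, so repeated alerts reduce to the distinct access a profile change would have to cover. The sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input modelled on the redacted alert above; every
# timestamp, pid and uid here is made up for the example.
SAMPLE_SYSLOG = """\
Oct 15 06:25:01 app kernel: [ 1201.100000] audit: type=1400 audit(1508048701.100:41): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/2211/status" pid=2211 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 15 06:25:02 app kernel: [ 1202.200000] audit: type=1400 audit(1508048702.200:42): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/2215/status" pid=2215 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 15 06:25:03 app kernel: [ 1203.300000] audit: type=1400 audit(1508048703.300:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/proc/2215/stat" pid=2215 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 15 06:26:00 app CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PROC_PID = re.compile(r"^/proc/\d+/")           # per-process procfs prefix


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, else None."""
    if "audit:" not in line:
        return None
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(text):
    """Count denials per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        # Collapse the pid so every worker's /proc/<pid>/status is one entry.
        path = PROC_PID.sub("/proc/[pid]/", f.get("name", ""))
        counts[(f.get("profile"), f.get("operation"), path, f.get("denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize(SAMPLE_SYSLOG).most_common():
        print(f"{n:3d}x profile={profile} op={op} path={path} mask={mask}")
```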