Merge ~bryce/ubuntu/+source/logwatch:fix-unmatched-entries-groovy into ubuntu/+source/logwatch:ubuntu/devel

Proposed by Bryce Harrington
Status: Merged
Merged at revision: a1388e93369f955a44ef06a0374c678d7b9fc643
Proposed branch: ~bryce/ubuntu/+source/logwatch:fix-unmatched-entries-groovy
Merge into: ubuntu/+source/logwatch:ubuntu/devel
Diff against target: 649 lines (+561/-1)
13 files modified
debian/changelog (+39/-0)
debian/control (+1/-1)
debian/patches/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch (+42/-0)
debian/patches/0012-postfix-Handle-backwards-compatible-mode.patch (+74/-0)
debian/patches/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch (+32/-0)
debian/patches/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch (+52/-0)
debian/patches/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch (+51/-0)
debian/patches/0016-audit-Flag-apparmor-confinement-drops.patch (+62/-0)
debian/patches/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch (+36/-0)
debian/patches/0018-audit-Handle-apparmor-errors-on-DENIED-messages.patch (+56/-0)
debian/patches/0019-exim-Handle-self-signed-certs-warnings.patch (+73/-0)
debian/patches/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch (+32/-0)
debian/patches/series (+11/-0)
Reviewer Review Type Date Requested Status
Seth Arnold (community) Approve
Canonical Server Pending
Canonical Server Core Reviewers Pending
Canonical Server packageset reviewers Pending
Review via email: mp+389633@code.staging.launchpad.net

Description of the change

Collection of bugfixes for unmatched entries for various things, and a couple other cleanups to make the logwatch output on Ubuntu more coherent and useful.

There is not (yet) an autopkgtest for logwatch. To test the bugs, I concat the original log message (or a close facsimile) to the appropriate system log file, then run logwatch before and after, to verify the unfixed logwatch marks the log entry 'Unmatched' and the fixed logwatch either ignores it or categorizes it properly. You might doublecheck my judgment on what is shown vs. suppressed, particularly with the AppArmor entries.

I've forwarded most of the patches upstream in an MP on sourceforge. The one I did not forward turns off some system status reporting (cpu and mem info); these require perl modules that we do not install by default. If someone does install them, the info will display, but otherwise it'll silently ignore the error. I expect upstream will prefer to retain these modules.

If you do test-run this logwatch on your local system, and any other Unmatched Entries pop up unrelated to the ones addressed in this MP, please feel free to file bug reports on each of them and I'll followup with fixes later.

(Once this is landed in groovy, and upstream has accepted and landed the patches, I plan to SRU many of these to past LTS's. So if you see anything that gives you concern regarding SRU worthiness on any of the fixes, let me know.)

PPA: https://launchpad.net/~bryce/+archive/ubuntu/logwatch-fix-unmatched-entries-groovy

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I've got a few small comments on the AppArmor portions of the summaries. Thanks!

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Small suggestion in the changelog.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Seth, Bryce is off this week and I want to make logwatch land in groovy before the freeze. I replied to one of your inline comments to check if I got what you proposed. The other 2 comments I believe you just asked to change the message printed, so that's easier.

Revision history for this message
Bryce Harrington (bryce) wrote :
Download full text (9.3 KiB)

Hi Lucas, thanks for taking this over.

I had done some work on updates for the review feedback. I've pushed
two branches to sourceforge:

  https://sourceforge.net/u/bryce/logwatch-from-ubuntu/ci/master/tree/

  review-updates.0 - Original MP
  review-updates.1 - Plus changes (unsquashed) for review feedback

I plan to squash and re-proposed the MP for upstream, but wanted to
investigate the securetty issue upstream raised first, but it proved
elusive. Probably best to omit that patch for now (it can be landed
post-FF as a bug fix if needed). But I think I got Seth's feedback
addressed so you can see what I did.

A couple comments below:

On Tue, Aug 25, 2020 at 08:04:18PM -0000, Lucas Kanashiro wrote:
> Seth, Bryce is off this week and I want to make logwatch land in groovy before the freeze. I replied to one of your inline comments to check if I got what you proposed. The other 2 comments I believe you just asked to change the message printed, so that's easier.
>
> Diff comments:
>
> > diff --git a/debian/patches/0016-audit-Flag-apparmor-confinement-drops.patch b/debian/patches/0016-audit-Flag-apparmor-confinement-drops.patch
> > new file mode 100644
> > index 0000000..c49cc27
> > --- /dev/null
> > +++ b/debian/patches/0016-audit-Flag-apparmor-confinement-drops.patch
> > @@ -0,0 +1,62 @@
> > +From d231dab4a735c490edf3a7cf3e0da5e84b127074 Mon Sep 17 00:00:00 2001
> > +From: Bryce Harrington <email address hidden>
> > +Date: Thu, 20 Aug 2020 04:41:24 +0000
> > +Subject: [PATCH 06/10] audit: Flag apparmor confinement drops
> > +
> > +Switching an apparmor profile to unconfined drops protections for that
> > +service. This might be innocuous if it's done intentionally or
> > +accidentally, but it could also indicate a security issue so the issue
> > +should be summarized and displayed in the report.
> > +
> > +Fixes: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948
> > +Signed-off-by: Bryce Harrington <email address hidden>
> > +---
> > + scripts/services/audit | 13 ++++++++++++-
> > + 1 file changed, 12 insertions(+), 1 deletion(-)
> > +
> > +Origin: vendor
> > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948
> > +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/
> > +Last-Updated: 2020-08-20
> > +
> > +diff --git a/scripts/services/audit b/scripts/services/audit
> > +index b12f710..fd63f8e 100644
> > +--- a/scripts/services/audit
> > ++++ b/scripts/services/audit
> > +@@ -36,7 +36,7 @@
> > + use strict;
> > + use Logwatch ':all';
> > +
> > +-my (%denials, %grants, %loads);
> > ++my (%denials, %grants, %loads, %unconfineds);
> > + my %OtherList;
> > + my $othercount = 0;
> > + my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0);
> > +@@ -131,6 +131,10 @@ while ($ThisLine = <STDIN>) {
> > + if ( $ThisLine =~ /apparmor="STATUS" operation="profile_(load|replace)" name="([^"]+)"/ ) {
> > + # type=1400 audit(1314853473.168:33616): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=26566 comm="apparmor_parser"
> > + $loads{$2}++;
> > ++ } elsif ( $ThisLine =~ /apparmor="STATUS" operation="profile_(...

Read more...

Revision history for this message
Seth Arnold (seth-arnold) :
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Bryce and Seth for your feedback! I prepared a new branch here based on what Bryce has done:

https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/logwatch/+git/logwatch/+ref/update-bryce-changes

Could any of you ack the changes made in the HEAD of this branch before I move forward with the upload? I dropped the patch which is under discussion as Bryce mentioned, squashed a couple of patches (based on the new branch Bryce has proposed to upstream), and added a new one to use ALLOWED instead of Grants in the audit script (as proposed by Seth and +1 by Bryce).

Many thanks in advance!

Revision history for this message
Seth Arnold (seth-arnold) wrote :

The squashed changes in Lucas's linked branch look good to me. Thanks!

review: Approve
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

To make our life easier in the next merge I split my commit in some others (also updated changelog):

https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/logwatch/+git/logwatch/+ref/update-bryce-changes

The content is the same. I am uploading it now.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Uploaded:

$ git push pkg upload/7.5.4-0ubuntu2
Enumerating objects: 93, done.
Counting objects: 100% (93/93), done.
Delta compression using up to 8 threads
Compressing objects: 100% (87/87), done.
Writing objects: 100% (87/87), 20.03 KiB | 1.25 MiB/s, done.
Total 87 (delta 58), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/logwatch
 * [new tag] upload/7.5.4-0ubuntu2 -> upload/7.5.4-0ubuntu2

$ dput ubuntu ../logwatch_7.5.4-0ubuntu2_source.changes
Checking signature on .changes
gpg: ../logwatch_7.5.4-0ubuntu2_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../logwatch_7.5.4-0ubuntu2.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading logwatch_7.5.4-0ubuntu2.dsc: done.
  Uploading logwatch_7.5.4-0ubuntu2.debian.tar.xz: done.
  Uploading logwatch_7.5.4-0ubuntu2_source.changes: done.
Successfully uploaded packages.

There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches