feat(aa-log): add -a option to anonymize the logs.

2023-05-06 12:18:20 +01:00 · 2023-05-06 12:18:20 +01:00 · 538da05696
commit 538da05696
parent 26bd9350f2
4 changed files with 117 additions and 7 deletions
--- a/pkg/logs/logs.go
+++ b/pkg/logs/logs.go
@ -8,6 +8,7 @@ import (
 	"bufio"
 	"fmt"
 	"io"
+	"os/user"
 	"regexp"
 	"strings"

@ -28,6 +29,9 @@ const (
 	boldYellow = "\033[1;33m"
 )

+// Anonymized username
+const Username = "AAD"
+
 var (
 	quoted                bool
 	isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`)
@ -116,6 +120,29 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
 	return aaLogs
 }

+// Anonymize the logs before reporting
+func (aaLogs AppArmorLogs) Anonymize() {
+	user, _ := user.Current()
+	keys := []string{"name", "comm"}
+	regAnonymizeLogs := []struct {
+		regex *regexp.Regexp
+		repl  string
+	}{
+		{regexp.MustCompile(user.Username), Username},
+		{regexp.MustCompile(`/home/[^/]+`), `/home/` + Username},
+		{regexp.MustCompile(`[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*`), `b08dfa60-83e7-567a-1921-a715000001fb`},
+	}
+	for _, log := range aaLogs {
+		for _, key := range keys {
+			if _, ok := log[key]; ok {
+				for _, aa := range regAnonymizeLogs {
+					log[key] = aa.regex.ReplaceAllLiteralString(log[key], aa.repl)
+				}
+			}
+		}
+	}
+}
+
 // String returns a formatted AppArmor logs string
 func (aaLogs AppArmorLogs) String() string {
 	// Apparmor log states
--- a/pkg/logs/logs_test.go
+++ b/pkg/logs/logs_test.go
@ -261,3 +261,74 @@ func TestAppArmorLogs_String(t *testing.T) {
 		})
 	}
 }
+
+func TestAppArmorLogs_Anonymize(t *testing.T) {
+	tests := []struct {
+		name   string
+		aaLogs AppArmorLogs
+		want   AppArmorLogs
+	}{
+		{
+			name: "Anonymize Username",
+			aaLogs: AppArmorLogs{
+				{
+					"apparmor":       "ALLOWED",
+					"profile":        "foo",
+					"operation":      "file_perm",
+					"name":           "/home/foo/.bash_history",
+					"comm":           "bash",
+					"requested_mask": "rw",
+					"denied_mask":    "rw",
+					"parent":         "16001",
+				},
+			},
+			want: AppArmorLogs{
+				{
+					"apparmor":       "ALLOWED",
+					"profile":        "foo",
+					"operation":      "file_perm",
+					"name":           "/home/AAD/.bash_history",
+					"comm":           "bash",
+					"requested_mask": "rw",
+					"denied_mask":    "rw",
+					"parent":         "16001",
+				},
+			},
+		},
+		{
+			name: "Anonymize UUID",
+			aaLogs: AppArmorLogs{
+				{
+					"apparmor":       "ALLOWED",
+					"profile":        "drkonqi",
+					"operation":      "file_perm",
+					"name":           "/sys/devices/pci0000:00/0000:00:02.0/drm/card1/metrics/399d3001-97d6-4240-b065-4fb843138e17/id",
+					"comm":           "bash",
+					"requested_mask": "r",
+					"denied_mask":    "r",
+					"parent":         "16001",
+				},
+			},
+			want: AppArmorLogs{
+				{
+					"apparmor":       "ALLOWED",
+					"profile":        "drkonqi",
+					"operation":      "file_perm",
+					"name":           "/sys/devices/pci0000:00/0000:00:02.0/drm/card1/metrics/b08dfa60-83e7-567a-1921-a715000001fb/id",
+					"comm":           "bash",
+					"requested_mask": "r",
+					"denied_mask":    "r",
+					"parent":         "16001",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.aaLogs.Anonymize()
+			if !reflect.DeepEqual(tt.aaLogs, tt.want) {
+				t.Errorf("Anonymize() = %v, want %v", tt.aaLogs, tt.want)
+			}
+		})
+	}
+}