
To log the internet usage (visited URLs) of my local guest account, I asked the question "Monitor visited websites of guest account through any browser". After assigning the guest account the fixed UID 499 and setting up the iptables rule below, I am not getting the wanted log messages in /var/log/kern.log, but a message from AppArmor that it blocked the logging attempt.

How do I tell AppArmor to allow the guest account (random name, but fixed UID) to log its network usage through iptables?

The iptables rule I have set up:

sudo iptables -A OUTPUT -m owner --uid-owner 499 -j LOG --log-prefix='[GUEST INTERNET ACCESS] '

One example line of the messages that appear in /var/log/kern.log instead (reformatted for better readability):

Nov 18 11:19:22 wolf-pack kernel: 
 [ 1030.063374] audit: type=1400 audit(1447841962.731:164): 
   apparmor="DENIED" 
   operation="connect"
   profile="/usr/lib/lightdm/lightdm-guest-session"
   name="/run/systemd/journal/stdout"
   pid=4693
   comm="dbus-daemon"
   requested_mask="w"
   denied_mask="w"
   fsuid=499
   ouid=0

Further system information:

$ uname -a
Linux wolf-pack 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 15.10
Release:    15.10
Codename:   wily

$ unity --version
unity 7.3.2

$ apt-cache policy apparmor | grep Installed
  Installed: 2.10-0ubuntu6

$ iptables --version
iptables v1.4.21

The output of sudo apparmor_status:

apparmor module is loaded.
23 profiles are loaded.
23 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /sbin/dhclient (1138) 
   /usr/lib/telepathy/mission-control-5 (4700) 
   /usr/sbin/cups-browsed (777) 
   /usr/sbin/cupsd (5626) 
   /usr/sbin/cupsd (5651) 
   /usr/sbin/cupsd (5652) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Byte Commander
  • I have tried to create your issue on 3 computers, two servers and one VM desktop. It always works fine for me and the log messages appear fine in `/var/log/kern.log`. I think we need some more details about your specific setup. – Doug Smythies Nov 25 '15 at 20:18
  • @DougSmythies I will provide you any detail you want, but I have no idea what is needed to troubleshoot this issue. Did you try it for a normal account or the guest account on your machine by the way? – Byte Commander Nov 26 '15 at 11:57
  • I tried a normal account. I created a no password guest account, and tried that (on two servers). I tried the built in guest account and a no password guest account I created, on a VM desktop. I guess we need to know specifics as to which version of Ubuntu you are using and desktop details (unity or gnome or?). – Doug Smythies Nov 26 '15 at 14:33
  • @DougSmythies I use Unity DE on 15.10 64bit. Added `uname -a`, `lsb_release -a`, `unity --version`, `apt-cache policy apparmor | grep Installed` and `iptables --version` to the question. – Byte Commander Nov 26 '15 at 14:47
  • @DougSmythies I also added the output of `apparmor_status`, does that help? Do you need anything else? – Byte Commander Nov 27 '15 at 16:15
  • I still haven't been able to recreate your issue on any of my computers. – Doug Smythies Nov 27 '15 at 16:19
  • As per the OP's request - I've moved my answer to the linked question. I originally added it here, since this question isn't related to the resolution of the original problem. IP/TCP packet level information is not the place to look for URLs. – Marcin Kaminski Nov 30 '15 at 16:44
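The denial line quoted in the question can be parsed mechanically to see exactly which profile, process and path were involved, and to tell such denials apart from the iptables LOG lines the rule was meant to produce. This is an added example, not code from the question or its answers; the two log lines inside it are constructed samples modelled on the excerpt above, and the shape of the `[GUEST INTERNET ACCESS]` LOG line is an assumption, not something the asker posted.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines, modelled on the kern.log excerpt in the question:
# one AppArmor denial (fields joined back onto a single line) and one line of
# the kind an iptables LOG rule with prefix '[GUEST INTERNET ACCESS] ' would emit.
SAMPLE_LOG = """\
Nov 18 11:19:22 wolf-pack kernel: [ 1030.063374] audit: type=1400 audit(1447841962.731:164): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/stdout" pid=4693 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=499 ouid=0
Nov 18 11:19:23 wolf-pack kernel: [ 1031.000001] [GUEST INTERNET ACCESS] IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=80 UID=499 GID=499
"""

# key=value pairs: quoted values (which may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line: str) -> Dict[str, str]:
    """Return the key=value pairs of a kernel audit/LOG line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(line: str) -> str:
    """Tell an AppArmor denial apart from the iptables LOG line we actually want."""
    fields = parse_fields(line)
    if fields.get("type") == "1400" and fields.get("apparmor") == "DENIED":
        return "apparmor_denied"
    if "[GUEST INTERNET ACCESS]" in line:
        return "guest_iptables_log"
    return "other"

def summarize(log: str) -> Dict[str, int]:
    """Count lines per class, e.g. to see whether any LOG lines got through at all."""
    return dict(Counter(classify(l) for l in log.splitlines() if l.strip()))

def denials_for_uid(log: str, uid: int) -> List[str]:
    """Describe every AppArmor denial raised by a process running as the given fsuid."""
    out = []
    for line in log.splitlines():
        if classify(line) != "apparmor_denied":
            continue
        f = parse_fields(line)
        if f.get("fsuid") != str(uid):
            continue
        out.append(f"profile {f.get('profile', '?')} denied {f.get('operation', '?')} by "
                   f"{f.get('comm', '?')} (pid {f.get('pid', '?')}) on {f.get('name', '?')} "
                   f"[mask {f.get('denied_mask', '?')}]")
    return out
```

Running `denials_for_uid(SAMPLE_LOG, 499)` on the sample shows that the denied operation belongs to dbus-daemon under the lightdm-guest-session profile writing to the journal socket, which is the detail to check against the profile before changing anything.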

1 Answer

I think your intention is clear here and in the other question you linked to: log URLs of websites visited by anyone using any application as the guest user.

Suggesting iptables logging to achieve this task isn't correct. iptables (without some obscure, performance-limiting extensions) works on the IP protocol, not on the application level.

I've also seen suggestions in the URLs posted as comments: responders suggested only capturing packets with SYN flags (new connections). That, too, results from the misunderstanding described above.

The way to achieve what you want is:

  1. Install a web proxy (preferably lightweight, such as tinyproxy).
  2. Add iptables rules that redirect outgoing connections made by only a specific user to ports 80,443/tcp to the local proxy.

What I had in mind is described here (not my post). This way you get a web proxy log which has all the HTTP requests logged. You won't get logs related to SSL protected traffic though, which is a good thing.

To reiterate: URLs are not part of the IP or TCP header structure, thus something working on the IP/TCP level isn't going to be able to show you this data, unless it has some TCP dissector (tcpdump/wireshark are able to do this but not iptables alone).

Marcin Kaminski
  • Your answer is not really addressing my question here but the one I linked (where you posted and afterwards deleted the same answer). Please remove your answer here and undelete the other one. – Byte Commander Nov 30 '15 at 13:29