Invalid mode found: AUDITING

Bug #1358705 reported by Paweł Krawczyk
This bug affects 1 person
Affects: AppArmor
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

aa-logprof crashes with the following error:

Invalid mode found: AUDITING
  File "/usr/sbin/aa-genprof", line 150, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2270, in do_logprof_pass
    ask_the_questions()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1518, in ask_the_questions
    fatal_error(_('Invalid mode found: %s') % aamode)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 133, in fatal_error
    tb_stack = traceback.format_list(traceback.extract_stack())

when I have some processes running in AUDIT mode.

Christian Boltz (cboltz) wrote :

Can you please attach some example log lines that cause this? (Typical log locations are /var/log/audit/audit.log, /var/log/messages or /var/log/syslog)

This probably needs to be fixed in logparser.py add_event_to_tree() (which is expected to ignore audit events) - but I'll need the log sample to get it right.

Paweł Krawczyk (pawel-krawczyk) wrote : Re: [Bug 1358705] Invalid mode found: AUDITING

Hi Christian,

I think these lines are causing it:

Aug 19 11:35:48 kautsky kernel: [ 1545.990026] type=1400 audit(1408448148.700:7093): apparmor="AUDIT" operation="accept" profile="/usr/sbin/nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6
Aug 19 11:35:48 kautsky kernel: [ 1545.990060] type=1400 audit(1408448148.700:7094): apparmor="AUDIT" operation="accept" profile="/usr/sbin/nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6

I was able to fix the crash by adding the following lines after line 1515 in /usr/lib/python3/dist-packages/apparmor/aa.py, but this probably needs verifying for overall business logic compliance (as audit mode is a combination of enforcement and complain):

        elif aamode == 'AUDITING':
            aaui.UI_Info(_('Audit-mode changes:'))


--
Pawel Krawczyk
<email address hidden> +44 7879 180015
CISSP, OWASP

Christian Boltz (cboltz) wrote :

Actually AUDIT events need to be skipped by aa-logprof - they are already known to the profile, so there's no reason to ask about them.

Thanks for the log lines - I'm able to reproduce the problem with them.

The real problem was a typo - the code uses "AUDIT" everywhere, except at one place that accidentally contained "AUDITING".

The following patch fixes it:

=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2014-08-18 19:01:38 +0000
+++ utils/apparmor/logparser.py 2014-08-20 11:26:09 +0000
@@ -151,7 +151,7 @@
             # Convert aamode values to their counter-parts
             mode_convertor = {0: 'UNKNOWN',
                               1: 'ERROR',
- 2: 'AUDITING',
+ 2: 'AUDIT',
                               3: 'PERMITTING',
                               4: 'REJECTING',
                               5: 'HINT',
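Review bot: the corrected entry for key 2 in mode_convertor has no regression test, and nothing next to the table says which strings the callers compare against. Because the neighbouring values 'PERMITTING' and 'REJECTING' end in -ING, 'AUDITING' looks plausible and could be reintroduced by a later cleanup. Suggest a short comment on the 2: 'AUDIT', line saying the spelling is intentional, plus a test that feeds an apparmor="AUDIT" log line (such as the two in this report) through the parser and asserts the event is skipped rather than reaching the 'Invalid mode found' error.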

Paweł Krawczyk (pawel-krawczyk) wrote :

Cool, happy I could help!


--
Pawel Krawczyk
<email address hidden> +44 7879 180015
CISSP, OWASP

Christian Boltz (cboltz) wrote :

Fix committed to bzr trunk r2589.

2.9 beta2 will contain the fixed logparser.py.

Changed in apparmor:
status: New → Fix Committed
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
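
The behaviour discussed in this thread (AUDIT events are skipped because the profile already covers them, while other events are kept for review) can be reproduced on the reported log lines with a small stand-alone triage script. This is an added example, not part of the thread or of the AppArmor code base; the function names, the SKIP/REVIEW sets and every sample line marked "constructed" are assumptions made for illustration.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in AppArmor kernel audit lines
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SKIP = {"AUDIT"}                # permitted by an existing rule, only logged
REVIEW = {"ALLOWED", "DENIED"}  # complain-mode and enforce-mode events

def parse_event(line):
    """Return the fields of one AppArmor audit line, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def triage(lines):
    """Split events into those needing review and those with another mode."""
    to_review, other, counts = [], [], Counter()
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        mode = event.get("apparmor")
        counts[mode] += 1
        if mode in SKIP:
            continue                # nothing to ask the administrator about
        # Unrecognised modes are collected for reporting instead of aborting.
        (to_review if mode in REVIEW else other).append(event)
    return to_review, other, counts

SAMPLE = [
    # The two lines from this bug report:
    'Aug 19 11:35:48 kautsky kernel: [ 1545.990026] type=1400 audit(1408448148.700:7093): apparmor="AUDIT" operation="accept" profile="/usr/sbin/nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6',
    'Aug 19 11:35:48 kautsky kernel: [ 1545.990060] type=1400 audit(1408448148.700:7094): apparmor="AUDIT" operation="accept" profile="/usr/sbin/nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6',
    # Constructed lines, not from the report:
    'Aug 19 11:36:02 kautsky kernel: [ 1560.000001] type=1400 audit(1408448162.000:7101): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/srv/private/key.pem" pid=6660 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    'Aug 19 11:36:03 kautsky kernel: [ 1561.000001] type=1400 audit(1408448163.000:7102): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/nginx" name="/run/nginx.tmp" pid=6660 comm="nginx" requested_mask="c" denied_mask="c" fsuid=33 ouid=33',
    'Aug 19 11:36:04 kautsky kernel: [ 1562.000001] type=1400 audit(1408448164.000:7103): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/nginx" pid=7001 comm="apparmor_parser"',
    'Aug 19 11:36:05 kautsky sshd[7010]: Accepted publickey for admin',
]

if __name__ == "__main__":
    review, other, counts = triage(SAMPLE)
    print(dict(counts))
    for ev in review:
        print(ev["apparmor"], ev["operation"], ev["profile"], ev.get("name"))
    print("other modes:", [ev["apparmor"] for ev in other])
```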