aa-logprof and aa-genprof work only with audit.log not syslog
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apparmor (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
Ubuntu 14.10
apparmor 2.8.98-0ubuntu2
Analyzing the logs with aa-logprof works when the logs are written by audid:
# aa-logprof -f /var/log/
Reading log entries from /var/log/
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
WARN: unknown capability: CAP_setgid
Profile: /usr/sbin/havp
Capability: setgid
Severity: unknown
[1 - #include <abstractions/
2 - #include <abstractions/
3 - capability setgid
[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
It does not work when the logs are written to /var/log/syslog
root@apparmor:~# aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
One contained message:
Mar 15 13:20:07 test kernel: [ 3349.757377] audit: type=1400 audit(142642200
| Christian Boltz (cboltz) wrote | #1 |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in apparmor (Ubuntu): | |
| status: | New → Confirmed |
| Thomas d'Otreppe (thomas-dotreppe) wrote | #3 |
| tags: | added: aa-tools |
That sounds like bug 1399027.
The libapparmor part is fixed in 2.9.1, the python side is only fixed in bzr (will be in 2.9.2). The openSUSE 13.2 update package and Factory already have the patch added to the package.
I'll let this bug open for Ubuntu - providing updated packages would make sense ;-)