AppArmor

aa-notify, aa-genprof: use audispd instead of parsing logs

Bug #1597671 reported by intrigeri on 2016-06-30

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Won't Fix	Undecided	Unassigned

Bug Description

In the discussion that starts at https://bugs.debian.org/759604#55, linux-audit people suggest that a realtime audit event analysis tool should use audispd instead of parsing logs. They pointed us to two possible ways to implement it.

Tags:

Christian Boltz (cboltz) on 2016-10-13

tags:

added: aa-tools

Revision history for this message

intrigeri (intrigeri) wrote on 2017-06-29:

And we got a bug report about aa-genprof not working on a journald-only setup without /var/log/syslog: https://bugs.debian.org/866340. So presumably all utils that currently parse syslog should learn how to use audispd instead of syslog files.

summary:

- aa-notify: use audispd instead of parsing logs
+ aa-notify, aa-genprof: use audispd instead of parsing logs

Bug Watch Updater (bug-watch-updater) on 2017-06-29

Changed in apparmor (Debian):
status:	Unknown → Confirmed

Revision history for this message

intrigeri (intrigeri) wrote on 2018-12-16:

* https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html
* https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1117804

Revision history for this message

intrigeri (intrigeri) wrote on 2022-02-12:

See also https://gitlab.com/apparmor/apparmor/-/issues/213, where jj shared more workarounds.

Revision history for this message

intrigeri (intrigeri) wrote on 2022-02-14:

While this could work for real-time log analysis tools such as aa-genprof, assuming we're fine with requiring auditd (which is currently considered to be a workaround), this won't work for aa-logprof.

It seems we're leaning towards not going the auditd way and instead implementing support for the systemd Journal ⇒ I'll reject this issue in favor of https://gitlab.com/apparmor/apparmor/-/issues/213, which is about the latter.

Changed in apparmor:
status:	New → Won't Fix
no longer affects:	apparmor (Debian)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #866340
[forwarded normal upstream] Edit
auto-gitlab.com-apparmor-apparmor-- #213
[opened] Edit

Bug watches keep track of this bug in other bug trackers.