Thread: AppArmor enforce program without logging

  1. #1

    AppArmor enforce program without logging

    I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.

    Is there a way to let it enforce restrictions but not log denials?

    There should be.

  2. #2

    Re: AppArmor enforce program without logging

    Quote Originally Posted by BkkBonanza
    I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.

    Is there a way to let it enforce restrictions but not log denials?

    There should be.
    If it is logging denials then you have not set up the profile properly. The denials mean the program is not being allowed to do something that it might need to do.

    Or, are you saying that the program works fine regardless of these denials? If so, then I can think of two things:

    1) Install auditd. It will keep all the apparmor logs in their own separate log file so they won't be filling up /var/log/messages. You can achieve the same result by configuring your rsyslog config file, but it's more complicated.

    2) You might be able to explicitly "deny" these operations within your apparmor profile. If you do this, it shouldn't log it every time it denies it.

  3. #3

    Re: AppArmor enforce program without logging

    I know this sounds like a silly question and is probably stating the obvious, but is the profile in complain or enforce mode?

    If the former, it is likely to produce a lot of messages depending on what you are trying to restrict.

  4. #4

    Re: AppArmor enforce program without logging

    It's in enforce mode. The app is actually working fine even though denied access to some things. The app is Skype - which likes to go on rampages reading stuff I don't want it to have access to.

    So I've explicitly denied certain things. It still works ok but it fills the log like you wouldn't believe. Basically entries every few seconds 24/7 and they seem to end up in 3 log files so it's a bit overdone really.

    I'll look into some rsyslog config to filter them out to another file. I've done that before so it shouldn't be too hard.

    Thanks!
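An added example, not code from any post in this thread: the situation in posts #2 and #4 (a program that keeps tripping the same denials, and the suggestion to turn them into explicit deny rules) is easier to handle if you first condense the kernel log into a per-path count. AppArmor treats an explicit `deny` rule as quiet: a denial that matches one is not logged unless the rule also carries the `audit` qualifier, so the paths that recur most are the ones worth writing rules for. The script below parses the `apparmor="DENIED"` lines of a kern.log-style file, groups them by profile, operation and path, and prints candidate `deny` rules. The log lines, the `/usr/bin/skype` profile name and the `/home/alice` home directory are constructed for the example; the mapping from the kernel's `denied_mask` letters to rule permissions is a simplification and the generated rules should be reviewed before they go into a real profile.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/kern.log lines (not real Skype output). Mixes
# DENIED events, a complain-mode ALLOWED event, a profile load STATUS line and
# an unrelated sshd line so the filtering is visible.
LOG = """\
May 11 17:10:01 natty kernel: [ 1234.567890] type=1400 audit(1305133801.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/alice/.ssh/id_rsa" pid=2211 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 11 17:10:04 natty kernel: [ 1237.001122] type=1400 audit(1305133804.456:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/alice/.ssh/id_rsa" pid=2211 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 11 17:10:05 natty kernel: [ 1238.222333] type=1400 audit(1305133805.789:47): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/alice/.mozilla/firefox/profiles.ini" pid=2211 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 11 17:10:06 natty kernel: [ 1239.333444] type=1400 audit(1305133806.012:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/alice/.mozilla/firefox/abcd1234.default/cookies.sqlite" pid=2211 comm="skype" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000
May 11 17:10:07 natty kernel: [ 1240.444555] type=1400 audit(1305133807.345:49): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/skype" name="/etc/fonts/fonts.conf" pid=2211 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 11 17:10:08 natty kernel: [ 1241.555666] type=1400 audit(1305133808.678:50): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=2300 comm="apparmor_parser"
May 11 17:10:09 natty sshd[2401]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

# key=value pairs in the audit record: quoted values may contain spaces,
# unquoted ones (pid=2211, fsuid=1000) run to the next whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters -> permission letters usable in a path rule. The kernel
# reports create (c) and delete (d), which a rule expresses as write (w).
# Simplified mapping for this example, not the full AppArmor permission table.
MASK_TO_RULE = {"r": "r", "w": "w", "a": "a", "k": "k", "l": "l",
                "m": "m", "x": "x", "c": "w", "d": "w"}


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not an AppArmor record at all."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def summarize_denials(log_text):
    """Count DENIED events per (profile, operation, name) and collect the
    union of the denied_mask letters seen for each."""
    summary = {}
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain mode), STATUS and non-AppArmor lines
        key = (f.get("profile"), f.get("operation"), f.get("name"))
        count, masks = summary.get(key, (0, set()))
        summary[key] = (count + 1, masks | set(f.get("denied_mask", "")))
    return summary


def suggest_deny_rules(summary, home="/home/alice"):
    """Turn the denial summary into candidate quiet `deny` rules, grouped by
    profile and ordered by how often each path was hit. `home` is the user's
    home directory (assumed here) and is rewritten to the @{HOME} variable."""
    by_profile = defaultdict(list)
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1][0], kv[0][2] or ""))
    for (profile, op, name), (count, masks) in ordered:
        if not name or not name.startswith("/"):
            continue  # only absolute paths become path rules
        perms = {MASK_TO_RULE[m] for m in masks if m in MASK_TO_RULE}
        if "w" in perms:
            perms.discard("a")  # w and a are mutually exclusive in one rule
        perm_str = "".join(p for p in "rwalkmx" if p in perms)
        if not perm_str:
            continue
        path = name.replace(home, "@{HOME}", 1) if name.startswith(home + "/") else name
        by_profile[profile].append(
            f"deny {path} {perm_str},  # {count} denial(s), operation={op}")
    return dict(by_profile)


if __name__ == "__main__":
    for profile, rules in suggest_deny_rules(summarize_denials(LOG)).items():
        print(f"# candidate quiet deny rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Run it against a real log with `summarize_denials(open("/var/log/kern.log").read())` and review the output: a path the program genuinely needs should become an allow rule, not a deny rule, and a `deny` that you still want to see in the log can be written as `audit deny`.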

  5. #5

    Re: AppArmor enforce program without logging

    I got this set up and working so I'm going to post what I did here for others.
    I just copied the same code as comes default with UFW and modified it for apparmor. Now all my apparmor messages go into one log and don't pollute the (3) others with junk.

    I created a file /etc/rsyslog.d/30-apparmor.conf containing,

    Code:
    # Log kernel generated apparmor log messages to file
    :msg,contains,"apparmor" /var/log/apparmor.log
    
    # Uncomment the following to stop logging anything that matches the last rule.
    # Doing this will stop logging kernel generated apparmor log messages to the file
    # normally containing kern.* messages (eg, /var/log/kern.log)
    & ~
    That last line can be commented if you want the messages to flow as usual but I wanted it cut down to just the one log file. You have to restart rsyslog but I rebooted anyway since I had other changes pending.

  6. #6

    Re: AppArmor enforce program without logging

    Thanks for the information on apparmor logging. I was planning on enabling some apparmor profiles, but didn't want the system logs to be cluttered with apparmor messages.

    I have one question. There's a directory /var/log/apparmor/. Is that used for anything on Ubuntu?

    ----
    Edit

    I found that /var/log/apparmor/ is listed in the "installed files" for apparmor-utils. Maybe it's used by one or more of the programs in that package.
    Last edited by Dave_L; May 11th, 2011 at 05:15 PM. Reason: more info about /var/log/apparmor/
