
Thread: AppArmor enforce program without logging

  1. #1
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    AppArmor enforce program without logging

    I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.

    Is there a way to let it enforce restrictions but not log denials?

    There should be.

  2. #2
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor enforce program without logging

    Quote Originally Posted by BkkBonanza View Post
    I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.

    Is there a way to let it enforce restrictions but not log denials?

    There should be.
    If it is logging denials then you have not set up the profile properly. The denials mean the program is not being allowed to do something that it might need to do.

    Or, are you saying that the program works fine regardless of these denials? If so, then I can think of two things:

    1) Install auditd. It will keep all the apparmor logs in their own separate log file so they won't be filling up /var/log/messages. You can achieve the same result by configuring your rsyslog config file, but it's more complicated.

    2) You might be able to explicitly "deny" these operations within your apparmor profile. If you do this, it shouldn't log it every time it denies it.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  3. #3
    Join Date
    Mar 2010
    Beans
    8,255
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: AppArmor enforce program without logging

    I know this sounds like a silly question and is probably stating the obvious, but is the profile in complain or enforce mode?

    If the former, it is likely to produce a lot of messages depending on what you are trying to restrict.

  4. #4
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor enforce program without logging

    It's in enforce mode. The app is actually working fine even though denied access to some things. The app is Skype - which likes to go on rampages reading stuff I don't want it to have access to.

    So I've explicitly denied certain things. It still works ok but it fills the log like you wouldn't believe. Basically entries every few seconds 24/7 and they seem to end up in 3 log files so it's a bit overdone really.

    I'll look into some rsyslog config to filter them out to another file. I've done that before so it shouldn't be too hard.

    Thanks!
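    Post #2 suggests writing explicit "deny" rules for the things the program keeps touching, and post #4 confirms that is what quiets the application but not the log. In AppArmor, an explicit `deny` rule is quiet by default (only `audit deny` logs), so the usual workflow is to read the denial lines, reduce them to the distinct (path, mask) pairs for the one profile, and turn those into `deny` rules to review before adding them to the profile. The script below is an added example, not code from the thread or from the AppArmor project: the log lines are constructed samples in the shape the kernel writes them, the profile name `/usr/bin/skype` and the paths are made up for illustration, and the `denied_paths` and `denial_counts` function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of kernel-generated AppArmor messages as syslog records
# them. Two lines repeat the same denial to show how noisy one path gets;
# the last line belongs to a different profile and must be ignored.
SAMPLE_LOG='Apr 25 10:12:03 host kernel: [ 812.101] type=1400 audit(1303722723.101:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/user/.ssh/id_rsa" pid=5678 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 25 10:12:09 host kernel: [ 818.220] type=1400 audit(1303722729.220:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/user/.ssh/id_rsa" pid=5678 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 25 10:12:15 host kernel: [ 824.330] type=1400 audit(1303722735.330:47): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/user/.mozilla/firefox/profiles.ini" pid=5678 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 25 10:12:20 host kernel: [ 829.440] type=1400 audit(1303722740.440:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/user/.gnupg/pubring.gpg" pid=5678 comm="skype" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000
Apr 25 10:12:25 host kernel: [ 834.550] type=1400 audit(1303722745.550:49): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/other" name="/etc/shadow" pid=9 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# denied_paths PROFILE
# Reads log lines on stdin and prints one candidate rule per distinct
# (path, denied_mask) pair for PROFILE, e.g. "deny /home/user/.ssh/id_rsa r,".
# Only apparmor="DENIED" records are considered; denied_mask (not
# requested_mask) is used so the rule covers exactly what was refused.
denied_paths() {
    profile="$1"
    LC_ALL=C grep 'apparmor="DENIED"' |
        grep -F "profile=\"$profile\"" |
        sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/deny \1 \2,/p' |
        LC_ALL=C sort -u
}

# denial_counts
# Reads log lines on stdin and prints "<count> <profile> <path>", most
# frequent first, to show which denials are filling the log.
denial_counts() {
    LC_ALL=C grep 'apparmor="DENIED"' |
        sed -n 's/.*profile="\([^"]*\)".* name="\([^"]*\)".*/\1 \2/p' |
        LC_ALL=C sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone usage: summarise the sample, then emit rules for one profile.
printf '%s\n' "$SAMPLE_LOG" | denial_counts
printf '%s\n' "$SAMPLE_LOG" | denied_paths /usr/bin/skype
```

    The generated lines are candidates, not a finished profile: check each path before pasting it into the profile, since a `deny` rule wins over any overlapping allow rule, and a denied path the program genuinely needs is a bug in the profile rather than noise to silence.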

  5. #5
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor enforce program without logging

    I got this set up and working so I'm going to post what I did here for others.
    I just copied the same code as comes default with UFW and modified it for apparmor. Now all my apparmor messages go into one log and don't pollute the (3) others with junk.

    I created a file /etc/rsyslog.d/30-apparmor.conf containing,

    Code:
    # Log kernel generated apparmor log messages to file
    :msg,contains,"apparmor" /var/log/apparmor.log
    
    # Uncomment the following to stop logging anything that matches the last rule.
    # Doing this will stop logging kernel generated apparmor log messages to the file
    # normally containing kern.* messages (eg, /var/log/kern.log)
    & ~

    That last line can be commented if you want the messages to flow as usual, but I wanted it cut down to just the one log file. You have to restart rsyslog, but I rebooted anyway since I had other changes pending.

  6. #6
    Join Date
    Sep 2010
    Beans
    898

    Re: AppArmor enforce program without logging

    Thanks for the information on apparmor logging. I was planning on enabling some apparmor profiles, but didn't want the system logs to be cluttered with apparmor messages.

    I have one question. There's a directory /var/log/apparmor/. Is that used for anything on Ubuntu?

    ----
    Edit

    I found that /var/log/apparmor/ is listed in the "installed files" for apparmor-utils. Maybe it's used by one or more of the programs in that package.
    Last edited by Dave_L; May 11th, 2011 at 05:15 PM. Reason: more info about /var/log/apparmor/

  7. #7
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor enforce program without logging

    I noticed there was a /var/log/apparmor directory created but I've never seen anything in there. I prefer to keep my logs all in /var/log but I can see that when rotating occurs and there are multiple copies it's a bit cluttered. I think either way is good.

  8. #8
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor enforce program without logging

    It is a shame you need to disable logging to quiet apparmor.

    IMO it would be nice if apparmor had a few more features and a few tools to help manage alerts.

    Perhaps report it as a bug or feature request ?
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #9
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor enforce program without logging

    Good idea. I added it in launchpad. I couldn't find a place for feature requests so I marked it as feature request and submitted it in bugs section. Maybe some day we'll have the option "per profile logging".

    PS. I've already got 4.3MB in the apparmor log in 2 days...
    Last edited by BkkBonanza; April 26th, 2011 at 05:58 AM.

  10. #10
    Join Date
    Sep 2010
    Beans
    898

    Re: AppArmor enforce program without logging

    In addition to the preceding, if log file rotation is desired, a file /etc/logrotate.d/apparmor with the following contents could be added:

    Code:
    /var/log/apparmor.log {
       rotate 4
       weekly
       compress
       missingok
    }

    The specific logging options could vary.
