Thread: Unable to see (apparmor) audit.log in messages files.

  1. #1
    Join Date
    Sep 2011
    Beans
    61

    Unable to see (apparmor) audit.log in messages files.

    If I use the following commands, should I expect to see the audit.log corresponding to apparmor in the system log viewer (messages)?
    Code:
    sudo aa-audit /etc/apparmor.d/usr.bin.firefox
    sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
    I do not see any, and that is my problem. Someone hinted that the "audit" file is to be installed for this to happen, but I have no idea how to install that. Can anybody please advise?
    Last edited by newhere_m; October 15th, 2011 at 03:55 PM.

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Unable to see (apparmor) audit.log in messages files.

    Neither of those commands does what you think it does.

    The first command audits the profile and the second reloads it. Neither shows you (displays) the logs.

    I suggest you read the apparmor sticky or https://help.ubuntu.com/community/AppArmor
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Sep 2011
    Beans
    61

    Re: Unable to see (apparmor) audit.log in messages files.

    I wrote the second command precisely to mean that the firefox profile would have to be reloaded (not as an effort to view log messages directly, but as an intermediate step).
    Now as far as I understand: when a profile is in audit mode, security policy will be enforced and apparmor will give a log-message for each action taken by apparmor (permit/deny). The messages are to be found in these files:
    Code:
    /var/log/kern.log
    /var/log/messages
    /var/log/audit/audit.log
    The third is possible if "audit" is installed (this remains my doubt). Finally, one can check with the grep command for messages with "allowed"/"denied" in those files. Perhaps "sudo aa-logprof" will also do. However, this last option also updates the profile, the implication of which is not clear to me. Typical response:
    Code:
    Reading log entries from /var/log/messages.
    Updating AppArmor profiles in /etc/apparmor.d.

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Unable to see (apparmor) audit.log in messages files.

    I am not sure I am understanding your question.

    You can follow your logs with tail

    Code:
    tail -F /var/log/messages
    aa-logprof reads the logs, reviews any denials, and prompts you for any changes you might wish to make to the profile.

    See if this blog helps you: http://blog.bodhizazen.net/linux/app...ivoxy-profile/
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
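
One way to check which of the three log files named in post #3 actually receives AppArmor records, and what kind they are, as an added example that is not part of the original thread. The function names `aa_summary` and `aa_demo` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Default paths are the files named in post #3.

# aa_summary [FILE...]: print "<file> <count> <type> <profile>" for every record
# carrying apparmor="TYPE" and profile="NAME". Records without a profile= field
# are skipped; unreadable files are reported on stderr.
aa_summary() {
    [ "$#" -gt 0 ] || set -- /var/log/kern.log /var/log/messages /var/log/audit/audit.log
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: missing or unreadable (try sudo)" >&2
            continue
        fi
        # Reduce each matching record to "TYPE PROFILE", then count duplicates.
        sed -n 's/.*apparmor="\([A-Z]*\)".* profile="\([^"]*\)".*/\1 \2/p' "$f" |
            sort | uniq -c |
            while read -r count type profile; do
                echo "$f $count $type $profile"
            done
    done
}

# aa_demo: run aa_summary over constructed sample records (not real log data).
aa_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Oct 15 15:40:01 host kernel: [  100.000001] type=1400 audit(1318693201.101:21): apparmor="AUDIT" operation="open" profile="/usr/bin/firefox" name="/etc/hosts" pid=2100 comm="firefox" requested_mask="r" fsuid=1000 ouid=0
Oct 15 15:40:02 host kernel: [  101.000002] type=1400 audit(1318693202.102:22): apparmor="AUDIT" operation="open" profile="/usr/bin/firefox" name="/etc/passwd" pid=2100 comm="firefox" requested_mask="r" fsuid=1000 ouid=0
Oct 15 15:40:03 host kernel: [  102.000003] type=1400 audit(1318693203.103:23): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/private.txt" pid=2100 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 15 15:40:04 host kernel: [  103.000004] usb 1-1: new high-speed USB device
EOF
    aa_summary "$tmp" | sed "s|^$tmp |sample |"
    rm -f "$tmp"
}

aa_demo
```

Called with no arguments, `aa_summary` reads the three paths listed in post #3, so a file reported on stderr is one that does not exist or cannot be read on that system.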
