Re: No "type=APPARMOR_ALLOWED/DENIED" logs
Hi Didier,

On 6 Jul 2020 at 23:42, didier.gau...@gmail.com wrote:
> man -s7 apparmor seems to indicate (DEBUGGING section) that for the DENY
> messages to appear, you have to "Turn off deny audit quieting" and for the
> ALLOW messages to appear you have to "Force audit mode"

Thanks for having checked that.
Unfortunately, filling /sys/module/apparmor/parameters/audit with "noquiet" or "all" doesn't change anything about my logs (even after restarting apparmor.service)...
I will probably post a message on AppArmor ML and tell you should I get the final answer :)

Best regards,
l0f4r0
Re: No "type=APPARMOR_ALLOWED/DENIED" logs
OK, I have read a little bit :-)

Now I understand better the difference between enforce (for production) and complain (for testing/setup) modes and that they are mutually exclusive.

man aa-genprof seems to indicate that the complain mode is set only during the generation of the profile: when aa-genprof exits the profile is in enforce mode.

man -s7 apparmor seems to indicate (DEBUGGING section) that for the DENY messages to appear, you have to "Turn off deny audit quieting" and for the ALLOW messages to appear you have to "Force audit mode"

Good luck :-)
Re: No "type=APPARMOR_ALLOWED/DENIED" logs
Hi,

On 6 Jul 2020 at 12:05, didier.gau...@gmail.com wrote:
> Sorry

No worries, thanks for replying :)

> I am almost totally Apparmor ignorant but would both set enforce and complain
> modes for your profiles give you the result you expect?

I'm afraid not because:
* most of my profiles are already in enforce mode
* aa-genprof is supposed to create a new profile, set it into complain mode, adapt the profile thanks to AppArmor logs and decisions from the sysadmin and finally enforce the profile.

In other words, I should have logs already...

Best regards,
l0f4r0
Re: No "type=APPARMOR_ALLOWED/DENIED" logs
Hello,

Sorry, I am almost totally Apparmor ignorant but would both set enforce and complain modes for your profiles give you the result you expect?
No "type=APPARMOR_ALLOWED/DENIED" logs
Hi,

I'm under Debian 10 (kernel 5.4.8-1~bpo10+1) and I installed auditd some weeks ago.

Issue: I don't get any AppArmor logs like ALLOWED or DENIED in my /var/log/audit/audit.log while I'm sure I should have some (for example, aa-genprof seems unable to scan my logs and help me to generate an appropriate profile).

I thought AppArmor writes its logs directly in /var/log/audit/audit.log if auditd is already installed, otherwise they go to /var/log/syslog, /var/log/messages or /var/log/kern.log. I have nothing there either...

Did I miss something please?

NB:
* the only AppArmor related logs I have are some apparmor="STATUS" regarding operation="profile_load" for the most part...
* apparmor.service is running and everything is OK with aa-status

Thanks in advance :)

Best regards,
l0f4r0
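An added example, not part of any post in this thread: a small Python triage script that classifies AppArmor records by their `apparmor="..."` field instead of the `type=` label, so it shows whether a log holds only STATUS records or also ALLOWED/DENIED ones. The sample log lines, profile names and paths in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread): auditd-style records and one
# kernel-log-style record, plus a non-AppArmor record that must be ignored.
SAMPLE_LOG = '''\
type=AVC msg=audit(1594029900.101:210): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example" pid=811 comm="apparmor_parser"
type=AVC msg=audit(1594029960.202:231): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=902 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul  6 12:06:40 host kernel: [ 321.000] audit: type=1400 audit(1594030000.303:240): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/example" name="/tmp/x" pid=902 comm="example" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1594030000.303:241): arch=c000003e syscall=257 success=yes exit=3
'''

# key=value pairs where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor(line):
    """Return the key=value fields of an AppArmor record, or None otherwise."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def summarize(text):
    """Count records per apparmor= verdict and collect ALLOWED/DENIED events
    as (verdict, profile, operation, name) tuples."""
    verdicts, events = Counter(), []
    for line in text.splitlines():
        rec = parse_apparmor(line)
        if rec is None:
            continue
        verdicts[rec["apparmor"]] += 1
        if rec["apparmor"] in ("ALLOWED", "DENIED"):
            events.append((rec["apparmor"], rec.get("profile"),
                           rec.get("operation"), rec.get("name")))
    return verdicts, events

if __name__ == "__main__":
    verdicts, events = summarize(SAMPLE_LOG)
    print("records per verdict:", dict(verdicts))
    for event in events:
        print(*event)
    if not events:
        # The situation described in the original post
        print("only STATUS records found: no ALLOWED/DENIED events are logged")
```

To run it on a real file, pass the contents of /var/log/audit/audit.log or /var/log/kern.log to `summarize()` in place of `SAMPLE_LOG`.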