[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
This bug was fixed in the package logwatch - 7.4.2-1ubuntu1.1 --- logwatch (7.4.2-1ubuntu1.1) xenial; urgency=medium [ Bryce Harrington ] * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch: dhcpd: Ignore lease age under threshold messages (LP: #1578001) * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch: audit: Treat Denial-Errors same as Denied. (LP: #1577948) * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch: audit: Apparmor DENIED entries don't always include parent=N. (LP: #1577948) * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch: zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing. These are not installed by default in Ubuntu's logwatch packaging. (LP: #1890749) * d/p/0012-postfix-Handle-backwards-compatible-mode.patch: postfix: Handle backwards-compatible mode. (LP: #1583705) * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch: postfix: Ignore Resolved loghost to 127.0.0.1. (LP: #1583705) * d/p/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch: Use $PATH to determine location of zpool and zfs. (LP: #1880211) [ Karl Stenerud ] * d/p/ssh-ignore-disconnected.patch: sshd: ignore disconnected from user USER (LP: #1644057) -- Bryce Harrington Thu, 03 Sep 2020 04:21:50 + -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
This bug was fixed in the package logwatch - 7.4.3+git20161207-2ubuntu1.2 --- logwatch (7.4.3+git20161207-2ubuntu1.2) bionic; urgency=medium [ Bryce Harrington ] * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch: dhcpd: Ignore lease age under threshold messages (LP: #1578001) * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch: audit: Treat Denial-Errors same as Denied. (LP: #1577948) * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch: audit: Apparmor DENIED entries don't always include parent=N. (LP: #1577948) * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch: zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing. These are not installed by default in Ubuntu's logwatch packaging. (LP: #1890749) * d/p/0012-postfix-Handle-backwards-compatible-mode.patch: postfix: Handle backwards-compatible mode. (LP: #1583705) * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch: postfix: Ignore Resolved loghost to 127.0.0.1. (LP: #1583705) * d/p/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch: Use $PATH to determine location of zpool and zfs. (LP: #1880211) [ Karl Stenerud ] * d/p/ssh-ignore-disconnected.patch: sshd: ignore disconnected from user USER (LP: #1644057) -- Bryce Harrington Thu, 03 Sep 2020 04:21:53 + ** Changed in: logwatch (Ubuntu Bionic) Status: Fix Committed => Fix Released ** Changed in: logwatch (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
This bug was fixed in the package logwatch - 7.5.2-1ubuntu1.1 --- logwatch (7.5.2-1ubuntu1.1) focal; urgency=medium [ Bryce Harrington ] * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch: dhcpd: Ignore lease age under threshold messages (LP: #1578001) * d/p/0019-exim-Handle-self-signed-certs-warnings.patch: exim: Handle self-signed certs warnings. (LP: #1892269) * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch: audit: Treat Denial-Errors same as Denied. (LP: #1577948) * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch: audit: Apparmor DENIED entries don't always include parent=N. (LP: #1577948) * d/p/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch: pam_unix: Ignore issues about /etc/securetty being missing. (LP: #1890751) * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch: zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing. These are not installed by default in Ubuntu's logwatch packaging. (LP: #1890749) * d/p/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch: secure: Ignore warnings about gnome-keyring-daemon items already registered. (LP: #1890752) * d/p/0012-postfix-Handle-backwards-compatible-mode.patch: postfix: Handle backwards-compatible mode. (LP: #1583705) * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch: postfix: Ignore Resolved loghost to 127.0.0.1. (LP: #1583705) * d/p/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch: Use $PATH to determine location of zpool and zfs. (LP: #1880211) [ Lucas Kanashiro ] * d/p/0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch: audit: use the term ALLOWED instead of Grants. (LP: #1577948) -- Bryce Harrington Thu, 03 Sep 2020 04:22:00 + ** Changed in: logwatch (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Tags removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial ** Tags added: verification-done verification-done-bionic verification-done-focal verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
Verified in LXC on xenial, bionic, and focal per the test case, that the messages are no longer under "Unmatched" but are still mentioned as matched entries. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
Hello Jared, or anyone else affected, Accepted logwatch into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/logwatch/7.4.2-1ubuntu1.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: logwatch (Ubuntu Xenial) Status: Triaged => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
Hello Jared, or anyone else affected, Accepted logwatch into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/logwatch/7.4.3+git20161207-2ubuntu1.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: logwatch (Ubuntu Bionic) Status: Triaged => Fix Committed ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
Hello Jared, or anyone else affected, Accepted logwatch into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/logwatch/7.5.2-1ubuntu1.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: logwatch (Ubuntu Focal) Status: Triaged => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Changed in: logwatch (Ubuntu Xenial) Assignee: (unassigned) => Bryce Harrington (bryce) ** Changed in: logwatch (Ubuntu Bionic) Assignee: (unassigned) => Bryce Harrington (bryce) ** Changed in: logwatch (Ubuntu Focal) Assignee: (unassigned) => Bryce Harrington (bryce) ** Changed in: logwatch (Ubuntu Groovy) Assignee: (unassigned) => Bryce Harrington (bryce) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/390212 ** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/390213 ** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/390214 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Description changed: [Impact] Various AppArmor messages aren't handled by logwatch, and thus end up in the "Unmatched Entries" section. Some of these are noteworthy, others are innocuous, but given the quantity and variety of them, they can clutter the log. Common ones should be either ignored or matched and summarized, as appropriate. - [Test Case] $ export CODENAME="focal" $ lxc launch ubuntu:${CODENAME} test-logwatch $ lxc exec test-logwatch -- bash # apt-get update # apt-get dist-upgrade -y # apt-get install -y logwatch # wget https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+attachment/5407058/+files/unmatched-entries-apparmor%3Akern.log # cat unmatched-entries-apparmor:kern.log >> /var/log/kern.log # logwatch --detail High --service all --range all --output stdout Without the fix, there will be unmatched entries shown for apparmor="STATUS" ... profile="unconfined"; with the fix they won't display. (Note: For testing it's not really necessary to trigger the original condition that produces the log entry, since for Logwatch the purpose is more about making sure the entry is detected and processed appropriately.) - [Regression Potential] Since logwatch filters logs for errors pertinent to administrators, standard things to watch out for are undesired changes in this filtering behavior, such as flagging or failing to flag issues differently than before, other than the specific messages being filtered with this change. - - [Fix] - - [Discussion] [Original Report] Under the "Kernel Audit" heading, the following apparmor lines appear as unmatched: **Unmatched Entries** audit: type=1400 audit(1462209116.753:18): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=22094 comm="apparmor_parser" audit: type=1400 audit(1462209262.641:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/freshclam" pid=1760 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/clamd" pid=1765 comm="apparmor_parser" audit: type=1400 audit(1462209262.673:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=1767 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=1768 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1768 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=1768 comm="apparmor_parser" - Description:Ubuntu 16.04 LTS Release:16.04 logwatch: Installed: 7.4.2-1ubuntu1 Candidate: 7.4.2-1ubuntu1 Version table: *** 7.4.2-1ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages 100 /var/lib/dpkg/status -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Description changed: [Impact] - Various AppArmor messages aren't handled by logwatch, and thus end up in the "Unmatched Entries" section. Some of these are noteworthy, others are innocuous, but given the quantity and variety of them, they can clutter the log. Common ones should be either ignored or matched and summarized, as appropriate. + + Various AppArmor messages aren't handled by logwatch, and thus end up in + the "Unmatched Entries" section. Some of these are noteworthy, others + are innocuous, but given the quantity and variety of them, they can + clutter the log. Common ones should be either ignored or matched and + summarized, as appropriate. [Test Case] $ export CODENAME="focal" $ lxc launch ubuntu:${CODENAME} test-logwatch $ lxc exec test-logwatch -- bash # apt-get update # apt-get dist-upgrade -y # apt-get install -y logwatch # wget https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+attachment/5407058/+files/unmatched-entries-apparmor%3Akern.log # cat unmatched-entries-apparmor:kern.log >> /var/log/kern.log # logwatch --detail High --service all --range all --output stdout Without the fix, there will be unmatched entries shown for apparmor="STATUS" ... profile="unconfined"; with the fix they won't display. (Note: For testing it's not really necessary to trigger the original condition that produces the log entry, since for Logwatch the purpose is more about making sure the entry is detected and processed appropriately.) [Regression Potential] Since logwatch filters logs for errors pertinent to administrators, standard things to watch out for are undesired changes in this filtering behavior, such as flagging or failing to flag issues differently than before, other than the specific messages being filtered with this change. [Fix] [Discussion] [Original Report] Under the "Kernel Audit" heading, the following apparmor lines appear as unmatched: **Unmatched Entries** audit: type=1400 audit(1462209116.753:18): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=22094 comm="apparmor_parser" audit: type=1400 audit(1462209262.641:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/freshclam" pid=1760 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/clamd" pid=1765 comm="apparmor_parser" audit: type=1400 audit(1462209262.673:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=1767 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=1768 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1768 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=1768 comm="apparmor_parser" - Description:Ubuntu 16.04 LTS Release:16.04 logwatch: Installed: 7.4.2-1ubuntu1 Candidate: 7.4.2-1ubuntu1 Version table: *** 7.4.2-1ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages 100 /var/lib/dpkg/status -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Description changed: - Under the "Kernel Audit" heading, the following apparmor lines appear as - unmatched: + [Impact] + Various AppArmor messages aren't handled by logwatch, and thus end up in the "Unmatched Entries" section. Some of these are noteworthy, others are innocuous, but given the quantity and variety of them, they can clutter the log. Common ones should be either ignored or matched and summarized, as appropriate. + + + [Test Case] + + $ export CODENAME="focal" + $ lxc launch ubuntu:${CODENAME} test-logwatch + $ lxc exec test-logwatch -- bash + + # apt-get update + # apt-get dist-upgrade -y + # apt-get install -y logwatch + + # wget https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+attachment/5407058/+files/unmatched-entries-apparmor%3Akern.log + # cat unmatched-entries-apparmor:kern.log >> /var/log/kern.log + + # logwatch --detail High --service all --range all --output stdout + + Without the fix, there will be unmatched entries shown for + apparmor="STATUS" ... profile="unconfined"; with the fix they won't + display. + + (Note: For testing it's not really necessary to trigger the original + condition that produces the log entry, since for Logwatch the purpose is + more about making sure the entry is detected and processed + appropriately.) + + + [Regression Potential] + + Since logwatch filters logs for errors pertinent to administrators, + standard things to watch out for are undesired changes in this filtering + behavior, such as flagging or failing to flag issues differently than + before, other than the specific messages being filtered with this + change. + + [Fix] + + [Discussion] + + [Original Report] + Under the "Kernel Audit" heading, the following apparmor lines appear as unmatched: **Unmatched Entries** audit: type=1400 audit(1462209116.753:18): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=22094 comm="apparmor_parser" audit: type=1400 audit(1462209262.641:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/freshclam" pid=1760 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1759 comm="apparmor_parser" audit: type=1400 audit(1462209262.657:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/clamd" pid=1765 comm="apparmor_parser" audit: type=1400 audit(1462209262.673:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=1767 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=1768 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1768 comm="apparmor_parser" audit: type=1400 audit(1462209262.677:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=1768 comm="apparmor_parser" - - Description:Ubuntu 16.04 LTS Release:16.04 logwatch: - Installed: 7.4.2-1ubuntu1 - Candidate: 7.4.2-1ubuntu1 - Version table: - *** 7.4.2-1ubuntu1 500 - 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages - 500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages - 100 /var/lib/dpkg/status + Installed: 7.4.2-1ubuntu1 + Candidate: 7.4.2-1ubuntu1 + Version table: + *** 7.4.2-1ubuntu1 500 + 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages + 500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages + 100 /var/lib/dpkg/status -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Attachment added: "Sample log entries for testing the apparmor="DENIED" error messages" https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+attachment/5407059/+files/unmatched-entries-apparmor-lxd%3Akern.log -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Attachment added: "Sample log entries for testing the profile="unconfirmed" issue." https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+attachment/5407058/+files/unmatched-entries-apparmor%3Akern.log -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
This bug was fixed in the package logwatch - 7.5.4-0ubuntu2 --- logwatch (7.5.4-0ubuntu2) groovy; urgency=medium [ Bryce Harrington ] * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch: dhcpd: Ignore lease age under threshold messages (LP: #1578001) * d/p/0019-exim-Handle-self-signed-certs-warnings.patch: exim: Handle self-signed certs warnings. (LP: #1892269) * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch: audit: Treat Denial-Errors same as Denied. (LP: #1577948) * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch: audit: Apparmor DENIED entries don't always include parent=N. (LP: #1577948) * d/p/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch: pam_unix: Ignore issues about /etc/securetty being missing. (LP: #1890751) * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch: zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing. These are not installed by default in Ubuntu's logwatch packaging. (LP: #1890749) * d/p/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch: secure: Ignore warnings about gnome-keyring-daemon items already registered. (LP: #1890752) * d/p/0012-postfix-Handle-backwards-compatible-mode.patch: postfix: Handle backwards-compatible mode. (LP: #1583705) * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch: postfix: Ignore Resolved loghost to 127.0.0.1. (LP: #1583705) * d/control: Update upstream's homepage (LP: #1891604) [ Lucas Kanashiro ] * d/p/0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch: audit: use the term ALLOWED instead of Grants. -- Bryce Harrington Fri, 21 Aug 2020 01:30:10 + ** Changed in: logwatch (Ubuntu Groovy) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/389633 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1577948] Re: unmatched entries for apparmor STATUS messages
On Thu, Aug 20, 2020 at 11:56:09PM -, Bryce Harrington wrote: > Thanks for the additional information. I've seen the snap profile_* > messages in my logwatch output as unmatched, but want to understand them > more before filtering them. > > As to the general unconfined entries, how can we best distinguish > between the normal behavior and exception cases? Loading and reloading policies happens all the time and can probably be filtered out in a log summarizing tool. (They might still be bad if an attacker has replaced policies with ones that are wide-open.) A quick skim through the kernel sources shows a lot of other possible info= strings, too many to itemize them all, and also it'd take a while to figure out which ones could happen with profile=unconfined. If you want to filter out operation="profile_load" profile="unconfined" and operation="profile_replace" profile="unconfined" lines, that'd probably be a good start. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
Thanks for the additional information. I've seen the snap profile_* messages in my logwatch output as unmatched, but want to understand them more before filtering them. As to the general unconfined entries, how can we best distinguish between the normal behavior and exception cases? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
To add to Seth's answer. unconfined generally doesn't log, the exceptions are when an unconfined tasks makes policy changes, and when there is an internal error on profile attachment. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
The log message is reporting the profiles have been loaded. This is a standard part of booting a full system, starting services, and some service-specific operations (such as libvirt or snapd demand-loading profiles as VMs or snaps are used). There's other similar status messages: apparmor="STATUS" operation="profile_replace" apparmor="STATUS" operation="profile_remove" Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
The issue here is that logwatch does match apparmor STATUS messages generally, but not when they have profile="unconfined" between operation and name. I didn't find authoritative documentation on what this log entry means, but the answer to the following askubuntu post suggests this may be recording the disabling of an apparmor profile - something that may be of concern to sysadmins and thus should be flagged as noteworthy in the logwatch report. https://askubuntu.com/questions/825274/apparmor-audit-logs-what-does- this-mean ** Also affects: logwatch (Ubuntu Groovy) Importance: High Status: Triaged ** Also affects: logwatch (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: logwatch (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: logwatch (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: logwatch (Ubuntu Xenial) Status: New => Triaged ** Changed in: logwatch (Ubuntu Bionic) Status: New => Triaged ** Changed in: logwatch (Ubuntu Focal) Status: New => Triaged ** Changed in: logwatch (Ubuntu Xenial) Importance: Undecided => High ** Changed in: logwatch (Ubuntu Bionic) Importance: Undecided => High ** Changed in: logwatch (Ubuntu Focal) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1577948] Re: unmatched entries for apparmor STATUS messages
Yes, on focal I see the same. Since it's kernel, won't see these in an lxc container, but on bare metal or maybe a vm they add lots of noise. For Logwatch's purposes, all the apparmor="STATUS" messages should be filtered, as they're just informative. (I suspect many of the apparmor="DENIED" messages relating to snaps and lxc could also be filtered, as they're by definition permission-limited zones, however they're unrelated to this bug.) ** Summary changed: - unmatched entries for apparmor + unmatched entries for apparmor STATUS messages ** Changed in: logwatch (Ubuntu) Importance: Undecided => High ** Changed in: logwatch (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577948 Title: unmatched entries for apparmor STATUS messages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs