On Thu, Aug 20, 2020 at 11:56:09PM -0000, Bryce Harrington wrote:
> Thanks for the additional information. I've seen the snap profile_*
> messages in my logwatch output as unmatched, but want to understand them
> more before filtering them.
>
> As to the general unconfined entries, how can we best distinguish
> between the normal behavior and exception cases?
Loading and reloading policies happens all the time and can probably be
filtered out in a log summarizing tool. (They might still be bad if an
attacker has replaced policies with ones that are wide-open.)

A quick skim through the kernel sources shows a lot of other possible
info= strings, too many to itemize them all, and also it'd take a while to
figure out which ones could happen with profile=unconfined.

If you want to filter out operation="profile_load" profile="unconfined"
and operation="profile_replace" profile="unconfined" lines, that'd
probably be a good start.

Thanks

--
https://bugs.launchpad.net/bugs/1577948
Title: unmatched entries for apparmor STATUS messages
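The filter proposed in the reply above, written out as an added example that is not part of the thread or of logwatch itself: it parses apparmor="STATUS" audit lines, drops only the profile_load/profile_replace entries with profile="unconfined", and keeps every other STATUS line (including other operations that run unconfined) as unmatched so a summarizing tool still reports them. The sample lines are constructed in the kernel audit format the thread discusses; the field names are the ones quoted in the thread.

```python
import re

# key="value" pairs plus bare key=value fields (pid=, type=) in an audit line.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Policy (re)load noise the reply suggests filtering: apparmor_parser loading
# or replacing policy while itself unconfined. Everything else stays visible.
EXPECTED = {
    ("profile_load", "unconfined"),
    ("profile_replace", "unconfined"),
}

def parse_status(line):
    """Return the fields of an apparmor="STATUS" line as a dict, else None."""
    if 'apparmor="STATUS"' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}

def classify(line):
    """'ignore' for expected policy (re)loads, 'unmatched' for any other
    STATUS line, 'not-status' for lines that are not STATUS messages."""
    fields = parse_status(line)
    if fields is None:
        return "not-status"
    key = (fields.get("operation"), fields.get("profile"))
    return "ignore" if key in EXPECTED else "unmatched"

def summarize(lines):
    """Per-class counts and the STATUS lines a report should still show."""
    counts = {"ignore": 0, "unmatched": 0, "not-status": 0}
    unmatched = []
    for line in lines:
        cls = classify(line)
        counts[cls] += 1
        if cls == "unmatched":
            unmatched.append(line)
    return counts, unmatched

# Constructed sample input (format as emitted by the kernel audit subsystem).
SAMPLE = [
    'audit: type=1400 audit(1597924801.123:45): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=1234 comm="apparmor_parser"',
    'audit: type=1400 audit(1597924801.456:46): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=1235 comm="apparmor_parser"',
    'audit: type=1400 audit(1597924802.789:47): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/bin/evince" pid=1236 comm="apparmor_parser"',
    'audit: type=1400 audit(1597924803.000:48): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/etc/shadow" pid=1300 comm="cups-browsed"',
]

if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE)
    print(counts)
    for line in unmatched:
        print("UNMATCHED:", line)
```

Note that profile_remove with profile="unconfined" is deliberately left unmatched: the filter only drops the two operations named in the reply, so a wide-open replacement policy still shows up as a profile_replace with a different name= or info= value is not hidden by the operation/profile pair alone, and the name= field is what you would inspect next.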