[Bug 1577948] Re: unmatched entries for apparmor STATUS messages

Bryce Harrington Wed, 02 Sep 2020 17:30:18 -0700

** Description changed:

  [Impact]
- Various AppArmor messages aren't handled by logwatch, and thus end up in the 
"Unmatched Entries" section. Some of these are noteworthy, others are 
innocuous, but given the quantity and variety of them, they can clutter the 
log.  Common ones should be either ignored or matched and summarized, as 
appropriate.
+ 
+ Various AppArmor messages aren't handled by logwatch, and thus end up in
+ the "Unmatched Entries" section. Some of these are noteworthy, others
+ are innocuous, but given the quantity and variety of them, they can
+ clutter the log.  Common ones should be either ignored or matched and
+ summarized, as appropriate.
  
  
  [Test Case]
  
  $ export CODENAME="focal"
  $ lxc launch ubuntu:${CODENAME} test-logwatch
  $ lxc exec test-logwatch -- bash
  
  # apt-get update
  # apt-get dist-upgrade -y
  # apt-get install -y logwatch
  
  # wget 
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+attachment/5407058/+files/unmatched-entries-apparmor%3Akern.log
  # cat unmatched-entries-apparmor:kern.log >> /var/log/kern.log
  
  # logwatch --detail High --service all --range all --output stdout
  
  Without the fix, there will be unmatched entries shown for
  apparmor="STATUS" ... profile="unconfined"; with the fix they won't
  display.
  
  (Note: For testing it's not really necessary to trigger the original
  condition that produces the log entry, since for Logwatch the purpose is
  more about making sure the entry is detected and processed
  appropriately.)
  
  
  [Regression Potential]
  
  Since logwatch filters logs for errors pertinent to administrators,
  standard things to watch out for are undesired changes in this filtering
  behavior, such as flagging or failing to flag issues differently than
  before, other than the specific messages being filtered with this
  change.
  
  [Fix]
  
  [Discussion]
  
  [Original Report]
  Under the "Kernel Audit" heading, the following apparmor lines appear as 
unmatched:
  
  **Unmatched Entries**
  audit: type=1400 audit(1462209116.753:18): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" name="/usr/sbin/named" 
pid=22094 comm="apparmor_parser"
  audit: type=1400 audit(1462209262.641:2): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/bin/freshclam" 
pid=1760 comm="apparmor_parser"
  audit: type=1400 audit(1462209262.657:3): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1759 
comm="apparmor_parser"
  audit: type=1400 audit(1462209262.657:4): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1759 
comm="apparmor_parser"
  audit: type=1400 audit(1462209262.657:5): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1759 comm="apparmor_parser"
  audit: type=1400 audit(1462209262.657:6): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/connman/scripts/dhclient-script" pid=1759 comm="apparmor_parser"
  audit: type=1400 audit(1462209262.657:7): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/sbin/clamd" pid=1765 
comm="apparmor_parser"
  audit: type=1400 audit(1462209262.673:8): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" 
pid=1767 comm="apparmor_parser"
  audit: type=1400 audit(1462209262.677:9): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/cups/backend/cups-pdf" pid=1768 comm="apparmor_parser"
  audit: type=1400 audit(1462209262.677:10): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1768 
comm="apparmor_parser"
  audit: type=1400 audit(1462209262.677:11): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/sbin/cupsd//third_party" pid=1768 comm="apparmor_parser"
  
  -----------------------------------------------------------------
  Description:    Ubuntu 16.04 LTS
  Release:        16.04
  
  logwatch:
    Installed: 7.4.2-1ubuntu1
    Candidate: 7.4.2-1ubuntu1
    Version table:
   *** 7.4.2-1ubuntu1 500
          500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages
          100 /var/lib/dpkg/status


-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1577948

Title:
  unmatched entries for apparmor STATUS messages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1577948] Re: unmatched entries for apparmor STATUS messages

Reply via email to