[apparmor] wrong loggingtime in apparmorlog
John Johansen
john.johansen at canonical.com
Fri Jan 30 15:38:07 UTC 2015
On 01/30/2015 12:52 AM, Hajo Locke wrote:
> Hello,
>
> system is Ubuntu14.04 and apparmor 2.8.95~2430-0ubuntu5.1
>
> Sometimes i see wrong time in my apparmor-logs.
> example: current date is "Fr 30. Jan 09:23:01 CET 2015"
>
> The apparmor-log logs these line in same moment:
>
> Jan 30 10:49:20 myhostname kernel: type=1400 audit(1422606208.759:6742033): apparmor="DENIED" operation="open" ..............
> The timestamp 1422606208 in brackets is correct.
>
> Other logs like syslog/maillog written by syslog are ok and look normal.
> I think i do not something special in my apparmor-confs, just denying some binaries.
>
> audit deny /bin/programname x,
>
> After rebooting problem is gone for unknown time but will return. It seems that difference of realtime and loggingtime increases by uptime of server.
>
> Somebody knows what happens here?
>
Interesting, with the timestamp being correct, I am guessing it is something
to do with timezones. I'll have to dig into audit to say much more. AppArmor
uses the audit subsystem to do its logging, and it is the audit subsystem
that is handling the event time.
More information about the AppArmor
mailing list