[apparmor] Making AppArmor work with audit's ausearch
Vincas Dargis
vindrg at gmail.com
Sun Nov 27 11:06:31 UTC 2016
Hi,
Some (quite) time ago I asked the Audit developers about the issue that ausearch fails to "grep" AppArmor events from the audit
log. For example, "ausearch -m AVC" does not return anything while "apparmor="DENIED"" messages are in the log.
Actually, even "ausearch -m ALL" does not contain any AppArmor-produced messages. I've just checked on current Debian
Testing (AppArmor 2.10.95) and the behaviour is the same.
I was informed [1] that it's an AppArmor problem and that it has something to do with message types that are allocated
for AppArmor, but are not (properly?) used..?
Anyway, I can't comment here too much as I might misunderstand the details, but I would like to ask: is there any
progress in making AppArmor work with ausearch? Or maybe it's already fixed in the trunk..?
It would be really nice to have it working on Debian 9 (freeze is on 2017-01-05 [2]), though I am not sure if it is
realistic to hope for.
Thanks!
[1] https://www.redhat.com/archives/linux-audit/2016-April/msg00129.html
[2] https://wiki.debian.org/DebianStretch