Control: retitle -1 Consider recommending auditd

Harald Dunkel (2022-09-07):
> This is not about fine-tuning apparmor profiles or avoiding certain
> packages. It's about adding auditd to Recommends to make apparmor less
> noisy.

OK, retitling accordingly then.

I'll now summarize my understanding of the problem space.

Recommending auditd would work around at least 2 problems:

 - On some systems, the configured AppArmor policy sends many log
   messages to syslog, which makes it more difficult to see other,
   potentially more relevant, log messages in dmesg, syslog, and
   kern.log. That is, what this bug report was originally about.

   Impact: with the data I have in hand, I doubt this practically
   affects many Debian users.

 - The AppArmor userspace tools currently don't support systems that
   run systemd-journald, but neither syslogd nor auditd (#866340,
   https://gitlab.com/apparmor/apparmor/-/issues/213).

   Impact: if (or as long as) we install a syslogd implementation by
   default, this impacts very few Debian users. Do we?

Currently known drawbacks of recommending auditd:

 - It makes the systemd Journal more noisy: 237 on a basic sid test
   system, just booting and logging into GNOME (excluding the 75
   AppArmor ones).

   Impact: this introduces a regression that's of the same nature as
   the problem this bug report was originally about, but it'll impact
   everyone querying the systemd Journal, even with common system
   configurations.

 - Users used to monitoring AppArmor logs in dmesg, syslog, or
   kern.log, won't find them there anymore.

   Impact: I'm worried this may impact production monitoring systems
   and confuse a number of users.

   Mitigation: a NEWS.Debian entry seems necessary and sufficient
   to me.

Open questions:

 - This would run auditd by default on most Debian systems. It would
   be good to check with the auditd maintainers if they're fine with
   that (e.g. additional workload) and whether they're aware of other
   potential drawbacks.

My current conclusion (that can of course change as I become aware of
more data): I'm not convinced that installing auditd by default on
Debian would solve more AppArmor usability problems than it would
create.
But a "Suggests" seems well deserved: at least for some use cases,
auditd *is* the best solution.

Cheers,
-- 
intrigeri