Sorry, AppArmor auditing will not be disabled by default. Generally it indicates a violation of security policy, which really does need to be audited. However, we can split policy into two broad classes: policy that is being enforced, and policy that is in complain/allow/learning mode. Unfortunately, at this time auditing of the two classes cannot be controlled separately. Disabling auditing of the complain messages also disables the policy violation denials.
Generally speaking, profiles should not be shipped in complain mode. Complain mode, as you have noted, is for profile development. Sometimes a profile may be shipped in complain mode so it can have a cycle in the real world, to gain additional feedback, before being put into enforce mode. This is done in an effort to not break people's systems. When this is done the profile should be well enough tested that on most systems it does not generate any messages. However, when it does, as you have noted, it can be rather noisy.

The messages are actionable by a user with admin privileges. The user can manually generate profile rules from the log message, or can use the apparmor utils to do it for them. From the utils the user has two choices: apparmor-notify, or aa-genprof/aa-logprof in the apparmor-utils package. Of the two, apparmor-notify is more average-user friendly, while aa-genprof/aa-logprof are for interactive profile development.

We are aware that apparmor complain mode logging on users' systems can result in a bad experience. There is work going on to address this by allowing for better message deduplication, storing of complain messages to an alternate stream other than the audit logs, and also adding the ability to quiet complain messages separately from denied messages. In the meantime you have multiple options to reduce the log messages you are seeing.

1. You can quiet apparmor logging:

     echo -n > /sys/module/apparmor/parameters/audit

   As previously noted, this will also quiet the denied messages. This can also be added to your grub configuration by adding the parameter apparmor.audit=quiet

2. You can update the profile based on the messages.

   2.1 Install apparmor-notify:

     $ cp /etc/apparmor/notify.conf ~/.config/apparmor/

   Edit ~/.config/apparmor/notify.conf to comment out

     filter.profile="^(?!snap[._-])"
     filter.operation="userns"

   Restart aa-notify, or log out and log back in.
   The editing of apparmor-notify's config is an unfortunate necessity atm, as its default config is set to trigger only for unprivileged user namespace denials.

   2.2 Install apparmor-utils. From a terminal run

     sudo aa-logprof -a

   to allow everything in the logs.

3. You can enforce the profile. This is not guaranteed to reduce the amount of messages without updating the profile, as applications may continue running when accesses are denied, but it does generally reduce the volume of messages. If you have apparmor-utils installed you can do

     sudo aa-enforce application-name

4. You can remove the profile in question:

     sudo apparmor_parser -r /etc/apparmor.d/profile_file

   although this may have unintended consequences, as profiles do have interdependencies, so that removing one may result in other things breaking.

5. If you have auditd installed you can use audit filter rules to filter out the apparmor="ALLOWED" messages.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2117338

Title: Tremendous amount of apparmor audit spam in the kernel log

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
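As an added illustration (not part of the bug report or of the AppArmor project), the script below shows the triage step behind options 2 and 5: it deduplicates a constructed sample of kernel-log audit lines into one row per (verdict, profile, operation, name), so the complain-mode ALLOWED noise that aa-logprof would turn into rules is separated from real DENIED events. The profile names, paths and pids in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of kernel-log AppArmor audit lines (made-up profiles, paths, pids).
SAMPLE_LOG='audit: type=1400 audit(1720000000.101:11): apparmor="ALLOWED" operation="open" class="file" profile="example_app" name="/etc/ld.so.cache" pid=101 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1720000000.102:12): apparmor="ALLOWED" operation="open" class="file" profile="example_app" name="/etc/ld.so.cache" pid=101 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1720000000.103:13): apparmor="ALLOWED" operation="userns_create" class="namespace" profile="example_app" pid=101 comm="app" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1720000000.104:14): apparmor="DENIED" operation="open" class="file" profile="other_app" name="/etc/shadow" pid=202 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1720000000.105:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="example_app" pid=7 comm="apparmor_parser"'

# Read audit lines on stdin; print one row per distinct
# (verdict, profile, operation, name) with its count, so a flood of
# identical complain-mode messages collapses to a single row.
# STATUS lines (profile loads) are not policy events and are skipped.
summarize_apparmor_log() {
    awk '
    function field(k,   s) {           # value of k="..." on the current line, or "-"
        if (match($0, " " k "=\"[^\"]*\"")) {
            s = substr($0, RSTART + length(k) + 3, RLENGTH - length(k) - 4)
            return s
        }
        return "-"
    }
    match($0, /apparmor="[A-Z]+"/) {
        verdict = substr($0, RSTART + 10, RLENGTH - 11)
        if (verdict != "ALLOWED" && verdict != "DENIED") next
        key = verdict " " field("profile") " " field("operation") " " field("name")
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Number of distinct rows for one verdict (ALLOWED = complain-mode noise that
# aa-logprof would turn into rules, DENIED = enforce-mode rejections).
count_rows() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor_log | grep -c "^$1 " || true
}

# Current state of the kernel audit switch from option 1 (read-only; the
# file only exists on a system with AppArmor loaded).
apparmor_audit_mode() {
    cat /sys/module/apparmor/parameters/audit 2>/dev/null || echo unavailable
}

printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor_log
echo "audit mode: $(apparmor_audit_mode)"
```

On a live system, replace the sample with `dmesg | grep apparmor=` (or the audit log) on stdin; the two identical open lines collapse to one row with count 2, and the STATUS line disappears.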