[Apparmor-general] My AA is loging to syslog instead of /var/log/audit/audit.log

John Johansen jjohansen at suse.de
Thu Jan 31 18:32:46 MST 2008



Carlos E. R. wrote:
> 
> 
> Hi,
> 
> I was tuning the syslog profile, when suddenly errors stopped going to
> /var/log/audit/audit.log, and the wizard said there were no errors
> logged: I had to put my profile in complain mode instead of enforce.
> 
> Hours later I noticed that the errors are being logged to the kernel
> syslog instead.
> 
> I have not changed the global configuration:

It sounds like the audit daemon was shut down, froze or crashed.  This
will result in kernel audit messages being diverted to syslog.

in a terminal do
> ps aux | grep auditd
root 2051 0.0 0.0    0    0 ?     S<   Jan27  0:00 [kauditd]
root 3201 0.0 0.0 9956  452 ?     S<sl Jan27  0:00 /sbin/auditd -s disable
jj   7858 0.0 0.0 2976  728 pts/6 S+   17:25   0:00 grep auditd

it should give output similar to what is above

to restart the audit daemon as root in a terminal do

> rcauditd restart

> 
> -rw-r----- 1 root root 373 Sep 21 23:51 /etc/audit/audit.rules
> -rw-r----- 1 root root 448 Sep 21 23:51 /etc/audit/auditd.conf
> 
> -rw-r--r-- 1 root root  3868 Sep 22 00:05 /etc/apparmor/logprof.conf
> -rw-r--r-- 1 root root     0 Jan 31 02:05 /etc/apparmor/notify.cfg
> -rw-r--r-- 1 root root   955 Sep 16 23:16 /etc/apparmor/reports.conf
> -rw-r--r-- 1 root root   179 Sep 16 23:16 /etc/apparmor/reports.crontab
> -rw------- 1 root root    44 Dec 24 00:39 /etc/apparmor/repository.conf
> -rw-r--r-- 1 root root 10398 Sep 22 00:05 /etc/apparmor/severity.db
> -rw-r--r-- 1 root root  2032 Dec 20 00:15 /etc/apparmor/subdomain.conf
> 
> 
> They are the original files... Only this one is changed, and is in
> complain mode
> 
> /etc/apparmor.d/sbin.syslog-ng:
> 
> #include <tunables/global>
> /sbin/syslog-ng flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/consoles>
>   #include <abstractions/nameservice>
> 
>   capability chown,
>   capability dac_override,
>   capability fowner,
>   capability fsetid,
> 
>   /dev/log w,
>   /dev/tty10 rw,
>   /dev/xconsole rw,
>   /etc/syslog-ng/* r,
>   /sbin/syslog-ng mr,
>   /usr/local/bin/syslog-askandlogrouterip rUx,
>   /var/lib/*/dev/log w,
>   /var/log/** w,
>   /var/run/syslog-ng.pid w,
> }
> 
> 
> 
> 
> What did I do? What do I change now? The wizard doesn't work now :-/
> 
hrmm, I know the wizard should work with syslog but it may not if a
/var/log/audit/audit.log exists.

You could delete the existing audit.log and the wizard should pick up the
entries in syslog.

cheers
john

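As an added example (not code from the thread or from the AppArmor project), a small POSIX shell check that encodes John's diagnosis: given `ps aux` output it decides whether the userspace auditd is alive and therefore whether AppArmor records are landing in /var/log/audit/audit.log or being diverted to syslog. It assumes the standard `ps aux` column layout and that syslog writes kernel messages to /var/log/messages on the host.

```shell
#!/bin/sh
# Added example, not part of the thread. The two lines that a plain
# `ps aux | grep auditd` also matches, the [kauditd] kernel thread and the
# grep itself, are ignored so they cannot produce a false "running" verdict:
# kauditd is always present, even when the userspace daemon has crashed.

# auditd_running PS_OUTPUT  ->  exit 0 if /sbin/auditd (or auditd) is listed
auditd_running() {
    printf '%s\n' "$1" | awk '
        $11 == "[kauditd]" { next }    # kernel thread, alive even when auditd is down
        $11 ~ /grep/       { next }    # the grep command from the pipeline itself
        $11 ~ /\/auditd$/ || $11 == "auditd" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# apparmor_log_path PS_OUTPUT  ->  file the profile wizard should be reading
# Assumption: syslog stores kernel messages in /var/log/messages on this host.
apparmor_log_path() {
    if auditd_running "$1"; then
        echo /var/log/audit/audit.log
    else
        echo /var/log/messages
    fi
}

# Constructed sample ps output, shaped like the listing in the reply above.
PS_AUDITD_UP='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2051 0.0 0.0 0 0 ? S< Jan27 0:00 [kauditd]
root 3201 0.0 0.0 9956 452 ? S<sl Jan27 0:00 /sbin/auditd -s disable
jj 7858 0.0 0.0 2976 728 pts/6 S+ 17:25 0:00 grep auditd'

# Constructed: same host after auditd died; kauditd and the grep still match.
PS_AUDITD_DOWN='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2051 0.0 0.0 0 0 ? S< Jan27 0:00 [kauditd]
jj 7858 0.0 0.0 2976 728 pts/6 S+ 17:25 0:00 grep auditd'

# Run against the real process table when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    apparmor_log_path "$(ps aux)"
fi
```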