[Apparmor-general] My AA is logging to syslog instead of /var/log/audit/audit.log [solved]
Carlos E. R.
robin.listas at telefonica.net
Thu Jan 31 19:06:34 MST 2008
On Thursday 2008-01-31 at 17:32 -0800, John Johansen wrote:
>> Hi,
>>
>> I was tuning the syslog profile, when suddenly errors stopped going to
>> /var/log/audit/audit.log, and the wizard said there were no errors
>> logged: I had to put my profile in complain mode instead of enforce.
>>
>> Hours later I noticed that the errors are being logged to the kernel
>> syslog instead.
>>
>> I have not changed the global configuration:
> It sounds like the audit daemon was shutdown, froze or crashed. This
> will result in kernel audit messages being diverted to syslog.
But I have rebooted three times meanwhile!
> in a terminal do
>> ps aux | grep auditd
> root 2051 0.0 0.0 0 0 ? S< Jan27 0:00 [kauditd]
> root 3201 0.0 0.0 9956 452 ? S<sl Jan27 0:00 /sbin/auditd -s disable
> jj 7858 0.0 0.0 2976 728 pts/6 S+ 17:25 0:00 grep auditd
>
> it should give output similar to what is above
No, no auditd.
nimrodel:~ # ps afxu| grep audit
root 1955 0.0 0.0 0 0 ? S< 01:19 0:00 \_ [kauditd]
root 5802 6.2 3.1 39960 32128 tty7 Ss+ 01:23 5:42 \_ /usr/bin/X :0 -audit 0 -br -auth /var/lib/gdm/:0.Xauth -nolisten tcp vt7
root 1044 0.0 0.0 2036 512 pts/20 D+ 02:55 0:00 | | \_ grep audit
>
> to restart the audit deamon as root in a terminal do
>
>> rcauditd restart
nimrodel:~ # rcauditd start
Starting auditd startproc: exit status of parent of /sbin/auditd: 6
nimrodel:~ # rcauditd status
Checking for service auditd unused
Ah! At last I saw something!
Feb 1 02:56:12 nimrodel auditd: /var/log/audit/audit.log permissions should be 0640
nimrodel:~ # rm /var/log/audit/audit.log
nimrodel:~ # rcauditd start
Starting auditd done
nimrodel:~ # rcauditd status
Checking for service auditd running
>> What did I do? What do I change now? The wizard doesn't work now :-/
Now I know. I gzipped the existing log to have a new start and touched a new
one. It doesn't like that, I see.
Thanks!
> hrmm, I know the wizard should work with syslog but it may not if an
> /var/log/audit/audit.log exists.
That was the case, a 0 bytes log.
> You could delete the existing audit.log and the wizard should pickup the
> entries in syslog.
No, a new one was created. I prefer it this way. I think. Dunno... the
problem with AA is that you forget it exists, till you notice something
not working... if perchance you look at the audit log and see there a
denial of permission. Sometimes I take hours or days to think that the
"culprit" is AA, because I had forgotten its existence! :-)
--
Cheers,
Carlos E. R.
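The checks John walks Carlos through, as an added shell example that is not part of the thread or of the audit or AppArmor projects: is the audit daemon itself running (a substring grep for "audit" also matches the kauditd kernel thread and, in Carlos's output, an X server started with "-audit 0", neither of which is the daemon), does the existing audit.log have the 0640 mode auditd insists on before it will start, and is there a zero-byte audit.log that makes the wizard look in the wrong place. The log path, the 0640 requirement and the rcauditd script name come from the thread; GNU coreutils (stat -c, mktemp) and procps (pgrep) are assumptions, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Diagnoses the two failures seen in the
# thread: auditd not running, so kernel audit records (AppArmor denials among
# them) are diverted to syslog, and a hand-made audit.log that auditd refuses
# because its mode is not 0640. Assumes GNU stat -c and procps pgrep.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"   # path from the thread

# True if the audit daemon is running. Match the exact process name: "grep
# audit" also hits the [kauditd] kernel thread, which exists without auditd.
auditd_running() {
    pgrep -x auditd >/dev/null 2>&1
}

# Check the log file the way auditd does at startup: mode must be exactly 0640
# (it logs "permissions should be 0640" and exits otherwise). Ownership is not
# checked here; on a real system the file must also belong to root.
# Returns 0 ok, 1 wrong mode, 2 file absent (auditd creates it on start).
audit_log_mode() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "640" ]
}

# A zero-byte audit.log (left behind by gzipping the old log and touching a
# new one) makes the AppArmor wizard read it and report no events, although
# the events are in syslog. Returns 0 when that trap is present.
audit_log_is_empty_stub() {
    f="$1"
    [ -e "$f" ] && [ ! -s "$f" ]
}

# Print one line per finding with the fix; returns 0 only if nothing is wrong.
diagnose() {
    f="${1:-$AUDIT_LOG}"
    rc=0
    if ! auditd_running; then
        echo "auditd is not running: kernel audit records are going to syslog"
        echo "  fix: rcauditd start, then check syslog for the reason if it fails"
        rc=1
    fi
    m=0
    audit_log_mode "$f" || m=$?
    case $m in
        1) echo "$f: mode $(stat -c '%a' "$f"), auditd wants 0640"
           echo "  fix: chmod 0640 '$f' (owner must be root), or rm it and restart auditd"
           rc=1 ;;
        2) echo "$f: absent, auditd will create it with the right mode" ;;
    esac
    if audit_log_is_empty_stub "$f"; then
        echo "$f: zero bytes, the wizard will read it instead of syslog"
        echo "  fix: rm '$f' and restart auditd"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: auditd running, $f acceptable"
    return "$rc"
}

# Run the diagnosis on a given path when invoked with an argument, e.g.
#   sh audit_check.sh /var/log/audit/audit.log
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

Running it as root on the machine in the thread would have reported the missing daemon and the 0644 zero-byte log in one go, instead of the "no errors logged" the wizard showed.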