Comment 7 for bug 1577948

Seth Arnold (seth-arnold) wrote : Re: [Bug 1577948] Re: unmatched entries for apparmor STATUS messages

On Thu, Aug 20, 2020 at 11:56:09PM -0000, Bryce Harrington wrote:
> Thanks for the additional information. I've seen the snap profile_*
> messages in my logwatch output as unmatched, but want to understand them
> more before filtering them.
>
> As to the general unconfined entries, how can we best distinguish
> between the normal behavior and exception cases?

Loading and reloading policies happens all the time and can probably be
filtered out in a log summarizing tool. (They might still be bad if an
attacker has replaced policies with ones that are wide-open.)

A quick skim through the kernel sources shows a lot of other possible
info= strings, too many to itemize them all, and also it'd take a while to
figure out which ones could happen with profile=unconfined.

If you want to filter out operation="profile_load" profile="unconfined"
and operation="profile_replace" profile="unconfined" lines, that'd
probably be a good start.

Thanks
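As an added illustration (not code from the bug report, logwatch or the AppArmor project), here is a small Python filter that applies the first-pass rule suggested above: drop STATUS lines with operation="profile_load" or operation="profile_replace" and profile="unconfined", and leave everything else (denials, other operations, other info= strings) unmatched for a human to look at. The log lines are constructed samples in the kernel audit key=value format, not entries from the bug.

```python
import re
from typing import Dict, List

# One key=value field; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Routine policy (re)loads that the reply suggests filtering out as a first step.
ROUTINE_OPERATIONS = {"profile_load", "profile_replace"}


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Turn an apparmor audit line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def is_routine_status(fields: Dict[str, str]) -> bool:
    """True for profile_load/profile_replace STATUS lines from an unconfined context."""
    return (fields.get("apparmor") == "STATUS"
            and fields.get("operation") in ROUTINE_OPERATIONS
            and fields.get("profile") == "unconfined")


def unmatched_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed apparmor lines that are NOT routine and still need review."""
    kept = []
    for line in lines:
        if 'apparmor="' not in line:
            continue  # not an apparmor audit message at all
        fields = parse_apparmor_line(line)
        if not is_routine_status(fields):
            kept.append(fields)
    return kept


# Constructed sample lines (kernel audit format); the values are made up for this example.
SAMPLE_LINES = [
    'audit: type=1400 audit(1597968000.101:20): apparmor="STATUS" operation="profile_load" '
    'profile="unconfined" name="snap.core.hook.configure" pid=2001 comm="apparmor_parser"',
    'audit: type=1400 audit(1597968000.102:21): apparmor="STATUS" operation="profile_replace" '
    'info="same as current profile, skipping" profile="unconfined" name="/usr/bin/man" pid=2002 comm="apparmor_parser"',
    'audit: type=1400 audit(1597968000.103:22): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/shadow" pid=2003 comm="cupsd" requested_mask="r" denied_mask="r"',
    'audit: type=1400 audit(1597968000.104:23): apparmor="STATUS" operation="profile_remove" '
    'profile="unconfined" name="snap.core.hook.configure" pid=2004 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for entry in unmatched_entries(SAMPLE_LINES):
        print(entry["apparmor"], entry["operation"], entry.get("profile"), entry.get("name"))
```

Of the four sample lines, only the DENIED open and the profile_remove STATUS line survive the filter; the two routine loads are dropped.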