On Thu, Aug 18, 2022 at 09:46:39AM +0200, Harald Dunkel wrote:

> apparmor writes a bazillion of log entries to dmesg and
> /var/log/kern.log, hiding other important messages. Do you think
> it would be reasonable to add auditd to the Recommends list?
I'm slightly in favour of this, yes. One downside is that dbus apparmor
enforcement doesn't go through the audit system; those entries will still
show up in the syslog pile, so log entries are split. But I think it's still
a net win to move most of the logging to something less prone to dropping
log entries.

I realize 'noisy' is in the ears of the listener :) but I suspect your
policy could use some tuning for your use. From a few of my own systems:

$ grep -c -i apparmor /var/log/syslog
18
$ grep -c -i apparmor /var/log/audit/audit.log
110

$ grep -c -i apparmor /var/log/audit/audit.log
36

$ grep -c -i apparmor /var/log/audit/audit.log
354

(This last one covers 76 days of audit logs.)

Anyway, if you ask in #apparmor on irc.oftc.net someone may be able to
suggest policy changes to reduce the noise.

Thanks
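The reply above counts AppArmor records in audit.log with a bare grep. To find which profile and operation generate most of the noise (the input to any policy tuning), the records can be grouped by their apparmor=, profile= and operation= fields. The script below is an added example, not code from the thread or from the AppArmor project; it assumes the usual auditd record layout with key="value" fields, and the audit lines it works on are constructed samples written to a temporary file, not real logs.

```shell
#!/bin/sh
# Added example: group AppArmor audit records by mode, profile and operation
# so the rules producing the most entries can be identified and tuned.
# Assumes auditd's key="value" record layout; sample records are constructed.

AUDIT_SAMPLE=$(mktemp)
trap 'rm -f "$AUDIT_SAMPLE"' EXIT
cat >"$AUDIT_SAMPLE" <<'EOF'
type=AVC msg=audit(1660812345.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1660812346.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/var/log/cups/error_log" pid=1201 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1660812347.103:203): apparmor="DENIED" operation="exec" profile="/usr/sbin/cupsd" name="/usr/bin/perl" pid=1201 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1660812348.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1660812349.105:205): arch=c000003e syscall=59 success=yes exit=0
EOF

# Count AppArmor records with a given mode: "DENIED", "ALLOWED", or "" for all.
# grep -c prints 0 and exits non-zero when nothing matches; "|| true" keeps
# that a normal result under "set -e".
count_apparmor() {  # $1 = audit file, $2 = mode prefix
    grep -c "apparmor=\"${2}" "$1" || true
}

# Print "count mode profile operation", most frequent first. Only the three
# fields of interest are parsed; surrounding quotes are stripped.
summarize_apparmor() {  # $1 = audit file
    awk '
        /apparmor="/ {
            mode = ""; prof = ""; op = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "apparmor")       mode = kv[2]
                else if (kv[1] == "profile")   prof = kv[2]
                else if (kv[1] == "operation") op   = kv[2]
            }
            gsub(/"/, "", mode); gsub(/"/, "", prof); gsub(/"/, "", op)
            counts[mode " " prof " " op]++
        }
        END { for (k in counts) print counts[k], k }
    ' "$1" | sort -rn
}

# Stand-alone run: overall counts followed by the per-rule breakdown.
echo "AppArmor records: $(count_apparmor "$AUDIT_SAMPLE" "")"
echo "DENIED records:   $(count_apparmor "$AUDIT_SAMPLE" DENIED)"
summarize_apparmor "$AUDIT_SAMPLE"
```

Pointed at a real file (summarize_apparmor /var/log/audit/audit.log), the top lines of the breakdown are the candidates for a policy change or a deny rule; note that a denied_mask on a record marked ALLOWED indicates a profile in complain mode, which is often the source of a large share of the volume.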