Hi,

I'm having problems with the audit rule modifier - it's just not working when used 
alone. I'm trying to enable only logging with this:
audit /home/** a,
audit /home/** w,
By only logging you mean logging of an access but not granting permission?


I mean logging of an access AND granting permission.

ok, I just wanted to be sure as we have had misunderstandings before around 
audit, with people expecting it to only change the auditing behavior and not 
grant permissions.

ie. audit /** w,

as a rule to catch any writes regardless of what other rules are. It would be a 
nice ability to have but the language doesn't allow specifying only the audit 
behavior like this atm.




It should work according to documentation ( 
http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but 
it's doing nothing. I was able to enable logging only with this running in 
complain mode:
audit deny /home/**/*.php a,
audit deny /home/**/*.php w,

These two rules were necessary to get logging in complain mode?


Well, I just read in the docs that 'w' also implies 'a', so only the second line is 
necessary. But yes, I had to use 'audit deny' for logging to work (and, as I 
want to NOT deny the action, I had to use complain mode).

Okay


Audit alone is not working. Is this a known bug? Thanks.

It is not known.

Can you send us the full profile you are using?


Here is the complete profile (I already removed that 'a' line and tested it):

/usr/lib/apache2/mpm-itk/apache2 {
        network,
        capability,
        file,
        audit deny /home/**/*.php w,
}


As I said, I'm running this in complain mode because I don't want to deny the 
action on the last line. I want to use AppArmor only for logging access to files 
via PHP (I will be processing that log later).

Can you please provide the following information to help us diagnose the 
problem?

Kernel version: use the command     uname -a
Parser version: use the command     apparmor_parser -v
State dump from the compiler:  use the command
 apparmor_parser -D dfa-states -QT profile_file 2>states_file

Compiled output of your profile: use either of the following commands
 apparmor_parser -S profile_file  > output_file
 apparmor_parser -o output_file profile_file

* the -o version may not work on older parsers.
* profile_name is the file name where your profile is stored
* states_file and out_file are just files that the output will be dumped in, so 
that you can attach them

Kernel version: 3.2.47
Parser version: 2.7.103 (it was the -V switch)
Client software are packages from Debian Wheezy running on Debian Squeeze. I'm 
using my own kernel patched with grsecurity.

Attaching 3 files from those 3 commands. The last two commands printed this warning 
(probably ok):
Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode

To avoid misunderstanding: I'm currently using this profile (in complain mode):

/usr/lib/apache2/mpm-itk/apache2 {
       network,
       capability,
       file,
       audit deny /home/**/*.php w,
}



But I WANT to use this profile (not in complain mode):
/usr/lib/apache2/mpm-itk/apache2 {
       network,
       capability,
       file,
       audit /home/**/*.php w,
}

Logging is working only in the first one, so I'm forced to use it instead of the 
second one. Hope I'm clear enough. Thank you.

azur

Attachment: states_file
Description: states_file

Attachment: output_file1
Description: output_file1

Attachment: output_file2
Description: output_file2

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
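Added example, not part of the thread: one way to do the later log processing mentioned above, extracting write requests on PHP files under /home from AppArmor audit records for the apache2 profile. The log lines are constructed samples, and the code assumes the usual key=value layout of kernel audit records (quoted values, with values containing spaces hex-encoded and unquoted).

```python
import re

# Constructed sample records (not taken from the attachments in the thread).
P = "/usr/lib/apache2/mpm-itk/apache2"
SAMPLE_LOG = f"""\
type=AVC msg=audit(1372000000.101:10): apparmor="ALLOWED" operation="open" profile="{P}" name="/home/alice/www/index.php" pid=2101 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
type=AVC msg=audit(1372000001.202:11): apparmor="AUDIT" operation="open" profile="{P}" name="/home/bob/site/a.php" pid=2102 comm="apache2" requested_mask="wc" fsuid=1002 ouid=1002
type=AVC msg=audit(1372000002.303:12): apparmor="ALLOWED" operation="open" profile="{P}" name=2F686F6D652F626F622F6D7920736974652F622E706870 pid=2103 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1002 ouid=1002
type=AVC msg=audit(1372000003.404:13): apparmor="ALLOWED" operation="open" profile="{P}" name="/home/bob/site/style.css" pid=2103 comm="apache2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STAMP = re.compile(r"audit\((\d+\.\d+):")

def parse_event(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in ("name", "profile", "comm"):
            # Unquoted string fields are hex-encoded by the audit subsystem.
            try:
                fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                fields[key] = bare          # e.g. a literal (null)
        else:
            fields[key] = bare
    return fields

def php_writes(log_text, profile=P):
    """List (timestamp, verdict, path) for logged write/append requests."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue
        path, mask = ev.get("name", ""), ev.get("requested_mask", "")
        # Simple approximation of the profile glob /home/**/*.php
        if path.startswith("/home/") and path.endswith(".php") and set(mask) & set("wa"):
            ts = STAMP.search(ev.get("msg", ""))
            hits.append((float(ts.group(1)) if ts else None, ev["apparmor"], path))
    return hits

if __name__ == "__main__":
    for hit in php_writes(SAMPLE_LOG):
        print(*hit)
```

The verdict column separates records produced in complain mode (ALLOWED) from those produced by a plain audit rule (AUDIT), so the same script works for either profile variant.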
