mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
80 lines
2.4 KiB
Groff
80 lines
2.4 KiB
Groff
|
.\" Automatically generated by Pandoc 3.1.9
|
||
|
.\"
|
||
|
.TH "aa-log" "8" "September 2024" "" ""
|
||
|
.SH NAME
|
||
|
aa-log \[em] Review AppArmor generated messages in a colorful way.
|
||
|
.SH SYNOPSIS
|
||
|
\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]]
|
||
|
.SH DESCRIPTION
|
||
|
Review AppArmor generated messages in a colourful way.
|
||
|
Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R]
|
||
|
as well as \f[I]dbus session\f[R] events.
|
||
|
.PP
|
||
|
It can be given an optional profile name to filter the output with.
|
||
|
.PP
|
||
|
It can be used to generate AppArmor rules from the logs and it therefore
|
||
|
an alternative to \f[CR]aa-logprof(8)\f[R].
|
||
|
The generated rules should be manually reviewed and inserted into the
|
||
|
profile.
|
||
|
.PP
|
||
|
Default logs are read from \f[CR]/var/log/audit/audit.log\f[R].
|
||
|
Other files in \f[CR]/var/log/audit/\f[R] can easily be checked:
|
||
|
\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R]
|
||
|
.SH OPTIONS
|
||
|
\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]]
|
||
|
.TP
|
||
|
[\f[I]profile\f[R]]
|
||
|
Optional profile name to filter the output with.
|
||
|
.TP
|
||
|
\f[CR]--file\f[R], \f[CR]-f\f[R]
|
||
|
Set a logfile or a suffix to the default log file.
|
||
|
.TP
|
||
|
\f[CR]--systemd\f[R], \f[CR]-s\f[R]
|
||
|
Parse systemd logs from journalctl.
|
||
|
Provides all AppArmor logs since the last boot.
|
||
|
.TP
|
||
|
\f[CR]--rules\f[R], \f[CR]-r\f[R]
|
||
|
Convert the log into AppArmor rules.
|
||
|
.TP
|
||
|
\f[CR]--raw\f[R], \f[CR]-R\f[R]
|
||
|
Print the raw log without any formatting.
|
||
|
Useful for reporting logs.
|
||
|
.TP
|
||
|
\f[CR]--help\f[R], \f[CR]-h\f[R]
|
||
|
Print the program usage.
|
||
|
.SH USAGE
|
||
|
To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]:
|
||
|
.IP
|
||
|
.EX
|
||
|
aa-log
|
||
|
.EE
|
||
|
.PP
|
||
|
To optionally filter a given profile name:
|
||
|
\f[CR]aa-log <profile-name>\f[R] (your shell will autocomplete the
|
||
|
profile name):
|
||
|
.IP
|
||
|
.EX
|
||
|
$ aa-log dnsmasq
|
||
|
DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
|
||
|
DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
|
||
|
DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
|
||
|
.EE
|
||
|
.PP
|
||
|
To generate AppArmor rule:
|
||
|
.IP
|
||
|
.EX
|
||
|
$ aa-log -r dnsmasq
|
||
|
profile dnsmasq {
|
||
|
\[at]{PROC}/\[at]{pid}/environ r,
|
||
|
\[at]{PROC}/cmdline r,
|
||
|
\[at]{PROC}/sys/kernel/osrelease r,
|
||
|
}
|
||
|
.EE
|
||
|
.SH SEE ALSO
|
||
|
\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R],
|
||
|
\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R],
|
||
|
\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R],
|
||
|
\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io.
|
||
|
.SH AUTHORS
|
||
|
aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io).
|