mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 15:33:47 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
76105e699c
apparmor.d/docs/report.md
Alexandre Pujol fb29e8ba74
doc: general update.
2024-08-30 20:38:30 +01:00

1.4 KiB
Raw Blame History

title
Report AppArmor logs

The aa-log tool reports all AppArmor DENIED and ALLOWED. It should be used to fix AppArmor related issues.

While testing, if something get wrong, you need to put the profile in complain mode, so that you can investigate, and it does not block your program.

When creating an issue on Github, please post a link to the paste of the audit log generated with:

aa-log -R

??? question "No logs with aa-log?"

If the log file is empty, check that Auditd is running:

```sh
sudo systemctl status auditd.service
```

If Auditd is disabled aa-log will not have new results, you can enable Auditd with:

```sh
sudo systemctl enable auditd.service --now
```

If this command produces nothing, use -s to provide all logs since boot time (provided that journalctl collected them):

aa-log -s -R

??? question "No logs with aa-log -s?"

On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled:

```sh
sudo systemctl enable systemd-journald-audit.socket
```

You can get older logs with:

aa-log -R -f <nb>

Where <nb> is 1, 2, 3 and 4 (the rotated audit log file).