[pkg-apparmor] Bug#1017595: Bug#1017595: please make apparmor less noisy

Seth Arnold seth.arnold at canonical.com
Fri Aug 19 02:21:16 BST 2022


On Thu, Aug 18, 2022 at 09:46:39AM +0200, Harald Dunkel wrote:
> apparmor writes a bazillion of log entries to dmesg and
> /var/log/kern.log, hiding other important messages. Do you think it would be
> reasonable to add auditd to the Recommends list?

I'm slightly in favour of this, yes. One downside is that dbus apparmor
enforcement doesn't go through the audit system; they'll still show up in
the syslog pile, so log entries are split. But I think it's still a net
win to move most of the logging to something less prone to dropping log
entries.

I realize 'noisy' is in the ears of the listener :) but I suspect your
policy could use some tuning for your use. From a few of my own systems:

$ grep -c -i apparmor /var/log/syslog
18

$ grep -c -i apparmor /var/log/audit/audit.log
110

$ grep -c -i apparmor /var/log/audit/audit.log
36

$ grep -c -i apparmor /var/log/audit/audit.log
354

(This last one covers 76 days of audit logs.)

Anyway, if you ask in #apparmor on irc.oftc.net someone may be able to
suggest policy changes to reduce the noise.

Thanks
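
An added example, not part of the original message: where the grep counts above only say how many AppArmor lines there are, this sketch tallies them per status, profile and operation, which is what shows where the policy needs tuning. The function names and all sample log lines are constructed for illustration; reading the profile from `label=` on dbus-daemon lines is an assumption about that message format.

```python
import re
from collections import Counter

# key="value" or key=value pairs, as used in AppArmor records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor(line):
    """Return the record's fields as a dict, or None if not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}
    return fields if 'apparmor' in fields else None

def noisiest(lines, top=5):
    """Count events per (status, profile, operation), most frequent first."""
    counts = Counter()
    for line in lines:
        fields = parse_apparmor(line)
        if fields is None:
            continue
        # Kernel/audit records carry profile=; dbus-daemon lines are assumed
        # to carry the confined task's profile in label= instead.
        profile = fields.get('profile') or fields.get('label', '?')
        counts[(fields['apparmor'], profile, fields.get('operation', '?'))] += 1
    return counts.most_common(top)

# Constructed sample lines: kern.log style, audit.log style, a dbus-daemon
# syslog line, and one unrelated kernel message.
SAMPLE = '''\
Aug 18 09:46:39 host kernel: [ 1012.345678] audit: type=1400 audit(1660808799.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/proc/1/stat" pid=901 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1660808801.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/proc/2/stat" pid=901 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1660808802.789:47): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/example" pid=950 comm="apparmor_parser"
Aug 18 09:46:45 host dbus-daemon[812]: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/example" interface="org.example.Iface" member="Get" mask="send" name="org.example" pid=1203 label="example-client" peer_pid=812 peer_label="unconfined"
Aug 18 09:46:50 host kernel: [ 1023.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
'''.splitlines()

if __name__ == '__main__':
    for (status, profile, operation), count in noisiest(SAMPLE):
        print(f'{count:5d}  {status:8s} {profile:20s} {operation}')
```

A profile and operation pair that dominates the tally is the first candidate for a policy change.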