audit-userspace icon indicating copy to clipboard operation
audit-userspace copied to clipboard
verified publisher icon linux-audit

Add definitions for messages that started appearing in Ubuntu 22.04

Open hillu opened this issue 3 years ago • 2 comments

These seem to have been introduced in a patchset "LSM: Module stacking for AppArmor" (https://lkml.org/lkml/2022/4/18/1558) that has not been merged upstream yet.

hillu avatar May 27 '22 10:05 hillu

I was going to do an update once they are merged upstream. My recollection was that this was going into kernel-next for some testing before going to main line.

stevegrubb avatar May 27 '22 19:05 stevegrubb

Since the patch is in Ubuntu's kernel already, the following log lines are pretty widespread.

type=UNKNOWN[1420] msg=audit(1659685796.323:886): subj_apparmor=unconfined

To be honest, we have an own level of suffering with this due post-processing of the logs, which might not be relevant for the majority of Auditd users. I would understand if you want to leave it out for now. A merge into the following minor release would be greatly appreciated, though. It think it would raise the likelyhood of Canonical update their Auditd-version quickly.

disasmwinnie avatar Aug 05 '22 08:08 disasmwinnie

I think the module stacking patch was withdrawn some time last year. I think we can close this out.

stevegrubb avatar Jul 25 '23 19:07 stevegrubb