[pkg-apparmor] Bug#1017595: Bug#1017595: Bug#1017595: please make apparmor less noisy

intrigeri intrigeri at debian.org
Sat Dec 10 17:54:05 GMT 2022


Control: retitle -1 Consider recommending auditd

Harald Dunkel (2022-09-07):
> This is not about fine-tuning apparmor profiles or avoiding certain
> packages. It's about adding auditd to Recommends to make apparmor less
> noisy.

OK, retitling accordingly then.

I'll now summarize my understanding of the problem space.

Recommending auditd would work around at least 2 problems:

 - On some systems, the configured AppArmor policy sends many log
   messages to syslog, which makes it more difficult to see other,
   potentially more relevant, log messages in dmesg, syslog, and
   kern.log. That is, what this bug report was originally about.

   Impact: with the data I have in hand, I doubt this practically
   affects many Debian users.

 - The AppArmor userspace tools currently don't support systems that
   run systemd-journald, but neither syslogd nor auditd (#866340,
   https://gitlab.com/apparmor/apparmor/-/issues/213).

   Impact: if (or as long as) we install a syslogd implementation by
   default, this impacts very few Debian users. Do we?

Currently known drawbacks of recommending auditd:

 - It makes the systemd Journal more noisy: 237 on a basic sid test
   system, just booting and logging into GNOME (excluding the 75
   AppArmor ones).

   Impact: this introduces a regression that's of the same nature as
   the problem this bug report was originally about, but it'll impact
   everyone querying the systemd Journal, even with common
   system configurations.

 - Users used to monitoring AppArmor logs in dmesg, syslog, or kern.log
   won't find them there anymore.

   Impact: I'm worried this may impact production monitoring systems
   and confuse a number of users.

   Mitigation: a NEWS.Debian entry seems necessary and sufficient
   to me.

Open questions:

 - This would run auditd by default on most Debian systems. It would
   be good to check with the auditd maintainers if they're fine with
   that (e.g. additional workload) and whether they're aware of other
   potential drawbacks.

My current conclusion (that can of course change as I become aware of
more data): I'm not convinced that installing auditd by default on
Debian would solve more AppArmor usability problems than it would
create. But a "Suggests" seems well deserved: at least for some use
cases, auditd *is* the best solution.

Cheers,
-- 
intrigeri


