On Friday, April 29, 2016 10:03:02 AM Vincas Dargis wrote:
> There was an email about fixing ausearch for AppArmor:
> https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html
> Is there any progress regarding that issue?

You'll have to ask the AppArmor folks. I gave them a whole block of numbers to
use for their own purposes so that we don't have any problems. If they instead
create malformed SE Linux events, then things will never work right unless
they patch them. I don't plan to carry a patch in the main utility because it
completely violates all audit assumptions.
The main rule is that all audit records of the same type have to have the
exact same fields, in the same order, with the same format or no one can
analyze the events. You have to think of each record as a database table. Each
record is a row, each field is a column.

> I have tried to search for AVC on Debian Testing (auditd 2.4.5), and
> it fails to "grep" me AppArmor related events.
>
> P.S. How do I actually reply to the original thread that I did not
> receive, since I just subscribed? I thought I could maybe find the raw
> message in the archive https://www.redhat.com/archives/linux-audit/ but
> there aren't any (no such message in 2014-May/Jun gz). Oh how I hate
> using mailing lists so much... /rant.

Just start a new one. Why worry?
-Steve
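
The "each record type is a table, each field is a column" rule from the reply above can be checked mechanically. The following is an added example, not part of the original message or of the audit tools: it groups records by `type=` and reports any type whose records do not all carry the same field names in the same order. The log lines are constructed and simplified, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, simplified audit records for illustration (not from a real log).
SAMPLE_LOG = """\
type=AVC msg=audit(1461920582.101:201): avc:  denied  { read } for  pid=811 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1461920583.412:202): avc:  denied  { write } for  pid=902 comm="sshd" name="log" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1461920584.007:203): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1320 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=CWD msg=audit(1461920585.300:204): cwd="/root"
type=CWD msg=audit(1461920586.950:205): cwd="/var/www"
"""

# Record header: type, then msg=audit(timestamp:serial):, then the field body.
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\([\d.]+:\d+\):\s*(.*)$')
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"[^"]*"|\S+)')

def field_layouts(log_text):
    """Map each record type to the set of distinct ordered field-name tuples seen."""
    layouts = defaultdict(set)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines
        rec_type, body = m.groups()
        layouts[rec_type].add(tuple(FIELD_RE.findall(body)))
    return dict(layouts)

def inconsistent_types(log_text):
    """Record types whose rows do not all share one column layout."""
    return sorted(t for t, seen in field_layouts(log_text).items() if len(seen) > 1)

if __name__ == "__main__":
    for rec_type in inconsistent_types(SAMPLE_LOG):
        print(f"type={rec_type} has more than one field layout:")
        for layout in sorted(field_layouts(SAMPLE_LOG)[rec_type]):
            print("   ", " ".join(layout))
```

On the sample, the two `CWD` records share one layout, while `AVC` is flagged because the third record carries a different set of fields from the first two.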