8
 1 Time(s): audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"

 1 Time(s): audit: type=1400 audit(1473854574.089:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"

 1 Time(s): audit: type=1400 audit(1473854574.089:115): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"

Should I be worried?

I'm running Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-36-generic x86_64)

waltinator
  • 37,856
boozedog
  • 103

3 Answers

8

First, it means that you should read man -k apparmor, and the man pages.

Second, the apparmor="STATUS" shows that this is a Status report, reporting on a "profile_replace" operation, replacing the current apparmor profile with the profile="unconfined" profile, on behalf of name="/usr/lib/cups/backend/cups-pdf" pid=31430, name="/usr/sbin/cupsd" pid=31430 and name="/usr/sbin/cupsd" pid=31430, using the apparmor_parser (see man apparmor_parser) command.

In English, this is CUPS - Common Unix Printing System telling AppArmor it wants to execute in the old, "unconfined", "AppArmor don't bother me", mode used by programs that have not adapted to life with AppArmor, yet.

For more information about AppArmor, see "What Is AppArmor?" https://askubuntu.com/questions/236381/what-is-apparmor?rq=1

You do not need to be worried, but a certain level of concern is always appropriate.

waltinator
  • 37,856
0

I would beg to differ with waltinator's answer. If a process could say to apparmor "leave me alone" there would not be much point to apparmor would there?

I have read the manual pages and welcome a citation that applies.

Any time I type "sudo service mysql restart" I see a similar message in syslog... time kernel: audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=5014 comm="apparmor_parser"

If I then type "sudo aa-status" I see that mysql is in the list "nn processes are in enforce mode" 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.

So I think this rather confusing message is just apparmor saying... I just found a process matching profile="unconfined" and I am going to perform operation="profile_replace".

These messages also appear when the PC is rebooted, presumably for the same reason: apparmor loads first, then as other processes load it confines them.

Also please note if you restart apparmor then all confined processes currently running will be unconfined. Use "sudo service apparmor reload" or reboot after making any apparmor configuration changes.

Matt
  • 149
0

Summary

These messages indicate that the AppArmor subsystem is (re)loading profile(s) that define the AppArmor security policy. This happens normally during system startup, or if you restart the apparmor.service unit.

They do not indicate something being allowed or denied by AppArmor. They indicate the policy (which defines the rules for allow/deny) has been (re)loaded.

Gory Details

Audit Leader

audit: type=1400 audit(1473854574.089:114):

The audit: prefix means it is coming from the kernel's audit subsystem, which is used by both SELinux and AppArmor. In the context of computer security, "auditing" usually means "logging". (Because logs allow things that happen on a system to be audited. The terminology is overloaded.)

type=1400 is the event type code. 1400 is AUDIT_AVC, "SE Linux avc denial or grant". While AppArmor works to replace SELinux as far as the operator-facing portions are concerned, it is implemented on top of some of the SELinux primitives. As a result, most/all AppArmor messages get logged using this code.

audit(1473854574.089:114) provides a timestamp and an event ID.

The timestamp uses the standard Unix format of "seconds since 1970 January 01 at 00:00:00 UTC". You can decode it with the GNU date(1) utility. For example:

$ date -d '@1473854574.089'
Wed Sep 14 08:02:54 EDT 2016

The event ID is basically just a sequence number, starting at one (not zero) at system boot. It is allegedly possible for multiple log lines to reference the same event ID, if they are all part of the same transaction.

AppArmor Leader

apparmor="STATUS" operation="profile_replace"

apparmor=STATUS indicates this is an AppArmor message (as opposed to a proper SELinux message). The type of AppArmor message here is a status report, i.e., something about the AppArmor system as a whole -- and not about a permissions decision. Those get logged with ALLOWED or DENIED.

operation indicates the operation that triggered the AppArmor audit log message. profile_replace means that a profile definition in the kernel is being replaced with a new one. For normal operations, these are things like open or write.

AppArmor Entities

profile="unconfined" name="/usr/lib/cups/backend/cups-pdf"

An AppArmor profile is a set of rules that get applied in particular circumstances. profile=unconfined means the process that triggered this event is not confined by any AppArmor profile. No profile applies. No AppArmor rules apply. This makes sense, since most restrictions would block a profile_reload.

name tells us the name of the object associated with this event. Here, object is used in the grammatical sense: This is the thing being acted upon. Since this is a profile_replace operation, this is the profile being replaced.

AppArmor profiles are traditionally named using the full path of the executable. When looking for the profile definition file, slashes (/) get replaced with dots (.). So the corresponding profile is /etc/apparmor.d/usr.lib.cups.backend.cups-pdf.

Process Details

pid=31430 comm="apparmor_parser"

Process ID 31430 performed the profile_replace operation. The name of the command associated with that process was apparmor_parser. apparmor_parser is the name of the program that loads AppArmor profiles into the kernel.

References

https://manpages.ubuntu.com/manpages/en/man7/apparmor.7.html

https://manpages.ubuntu.com/manpages/en/man5/apparmor.d.5.html

https://manpages.ubuntu.com/manpages/en/man8/apparmor_parser.8.html

https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h

https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv

https://wiki.ubuntu.com/DebuggingApparmor#Debugging_procedure

https://wiki.debian.org/AppArmor/HowToUse#Diagnose_if_a_bug_might_have_been_caused_by_AppArmor

Ben Scott
  • 101
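The field breakdown in the answer above (audit leader, AppArmor leader, entities, process details) translates directly into a small log parser. The following is an added example, not code from any of the posters or from the AppArmor project: it parses the record format described above, decodes the timestamp, separates STATUS records (policy loads, the case in the question) from ALLOWED/DENIED access decisions, and derives the conventional /etc/apparmor.d profile file name from the executable path. The two STATUS lines are copied from the question; the DENIED line and its paths are constructed for illustration, and the regular expressions are this example's own assumptions about the line layout rather than anything the audit subsystem guarantees.

```python
import re
from datetime import datetime, timezone

# Event type code used for AppArmor/SELinux AVC records (AUDIT_AVC in linux/audit.h).
AUDIT_AVC = 1400

# Sample input: the first two lines are from the question; the DENIED line is
# constructed for this example and is not a real capture.
SAMPLE_LOG = """\
audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"
audit: type=1400 audit(1473854574.089:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"
audit: type=1400 audit(1473854600.500:120): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/home/user/private.txt" pid=31500 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
"""

# Audit leader: "audit: type=NNNN audit(SECONDS.MSEC:SERIAL): <key=value ...>"
# (assumed layout, matching the lines in the question)
LEADER_RE = re.compile(
    r'audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# Body fields are either key="quoted value" or key=bare_value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return a dict of the record's fields, or None if the line is not an audit record."""
    m = LEADER_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in KV_RE.findall(m.group('body'))}
    seconds = float(m.group('ts'))  # seconds since the Unix epoch, as the answer describes
    return {
        'type': int(m.group('type')),
        'timestamp': datetime.fromtimestamp(seconds, tz=timezone.utc),
        'serial': int(m.group('serial')),
        **fields,
    }


def classify(event):
    """STATUS records are policy (re)loads; ALLOWED/DENIED/AUDIT records are access decisions."""
    kind = event.get('apparmor')
    if kind == 'STATUS':
        return 'policy'
    if kind in ('ALLOWED', 'DENIED', 'AUDIT'):
        return 'decision'
    return 'other'


def profile_file(executable):
    """Conventional profile file for an executable: leading '/' dropped, remaining '/' -> '.'."""
    return '/etc/apparmor.d/' + executable.lstrip('/').replace('/', '.')


def triage(log_text):
    """Parse every line and split policy (re)loads from denials that merit a closer look."""
    policy_loads, denials = [], []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or ev['type'] != AUDIT_AVC:
            continue  # not an AVC record; ignore for this purpose
        if classify(ev) == 'policy':
            policy_loads.append(ev)
        elif ev.get('apparmor') == 'DENIED':
            denials.append(ev)
    return policy_loads, denials


if __name__ == '__main__':
    loads, denied = triage(SAMPLE_LOG)
    for ev in loads:
        print(f"{ev['timestamp']:%Y-%m-%d %H:%M:%S} UTC  policy load: {ev['operation']} "
              f"{ev['name']} (profile file {profile_file(ev['name'])}) "
              f"by {ev['comm']} pid={ev['pid']}")
    for ev in denied:
        print(f"{ev['timestamp']:%Y-%m-%d %H:%M:%S} UTC  DENIED {ev['operation']} on {ev['name']} "
              f"under profile {ev['profile']} (mask {ev['denied_mask']}) pid={ev['pid']}")
```

Run against a real syslog or journal extract, the STATUS records in the question land in the "policy load" bucket and only DENIED records are surfaced for review, which is the distinction the answer draws between the policy being loaded and a decision being made under it.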