AppArmor audit logs ... what does this mean?
First, it means that you should read man -k apparmor, and the man pages.
Second, the apparmor="STATUS" shows that this is a Status report, reporting on a "profile_replace" operation, replacing the current apparmor profile with the profile="unconfined" profile, on behalf of name="/usr/lib/cups/backend/cups-pdf" pid=31430, name="/usr/sbin/cupsd" pid=31430 and name="/usr/sbin/cupsd" pid=31430, using the apparmor_parser (see man apparmor_parser) command.
In English, this is CUPS - Common Unix Printing System telling AppArmor it wants to execute in the old, "unconfined", "AppArmor don't bother me", mode used by programs that have not adapted to life with AppArmor, yet.
For more information about AppArmor, see "What Is AppArmor?" https://askubuntu.com/questions/236381/what-is-apparmor?rq=1
You do not need to be worried, but a certain level of concern is always appropriate.
boozedog
Updated on September 18, 2022
Comments
-
boozedog over 1 year
1 Time(s): audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"
1 Time(s): audit: type=1400 audit(1473854574.089:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"
1 Time(s): audit: type=1400 audit(1473854574.089:115): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"
Should I be worried?
I'm running Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-36-generic x86_64)
-
Mark A over 7 years
For us, this was a hack attempt. He got unprivileged access to mysql via this account.
-
-
boozedog over 7 years
Thanks for your response. Sounds like the version of CUPS that ships with 14.04.5 is not AppArmor friendly. I don't do any printing on this machine so I'll just uninstall it.
-
sarnold over 3 years
The profile="unconfined" part simply means the apparmor_parser process wasn't itself confined.
-
goo over 2 years
Consider how one would distribute a new security tool that will kill a process if it breaks the Rules, but lets/requires developers (for each package) to provide the Rules. The "unconfined" profile lets developers who haven't provided Rules, or gotten their package to "work" with apparmor, get along for now. In the fullness of time, "unconfined" will go away, apparmor will Rule the World. And nothing will work.
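
The records from the question, split field by field and sorted into policy changes versus denials, as an added example that is not part of the original thread. It follows sarnold's reading of profile= above; the DENIED record and the function names parse, classify and triage are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed input: the three records from the question, plus one constructed
# DENIED record (not from the page) for contrast.
SAMPLE = [
    '1 Time(s): audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"',
    '1 Time(s): audit: type=1400 audit(1473854574.089:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"',
    '1 Time(s): audit: type=1400 audit(1473854574.089:115): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"',
    'audit: type=1400 audit(1473854600.000:120): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=31500 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Header as it appears in the kernel-log form quoted on this page.
HEAD = re.compile(r'type=(\d+) audit\((\d+)\.\d+:(\d+)\):')
# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one AppArmor audit record into a dict; None if it is not one."""
    head = HEAD.search(line)
    if head is None:
        return None
    rec = {"type": int(head.group(1)),
           "time": datetime.fromtimestamp(int(head.group(2)), tz=timezone.utc),
           "serial": int(head.group(3))}
    for key, quoted, bare in PAIR.findall(line[head.end():]):
        rec[key] = bare if bare else quoted
    return rec

def classify(rec):
    """Return (category, subject, confinement of the acting process)."""
    kind, op = rec.get("apparmor"), rec.get("operation", "")
    if kind == "STATUS" and op.startswith("profile_"):
        # name= is the profile being loaded or replaced; profile= describes the
        # process doing it (comm=), here an unconfined apparmor_parser.
        return ("policy_change", rec.get("name"), rec.get("profile"))
    if kind == "DENIED":
        # profile= is the profile that blocked the access; name= is the object.
        return ("denial", rec.get("name"), rec.get("profile"))
    return ("other", rec.get("name"), rec.get("profile"))

def triage(lines):
    """One (serial, category, subject, confinement) row per audit record."""
    recs = [r for r in map(parse, lines) if r is not None]
    return [(r["serial"],) + classify(r) for r in recs]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
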