On 2/6/25 05:33, Troels Arvin wrote:
Hello,
On some Ubuntu 22 and 24 systems, syslog is being cluttered with messages like
this which is completely uninteresting:
Feb 05 16:17:01 myhost.example.com audit[353829]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd"
name="/proc/420747/cmdline" pid=353829 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I would certainly like to know about DENIED events, but how can I have
apparmor/audit stop logging about ALLOWED events?
At the moment there is NOT a global auditing control, like "quiet_denied". The
"quiet" control will do it, but also stop logging of DENIED.
So the only way to stop ALLOWED events is to stop generating them by either
enforcing the profile
aa-enforce ...
or
removing the complain flag and reloading the profile.
or unloading the profile.
