
28-Jan-2008, 04:01 AM
Re: About Apparmor's audit log format
Thanks, I'll take a look
Originally Posted by crispin
The difference between the null-complain-profile and an actual named profile depends on whether and how you are using learning mode.
If you start with "genprof someprogram" then that program may execute children. AppArmor doesn't know whether the children will be executed with Px, ix, ux etc. so it runs the child in the null-complain-profile, which complains about everything. This allows genprof to later go and collect all these events and apply them to the profiles you are creating in an appropriate way, depending on how you chose to grant the execute permissions.
On the other hand, if the parent program itself is in learning mode, not spawned from a learning mode parent, then it will log the actual profile being used. This can happen because the program is the start of the learning mode, or it can happen because it was a child program that already had Px permission to execute, which causes AppArmor to apply the explicit profile rather than using the null-complain-profile.
What are you analyzing the AppArmor logs for? The AppArmor logprof tool analyzes the log for you for the purpose of generating AppArmor profiles, but I can see other purposes, such as log scraping to feed events into distributed SIM (Security Incident Management) systems.
If you would like technical assistance with your project, Mercenarylinux is a professional consulting company with expertise specifically in AppArmor. We are a big chunk of the team that originally built AppArmor, and would like to offer our services to customers with sophisticated AppArmor needs.
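As an added example that is not part of the thread, here is a small log-scraping parser that buckets AppArmor audit events the way the quoted reply describes: events logged under the null-complain-profile (children spawned by a learning-mode parent), events logged under the named profile of the learning-mode program itself, and enforce-mode denials. The sample lines are constructed in the newer AVC-style audit format, and the bucket names and paths are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines (AVC-style AppArmor format); not taken from the post.
# Lines 1-2: the learning-mode program itself, logged under its named profile.
# Lines 3-4: the child "sh" it executed, which AppArmor runs in null-complain-profile.
# Line 5:   an unrelated enforce-mode profile rejecting an access.
SAMPLE_LOG = """\
type=AVC msg=audit(1201500000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/someprogram" name="/etc/someprogram.conf" pid=4201 comm="someprogram" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1201500000.102:12): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/someprogram" name="/bin/sh" pid=4202 comm="someprogram" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1201500000.103:13): apparmor="ALLOWED" operation="open" profile="null-complain-profile" name="/etc/passwd" pid=4202 comm="sh" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1201500000.104:14): apparmor="ALLOWED" operation="open" profile="null-complain-profile" name="/tmp/out" pid=4202 comm="sh" requested_mask="w" denied_mask="w"
type=AVC msg=audit(1201500000.105:15): apparmor="DENIED" operation="open" profile="/usr/sbin/enforced" name="/etc/shadow" pid=4300 comm="enforced" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one audit line into a dict of field -> value, quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def classify(event):
    """Bucket an event as the post explains: null-complain-profile means a child
    spawned from a learning-mode parent; a named profile with ALLOWED means the
    learning-mode program itself; DENIED means an enforce-mode rejection."""
    if event.get("apparmor") == "DENIED":
        return "enforce_denied"
    if event.get("profile") == "null-complain-profile":
        return "child_unconfined_learning"
    return "learning_named_profile"


def summarize(log_text):
    """Count events per bucket and collect, per (profile, comm), the
    (operation, path, mask) tuples: the shape a SIM feed or profile
    generator would consume."""
    summary = defaultdict(lambda: defaultdict(set))
    counts = Counter()
    for raw in log_text.splitlines():
        if 'apparmor="' not in raw:          # skip blank / non-AppArmor lines
            continue
        ev = parse_line(raw)
        bucket = classify(ev)
        counts[bucket] += 1
        key = (ev.get("profile"), ev.get("comm"))
        summary[bucket][key].add((ev.get("operation"), ev.get("name"), ev.get("denied_mask")))
    return counts, summary
```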