From e158fbc834ecf4628cae5e8d2b7cf9d68660fca9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cerm=C3=A1k?=
Date: Thu, 20 Feb 2025 17:45:23 +0100
Subject: [PATCH] Use auditd to process AppArmor/audit logs (#3885)
Use auditd so logs from AppArmor and other audit events are processed by that instead of printed to the Systemd journal. This will reduce the log spam from BPF usually present in host logs and still preserve the audit logs for debugging. The default configs seems to be sane for our purpose, rotating up to 5 files of 8MiB each. The difference is that /var/log/audit will be now on tmpfs but given how AppArmor is used on typical HA setup, we don't need to preserve the logs over reboots.
---
 buildroot-external/configs/generic_aarch64_defconfig | 1 +
 buildroot-external/configs/generic_x86_64_defconfig | 1 +
 buildroot-external/configs/green_defconfig | 1 +
 buildroot-external/configs/khadas_vim3_defconfig | 1 +
 buildroot-external/configs/odroid_c2_defconfig | 1 +
 buildroot-external/configs/odroid_c4_defconfig | 1 +
 buildroot-external/configs/odroid_m1_defconfig | 1 +
 buildroot-external/configs/odroid_m1s_defconfig | 1 +
 buildroot-external/configs/odroid_n2_defconfig | 1 +
 buildroot-external/configs/odroid_xu4_defconfig | 1 +
 buildroot-external/configs/ova_defconfig | 1 +
 buildroot-external/configs/rpi2_defconfig | 1 +
 buildroot-external/configs/rpi3_64_defconfig | 1 +
 buildroot-external/configs/rpi3_defconfig | 1 +
 buildroot-external/configs/rpi4_64_defconfig | 1 +
 buildroot-external/configs/rpi4_defconfig | 1 +
 buildroot-external/configs/rpi5_64_defconfig | 1 +
 buildroot-external/configs/tinker_defconfig | 1 +
 buildroot-external/configs/yellow_defconfig | 1 +
 19 files changed, 19 insertions(+)
diff --git a/buildroot-external/configs/generic_aarch64_defconfig b/buildroot-external/configs/generic_aarch64_defconfig
index b0da2d702..500c82d27 100644
--- a/buildroot-external/configs/generic_aarch64_defconfig
+++ b/buildroot-external/configs/generic_aarch64_defconfig
@@ -135,6 +135,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_OPENVMTOOLS=y
diff --git a/buildroot-external/configs/generic_x86_64_defconfig b/buildroot-external/configs/generic_x86_64_defconfig
index 3858ae417..4a39b2af4 100644
--- a/buildroot-external/configs/generic_x86_64_defconfig
+++ b/buildroot-external/configs/generic_x86_64_defconfig
@@ -135,6 +135,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_OPENVMTOOLS=y
diff --git a/buildroot-external/configs/green_defconfig b/buildroot-external/configs/green_defconfig
index 93d3fa42d..387ce5e03 100755
--- a/buildroot-external/configs/green_defconfig
+++ b/buildroot-external/configs/green_defconfig
@@ -114,6 +114,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/khadas_vim3_defconfig b/buildroot-external/configs/khadas_vim3_defconfig
index fb6cc313d..2ce2290bd 100644
--- a/buildroot-external/configs/khadas_vim3_defconfig
+++ b/buildroot-external/configs/khadas_vim3_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/odroid_c2_defconfig b/buildroot-external/configs/odroid_c2_defconfig
index dc813a024..5f6965c5d 100644
--- a/buildroot-external/configs/odroid_c2_defconfig
+++ b/buildroot-external/configs/odroid_c2_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/odroid_c4_defconfig b/buildroot-external/configs/odroid_c4_defconfig
index fe6529185..56f4e6ffd 100644
--- a/buildroot-external/configs/odroid_c4_defconfig
+++ b/buildroot-external/configs/odroid_c4_defconfig
@@ -107,6 +107,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/odroid_m1_defconfig b/buildroot-external/configs/odroid_m1_defconfig
index 8f371d994..80fdbd18e 100644
--- a/buildroot-external/configs/odroid_m1_defconfig
+++ b/buildroot-external/configs/odroid_m1_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/odroid_m1s_defconfig b/buildroot-external/configs/odroid_m1s_defconfig
index db1753d04..784cd1a2c 100644
--- a/buildroot-external/configs/odroid_m1s_defconfig
+++ b/buildroot-external/configs/odroid_m1s_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/odroid_n2_defconfig b/buildroot-external/configs/odroid_n2_defconfig
index 7e1e4fa7a..56948a739 100644
--- a/buildroot-external/configs/odroid_n2_defconfig
+++ b/buildroot-external/configs/odroid_n2_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/odroid_xu4_defconfig b/buildroot-external/configs/odroid_xu4_defconfig
index 0470c56d3..5e7c86c40 100644
--- a/buildroot-external/configs/odroid_xu4_defconfig
+++ b/buildroot-external/configs/odroid_xu4_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/ova_defconfig b/buildroot-external/configs/ova_defconfig
index 9fd566a5e..1d9fa5054 100644
--- a/buildroot-external/configs/ova_defconfig
+++ b/buildroot-external/configs/ova_defconfig
@@ -138,6 +138,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_OPENVMTOOLS=y
diff --git a/buildroot-external/configs/rpi2_defconfig b/buildroot-external/configs/rpi2_defconfig
index 915ebfaca..12adedc26 100644
--- a/buildroot-external/configs/rpi2_defconfig
+++ b/buildroot-external/configs/rpi2_defconfig
@@ -112,6 +112,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/rpi3_64_defconfig b/buildroot-external/configs/rpi3_64_defconfig
index 115f7566d..c7cfd2010 100644
--- a/buildroot-external/configs/rpi3_64_defconfig
+++ b/buildroot-external/configs/rpi3_64_defconfig
@@ -113,6 +113,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/rpi3_defconfig b/buildroot-external/configs/rpi3_defconfig
index 819059efb..3a28f03d6 100644
--- a/buildroot-external/configs/rpi3_defconfig
+++ b/buildroot-external/configs/rpi3_defconfig
@@ -114,6 +114,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/rpi4_64_defconfig b/buildroot-external/configs/rpi4_64_defconfig
index 2d34620b0..8ea001323 100644
--- a/buildroot-external/configs/rpi4_64_defconfig
+++ b/buildroot-external/configs/rpi4_64_defconfig
@@ -114,6 +114,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/rpi4_defconfig b/buildroot-external/configs/rpi4_defconfig
index 02ccb4b0a..6604d9718 100644
--- a/buildroot-external/configs/rpi4_defconfig
+++ b/buildroot-external/configs/rpi4_defconfig
@@ -113,6 +113,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/rpi5_64_defconfig b/buildroot-external/configs/rpi5_64_defconfig
index 0359f82b4..6eb9fc6a5 100644
--- a/buildroot-external/configs/rpi5_64_defconfig
+++ b/buildroot-external/configs/rpi5_64_defconfig
@@ -112,6 +112,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/tinker_defconfig b/buildroot-external/configs/tinker_defconfig
index 09b06215c..09873b6bb 100644
--- a/buildroot-external/configs/tinker_defconfig
+++ b/buildroot-external/configs/tinker_defconfig
@@ -109,6 +109,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
diff --git a/buildroot-external/configs/yellow_defconfig b/buildroot-external/configs/yellow_defconfig
index 7e5f258fc..770b97e63 100644
--- a/buildroot-external/configs/yellow_defconfig
+++ b/buildroot-external/configs/yellow_defconfig
@@ -116,6 +116,7 @@ BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION=y
 BR2_PACKAGE_APPARMOR=y
 BR2_PACKAGE_APPARMOR_PROFILES=y
 BR2_PACKAGE_TINI=y
+BR2_PACKAGE_AUDIT=y
 BR2_PACKAGE_DOCKER_CLI=y
 BR2_PACKAGE_DOCKER_ENGINE=y
 BR2_PACKAGE_PROCPS_NG=y
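Review bot: The added `BR2_PACKAGE_AUDIT=y` line, identical in all 19 defconfig hunks of this patch, only selects the package; nothing visible here pins an `auditd.conf`, so the retention the description relies on (5 files of 8 MiB) appears to rest on package defaults that a later audit version bump could change silently. Consider shipping an explicit `auditd.conf` in the rootfs overlay with `num_logs = 5` and `max_log_file = 8` so the limits are reviewable in this repository. With /var/log/audit on tmpfs, as the description states, that budget is up to roughly 40 MiB of RAM on the smaller boards (for example `rpi2_defconfig`), and AppArmor denial history is gone after a reboot. It would help to record that trade-off in the OS documentation so nobody expects audit records to survive a crash or power cycle during incident review.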