ausearch does not find messages of type AVC

[vam67423]

When searching the audit logs for messages using type=AVC, ausearch returns nothing even if the audit.log file does contain those entries:

$ ausearch -m AVC
<no matches>

$ cat /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1707163426.971:4088): apparmor="ALLOWED" operation="open" class="file" profile=....

This makes the audit framework quite difficult to use, especially in combination with tools like apparmor/SELinux. While the logs are still present, users would expect to find them with ausearch.

Audit Version: 4.0-1
Linux Kernel: 6.7.3

[stevegrubb]

If the event is malformed, it is skipped. You can use --debug to see the malformed events. An event is malformed if searchable fields are not in the right order or missing.

[vam67423]

I can confirm that AVC type logs created by apparmor version 3.1.6 are all marked as malformed events.

The malformed events would be an issue with apparmor I suppose?

[stevegrubb]

Yes. If they are going to emit an access decision as an AVC, it has to exactly follow the format of an SE Linux AVC. The AppArmor kernel developers were given the AUDIT type block from 1500 to 1599 a long time ago so that they can format their events any way they wish. The AVC they are using is type number 1400. They should really define AUDIT_AA_DECISION 1500 (or whatever makes sense to AppArmor) and then use that.

[stevegrubb]

Thanks for the report. I don't think there's anything here for us to do. I hope this was reported to the distribution with the malformed events. Closing this.