ausearch does not find messages of type AVC
When searching the audit logs for messages using type=AVC, ausearch returns nothing even though the audit.log file does contain those entries:
$ ausearch -m AVC
<no matches>
$ cat /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1707163426.971:4088): apparmor="ALLOWED" operation="open" class="file" profile=....
This makes the audit framework quite difficult to use, especially in combination with tools like apparmor/SELinux. While the logs are still present, users would expect to find them with ausearch.
Audit Version: 4.0-1
Linux Kernel: 6.7.3
If the event is malformed, it is skipped. You can use --debug to see the malformed events. An event is malformed if searchable fields are not in the right order or missing.
I can confirm that AVC type logs created by apparmor version 3.1.6 are all marked as malformed events.
The malformed events would be an issue with apparmor I suppose?
Yes. If they are going to emit an access decision as an AVC, it has to exactly follow the format of an SE Linux AVC. The AppArmor kernel developers were given the AUDIT type block from 1500 to 1599 a long time ago so that they can format their events any way they wish. The AVC they are using is type number 1400. They should really define AUDIT_AA_DECISION 1500 (or whatever makes sense to AppArmor) and then use that.
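Until AppArmor moves its decision records out of the type-1400 AVC slot, the records are still in audit.log and can be pulled out with an ordinary parser. The script below is an added example written for this thread; it is not part of audit-userspace or AppArmor. It parses constructed audit.log lines (the sample records are made up, with the fields the report elides filled in with plausible AppArmor keys), tells an AppArmor-style AVC (body starts with `apparmor=`) apart from an SELinux-style one (body starts with `avc:`), and offers a small field-based search as a stand-in for the `ausearch -m AVC` query that currently skips the AppArmor records. Function and variable names are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log content (not from a real system): one
# AppArmor AVC as described in the report, one SELinux-style AVC, one
# unrelated SYSCALL record, and one line that is not an audit record.
SAMPLE_LOG = """\
type=AVC msg=audit(1707163426.971:4088): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1707163427.105:4089): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1707163427.105:4089): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
this line is not an audit record
"""

# type=<TYPE> msg=audit(<epoch.millis>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# key=value pairs; values may be double-quoted (quotes are stripped).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def flavor_of(body):
    """Classify an AVC body by the marker ausearch keys on."""
    if body.startswith("avc:"):
        return "selinux"      # SELinux layout: 'avc:  denied  { perms } for ...'
    if body.startswith("apparmor="):
        return "apparmor"     # AppArmor layout: 'apparmor="..." operation="..." ...'
    return "unknown"


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    ts = float(m.group("ts"))
    rec = {
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(body)},
    }
    if rec["type"] == "AVC":
        rec["flavor"] = flavor_of(body)
    return rec


def parse_log(text):
    """Parse every record in a log; non-record lines are dropped."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def search_avc(text, flavor=None, **wanted):
    """Return AVC records whose fields match every key=value in `wanted`.

    Stand-in for `ausearch -m AVC` that also returns the AppArmor records
    ausearch currently treats as malformed, e.g.
        search_avc(log, profile="/usr/sbin/nginx")
        search_avc(log, apparmor="ALLOWED")
    """
    hits = []
    for rec in parse_log(text):
        if rec["type"] != "AVC":
            continue
        if flavor is not None and rec["flavor"] != flavor:
            continue
        if all(rec["fields"].get(k) == v for k, v in wanted.items()):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in search_avc(SAMPLE_LOG):
        f = rec["fields"]
        print(f'{rec["time"]} serial={rec["serial"]} flavor={rec["flavor"]} '
              f'{f.get("apparmor") or "denied"} {f.get("operation") or f.get("tclass")} '
              f'pid={f.get("pid")} comm={f.get("comm")}')
```

Run it against a real file with `search_avc(open("/var/log/audit/audit.log").read(), flavor="apparmor")`; the `flavor` field is exactly the split Steve describes, since a body that starts with `avc:` follows the SELinux AVC layout and a body that starts with `apparmor=` is what AppArmor emits under the same type 1400.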