FS#60870 - [audit] ausearch does not support AppArmor entries
Attached to Project:
Arch Linux
Opened by Maciek Borzecki (bboozzoo) - Tuesday, 20 November 2018, 10:04 GMT
Last edited by David Runge (dvzrv) - Saturday, 02 September 2023, 13:38 GMT
Details
Description:
Using ausearch -m AVC does not list AppArmor related audit logs. Running with --debug, ausearch reports AppArmor events are malformed.

Additional info:
* package versions: apparmor 2.13.1-3, audit 2.8.4-2
* default audit config

Steps to reproduce:
* cause AppArmor denial
* ausearch -m AVC does not list the denial
* ausearch -m AVC --debug lists AppArmor denials, eg:

$ ausearch -ts today --debug
time->Tue Nov 20 07:06:20 2018
type=SERVICE_STOP msg=audit(1542693980.189:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-coredump@7-25644-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Malformed event skipped, rc=9.
type=AVC msg=audit(1542697043.919:310): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3261 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Malformed event skipped, rc=9.
type=AVC msg=audit(1542697046.866:311): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3285 comm="evil" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
This task depends upon
Closed by David Runge (dvzrv)
Saturday, 02 September 2023, 13:38 GMT
Reason for closing: No response
Let me know if I can be of any help.
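Since ausearch skips these records as malformed, a practitioner who needs the AppArmor denials out of audit.log has to pull them with ordinary text tools. The following is an added example, not code from the bug report, from the audit project or from AppArmor: a POSIX shell function that reads audit-format lines on stdin, keeps only type=AVC records carrying apparmor="DENIED" (so SELinux-style AVC records are left alone), and prints the event id, profile, operation, object name and denied mask. The sample log embedded in the block is constructed from the two denials quoted in the report plus one made-up SELinux-style AVC line used only to show the filter distinguishes the two AVC flavours.

```shell
#!/bin/sh
# Added example (not part of the bug report or of audit/AppArmor).
# Filters AppArmor DENIED records out of audit.log-style input and prints
# one line per denial:  <seconds.millis:serial> <profile> <operation> <name> <denied_mask>
#
# Caveat: audit records are split on whitespace, so values the kernel
# hex-encodes (names containing spaces or control characters) arrive
# unquoted and are printed as-is, not decoded.
apparmor_denials() {
  awk '
    /^type=AVC / && /apparmor="DENIED"/ {
      ts = op = prof = name = mask = ""
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        gsub(/"/, "", val)            # strip the quotes around string values
        if (key == "msg") {           # msg=audit(<secs>.<ms>:<serial>):
          sub(/^audit\(/, "", val)
          sub(/\):$/, "", val)
          ts = val
        } else if (key == "operation") op = val
        else if (key == "profile")    prof = val
        else if (key == "name")       name = val
        else if (key == "denied_mask") mask = val
      }
      print ts, prof, op, name, mask
    }'
}

# Constructed sample input: the two denials from the report, the SERVICE_STOP
# record from the report, and one made-up SELinux-style AVC record that must
# NOT be reported because it has no apparmor= field.
SAMPLE_LOG='type=SERVICE_STOP msg=audit(1542693980.189:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='"'"'unit=systemd-coredump@7-25644-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'"'"'
type=AVC msg=audit(1542697043.919:310): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3261 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1542697046.866:311): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3285 comm="evil" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1542697050.000:312): avc:  denied  { read } for  pid=4242 comm="cat" name="shadow" dev="sda1" ino=1234 scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 tclass=file permissive=0'

# Runs the filter over the constructed sample; on a real host you would use
#   apparmor_denials < /var/log/audit/audit.log
demo() {
  printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
}

demo
```

The filter keys on `apparmor="DENIED"` rather than on `type=AVC` alone because the SELinux AVC records that ausearch does understand share the same type; the per-field loop makes the extraction independent of the order in which AppArmor emits its fields.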
You should trigger this discussion with the upstream author and convince them to have something like an #ifdef or similar that was already mentioned once.
We don't want to carry around feature-sensitive custom patches for all eternity; if you want to see this happen, we are going to need a good solution to be upstreamed that makes the author and AppArmor users both happy.
TLDR: please bring this upstream and trigger a solution there; the last one is 4 years old.
- https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1117804
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726