audit.log file that has the apparmor (AVC) entries that ausearch can't read.

This document (7015244) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

On a patched SLES11SP3 server running auditing, ausearch doesn't return any entries in audit.log for apparmor events, that are there. Here is an example of the entries:

type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

If I do a search a log that has these entries, I get the following results:

# ausearch -m AVC -if audit.log
<no matches>

However if I do a search in the same log for a different event--DAEMON_END--it
finds that:

# ausearch -m DAEMON_END -if audit.log
----
time->Tue Jan 28 12:26:56 2014
type=DAEMON_END msg=audit(1390937216.800:7163): auditd normal halt, sending
auid=9190 pid=8441 subj= res=success
----
time->Tue Jan 28 13:55:03 2014
type=DAEMON_END msg=audit(1390942503.158:3376): auditd normal halt, sending
auid=9190 pid=10393 subj= res=success
----

Resolution

Reported to engineering, solution pending....

Cause

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.