As an additional security measure, I installed AppArmor on my laptop and made AppArmor profiles for my web browsers.
Following AppArmor - ArchWiki, I had set up kernel support via /etc/default/grub and brought my system (Manjaro/Arch Linux) into this state:
# cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,apparmor,bpf
# aa-enabled
Yes
# for srv in auditd apparmor; do systemctl is-active $srv.service; done
active
active
After disabling all pre-installed profiles in /etc/apparmor.d, I made new ones for my browsers using “aa-genprof” and “aa-logprof” respectively. Both of them seem to work correctly.
But ausearch and aureport don’t show apparmor event entries (AVC).
# aureport --avc; ausearch -m AVC

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
<no events of interest were found>
<no matches>
Example entry:
# grep AVC /var/log/audit/audit.log |grep -v STATUS |tail -1 |cat -v
type=AVC msg=audit(1743841994.406:599): apparmor="ALLOWED" operation="unlink" class="file" profile="/usr/lib/firefox/firefox" name="/home/adrian/.mozilla/firefox/v8q5l2n1.default/handlers.json" pid=11306 comm="firefox" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000^]FSUID="adrian" OUID="adrian"
Please note that there is no blank between the fields ouid and FSUID, but some other character, shown by “cat -v” as “^]”!
And there is another phenomenon. The output of the “--debug” option of ausearch and aureport points out that all event entries of type AVC are malformed:
# ausearch --debug -i -m AVC 2>&1 |grep -v STATUS |grep AVC |tail -1 |cat -v
Malformed event skipped, rc=9. type=AVC msg=audit(1743841994.406:599): apparmor="ALLOWED" operation="unlink" class="file" profile="/usr/lib/firefox/firefox" name="/home/adrian/.mozilla/firefox/v8q5l2n1.default/handlers.json" pid=11306 comm="firefox" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
Replacing the unwanted character “^]” with sed didn’t help. What else could be wrong with the log file entries?
There are no auditd rules:
# auditctl -l
No rules
The cause could lie in the kernel component of the LSM or AppArmor. Or is something missing or wrong in my configuration? A couple of years ago I didn’t have problems with ausearch and AppArmor AVC entries on a SUSE server.