Source: linux
Version: 4.12.6-1
Severity: normal

Hi,

Currently the code in the kernel is not using the expected audit event ids (it's using the ones allocated to SELinux, 1400 to 1499) when it's logging its messages (denials, ...).

This has been discussed on linux-audit back in 2014 and again in 2016, but it seems that nothing has moved.

This makes ausearch and other audit tools not list these messages as they are seen as invalid.

Upstream of the audit framework insists that AppArmor should use event ids from the range that has been allocated to them (1500-1599).

AFAIKS, the AppArmor userspace is already supporting messaging from both ranges (would be nice if this was confirmed).

IMVHO, in regard to the recent proposal of enabling AppArmor in Debian by default, this needs to be addressed first.

Regards,

Laurent Bigonville

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
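Added example, not part of the original report: a small Python scanner that picks AppArmor records out of kernel log lines and tags each with the id range its event id falls in, using the two ranges quoted in the report. It assumes the numeric `type=NNNN audit(ts:serial):` form printed to the kernel log; the function names and all sample lines are constructed for illustration.

```python
import re

# Ranges exactly as stated in the report above.
SELINUX_IDS = range(1400, 1500)
APPARMOR_IDS = range(1500, 1600)

# Numeric record form in the kernel log: "audit: type=1400 audit(ts:serial): ..."
RECORD_RE = re.compile(r'type=(\d+)\s+audit\(([\d.]+):(\d+)\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def id_range(type_id):
    """Name the range an audit event id falls in."""
    if type_id in APPARMOR_IDS:
        return "apparmor-range"
    if type_id in SELINUX_IDS:
        return "selinux-range"
    return "other"

def apparmor_records(lines):
    """Return one dict per AppArmor record, tagged with the range of its event id."""
    found = []
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue  # not an audit record
        type_id, _ts, serial, body = m.groups()
        fields = {k: (q if q else u) for k, q, u in FIELD_RE.findall(body)}
        if "apparmor" not in fields:
            continue  # e.g. a genuine SELinux AVC record sharing the same id
        found.append({"type": int(type_id), "serial": int(serial),
                      "verdict": fields["apparmor"],
                      "profile": fields.get("profile"),
                      "range": id_range(int(type_id))})
    return found

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    'kernel: audit: type=1400 audit(1502964001.123:101): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/example" name="/etc/shadow" pid=4242 comm="example"',
    'kernel: audit: type=1400 audit(1502964002.456:102): avc:  denied  { read } for  '
    'pid=4243 comm="example" name="shadow"',
    'kernel: audit: type=1503 audit(1502964003.789:103): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/example" name="/etc/shadow" pid=4244 comm="example"',
    'kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd',
]

if __name__ == "__main__":
    for rec in apparmor_records(SAMPLE):
        print(rec["serial"], rec["type"], rec["range"], rec["verdict"], rec["profile"])
```

Records tagged `selinux-range` are the ones the report says audit tools treat as invalid, so this kind of direct scan is a way to account for them until the ids are changed.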