LinuxCommandLibrary

aa-decode

Decode AppArmor audit logs

TLDR

Decode a hex string

$ aa-decode [hexstring]

Decode a log file

$ sudo aa-decode [logfile]

Decode logs from standard input (e.g., a redirected file)

$ sudo aa-decode - < [logfile]

Display help

$ aa-decode [[-h|--help]]

SYNOPSIS

aa-decode [OPTIONS] [FILE...]

PARAMETERS

--help, -h
    Displays help information and exits.

--input <file>, -i <file>
    Specifies the input file to read audit messages from. If not specified, aa-decode reads from standard input (stdin).

--output <file>, -o <file>
    Specifies the output file to write decoded messages to. If not specified, output is written to standard output (stdout).

--debug, -d
    Enables debug mode, providing more detailed internal information for troubleshooting.

--verbose, -v
    Increases the verbosity of output messages.

--json, -j
    Outputs the decoded messages in JSON format, which can be useful for programmatic parsing.

DESCRIPTION

aa-decode is a utility from the AppArmor suite that decodes the compressed or encoded fields found in AppArmor audit messages in system logs (e.g., syslog or auditd logs). These fields are condensed to conserve space, which makes the raw entries hard to read directly. By piping log content to aa-decode or naming a log file, users turn the cryptic audit entries into readable text that shows the details of AppArmor policy violations, denials, and other security events. This makes the command crucial for system administrators and security analysts when debugging AppArmor behavior, responding to security incidents, and refining policy.

CAVEATS

aa-decode specifically decodes AppArmor's internal compressed/encoded audit messages. It will not decode general syslog entries or auditd records that are not AppArmor-specific. It is only useful in environments where AppArmor is active and generating such messages, and the input must be in the exact audit-message format for decoding to succeed.

USAGE EXAMPLE

To decode AppArmor messages from dmesg output:
dmesg | grep 'apparmor' | aa-decode

To decode from a specific log file:
aa-decode -i /var/log/audit/audit.log

INPUT FORMAT

aa-decode expects input messages that contain the AppArmor-specific encoding, typically found in audit records logged by the kernel. These often start with AUDIT_APPARMOR_... and contain a field such as apparmor="ENCODED_DATA".
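As an added illustration of the decoding step described above (this is not the aa-decode script itself), the following Python locates hex-encoded field values in an AppArmor audit line and rewrites them as quoted, readable text. The set of field keys it treats as hex-encoded and the sample log line are constructed assumptions; odd-length hex runs are left untouched and non-UTF-8 bytes are escaped rather than dropped.

```python
import re
from typing import Dict

# Keys whose values the audit layer is assumed to emit as an unquoted hex run
# when the string holds spaces, quotes or non-printable bytes (assumed list).
HEX_ENCODED_KEYS = ("name", "profile", "target", "comm")

# Match key=<even-length hex run> that is not quoted and ends at whitespace.
_HEX_FIELD = re.compile(
    r"\b(?P<key>" + "|".join(HEX_ENCODED_KEYS) + r")="
    r"(?P<hex>(?:[0-9A-Fa-f]{2})+)(?=\s|$)"
)

# Constructed sample: a denial whose name= value was hex-encoded because the
# path "/home/alice/my doc.pdf" contains a space.
SAMPLE_LINE = (
    'apparmor="DENIED" operation="open" profile="/usr/bin/evince" '
    "name=2F686F6D652F616C6963652F6D7920646F632E706466 pid=1234 "
    'comm="evince" requested_mask="r" denied_mask="r"'
)


def decode_hex_string(hexstring: str) -> str:
    """Decode one hex-encoded audit value; bytes that are not valid UTF-8
    are rendered as \\xNN escapes so the output stays printable."""
    return bytes.fromhex(hexstring).decode("utf-8", errors="backslashreplace")


def decoded_fields(line: str) -> Dict[str, str]:
    """Return only the hex-encoded fields of a line, mapped to decoded text."""
    return {
        m.group("key"): decode_hex_string(m.group("hex"))
        for m in _HEX_FIELD.finditer(line)
    }


def decode_audit_line(line: str) -> str:
    """Rewrite each hex-encoded field as key="decoded value"; other fields
    (quoted strings, decimal pid=, odd-length runs) are passed through."""
    def _sub(m):
        # Re-quote so a decoded value containing spaces stays one field.
        return f'{m.group("key")}="{decode_hex_string(m.group("hex"))}"'
    return _HEX_FIELD.sub(_sub, line)


if __name__ == "__main__":
    print(decode_audit_line(SAMPLE_LINE))
```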

HISTORY

aa-decode is an integral part of the AppArmor security framework, which was initially developed by Immunix and later acquired by Novell (now SUSE). Its primary role has remained consistent: to provide human-readable interpretations of AppArmor's concise audit log entries, aiding in system monitoring and policy refinement.

SEE ALSO

apparmor(7), aa-logprof(8), aa-status(8), auditd(8)
