Chapter 6. Managing Profiled Applications


6.1. Monitoring Your Secured Applications
6.2. Configuring Security Event Notification
6.3. Configuring Reports
6.4. Configuring and Using the AppArmor Desktop Monitor Applet
6.5. Reacting to Security Event Rejections
6.6. Maintaining Your Security Profiles

After creating profiles and immunizing your applications, openSUSE® becomes more efficient and better protected if you perform Novell® AppArmor profile maintenance. This involves analyzing log files, refining your profiles, backing up your set of profiles, and keeping it up to date. You can deal with these issues before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries by running the aa-logprof tool through YaST, and dealing with maintenance issues.

6.1. Monitoring Your Secured Applications

Applications that are confined by Novell AppArmor security profiles generate messages when they execute in unexpected ways or outside of their specified profile. These messages can be monitored by event notification, periodic report generation, or integration into a third-party reporting mechanism.
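As an illustration of feeding these messages into a third-party reporting mechanism, the following added example (not part of the original guide and not AppArmor's own code) counts reject events per profile. The log lines are constructed, and the `apparmor="DENIED"` key="value" audit record layout is an assumption that differs between AppArmor versions; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records (assumed layout, not taken from the guide).
# The last record carries a hex-encoded name, which the audit subsystem emits
# unquoted when a path contains spaces or other unsafe characters.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:210): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2311 comm="ntpd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000002.330:211): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2311 comm="ntpd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000003.420:212): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/tmp/scratch" pid=2400 comm="example" requested_mask="w" denied_mask="w"
type=SYSCALL msg=audit(1700000009.000:213): arch=c000003e syscall=2 success=yes exit=3 pid=999 comm="cron"
type=AVC msg=audit(1700000011.550:214): apparmor="DENIED" operation="mknod" profile="/usr/sbin/httpd2-prefork" name=2F746D702F6D792066696C65 pid=3120 comm="httpd2-prefork" requested_mask="c" denied_mask="c"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+\Z')        # whole value is hex bytes


def parse_event(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        # Unquoted string fields are hex-encoded; decode them for reporting.
        if bare and key in ("name", "profile", "comm") and HEX.match(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields if "apparmor" in fields else None


def rejects_by_profile(log_text):
    """Count DENIED (enforce-mode reject) events per profile, operation, path, mask."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        # "ALLOWED" records come from complain (learning) mode and are skipped.
        if ev and ev["apparmor"] == "DENIED":
            counts[(ev.get("profile"), ev.get("operation"),
                    ev.get("name"), ev.get("denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, name, mask), n in rejects_by_profile(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op} {name!r} mask={mask}")
```

Repeated rejects for the same profile and path collapse into one row with a count, which keeps a misbehaving application from flooding the report.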

For reporting and alerting, AppArmor uses a userspace daemon (/usr/sbin/aa-eventd). This daemon monitors log traffic, sends out notifications, and runs scheduled reports. It does not require any end user configuration. It is started automatically when security event notification is enabled through the YaST AppArmor Control Panel or when scheduled reports are configured in the YaST AppArmor Reports module.

Apart from transparently enabling and disabling aa-eventd with the YaST modules, you can manually toggle its status with the rcaaeventd init script. The AppArmor event daemon is not required for proper functioning of the profiling process (such as enforcement or learning). It is required only for reporting.

Find more details on security event notification in Section 6.2, "Configuring Security Event Notification" and on scheduled reports in Section 6.3, "Configuring Reports".

If you prefer a simple way of being notified of any AppArmor reject events that does not require you to check your e-mail or any log files, use the AppArmor Desktop Monitor applet that integrates into the GNOME desktop. Refer to Section 6.4, "Configuring and Using the AppArmor Desktop Monitor Applet" for details.