Chapter 4. Managing Profiled Applications

Contents

4.1. Monitoring Your Secured Applications
4.2. Setting Up Event Notification
4.3. Reports
4.4. Reacting to Security Events
4.5. Maintaining Your Security Profiles

After you create profiles and immunize your applications, SUSE Linux becomes more efficient and better protected if you perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. You can deal with these issues before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries by running the aa-logprof tool through YaST, and dealing with maintenance issues.

4.1. Monitoring Your Secured Applications

Applications that are confined by Novell AppArmor security profiles generate messages when applications execute in unexpected ways or outside of their specified profile. These messages can be monitored by event notification, periodic report generation, or integration into a third-party reporting mechanism.

For reporting and alerting, AppArmor uses a userspace daemon (/usr/sbin/aa-eventd). This daemon monitors log traffic, sends out notifications, and runs scheduled reports. It requires no end-user configuration and is started automatically when you enable security event notification through the YaST AppArmor Control Panel or configure scheduled reports in the YaST AppArmor Reports module.

Apart from transparently enabling and disabling aa-eventd via the YaST modules, you can manually toggle its status with the rcaaeventd init script. The AppArmor event daemon is not required for proper functioning of the profiling process (such as enforcement or learning). It is required only for reporting.

Find more details on security event notification in Section 4.2.2, “Configuring Security Event Notification” and on scheduled reports in Section 4.3, “Reports”.
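
The third-party reporting integration mentioned above can be sketched as follows. This is an added example, not part of the original guide and not aa-eventd's own code: it counts AppArmor denial records per profile so the totals can be fed to an external reporting tool. It assumes the key="value" audit record format written by current AppArmor releases (the format on your release may differ), and the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not from a real system). Assumed format: the
# key="value" audit records written by current AppArmor releases.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000001.101:210): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1526 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000002.250:211): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/tmp/cache" pid=1600 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000003.007:212): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1526 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1700000003.007:212): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1700000004.900:213): apparmor="DENIED" operation="exec" profile="/usr/sbin/httpd2-prefork" name="/bin/sh" pid=2201 comm="httpd2" requested_mask="x" denied_mask="x" fsuid=30 ouid=0
"""

# A field is key=value, where the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor event."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    return fields if "apparmor" in fields else None

def summarize(log_text):
    """Count DENIED events per profile and collect the distinct accesses denied."""
    counts = Counter()
    details = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["apparmor"] != "DENIED":
            continue  # skip other audit records and complain-mode (ALLOWED) events
        profile = rec.get("profile", "<unknown>")
        counts[profile] += 1
        details[profile].add(
            (rec.get("operation", "?"), rec.get("denied_mask", "?"), rec.get("name", "?"))
        )
    return counts, details

if __name__ == "__main__":
    counts, details = summarize(SAMPLE_LOG)
    for profile, total in counts.most_common():
        print(f"{profile}: {total} denied")
        for operation, mask, name in sorted(details[profile]):
            print(f"    {operation} {mask} {name}")
```

A profile that shows repeated denials for the same path is a candidate for review with aa-logprof, either to extend the profile or to investigate why the application attempted the access.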