Managing Profiled Applications

Contents

26.1. Monitoring Your Secured Applications
26.2. Configuring Security Event Notification
26.3. Configuring Reports
26.4. Configuring and Using the AppArmor Desktop Monitor Applet
26.5. Reacting to Security Event Rejections
26.6. Maintaining Your Security Profiles

After creating profiles and immunizing your applications, openSUSE® becomes more efficient and better protected, provided you perform Novell® AppArmor profile maintenance: analyzing log files, refining your profiles, backing up your set of profiles, and keeping it up-to-date. You can deal with these issues before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries by running the aa-logprof tool through YaST, and dealing with maintenance issues.

Monitoring Your Secured Applications

Applications that are confined by Novell AppArmor security profiles generate messages when they execute in unexpected ways or outside their specified profile. These messages can be monitored by event notification, periodic report generation, or integration into a third-party reporting mechanism.

For reporting and alerting, AppArmor uses a userspace daemon (/usr/sbin/aa-eventd). This daemon monitors log traffic, sends out notifications, and runs scheduled reports. It does not require any end-user configuration and is started automatically when you enable security event notification in the YaST AppArmor Control Panel or configure scheduled reports in the YaST AppArmor Reports module.

Apart from transparently enabling and disabling aa-eventd with the YaST modules, you can manually toggle its status with the rcaaeventd init script. The AppArmor event daemon is not required for proper functioning of the profiling process (such as enforcement or learning). It is required only for reporting.
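For the third-party reporting integration mentioned above, the following added example (not part of the original guide and not AppArmor's own code) reads AppArmor records directly from audit-style log lines and counts reject events per profile, path, and denied mask. The sample lines are constructed, the function names are hypothetical, and the exact record fields are an assumption because they vary between AppArmor versions.

```python
import re
from collections import Counter

# Constructed sample lines in audit-log style. The field set differs between
# AppArmor versions (assumption, not taken from the guide).
SAMPLE_LOG = '''\
type=AVC msg=audit(1300000000.101:210): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2101 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300000004.332:211): apparmor="ALLOWED" operation="open" profile="/usr/bin/man" name="/tmp/man.cache" pid=2144 comm="man" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=APPARMOR_DENIED msg=audit(1300000009.870:212): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/ntp.conf" pid=2101 profile="/usr/sbin/ntpd"
type=AVC msg=audit(1300000012.005:213): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2101 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1300000012.005:213): arch=c000003e syscall=2 success=no exit=-13 pid=2101 comm="ntpd"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Return a dict for an AppArmor record, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, epoch, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    if rtype.startswith('APPARMOR_'):
        # Older record style: the verdict is carried in the record type.
        fields.setdefault('apparmor', rtype[len('APPARMOR_'):])
    if 'apparmor' not in fields:
        return None  # audit record from another subsystem
    fields['time'] = int(epoch)
    fields['serial'] = int(serial)
    return fields

def rejects(lines):
    """Keep only enforced denials; complain-mode ALLOWED records are skipped."""
    return [e for e in map(parse_event, lines) if e and e['apparmor'] == 'DENIED']

def summarize(events):
    """Count rejects per (profile, path, denied mask), most frequent first."""
    keys = ((e.get('profile', '?'), e.get('name', '?'), e.get('denied_mask', '?'))
            for e in events)
    return Counter(keys).most_common()

if __name__ == '__main__':
    for (profile, name, mask), n in summarize(rejects(SAMPLE_LOG.splitlines())):
        print(f'{n:3d}  {profile}  {mask:<4} {name}')
```
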

Find more details on security event notification in Section 26.2, “Configuring Security Event Notification” and on scheduled reports in Section 26.3, “Configuring Reports”.

If you prefer a simple way of being notified of any AppArmor reject events that does not require you to check your e-mail or any log files, use the AppArmor Desktop Monitor applet that integrates into the GNOME desktop. Refer to Section 26.4, “Configuring and Using the AppArmor Desktop Monitor Applet” for details.