All AppArmor events are logged using the system's audit interface (the auditd
logging to /var/log/audit/audit.log). On top of this infrastructure, event
notification can be configured. Configure this feature using YaST. It is based
on severity levels according to /etc/apparmor/severity.db. Notification
frequency and type of notification (such as e-mail) can be configured.

If auditd is not running, AppArmor logs to the system log located under
/var/log/messages using the LOG_KERN facility.

Use YaST for generating reports in CSV or HTML format.

The Linux audit framework contains a dispatcher that can send AppArmor
events to any consumer application via dbus. The GNOME AppArmor Desktop
Monitor applet is one example of an application that gathers AppArmor events
via dbus. To configure audit to use the dbus dispatcher, just set the
dispatcher in your audit configuration in /etc/audit/auditd.conf to
apparmor-dbus and restart auditd:

dispatcher=/usr/bin/apparmor-dbus

Once the dbus dispatcher is configured correctly, add the AppArmor Desktop
Monitor to the GNOME panel. As soon as a REJECT event is logged, the applet's
panel icon changes appearance and you can click the applet to see the number
of reject events per confined application. To view the exact log messages,
refer to the audit log under /var/log/audit/audit.log. Use the YaST Update
Profile Wizard to adjust the respective profile.
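
The per-application reject count described above can also be produced directly from the logs. The following is an added example, not part of the original documentation: it tallies denied events per profile from lines in either audit.log or syslog form. It assumes the apparmor="DENIED" key=value record layout (the layout differs between AppArmor releases) and hex encoding of unquoted name, comm and profile values; all function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
STAMP = re.compile(r'audit\(\d+\.\d+:\d+\)')       # timestamp:serial of a record
HEX_KEYS = {"name", "comm", "profile"}             # assumption: hex when unquoted

def unhex(value):
    """Decode a hex-encoded audit string; return it unchanged if it is not hex."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_event(line):
    """Return the fields of an AppArmor record as a dict, or None for other lines."""
    stamp = STAMP.search(line)
    if stamp is None or "apparmor=" not in line:
        return None
    event = {"stamp": stamp.group(0)}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            event[key] = quoted
        else:
            event[key] = unhex(bare) if key in HEX_KEYS else bare
    return event

def denials_per_profile(lines):
    """Count DENIED events per profile, counting each audit record once."""
    seen, counts = set(), Counter()
    for line in lines:
        event = parse_event(line)
        if event is None or event.get("apparmor") != "DENIED":
            continue
        if event["stamp"] in seen:      # same record read from a second log file
            continue
        seen.add(event["stamp"])
        counts[event.get("profile", "<unknown>")] += 1
    return counts

# Constructed sample lines: audit.log form, kernel syslog form, and a non-AppArmor record.
SAMPLE = [
    'type=AVC msg=audit(1700000000.101:10): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=812 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1700000000.350:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/man" name="/etc/passwd" pid=901 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Nov 14 22:13:21 host kernel: [  321.5] audit: type=1400 audit(1700000001.200:12): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name=2F746D702F6120622E747874 pid=812 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'type=SYSCALL msg=audit(1700000001.200:12): arch=c000003e syscall=2 success=no exit=-13',
]

if __name__ == "__main__":
    for profile, n in denials_per_profile(SAMPLE).most_common():
        print(f"{n:4d}  {profile}")
```

To run it against real logs, pass the lines of /var/log/audit/audit.log (or /var/log/messages when auditd is not running) to denials_per_profile in place of SAMPLE.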