Configuring Security Event Notification

Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs. Activate it by selecting a notification frequency (receiving daily notification, for example). Enter an e-mail address, so you can be notified by e-mail when Novell AppArmor security events occur. Select one of the following notification types:

Terse

Terse notification summarizes the total number of system events without providing details. For example:

jupiter.example.com has had 41 security events since Mon Sep 10 14:53:16 2007.
Summary Notification

Summary notification displays the logged Novell AppArmor security events and lists the number of individual occurrences, including the date of the last occurrence. For example:

AppArmor: PERMITTING access to capability ’setgid’ (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct  9 16:05:54 2004.
Verbose Notification

Verbose notification displays unmodified, logged Novell AppArmor security events. It tells you every time an event occurs and writes a new line in the verbose log. These security events include the date and time the event occurred, when the application profile permits and rejects access, and the type of file permission access that is permitted or rejected. Verbose notification also reports several messages that the aa-logprof tool (see Section 5.6.3.5, “aa-logprof—Scanning the System Log”) uses to interpret profiles. For example:

type=APPARMOR_DENIED msg=audit(1189428793.218:2880):
      operation="file_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
[Note]

You must set up a mail server that can send outgoing mail using the SMTP protocol (for example, postfix or exim) for event notification to work.

  1. In the Enable Security Event Notification section of the AppArmor Configuration window, click Configure.

    Security event notification window
  2. In the Security Event Notification window, enable Terse, Summary, or Verbose event notification.

    1. In each applicable notification type section, enter the e-mail addresses of those who should receive notification in the field provided. If notification is enabled, you must enter an e-mail address. Separate multiple e-mail addresses with commas.

    2. For each notification type enabled, select the frequency of notification.

      Select a notification frequency from the following options:

      • Disabled

      • 1 minute

      • 5 minutes

      • 10 minutes

      • 15 minutes

      • 30 minutes

      • 1 hour

      • 1 day

      • 1 week

    3. For each selected notification type, select the lowest severity level for which a notification should be sent. Security events are logged and the notifications are sent at the time indicated by the interval when events are equal to or greater than the selected severity level. If the interval is 1 day, the notification is sent daily, if security events occur.

      [Note]Severity Levels

      Novell AppArmor sends out event messages for things that are in the severity database and above the level selected. Severity levels are numbered 1 through 10, with 10 being the most severe security incident. The /etc/severity.db file defines the severity level of potential security events. The severity levels are determined by the importance of different security events, such as certain resources accessed or services denied.

  3. Click OK.

  4. Click Done in the Novell AppArmor Configuration window.

  5. Click File+Quit in the YaST Control Center.

After configuring security event notification, read the reports and determine whether events require follow up. Follow up may include the procedures outlined in Section 7.5, “Reacting to Security Event Rejections”.