AppArmor provides the ability to audit given rules so that when they are matched an audit message will appear in the audit log. To enable audit messages for a given rule, the audit keyword is prepended to the rule:
audit /etc/foo/* rw,
If it is desirable to audit only a given permission, the rule can be split into two rules. The following example will result in audit messages when files are opened for writing, but not when they are opened for just reading:
audit /etc/foo/* w,
/etc/foo/* r,
Audit messages are not generated for every read or write of a file but only when a file is opened for read or write.
Audit control can be combined with owner conditional file rules to provide auditing when a user accesses files they own (at the moment it is not possible to audit files they don't own):
audit owner /home/*/.ssh/** rw,
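To show what the rules above produce and how a defender would consume it, here is an added example (not part of the original text) that parses AppArmor audit records and separates the apparmor="AUDIT" open events these rules generate from ordinary DENIED records, counting them per profile, path and requested mask and checking the fsuid/ouid pair the owner rule relies on. The log lines are constructed for this example and assume the usual AppArmor key=value record layout; the exact field set of a real message may differ.

```python
import re
from collections import Counter

# Constructed sample records (not captured from a real system); the paths
# mirror the /etc/foo/* and owner /home/*/.ssh/** rules discussed above.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.100:101): apparmor="AUDIT" operation="open" profile="/usr/bin/foo" name="/etc/foo/conf" pid=4242 comm="foo" requested_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.200:102): apparmor="AUDIT" operation="open" profile="/usr/bin/foo" name="/etc/foo/conf" pid=4242 comm="foo" requested_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.300:103): apparmor="AUDIT" operation="open" profile="/usr/bin/ssh" name="/home/alice/.ssh/config" pid=5151 comm="ssh" requested_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.400:104): apparmor="DENIED" operation="open" profile="/usr/bin/foo" name="/etc/shadow" pid=4242 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one audit line into a dict of its key/value fields, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def audited_opens(log_text):
    """Yield only records produced by 'audit' rules (apparmor="AUDIT") for open operations.

    DENIED records come from the profile's enforcement, not from audit rules,
    so they are left out here.
    """
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") == "AUDIT" and rec.get("operation") == "open":
            yield rec


def summarize(log_text):
    """Count audited opens per (profile, path, requested_mask)."""
    return Counter((r["profile"], r["name"], r["requested_mask"])
                   for r in audited_opens(log_text))


def owner_matches(rec):
    """True when the accessing user owns the file, i.e. what an 'owner' rule matches."""
    return rec.get("fsuid") is not None and rec.get("fsuid") == rec.get("ouid")


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, key)
```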