Auditing Rules

AppArmor can audit individual rules: whenever such a rule is matched, an audit message is written to the audit log. To enable audit messages for a given rule, prepend the audit keyword to the rule:

audit /etc/foo/*        rw,

If only one of the permissions should be audited, split the rule into two rules. In the following example, audit messages are generated when files are opened for writing, but not when they are opened for reading only:

audit /etc/foo/*  w,
/etc/foo/*        r,
Note: Audit messages are not generated for every read or write of a file, but only when a file is opened for reading or writing.

Audit control can be combined with owner conditional file rules to provide auditing when a user accesses files they own (at the moment it is not possible to audit access to files they do not own):

audit owner /home/*/.ssh/**       rw,
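The following Python script is an added illustration, not part of the original page or of AppArmor itself: it models how the three rules above (the split write/read rules and the owner rule) decide whether an open is allowed and whether it produces an audit message. The rule tuples and the glob conversion are this example's own simplified model of AppArmor's matching.

```python
import re

# The three rules from this page, as (path glob, permissions, audit, owner) tuples.
# This tuple form is a constructed stand-in for the profile syntax, not AppArmor's parser.
RULES = [
    ("/etc/foo/*", "w", True, False),        # audit /etc/foo/*          w,
    ("/etc/foo/*", "r", False, False),       # /etc/foo/*                r,
    ("/home/*/.ssh/**", "rw", True, True),   # audit owner /home/*/.ssh/** rw,
]


def glob_to_regex(glob):
    """AppArmor globbing: '*' does not cross '/', '**' does."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")


def evaluate_open(path, requested, fsuid, ouid, rules=RULES):
    """Classify an open of `path` requesting permissions such as 'r', 'w' or 'rw'
    by a task with filesystem uid `fsuid` on a file owned by `ouid`.

    Returns 'DENIED' (logged by default), 'AUDIT' (allowed and logged because an
    audited permission was requested) or 'ALLOW' (allowed, nothing logged)."""
    allowed, audited = set(), set()
    for glob, perms, audit, owner in rules:
        if not glob_to_regex(glob).match(path):
            continue
        if owner and fsuid != ouid:   # owner rules apply only to the user's own files
            continue
        allowed.update(perms)
        if audit:
            audited.update(perms)
    wanted = set(requested)
    if not wanted <= allowed:
        return "DENIED"
    return "AUDIT" if wanted & audited else "ALLOW"
```

Opening /etc/foo/app.conf for reading is allowed silently, while opening it for writing (or read-write) is allowed and audited, which is exactly the effect of splitting the rule.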