All AppArmor events are logged using the system's audit interface (the auditd
logging to /var/log/audit/audit.log
). On top of this
infrastructure, event notification can be configured. Configure this feature
using YaST. It is based on severity levels according to
/etc/apparmor/severity.db
. Notification frequency and
type of notification (such as e-mail) can be configured.
If auditd is not running, AppArmor logs to the system log located under
/var/log/messages
using the LOG_KERN
facility.
Use YaST for generating reports in CSV or HTML format.
The Linux audit framework contains a dispatcher that can send AppArmor
events to any consumer application via dbus. The GNOME AppArmor Desktop Monitor
applet is one example of an application that gathers AppArmor events via dbus.
To configure audit to use the dbus dispatcher, just set the dispatcher in
your audit configuration in /etc/audit/auditd.conf
to
apparmor-dbus
and restart auditd:
dispatcher=/usr/bin/apparmor-dbus
Once the dbus dispatcher is configured correctly, add the AppArmor Desktop
Monitor to the GNOME panel. As soon as a REJECT
event is
logged, the applet's panel icon changes appearance and you can click the
applet to see the number of reject events per confined application. To view
the exact log messages, refer to the audit log under
/var/log/audit/audit.log
. Use the YaST Update
Profile Wizard to adjust the respective profile.