[Apparmor-general] AppArmor definition of a home directory too rigid

Steve Beattie sbeattie at suse.de
Thu Aug 2 14:44:53 MDT 2007


On Thu, Aug 02, 2007 at 12:52:31PM +1000, Michael.James at csiro.au wrote:
> To help stay ahead of trouble, put this into   /etc/logdigest/alarming.local
> 
> 	kernel: SubDomain: REJECTING
> 
> You'll see all the hits in your logdigest email.
> (You do use logdigest don't you? It's magic for sysadmins)

The logdigest package, as of February 2006 or so, already searches for
the REJECT keyword as well as monitors the audit daemon's logfile in
/var/log/audit/audit.log (I pushed a patch upstream for that).

One thing to watch out for with logdigest is that, rather than collating
all the alarming events, it reports on a per-logfile basis. Because the
audit log got added to the list of logfiles to monitor last, logdigest
will report all of the alarming syslog events, then the rest of the
syslog events, *then* the audit log alarming events. Depending on what
gets reported in your syslog, this may make it easy to overlook apparmor
rejections that occur.
-- 
Steve Beattie
SUSE Labs, Novell Inc. 
<sbeattie at suse.de>
http://NxNW.org/~steve/
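
An added example, not part of the original post and not logdigest's own code: one way to pull the REJECT lines out of both the syslog and the audit log and list them together in time order, so that AppArmor rejections are not split across per-logfile sections. The log lines are constructed samples, the function names are hypothetical, and syslog timestamps are assumed to be UTC with the year supplied by the caller.

```python
import re
from datetime import datetime, timezone

ALARM = re.compile(r"REJECT")  # keyword from the post; also matches REJECTING
AUDIT_STAMP = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")  # epoch seconds
SYSLOG_STAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

# Constructed sample input; not real log data.
SAMPLE_LOGS = {
    "messages": (
        "Aug  2 14:40:01 host cron[2211]: (root) CMD (run-parts /etc/cron.hourly)\n"
        "Aug  2 14:41:10 host kernel: SubDomain: REJECTING r access to /etc/shadow "
        "(example(3310) profile /usr/bin/example active /usr/bin/example)\n"
        "Aug  2 14:43:00 host sshd[3400]: Accepted publickey for alice\n"
    ),
    "audit.log": (
        "type=APPARMOR msg=audit(1186065630.100:12): REJECTING w access to "
        "/home/alice/.bashrc (example(3290) profile /usr/bin/example active /usr/bin/example)\n"
        "type=APPARMOR msg=audit(1186065720.250:13): REJECTING r access to "
        "/etc/passwd- (example(3290) profile /usr/bin/example active /usr/bin/example)\n"
    ),
}

def event_time(line, year):
    """Return a UTC datetime for an audit or syslog line, or None if undated."""
    m = AUDIT_STAMP.search(line)
    if m:
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    m = SYSLOG_STAMP.match(line)
    if m:
        # Assumption: syslog lines carry no year and are in UTC.
        t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return t.replace(tzinfo=timezone.utc)
    return None

def collate_rejections(logs, year):
    """logs maps logfile name to text; returns [(time, logfile, line)] by time."""
    hits = []
    for name, text in logs.items():
        for line in text.splitlines():
            if ALARM.search(line):
                hits.append((event_time(line, year), name, line.strip()))
    # Undated hits sort first so they are never buried at the end.
    return sorted(hits, key=lambda h: (h[0] is not None, h[0] or 0, h[1]))

if __name__ == "__main__":
    for when, source, line in collate_rejections(SAMPLE_LOGS, 2007):
        print(f"{when:%Y-%m-%d %H:%M:%S} [{source}] {line}")
```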