Logging and auditing

Access violations can be logged for later auditing.

Logged violations can be used to interactively improve profiles with aa-logprof.
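An added example (not from the original page): a small Python parser that groups AppArmor audit records per profile, the kind of review logged violations allow before a profile is refined. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the key="value" layout of AppArmor audit
# messages (not taken from a real system).
SAMPLE_LOG = '''\
type=AVC msg=audit(1700000000.101:211): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4021 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000003.552:212): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4021 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000004.020:213): apparmor="AUDIT" operation="open" profile="/usr/bin/example" name="/var/log/example.log" pid=4021 comm="example" requested_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000009.870:214): apparmor="DENIED" operation="mknod" profile="/usr/sbin/demo" name="/tmp/x" pid=4100 comm="demo" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=SYSCALL msg=audit(1700000009.870:214): arch=c000003e syscall=257 success=no exit=-13
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor event."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    return fields if "apparmor" in fields else None


def summarize(log_text):
    """Per profile: count repeated denials and list audited (allowed) matches."""
    denied = defaultdict(lambda: defaultdict(int))
    audited = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # unrelated audit record (e.g. SYSCALL)
        profile = rec.get("profile", "?")
        if rec["apparmor"] == "DENIED":
            key = (rec.get("operation"), rec.get("name"), rec.get("denied_mask"))
            denied[profile][key] += 1
        elif rec["apparmor"] == "AUDIT":
            audited[profile].append((rec.get("operation"), rec.get("name")))
    return {p: dict(v) for p, v in denied.items()}, dict(audited)


if __name__ == "__main__":
    denied, audited = summarize(SAMPLE_LOG)
    for profile, events in denied.items():
        for (op, name, mask), count in events.items():
            print(f"DENIED {profile}: {op} {name} mask={mask} x{count}")
    for profile, events in audited.items():
        for op, name in events:
            print(f"AUDIT  {profile}: {op} {name}")
```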

Auditing definitions

Per profile rule.

Global: /sys/module/apparmor/parameters/audit

Profile auditing types

Profiles can specify profile-wide auditing.

  • All matched rules within a profile produce a log entry.

Individual profile rules can specify their own auditing.

  • The rule produces a log entry when matched.

Global auditing types

  • normal

    • Profiles’ audit types are respected.

  • quiet_denied

    • No logging of denials.

    • Overrides profile/rule individual auditing.

  • quiet

    • No logging.

    • Overrides profile/rule individual auditing.

  • all

    • All rules of all profiles produce a log when matched.

Profiles’ loading and enforcement

Profiles are loaded into the kernel and associated with an executable file (defined in the profile).

If a profile exists for the loaded executable file, the profile is associated with the process upon an exec syscall.

Profiles can be modified at run time. Processes associated with the profile will reflect the modifications.

A new profile loaded for an executable file is not enforced on existing processes that are already using that file without a profile.
