6.2 Configuring Security Event Notification
Security event notification is a Novell AppArmor feature that informs you when
systemic Novell AppArmor activity occurs. Activate it by selecting a notification
frequency (receiving daily notification, for example). Enter an e-mail
address, so you can be notified by e-mail when Novell AppArmor security events occur.
Select one of the following notification types:
- Terse
Terse notification summarizes the total number of system events
without providing details. For example:
jupiter.example.com has had 41 security events since Mon Sep 10 14:53:16 2007.
- Summary Notification
Summary notification displays the logged Novell AppArmor
security events and lists the number of individual occurrences,
including the date of the last occurrence. For example:
AppArmor: PERMITTING access to capability ’setgid’ (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct 9 16:05:54 2004.
- Verbose Notification
Verbose notification displays unmodified, logged Novell AppArmor security
events. It tells you every time an event occurs and writes a new line in
the verbose log. These security events include the date and time the
event occurred, when the application profile permits and
rejects access, and the type of file permission access that is permitted
or rejected. Verbose notification also reports several messages that the
aa-logprof tool (see
aa-logprof—Scanning the System Log) uses to interpret
profiles. For example:
type=APPARMOR_DENIED msg=audit(1189428793.218:2880): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
NOTE:
You must set up a mail server that can send outgoing mail using the SMTP
protocol (for example, postfix or exim) for event notification to work.
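The relationship between the three notification types can be seen by reducing verbose records to summary counts and a terse total. The following is an added example, not Novell AppArmor's own reporting code: the grouping key (event type, operation, denied mask, name, profile) is an assumption, and every sample line except the first, which is the verbose example above, is constructed.

```python
import re
import time
from collections import OrderedDict

# Constructed sample input in the verbose format shown above; the first line
# is the page's own example, the others are made-up variations of it.
SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1189428793.218:2880): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_DENIED msg=audit(1189428801.004:2881): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22970 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_DENIED msg=audit(1189428850.500:2882): operation="file_permission" requested_mask="r" denied_mask="r" name="/etc/example.conf" pid=22971 profile="/usr/sbin/httpd2-prefork"
type=SYSCALL msg=audit(1189428851.000:2883): arch=c000003e syscall=2
"""

HEADER = re.compile(r'^type=(APPARMOR_\w+) msg=audit\((\d+)\.\d+:\d+\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Return a dict for one AppArmor audit record, or None for other lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {"type": m.group(1), "epoch": int(m.group(2))}
    for key, value in FIELD.findall(m.group(3)):
        event[key] = value.strip('"')
    return event

def summarize(log_text):
    """Group events that differ only in pid/time: key -> [count, latest epoch]."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["type"], ev.get("operation"), ev.get("denied_mask"),
               ev.get("name"), ev.get("profile"))
        entry = groups.setdefault(key, [0, 0])
        entry[0] += 1
        entry[1] = max(entry[1], ev["epoch"])
    return groups

def terse_total(groups):
    """Terse view: only the total number of events."""
    return sum(count for count, _ in groups.values())

if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    print("%d security events" % terse_total(groups))
    for (typ, op, mask, name, profile), (count, latest) in groups.items():
        print('%s %s mask=%s name=%s profile=%s: %d times, the latest at %s'
              % (typ, op, mask, name, profile, count, time.ctime(latest)))
```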
- In the section of the window, click .
- In the window, enable Terse, Summary, or Verbose event notification.
- In each applicable notification type section, enter the e-mail
addresses of those who should receive notification in the field
provided. If notification is enabled, you must enter an e-mail
address. Separate multiple e-mail addresses with commas.
- For each notification type enabled, select the
frequency of notification.
Select a notification frequency from the following options:
  - Disabled
  - 1 minute
  - 5 minutes
  - 10 minutes
  - 15 minutes
  - 30 minutes
  - 1 hour
  - 1 day
  - 1 week
- For each selected notification type, select the lowest severity level
for which a notification should be sent. Security events are logged and
the notifications are sent at the time indicated by the interval when
events are equal to or greater than the selected severity level. If the
interval is 1 day, the notification is sent daily if
security events occur.
NOTE: Severity Levels
Novell AppArmor sends out event messages for things that are in the severity
database and above the level selected. Severity levels are
numbered 1 through 10, with 10 being the most severe security
incident. The
/etc/severity.db file defines the severity level
of potential security events. The severity levels are determined by the
importance of different security events, such as certain resources
accessed or services denied.
- Click .
- Click in the window.
- Click in the YaST Control Center.
After configuring security event notification, read the reports and
determine whether events require follow-up. Follow-up may include the
procedures outlined in Section 6.5, Reacting to Security Event Rejections.