Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)

Loooking through the docs, it looks for me that this needs to be setup in the according apparmor profile.

http://manpages.ubuntu.com/manpages/cosmic/man5/apparmor.d.5.html

Quote from the man page:

Rule Qualifiers

There are several rule qualifiers that can be applied to permission rules. Rule qualifiers can modify the rule and/or permissions within the rule.

allow
Specifies that permissions requests that match the rule are allowed. This is the default value for rules and does not need to be specified. Conflicts with the deny qualifier.

audit
Specifies that permissions requests that match the rule should be recorded to the audit log.

deny
Specifies that permissions requests that match the rule should be denied without logging. Can be combined with 'audit' to enable logging. Conflicts with the allow qualifier.

Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)

Tags:

Logging

Ubuntu

Apparmor

Auditd

Related

Recent Posts