Analyzing events

AppArmor provides an interactive tool, aa-logprof, to analyze the events occurring in the system. The aa-logprof command scans the logs and provides a set of actions for modifying a profile.

Consider the apparmor_example.sh script, which is in enforce mode. After a certain period of time, you modify the script and insert a command to list all the files in the directory. When you run the apparmor_example.sh script, a Permission denied error appears on the screen. Because a new command was added to the script and no permissions are assigned to the updated entry, AppArmor does not allow the script to run. The permissions must be assigned before the script is executed. To evaluate the permissions that can be applied to the new entries, view the logs for details. On the appliance CLI Manager, the logs are available in the audit.log file in the /var/log/ directory. The following figure displays the logs that appear for the apparmor_example.sh script.

System Logs

In the figure, the logs describe the profile for apparmor_example.sh. The logs contain the following information:

  • AppArmor has denied an open operation for the profile that contains a new command.
  • The script does not have access to a /dev/tty directory with the requested_mask="r" permission, as it is not defined for the new command.

Thus, the logs provide insight into the different operations that occur when the script is executed. After analyzing the logs and evaluating the permissions, you can run the aa-logprof command to update the permissions for the script.

  • The changes that are applied to the profiles are audited, and logs are generated for them. For more information about the audit logs, refer to System Auditing.

  • Important: It is not recommended to use the aa-logprof command for profiles defined by Protegrity. If you want to modify an existing profile, refer to Modifying an existing Profile.
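One way to review the denials recorded in audit.log before running aa-logprof, as an added example that is not part of the original documentation. The function name summarize_denials and the sample records are constructed for illustration, and the records are assumed to use the standard key="value" AppArmor audit format.

```shell
#!/bin/sh
# summarize_denials [FILE...]: count AppArmor DENIED records, grouped by
# profile, operation, path and requested mask. Reads stdin when no file
# is given. On the appliance: summarize_denials /var/log/audit.log
summarize_denials() {
    awk '
    # Return the value of key="value" (or key=value) in the current record.
    function field(key,    line, re, s) {
        line = " " $0                      # leading space anchors the key name
        re = " " key "=(\"[^\"]*\"|[^ ]*)"
        if (!match(line, re)) return "-"   # key absent from this record
        s = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s)
        return s
    }
    /apparmor="DENIED"/ {
        k = field("profile") " " field("operation") " " \
            field("name") " " field("requested_mask")
        count[k]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1738230000.101:411): apparmor="DENIED" operation="open" profile="/etc/opt/apparmor_examples.sh" name="/dev/tty" pid=2101 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1738230004.233:412): apparmor="DENIED" operation="open" profile="/etc/opt/apparmor_examples.sh" name="/dev/tty" pid=2107 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1738230005.410:413): apparmor="DENIED" operation="open" profile="/etc/opt/apparmor_examples.sh" name="/etc/opt/" pid=2107 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1738230009.870:414): apparmor="ALLOWED" operation="exec" profile="/etc/opt/apparmor_examples.sh" name="/bin/rm" pid=2110 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1738230010.002:415): arch=c000003e syscall=257 success=yes exit=3
EOF
}

# Output columns: count, profile, operation, path, requested mask.
sample_log | summarize_denials
```

Each output row corresponds to one access that the profile currently denies, which makes it easier to decide which entries to allow or deny when aa-logprof prompts for them.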

Updating profile permissions

Perform the following steps to update profile permissions.

  1. Log in to the CLI Manager of the appliance.

  2. Navigate to Administration > OS Console.

  3. Run the aa-logprof command.

    Reading log entries from /var/log/syslog.
    Updating AppArmor profiles in /etc/apparmor.d.
    Complain-mode changes:
    
    Profile:  /etc/opt/apparmor_examples.sh
    Path:     /bin/rm
    Old Mode: r
    New Mode: mr
    Severity: unknown
    
     [1 - /bin/rm mr,]
    (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
    
  4. Type the required permissions. Type F to finish scanning.

  5. After the permissions are granted, the following screen appears.

    = Changed Local Profiles =
    The following local profiles were changed. Would you like to save them?
    
     [1 - /etc/opt/apparmor_examples.sh]
    (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
    
  6. Type S to save the changes.

    Writing updated profile for /etc/opt/apparmor_examples.sh.
    
  7. Navigate to the /etc/apparmor.d directory to view the profile.

Last modified January 30, 2025