4.2 Setting Up Event Notification

Security event notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs. This feature is currently available via YaST.

When you enter an e-mail address, you are notified via e-mail when Novell AppArmor security events occur. You can enable three types of notifications:

Terse

Terse notification summarizes the total number of system events without providing details. For example:

dhcp-101.up.wirex.com has had 10 security events since Tue Oct 12 11:10:00 2004

Summary Notification

The summary notification displays the logged Novell AppArmor security events and lists the number of individual occurrences, including the date of the last occurrence. For example:

SubDomain: PERMITTING access to capability 'setgid' (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct  9 16:05:54 2004.

Verbose Notification

The verbose notification displays unmodified, logged Novell AppArmor security events. It reports every event as it occurs and writes a new line to the verbose log. Each event record includes the date and time of the event, whether the application profile permitted or rejected the access, and the type of file permission that was permitted or rejected. Verbose notification also reports several messages that the logprof tool (see logprof) uses to interpret profiles. For example:

Oct  9 15:40:31 SubDomain: PERMITTING r access to /etc/apache2/httpd.conf (httpd2-prefork(6068) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)

NOTE: To configure event notification, refer to Section 4.2.2, Configuring Security Event Notification. After configuring security event notification, read the reports and determine whether events require follow up. Follow up may include the procedures outlined in Section 4.4.1, Receiving a Security Event Rejection.

4.2.1 Severity Level Notification

You can set up Novell AppArmor to send you event messages for events that are in the severity database and at or above the level that you select. Severity levels are numbered one through ten, ten being the most severe security incident. The severity.db file defines the severity level of potential security events. The severity levels are determined by the importance of different security events, such as which resources were accessed or which services were denied.
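The three notification types above are views of one event stream: a verbose line is the raw record, the summary collapses repeated events into a count with the latest occurrence, and the terse form is a total, all filtered by the severity threshold described here. The Python below is an added illustration of that relationship, not code from Novell AppArmor or the YaST module; the log sample is constructed in the page's line format, and `severity()` is a hypothetical stand-in for the severity.db lookup.

```python
import re
from datetime import datetime

# Constructed sample of verbose SubDomain log lines, in the format quoted on this page.
VERBOSE_LOG = """\
Oct  9 15:40:31 SubDomain: PERMITTING r access to /etc/apache2/httpd.conf (httpd2-prefork(6068) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Oct  9 16:05:10 SubDomain: PERMITTING access to capability 'setgid' (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Oct  9 16:05:54 SubDomain: PERMITTING access to capability 'setgid' (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Oct  9 16:07:02 SubDomain: REJECTING w access to /etc/apache2/httpd.conf (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
"""

# syslog-style timestamp, the event text, then the parenthesised process/profile context
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) SubDomain: (?P<event>.+?) \((?P<ctx>.+)\)$")


def severity(event):
    """Hypothetical stand-in for the severity.db lookup (1..10); the real values live in that file."""
    if "capability" in event:
        return 9
    if event.startswith("REJECTING"):
        return 7
    return 3


def parse_verbose(log, year=2004):
    """Turn verbose lines into (timestamp, event, context, severity) tuples; unparsable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines omit the year
        events.append((ts, m["event"], m["ctx"], severity(m["event"])))
    return events


def summary(events, min_severity=1):
    """Summary notification: one line per distinct event at or above min_severity, with count and latest time."""
    groups = {}  # insertion-ordered, so output follows first occurrence
    for ts, event, ctx, sev in events:
        if sev < min_severity:
            continue
        count, latest = groups.get((event, ctx), (0, ts))
        groups[(event, ctx)] = (count + 1, max(latest, ts))
    return [f"SubDomain: {event} ({ctx}) {n} times, the latest at {latest.ctime()}."
            for (event, ctx), (n, latest) in groups.items()]


def terse(host, events, since, min_severity=1):
    """Terse notification: only a total of qualifying events since the start of the interval."""
    n = sum(1 for ts, _, _, sev in events if sev >= min_severity and ts >= since)
    return f"{host} has had {n} security events since {since.ctime()}"
```

With `min_severity=5` the read of httpd.conf (severity 3 in this stand-in table) drops out of the summary, while the two setgid capability events collapse into the single "2 times" line quoted above.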

4.2.2 Configuring Security Event Notification

Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs. When you select a notification frequency (receiving daily notification, for example), you activate the notification. You are required to enter an e-mail address, so you can be notified via e-mail when Novell AppArmor security events occur.

NOTE: For event notification to work, you must set up a mail server on your SUSE Linux system that can send outgoing mail using the SMTP protocol (for example, postfix or exim).

  1. In the Enable Security Event Notification section of the AppArmor Configuration window, click Configure.

    Figure: Security Event Notification window
  2. In the Security Event Notification window, you can enable Terse, Summary, or Verbose event notification, which are defined in Section 4.2.1, Severity Level Notification. Decide which notification type you want to receive as an e-mail outlining recent Novell AppArmor security events.

  3. In each applicable notification type section, enter the e-mail addresses of those who should receive notification in the field provided. If notification is enabled, you must enter an e-mail address. Otherwise you receive an error message. Separate multiple e-mail addresses with commas.

  4. For each notification type that you would like enabled, select the frequency of notification.

    Select a notification frequency from the following options:

    • Disabled
    • 1 minute
    • 5 minutes
    • 10 minutes
    • 15 minutes
    • 30 minutes
    • 1 hour
    • 1 day
    • 1 week

  5. For each selected notification type, select the lowest severity level for which a notification should be sent. Security events are logged continuously, and at the end of each interval a notification is sent covering the events whose severity is equal to or greater than the selected level. If the interval is 1 day, the notification is sent daily, provided that qualifying security events occurred. Refer to Section 4.2.1, Severity Level Notification, for more information about severity levels.

  6. Click OK.

  7. Click Done in the Novell AppArmor Configuration window.

  8. Click File > Quit in the YaST Control Center.