apparmor_managing.xml

<?xml version="1.0"?>
<!DOCTYPE chapter [
  <!ENTITY % entities SYSTEM "generic-entities.ent">
  %entities;
]>

<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="cha-apparmor-managing">
 <title>Managing Profiled Applications</title>
 <info>
      <meta name="description">Maintain your security policy files regularly by updating profiles from system logs and monitoring for rejected actions</meta>
  <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
        <dm:bugtracker>
          </dm:bugtracker>
      </dm:docmanager>
    <revhistory xml:id="rh-cha-apparmor-managing">
   <revision>
     <date>2026-04-09</date>
     <revdescription>
       <para/>
     </revdescription>
   </revision>
 </revhistory>
</info>
    <para>
  After creating profiles and immunizing your applications,
  &productnamereg; becomes more efficient and better protected as long as
  you perform &aareg; profile maintenance (which involves analyzing log
  files, refining your profiles, backing up your set of profiles and keeping
  it up-to-date). You can deal with these issues before they become a
  problem by setting up event notification by e-mail, updating profiles from
  system log entries by running the aa-logprof tool, and dealing with
  maintenance issues.
 </para>
<!-- fs 2011-11-09 - see bnc #722915
     (reporting is not available in 12.1 (aa-eventd isn't maintained upstream,
      and doesn't understand the (not-so-)new audit.log format))

 <sect1 id="sec-apparmor-managing-monitor">
  <title>Monitoring Your Secured Applications</title>

  <para>
   Applications that are confined by &aa; security profiles generate
   messages when applications execute in unexpected ways or outside of their
   specified profile. These messages can be monitored by event notification,
   periodic report generation, or integration into a third-party reporting
   mechanism.
  </para>

  <para>
   For reporting and alerting, &aa; uses a user space daemon
   (<command>/usr/sbin/aa-eventd</command>). This daemon monitors log
   traffic, sends out notifications, and runs scheduled reports. It does not
   require any end user configuration and it is started automatically as
   part of the security event notification through the &yast; &aa; Control
   Panel or by the configuration of scheduled reports in the &yast; &aa;
   Reports module.
  </para>

  <para>
   Apart from transparently enabling and disabling aa-eventd with the &yast;
   modules, you can manually toggle its status with the
   <command>rcaaeventd</command> init script. The &aa; event daemon is not
   required for proper functioning of the profiling process (such as
   enforcement or learning). It is required for reporting only.
  </para>

  <para>
   Find more details on security event notification in
   <xref
    linkend="sec-apparmor-managing-config-sen"/> and on scheduled
   reports in <xref
    linkend="sec-apparmor-managing-config-reports"/>.
  </para>

  <para>
   If you prefer a simple way of being notified of any &aa; reject events
   that does not require you to check your e-mails or any log files, use the
   &aa; Desktop Monitor applet that integrates into the &gnome; desktop. Refer
   to <xref linkend="sec-apparmor-managing-dmon"/> for details.
  </para>
 </sect1>
 <sect1 id="sec-apparmor-managing-config-sen">
  <title>Configuring Security Event Notification</title>

  <para>
   Security event notification is a &aa; feature that informs you when
   systemic &aa; activity occurs. Activate it by selecting a notification
   frequency (receiving daily notification, for example). Enter an e-mail
   address so you can be notified by e-mail when &aa; security events
   occur. Select one of the following notification types:
  </para>

  <variablelist>
   <varlistentry>
    <term>Terse</term>
    <listitem>
     <para>
      Terse notification summarizes the total number of system events
      without providing details. For example:
     </para>
<screen>&wsIname; has had 41 security events since Mon Sep 10 14:53:16 2007.
</screen>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Summary Notification</term>
    <listitem>
     <para>
      Summary notification displays the logged &aa; security events and
      lists the number of individual occurrences, including the date of the
      last occurrence. For example:
     </para>
<screen>AppArmor: PERMITTING access to capability &rsquo;setgid&rsquo; (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct  9 16:05:54 2004.</screen>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Verbose Notification</term>
    <listitem>
     <para>
      Verbose notification displays unmodified, logged &aa; security
      events. It tells you every time an event occurs and writes a new line
      in the verbose log. These security events include the date and time
      the event occurred, when the application profile permits and rejects
      access, and the type of file permission access that is permitted or
      rejected. Verbose notification also reports several messages that the
      aa-logprof tool (see
      <xref linkend="sec-apparmor-commandline-profiling-summary-logprof"/>)
      uses to interpret profiles. For example:
     </para>
<screen>type=APPARMOR_DENIED msg=audit(1189428793.218:2880):
      operation="file_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
</screen>
    </listitem>
   </varlistentry>
  </variablelist>

  <note>
   <para>
    You must set up a mail server that can send outgoing mail using the SMTP
    protocol (for example, postfix or exim) for event notification to work.
   </para>
  </note>

  <procedure>
   <step>
    <para>
     In the <guimenu>Enable Security Event Notification</guimenu> section of
     the <guimenu>&aa; Configuration</guimenu> window, click
     <guimenu>Configure</guimenu>.
    </para>
    <informalfigure>
     <mediaobject>
      <textobject role="description"><phrase>Security event
	  notification window</phrase>
      </textobject>
      <imageobject role="fo">
       <imagedata fileref="eventnotif.png" width="75%"/>
      </imageobject>
      <imageobject role="html">
       <imagedata fileref="eventnotif.png" width="75%"/>
      </imageobject>
     </mediaobject>
    </informalfigure>
   </step>
   <step>
    <para>
     In the <guimenu>Security Event Notification</guimenu> window, enable
     <guimenu>Terse</guimenu>, <guimenu>Summary</guimenu>, or
     <guimenu>Verbose</guimenu> event notification.
    </para>
    <substeps>
     <step>
      <para>
       In each applicable notification type section, enter the e-mail
       addresses of those who should receive notification in the field
       provided. If notification is enabled, you must enter an e-mail
       address. Separate multiple e-mail addresses with commas.
      </para>
     </step>
     <step>
      <para>
       For each notification type enabled, select the frequency of
       notification.
      </para>
      <para>
       Select a notification frequency from the following options:
      </para>
      <itemizedlist>
       <listitem>
        <para>
         Disabled
        </para>
       </listitem>
       <listitem>
        <para>
         1 minute
        </para>
       </listitem>
       <listitem>
        <para>
         5 minutes
        </para>
       </listitem>
       <listitem>
        <para>
         10 minutes
        </para>
       </listitem>
       <listitem>
        <para>
         15 minutes
        </para>
       </listitem>
       <listitem>
        <para>
         30 minutes
        </para>
       </listitem>
       <listitem>
        <para>
         1 hour
        </para>
       </listitem>
       <listitem>
        <para>
         1 day
        </para>
       </listitem>
       <listitem>
        <para>
         1 week
        </para>
       </listitem>
      </itemizedlist>
     </step>
     <step>
      <para>
       For each selected notification type, select the lowest severity level
       for which a notification should be sent. Security events are logged
       and the notifications are sent at the time indicated by the interval
       when events are equal to or greater than the selected severity level.
       If the interval is <guimenu>1 day</guimenu>, the notification is sent
       daily, if security events occur.
      </para>
      <note>
       <title>Severity Levels</title>
       <para>
        &aa; sends out event messages for things that are in the severity
        database and above the level selected. Severity levels are numbered
        1 through 10, with 10 being the most severe security incident. The
        <filename>/etc/severity.db</filename> file defines the severity
        level of potential security events. The severity levels are
        determined by the importance of different security events, such as
        certain resources accessed or services denied.
       </para>
      </note>
     </step>
    </substeps>
   </step>
   <step>
    <para>
     Click <guimenu>OK</guimenu>.
    </para>
   </step>
   <step>
    <para>
     Click <guimenu>Done</guimenu> in the <guimenu>&aa;
     Configuration</guimenu> window.
    </para>
   </step>
   <step>
    <para>
     Click <menuchoice> <guimenu>File</guimenu> <guimenu>Quit</guimenu>
     </menuchoice> in the &yast; Control Center.
    </para>
   </step>
  </procedure>

  <para>
   After configuring security event notification, read the reports and
   determine whether events require follow up. Follow up may include the
   procedures outlined in
   <xref linkend="sec-apparmor-managing-react"/>.
  </para>
 </sect1>
 <sect1 id="sec-apparmor-managing-config-reports">
  <title>Configuring Reports</title>

  <para>
   &aa;'s reporting feature adds flexibility by enhancing the way users can
   view security event data. The reporting tool performs the following:
  </para>

  <itemizedlist>
   <listitem>
    <para>
     Creates on-demand reports
    </para>
   </listitem>
   <listitem>
    <para>
     Exports reports
    </para>
   </listitem>
   <listitem>
    <para>
     Schedules periodic reports for archiving
    </para>
   </listitem>
   <listitem>
    <para>
     E-mails periodic reports
    </para>
   </listitem>
   <listitem>
    <para>
     Filters report data by date
    </para>
   </listitem>
   <listitem>
    <para>
     Filters report data by other options, such as program name
    </para>
   </listitem>
  </itemizedlist>

  <para>
   Using reports, you can read important &aa; security events reported in
   the log files without manually sifting through the messages only useful
   to the aa-logprof tool. Narrow down the size of the report by filtering
   by date range or program name. You can also export an
   <filename>html</filename> or <filename>csv</filename> file.
  </para>

  <para>
   The following are the three types of reports available in &aa;:
  </para>

  <variablelist>
   <varlistentry>
    <term>Executive Security Summary</term>
    <listitem>
     <para>
      A combined report, consisting of one or more security incident reports
      from one or more machines. This report can provide a single view of
      security events on multiple machines. For more details, refer to
      <xref linkend="sec-apparmor-managing-config-reports-view-ess"/>.
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Application Audit Report</term>
    <listitem>
     <para>
      <remark role="clarity">
       2006-11-14 - jjaeger: SP1, provide an example for an application server
       </remark>
      An auditing tool that reports which application servers are running
      and whether the applications are confined by &aa;. Application servers
      are applications that accept incoming network connections. For more
      details, refer to
      <xref linkend="sec-apparmor-managing-config-reports-view-audit"/>.
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Security Incident Report</term>
    <listitem>
     <para>
      A report that displays application security for a single host. It
      reports policy violations for locally confined applications during a
      specific time period. You can edit and customize this report or add
      new versions. For more details, refer to
      <xref linkend="sec-apparmor-managing-config-reports-view-sir"/>.
     </para>
    </listitem>
   </varlistentry>
  </variablelist>

  <para>
   To use the &aa; reporting features, proceed with the following steps:
  </para>

  <procedure>
   <step>
    <para>
     Open <menuchoice> <guimenu>&yast;</guimenu> <guimenu>&aa;</guimenu>
     </menuchoice>.
    </para>
   </step>
   <step>
    <para>
     In <guimenu>&aa;</guimenu>, click <guimenu>&aa; Reports</guimenu>. The
     <guimenu>&aa; Security Event Reports</guimenu> window appears. From the
     <guimenu>Reports</guimenu> window, select an option and proceed to the
     respective section for instructions:
    </para>
    <informalfigure>
     <mediaobject>
      <textobject role="description"><phrase>Reports window</phrase>
      </textobject>
      <imageobject role="fo">
       <imagedata fileref="report1.png" width="75%"/>
      </imageobject>
      <imageobject role="html">
       <imagedata fileref="report1.png" width="75%"/>
      </imageobject>
     </mediaobject>
    </informalfigure>
    <variablelist>
     <varlistentry>
      <term>View Archive</term>
      <listitem>
       <para>
        Displays all reports that have been run and stored in
        <filename>/var/log/apparmor/reports-archived/</filename>. Select the
        report you want to see in detail and click <guimenu>View</guimenu>.
        For <guimenu>View Archive</guimenu> instructions, proceed to
        <xref linkend="sec-apparmor-managing-config-reports-view"/>.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Run Now</term>
      <listitem>
       <para>
        Produces an instant version of the selected report type. If you
        select a security incident report, it can be further filtered in
        various ways. For <guimenu>Run Now</guimenu> instructions, proceed
        to
        <xref linkend="sec-apparmor-managing-config-reports-on-demand"/>.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Add</term>
      <listitem>
       <para>
        Creates a scheduled security incident report. For
        <guimenu>Add</guimenu> instructions, proceed to
        <xref linkend="sec-apparmor-managing-config-reports-new"/>.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Edit</term>
      <listitem>
       <para>
        Edits a scheduled security incident report.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Delete</term>
      <listitem>
       <para>
        Deletes a scheduled security incident report. All stock or canned
        reports cannot be deleted.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Back</term>
      <listitem>
       <para>
        Returns you to the &aa; main screen.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Abort</term>
      <listitem>
       <para>
        Returns you to the &aa; main screen.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Next</term>
      <listitem>
       <para>
        Performs the same function as the <guimenu>Run Now</guimenu> button.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </step>
  </procedure>

  <sect2 id="sec-apparmor-managing-config-reports-view">
   <title>Viewing Archived Reports</title>
   <para>
    <guimenu>View Reports</guimenu> enables you to specify the location of a
    collection of reports from one or more systems, including the ability to
    filter by date or names of programs accessed and display them all
    together in one report.
   </para>
   <procedure>
    <step>
     <para>
      From the <guimenu>&aa; Security Event Report</guimenu> window, select
      <guimenu>View Archive</guimenu>.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Security Event Report</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="reports_viewarch_pg1.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="reports_viewarch_pg1.png" width="75%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      Select the report type to view. Toggle between the different types:
      <guimenu>SIR</guimenu> (Security Incident Report), <guimenu>App
      Aud</guimenu> (Application Audit), and <guimenu>ESS</guimenu>
      (Executive Security Summary).
     </para>
    </step>
    <step>
     <para>
      You can alter the directory location of the archived reports in
      <guimenu>Location of Archived Reports</guimenu>. Select
      <guimenu>Accept</guimenu> to use the current directory or select
      <guimenu>Browse</guimenu> to find a new report location. The default
      directory is <filename>/var/log/apparmor/reports-archived</filename>.
     </para>
    </step>
    <step>
     <para>
      To view all the reports in the archive, select <guimenu>View
      All</guimenu>. To view a specific report, select a report file listed
      in the <guimenu>Report</guimenu> field then select
      <guimenu>View</guimenu>.
     </para>
    </step>
    <step>
     <para>
      For <guimenu>Application Audit</guimenu> and <guimenu>Executive
      Security Summary</guimenu> reports, proceed to
      <xref linkend="ste-apparmor-managing-config-reports-view-toc"/>.
     </para>
    </step>
    <step>
     <para>
      The <guimenu>Report Configuration Dialog</guimenu> opens for
      <guimenu>Security Incident</guimenu> reports.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Report Configuration</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="report_config.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="report_config.png" width="75%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      The <guimenu>Report Configuration</guimenu> dialog enables you to
      filter the reports selected in the previous screen. Enter the desired
      filter details. The fields are:
     </para>
     <variablelist>
      <varlistentry>
       <term>Date Range</term>
       <listitem>
        <para>
         To display reports for a certain time period, select
         <guimenu>Filter By Date Range</guimenu>. Enter the start and end
         dates that define the scope of the report.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Program Name</term>
       <listitem>
        <para>
         When you enter a program name or pattern that matches the name of
         the binary executable of the program of interest, the report
         displays security events that have occurred for a specific program.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Profile Name</term>
       <listitem>
        <para>
         When you enter the name of the profile, the report displays the
         security events that are generated for the specified profile. You
         can use this to see what is being confined by a specific profile.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>PID Number</term>
       <listitem>
        <para>
         <guimenu>PID number</guimenu> is a number that uniquely identifies
         one specific process or running program (this number is valid only
         during the lifetime of that process).
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Severity</term>
       <listitem>
        <para>
         Select the lowest severity level for security events to include in
         the report. The selected severity level (and above) are then
         included in the reports.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Detail</term>
       <listitem>
        <para>
         A source to which the profile has denied access. This includes
         capabilities and files. You can use this field to report the
         resources to which profiles prevent access.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Access Type</term>
       <listitem>
        <para>
         The access type describes what is actually happening with the
         security event. The options are <option>PERMITTING</option>,
         <option>REJECTING</option>, or <option>AUDITING</option>.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Mode</term>
       <listitem>
        <para>
         The <guimenu>Mode</guimenu> is the permission that the profile
         grants to the program or process to which it is applied. The
         options are <option>all</option> (all modes without filtering),
         <option>r</option> (read), <option>w</option> (write),
         <option>l</option> (link),<option>x</option> (execute), and
         <option>m</option> (mmap).
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Export Type</term>
       <listitem>
        <para>
         Enables you to export a CSV (comma separated values) or HTML file.
         The CSV file separates pieces of data in the log entries with
         commas using a standard data format for importing into
         table-oriented applications. You can enter a path for your exported
         report by typing the full path in the field provided.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Location to Store Log</term>
       <listitem>
        <para>
         Enables you to change the location at which to store the exported
         report. The default location is
         <filename>/var/log/apparmor/reports-exported</filename>. When you
         change this location, select <guimenu>Accept</guimenu>. Select
         <guimenu>Browse</guimenu> to browse the file system.
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
    <step>
     <para>
      To see the report, filtered as desired, select
      <guimenu>Next</guimenu>. One of the three reports displays.
     </para>
    </step>
    <step id="ste-apparmor-managing-config-reports-view-toc">
     <para>
      Refer to the following sections for detailed information about each
      type of report.
     </para>
     <itemizedlist>
      <listitem>
       <para>
        For the application audit report, refer to
        <xref linkend="sec-apparmor-managing-config-reports-view-audit"/>.
       </para>
      </listitem>
      <listitem>
       <para>
        For the security incident report, refer to
        <xref linkend="sec-apparmor-managing-config-reports-view-sir"/>.
       </para>
      </listitem>
      <listitem>
       <para>
        For the executive summary report, refer to
        <xref linkend="sec-apparmor-managing-config-reports-view-ess"/>.
       </para>
      </listitem>
     </itemizedlist>
    </step>
   </procedure>
   <sect3 id="sec-apparmor-managing-config-reports-view-audit">
    <title>Application Audit Report</title>
    <para>
     An application audit report is an auditing tool that reports which
     application servers are running and whether they are confined by &aa;.
    </para>
    <informalfigure>
     <mediaobject>
      <textobject role="description"><phrase>Application audit report</phrase>
      </textobject>
      <imageobject role="fo">
       <imagedata fileref="reports_run_appaudit.png" width="75%"/>
      </imageobject>
      <imageobject role="html">
       <imagedata fileref="reports_run_appaudit.png" width="75%"/>
      </imageobject>
     </mediaobject>
    </informalfigure>
    <para>
     The following fields are provided in an application audit report:
    </para>
    <variablelist>
     <varlistentry>
      <term>Host</term>
      <listitem>
       <para>
        The machine protected by &aa; for which the security events are
        reported.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Date</term>
      <listitem>
       <para>
        The date during which security events occurred.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Program</term>
      <listitem>
       <para>
        The name and path of the executing process.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Profile</term>
      <listitem>
       <para>
        The absolute name of the security profile that is applied to the
        process.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>PID</term>
      <listitem>
       <para>
        A number that uniquely identifies one specific process or running
        program (this number is valid only during the lifetime of that
        process).
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>State</term>
      <listitem>
       <para>
        This field reveals whether the program listed in the program field
        is confined. If it is not confined, consider creating a profile for
        it.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Type</term>
      <listitem>
       <para>
        This field reveals the type of confinement the security event
        represents (either complain or enforce). If the application is not
        confined (state), no type of confinement is reported.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </sect3>
   <sect3 id="sec-apparmor-managing-config-reports-view-sir">
    <title>Security Incident Report</title>
    <para>
     A security incident report displays security events of interest to an
     administrator. The SIR reports policy violations for locally confined
     applications during a specified time period. It also reports policy
     exceptions and policy engine state changes. These two types of security
     events are defined as follows:
    </para>
    <variablelist>
     <varlistentry>
      <term>Policy Exceptions</term>
      <listitem>
       <para>
        When an application requests a resource that is not defined within
        its profile, a security event is triggered. A report is generated
        that displays security events of interest to an administrator. The
        SIR reports policy violations for locally confined applications
        during a specified time period. The SIR reports policy exceptions
        and policy engine state changes.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Policy Engine State Changes</term>
      <listitem>
       <para>
        Enforces policy for applications and maintains its own state,
        including when engines start or stop, when a policy is reloaded, and
        when global security feature are enabled or disabled.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
    <informalfigure>
     <mediaobject>
      <textobject role="description"><phrase>Security incident report</phrase>
      </textobject>
      <imageobject role="fo">
       <imagedata fileref="reports_run_sir.png" width="75%"/>
      </imageobject>
      <imageobject role="html">
       <imagedata fileref="reports_run_sir.png" width="75%"/>
      </imageobject>
     </mediaobject>
    </informalfigure>
    <para>
     The fields in the SIR report have the following meanings:
    </para>
    <variablelist>
     <varlistentry>
      <term>Host</term>
      <listitem>
       <para>
        The machine protected by &aa; for which the security events are
        reported.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Date</term>
      <listitem>
       <para>
        The date during which security events occurred.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Program</term>
      <listitem>
       <para>
        The name of the executing process.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Profile</term>
      <listitem>
       <para>
        The absolute name of the security profile that is applied to the
        process.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>PID</term>
      <listitem>
       <para>
        A number that uniquely identifies one specific process or running
        program (this number is valid only during the lifetime of that
        process).
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Severity</term>
      <listitem>
       <para>
        Severity levels of events are reported from the severity database.
        The severity database defines the importance of potential security
        events and numbers them 1 through 10, 10 being the most severe
        security incident. The severity levels are determined by the threat
        or importance of different security events, such as certain
        resources accessed or services denied.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Mode</term>
      <listitem>
       <para>
        The mode is the permission that the profile grants to the program or
        process to which it is applied. The options are <option>r</option>
        (read), <option>w</option> (write), <option>l</option> (link), and
        <option>x</option> (execute).
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Detail</term>
      <listitem>
       <para>
        A source to which the profile has denied access. This includes
        capabilities and files. You can use this field to report the
        resources to which the profile prevents access.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Access Type</term>
      <listitem>
       <para>
        The access type describes what is actually happening with the
        security event. The options are <option>PERMITTING</option>,
        <option>REJECTING</option>, or <option>AUDITING</option>.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </sect3>
   <sect3 id="sec-apparmor-managing-config-reports-view-ess">
    <title>Executive Security Summary</title>
    <para>
     A combined report consisting of one or more high-level reports from one
     or more machines. This report can provide a single view of security
     events on multiple machines as long as each machine's data is copied to
     the report archive directory, which is
     <filename>/var/log/apparmor/reports-archived</filename>. One line of
     the ESS report represents a range of SIR reports.
    </para>

 fs: 2006-06-06: commented out for 11.0

    <informalfigure>
     <mediaobject>
      <textobject role="description"><phrase>Executive security
	 summary</phrase>
      </textobject>
      <imageobject role="fo">
       <imagedata fileref="reports_run_execsummary.png" width="75%"/>
      </imageobject>
      <imageobject role="html">
       <imagedata fileref="reports_run_execsummary.png" width="75%"
	/>
      </imageobject>
     </mediaobject>
    </informalfigure>

    <para>
     The following fields are provided in an executive security summary:
    </para>
    <variablelist>
     <varlistentry>
      <term>Host</term>
      <listitem>
       <para>
        The machine protected by &aa; for which the security events are
        reported.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Start Date</term>
      <listitem>
       <para>
        The first date in a range of dates during which security events are
        reported.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>End Date</term>
      <listitem>
       <para>
        The last date in a range of dates during which security events are
        reported.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Num Rejects</term>
      <listitem>
       <para>
        In the date range given, the total number of security events that
        are rejected access attempts.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Num Events</term>
      <listitem>
       <para>
        In the date range given, the total number of security events.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>Ave. Sev</term>
      <listitem>
       <para>
        This is the average of the severity levels reported in the date
        range given. Unknown severities are disregarded in this figure.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>High Sev</term>
      <listitem>
       <para>
        This is the severity of the highest severity event reported in the
        date range given.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </sect3>
  </sect2>

  <sect2 id="sec-apparmor-managing-config-reports-on-demand">
   <title>Run Now: Running On-Demand Reports</title>
   <para>
    The <guimenu>Run Now</guimenu> report feature enables you to instantly
    extract report information from the &aa; event logs without waiting for
    scheduled events. If you need help navigating to the main report screen,
    see
    <xref linkend="sec-apparmor-managing-config-reports"/>.
    Perform the following steps to run a report from the list of reports:
   </para>
   <procedure>
    <step>
     <para>
      Select the report to run instantly from the list of reports in the
      <guimenu>Schedule Reports</guimenu> window.
     </para>
    </step>
    <step>
     <para>
      Select <guimenu>Run Now</guimenu> or <guimenu>Next</guimenu>. The next
      screen is dependent on which report you selected in the previous step.
      As an example, select a security incident report.
     </para>
    </step>
    <step>
     <para>
      The <guimenu>Report Configuration Dialog</guimenu> opens for security
      incident reports.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Report Configuration</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="report_config.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="report_config.png" width="75%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      The <guimenu>Report Configuration Dialog</guimenu> enables you to
      filter the reports selected in the previous screen. Enter the desired
      filter details. The following filter options are available:
     </para>
     <variablelist>
      <varlistentry>
       <term>Date Range</term>
       <listitem>
        <para>
         To limit reports to a certain time period, select <guimenu>Filter
         By Date Range</guimenu>. Enter the start and end dates that
         determine the scope of the report.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Program Name</term>
       <listitem>
        <para>
         When you enter a program name or pattern that matches the name of
         the binary executable for the relevant program, the report displays
         security events that have occurred for that program only.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Profile Name</term>
       <listitem>
        <para>
         When you enter the name of the profile, the report displays the
         security events that are generated for the specified profile. You
         can use this to see what is confined by a specific profile.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>PID Number</term>
       <listitem>
        <para>
         A number that uniquely identifies one specific process or running
         program (this number is valid only during the lifetime of that
         process).
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Severity</term>
       <listitem>
        <para>
         Select the lowest severity level for security events to include in
         the report. The selected severity level and above are included in
         the reports.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Detail</term>
       <listitem>
        <para>
         A source to which the profile has denied access. This includes
         capabilities and files. You can use this field to report the
         resources to which profiles prevent access.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Access Type</term>
       <listitem>
        <para>
         The access type describes the action being taken with the security
         event. The options are <option>PERMITTING</option>,
         <option>REJECTING</option>, or <option>AUDITING</option>.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Mode</term>
       <listitem>
        <para>
         The mode is the permission that the profile grants to the program
         or process to which it is applied. The options are
         <option>r</option> (read), <option>w</option> (write),
         <option>l</option> (link), and <option>x</option> (execute).
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Export Type</term>
       <listitem>
        <para>
         Enables you to export a CSV (comma separated values) or HTML file.
         The CSV file separates pieces of data in the log entries with
         commas, using a standard data format for importing into
         table-oriented applications. Enter a path for your exported report
         by typing in the full path in the field provided.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Location to Store Log</term>
       <listitem>
        <para>
         Enables you to change the location that the exported report is
         stored. The default location is
         <filename>/var/log/apparmor/reports-exported</filename>. When you
         change this location, select <guimenu>Accept</guimenu>. Select
         <guimenu>Browse</guimenu> to browse the file system.
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
    <step>
     <para>
      To see the report, filtered as desired, select
      <guimenu>Next</guimenu>. One of the three reports displays.
     </para>
    </step>
   </procedure>
   <para>
    Refer the following sections for detailed information about each type of
    report.
   </para>
   <itemizedlist>
    <listitem>
     <para>
      For the application audit report, refer to
      <xref linkend="sec-apparmor-managing-config-reports-view-audit"/>.
     </para>
    </listitem>
    <listitem>
     <para>
      For the security incident report, refer to
      <xref linkend="sec-apparmor-managing-config-reports-view-sir"/>.
     </para>
    </listitem>
    <listitem>
     <para>
      For the executive summary report, refer to
      <xref linkend="sec-apparmor-managing-config-reports-view-ess"/>.
     </para>
    </listitem>
   </itemizedlist>
  </sect2>

  <sect2 id="sec-apparmor-managing-config-reports-new">
   <title>Adding New Reports</title>
   <para>
    Adding new reports enables you to create a scheduled security incident
    report that displays &aa; security events according to your preset
    filters. When a report is set up in <guimenu>Schedule Reports</guimenu>,
    it periodically launches a report of &aa; security events that have
    occurred on the system.
   </para>
   <para>
    You can configure a daily, weekly, monthly, or hourly report to run for
    a specified period. You can set the report to display rejections for
    certain severity levels or to filter by program name, profile name,
    severity level, or denied resources. This report can be exported to an
    HTML (Hypertext Markup Language) or CSV (Comma Separated Values) file
    format.
   </para>
   <note>
    <para>
     Return to the beginning of this section if you need help navigating to
     the main report screen (see
     <xref linkend="sec-apparmor-managing-config-reports"/>).
    </para>
   </note>
   <para>
    To add a new scheduled security incident report, proceed as follows:
   </para>
   <procedure>
    <step>
     <para>
      Click <guimenu>Add</guimenu> to create a new security incident report.
      The first page of <guimenu>Add Scheduled SIR</guimenu> opens.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Add scheduled SIR</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="reports_add_pg1.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="reports_add_pg1.png" width="75%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      Fill in the fields with the following filtering information, as
      necessary:
     </para>
     <variablelist>
      <varlistentry>
       <term>Report Name</term>
       <listitem>
        <para>
         Specify the name of the report. Use names that easily distinguish
         different reports.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Day of Month</term>
       <listitem>
        <para>
         Select any day of the month to activate monthly filtering in
         reports. If you select <literal>All</literal>, monthly filtering is
         not performed.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Day of Week</term>
       <listitem>
        <para>
         Select the day of the week on which to schedule weekly reports, if
         desired. If you select <literal>ALL</literal>, weekly filtering is
         not performed. If monthly reporting is selected, this field
         defaults to <literal>ALL</literal>.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Hour and Minute</term>
       <listitem>
        <para>
         Select the time. This specifies the hour and minute that you would
         like the reports to run. If you do not change the time, selected
         reports run at midnight. If neither month nor day of week are
         selected, the report runs daily at the specified time.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>E-Mail Target</term>
       <listitem>
        <para>
         You have the ability to send the scheduled security incident report
         via e-mail to up to three recipients. Enter the e-mail
         addresses for those who require the security incident information.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Export Type</term>
       <listitem>
        <para>
         This option enables you to export a CSV (comma separated values) or
         HTML file. The CSV file separates pieces of data in the log entries
         with commas using a standard data format for importing into
         table-oriented applications. Enter a path for your exported report
         by typing in the full path in the field provided.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Location to Store Log</term>
       <listitem>
        <para>
         Enables you to change the location where the exported report is
         stored. The default location is
         <filename>/var/log/apparmor/reports-exported</filename>. When you
         change this location, select <guimenu>Accept</guimenu>. Select
         <guimenu>Browse</guimenu> to browse the file system.
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
    <step>
     <para>
      Click <guimenu>Next</guimenu> to proceed to the second page of
      <guimenu>Add Scheduled SIR</guimenu>.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Add scheduled SIR, page 2</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="reports_add_pg2.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="reports_add_pg2.png" width="50%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      Fill in the fields with the following filtering information, as
      necessary:
     </para>
     <variablelist>
      <varlistentry>
       <term>Program Name</term>
       <listitem>
        <para>
         You can specify a program name or pattern that matches the name of
         the binary executable for the program of interest. The report
         displays security events that have occurred for the specified
         program only.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Profile Name</term>
       <listitem>
        <para>
         You can specify the name of the profile for which the report should
         display security events. You can use this to see what is being
         confined by a specific profile.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>PID Number</term>
       <listitem>
        <para>
         A number that uniquely identifies one specific process or running
         program (this number is valid only during the lifetime of that
         process).
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Detail</term>
       <listitem>
        <para>
         A source to which the profile has denied access. This includes
         capabilities and files. You can use this field to create a report
         of resources to which profiles prevent access.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Severity</term>
       <listitem>
        <para>
         Select the lowest severity level of security events to include in
         the report. The selected severity level and above are included in
         the reports.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Access Type</term>
       <listitem>
        <para>
         The access type describes the action being taken with the security
         event. The options are <option>PERMITTING</option>,
         <option>REJECTING</option>, or <option>AUDITING</option>.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Mode</term>
       <listitem>
        <para>
         The mode is the permission that the profile grants to the program
         or process to which it is applied. The options are
         <literal>r</literal> (read), <literal>w</literal> (write),
         <literal>l</literal> (link), and <literal>x</literal> (execute).
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
    <step>
     <para>
      Click <guimenu>Save</guimenu> to save this report. &aa; returns to
      the <guimenu>Scheduled Reports</guimenu> main window where the newly
      scheduled report appears in the list of reports.
     </para>
    </step>
   </procedure>
  </sect2>

  <sect2 id="sec-apparmor-managing-config-reports-edit">
   <title>Editing Reports</title>
   <para>
    From the &aa; <guimenu>Reports</guimenu> screen, you can select and edit
    a report. The three preconfigured reports (<emphasis>stock
    reports</emphasis>) cannot be edited or deleted.
   </para>
   <note>
    <para>
     Return to the beginning of this section if you need help navigating to
     the main report screen (see
     <xref linkend="sec-apparmor-managing-config-reports"/>).
    </para>
   </note>
   <para>
    Perform the following steps to modify a report from the list of reports:
   </para>
   <procedure>
    <step>
     <para>
      From the list of reports in the <guimenu>Schedule Reports</guimenu>
      window, select the report to edit. This example assumes that you have
      selected a security incident report.
     </para>
    </step>
    <step>
     <para>
      Click <guimenu>Edit</guimenu> to edit the security incident report.
      The first page of the <guimenu>Edit Scheduled SIR</guimenu> displays.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Edit scheduled SIR</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="reports_edit_pg1.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="reports_edit_pg1.png" width="75%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      Modify the following filtering information, as necessary:
     </para>
     <variablelist>
      <varlistentry>
       <term>Day of Month</term>
       <listitem>
        <para>
         Select any day of the month to activate monthly filtering in
         reports. If you select <literal>All</literal>, monthly filtering is
         not performed.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Day of Week</term>
       <listitem>
        <para>
         Select the day of the week on which to schedule the weekly reports.
         If you select <option>All</option>, weekly filtering is not
         performed. If monthly reporting is selected, this defaults to
         <option>All</option>.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Hour and Minute</term>
       <listitem>
        <para>
         Select the time. This specifies the hour and minute that you would
         like the reports to run. If you do not change the time, the
         selected report runs at midnight. If neither the day of the month
         nor day of the week is selected, the report runs daily at the
         specified time.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>E-Mail Target</term>
       <listitem>
        <para>
         You have the ability to send the scheduled security incident report
         via e-mail to up to three recipients. Enter the e-mail
         addresses for those who require the security incident information.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Export Type</term>
       <listitem>
        <para>
         This option enables you to export a CSV (comma separated values) or
         HTML file. The CSV file separates pieces of data in the log entries
         with commas, using a standard data format for importing into
         table-oriented applications. Enter a path for your exported report
         by typing the full path in the field provided.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Location to Store Log</term>
       <listitem>
        <para>
         Enables you to change the location where the exported report is
         stored. The default location is
         <filename>/var/log/apparmor/reports-exported</filename>. When you
         change this location, select <guimenu>Accept</guimenu>. Select
         <guimenu>Browse</guimenu> to browse the file system.
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
    <step>
     <para>
      Click <guimenu>Next</guimenu> to proceed to the next <guimenu>Edit
      Scheduled SIR</guimenu> page. The second page of <guimenu>Edit
      Scheduled Reports</guimenu> opens.
     </para>
     <informalfigure>
      <mediaobject>
       <textobject role="description"><phrase>Edit scheduled reports, page two</phrase>
       </textobject>
       <imageobject role="fo">
        <imagedata fileref="reports_edit_pg2.png" width="75%"/>
       </imageobject>
       <imageobject role="html">
        <imagedata fileref="reports_edit_pg2.png" width="50%"/>
       </imageobject>
      </mediaobject>
     </informalfigure>
    </step>
    <step>
     <para>
      Modify the fields with the following filtering information, as
      necessary:
     </para>
     <variablelist>
      <varlistentry>
       <term>Program Name</term>
       <listitem>
        <para>
         You can specify a program name or pattern that matches the name of
         the binary executable for the program of interest. The report
         displays security events that have occurred for the specified
         program only.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Profile Name</term>
       <listitem>
        <para>
         You can specify the name of the profile for which to display
         security events. You can use this to see what is being confined by
         a specific profile.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>PID Number</term>
       <listitem>
        <para>
         Process ID number is a number that uniquely identifies one specific
         process or running program (this number is valid only during the
         lifetime of that process).
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Detail</term>
       <listitem>
        <para>
         A source to which the profile has denied access. This includes
         capabilities and files. You can use this field to create a report
         of resources to which profiles prevent access.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Severity</term>
       <listitem>
        <para>
         Select the lowest severity level for security events to include in
         the report. The selected severity level and above are included in
         the reports.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Access Type</term>
       <listitem>
        <para>
         The access type describes the action being taken with the security
         event. The options are <option>PERMITTING</option>,
         <option>REJECTING</option>, or <option>AUDITING</option>.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Mode</term>
       <listitem>
        <para>
         The mode is the permission that the profile grants to the program
         or process to which it is applied. The options are
         <literal>r</literal> (read), <literal>w</literal> (write),
         <literal>l</literal> (link), and <literal>x</literal> (execute).
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
    <step>
     <para>
      Select <guimenu>Save</guimenu> to save the changes to this report.
      &aa; returns to the <guimenu>Scheduled Reports</guimenu> main window
      where the scheduled report appears in the list of reports.
     </para>
    </step>
   </procedure>
  </sect2>

  <sect2 id="sec-apparmor-managing-config-reports-del">
   <title>Deleting Reports</title>
   <para>
    <guimenu>Delete a Report</guimenu> enables you to permanently remove a
    report from the list of &aa; scheduled reports. To delete a report,
    follow these instructions:
   </para>
   <procedure>
    <step>
     <para>
      To remove a report from the list of reports, highlight the report and
      click <guimenu>Delete</guimenu>.
     </para>
    </step>
    <step>
     <para>
      From the confirmation pop-up, select <guimenu>Cancel</guimenu> if you
      do not want to delete the selected report. If you are sure you want to
      remove the report permanently from the list of reports, select
      <guimenu>Delete</guimenu>.
     </para>
    </step>
   </procedure>
  </sect2>
 </sect1>
-->
<!-- fs 2011-11-09 - see bnc #722915

Please make the section about aa-notify visible and expand it.
aa-notify does two things:
a) provide a summary of events (for example for a daily cronjob)
b) desktop notifications


 The Gnome desktop applet is obsolete. It was replaced by aa-notify, which can
 be started with:
    sudo DISPLAY=$DISPLAY /usr/sbin/aa-notify -p
 You also have to edit /etc/apparmor/notify.conf - change use_group to a group
 where your user is a member.

 BTW: the need for handing over $DISPLAY is caused by the very secure sudo
 config in openSUSE - it resets most environment variables. Maybe I get a more
 user-friendly way implemented upstream, but I'm afraid you'll always have to
 hand over $DISPLAY (or $DBUS_SESSION_BUS_ADDRESS) to
 aa-notify.
 Yes, I'm aware that this isn't a perfect solution, but it's the best I can
 offer for 12.1.

 <sect1 id="sec-apparmor-managing-dmon">
  <title>Configuring and Using the &aa; Desktop Monitor Applet</title>

  <para>
   The Linux audit framework contains a dispatcher that can send &aa; events
   to any consumer application via dbus. The &gnome; &aa; Desktop Monitor
   applet is one example of an application that gathers &aa; events via
   dbus. To configure audit to use the dbus dispatcher, set the
   dispatcher in your audit configuration in
   <filename>/etc/audit/auditd.conf</filename> to
   <literal>apparmor-dbus</literal> and restart auditd:
  </para>

<screen>dispatcher=/usr/bin/apparmor-dbus
</screen>

  <para>
   Once the dbus dispatcher is configured correctly, add the &aa; Desktop
   Monitor to the &gnome; panel by right-clicking the panel and selecting
   <menuchoice> <guimenu>Add to Panel</guimenu> <guimenu>&aa; Desktop
   Monitor</guimenu> </menuchoice>. As soon as a <literal>REJECT</literal>
   event is logged, the applet's panel icon changes appearance and you can
   click the applet to see the number of reject events per confined
   application. To view the exact log messages, refer to the audit log under
   <filename>/var/log/audit/audit.log</filename>. React to any
   <literal>REJECT</literal> events as described in
   <xref linkend="sec-apparmor-managing-react"/>.
  </para>
 </sect1>
-->
 <sect1 xml:id="sec-apparmor-managing-react">
  <title>Reacting to Security Event Rejections</title>

  <para>
   When you receive a security event rejection, examine the access violation
   and determine if that event indicated a threat or was part of normal
   application behavior. Application-specific knowledge is required to make
   the determination. If the rejected action is part of normal application
   behavior, run <command>aa-logprof</command> at the command line.
  </para>

  <para>
   If the rejected action is not part of normal application behavior, this
   access should be considered a possible intrusion attempt (that was
   prevented) and this notification should be passed to the person
   responsible for security within your organization.
  </para>
 </sect1>
 <sect1 xml:id="sec-apparmor-managing-maintain">
  <title>Maintaining Your Security Profiles</title>

  <para>
   In a production environment, you should plan on maintaining profiles for
   all of the deployed applications. The security policies are an integral
   part of your deployment. You should plan on taking steps to back up and
   restore security policy files, plan for software changes, and allow any
   needed modification of security policies that your environment dictates.
  </para>

  <sect2 xml:id="sec-apparmor-managing-maintain-backup">
   <title>Backing Up Your Security Profiles</title>
   <para>
    Backing up profiles might save you from having to re-profile all your
    programs after a disk crash. Also, if profiles are changed, you can
    easily restore previous settings by using the backed up files.
   </para>
   <para>
    Back up profiles by copying the profile files to a specified directory.
   </para>
   <procedure>
    <step>
     <para>
      You should first archive the files into one file. To do this, open a
      terminal window and enter the following as &rootuser;:
     </para>
<screen>tar zclpf profiles.tgz /etc/apparmor.d</screen>
     <para>
      The simplest method to ensure that your security policy files are
      regularly backed up is to include the directory
      <filename>/etc/apparmor.d</filename> in the list of directories that
      your backup system archives.
     </para>
    </step>
    <step>
     <para>
      You can also use <command>scp</command> or a file manager like
      Nautilus to store the files on some kind of storage media, the
      network, or another computer.
     </para>
    </step>
   </procedure>
  </sect2>

  <sect2 xml:id="sec-apparmor-managing-maintain-change">
   <title>Changing Your Security Profiles</title>
   <para>
    Maintenance of security profiles includes changing them if you decide
    that your system requires more or less security for its applications. To
    change your profiles in &aa;, refer to
    <xref linkend="sec-apparmor-yast-edit"/>.
   </para>
  </sect2>

  <sect2 xml:id="sec-apparmor-managing-maintain-change-new-software">
   <title>Introducing New Software into Your Environment</title>
   <para>
    When you add a new application version or patch to your system, you
    should always update the profile to fit your needs. You have several
    options, depending on your company's software deployment strategy. You
    can deploy your patches and upgrades into a test or production
    environment. The following explains how to do this with each method.
   </para>
   <para>
    If you intend to deploy a patch or upgrade in a test environment, the
    best method for updating your profiles is to run
    <command>aa-logprof</command> in a terminal as &rootuser;. For
    detailed instructions, refer to
    <xref linkend="sec-apparmor-commandline-profiling-summary-logprof"/>.
   </para>
   <para>
    If you intend to deploy a patch or upgrade directly into a production
    environment, the best method for updating your profiles is to monitor
    the system frequently to determine if any new rejections should be added
    to the profile and update as needed using <command>aa-logprof</command>.
    For detailed instructions, refer to
    <xref linkend="sec-apparmor-commandline-profiling-summary-logprof"/>.
   </para>
  </sect2>
 </sect1>
</chapter>