| openSUSE-Dokumentation Chapter 2. Profile Components and Syntax / 2.10. Auditing Rules | ||||
|---|---|---|---|---|
 | 2.9. Resource Limit Control | Chapter 3. AppArmor Profile Repositories |  | |
| openSUSE-Dokumentation Chapter 2. Profile Components and Syntax / 2.10. Auditing Rules | ||||
|---|---|---|---|---|
| 2.9. Resource Limit Control | Chapter 3. AppArmor Profile Repositories | | |
AppArmor provides the ability to audit given rules so that when they are
matched an audit message will appear in the audit log. To enable audit
messages for a given rule the audit keyword is
prepended to the rule:
audit /etc/foo/* rw,
If it is desirable to audit only a given permission the rule can be split into two rules. The following example will result in audit messages when files are opened for writing, but not when they are opened for just reading:
audit /etc/foo/* w, /etc/foo/* r,
![[Note]](admon/note.png) | |
Audit messages are not generated for every read or write of a file but only when a file is opened for read or write. | |
Audit control can be combined with owner conditional file rules to provide auditing when a user access files they own (at the moment it is not possible to audit files they don't own):
audit owner /home/*/.ssh/** rw,
