At a minimum, the audit system should collect any execution attempt of the apparmor_parser command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
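As an added check (not part of the guide itself), the following POSIX shell script verifies that one of the two rule locations named above actually carries a rule with every field of the apparmor_parser rule. auditctl does not care about the order of -F fields, so each field is matched on its own rather than comparing the whole line verbatim; the function and file names are this example's own.

```shell
#!/bin/sh
# Return 0 if FILE holds an active (non-comment) "-a always,exit" rule that
# records executions of /sbin/apparmor_parser by real users (auid>=1000,
# auid!=unset) and tags it with a key; return 1 otherwise.
# Field order within an audit rule is not significant, so each required
# "-F" field is checked independently.
has_apparmor_parser_rule() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -E '^[[:space:]]*-a[[:space:]]+always,exit' "$file" \
      | grep -F -- '-F path=/sbin/apparmor_parser' \
      | grep -F -- '-F perm=x' \
      | grep -F -- '-F auid>=1000' \
      | grep -F -- '-F auid!=unset' \
      | grep -q -E -- '-F key=|-k '
}

# Check the locations used by the two startup modes described above:
# augenrules reads /etc/audit/rules.d/*.rules, auditctl reads
# /etc/audit/audit.rules. Prints where the rule was found, or fails.
check_system() {
    for f in /etc/audit/rules.d/*.rules /etc/audit/audit.rules; do
        if [ -e "$f" ] && has_apparmor_parser_rule "$f"; then
            echo "apparmor_parser execution rule found in $f"
            return 0
        fi
    done
    echo "no apparmor_parser execution rule found" >&2
    return 1
}
```

Run check_system on the host being assessed; a non-zero exit means the rule is missing from both locations (or present but incomplete, e.g. lacking the auid filters).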