Usage
Enabled profiles¶
Once installed and with the rules enabled, you can ensure the rules are loaded with:
It should give something like:
apparmor module is loaded.
1613 profiles are loaded.
1050 profiles are in enforce mode.
...
563 profiles are in complain mode.
...
0 profiles are in kill mode.
0 profiles are in unconfined mode.
170 processes have profiles defined.
140 processes are in enforce mode.
...
30 processes are in complain mode.
...
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
You can also list the current processes alongside with their security profile with:
Most of the processes should then be confined:
unconfined root /usr/lib/systemd/systemd --switched-root --system --deserialize 33
systemd-udevd (complain) root /usr/lib/systemd/systemd-udevd
systemd-journald (complain) root /usr/lib/systemd/systemd-journald
rngd (complain) root /usr/bin/rngd -f
systemd-timesyncd (complain) systemd+ /usr/lib/systemd/systemd-timesyncd
auditd (complain) root /sbin/auditd
acpid (complain) root /usr/bin/acpid --foreground --netlink
dbus-daemon (complain) dbus /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
power-profiles-daemon (complain) root /usr/lib/power-profiles-daemon
systemd-logind (complain) root /usr/lib/systemd/systemd-logind
systemd-machined (complain) root /usr/lib/systemd/systemd-machined
NetworkManager (complain) root /usr/bin/NetworkManager --no-daemon
polkitd (complain) polkitd /usr/lib/polkit-1/polkitd --no-debug
gdm (complain) root /usr/bin/gdm
accounts-daemon (complain) root /usr/lib/accounts-daemon
rtkit-daemon (complain) rtkit /usr/lib/rtkit-daemon
packagekitd (complain) root /usr/lib/packagekitd
colord (complain) colord /usr/lib/colord
unconfined user /usr/lib/systemd/systemd --user
unconfined user (sd-pam)
gdm-wayland-session (complain) user /usr/lib/gdm-wayland-session /usr/bin/gnome-session
gnome-session-binary (complain) user /usr/lib/gnome-session-binary
gnome-session-ctl (complain) user /usr/lib/gnome-session-ctl --monitor
gnome-session-binary (complain) user /usr/lib/gnome-session-binary --systemd-service --session=gnome
gnome-shell (complain) user /usr/bin/gnome-shell
...
ps (complain) user ps auxZ
Hide the kernel thread in ps
To hide the kernel thread in ps
use ps auxZ | grep -v '\[.*\]'
. You can add an alias in your shell:
AppArmor Log¶
Ensure that Auditd
is installed and running on your system in order to read AppArmor log from /var/log/audit/audit.log
. Then you can see the log with the provided command aa-log
allowing you to review AppArmor generated messages in a colourful way.
Other AppArmor userspace tools such as aa-enforce
, aa-complain
, and aa-logprof
should work as expected. You can also configure a desktop notification on denied actions.
Basic use¶
To read the AppArmor log from /var/log/audit/audit.log
:
To optionally filter a given profile name: aa-log <profile-name>
(your shell will autocomplete the profile name):
$ aa-log dnsmasq
DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
To generate AppArmor rule:
$ aa-log -r dnsmasq
profile dnsmasq {
@{PROC}/@{pid}/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
}
Info
Other logs file in /var/log/audit/
can easily be checked: aa-log -f 1
parses /var/log/audit/audit.log.1
.
Help¶
aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile]
Review AppArmor generated messages in a colorful way. Supports logs from
auditd, systemd, syslog as well as dbus session events.
It can be given an optional profile name to filter the output with.
Default logs are read from '/var/log/audit/audit.log'. Other files in
'/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1'
Options:
-h, --help Show this help message and exit.
-f, --file FILE Set a logfile or a suffix to the default log file.
-s, --systemd Parse systemd logs from journalctl.
-r, --rules Convert the log into AppArmor rules.
-R, --raw Print the raw log without any formatting.