apparmor.d/docs/usage.md

---
title: Usage
---

## Enabled profiles

Once installed and with the rules enabled, you can ensure the rules are loaded with:
```sh
sudo aa-status
```

It should give something like:
```
apparmor module is loaded.
1613 profiles are loaded.
1050 profiles are in enforce mode.
   ...
563 profiles are in complain mode.
   ...
0 profiles are in kill mode.
0 profiles are in unconfined mode.
170 processes have profiles defined.
140 processes are in enforce mode.
   ...
30 processes are in complain mode.
   ...
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
```

You can also list the current processes alongside with their security profile with:
```sh
ps auxZ
```

Most of the processes should then be confined:
```
unconfined                      root        /usr/lib/systemd/systemd --switched-root --system --deserialize 33
systemd-udevd (complain)        root        /usr/lib/systemd/systemd-udevd
systemd-journald (complain)     root        /usr/lib/systemd/systemd-journald
rngd (complain)                 root        /usr/bin/rngd -f
systemd-timesyncd (complain)    systemd+    /usr/lib/systemd/systemd-timesyncd
auditd (complain)               root        /sbin/auditd
acpid (complain)                root        /usr/bin/acpid --foreground --netlink
dbus-daemon (complain)          dbus        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
power-profiles-daemon (complain) root       /usr/lib/power-profiles-daemon
systemd-logind (complain)       root        /usr/lib/systemd/systemd-logind
systemd-machined (complain)     root        /usr/lib/systemd/systemd-machined
NetworkManager (complain)       root        /usr/bin/NetworkManager --no-daemon
polkitd (complain)              polkitd     /usr/lib/polkit-1/polkitd --no-debug
gdm (complain)                  root        /usr/bin/gdm
accounts-daemon (complain)      root        /usr/lib/accounts-daemon
rtkit-daemon (complain)         rtkit       /usr/lib/rtkit-daemon
packagekitd (complain)          root        /usr/lib/packagekitd
colord (complain)               colord      /usr/lib/colord
unconfined                      user        /usr/lib/systemd/systemd --user
unconfined                      user        (sd-pam)
gdm-wayland-session (complain)  user        /usr/lib/gdm-wayland-session /usr/bin/gnome-session
gnome-session-binary (complain) user        /usr/lib/gnome-session-binary
gnome-session-ctl (complain)    user        /usr/lib/gnome-session-ctl --monitor
gnome-session-binary (complain) user        /usr/lib/gnome-session-binary --systemd-service --session=gnome
gnome-shell (complain)          user        /usr/bin/gnome-shell
...
ps (complain)                   user        ps auxZ
```

??? info "Hide the kernel thread in `ps`"

    To hide the kernel thread in `ps` use `ps auxZ | grep -v '\[.*\]'`. You can
    add an alias in your shell:
    ```sh
    alias p="ps auxZ | grep -v '\[.*\]'"
    ```


## AppArmor Log

Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way.

Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected.


### Basic use

To read the AppArmor log from `/var/log/audit/audit.log`:
```sh
$ aa-log
```

To optionally filter a given profile name: `aa-log <profile-name>` (your shell will autocomplete the profile name):
```
$ aa-log dnsmasq
DENIED  dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
DENIED  dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
DENIED  dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
```

To generate AppArmor rule:
```sh
$ aa-log -r dnsmasq
profile dnsmasq {
  @{PROC}/@{pid}/environ r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
}
```

!!! info

    Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1`
    parses `/var/log/audit/audit.log.1`.


### Help

```
aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile]

    Review AppArmor generated messages in a colorful way. Supports logs from
    auditd, systemd, syslog as well as dbus session events.

    It can be given an optional profile name to filter the output with.

    Default logs are read from '/var/log/audit/audit.log'. Other files in 
    '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' 

Options:
    -h, --help         Show this help message and exit.
    -f, --file FILE    Set a logfile or a suffix to the default log file.
    -s, --systemd      Parse systemd logs from journalctl.
    -r, --rules        Convert the log into AppArmor rules.
    -R, --raw          Print the raw log without any formatting.
```
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`---`
			`title: Usage`
			`---`

			`## Enabled profiles`

doc: cosmetic. 2023-09-19 20:18:15 +02:00			`Once installed and with the rules enabled, you can ensure the rules are loaded with:`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			```sh
			`sudo aa-status`
			```

			`It should give something like:`
			```
			`apparmor module is loaded.`
doc: minor improvments. 2023-10-21 01:13:30 +02:00			`1613 profiles are loaded.`
			`1050 profiles are in enforce mode.`
			`...`
			`563 profiles are in complain mode.`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`...`
			`0 profiles are in kill mode.`
			`0 profiles are in unconfined mode.`
doc: minor improvments. 2023-10-21 01:13:30 +02:00			`170 processes have profiles defined.`
			`140 processes are in enforce mode.`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`...`
doc: minor improvments. 2023-10-21 01:13:30 +02:00			`30 processes are in complain mode.`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`...`
			`0 processes are unconfined but have a profile defined.`
			`0 processes are in mixed mode.`
			`0 processes are in kill mode.`
			```

			`You can also list the current processes alongside with their security profile with:`
			```sh
			`ps auxZ`
			```

			`Most of the processes should then be confined:`
			```
			`unconfined root /usr/lib/systemd/systemd --switched-root --system --deserialize 33`
			`systemd-udevd (complain) root /usr/lib/systemd/systemd-udevd`
			`systemd-journald (complain) root /usr/lib/systemd/systemd-journald`
			`rngd (complain) root /usr/bin/rngd -f`
			`systemd-timesyncd (complain) systemd+ /usr/lib/systemd/systemd-timesyncd`
			`auditd (complain) root /sbin/auditd`
			`acpid (complain) root /usr/bin/acpid --foreground --netlink`
			`dbus-daemon (complain) dbus /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only`
			`power-profiles-daemon (complain) root /usr/lib/power-profiles-daemon`
			`systemd-logind (complain) root /usr/lib/systemd/systemd-logind`
			`systemd-machined (complain) root /usr/lib/systemd/systemd-machined`
			`NetworkManager (complain) root /usr/bin/NetworkManager --no-daemon`
			`polkitd (complain) polkitd /usr/lib/polkit-1/polkitd --no-debug`
			`gdm (complain) root /usr/bin/gdm`
			`accounts-daemon (complain) root /usr/lib/accounts-daemon`
			`rtkit-daemon (complain) rtkit /usr/lib/rtkit-daemon`
			`packagekitd (complain) root /usr/lib/packagekitd`
			`colord (complain) colord /usr/lib/colord`
			`unconfined user /usr/lib/systemd/systemd --user`
			`unconfined user (sd-pam)`
			`gdm-wayland-session (complain) user /usr/lib/gdm-wayland-session /usr/bin/gnome-session`
			`gnome-session-binary (complain) user /usr/lib/gnome-session-binary`
			`gnome-session-ctl (complain) user /usr/lib/gnome-session-ctl --monitor`
			`gnome-session-binary (complain) user /usr/lib/gnome-session-binary --systemd-service --session=gnome`
			`gnome-shell (complain) user /usr/bin/gnome-shell`
			`...`
			`ps (complain) user ps auxZ`
			```

			??? info "Hide the kernel thread in `ps`"

			To hide the kernel thread in `ps` use `ps auxZ \| grep -v '\[.*\]'`. You can
			`add an alias in your shell:`
			```sh
			`alias p="ps auxZ \| grep -v '\[.*\]'"`
			```


			`## AppArmor Log`

usage - Fix capitalisation 2024-06-07 21:32:24 +02:00			Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way.
docs: initial documentation website. 2023-01-29 22:18:22 +01:00
doc: cosmetic. 2023-09-19 20:18:15 +02:00			Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected.
docs: initial documentation website. 2023-01-29 22:18:22 +01:00

			`### Basic use`

			To read the AppArmor log from `/var/log/audit/audit.log`:
			```sh
doc: improve documentation. 2024-06-03 20:06:02 +02:00			`$ aa-log`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			```

doc: minor update. 2023-02-11 20:00:14 +01:00			To optionally filter a given profile name: `aa-log <profile-name>` (your shell will autocomplete the profile name):
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			```
doc: improve documentation. 2024-06-03 20:06:02 +02:00			`$ aa-log dnsmasq`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r`
			`DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r`
			`DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r`
			```

doc: improve documentation. 2024-06-03 20:06:02 +02:00			`To generate AppArmor rule:`
			```sh
			`$ aa-log -r dnsmasq`
			`profile dnsmasq {`
			`@{PROC}/@{pid}/environ r,`
			`@{PROC}/cmdline r,`
			`@{PROC}/sys/kernel/osrelease r,`
			`}`
			```

docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`!!! info`

			Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1`
			parses `/var/log/audit/audit.log.1`.


			`### Help`

			```
doc: minor improvments. 2023-10-21 01:13:30 +02:00			`aa-log [-h] [--systemd] [--file file] [--rules \| --raw] [profile]`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00
docs: update aa-log help message. 2023-03-07 19:30:57 +01:00			`Review AppArmor generated messages in a colorful way. Supports logs from`
			`auditd, systemd, syslog as well as dbus session events.`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00
docs: update aa-log help message. 2023-03-07 19:30:57 +01:00			`It can be given an optional profile name to filter the output with.`

			`Default logs are read from '/var/log/audit/audit.log'. Other files in`
			`'/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1'`

			`Options:`
			`-h, --help Show this help message and exit.`
			`-f, --file FILE Set a logfile or a suffix to the default log file.`
			`-s, --systemd Parse systemd logs from journalctl.`
doc: update variables ref & minor improvment. 2023-08-19 15:32:08 +02:00			`-r, --rules Convert the log into AppArmor rules.`
doc: minor improvments. 2023-10-21 01:13:30 +02:00			`-R, --raw Print the raw log without any formatting.`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			```