--- title: Usage --- ## Enabled profiles Once installed and with the rules enabled, you can ensure the rules are loaded with: ```sh sudo aa-status ``` It should give something like: ``` apparmor module is loaded. 1613 profiles are loaded. 1050 profiles are in enforce mode. ... 563 profiles are in complain mode. ... 0 profiles are in kill mode. 0 profiles are in unconfined mode. 170 processes have profiles defined. 140 processes are in enforce mode. ... 30 processes are in complain mode. ... 0 processes are in prompt mode. 0 processes are in kill mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. ``` You can also list the current processes alongside with their security profile with: ```sh ps auxZ ``` Most of the processes should then be confined: ``` unconfined root /usr/lib/systemd/systemd --switched-root --system --deserialize 33 systemd-udevd (complain) root /usr/lib/systemd/systemd-udevd systemd-journald (complain) root /usr/lib/systemd/systemd-journald rngd (complain) root /usr/bin/rngd -f systemd-timesyncd (complain) systemd+ /usr/lib/systemd/systemd-timesyncd auditd (complain) root /sbin/auditd acpid (complain) root /usr/bin/acpid --foreground --netlink dbus-daemon (complain) dbus /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only power-profiles-daemon (complain) root /usr/lib/power-profiles-daemon systemd-logind (complain) root /usr/lib/systemd/systemd-logind systemd-machined (complain) root /usr/lib/systemd/systemd-machined NetworkManager (complain) root /usr/bin/NetworkManager --no-daemon polkitd (complain) polkitd /usr/lib/polkit-1/polkitd --no-debug gdm (complain) root /usr/bin/gdm accounts-daemon (complain) root /usr/lib/accounts-daemon rtkit-daemon (complain) rtkit /usr/lib/rtkit-daemon packagekitd (complain) root /usr/lib/packagekitd colord (complain) colord /usr/lib/colord unconfined user /usr/lib/systemd/systemd --user unconfined user (sd-pam) gdm-wayland-session (complain) user /usr/lib/gdm-wayland-session /usr/bin/gnome-session gnome-session-binary (complain) user /usr/lib/gnome-session-binary gnome-session-ctl (complain) user /usr/lib/gnome-session-ctl --monitor gnome-session-binary (complain) user /usr/lib/gnome-session-binary --systemd-service --session=gnome gnome-shell (complain) user /usr/bin/gnome-shell ... ps (complain) user ps auxZ ``` ??? info "Hide the kernel thread in `ps`" To hide the kernel thread in `ps` use `ps auxZ | grep -v '\[.*\]'`. You can add an alias in your shell: ```sh alias p="ps auxZ | grep -v '\[.*\]'" ``` ## AppArmor Log Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colourful way. Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). ### Basic use To read the AppArmor log from `/var/log/audit/audit.log`: ```sh $ aa-log ``` To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): ``` $ aa-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r ``` To generate AppArmor rule: ```sh $ aa-log -r dnsmasq profile dnsmasq { @{PROC}/@{pid}/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, } ``` !!! info Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1` parses `/var/log/audit/audit.log.1`. ### Help ``` aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] Review AppArmor generated messages in a colorful way. Supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. Default logs are read from '/var/log/audit/audit.log'. Other files in '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. -f, --file FILE Set a logfile or a suffix to the default log file. -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. ```