apparmor.d/docs/usage.md
2023-10-21 00:13:30 +01:00

4.7 KiB

title
Usage

Enabled profiles

Once installed and with the rules enabled, you can ensure the rules are loaded with:

sudo aa-status

It should give something like:

apparmor module is loaded.
1613 profiles are loaded.
1050 profiles are in enforce mode.
   ...
563 profiles are in complain mode.
   ...
0 profiles are in kill mode.
0 profiles are in unconfined mode.
170 processes have profiles defined.
140 processes are in enforce mode.
   ...
30 processes are in complain mode.
   ...
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

You can also list the current processes alongside with their security profile with:

ps auxZ

Most of the processes should then be confined:

unconfined                      root        /usr/lib/systemd/systemd --switched-root --system --deserialize 33
systemd-udevd (complain)        root        /usr/lib/systemd/systemd-udevd
systemd-journald (complain)     root        /usr/lib/systemd/systemd-journald
rngd (complain)                 root        /usr/bin/rngd -f
systemd-timesyncd (complain)    systemd+    /usr/lib/systemd/systemd-timesyncd
auditd (complain)               root        /sbin/auditd
acpid (complain)                root        /usr/bin/acpid --foreground --netlink
dbus-daemon (complain)          dbus        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
power-profiles-daemon (complain) root       /usr/lib/power-profiles-daemon
systemd-logind (complain)       root        /usr/lib/systemd/systemd-logind
systemd-machined (complain)     root        /usr/lib/systemd/systemd-machined
NetworkManager (complain)       root        /usr/bin/NetworkManager --no-daemon
polkitd (complain)              polkitd     /usr/lib/polkit-1/polkitd --no-debug
gdm (complain)                  root        /usr/bin/gdm
accounts-daemon (complain)      root        /usr/lib/accounts-daemon
rtkit-daemon (complain)         rtkit       /usr/lib/rtkit-daemon
packagekitd (complain)          root        /usr/lib/packagekitd
colord (complain)               colord      /usr/lib/colord
unconfined                      user        /usr/lib/systemd/systemd --user
unconfined                      user        (sd-pam)
gdm-wayland-session (complain)  user        /usr/lib/gdm-wayland-session /usr/bin/gnome-session
gnome-session-binary (complain) user        /usr/lib/gnome-session-binary
gnome-session-ctl (complain)    user        /usr/lib/gnome-session-ctl --monitor
gnome-session-binary (complain) user        /usr/lib/gnome-session-binary --systemd-service --session=gnome
gnome-shell (complain)          user        /usr/bin/gnome-shell
...
ps (complain)                   user        ps auxZ

??? info "Hide the kernel thread in ps"

To hide the kernel thread in `ps` use `ps auxZ | grep -v '\[.*\]'`. You can
add an alias in your shell:
```sh
alias p="ps auxZ | grep -v '\[.*\]'"
```

AppArmor Log

Ensure that auditd is installed and running on your system in order to read AppArmor log from /var/log/audit/audit.log. Then you can see the log with the provided command aa-log allowing you to review AppArmor generated messages in a colorful way.

Other AppArmor userspace tools such as aa-enforce, aa-complain, and aa-logprof should work as expected.

Basic use

To read the AppArmor log from /var/log/audit/audit.log:

aa-log

To optionally filter a given profile name: aa-log <profile-name> (your shell will autocomplete the profile name):

aa-log dnsmasq
DENIED  dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
DENIED  dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
DENIED  dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r

!!! info

Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1`
parses `/var/log/audit/audit.log.1`.

Help

aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile]

    Review AppArmor generated messages in a colorful way. Supports logs from
    auditd, systemd, syslog as well as dbus session events.

    It can be given an optional profile name to filter the output with.

    Default logs are read from '/var/log/audit/audit.log'. Other files in 
    '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' 

Options:
    -h, --help         Show this help message and exit.
    -f, --file FILE    Set a logfile or a suffix to the default log file.
    -s, --systemd      Parse systemd logs from journalctl.
    -r, --rules        Convert the log into AppArmor rules.
    -R, --raw          Print the raw log without any formatting.