How to use the command 'aa-status' (with examples)
AppArmor is a Linux security module that allows implementing access control policies to restrict the capabilities of individual programs. The aa-status command is used to list currently loaded AppArmor modules and provides information about the loaded policies.
Use case 1: Check status
Code:
sudo aa-status
Motivation: This use case is useful when you want to check the status of the currently loaded AppArmor modules. It allows you to verify whether AppArmor is active and working as expected on your system.
Explanation: The command sudo aa-status is used to check the overall status of AppArmor. It displays information about the AppArmor profiles, including the number of loaded enforcing, non-enforcing, and complaining policies.
Example output:
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/bin/evince_index.desktop
...
Use case 2: Display the number of loaded policies
Code:
sudo aa-status --profiled
Motivation: This use case is beneficial when you want to know the number of loaded AppArmor policies on your system. It helps give you an overview of the level of security enforced by AppArmor.
Explanation: The command sudo aa-status --profiled displays the number of loaded policies. It only counts the policies that are currently profiled and being enforced.
Example output:
14 profiles are loaded.
Use case 3: Display the number of loaded enforcing policies
Code:
sudo aa-status --enforced
Motivation: This use case is handy when you specifically want to know the number of loaded policies that are currently enforced. It helps to understand the level of restrictions imposed by AppArmor on running processes.
Explanation: The command sudo aa-status --enforced displays the number of loaded policies that are being enforced. These policies define the security restrictions for specific programs or processes.
Example output:
14 profiles are loaded.
14 profiles are in enforce mode.
Use case 4: Display the number of loaded non-enforcing policies
Code:
sudo aa-status --complaining
Motivation: This use case is useful when you want to identify the number of loaded policies that are not being enforced. Non-enforcing policies can be helpful during the development or testing phase of an application.
Explanation: The command sudo aa-status --complaining shows the number of loaded policies that are not in enforce mode but are still complaining. These policies provide runtime information about the accesses being performed by an application.
Example output:
0 profiles are loaded.
Use case 5: Display the number of loaded enforcing policies that kill tasks
Code:
sudo aa-status --kill
Motivation: This use case is important when you want to determine the number of loaded enforcing policies that have been configured to kill tasks instantly if an access violation occurs. These policies help to prevent unauthorized actions.
Explanation: The command sudo aa-status --kill lists the number of loaded enforcing policies that have the ability to terminate processes or tasks immediately if they violate the security restrictions imposed by the policy.
Example output:
0 profiles are loaded.
Conclusion
The aa-status command is a handy tool for managing and monitoring AppArmor security profiles. It allows you to check the status of loaded profiles and provides information about the number of loaded policies, both enforcing and non-enforcing. Understanding the output of the aa-status command helps in identifying potential security risks or misconfigurations related to AppArmor profiles.
