aa-audit
Set an AppArmor security profile to audit mode
TLDR
Set a profile to audit mode
Set multiple profiles to audit mode
Set a profile to audit mode from a specific directory
Force audit mode even if already applied
Set a profile to audit mode without reloading it
Remove audit mode for a profile
Display help
SYNOPSIS
aa-audit [OPTIONS] <program> [<program> ...]
Each <program> is the executable whose profile should be changed (for example /usr/bin/example); aa-audit locates the matching profile file in the profile directory, edits its header flags and, unless told otherwise, reloads it into the kernel.
PARAMETERS
-d, --dir <path>
Look for profiles in <path> instead of the default profile directory (/etc/apparmor.d).
-r, --remove
Remove the audit flag from the profile instead of adding it, returning it to whatever mode its remaining flags specify.
--no-reload
Edit the profile file but do not reload it into the kernel. The policy the kernel enforces is unchanged until the profile is reloaded, for example with apparmor_parser -r on the profile file.
-f, --force
Reapply audit mode even when the profile already carries the audit flag (this is the option the TLDR entry above refers to). Not every AppArmor release provides it; confirm with aa-audit --help on the installed version before relying on it.
-h, --help
Display a brief help message and exit.
DESCRIPTION
aa-audit is one of the profile-management utilities shipped with AppArmor, the Linux security module that confines programs with per-program profiles. It switches one or more profiles into audit mode by adding audit to the flags=(...) clause of the profile header in the profile directory and, unless --no-reload is given, reloading the profile into the kernel.

Audit mode is not a relaxed mode and is not complain mode. The policy stays enforced exactly as in enforce mode; what changes is logging. Every access the profile permits is recorded as a kernel log event carrying apparmor="AUDIT", in addition to the denials (apparmor="DENIED") that are logged anyway. Setting the flag on the whole profile has the same effect as prefixing every rule in it with the audit qualifier, which is the alternative when only a few rules need this level of detail.

The mode is useful late in profile development, when the profile is already enforced and you want the complete set of accesses a confined program actually makes: for spotting rules that are broader than the program needs before the profile is trusted in production, or for obtaining a full access record of a suspicious program without loosening its confinement. Because every permitted access produces a log line, audit mode is noisy and should be temporary; remove the flag with aa-audit -r once the review is done. To stop enforcing while collecting denials for aa-logprof, use aa-complain instead; aa-enforce sets enforce mode.
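The log verdicts described above, as an added example that is not part of this page's original text or of AppArmor's own tooling: a POSIX shell script that classifies AppArmor kernel log lines for one profile by their apparmor= field, lists the paths an audit-mode profile permitted (the list you compare against the profile's rules when tightening it) and the operations it denied (confirming enforcement held). The log lines, profile names, paths and pids are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not AppArmor's own code: classify AppArmor kernel log lines
# by the apparmor= verdict field. With a profile in audit mode, accesses the
# policy permits are logged as apparmor="AUDIT"; denials are apparmor="DENIED";
# a profile in complain mode logs its would-be denials as apparmor="ALLOWED".
# SAMPLE_LOG is constructed for this example, not captured from a real host.

SAMPLE_LOG='type=AVC msg=audit(1700000000.101:201): apparmor="AUDIT" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=1201 comm="example" requested_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="AUDIT" operation="open" profile="/usr/bin/example" name="/var/lib/example/state" pid=1201 comm="example" requested_mask="wr" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:203): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1201 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="capable" profile="/usr/bin/example" pid=1201 comm="example" capability=12 capname="net_admin"
type=AVC msg=audit(1700000000.105:205): apparmor="ALLOWED" operation="exec" profile="/usr/bin/other" name="/usr/bin/curl" pid=1300 comm="other" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'

# verdict_counts PROFILE: print "AUDIT DENIED ALLOWED" counts for one profile.
verdict_counts() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v prof="$1" '
        $0 ~ ("profile=\"" prof "\"") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^apparmor=/) { gsub(/apparmor=|"/, "", $i); n[$i]++ }
        }
        END { printf "%d %d %d\n", n["AUDIT"], n["DENIED"], n["ALLOWED"] }'
}

# audited_names PROFILE: the name= targets of permitted (AUDIT) accesses,
# one per line. This is the list to compare against the profile's rules.
audited_names() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v prof="$1" '
        /apparmor="AUDIT"/ && $0 ~ ("profile=\"" prof "\"") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^name=/) { gsub(/name=|"/, "", $i); print $i }
        }'
}

# denied_ops PROFILE: the operation= of each denial, one per line; a non-empty
# list while the profile is in audit mode shows that enforcement is still on.
denied_ops() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v prof="$1" '
        /apparmor="DENIED"/ && $0 ~ ("profile=\"" prof "\"") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^operation=/) { gsub(/operation=|"/, "", $i); print $i }
        }'
}

printf '%s: AUDIT DENIED ALLOWED = %s\n' /usr/bin/example "$(verdict_counts /usr/bin/example)"
printf 'permitted and logged by the profile:\n'
audited_names /usr/bin/example
printf 'still denied:\n'
denied_ops /usr/bin/example
```

On a real host the same functions work on the output of journalctl -k or /var/log/audit/audit.log once SAMPLE_LOG is replaced by that input; the field layout is the kernel's, so the awk loops do not depend on field order.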
CAVEATS
aa-audit requires root privileges: it edits files under the profile directory and reloads policy into the kernel.
Audit mode does not loosen confinement. Denied operations are still blocked; the only change is that permitted accesses are logged as well. It is not a way to get a blocked application working; that is what complain mode (aa-complain) is for.
Logging every permitted access is expensive for busy programs and can flood the kernel ring buffer and auditd. Treat audit mode as temporary and remove the flag with aa-audit -r when the review is finished.
The mode change reaches the kernel only when the profile is reloaded. aa-audit reloads it unless --no-reload is given; with --no-reload the profile file is changed but the loaded policy is not until you run apparmor_parser -r on that file.
DIFFERENCE FROM AA-COMPLAIN
aa-audit is not a synonym for aa-complain, although both tools make the same kind of edit: they toggle a flag in the profile header and reload the profile. aa-complain sets complain mode, in which the policy is not enforced: an access the profile would deny is permitted and logged with apparmor="ALLOWED", so that aa-logprof can turn the log into new rules. aa-audit sets audit mode, in which the policy is enforced and, in addition, every access the profile permits is logged with apparmor="AUDIT". The two flags are independent and may be combined (flags=(audit,complain)); that records everything the program does while blocking nothing, which is the most verbose setting and the least safe.
CHECKING PROFILE STATUS
The loaded-profile list in /sys/kernel/security/apparmor/profiles (summarised by aa-status) shows each profile followed by its enforcement mode, (enforce) or (complain). The audit flag is separate from that mode and is not shown there, so an enforced profile in audit mode still appears as (enforce). To confirm audit mode, read the profile's header line in the profile directory (normally /etc/apparmor.d) and look for audit inside its flags=(...) clause, then check that the kernel log is receiving apparmor="AUDIT" events for the profile while the program runs. If the file carries the flag but no AUDIT events arrive, the profile has not been reloaded since the change.
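The header check described above, as an added example that is not AppArmor's own code: a POSIX shell script that reads the flags=(...) clause of a profile header, summarises the resulting mode, and performs the same header edit aa-audit makes (adding audit to the flags, without the reload). The three profile files are constructed for the example and written to a temporary directory, so the script runs without root and never touches /etc/apparmor.d.

```shell
#!/bin/sh
# Added example, not AppArmor's own code: inspect and apply the header edit
# that aa-audit performs. aa-audit adds audit to the flags=(...) clause of the
# profile header and then reloads the profile; the loaded-profile list under
# /sys/kernel/security/apparmor/ reports only the enforcement mode, so the
# header is what to check. Everything here runs against constructed profile
# files in a temporary directory: no root, no reload.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/usr.bin.example" <<'EOF'
# constructed sample profile, already in audit mode
#include <tunables/global>

/usr/bin/example flags=(audit) {
  #include <abstractions/base>
  /etc/hosts r,
  owner /var/lib/example/** rw,
}
EOF

cat > "$WORK/usr.bin.dev" <<'EOF'
# constructed sample profile in complain mode, no audit flag yet
/usr/bin/dev flags=(complain) {
  #include <abstractions/base>
}
EOF

cat > "$WORK/usr.bin.plain" <<'EOF'
# constructed sample profile with no flags clause at all
/usr/bin/plain {
  #include <abstractions/base>
}
EOF

# profile_flags FILE: print the contents of flags=(...) from the first
# top-level profile header in FILE, or nothing if that header has no flags.
# Top-level headers start in column 1 and end with "{"; comments and indented
# rules or hats are skipped.
profile_flags() {
    sed -n 's/^[^#[:space:]][^{]*flags=(\([^)]*\)).*{[[:space:]]*$/\1/p' "$1" | head -n 1
}

# has_flag FILE FLAG: succeed if FLAG is one of the header flags.
has_flag() {
    profile_flags "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# mode_summary FILE: what the kernel will do with this profile once loaded.
mode_summary() {
    if has_flag "$1" audit; then
        if has_flag "$1" complain; then echo audit+complain; else echo audit+enforce; fi
    elif has_flag "$1" complain; then
        echo complain
    else
        echo enforce
    fi
}

# add_audit_flag FILE: the header edit aa-audit makes (minus the reload).
# Appends audit to an existing flags clause, or adds flags=(audit) to a
# header that has none. Rewrites through a temp file rather than sed -i so
# it behaves the same on GNU and BSD sed.
add_audit_flag() {
    has_flag "$1" audit && return 0
    if [ -n "$(profile_flags "$1")" ]; then
        sed 's/^\([^#[:space:]][^{]*flags=(\)\([^)]*\))\(.*{[[:space:]]*\)$/\1\2,audit)\3/' "$1" > "$1.tmp"
    else
        sed 's/^\([^#[:space:]][^{]*[^[:space:]]\)[[:space:]]*{[[:space:]]*$/\1 flags=(audit) {/' "$1" > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

for f in usr.bin.example usr.bin.dev usr.bin.plain; do
    printf '%-16s %s\n' "$f" "$(mode_summary "$WORK/$f")"
done
```

Pointing profile_flags and mode_summary at a real file under /etc/apparmor.d is a safe read-only check; add_audit_flag is shown only to make the edit visible, and on a live system the right tool for that edit is aa-audit itself, which also reloads the profile.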
HISTORY
AppArmor, and with it the user-space utilities such as aa-audit, originated at Immunix and passed to Novell when Novell acquired that company. The kernel side was merged into the mainline Linux kernel in version 2.6.36. aa-audit is part of the AppArmor profile toolkit alongside aa-complain, aa-enforce and aa-logprof, giving administrators a way to obtain a complete record of a confined program's accesses while the profile stays enforced, a useful review step before a profile is trusted in production.
SEE ALSO
aa-enforce(8), aa-complain(8), aa-disable(8), aa-remove(8), aa-genprof(8), aa-logprof(8), apparmor_parser(8)