aa-audit

Set a profile to audit mode

$ sudo aa-audit [profile_name]

$ sudo aa-audit [profile1] [profile2]

$ sudo aa-audit -d /path/to/profiles [profile_name]

$ sudo aa-audit -r [profile_name]

$ sudo aa-audit --no-reload [profile_name]

aa-audit executable [executable ...] [-d /path/to/profiles] [--no-reload] [-r]

aa-audit configures AppArmor security profiles to operate in audit mode. In this mode, security policy is enforced and all access attempts (both successes and failures) are logged to the system log. This allows administrators to monitor application behavior while still enforcing security policies.

-d, --dir /path/to/profiles

Specifies the directory containing AppArmor profiles; defaults to /etc/apparmor.d

Prevents automatic profile reloading after modifications

Deactivates audit mode for the specified profile(s)

Display help information

Audit mode generates significant log output as it records all access attempts. This can impact system performance and fill up log files quickly on busy systems.

Part of the AppArmor application security framework, developed as an alternative to SELinux for Linux systems. AppArmor was originally developed by Immunix and later acquired by Novell in 2005.

aa-enforce(8), aa-complain(8), aa-disable(8), aa-status(8), apparmor(7)