aa-audit
Process AppArmor audit events
TLDR
Set a profile to audit mode
Set multiple profiles to audit mode
Set a profile to audit mode from a specific directory
Force audit mode even if already applied
Set a profile to audit mode without reloading it
Remove audit mode for a profile
Display help
SYNOPSIS
aa-audit profile [profile …]
PARAMETERS
profile
Name or absolute path to AppArmor profile(s) to set into audit mode
-h, --help
Display usage information
--version
Display version information
DESCRIPTION
aa-audit is a utility from the AppArmor toolkit for Linux systems using the AppArmor Mandatory Access Control (MAC) framework. It changes the enforcement mode of specified AppArmor profiles to audit mode.
In audit mode, the kernel does not enforce the profile's restrictions but logs all access attempts that match profile rules—both permitted and denied. This generates comprehensive AUDIT log entries in addition to standard violation logs, ideal for profiling application behavior, tuning rules, and debugging without interrupting operations.
Logs appear in kernel logs (e.g., via dmesg, journalctl, or auditd). Audit mode is commonly used during profile development before switching to complain (log violations only, no enforcement) or enforce (block violations) modes. aa-audit requires root privileges and loaded profiles; use aa-status to verify.
CAVEATS
Must run as root (sudo). Profiles must be already loaded (aa-status to check). Does not load unloaded profiles. Audit mode generates high log volume.
EXAMPLE
sudo aa-audit /usr/bin/bash
Sets bash profile to audit mode.
sudo aa-audit usr.sbin.nginx
Sets nginx profile (by name).
VIEWING LOGS
Use journalctl -k | grep -i apparmor to view the entries (the kernel writes the tag in lower case, as apparmor="AUDIT"), or aa-logprof to analyze audit data.
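Because audit mode produces a high volume of entries, it helps to collapse them into counts per profile, verdict, and path before reading them. The following is an added example, not part of the AppArmor tools: the names parse_event, summarize, and SAMPLE_LOG are hypothetical, and the sample log lines are constructed to follow the kernel's key=value audit message layout.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_LOG = '''\
kernel: audit: type=1400 audit(1704888001.101:210): apparmor="AUDIT" operation="open" profile="/usr/sbin/nginx" name="/etc/nginx/nginx.conf" pid=812 comm="nginx" requested_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1704888001.450:211): apparmor="AUDIT" operation="open" profile="/usr/sbin/nginx" name="/etc/nginx/nginx.conf" pid=813 comm="nginx" requested_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1704888002.007:212): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=813 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1704888003.300:213): apparmor="AUDIT" operation="mknod" profile="/usr/sbin/nginx" name=2F746D702F612062 pid=813 comm="nginx" requested_mask="c" fsuid=33 ouid=33
kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # The audit subsystem writes names containing spaces or control
        # characters as unquoted upper-case hex; decode those for display.
        if key == "name" and bare and HEX_RE.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def summarize(log_text):
    """Count events per (profile, verdict, operation, name, requested_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            counts[tuple(ev.get(k, "?") for k in
                         ("profile", "apparmor", "operation", "name", "requested_mask"))] += 1
    return counts

if __name__ == "__main__":
    for (profile, verdict, op, name, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {verdict:7s} {profile}  {op} {name!r} ({mask})")
```

To run it on live data, pass the output of journalctl -k to summarize() in place of SAMPLE_LOG.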
HISTORY
Part of AppArmor utilities since ~2009 (AppArmor v2), developed originally by Novell (SUSE) and Canonical (Ubuntu). Audit mode added for advanced tuning; maintained in libapparmor-utils package.
SEE ALSO
aa-enforce(8), aa-complain(8), aa-status(8), aa-logprof(1), apparmor(7), apparmor.d(5)


