aa-genprof
Generate AppArmor security profiles
TLDR
Start generating a profile for a program
Specify a custom directory for profiles
Specify a custom logfile for profiling
Display help
SYNOPSIS
aa-genprof [OPTIONS] [TARGET]
PARAMETERS
-r, --recurse
Generate profiles for child processes spawned by the target application.
-d <directory>, --dir=<directory>
Specify the directory where profiles are searched for or where new profiles will be stored.
-f <file>, --file=<file>
Process a specific input log file instead of the system's default audit logs.
-p <PID>, --profile=<PID>
Initiate profiling for a currently running process, identified by its Process ID (PID).
-o <output_file>, --output=<output_file>
Write the generated or updated AppArmor profile to a specified output file.
-i <input_file>, --input=<input_file>
Use a specific audit log file as input for analysis, bypassing the live system logs.
-k, --keep
When generating a profile, keep any existing profile rules and add new ones, rather than starting from scratch.
-U, --update
Update an existing AppArmor profile with new rules based on observed behavior, instead of creating a new one.
-N <name>, --name=<name>
Assign a specific name to the new profile being generated.
-V, --verbose
Produce more detailed and verbose output during the execution process, aiding in debugging.
-h, --help
Display a concise help message detailing command usage and available options, then exit.
DESCRIPTION
aa-genprof is the AppArmor utility for creating and refining security profiles. Instead of requiring the user to write confinement rules by hand, it observes an application's behaviour as it runs, typically with the application in AppArmor's complain or audit mode. It analyzes the audit records emitted by the kernel, identifies the accesses that a strict confinement profile would deny, and interactively prompts the user to permit or deny each one. The result of this guided, iterative process is a tailored profile that confines the application to only the resources it legitimately requires, which reduces its attack surface. It is useful both for confining newly deployed applications and for tightening the confinement of existing ones.
CAVEATS
aa-genprof requires root privileges, because it interacts directly with the kernel and with the system-wide AppArmor profiles.
For best results, the target application should be run in AppArmor's complain or audit mode during the profiling session. The quality of the generated profile depends directly on how thoroughly the application's functionality is exercised during this observation period: any code path that is never run leaves no audit record and therefore gets no rule. Run the profiling in a controlled, clean environment so that unrelated system activity does not influence the generated profile.
INTERACTIVE PROFILING PROCESS
aa-genprof typically runs an interactive session. It first guides the user to place the target application into complain mode, then instructs them to run the application and exercise all of its functionality. It then analyzes the audit log records produced during that run. For each logged access that the profile does not yet permit, it presents the user with options (e.g., 'allow read', 'allow write', 'deny', 'generalize path'), allowing the profile to be constructed or refined one rule at a time.
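As an added illustration of the log-analysis step described above (example code written for this page, not part of aa-genprof or the AppArmor tools), the script below parses constructed complain-mode audit records, merges repeated accesses per profile, and lists the candidate rules a user would be asked to allow or deny. The sample records, the profile name /usr/bin/example and the mapping from audit mask letters to rule permissions are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of the kernel audit records produced while the target's
# profile is in complain mode: apparmor="ALLOWED" marks an access that enforce
# mode would have denied, which is exactly what aa-genprof asks the user about.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example/app.conf" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/var/log/example/app.log" pid=4242 comm="example" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example/app.conf" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:204): apparmor="ALLOWED" operation="capable" profile="/usr/bin/example" pid=4242 comm="example" capability=12 capname="net_admin"
type=AVC msg=audit(1700000000.105:205): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.106:206): apparmor="ALLOWED" operation="open" profile="/usr/bin/unrelated" name="/tmp/x" pid=5150 comm="unrelated" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Audit mask letters -> file-rule permissions (simplified mapping assumed here).
RULE_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
             "l": "l", "k": "k", "m": "m", "x": "x"}
PERM_ORDER = "rwalkmx"

def parse_record(line):
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in FIELD_RE.findall(line)}

def candidate_rules(log_text, profile):
    """Collapse the complain-mode events of one profile into the rule lines a
    user would be asked to allow or deny, merging masks of repeated accesses."""
    file_perms, caps = defaultdict(set), set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "AVC" or rec.get("profile") != profile:
            continue
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # STATUS and other record kinds carry no access to review
        if rec.get("operation") == "capable":
            caps.add(rec["capname"])
        elif "name" in rec:
            mask = rec.get("denied_mask") or rec.get("requested_mask", "")
            file_perms[rec["name"]].update(RULE_PERM[c] for c in mask if c in RULE_PERM)
    rules = [f"  capability {c}," for c in sorted(caps)]
    for path, perms in sorted(file_perms.items()):
        rules.append(f"  {path} {''.join(sorted(perms, key=PERM_ORDER.index))},")
    return rules

def render_profile(profile, rules):
    """Wrap the rule lines the reviewer accepted in the block form apparmor_parser(8) loads."""
    return "\n".join([f"{profile} {{"] + rules + ["}"])
```

Note that /etc/shadow appears among the candidates: the listing only reports what the log contains, and it is the reviewer's decision at the prompt to deny such an access rather than bake it into the profile.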
THOROUGH APPLICATION EXERCISING
The completeness of the profile produced by aa-genprof depends on how comprehensively the application's features and workflows are exercised during the profiling phase. Trigger all common use cases, edge cases and error conditions, so that every file, network and capability access the application needs is recorded in the audit log and therefore captured in the profile.
HISTORY
AppArmor, originally developed by Immunix and later acquired by Novell, was open-sourced and became a key security feature of SUSE Linux. It was subsequently integrated into the mainline Linux kernel starting with version 2.6.36. aa-genprof has been a cornerstone utility of AppArmor from its early days, designed to reduce the complexity of profile creation, often considered the most challenging aspect of deploying a Mandatory Access Control (MAC) system. Its interactive approach has always been central to its design, aiming to make the generation of robust security profiles accessible to a broader range of users.
SEE ALSO
aa-logprof(8), aa-enforce(8), aa-complain(8), aa-disable(8), apparmor_parser(8), auditd(8)