LinuxCommandLibrary

aa-logprof

Update AppArmor profiles from log denials

TLDR

Interactively review and update profiles based on system logs

$ sudo aa-logprof

Use a specific directory for AppArmor profiles
$ sudo aa-logprof [[-d|--dir]] /[path/to/profiles]

Use a specific log file instead of the default
$ sudo aa-logprof [[-f|--file]] /[path/to/logfile]

Ignore all log entries before the specified mark
$ sudo aa-logprof [[-m|--logmark]] "[log_marker_text]"

Display help
$ aa-logprof [[-h|--help]]

SYNOPSIS

aa-logprof [options] [logfile]

PARAMETERS

-d DIR, --dir=DIR
    Look for profiles in DIR (default /etc/apparmor.d/)

-f FILE, --logfile=FILE
    Read events from FILE (default syslog)

-p POLICY, --policy=POLICY
    Default policy: complain/enforce/reject

--add=PROFILE
    Interactively add new profile for PROFILE

-m, --manual
    Manual mode: show events, no suggestions

-q, --quiet
    Quiet: update profiles without prompts

-C, --check
    Check profile loadability (with -q)

-h, --help
    Print help

-v, --version
    Print version

DESCRIPTION

aa-logprof is a utility in the AppArmor Linux security toolkit that interactively analyzes kernel audit logs to update or create application security profiles. It scans logs (typically /var/log/syslog or /var/log/audit/audit.log) for denial events and presents a menu-driven interface. Users review each access attempt (file reads and writes, capabilities, network binds, and so on) and choose an action for it, such as allow, deny, inherit, or glob, which widens a path into a wildcard pattern.

This tool is most useful in "learning" or "complain" mode, where AppArmor logs violations without blocking them, so the profile can be refined from real usage. Suggestions include globbed paths (e.g., /home/** r) or explicit rules. Changes are previewed, written to /etc/apparmor.d/, and can be loaded with apparmor_parser. Because it reduces manual rule-writing, it suits administrators who tune profiles iteratively and want tighter confinement.

Requires root privileges for profile updates; works best with recent logs containing AppArmor events.
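The workflow above (scan the log for denial events, turn each into a candidate rule, offer a globbed variant, write the result into a profile) can be illustrated with a small Python script. This is an added example, not code from the AppArmor project or from aa-logprof itself: it approximates the log parsing and rule derivation that the tool performs interactively, works on constructed sample log lines embedded in the script, and uses hypothetical function names (parse_event, suggest_rules, glob_once, render_profile). The permission-letter ordering and the one-step globbing behaviour are simplifications and should be treated as assumptions.

```python
"""Derive candidate AppArmor rules from audit-log denial events.

Constructed example that mirrors what aa-logprof does when it scans the
log: parse apparmor="DENIED" (enforce mode) and apparmor="ALLOWED"
(complain mode) events, group them by profile, merge permission masks
for the same path, and emit rule text for review before it is placed
under /etc/apparmor.d/ and loaded with apparmor_parser.
"""
import re
from collections import defaultdict

# key="value" or key=value; group 2 is a quoted value, group 3 a bare one.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which permission letters are printed (assumption, for readability).
PERM_ORDER = "mrwalkix"
# create/delete in a denied_mask need write access in a file rule.
MASK_XLATE = str.maketrans("cd", "ww")

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/etc/myapp/config.yaml" pid=4242 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" pid=4242 comm="myapp" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" pid=4242 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="capable" profile="/usr/bin/myapp" pid=4242 comm="myapp" capability=12  capname="net_admin"
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="create" profile="/usr/bin/myapp" pid=4242 comm="myapp" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1700000000.106:206): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/myapp" pid=1 comm="apparmor_parser"
"""


def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def normalize_mask(mask):
    """Collapse a denied_mask into file-rule permission letters."""
    letters = set(mask.translate(MASK_XLATE))
    return "".join(p for p in PERM_ORDER if p in letters)


def glob_once(pattern):
    """One step of a 'Glob' choice: widen the last path component.

    /a/b/c -> /a/b/*, then /a/b/* -> /a/**, then /a/** -> /**.
    """
    if pattern.endswith(("/*", "/**")):
        base = pattern.rsplit("/", 1)[0]   # drop the wildcard
        base = base.rsplit("/", 1)[0]      # drop one more component
        return base + "/**"
    return pattern.rsplit("/", 1)[0] + "/*"


def suggest_rules(log_text):
    """Map each profile to a sorted list of candidate rule lines."""
    file_perms = defaultdict(dict)   # profile -> {path: merged mask}
    other = defaultdict(set)         # profile -> {capability/network rule}
    for line in log_text.splitlines():
        ev = parse_event(line)
        # STATUS (profile load/unload) lines carry no access request.
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        profile = ev["profile"]
        if ev.get("operation") == "capable" and "capname" in ev:
            other[profile].add(f"capability {ev['capname']},")
        elif "family" in ev and "sock_type" in ev:
            other[profile].add(f"network {ev['family']} {ev['sock_type']},")
        elif "name" in ev and "denied_mask" in ev:
            path = ev["name"]
            merged = file_perms[profile].get(path, "") + ev["denied_mask"]
            file_perms[profile][path] = normalize_mask(merged)
    rules = {}
    for profile in set(file_perms) | set(other):
        lines = [f"{p} {m}," for p, m in file_perms[profile].items()]
        lines += list(other[profile])
        rules[profile] = sorted(lines)
    return rules


def render_profile(profile, rule_lines):
    """Format rules as a profile block ready for review."""
    body = "\n".join(f"  {r}" for r in rule_lines)
    return f"{profile} {{\n{body}\n}}\n"


if __name__ == "__main__":
    for prof, lines in suggest_rules(SAMPLE_LOG).items():
        print(render_profile(prof, lines))
        print("# globbed alternative for the log file:",
              glob_once("/var/log/myapp/app.log"))
```

Note that the complain-mode line (apparmor="ALLOWED") is merged with the enforce-mode denial for the same path, giving a single `rw` rule; that is the same consolidation aa-logprof performs when it offers one rule for several events. Widening a rule with glob_once trades precision for fewer prompts, so each globbed path deserves a second look before the profile is switched to enforce mode.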

CAVEATS

Requires root for updates; needs a kernel with AppArmor loaded and recent denial logs; interactive by default, and complex events may require manual intervention.

EXAMPLES

aa-logprof
Process default logs interactively.

aa-logprof -f /var/log/audit/audit.log
Use audit log.

aa-logprof --add /usr/bin/myapp
Create new profile.

HISTORY

Developed for AppArmor (from Immunix project, 1990s); integrated into SUSE/Novell, then Ubuntu/Canonical (2009+); renamed from logprof to aa-logprof in modern versions.

SEE ALSO

aa-genprof(8), aa-autodep(8), aa-complain(1), aa-enforce(1), apparmor_parser(8), logprof(8)
