aa-logprof

Interactively review and update profiles based on system logs

$ sudo aa-logprof

$ sudo aa-logprof -d /path/to/profiles

$ sudo aa-logprof -f /path/to/logfile

$ sudo aa-logprof -m "log_marker_text"

aa-logprof [-d /path/to/profiles] [-f /path/to/logfile] [-m mark]

aa-logprof is an interactive utility that scans AppArmor security logs and prompts users to review and update existing security profiles. When launched, it identifies new AppArmor events not covered by current profiles and suggests modifications.
Upon exit, updated profiles are saved and reloaded if AppArmor is active. Interactive responses include: (A)llow, (D)eny, (I)gnore, (N)ew, (G)lob last piece, (Q)uit.

-d, --dir /path/to/profiles

Specifies where to look for the AppArmor security profile set; defaults to /etc/apparmor.d

Specifies the location of the logfile; defaults are read from /etc/apparmor/logprof.conf

Filters out log entries preceding a specified mark; use quotes if mark contains spaces

Display help information

/etc/apparmor/logprof.conf

Controls default logfile location, repository settings, and behavior options for log-based profile updates.

Log analysis depends on audit daemon configuration. Ensure auditd or klogd is properly configured to capture AppArmor events.

Part of the AppArmor utilities package for managing application security profiles on Linux systems.

aa-genprof(8), aa-enforce(8), aa-complain(8), auditd(8), apparmor(7)