aa-logprof
Update AppArmor profiles from log denials
TLDR
Interactively review and update profiles based on system logs:
  sudo aa-logprof
Use a specific directory for AppArmor profiles:
  sudo aa-logprof -d /path/to/profiles
Use a specific log file instead of the default:
  sudo aa-logprof -f /path/to/logfile
Ignore all log entries before the specified mark:
  sudo aa-logprof -m "mark"
Display help:
  aa-logprof --help
SYNOPSIS
aa-logprof [-d /path/to/profiles] [-f /path/to/logfile] [-m "mark"]
PARAMETERS
-d, --dir /path/to/profiles
Directory holding the AppArmor profile set to read and update. Defaults to /etc/apparmor.d. Saved profiles are written back to this directory.
-f, --file /path/to/logfile
Log file to parse. Defaults to the audit log (/var/log/audit/audit.log) when auditd is collecting AppArmor events, otherwise the syslog file named in logprof.conf (typically /var/log/syslog or /var/log/messages).
-m, --mark "mark"
Only log entries after the given mark string are processed; everything before it is ignored. Defaults to the beginning of the log file. Writing a mark into the log (for example with logger) before exercising an application keeps old denials out of the review session.
-h, --help
Display usage and exit.
aa-logprof has no batch or "apply everything" mode: every proposed rule is confirmed interactively, and nothing is written to disk until you choose (S)ave Changes at the end of the session.
DESCRIPTION
aa-logprof is an interactive utility in the AppArmor security framework. It reads the system log for AppArmor events, which are emitted whenever a confined program attempts an action its profile does not permit. In enforce mode the kernel blocks the action and logs it with apparmor="DENIED"; in complain mode the action is allowed to proceed but is logged with apparmor="ALLOWED". aa-logprof processes both kinds of event.
For each event, aa-logprof derives the rule that would permit the access (a file path with an access mask, a capability, a network family and socket type, or an execute transition) and prompts the user to allow it, deny it, generalize it with a glob, or ignore it. The profile affected is the one named in the log entry, so a single session can update several profiles. This interactive loop lets an administrator build a profile incrementally from observed application behaviour, typically starting in complain mode and switching to enforce mode once the log has been quiet for a representative period of use. It replaces hand-parsing audit logs and hand-editing profiles, but the judgement about what the application should be allowed to do remains with the reviewer.
CAVEATS
aa-logprof must run as root: it writes to /etc/apparmor.d and reloads the saved profiles into the kernel. Reviewing a profile with many events is time-consuming, and every suggestion deserves scrutiny: accepting a rule because the application asked for it, or globbing broadly to shorten the session, produces profiles that permit far more than the application needs. aa-logprof only sees what was logged, so the application must actually be exercised through its code paths (error handling, log rotation, plugins, rarely used subcommands) while in complain mode, and the log must be retained long enough to be read. AppArmor audit messages can also be dropped under load by kernel audit rate limiting, so a quiet log is not by itself proof of a complete profile; keep monitoring after switching to enforce mode.
INTERACTIVE MODE AND WORKFLOW
aa-logprof is used interactively. For each unhandled event it shows the profile, the operation and the resource involved, and offers choices: (A)llow adds the suggested rule; (D)eny adds an explicit deny rule, which also silences the log entry; (I)gnore skips the event for this session; (G)lob replaces the last path component with *, and pressing it again widens the match with **; Glob with (E)xtension does the same while keeping the file extension; (N)ew lets you type your own rule; Audi(t) marks the rule for audit logging; Abo(r)t discards the session; (F)inish stops processing and moves to saving. For execute events the choices are the transition modes (inherit, profile, child, unconfined). At the end the (S)ave Changes and (V)iew Changes prompts let you inspect the diff before anything is written. The typical workflow is: put the profile in complain mode with aa-complain, run the application through its normal and exceptional paths, run aa-logprof to add the needed rules, and repeat until a run produces no new events; then switch to enforce mode with aa-enforce.
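The log parsing and rule derivation described under DESCRIPTION, the -m mark handling, and the Glob choices above, as an added example in Python. This is not code from the AppArmor project; it models what aa-logprof does with the audit-log key=value format so the candidate rules can be inspected programmatically. The log lines in SAMPLE_LOG are constructed for this example, and the handling of an absent mark and the exec placeholder (ix) are this example's own choices.

```python
"""Minimal model of aa-logprof's log-to-rule step (added example, not AppArmor code)."""
import re
from collections import defaultdict

# Constructed sample in audit.log format: one enforce-mode denial (nginx),
# a log mark, then complain-mode events for /usr/bin/myapp, and a STATUS line.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.001:300): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
logprof-mark-1
type=AVC msg=audit(1700000000.101:301): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" pid=2310 comm="myapp" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.102:302): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" pid=2310 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:303): apparmor="ALLOWED" operation="capable" profile="/usr/bin/myapp" pid=2310 comm="myapp" capability=10 capname="net_bind_service"
type=AVC msg=audit(1700000000.104:304): apparmor="ALLOWED" operation="create" profile="/usr/bin/myapp" pid=2310 comm="myapp" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1700000000.105:305): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/myapp" pid=2400 comm="apparmor_parser"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
MASK_FOLD = {"c": "w", "d": "w"}   # audit create/delete map to w in profile syntax
PERM_ORDER = "rwalkm"              # x is emitted separately as an exec transition


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: (u if u else q) for k, q, u in KV.findall(line)}


def lines_after_mark(log_text, mark=None):
    """Emulate -m: drop everything up to and including the line holding the mark.
    Example's own choice: a mark that never appears yields no events."""
    lines = log_text.splitlines()
    if mark is None:
        return lines
    for i, line in enumerate(lines):
        if mark in line:
            return lines[i + 1:]
    return []


def fold_mask(mask):
    """Turn accumulated audit mask chars into a profile access mode."""
    perms = {MASK_FOLD.get(c, c) for c in mask}
    mode = "".join(c for c in PERM_ORDER if c in perms)
    if "x" in perms:
        mode += "ix"   # aa-logprof asks ix/px/cx/ux here; ix is this example's placeholder
    return mode


def suggest_rules(log_text, mark=None):
    """Map profile -> {'modes': set of enforce/complain, 'rules': sorted candidates}."""
    file_perms = defaultdict(set)   # (profile, path) -> mask chars seen
    other = defaultdict(set)        # profile -> capability / network rules
    modes = defaultdict(set)
    for line in lines_after_mark(log_text, mark):
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue   # STATUS and similar lines carry no access request
        profile = ev["profile"]
        modes[profile].add("enforce" if ev["apparmor"] == "DENIED" else "complain")
        if "capname" in ev:
            other[profile].add(f"capability {ev['capname']},")
        elif "family" in ev:
            other[profile].add(f"network {ev['family']} {ev['sock_type']},")
        elif "name" in ev and "requested_mask" in ev:
            file_perms[(profile, ev["name"])].update(ev["requested_mask"])
    result = {}
    for profile in modes:
        rules = set(other[profile])
        for (p, path), mask in file_perms.items():
            if p == profile:
                rules.add(f"{path} {fold_mask(''.join(mask))},")
        result[profile] = {"modes": modes[profile], "rules": sorted(rules)}
    return result


def glob_path(path, keep_ext=False):
    """Approximate (G)lob and Glob with (E)xtension: first call replaces the last
    component with *, a second call on that result widens to ** one level up."""
    head, _, tail = path.rpartition("/")
    ext = tail[tail.rfind("."):] if keep_ext and "." in tail else ""
    if tail.startswith("*"):
        head = head.rpartition("/")[0]
        return f"{head}/**{ext}"
    return f"{head}/*{ext}"


if __name__ == "__main__":
    for profile, info in suggest_rules(SAMPLE_LOG, mark="logprof-mark-1").items():
        print(f"{profile} ({', '.join(sorted(info['modes']))})")
        for rule in info["rules"]:
            print("  " + rule)
```

Running it with the mark skips the nginx denial entirely, and the two app.log events are merged into a single `/var/log/myapp/app.log rw,` rule, which is exactly the merging aa-logprof performs before it prompts. Note what the model does not do: it cannot tell you whether myapp should bind privileged ports or whether nginx reading /etc/shadow is a bug or an attack, which is why the real tool asks.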
PROFILE LOCATION
AppArmor profiles are stored in /etc/apparmor.d/. aa-logprof reads and writes profiles there unless another directory is given with -d or --dir, and it matches log events to profiles by the profile name recorded in the log entry, so the profile must already be loaded (in complain or enforce mode) for events to be attributed to it. When changes are saved, aa-logprof reloads the affected profiles into the kernel with apparmor_parser so the new rules take effect immediately.
HISTORY
aa-logprof is part of the AppArmor user-space tools. AppArmor originated at Immunix, whose acquisition by Novell in 2005 brought it into SUSE Linux; the project is now maintained principally by Canonical. The original logprof was a Perl script; the utilities were rewritten in Python for the 2.9 series and have tracked newer kernel features since (network, mount, signal, ptrace and dbus rules among them). Its purpose has not changed: replace manual log parsing with an interactive review so that an application can be moved from unconfined to a profile that reflects its observed behaviour.
SEE ALSO
aa-genprof(8), aa-complain(8), aa-enforce(8), aa-autodep(8), aa-status(8), apparmor_parser(8), apparmor(7), apparmor.d(5), logprof.conf(5), auditd(8)