LinuxCommandLibrary

aa-status

Show AppArmor status

TLDR

Check status
$ sudo aa-status

Display status in JSON format
$ sudo aa-status --json

Display status in pretty JSON format
$ sudo aa-status --pretty-json

Display the number of loaded policies
$ sudo aa-status --profiled

Display the number of loaded enforcing policies
$ sudo aa-status --enforced

Display the number of loaded non-enforcing policies
$ sudo aa-status --complaining

Display the number of loaded enforcing policies that kill tasks
$ sudo aa-status --kill

SYNOPSIS

aa-status [--enabled] [-p|--profiles] [-f|--profile-attachments] [--verbose] [--show-cache] [--json[=compact|pretty]]

PARAMETERS

--enabled
    Print "apparmor module is ENABLED" or "DISABLED"

-p, --profiles
    List all currently loaded profiles

-f, --profile-attachments
    Show processes with attached profiles (PID, profile, mode)

--verbose
    Display extended information for profiles and processes

--show-cache
    Include per-profile cached access decision stats

--json[=compact|pretty]
    Output full status in JSON (compact or pretty-printed)

DESCRIPTION

The aa-status command queries the AppArmor kernel interface to show the current status of security profiles on a Linux system. AppArmor is a Linux Security Module (LSM) that restricts programs via per-profile policies in enforce (blocks violations), complain (logs only), or unconfined modes.

Default output includes:
• Total loaded profiles, broken down by enforce/complain
• Processes matched to profiles vs. unconfined
• One-line summaries per profile (mode, attach count)

This aids administrators in verifying AppArmor activation, profile loading, process confinement, and security posture. Options enable focused views like enabled/disabled status, full profile lists, per-process attachments (PID, profile, mode), verbose details, access decision caches, or machine-readable JSON.

Essential for debugging policy issues, auditing, and integration with monitoring scripts. Runs on systems with AppArmor enabled (e.g., Ubuntu, SUSE).
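A monitoring check built on the JSON output, added here as an example (it is not part of the original page or of AppArmor itself). The JSON layout, the sample data, and the names audit, live_status and ENFORCING are assumptions made for the illustration; the check reports profiles and processes that are loaded but not blocking violations.

```python
import json
import subprocess

# Modes that block violations; "kill" profiles enforce and also kill the task.
ENFORCING = {"enforce", "kill"}

# Constructed sample data. Assumed layout of the --json output:
# profiles = {name: mode}, processes = {executable: [{profile, pid, status}]}.
SAMPLE = """
{"version": "2",
 "profiles": {"/usr/sbin/cupsd": "enforce",
              "/usr/bin/foo": "complain",
              "/usr/sbin/ntpd": "enforce"},
 "processes": {
   "/usr/sbin/cupsd": [{"profile": "/usr/sbin/cupsd", "pid": "812", "status": "enforce"}],
   "/usr/bin/foo": [{"profile": "/usr/bin/foo", "pid": "1440", "status": "complain"}]}}
"""


def audit(status_json, required=()):
    """Return sorted findings for anything that is loaded but not enforced."""
    status = json.loads(status_json)
    profiles = status.get("profiles", {})
    findings = []
    for name in required:  # profiles this host is expected to have loaded
        if name not in profiles:
            findings.append(f"MISSING profile {name} is not loaded")
    for name, mode in profiles.items():
        if mode not in ENFORCING:  # complain mode only logs violations
            findings.append(f"PROFILE {name} is in {mode} mode")
    for exe, procs in status.get("processes", {}).items():
        for proc in procs:
            if proc.get("status") not in ENFORCING:
                findings.append(
                    f"PROCESS pid {proc.get('pid')} ({exe}) runs under "
                    f"{proc.get('profile')} in {proc.get('status')} mode")
    return sorted(findings)


def live_status():
    """Run aa-status --json on this host (root is needed for process details)."""
    return subprocess.run(["aa-status", "--json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in audit(SAMPLE, required=["/usr/sbin/sshd"]):
        print(line)
```

On a real host, pass live_status() to audit() instead of SAMPLE and alert when the returned list is not empty.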

CAVEATS

Requires the AppArmor kernel module to be loaded and procfs/sysfs to be mounted. Non-root users see limited process details. The default output mixes the summary with the profile listing; some option combinations are mutually exclusive.

DEFAULT OUTPUT EXAMPLE

apparmor module is loaded.
14 profiles loaded.
9 profiles in enforce mode.
5 in complain.
0 processes unconfined.
Listing: /usr/bin/foo (enforce)

HISTORY

Introduced in AppArmor 2.1 (circa 2009) by Canonical/Immunix developers as a modern replacement for apparmor_status, enhancing usability over legacy Perl scripts. Evolved with JSON support in later Ubuntu releases (e.g., 16.04+).

SEE ALSO

aa-unconfined(8), aa-exec(8), apparmor_parser(8), aa-logprof(1), aa-genprof(1)
