aa-unconfined
Find network-listening processes without AppArmor profiles
TLDR
List unconfined processes using the ss command (default)
SYNOPSIS
aa-unconfined [--paranoid] [--with-ss | --with-netstat]
DESCRIPTION
aa-unconfined identifies processes that listen on network sockets but lack AppArmor security profiles. It accomplishes this by checking processes with open TCP or UDP connections against loaded kernel AppArmor policies.
This tool is useful for identifying services that may benefit from AppArmor confinement.
PARAMETERS
--paranoid
--paranoid
Examines all processes from the /proc filesystem that have active TCP or UDP ports without AppArmor confinement
--with-ss
Uses the ss(8) utility to identify network socket listeners (default)
--with-netstat
Uses the netstat(8) command for network socket discovery instead of ss
-h, --help
Display help information
CAVEATS
The tool must run with root privileges and has limitations: it cannot reliably handle deleted executables, may miss processes started before profile loading, and is susceptible to race conditions. It only monitors TCP and UDP protocols.
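The check described under DESCRIPTION, with the process-exit race from CAVEATS handled, as an added example (not the AppArmor project's own code): ss -nlptu output is mapped to PIDs and each PID's label is read from /proc/<pid>/attr/apparmor/current (falling back to /proc/<pid>/attr/current). The ss sample is constructed, and label_lookup is an injectable hook that the real tool does not have.

```python
import re
from pathlib import Path

_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')  # one Process entry
# Constructed `ss -nlptu` output (not a real capture) for offline use.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*  users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    *:80              *:*        users:(("nginx",pid=1400,fd=6),("nginx",pid=1401,fd=6))
"""

def parse_ss_listeners(ss_output):
    """[(pid, comm, proto, local_addr)] from `ss -nlptu` text; a socket
    shared by several processes (nginx workers) yields one tuple per PID."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header, or a protocol aa-unconfined does not cover
        for comm, pid in _PROC_RE.findall(line):
            rows.append((int(pid), comm, fields[0], fields[4]))
    return rows

def apparmor_label(pid, proc_root="/proc"):
    """AppArmor label of a PID ('unconfined', '/usr/sbin/sshd (enforce)', ...)
    read from /proc; None if the process is already gone."""
    for rel in ("attr/apparmor/current", "attr/current"):
        try:
            return (Path(proc_root) / str(pid) / rel).read_text().strip()
        except OSError:
            continue
    return None

def is_unconfined(label):
    return label.strip() == "unconfined"  # anything else names a profile

def find_unconfined(ss_output, label_lookup=apparmor_label):
    """Listeners with no profile; label_lookup is injectable (hypothetical
    hook) so the logic can be exercised without root or a live /proc."""
    hits = []
    for pid, comm, proto, local in parse_ss_listeners(ss_output):
        label = label_lookup(pid)
        if label is None:
            continue  # exited between ss and the /proc read: the race CAVEATS notes
        if is_unconfined(label):
            hits.append((pid, comm, proto, local))
    return hits
```

On a live system, run `ss -nlptu` as root and pass its stdout to find_unconfined(); without root, ss omits the Process column for other users' sockets and those listeners are silently skipped.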
HISTORY
Part of the AppArmor utilities package for managing application security profiles on Linux systems.
SEE ALSO
aa-status(8), aa-genprof(8), ss(8), netstat(8), apparmor(7)
