apparmor_status
Show AppArmor status and profile information
SYNOPSIS
apparmor_status [OPTIONS]
PARAMETERS
-h, --help
Display a help message and exit.
-v, --version
Show version information and exit.
-a, --all
List all processes, including those running unconfined. By default, only confined processes are shown.
-d, --debug
Print additional debug information, useful for troubleshooting.
-q, --quiet
Suppress normal output and only display errors.
DESCRIPTION
apparmor_status is a utility that provides a comprehensive overview of the AppArmor security system's current state on a Linux system.
It allows administrators to quickly ascertain whether AppArmor is enabled, which security profiles are loaded into the kernel, and how applications are being confined. The command distinguishes between profiles operating in enforce mode (actively enforcing security rules) and complain mode (logging violations without blocking them).
It lists processes that are actively confined by an AppArmor profile, as well as those that are running unconfined. This tool is invaluable for troubleshooting AppArmor configurations, verifying successful profile loading, and monitoring the security posture of confined applications. Its output helps identify potential security gaps or misconfigurations within the AppArmor framework.
CAVEATS
apparmor_status typically requires root privileges (or `sudo`) to execute properly and access kernel-level AppArmor information. Without sufficient permissions, it may report an inability to connect to the AppArmor control socket or show incomplete information. The command's output reflects the AppArmor state at the moment of execution; it does not provide real-time monitoring.
UNDERSTANDING OUTPUT MODES
The command's output typically distinguishes between "enforce" and "complain" modes.
Processes confined by a profile in enforce mode are actively protected and will be blocked if they attempt to violate their profile rules. Processes confined by a profile in complain mode, however, only have violations logged to the system's audit logs (e.g., `/var/log/audit/audit.log` or `dmesg`) without the action being blocked, which makes complain mode useful for profile development and testing.
APPARMOR KERNEL MODULE
For apparmor_status to report meaningful information, the AppArmor kernel security module must be loaded and enabled.
If AppArmor is not active, the command will indicate this, usually by stating that AppArmor is "not available" or "not enabled."
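A practical way to turn this output into a check: the script below parses apparmor_status output and flags profiles still in complain mode, processes that have a profile but run unconfined, and the module not being loaded at all. It is an added example, not part of the AppArmor utilities; the sample output is constructed to mirror the command's layout and was not captured from a real host.

```shell
# Constructed sample in the layout apparmor_status prints; not captured from a real host.
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/bin/man
   /usr/sbin/tcpdump
2 profiles are in complain mode.
   /usr/sbin/sssd
   /usr/bin/lessopen
3 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (812)
   /usr/sbin/tcpdump (815)
1 processes are in complain mode.
   /usr/sbin/sssd (940)
1 processes are unconfined but have a profile defined.
   /usr/bin/man (1023)'

# Read apparmor_status output on stdin and print one line per weak spot:
# profiles still in complain mode, processes that have a profile but run
# unconfined, and the kernel module not being loaded at all.
apparmor_findings() {
    awk '
        /^apparmor module is loaded/ { loaded = 1; section = ""; next }
        /profiles are in complain mode/ { section = "complain-profile"; next }
        /unconfined but have a profile defined/ { section = "unconfined-process"; next }
        /^[0-9]+ / { section = ""; next }   # any other count header ends the current list
        section != "" && NF > 0 { sub(/^[ \t]+/, ""); print section ": " $0 }
        END { if (!loaded) print "module: apparmor not loaded or not enabled" }
    '
}

# Exit non-zero when anything was flagged, so the check can gate a CI job or a monitoring probe.
check_apparmor_status() {
    findings=$(apparmor_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "ok: all loaded profiles enforced, all profiled processes confined"
}

# Stand-alone run against the constructed sample; on a real host use:
#   sudo apparmor_status | check_apparmor_status
printf '%s\n' "$SAMPLE_STATUS" | check_apparmor_status || echo "(exit status $?)"
```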
HISTORY
AppArmor, originally developed by Immunix and later acquired by Novell, became part of the Linux kernel mainline starting with version 2.6.36. The apparmor_status command is a fundamental component of the AppArmor utilities suite, designed to provide an immediate diagnostic view of the system's AppArmor confinement status. Its development has closely tracked the evolution of AppArmor itself, aiming to simplify the process of understanding and managing application security profiles. It is a key tool for administrators to quickly assess the state of their AppArmor deployments.
SEE ALSO
aa-enforce(8), aa-complain(8), aa-disable(8), aa-genprof(8), aa-logprof(8), aa-unconfined(8), apparmor(7), dmesg(1)