LinuxCommandLibrary

apparmor_status

Show AppArmor status and profile information

TLDR

View documentation for the original command

$ tldr aa-status
copy

SYNOPSIS

apparmor_status [-p|--print-profiles] [-c|--complain] [-e|--enforce] [-r|--reversible] [-u|--unknown] [-Q|--quiet] [--hint[=PROFILE]] [--debug]

PARAMETERS

-p, --print-profiles
    Print all profiles loaded into the kernel

-c, --complain
    Print only profiles in complain mode

-e, --enforce
    Print only profiles in enforce mode

-r, --reversible, --print-reversible
    Print profiles in reversible mode

-u, --unknown
    Print processes without matching profiles

-Q, --quiet
    Print only the summary line

--hint[=PROFILE]
    Print hint for specified or all profiles

--debug
    Print additional debugging information

DESCRIPTION

apparmor_status is a utility from the AppArmor toolkit that queries the Linux kernel for the current state of AppArmor, a mandatory access control (MAC) system. It reports whether the AppArmor module is loaded and active, counts loaded security profiles, categorizes them by mode (enforce, complain, or unconfined), and lists processes matched to profiles.

By default, it outputs a concise summary like:
10 profiles are loaded.
8 profiles are in enforce mode.
Followed by lists of profiles and processes. This helps administrators verify confinement, troubleshoot denials, and monitor security posture.

Options enable detailed views, such as listing only enforce-mode profiles or unknown processes. It's commonly used with sudo on Ubuntu and derivatives where AppArmor is default. Essential for compliance audits and debugging via /var/log/syslog or aa-logprof.

CAVEATS

Requires loaded AppArmor kernel module; run with sudo for complete process info. Output varies by kernel version and distro.

DEFAULT OUTPUT EXAMPLE

apparmor module is loaded.
10 profiles are loaded.
8 profiles are in enforce mode.
/usr/bin/evince
0 profiles are in complain mode.
2 processes are in enforce/complain modes.

HISTORY

Developed by Novell (2000s), integrated into Ubuntu (2009) as default MAC. apparmor_status added in early apparmor-utils; evolved with aa-status wrapper in newer versions.

SEE ALSO

aa-status(8), apparmor_parser(8), aa-logprof(8), aa-genprof(8)

Copied to clipboard