Check AppArmor Status

About This Task

AppArmor is a Linux kernel security module that provides mandatory access control (MAC) to restrict application capabilities, protecting systems from security threats by enforcing specific rules on a per-application basis.

AppArmor uses profiles to provide MAC to the applications you specify.

This procedure covers a few different methods for checking the status:
  • Verify directly whether the kernel module is enabled
  • Check the kernel configuration
  • Use the aa-status application to view the status and additional information about AppArmor profiles

Before You Begin

You must have an eLxr Server 12 development host set up with sudo privileges. For details, see eLxr QuickStart: Quick Start Overview.

Procedure

Check the Kernel Parameter

Run the following command from the terminal.

# cat /sys/module/apparmor/parameters/enabled

Y

The Y indicates that AppArmor is enabled in the running kernel.

Check the Kernel Configuration

Run the following command from the terminal.

# grep APPARMOR /boot/config-$(uname -r)

CONFIG_SECURITY_APPARMOR=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y

In this example every APPARMOR config option is enabled except DEBUG. This is the default configuration.

Check Detailed Status with the aa-status Tool

The aa-status tool provides more detailed information than the kernel checks above, including the number of loaded profiles, the mode each profile runs in, and the processes confined by AppArmor.

Run the following command from the terminal.

# /usr/sbin/aa-status

apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
  /usr/sbin/cups-browsed (2128)
  /usr/sbin/cupsd (805)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

This output represents a fresh eLxr 12 installation with no additional applications. In this example, 14 profiles are loaded for the listed applications, and two processes are confined in enforce mode.
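The three checks above, combined into one script, as an added example (not part of the eLxr documentation). The file paths are function parameters so the same functions can run against the live system or, as here, against a constructed sample abridged from the aa-status output shown in this procedure.

```shell
#!/bin/sh
# Added example, not from the eLxr documentation: the three status checks
# from this procedure as reusable shell functions.

# Returns 0 when the kernel parameter file holds exactly "Y" (AppArmor enabled).
apparmor_param_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Returns 0 when AppArmor is built in and is the default LSM in the given
# config file; names the missing option otherwise. Both must hold.
apparmor_config_ok() {
    _ok=0
    for _opt in CONFIG_SECURITY_APPARMOR CONFIG_DEFAULT_SECURITY_APPARMOR; do
        grep -qx "${_opt}=y" "$1" || { echo "missing: ${_opt}=y"; _ok=1; }
    done
    return $_ok
}

# Reads aa-status output on stdin and prints how many profiles are in MODE
# (enforce, complain, kill or unconfined). Complain-mode profiles only log.
aa_profile_count() {
    awk -v m="$1" '$2 == "profiles" && $4 == "in" && $5 == m { print $1 }'
}

# Reads aa-status output on stdin and prints the number of processes that
# have a profile defined but run unconfined; non-zero means a profile is not applied.
aa_unconfined_with_profile() {
    awk '/processes are unconfined but have a profile defined/ { print $1 }'
}

# Constructed sample, abridged from the aa-status output in the procedure,
# so the script also runs on a host without AppArmor.
SAMPLE_STATUS='apparmor module is loaded.
14 profiles are in enforce mode.
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

printf 'enforce=%s complain=%s unconfined-with-profile=%s\n' \
    "$(printf '%s\n' "$SAMPLE_STATUS" | aa_profile_count enforce)" \
    "$(printf '%s\n' "$SAMPLE_STATUS" | aa_profile_count complain)" \
    "$(printf '%s\n' "$SAMPLE_STATUS" | aa_unconfined_with_profile)"
```

On a live host, pass /sys/module/apparmor/parameters/enabled and /boot/config-$(uname -r) to the first two functions and pipe /usr/sbin/aa-status into the last two.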

Results

In this procedure, you learned how to check AppArmor status. To learn how to set or disable AppArmor enforcing, see Set AppArmor Enforcing Mode.

For more detailed information on AppArmor modes, see AppArmor Documentation on GitLab.