How to check if an AppArmor profile is active in Linux


Introduction

In this lab, you will learn how to check the status of AppArmor profiles on a Linux system. AppArmor is a security module that uses profiles to restrict the actions of applications, enhancing system security. You will explore three methods to determine if AppArmor profiles are active and how they are configured.

Specifically, you will use the aa-status command to list loaded profiles and their modes (enforce or complain), examine the contents of the /etc/apparmor.d directory to see available profile files, and inspect the AppArmor status within the /sys/kernel/security filesystem. These steps will provide a comprehensive understanding of how to verify AppArmor's operational state.



List AppArmor profiles with aa-status

In this step, you will learn how to list the active AppArmor profiles on your system using the aa-status command. AppArmor is a security module that provides mandatory access control (MAC) by confining programs to a limited set of resources.

Think of AppArmor profiles as security policies for specific applications. They define what files, network resources, and other system capabilities an application is allowed to access. This helps prevent malicious software or compromised applications from causing widespread damage.

To see which profiles are currently loaded and enforced, open your terminal and type the following command:

sudo aa-status

You need to use sudo because checking the status of AppArmor requires administrative privileges.

After running the command, you will see output similar to this:

apparmor module is loaded.
...
profiles are loaded.
...
profiles are in enforce mode.
...
profiles are in complain mode.
...
processes are unconfined.
...

The output provides a summary of the AppArmor status:

  • apparmor module is loaded: Indicates that the AppArmor kernel module is active.
  • profiles are loaded: Shows the total number of AppArmor profiles loaded into the kernel.
  • profiles are in enforce mode: Lists profiles that are actively restricting the behavior of the associated applications. If an application attempts to do something not allowed by its enforced profile, the action is blocked, and a log message is generated.
  • profiles are in complain mode: Lists profiles that are monitoring the behavior of the associated applications but are not enforcing restrictions. If an application attempts to do something not allowed by its complain profile, the action is allowed, but a log message is generated. This mode is useful for developing and testing profiles.
  • processes are unconfined: Shows the number of running processes that are not currently being managed by an AppArmor profile.

Understanding the output of aa-status is the first step in managing AppArmor and understanding the security posture of your system.


Check profiles in /etc/apparmor.d

In the previous step, you saw a list of loaded AppArmor profiles using aa-status. Now, let's explore where these profiles are stored on the file system.

AppArmor profiles are typically located in the /etc/apparmor.d/ directory. This directory contains the profile files, which are plain text files defining the rules for each confined application.

To list the contents of this directory, use the ls command:

ls /etc/apparmor.d/

You will see a list of files and directories. Each file in this directory (that is not in a subdirectory like abstractions or tunables) usually represents a specific AppArmor profile for an application.

Example output:

bootchartd             usr.sbin.tcpdump
...

These filenames often correspond to the path of the executable they are designed to confine. For example, usr.sbin.tcpdump is the profile for the /usr/sbin/tcpdump command.

You can view the content of a profile file using a text editor like nano. Let's look at the profile for usr.sbin.tcpdump. Type the following command:

nano /etc/apparmor.d/usr.sbin.tcpdump

This will open the profile file in the nano editor. You will see lines defining file access rules, network permissions, and other restrictions. Don't worry about understanding every line right now; the goal is just to see the structure of a profile file.

To exit nano, press Ctrl + X. If you made any changes, it will ask if you want to save. Press N for No, then Enter to confirm.

Exploring the files in /etc/apparmor.d/ gives you insight into the specific security policies applied to different applications on your system.


Inspect AppArmor status in /sys/kernel/security

In addition to the aa-status command, you can inspect the status of AppArmor directly through the /sys filesystem. sysfs exposes kernel data structures, and the securityfs mounted under it at /sys/kernel/security exposes information from security modules such as AppArmor.

The relevant directory for AppArmor status within /sys is /sys/kernel/security/apparmor/.

Let's list the contents of this directory to see what information is available:

ls /sys/kernel/security/apparmor/

You will see files and directories that provide details about the AppArmor state, such as loaded profiles, policy rules, and enforcement status.

Example output:

features  profiles  policy  revision  ...

One particularly useful file is profiles. You can view its content using the cat command:

cat /sys/kernel/security/apparmor/profiles

This file lists the currently loaded AppArmor profiles and their status (e.g., enforce, complain, or unconfined). The output is similar to the list of profiles you saw with aa-status, but it's a direct view of the kernel's state.

Example output:

/usr/sbin/tcpdump (enforce)
...

Inspecting the /sys/kernel/security/apparmor/ directory and its files provides a lower-level way to understand the AppArmor status and can be helpful for debugging or advanced analysis.
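The following script is an added example for this lab, not part of the original page. It turns the manual checks from the aa-status step and this step into a repeatable test: it parses the "name (mode)" lines that the kernel exposes in /sys/kernel/security/apparmor/profiles, reports the mode of one named profile, and counts profiles per mode, which is the kind of assertion a hardening baseline wants (for example, "the tcpdump profile is loaded and enforced"). The function names, the PROFILES_FILE variable and the sample profile list are assumptions made for this example; when the kernel file is not readable (no AppArmor, or not running as root) the functions fall back to the constructed sample so the logic can still be exercised.

```shell
#!/bin/sh
# Added example (not part of the lab): determine whether a named profile is
# loaded and which mode it is in by parsing the kernel's own profile list,
# the same "name (mode)" lines shown by cat /sys/kernel/security/apparmor/profiles.
# When that file is unreadable (no AppArmor, or insufficient privileges) the
# functions fall back to a constructed sample so the logic can still be exercised.

PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Constructed sample in the kernel file's format; these are not real readings.
SAMPLE_PROFILES='/usr/sbin/tcpdump (enforce)
/usr/sbin/cupsd (complain)
/usr/bin/man//man_filter (enforce)'

# read_profiles: print the live profile list if readable, else the sample.
read_profiles() {
    if [ -r "$PROFILES_FILE" ]; then
        cat "$PROFILES_FILE"
    else
        printf '%s\n' "$SAMPLE_PROFILES"
    fi
}

# profile_mode NAME [LIST]: print the mode of NAME (enforce, complain, ...)
# or "not-loaded". The whole name must match, so "/usr/bin/man" does not
# match its child profile "/usr/bin/man//man_filter". (awk -v interprets
# backslash escapes in NAME; profile paths normally contain none.)
profile_mode() {
    name=$1
    list=${2:-$(read_profiles)}
    mode=$(printf '%s\n' "$list" | awk -v n="$name" '
        substr($0, 1, length(n)) == n && substr($0, length(n) + 1) ~ /^ \([a-z]+\)$/ {
            print substr($0, length(n) + 3, length($0) - length(n) - 3)
            exit
        }')
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'not-loaded\n'; fi
}

# is_enforced NAME [LIST]: succeed only when NAME is loaded in enforce mode,
# the condition a hardening check usually asserts (complain mode only logs).
is_enforced() {
    [ "$(profile_mode "$1" "$2")" = "enforce" ]
}

# count_modes [LIST]: one "mode count" line per mode, sorted by mode name,
# mirroring the per-mode totals at the top of aa-status output.
count_modes() {
    list=${1:-$(read_profiles)}
    printf '%s\n' "$list" | awk '
        match($0, /\([a-z]+\)$/) { c[substr($0, RSTART + 1, RLENGTH - 2)]++ }
        END { for (m in c) printf "%s %d\n", m, c[m] }' | sort
}

# Stand-alone use: sudo ./check_profile.sh /usr/sbin/tcpdump
if [ "$#" -gt 0 ]; then
    echo "$1: $(profile_mode "$1")"
    echo "mode summary:"
    count_modes
fi
```

Run it as root so the real kernel file is read; without privileges it reports the constructed sample, which is why the fallback is labelled in the code rather than silently passing. A profile that aa-status lists but this script reports as not-loaded usually means the name differs from the executable path (profiles can be named arbitrarily in the file header), so compare against the names printed by cat /sys/kernel/security/apparmor/profiles rather than against filenames in /etc/apparmor.d.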

You have now learned three different ways to check the status and presence of AppArmor profiles on a Linux system.


Summary

In this lab, you learned how to check if an AppArmor profile is active in Linux. You began by using the aa-status command with sudo to list the loaded AppArmor profiles and understand their status, including whether they are in enforce or complain mode. This command provides a quick overview of the AppArmor module's state and the number of profiles actively managing processes.

The lab also covered how to inspect the /etc/apparmor.d directory to view the available AppArmor profile files, which represent the security policies for different applications. Finally, you learned how to examine the /sys/kernel/security path to confirm the AppArmor kernel module's presence and status within the system's security framework.