1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197
|
# This publication is intellectual property of Novell Inc. and Canonical
# Ltd. Its contents can be duplicated, either in part or in whole, provided
# that a copyright label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
# shall be held liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-status - display various information about the current AppArmor
policy.
=head1 SYNOPSIS
B<aa-status> [option]
=head1 DESCRIPTION
B<aa-status> will report various aspects of the current state of
AppArmor confinement. By default, it displays the same information as if
the I<--verbose> argument were given. A sample of what this looks like
is:
apparmor module is loaded.
110 profiles are loaded.
102 profiles are in enforce mode.
8 profiles are in complain mode.
Out of 129 processes running:
13 processes have profiles defined.
8 processes have profiles in enforce mode.
5 processes have profiles in complain mode.
Other argument options are provided to report individual aspects, to
support being used in scripts.
=head1 OPTIONS
B<aa-status> accepts only one argument at a time out of:
=over 4
=item --enabled
returns error code if AppArmor is not enabled.
=item --profiled
displays the number of loaded AppArmor policies.
=item --enforced
displays the number of loaded enforcing AppArmor policies.
=item --complaining
displays the number of loaded non-enforcing AppArmor policies.
=item --kill
displays the number of loaded enforcing AppArmor policies that will
kill tasks on policy violations.
=item --prompt
displays the number of loaded enforcing AppArmor policies, with
fallback to userspace mediation.
=item --special-unconfined
displays the number of loaded non-enforcing AppArmor policies that are
in the special unconfined mode.
=item --process-mixed
displays the number of processes confined by profile stacks with
profiles in different modes.
=item --verbose
displays multiple data points about loaded AppArmor policy
set (the default action if no arguments are given).
=item --json
displays multiple data points about loaded AppArmor policy
set in a JSON format, fit for machine consumption.
=item --pretty-json
same as --json, formatted to be readable by humans as well
as by machines.
=item --show
what data sets to show information about. Currently I<processes>,
I<profiles>, I<all> for both processes and profiles. The default is
I<all>.
=item --count
display only counts for selected information.
=item --filter.mode=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes and profiles apparmor profile
mode, reducing the output.
=item --filter.profiles=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes and profiles confining
profile, reducing the output.
=item --filter.pid=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes, so that only processes pids
matching the expression will be displayed.
=item --filter.exe=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes, so that only processes
executable name matching the expression will be displayed.
=item --help
displays a short usage statement.
=back
=head1 EXIT STATUS
Upon exiting, B<aa-status> will set its exit status to the
following values:
=over 4
=item B<0>
if apparmor is enabled and policy is loaded.
=item B<1>
if apparmor is not enabled/loaded.
=item B<2>
if apparmor is enabled but no policy is loaded.
=item B<3>
if the apparmor control files aren't available under
/sys/kernel/security/.
=item B<4>
if the user running the script doesn't have enough privileges to read
the apparmor control files.
=item B<42>
if an internal error occurred.
=back
=head1 BUGS
B<aa-status> must be run as root to read the state of the loaded
policy from the apparmor module. It uses the /proc filesystem to
determine which processes are confined and so is susceptible to race
conditions.
If you find any additional bugs, please report them at
L<https://gitlab.com/apparmor/apparmor/-/issues>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), and
L<https://wiki.apparmor.net>.
=cut
|