aa-status: Quick look at AppArmor status



A practical, command-first guide to checking which AppArmor profiles are loaded and how they are enforcing on your system.

Quickstart

  • Basic check (read-only):
sudo aa-status
  • If you’re not root, you’ll see restricted output; using sudo is the common path to a full report.

What you’ll see

When you run aa-status, you’ll typically get a header like:

> List currently loaded AppArmor modules.
> See also: `aa-complain`, `aa-disable`, `aa-enforce`.

Key parts of the output include:

  • The number of loaded profiles in different modes (enforced, complain, etc.).
  • Details about which profiles are loaded and their permissions.

Common options (examples)

  • Display the number of loaded profiles (summary):
sudo aa-status --profiled
  • Display the number of loaded enforcing policies:
sudo aa-status --enforced
  • Display the number of loaded non-enforcing (complaining) policies:
sudo aa-status --complaining
  • Display the number of loaded enforcing policies that kill tasks:
sudo aa-status --kill

Real-world examples

  • Quick health check:
sudo aa-status

If the output shows many profiles in enforcing mode, your system is actively restricting actions. A high number of complaining profiles may indicate a misconfiguration or outdated policies.

  • Identify how many policies are currently enforcing:
sudo aa-status --enforced

Use this to verify that critical paths (e.g., web servers, SSH) are protected as intended.
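
A count alone does not say which profiles are enforcing. The shell functions below are an added example (not from the original guide or the AppArmor project) that parse the plain-text aa-status report and check named profiles. The function names, profile names and sample report are constructed, and the report is assumed to use the usual "N profiles are in <mode> mode." sections.

```shell
#!/bin/sh
# Added example: check that named profiles are in enforce mode.
# Function names, profile names and the sample report are constructed.

sample_report() {   # constructed report in the layout aa-status prints
cat <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/sshd
   nginx
2 profiles are in complain mode.
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
0 profiles are in kill mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/sshd (812)
   /usr/sbin/nginx (901) nginx
0 processes are in complain mode.
EOF
}

# Read a report on stdin; print the mode of profile $1, or "not-loaded".
profile_mode() {
    awk -v want="$1" '
        /^[0-9]+ profiles are in [a-z]+ mode\.$/ { mode = $5; next }
        /^[0-9]+ / { mode = ""; next }   # any other counter line ends the list
        mode != "" {
            name = $0; gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "not-loaded" }'
}

# Read a report on stdin; report every profile in "$@" that is not enforcing.
check_enforced() {
    report=$(cat); rc=0
    for p in "$@"; do
        m=$(printf '%s\n' "$report" | profile_mode "$p")
        [ "$m" = "enforce" ] || { echo "FAIL $p: $m"; rc=1; }
    done
    return $rc
}

# Demo on the constructed report. On a host: sudo aa-status | check_enforced ...
sample_report | check_enforced /usr/sbin/sshd nginx /usr/sbin/cupsd ||
    echo "at least one required profile is not enforcing"
```

The non-zero return from check_enforced makes it usable as a gate in a cron job or CI step; a profile that is missing entirely is reported as not-loaded rather than silently passing.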

Common pitfalls

  • Running without sudo often yields incomplete information. Always run with elevated privileges for a complete view.
  • Misinterpreting “complaining” versus “enforcing”:
    • Enforcing: violations are blocked.
    • Complaining: violations are logged but not blocked.
  • Output can be verbose on systems with many profiles; use the specific --enforced/--profiled flags to focus on what you care about.

Troubleshooting tips

  • If aa-status shows unexpected results, ensure AppArmor is enabled and the kernel supports it.
  • For stale or missing policy data, you might need to refresh or reload policy databases via appropriate tools (e.g., aa-complain, aa-enforce) or update AppArmor itself.
  • When you upgrade the distro or kernel, review AppArmor profiles for compatibility.

Quick reference

  • Basic: sudo aa-status
  • Profiles count: sudo aa-status --profiled
  • Enforcing: sudo aa-status --enforced
  • Complaining: sudo aa-status --complaining
  • Kill mode: sudo aa-status --kill

For more detailed information, see the AppArmor manpage: man aa-status.
