avcstat - Linux
Overview
The avcstat command in Linux provides detailed statistics about AppArmor security violations and policy denials. It offers insights into the frequency and nature of security events detected by AppArmor, allowing administrators to identify and address security concerns effectively.
Syntax
avcstat [options] [<target>]
Options/Flags
- -a, --all: Display all statistics, including events for all profiles (default).
- -f, --failed: Display only statistics for events that resulted in access denials.
- -p, --profile: Limit statistics to the specified AppArmor profile.
- -A, --audit: Display statistics for audit-only events (no enforcement).
- -h, --help: Display help and usage information.
Examples
Simple usage:
avcstat
Display only failed events:
avcstat -f
Filter statistics for a specific profile:
avcstat -p myprofile
Show only audit-only events:
avcstat -A
Common Issues
- Elevated privileges: avcstat requires root privileges to display all profile statistics.
- Permission denied: If avcstat fails with "permission denied" for a specific profile, ensure that the current user has read access to the profile’s audit log.
Integration
avcstat can be integrated with other security monitoring tools and scripts:
- Log analysis: Parse avcstat output using tools like logwatch or grep to track security-related events.
- Auditing: Regularly run avcstat as part of an auditing script to monitor AppArmor activity and identify potential security risks.
Related Commands
- apparmor_parser: Parses AppArmor audit logs into a human-readable format.
- apparmor_status: Displays the status of AppArmor profiles.
- auditctl: Configures audit settings and policies for the system.