avcstat - Linux


Overview

The avcstat command in Linux provides detailed statistics about AppArmor security violations and policy denials. It offers insights into the frequency and nature of security events detected by AppArmor, allowing administrators to identify and address security concerns effectively.

Syntax

avcstat [options] [<target>]

Options/Flags

  • -a, --all: Display all statistics, including events for all profiles (default).
  • -f, --failed: Display only statistics for events that resulted in access denials.
  • -p, --profile : Limit statistics to the specified AppArmor profile.
  • -A, --audit: Display statistics for audit-only events (no enforcement).
  • -h, --help: Display help and usage information.

Examples

Simple usage:

avcstat

Display only failed events:

avcstat -f

Filter statistics for a specific profile:

avcstat -p myprofile

Show only audit-only events:

avcstat -A

Common Issues

  • Elevated privileges: avcstat requires root privileges to display all profile statistics.
  • Permission denied: If avcstat fails with "permission denied" for a specific profile, ensure that the current user has read access to the profile’s audit log.

Integration

avcstat can be integrated with other security monitoring tools and scripts:

  • Log analysis: Parse avcstat output using tools like logwatch or grep to track security-related events.
  • Auditing: Regularly run avcstat as part of an auditing script to monitor AppArmor activity and identify potential security risks.

Related Commands

  • apparmor_parser: Parses AppArmor audit logs into a human-readable format.
  • apparmor_status: Displays the status of AppArmor profiles.
  • auditctl: Configures audit settings and policies for the system.