Linux command

aa-notify command

After copying, replace file names, directories, or parameters as needed.

Common examples

Display a summary of messages since the last login

aa-notify --since-last

Show a summary of messages for the last 7 days

aa-notify --since-days [7]

Poll logs

aa-notify --poll --user [username] --display $DISPLAY

Search a specific file

aa-notify --file [/var/log/audit/audit.log]

Show verbose messages

aa-notify --since-days [3] --verbose

Wait before displaying notifications

aa-notify --poll --wait [10]

Description

aa-notify displays information about logged AppArmor security events, specifically DENIED messages that occur when applications attempt actions blocked by their AppArmor profiles. The tool operates in two modes: summary mode shows a report of past denials from a specified time period, while poll mode continuously monitors logs and delivers desktop notifications in real time. This makes it useful both for auditing historical security events and for receiving immediate alerts about policy violations. AppArmor messages are read from the systemd journal, /var/log/syslog, /var/log/kern.log, or /var/log/audit/audit.log when auditd is installed. The tool requires appropriate privileges to read these logs and is typically run under sudo.
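
To show what a DENIED record in those logs contains, the following added example (not part of the original page and not aa-notify's own code) tallies denials per profile, operation and denied mask, roughly what you would want from a summary when aa-notify is not installed. The function names, profile names and log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: tally AppArmor DENIED records by profile, operation and mask.
# Not aa-notify's own code; function names and log lines are constructed.

# Constructed sample records in the audit.log and kern.log styles.
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/example-viewer" name="/etc/shadow" pid=4101 comm="example-viewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000005.310:202): apparmor="DENIED" operation="open" profile="/usr/bin/example-viewer" name="/home/alice/.ssh/id_ed25519" pid=4101 comm="example-viewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000009.000:203): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/example-daemon" name="/usr/bin/id" pid=4200 comm="example-daemon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 14 22:13:31 host kernel: audit: type=1400 audit(1700000011.512:204): apparmor="DENIED" operation="mknod" profile="/usr/sbin/example-daemon" name="/var/tmp/x" pid=4200 comm="example-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
EOF
}

# summarize_denials [FILE...]: print "count profile operation denied_mask",
# most frequent first. Reads stdin when no FILE is given.
summarize_denials() {
  awk '
    # Return the value of key="value" on the current line, or "-" when the
    # key is absent or its value is not in quoted form.
    function field(key,    s) {
      if (!match($0, " " key "=\"[^\"]*\"")) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)
      sub(/"$/, "", s)
      return s
    }
    # ALLOWED (complain-mode) records and unrelated lines are skipped.
    /apparmor="DENIED"/ {
      n[field("profile") " " field("operation") " " field("denied_mask")]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample. For a real log, call e.g.
#   summarize_denials /var/log/audit/audit.log
sample_log | summarize_denials
```

Reading the real log files needs the same privileges the page notes for aa-notify itself.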

Parameters

-p, --poll
Poll AppArmor logs continuously and display desktop notifications for DENIED messages
-f _FILE_, --file=_FILE_
Search FILE for AppArmor messages instead of the default log locations
-l, --since-last
Show summary of messages since last login
-s _NUM_, --since-days=_NUM_
Show summary of messages for the last NUM days
-u _USER_, --user=_USER_
Drop privileges to USER when running privileged; required with --poll for desktop notifications
-w _NUM_, --wait=_NUM_
Wait NUM seconds before displaying notifications (useful for autostart)
--display _$DISPLAY_
Set the DISPLAY environment variable for desktop notifications
-v, --verbose
Show full messages along with summaries
-h, --help
Display usage information

FAQ

How do I run a basic aa-notify example?

Run `aa-notify --since-last` in a terminal, then adjust file paths and flags for your system.