docs: initial documentation website.

2023-01-29 21:18:22 +00:00 · 2023-01-29 21:18:22 +00:00 · ecf82c7176
commit ecf82c7176
parent 3c3f164e91
17 changed files with 1143 additions and 0 deletions
--- a/docs/usage.md
+++ b/docs/usage.md
@ -0,0 +1,121 @@
+---
+title: Usage
+---
+
+## Enabled profiles
+
+Once installed and with the rules enabled, you can ensure the rules are loaded
+with:
+```sh
+sudo aa-status
+```
+
+It should give something like:
+```
+apparmor module is loaded.
+1441 profiles are loaded.
+112 profiles are in enforce mode.
+   ...
+0 profiles are in kill mode.
+0 profiles are in unconfined mode.
+155 processes have profiles defined.
+14 processes are in enforce mode.
+   ...
+141 processes are in complain mode.
+   ...
+0 processes are unconfined but have a profile defined.
+0 processes are in mixed mode.
+0 processes are in kill mode.
+```
+
+You can also list the current processes alongside with their security profile with:
+```sh
+ps auxZ
+```
+
+Most of the processes should then be confined:
+```
+unconfined                      root        /usr/lib/systemd/systemd --switched-root --system --deserialize 33
+systemd-udevd (complain)        root        /usr/lib/systemd/systemd-udevd
+systemd-journald (complain)     root        /usr/lib/systemd/systemd-journald
+rngd (complain)                 root        /usr/bin/rngd -f
+systemd-timesyncd (complain)    systemd+    /usr/lib/systemd/systemd-timesyncd
+auditd (complain)               root        /sbin/auditd
+acpid (complain)                root        /usr/bin/acpid --foreground --netlink
+dbus-daemon (complain)          dbus        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
+power-profiles-daemon (complain) root       /usr/lib/power-profiles-daemon
+systemd-logind (complain)       root        /usr/lib/systemd/systemd-logind
+systemd-machined (complain)     root        /usr/lib/systemd/systemd-machined
+NetworkManager (complain)       root        /usr/bin/NetworkManager --no-daemon
+polkitd (complain)              polkitd     /usr/lib/polkit-1/polkitd --no-debug
+gdm (complain)                  root        /usr/bin/gdm
+accounts-daemon (complain)      root        /usr/lib/accounts-daemon
+rtkit-daemon (complain)         rtkit       /usr/lib/rtkit-daemon
+packagekitd (complain)          root        /usr/lib/packagekitd
+colord (complain)               colord      /usr/lib/colord
+unconfined                      user        /usr/lib/systemd/systemd --user
+unconfined                      user        (sd-pam)
+gdm-wayland-session (complain)  user        /usr/lib/gdm-wayland-session /usr/bin/gnome-session
+gnome-session-binary (complain) user        /usr/lib/gnome-session-binary
+gnome-session-ctl (complain)    user        /usr/lib/gnome-session-ctl --monitor
+gnome-session-binary (complain) user        /usr/lib/gnome-session-binary --systemd-service --session=gnome
+gnome-shell (complain)          user        /usr/bin/gnome-shell
+...
+ps (complain)                   user        ps auxZ
+```
+
+??? info "Hide the kernel thread in `ps`"
+
+    To hide the kernel thread in `ps` use `ps auxZ | grep -v '\[.*\]'`. You can
+    add an alias in your shell:
+    ```sh
+    alias p="ps auxZ | grep -v '\[.*\]'"
+    ```
+
+
+## AppArmor Log
+
+Ensure that `auditd` is installed and running on your system in order to read
+AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the
+provided command `aa-log` allowing you to review AppArmor generated messages in
+a colorful way.
+
+Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof`
+should work as expected.
+
+
+### Basic use
+
+To read the AppArmor log from `/var/log/audit/audit.log`:
+```sh
+aa-log
+```
+
+To optionally filter a given profile name: `aa-log <profile-name>` (zsh will
+autocomplete the profile name):
+```
+aa-log dnsmasq
+DENIED  dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
+DENIED  dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
+DENIED  dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
+```
+
+!!! info
+
+    Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1`
+    parses `/var/log/audit/audit.log.1`.
+
+
+### Help
+
+```
+aa-log [-h] [-s] [-f file] [profile]
+
+  Review AppArmor generated messages in a colorful way.
+  It can be given an optional profile name to filter the output with.
+
+  -f file
+    	Set a logfile or a suffix to the default log file. (default "/var/log/audit/audit.log")
+  -h	Show this help message and exit.
+  -s	Parse systemd dbus logs.
+```