Differences between revisions 1 and 28 (spanning 27 versions)
Revision 1 as of 2012-05-11 15:40:30
Size: 854
Editor: ?IntRigeri
Comment: Initial instructions draft.
Revision 28 as of 2015-01-29 16:17:17
Size: 2650
Editor: UlrikeUhlig
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Install AppArmor userspace tools and some contributed profiles: ## page was renamed from AppArmor/HowTo
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~<<Navigation(siblings,1)>>
----
<<TableOfContents>>

== Requirements ==

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

If you are using wheezy, upgrading to systemd 204-14 from wheezy-backports is recommended, but not mandatory.

== Install software ==

Install !AppArmor userspace tools and some contributed profiles:
Line 7: Line 21:
Enable the AppArmor LSM: == Enable AppArmor ==

Enable the !AppArmor LSM:
Line 15: Line 31:
See what running executable is currently confined by an AppArmor profile: In the future, this should be automated, see [[http://bugs.debian.org/702030|#702030]]
Line 17: Line 33:
== Inspect the current state ==

{{{
$ sudo aa-status
}}}
will list all loaded !AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).
Line 20: Line 42:
will list running executables which are currently confined by an !AppArmor profile.
Line 21: Line 44:
One place to find more profiles is [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=new-profile;users=apparmor@packages.debian.org|the patches, with new profiles included, that were submitted to Debian]]. == Enable / install more profiles ==
Line 23: Line 46:
Once you've dropped the new profile into `/etc/apparmor.d/`, use `apparmor_parser(8)` to insert it into the kernel. Find more profiles:
Line 25: Line 48:
AppArmor audit logs can be found in `/var/log/kern.log`.  * in the DebianPkg:apparmor-profiles package;
 * in the DebianPkg:apparmor-profiles-extra package (available in wheezy-backports and jessie);
 * in [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|the patches, with new profiles included]], that were submitted to Debian;
 * in Ubuntu.

Once you've dropped the new profile (this is automated when installing the DebianPkg:apparmor-profiles or the DebianPkg:apparmor-profiles-extra package) into `/etc/apparmor.d/`, use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert it into the kernel.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following:

{{{
cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/
for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
}}}

To set these profiles to enforce mode, use `aa-enforce` instead of `aa-complain`. Note that many of these profiles are not up-to-date and might break functionality in enforce mode.

!AppArmor audit logs can be found in `/var/log/syslog`.

== Debug ==

Please read the dedicated documentation for [[AppArmor/Debug|debugging AppArmor]].

== Learn more ==

[[AppArmor#External_links|Learn more]] or [[AppArmor/Contribute| start contributing]].

Translation(s): none


Requirements

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

If you are using wheezy, upgrading to systemd 204-14 from wheezy-backports is recommended, but not mandatory.

Install software

Install AppArmor userspace tools and some contributed profiles:

$ sudo apt-get install apparmor apparmor-profiles apparmor-utils

Enable AppArmor

Enable the AppArmor LSM:

$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo update-grub
$ sudo reboot

In the future, this should be automated, see #702030

Inspect the current state

$ sudo aa-status

will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).

$ ps auxZ | grep -v '^unconfined'

will list running executables which are currently confined by an AppArmor profile.

Enable / install more profiles

Find more profiles:

Once you've dropped the new profile (this is automated when installing the apparmor-profiles or the apparmor-profiles-extra package) into /etc/apparmor.d/, use apparmor_parser(8) to insert it into the kernel.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following:

cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/
for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Note that many of these profiles are not up-to-date and might break functionality in enforce mode.

AppArmor audit logs can be found in /var/log/syslog.

Debug

Please read the dedicated documentation for debugging AppArmor.

Learn more

Learn more or start contributing.