854
Comment: Initial instructions draft.
|
2913
Don't recommend installing apparmor-profiles: deny rules are effective even in complain mode
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
Install AppArmor userspace tools and some contributed profiles: | ## page was renamed from AppArmor/HowTo #language en ~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~<<Navigation(siblings,1)>> ---- <<TableOfContents>> == Requirements == A Debian 7 "Wheezy" or newer GNU/Linux system is required. == Install software == Install !AppArmor userspace tools: |
Line 4: | Line 16: |
$ sudo apt-get install apparmor apparmor-profiles apparmor-utils | $ sudo apt install apparmor apparmor-utils |
Line 7: | Line 19: |
Enable the AppArmor LSM: | (If you intend to use automatic profile generation tools, also install `auditd`.) == Enable AppArmor == Enable the !AppArmor LSM: |
Line 10: | Line 26: |
$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub | $ sudo mkdir /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \ | sudo tee /etc/default/grub.d/apparmor.cfg |
Line 15: | Line 33: |
See what running executable is currently confined by an AppArmor profile: | In the future, this should be automated, see DebianBug:702030 |
Line 17: | Line 35: |
== Inspect the current state == {{{ $ sudo aa-status }}} will list all loaded !AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined). |
|
Line 20: | Line 44: |
will list running executables which are currently confined by an !AppArmor profile. | |
Line 21: | Line 46: |
One place to find more profiles is [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=new-profile;users=apparmor@packages.debian.org|the patches, with new profiles included, that were submitted to Debian]]. | == Enable / install more profiles == |
Line 23: | Line 48: |
Once you've dropped the new profile into `/etc/apparmor.d/`, use `apparmor_parser(8)` to insert it into the kernel. | Find more profiles: |
Line 25: | Line 50: |
AppArmor audit logs can be found in `/var/log/kern.log`. | * in the DebianPkg:apparmor-profiles package; * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer); * in [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|the patches, with new profiles included]], that were submitted to Debian; * in Ubuntu. !AppArmor profiles live in `/etc/apparmor.d/`. One can use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert them into the kernel. This is done automatically when installing the DebianPkg:apparmor-profiles or the DebianPkg:apparmor-profiles-extra package. For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following: {{{ cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done }}} To set these profiles to enforce mode, use `aa-enforce` instead of `aa-complain`. '''Beware''' though: many of these profiles are not up-to-date and will break functionality in enforce mode; only enforce them if you're ready to improve them ''upstream''. == Debug == !AppArmor audit logs can be found in the systemd Journal or in `/var/log/syslog`. For more detailed instructions, please read the dedicated documentation for [[AppArmor/Debug|debugging AppArmor]]. == Report a bug == If you think that you've found a bug in !AppArmor or a software in Debian which ships its own profile, you might want to [[AppArmor/Reportbug | report a bug]]. == Learn more == [[AppArmor#External_links|Learn more]] or [[AppArmor/Contribute| start contributing]]. |
Translation(s): none
/Contribute /Debug /HowToUse /OutReachyRound9 /Progress /Reportbug /UserStories |
Contents
Requirements
A Debian 7 "Wheezy" or newer GNU/Linux system is required.
Install software
Install AppArmor userspace tools:
$ sudo apt install apparmor apparmor-utils
(If you intend to use automatic profile generation tools, also install auditd.)
Enable AppArmor
Enable the AppArmor LSM:
$ sudo mkdir /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot
In the future, this should be automated, see 702030
Inspect the current state
$ sudo aa-status
will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).
$ ps auxZ | grep -v '^unconfined'
will list running executables which are currently confined by an AppArmor profile.
Enable / install more profiles
Find more profiles:
in the apparmor-profiles package;
in the apparmor-profiles-extra package (available in Jessie and newer);
in the patches, with new profiles included, that were submitted to Debian;
- in Ubuntu.
AppArmor profiles live in /etc/apparmor.d/. One can use apparmor_parser(8) to insert them into the kernel. This is done automatically when installing the apparmor-profiles or the apparmor-profiles-extra package.
For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following:
cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode; only enforce them if you're ready to improve them upstream.
Debug
AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.
For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
Report a bug
If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.