Differences between revisions 1 and 47 (spanning 46 versions)
Revision 1 as of 2012-05-11 15:40:30
Size: 854
Editor: ?IntRigeri
Comment: Initial instructions draft.
Revision 47 as of 2019-03-13 06:57:29
Size: 3391
Editor: ?IntRigeri
Comment: AppArmor is enabled by default in Buster
Deleted lines are listed under "Deleted:" and added lines under "Added:" for each hunk (the left line number refers to revision 1, the right one to revision 47).

Line 1: Line 1:
Deleted:
Install AppArmor userspace tools and some contributed profiles:
Added:
## page was renamed from AppArmor/HowTo
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~<<Navigation(siblings,1)>>
----
<<TableOfContents>>

== Requirements ==

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

== Install software ==

Install !AppArmor userspace tools:

Line 4: Line 16:
Deleted:
$ sudo apt-get install apparmor apparmor-profiles apparmor-utils
Added:
$ sudo apt install apparmor apparmor-utils

Line 7: Line 19:
Deleted:
Enable the AppArmor LSM:
Added:
(If you intend to use automatic profile generation tools, also install `auditd`.)

== Enable AppArmor ==

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the !AppArmor Linux Security Modules (LSM):

Line 10: Line 28:
Deleted:
$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
Added:
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg

Line 15: Line 35:
Deleted:
See what running executable is currently confined by an AppArmor profile:
Added:
== Inspect the current state ==

Line 17: Line 37:
Added:
{{{
$ sudo aa-status
}}}
will list all loaded !AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).

Line 20: Line 44:
Added:
will list running executables which are currently confined by an !AppArmor profile.

Line 21: Line 46:
Deleted:
One place to find more profiles is [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=new-profile;users=apparmor@packages.debian.org|the patches, with new profiles included, that were submitted to Debian]].
Added:
== Enable / install more profiles ==

Line 23: Line 48:
Deleted:
Once you've dropped the new profile into `/etc/apparmor.d/`, use `apparmor_parser(8)` to insert it into the kernel.
Added:
Find more profiles:

Line 25: Line 50:
Deleted:
AppArmor audit logs can be found in `/var/log/kern.log`.
Added:
 * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer);
 * in the DebianPkg:apparmor-profiles package;
 * in [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|the patches, with new profiles included]], that were submitted to Debian;
 * in Ubuntu.

!AppArmor profiles live in `/etc/apparmor.d/`. One can use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert them into the kernel. This is done automatically when installing packages that drop policy in `/etc/apparmor.d/`.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except `deny` rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:

{{{
cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
}}}

To set these profiles to enforce mode, use `aa-enforce` instead of `aa-complain`. '''Beware''' though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them ''upstream''.

== Debug ==

!AppArmor audit logs can be found in the systemd Journal or in `/var/log/syslog`.

For more detailed instructions, please read the dedicated documentation for [[AppArmor/Debug|debugging AppArmor]].

== Report a bug ==

If you think that you've found a bug in !AppArmor or a software in Debian which ships its own profile, you might want to [[AppArmor/Reportbug | report a bug]].

== Learn more ==

[[AppArmor#External_links|Learn more]] or [[AppArmor/Contribute| start contributing]].

== Disable AppArmor ==

First, you can disable individual profiles with `aa-disable`.

But if you want to entirely disable AppArmor on your system, run:

{{{
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot
}}}

Requirements

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

Install software

Install AppArmor userspace tools:

$ sudo apt install apparmor apparmor-utils

(If you intend to use automatic profile generation tools, also install auditd.)

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the AppArmor Linux Security Modules (LSM):

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

$ sudo aa-status

will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).

$ ps auxZ | grep -v '^unconfined'

will list running executables which are currently confined by an AppArmor profile.
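The two commands above tell you which profiles are loaded and which processes are actually confined, but reading raw `ps auxZ` output by eye gets tedious on a busy host. The following added example (not code from the Debian wiki page) turns that output into a short per-process table and counts confined processes per mode. It relies on the fact that the `ps auxZ` LABEL column is either `unconfined` or `<profile> (<mode>)`; the sample processes, PIDs and timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): filter `ps auxZ` output down
# to confined processes and count them per AppArmor mode.
#
# The LABEL column printed by `ps auxZ` is either "unconfined" or
# "<profile> (<mode>)", i.e. two whitespace-separated fields, followed by the
# usual USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND columns.

# Constructed sample of `ps auxZ` output (hypothetical processes and PIDs).
SAMPLE_PS='LABEL                       USER   PID %CPU %MEM    VSZ   RSS TTY   STAT START TIME COMMAND
unconfined                  root     1  0.0  0.1 169000  9000 ?     Ss   06:50 0:01 /sbin/init
/usr/sbin/cupsd (enforce)   root   612  0.0  0.3 250000 12000 ?     Ss   06:51 0:00 /usr/sbin/cupsd -l
/usr/sbin/ntpd (complain)   ntp    700  0.0  0.1  98000  4000 ?     Ss   06:51 0:00 /usr/sbin/ntpd -p /run/ntpd.pid
unconfined                  alice  900  0.1  0.5  22000  5000 pts/0 Ss   06:55 0:00 bash
/usr/bin/evince (enforce)   alice  950  0.2  1.0 600000 40000 ?     Sl   06:56 0:02 evince report.pdf'

# confined_processes: read `ps auxZ` output on stdin and print one line per
# confined process as "<profile>\t<mode>\t<pid>\t<command>".
confined_processes() {
    awk '
        NR == 1 { next }                 # header line
        $1 == "unconfined" { next }      # no profile attached to this process
        {
            profile = $1
            mode = $2
            gsub(/[()]/, "", mode)       # "(enforce)" -> "enforce"
            pid = $4                     # label takes 2 fields: USER is $3, PID is $4
            cmd = ""
            for (i = 13; i <= NF; i++)   # COMMAND starts at field 13
                cmd = cmd (i > 13 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\n", profile, mode, pid, cmd
        }'
}

# count_mode MODE: number of confined processes running in MODE
# ("enforce" or "complain"), reading `ps auxZ` output from stdin.
count_mode() {
    confined_processes | awk -F '\t' -v m="$1" '$2 == m { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a live system use:
#   ps auxZ | confined_processes
printf '%s\n' "$SAMPLE_PS" | confined_processes
```

A process that shows up as `unconfined` while a profile for its binary is loaded usually means the process was started before the profile was loaded (a profile only attaches on `exec`), so restarting the service is the usual fix.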

Enable / install more profiles

Find more profiles:

 * in the apparmor-profiles-extra package (available in Jessie and newer);
 * in the apparmor-profiles package;
 * in the patches, with new profiles included, that were submitted to Debian;
 * in Ubuntu.

AppArmor profiles live in /etc/apparmor.d/. One can use apparmor_parser(8) to insert them into the kernel. This is done automatically when installing packages that drop policy in /etc/apparmor.d/.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (in which the security policy is not enforced and access violations are only logged, except that deny rules are still silently enforced), do the following:

cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.
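Before enforcing profiles that were bulk-switched to complain mode it helps to see, per profile file, which mode it will load in. The following added example (not code from the Debian wiki page) derives that from the on-disk state that the `aa-*` tools leave behind. It assumes, as far as I know of apparmor-utils, that `aa-disable` drops a symlink into `/etc/apparmor.d/disable/`, and that `aa-complain` either sets `flags=(complain)` in the profile header or (in older versions) drops a symlink into `/etc/apparmor.d/force-complain/`; the profile files and directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): report, for every profile
# file in an apparmor.d directory, whether it is disabled, in complain mode or
# in enforce mode, judged from the on-disk state that aa-disable / aa-complain
# / aa-enforce leave behind (assumed behaviour of apparmor-utils):
#   - a symlink in <dir>/disable/        -> profile is not loaded (aa-disable)
#   - a symlink in <dir>/force-complain/ -> complain (older aa-complain)
#   - flags=(...complain...) in the profile header -> complain (newer aa-complain)
#   - otherwise                           -> enforce

# mode_of_profile DIR FILE: print disabled | complain | enforce
mode_of_profile() {
    dir=$1; f=$2
    if [ -e "$dir/disable/$f" ] || [ -L "$dir/disable/$f" ]; then
        echo disabled
    elif [ -e "$dir/force-complain/$f" ] || [ -L "$dir/force-complain/$f" ]; then
        echo complain
    elif grep -Eq '^[^#]*flags=\([^)]*complain[^)]*\)[[:space:]]*\{' "$dir/$f"; then
        echo complain
    else
        echo enforce
    fi
}

# list_modes DIR: "<file>\t<mode>" for every regular file directly in DIR
list_modes() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        name=$(basename "$p")
        printf '%s\t%s\n' "$name" "$(mode_of_profile "$1" "$name")"
    done
}

# Constructed sample directory standing in for /etc/apparmor.d (hypothetical
# profiles; removed again when the script exits).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/disable" "$SAMPLE_DIR/force-complain"
cat > "$SAMPLE_DIR/usr.sbin.cupsd" <<'EOF'
#include <tunables/global>
/usr/sbin/cupsd {
  #include <abstractions/base>
  /etc/cups/** r,
}
EOF
cat > "$SAMPLE_DIR/usr.sbin.ntpd" <<'EOF'
#include <tunables/global>
/usr/sbin/ntpd flags=(attach_disconnected,complain) {
  #include <abstractions/base>
  /var/lib/ntp/drift rw,
}
EOF
cat > "$SAMPLE_DIR/usr.bin.evince" <<'EOF'
#include <tunables/global>
/usr/bin/evince {
  #include <abstractions/base>
}
EOF
ln -s "$SAMPLE_DIR/usr.bin.evince" "$SAMPLE_DIR/disable/usr.bin.evince"

list_modes "$SAMPLE_DIR"      # on a live system: list_modes /etc/apparmor.d
```

This only reads files, so it can run as an unprivileged user; `aa-status` remains the authority for what the kernel has actually loaded, and the two should agree after `systemctl reload apparmor`.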

Debug

AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
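When a profile is in complain mode, the violations it would have blocked show up in those logs as `apparmor="ALLOWED"` records, while enforce-mode blocks show up as `apparmor="DENIED"`. The following added example (not code from the Debian wiki page) summarises such records per profile and operation so you can tell what a profile still needs before enforcing it; the log lines, host name, PIDs and timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): summarise AppArmor audit
# records read from syslog or the journal. A DENIED record is an access
# blocked by a profile in enforce mode; an ALLOWED record is an access that a
# profile in complain mode let through but would have blocked.

# Constructed sample log lines (hypothetical host, PIDs and timestamps).
SAMPLE_LOG='Mar 13 06:57:29 host kernel: [ 1234.567890] audit: type=1400 audit(1552460249.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=612 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 13 06:58:01 host kernel: [ 1266.001122] audit: type=1400 audit(1552460281.456:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift" pid=700 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=106 ouid=106
Mar 13 06:58:05 host kernel: [ 1270.111222] audit: type=1400 audit(1552460285.789:47): apparmor="DENIED" operation="exec" profile="/usr/sbin/cupsd" name="/usr/bin/perl" pid=620 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 13 06:58:10 host kernel: [ 1275.333444] audit: type=1400 audit(1552460290.012:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince" pid=1001 comm="apparmor_parser"'

# summarize_violations: read log lines on stdin and print, sorted,
# "<verdict>\t<profile>\t<operation>\t<count>\t<names>" for DENIED/ALLOWED
# records (STATUS records such as profile loads are ignored).
summarize_violations() {
    awk '
        # value(key): the quoted value of key="..." in the current line, or "-"
        function value(key,    m) {
            if (match($0, " " key "=\"[^\"]*\"")) {
                m = substr($0, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", m)    # drop the leading  key="
                sub(/"$/, "", m)         # drop the trailing quote
                return m
            }
            return "-"
        }
        /apparmor="(DENIED|ALLOWED)"/ {
            k = value("apparmor") "\t" value("profile") "\t" value("operation")
            count[k]++
            if (value("name") != "-") names[k] = names[k] " " value("name")
        }
        END {
            for (k in count) printf "%s\t%d\t%s\n", k, count[k], substr(names[k], 2)
        }' | sort
}

# count_verdict VERDICT: total number of DENIED (or ALLOWED) records on stdin
count_verdict() {
    summarize_violations | awk -F '\t' -v v="$1" '$1 == v { n += $4 } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a live system use
#   journalctl -k --no-pager | summarize_violations
# or
#   summarize_violations < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | summarize_violations
```

The `names` column lists the paths involved, which is what you end up adding rules for; a sudden burst of DENIED records for a profile that has been quiet for months is also a cheap detection signal worth alerting on.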

Report a bug

If you think that you've found a bug in AppArmor or in software in Debian which ships its own profile, you might want to report a bug.

Learn more

Learn more or start contributing.

Disable AppArmor

First, you can disable individual profiles with aa-disable.

But if you want to entirely disable AppArmor on your system, run:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot