Differences between revisions 1 and 52 (spanning 51 versions)
Revision 1 as of 2012-05-11 15:40:30
Size: 854
Editor: ?IntRigeri
Comment: Initial instructions draft.
Revision 52 as of 2020-01-31 19:17:46
Size: 3626
Editor: nodiscc
Comment: formatting, add aa-unconfined
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Install AppArmor userspace tools and some contributed profiles: ## page was renamed from AppArmor/HowTo
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~

This page describes how to use '''AppArmor''' on Debian.

<<TableOfContents>>

----

== Install software ==

!AppArmor is available in Debian since Debian 7 "Wheezy".

[[PackageManagement#Installing.2C_removing.2C_upgrading_software|Install]] !AppArmor userspace tools:

 * [[DebianPkg:apparmor]]
 * [[DebianPkg:apparmor-utils]]
 * [[DebianPkg:auditd]] (If you intend to use automatic profile generation tools)

== Enable AppArmor ==

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the !AppArmor Linux Security Modules (LSM):
Line 4: Line 28:
$ sudo apt-get install apparmor apparmor-profiles apparmor-utils
}}}

Ena
ble the AppArmor LSM:

{{{

$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee
/etc/default/grub.d/apparmor.cfg
Line 15: Line 35:
See what running executable is currently confined by an AppArmor profile: == Inspect the current state ==

List all loaded !AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

{{{
$ sudo aa-status
}}}

List running executables which are currently confined by an !AppArmor profile:
Line 21: Line 49:
One place to find more profiles is [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=new-profile;users=apparmor@packages.debian.org|the patches, with new profiles included, that were submitted to Debian]]. List of processes with tcp or udp ports that do not have AppArmor profiles loaded
Line 23: Line 51:
Once you've dropped the new profile into `/etc/apparmor.d/`, use `apparmor_parser(8)` to insert it into the kernel. {{{
$ sudo aa-unconfined
}}
Line 25: Line 55:
AppArmor audit logs can be found in `/var/log/kern.log`. == Enable / install more profiles ==

Find more profiles:

 * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer);
 * in the DebianPkg:apparmor-profiles package;
 * in [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|the patches, with new profiles included]], that were submitted to Debian;
 * in Ubuntu.

!AppArmor profiles live in `/etc/apparmor.d/`. One can use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert them into the kernel. This is done automatically when installing packages that drop policy in `/etc/apparmor.d/`.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except `deny` rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:

{{{
cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
}}}

To set these profiles to enforce mode, use `aa-enforce` instead of `aa-complain`. '''Beware''' though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them ''upstream''.

== Debug ==

!AppArmor audit logs can be found in the systemd Journal or in `/var/log/syslog`.

For more detailed instructions, please read the dedicated documentation for [[AppArmor/Debug|debugging AppArmor]].

== Report a bug ==

If you think that you've found a bug in !AppArmor or a software in Debian which ships its own profile, you might want to [[AppArmor/Reportbug | report a bug]].

== Learn more ==

[[AppArmor#External_links|Learn more]] or [[AppArmor/Contribute| start contributing]].

== Disable AppArmor ==

First, you can disable individual profiles with `aa-disable`.

But if you want to entirely disable AppArmor on your system, run:

{{{
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot
}}}

----

CategorySystemSecurity

Translation(s): none

This page describes how to use AppArmor on Debian.


Install software

AppArmor is available in Debian since Debian 7 "Wheezy".

Install AppArmor userspace tools:

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the AppArmor Linux Security Modules (LSM):

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

$ sudo aa-status

List running executables which are currently confined by an AppArmor profile:

$ ps auxZ | grep -v '^unconfined'

List of processes with tcp or udp ports that do not have AppArmor profiles loaded

$ sudo aa-unconfined
}}

== Enable / install more profiles ==

Find more profiles:

 * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer);
 * in the DebianPkg:apparmor-profiles package;
 * in [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|the patches, with new profiles included]], that were submitted to Debian;
 * in Ubuntu.

!AppArmor profiles live in `/etc/apparmor.d/`. One can use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert them into the kernel. This is done automatically when installing packages that drop policy in `/etc/apparmor.d/`.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except `deny` rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:

{{{
cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.

Debug

AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.

Report a bug

If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.

Learn more

Learn more or start contributing.

Disable AppArmor

First, you can disable individual profiles with aa-disable.

But if you want to entirely disable AppArmor on your system, run:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot


CategorySystemSecurity