Adjust one more URL to match organizational changes.
nowadays more profiles can be installed from packages..
|Deletions are marked like this.||Additions are marked like this.|
|Line 42:||Line 42:|
|* in the DebianPkg:apparmor-profiles-extra package;||* in the DebianPkg:apparmor-profiles-extra package (available in wheezy-backports and jessie);|
|Line 46:||Line 46:|
|Once you've dropped the new profile into `/etc/apparmor.d/`, use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert it into the kernel.||Once you've dropped the new profile (eg by installing a package) into `/etc/apparmor.d/`, use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert it into the kernel.|
A Debian 7 "Wheezy" or newer GNU/Linux system is required.
If you are using wheezy, upgrading to systemd 204-14 from wheezy-backports is recommended, but not mandatory.
Install AppArmor userspace tools and some contributed profiles:
$ sudo apt-get install apparmor apparmor-profiles apparmor-utils
Enable the AppArmor LSM:
$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub $ sudo update-grub $ sudo reboot
Inspect the current state
See what running executables are currently confined by an AppArmor profile:
$ ps auxZ | grep -v '^unconfined' $ sudo aa-status
Enable / install more profiles
Find more profiles:
in the apparmor-profiles package;
in the apparmor-profiles-extra package (available in wheezy-backports and jessie);
in the patches, with new profiles included, that were submitted to Debian;
- in Ubuntu.
Once you've dropped the new profile (eg by installing a package) into /etc/apparmor.d/, use apparmor_parser(8) to insert it into the kernel.
For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following:
cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
To set these profiles to enforce mode, use aa-enforce instead of aa-complain.
AppArmor audit logs can be found in /var/log/syslog.
See the "External links" section on the main AppArmor page.