Differences between revisions 15 and 17 (spanning 2 versions)
Revision 15 as of 2014-12-19 13:38:59
Size: 2306
Editor: UlrikeUhlig
Comment:
Revision 17 as of 2014-12-19 13:49:12
Size: 2353
Editor: UlrikeUhlig
Comment:



Requirements

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

If you are using wheezy, upgrading to systemd 204-14 from wheezy-backports is recommended, but not mandatory.

Install software

Install AppArmor userspace tools and some contributed profiles:

$ sudo apt-get install apparmor apparmor-profiles apparmor-utils

Enable AppArmor

Enable the AppArmor LSM:

$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo update-grub
$ sudo reboot

In the future, this should be automated, see Debian bug #702030 (http://bugs.debian.org/702030).
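The perl one-liner above appends the parameters every time it is run, so running it twice leaves "apparmor=1 security=apparmor" in GRUB_CMDLINE_LINUX twice. As an added example (not from this wiki page), here is a small shell function that makes the same edit but checks first whether the parameters are already present; the function names and the demo file are my own, and it assumes GNU sed (as on Debian) and a GRUB_CMDLINE_LINUX="..." line in the file:

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: add the AppArmor kernel
# parameters to GRUB_CMDLINE_LINUX in a grub defaults file without duplicating
# them when run a second time.
# Assumes GNU sed and that the file contains a GRUB_CMDLINE_LINUX="..." line.
# Usage on a real system: enable_apparmor_in_grub /etc/default/grub, then update-grub and reboot.

enable_apparmor_in_grub() {
    grub_file="$1"
    # Already enabled: leave the file alone so repeated runs are harmless.
    if grep -q '^GRUB_CMDLINE_LINUX=".*security=apparmor' "$grub_file"; then
        return 0
    fi
    if grep -q '^GRUB_CMDLINE_LINUX=""$' "$grub_file"; then
        # Empty value: no separating space needed.
        sed -i 's/^GRUB_CMDLINE_LINUX=""$/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"/' "$grub_file"
    else
        # Non-empty value: keep the existing parameters and append ours.
        sed -i -E 's/^(GRUB_CMDLINE_LINUX="[^"]*)"$/\1 apparmor=1 security=apparmor"/' "$grub_file"
    fi
}

# Print the current value of GRUB_CMDLINE_LINUX (without the quotes), to check the result.
grub_cmdline_linux() {
    sed -n -E 's/^GRUB_CMDLINE_LINUX="([^"]*)"$/\1/p' "$1"
}

# Demonstration on a constructed copy, so running this file never touches /etc/default/grub.
demo_file=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$demo_file"
enable_apparmor_in_grub "$demo_file"
enable_apparmor_in_grub "$demo_file"   # second run must not duplicate the parameters
echo "GRUB_CMDLINE_LINUX is now: $(grub_cmdline_linux "$demo_file")"
rm -f "$demo_file"
```

Only the GRUB_CMDLINE_LINUX line is touched; GRUB_CMDLINE_LINUX_DEFAULT (which applies to the default menu entry only) is left as it is, matching what the one-liner does.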

Inspect the current state

$ sudo aa-status

will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).

$ ps auxZ | grep -v '^unconfined'

will list running executables which are currently confined by an AppArmor profile (the first column of ps auxZ is the process's security label; unconfined processes show "unconfined" there).

Enable / install more profiles

Find more profiles:

Once you've dropped the new profile into /etc/apparmor.d/ (this is done automatically when installing the apparmor-profiles or apparmor-profiles-extra package), use apparmor_parser(8) to insert it into the kernel.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following:

cd /usr/share/doc/apparmor-profiles/extras
sudo cp -i *.* /etc/apparmor.d/
for f in *.* ; do sudo aa-complain "/etc/apparmor.d/$f"; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain.

AppArmor audit logs can be found in /var/log/syslog: the kernel audit messages carry apparmor="DENIED" for enforced profiles and apparmor="ALLOWED" for profiles in complain mode.
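Reviewing those messages is how you learn what a complain-mode profile would have blocked before switching it to enforce mode. As an added example (not from this wiki page), the two shell functions below count events per profile and outcome, and list the distinct accesses recorded for one profile. The function names and the sample log lines are my own; the lines are constructed in the key="value" format the kernel emits, and the functions assume GNU grep and awk:

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: summarise AppArmor audit
# messages from /var/log/syslog. Enforced profiles log apparmor="DENIED",
# complain-mode profiles log apparmor="ALLOWED" for the same events, and
# profile loads log apparmor="STATUS" (ignored here).

# Count events per profile and outcome. Reads syslog lines from the files given, or stdin.
# Usage: apparmor_log_summary /var/log/syslog
apparmor_log_summary() {
    grep -h 'apparmor="' "$@" | awk '
    {
        outcome = ""; profile = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^apparmor="/) { outcome = $i; sub(/^apparmor="/, "", outcome); sub(/"$/, "", outcome) }
            if ($i ~ /^profile="/)  { profile = $i; sub(/^profile="/, "", profile);  sub(/"$/, "", profile) }
        }
        if (outcome == "DENIED" || outcome == "ALLOWED") count[profile " " outcome]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# List the distinct (operation, path, requested mask) triples recorded for one profile:
# the raw material for deciding which rules the profile is missing.
# Usage: apparmor_log_accesses /usr/bin/evince < /var/log/syslog
apparmor_log_accesses() {
    grep -h -F "profile=\"$1\"" | awk '
    {
        op = ""; name = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^operation="/)      { op = $i }
            if ($i ~ /^name="/)           { name = $i }
            if ($i ~ /^requested_mask="/) { mask = $i }
        }
        # Strip the key= prefix and the surrounding quotes from each value.
        sub(/^[^=]*="/, "", op);   sub(/"$/, "", op)
        sub(/^[^=]*="/, "", name); sub(/"$/, "", name)
        sub(/^[^=]*="/, "", mask); sub(/"$/, "", mask)
        if (name != "") print op, name, mask
    }' | LC_ALL=C sort -u
}

# Constructed sample syslog lines (not real captured data): one enforced profile (cupsd)
# denying the same access twice, one complain-mode profile (evince) reporting two
# reads it would have denied, and one profile-load status message.
sample_syslog() {
    cat <<'EOF'
Dec 19 13:40:01 host kernel: [  512.123456] audit: type=1400 audit(1419000001.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 19 13:40:02 host kernel: [  513.000000] audit: type=1400 audit(1419000002.000:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/user/Documents/report.pdf" pid=2345 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 19 13:40:03 host kernel: [  514.000000] audit: type=1400 audit(1419000003.000:47): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/user/Downloads/manual.pdf" pid=2345 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 19 13:40:04 host kernel: [  515.000000] audit: type=1400 audit(1419000004.000:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=999 comm="apparmor_parser"
Dec 19 13:40:05 host kernel: [  516.000000] audit: type=1400 audit(1419000005.000:49): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

sample_syslog | apparmor_log_summary
sample_syslog | apparmor_log_accesses /usr/bin/evince
```

Against the sample, the summary reports two ALLOWED events for /usr/bin/evince and two DENIED events for /usr/sbin/cupsd, and the access listing for evince reduces to the two documents it opened; on a real system, a list like that for a complain-mode profile is what you check against the profile's rules before running aa-enforce.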

Learn more

See the "External links" section on the main AppArmor page.