Differences between revisions 36 and 38 (spanning 2 versions)
Revision 36 as of 2017-06-26 15:27:05
Size: 2957
Editor: ?VincasDargis
Comment:
Revision 38 as of 2017-06-30 21:02:57
Size: 2864
Editor: ?IntRigeri
Comment: Split long command line
Deletions are marked like this. Additions are marked like this.
Line 10: Line 10:

If you are using wheezy, upgrading to systemd 204-14 from wheezy-backports is recommended, but not mandatory.
Line 28: Line 26:
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' | sudo tee /etc/default/grub.d/apparmor.cfg $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  
| sudo tee /etc/default/grub.d/apparmor.cfg
Line 51: Line 50:
 * in the DebianPkg:apparmor-profiles-extra package (available in wheezy-backports and jessie);  * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer);
Line 70: Line 69:
!AppArmor audit logs can be found in `/var/log/syslog`. !AppArmor audit logs can be found in the systemd Journal or in `/var/log/syslog`.

Translation(s): none


Requirements

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

Install software

Install AppArmor userspace tools and some contributed profiles:

$ sudo apt-get install apparmor apparmor-profiles apparmor-utils

(If you intend to use automatic profile generation tools, also install auditd.)

Enable AppArmor

Enable the AppArmor LSM:

$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

In the future, this should be automated, see 702030

Inspect the current state

$ sudo aa-status

will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).

$ ps auxZ | grep -v '^unconfined'

will list running executables which are currently confined by an AppArmor profile.

Enable / install more profiles

Find more profiles:

AppArmor profiles should live in /etc/apparmor.d/. One can use apparmor_parser(8) to insert them into the kernel. This is done automatically when installing the apparmor-profiles or the apparmor-profiles-extra package.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following:

cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Note that many of these profiles are not up-to-date and might break functionality in enforce mode.

Debug

AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.

Report a bug

If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.

Learn more

Learn more or start contributing.