Differences between revisions 49 and 50
Revision 49 as of 2020-01-31 19:11:42
Size: 3462
Editor: nodiscc
Comment: CategorySystemSecurity
Revision 50 as of 2020-01-31 19:15:20
Size: 3511
Editor: nodiscc
Comment: formatting,shorten
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:
This page describes how to use '''AppArmor''' on Debian This page describes how to use '''AppArmor''' on Debian.
Line 9: Line 9:
----

== Requirements ==

A Debian 7 "Wheezy" or newer GNU/Linux system is required.
---
Line 17: Line 13:
Install !AppArmor userspace tools: !AppArmor is available in Debian since Debian 7 "Wheezy".
Line 19: Line 15:
{{{
$ sudo apt install apparmor apparmor-utils
}}}
[[PackageManagement#Installing.2C_removing.2C_upgrading_software|Install]] !AppArmor userspace tools:
Line 23: Line 17:
(If you intend to use automatic profile generation tools, also install `auditd`.)  * [[DebianPkg:apparmor]]
 * [[DebianPkg:apparmor-utils]]
 * [[DebianPkg:auditd]]
(If you intend to use automatic profile generation tools)

Translation(s): none

This page describes how to use AppArmor on Debian.

---

Install software

AppArmor is available in Debian since Debian 7 "Wheezy".

Install AppArmor userspace tools:

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the AppArmor Linux Security Modules (LSM):

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

$ sudo aa-status

will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).

$ ps auxZ | grep -v '^unconfined'

will list running executables which are currently confined by an AppArmor profile.

Enable / install more profiles

Find more profiles:

AppArmor profiles live in /etc/apparmor.d/. One can use apparmor_parser(8) to insert them into the kernel. This is done automatically when installing packages that drop policy in /etc/apparmor.d/.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except deny rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:

cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.

Debug

AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.

Report a bug

If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.

Learn more

Learn more or start contributing.

Disable AppArmor

First, you can disable individual profiles with aa-disable.

But if you want to entirely disable AppArmor on your system, run:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot


CategorySystemSecurity