This page describes how to use AppArmor on Debian.
Install software
AppArmor is available in Debian since Debian 7 "Wheezy".
Install AppArmor userspace tools:
auditd (if you intend to use the automatic profile generation tools)
Enable AppArmor
If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.
Enable the AppArmor Linux Security Modules (LSM):
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot
Inspect the current state
AppArmor profiles can be set to different modes:
complain mode: violations of the policy are only logged
enforce mode: operations that violate the policy are blocked
Note that deny rules in profiles are always enforced (the operation is blocked), even in complain mode.
List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):
$ sudo aa-status
List running executables which are currently confined by an AppArmor profile:
$ ps auxZ | grep -v '^unconfined'
List of processes with tcp or udp ports that do not have AppArmor profiles loaded:
$ sudo aa-unconfined
Find / install more profiles
AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To find more profiles:
apparmor-profiles-extra provides and enables Debian-specific (not upstreamed) profiles.
apparmor-profiles provides various experimental profiles, and enables some by default.
Check the equivalent Ubuntu packages
Check newly submitted patches/profiles for AppArmor in Debian
Enabling profiles
Debian packages that install profiles to /etc/apparmor.d/ automatically enable them (complain mode). Other profiles need to be copied to this directory and manually set to complain or enforce mode.
For example, to install an "extra" profile from the /usr/share/apparmor/extra-profiles/ directory provided by apparmor-profiles and set it to complain mode:
# list available profiles
$ ls /usr/share/apparmor/extra-profiles/
# install the profile
$ sudo cp /usr/share/apparmor/extra-profiles/usr.bin.example /etc/apparmor.d/
# set the profile to complain mode
$ sudo aa-complain /etc/apparmor.d/usr.bin.example
To set a profile to enforce mode, use aa-enforce instead of aa-complain. Beware though: many profiles are not up to date and will break functionality in enforce mode, so be ready to debug!
Debug
AppArmor audit logs can be found in the systemd journal or in /var/log/syslog.
For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
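The audit messages in the journal or syslog are where the mode semantics described above become visible: a violation in complain mode is logged with apparmor="ALLOWED", while a blocked operation (enforce mode, or a deny rule in any mode) is logged with apparmor="DENIED". The script below is an added example, not part of the Debian wiki page; it summarises such lines per profile, and the profile names, paths and log lines in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): summarise AppArmor audit
# events so a real denial can be told apart from a complain-mode "would deny".
#
# AppArmor kernel audit messages (type=1400) carry key="value" pairs:
#   apparmor="DENIED"  -> operation blocked (enforce mode, or a deny rule)
#   apparmor="ALLOWED" -> operation violated the profile but was permitted,
#                         because the profile is in complain mode
#   apparmor="STATUS"  -> profile load/replace/remove, not a violation
#
# Real input on Debian:  journalctl -k | summarize_apparmor_events
#                   or:  grep 'apparmor=' /var/log/syslog | summarize_apparmor_events

summarize_apparmor_events() {
    # Prints "<verdict> <operation> <profile> <target> <count>", one line per
    # distinct combination, sorted. Targets (name= or capname=) that contain
    # whitespace are not handled by this field-based parser.
    awk '
        /apparmor="(ALLOWED|DENIED)"/ {
            verdict = op = prof = target = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                key = kv[1]; val = kv[2]; gsub(/"/, "", val)
                if (key == "apparmor")                      verdict = val
                else if (key == "operation")                op = val
                else if (key == "profile")                  prof = val
                else if (key == "name" || key == "capname") target = val
            }
            count[verdict " " op " " prof " " target]++
        }
        END { for (k in count) print k " " count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample lines in syslog/journal format (hypothetical profile
# /usr/bin/example and /usr/sbin/other; not captured from a real host).
SAMPLE_LOG='Jan 01 12:00:00 host kernel: audit: type=1400 audit(1700000000.001:101): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example/secret.conf" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 01 12:00:01 host kernel: audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 01 12:00:01 host kernel: audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1235 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 01 12:00:02 host kernel: audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="capable" profile="/usr/sbin/other" pid=999 comm="other" capability=12 capname="net_admin"
Jan 01 12:00:03 host kernel: audit: type=1400 audit(1700000000.005:105): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example" pid=42 comm="apparmor_parser"'

# Summarise the constructed sample; the STATUS line is ignored and the two
# identical /etc/shadow denials are aggregated into one line with count 2.
printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor_events
```

An ALLOWED line for a profile you expected to be enforcing means that profile is still in complain mode; check it with aa-status before trusting the policy.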
Disable AppArmor
Disable an individual profile:
$ sudo aa-disable /etc/apparmor.d/usr.bin.example
Completely disable AppArmor on your system:
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot
See also
apparmor_parser(8) manpage