• A security framework for isolation and application control
• Included in Ubuntu and Debian 10
apt install apparmor apparmor-utils
apt install apparmor-profiles # additional profiles
Activate AppArmor on Start-up
sudo nano /etc/default/grub
# Change the following line GRUB_CMDLINE_LINUX_DEFAULT="quiet" to
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
systemctl status apparmor
sudo aa-status # requires apparmor-utils
• List the programs which have no associated profile and which expose an open network socket
sudo aa-unconfined # requires apparmor-utils
• List running executables which are currently confined by AppArmor
ps auxZ | grep -v '^unconfined'
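As an added example (not part of the original notes), the script below summarises `ps auxZ` output by confinement mode instead of only filtering out the unconfined rows. The catch it handles is that the LABEL column of a confined process contains a space (`/usr/sbin/apache2 (enforce)`), so a naive `awk '{print $1}'` would lose the mode; the label is matched as a whole before the remaining columns are split. The `ps` output is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: group `ps auxZ` rows by AppArmor mode (enforce / complain / unconfined).

# Constructed sample of `ps auxZ` output (not from a real system).
SAMPLE_PS='LABEL                          USER     PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
unconfined                     root       1  0.0  0.1 167000 11000 ?   Ss   10:00 0:01 /sbin/init
/usr/sbin/apache2 (enforce)    root     900  0.0  0.2 200000 20000 ?   Ss   10:01 0:00 /usr/sbin/apache2 -k start
/usr/sbin/apache2 (enforce)    www-data 901  0.0  0.2 200000 20000 ?   S    10:01 0:00 /usr/sbin/apache2 -k start
/usr/sbin/cupsd (complain)     root     950  0.0  0.1 100000  9000 ?   Ss   10:01 0:00 /usr/sbin/cupsd -l
unconfined                     root     990  0.0  0.1  50000  5000 ?   Ss   10:01 0:00 /usr/sbin/sshd -D'

# Print one "mode<TAB>pid<TAB>command" line per process, reading `ps auxZ` output on stdin.
aa_ps_modes() {
  awk '
    NR == 1 { next }                         # skip the header row
    {
      if ($0 ~ /^unconfined[ \t]/) {
        mode = "unconfined"; rest = substr($0, 11)
      } else if (match($0, /^[^ ]+ \([a-z]+\)/)) {
        label = substr($0, RSTART, RLENGTH)  # e.g. "/usr/sbin/apache2 (enforce)"
        p = index(label, "(")
        mode = substr(label, p + 1, length(label) - p - 1)
        rest = substr($0, RLENGTH + 1)
      } else next                            # unrecognised label layout: skip the row
      # rest = USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND [args...]
      n = split(rest, f, " ")
      if (n >= 11) print mode "\t" f[2] "\t" f[11]
    }'
}

# Number of processes per mode, sorted by mode name.
aa_mode_counts() {
  aa_ps_modes | awk -F'\t' '{ c[$1]++ } END { for (m in c) print m "\t" c[m] }' | sort
}

# Distinct executables running with no profile at all: candidates for aa-genprof.
aa_unconfined_cmds() {
  aa_ps_modes | awk -F'\t' '$1 == "unconfined" { print $3 }' | sort -u
}

printf '%s\n' "$SAMPLE_PS" | aa_mode_counts
printf '%s\n' "$SAMPLE_PS" | aa_unconfined_cmds
```

On a live host replace the sample with `ps auxZ | aa_mode_counts`; a process whose label shows `(complain)` after you thought you had finished tuning is the usual sign that `aa-enforce` was never run for it.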
Enable/Disable AppArmor
systemctl start apparmor
systemctl disable apparmor
Load and Unload a Profile
# Unload the profile
apparmor_parser -R /path/to/profile
# Load a profile
apparmor_parser -r -W /path/to/profile
Create a Profile
• Requires package “apparmor-utils”
sudo aa-genprof <executable_name>
# Open a terminal #1
sudo aa-genprof apache2
# Open another terminal #2
sudo service apache2 stop # shutdown apache
sudo service apache2 restart
# Refresh the webpage and browse wp-admin
# Go back to terminal #1 and choose (S)can
# You will be asked a series of questions for granting access to files, choose (A)llow/ (D)eny/ (G)lob ...
# (S)ave changes and (F)inish
Assign Operating Mode to Profile Created
• There are 3 operating modes:
◇ Enforcing (default)
▪ Denies all unauthorized actions (without asking)
▪ May break the site
◇ Complain
▪ Logs what would have been denied and prompts us to fix it
# To test out a new profile, assign it to complain mode
# You will then be prompted for further action on any activity that is not defined in the original profile
Courses of action
• Inherit: Creates a rule that is denoted by “ix” within the profile, which causes the executed binary to inherit permissions from the parent profile.
• Child: Creates a rule that is denoted by “Cx” within the profile; it requires a sub-profile to be created within the parent profile, and rules must be separately generated for this child (prompts will appear when running scans on the parent).
• Deny: Creates a rule that AppArmor prepends with “deny” at the start of the line within the profile, which causes the parent's access to the resource to be denied.
• Abort: Exits the AppArmor program without saving any changes.
• Finish: Exits the AppArmor program but WILL save changes.
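To show what the Inherit, Child and Deny answers above actually produce, here is an added example profile (written for these notes, not generated by aa-genprof or taken from any shipped profile). The program path `/usr/local/bin/example-app`, the helper paths and every rule are hypothetical; only the rule syntax is real.

```apparmor
#include <tunables/global>

# Hypothetical profile for a made-up executable (example only)
/usr/local/bin/example-app {
  #include <abstractions/base>

  # Inherit: the helper runs under this same profile ("ix")
  /usr/local/bin/example-helper ix,

  # Child: the converter runs under the sub-profile "convert" defined below ("Cx")
  /usr/bin/convert Cx -> convert,

  # File rules written from (A)llow answers, widened with (G)lob
  /etc/example-app/** r,
  /var/lib/example-app/** rw,

  # Deny: written from a (D)eny answer; explicit deny rules win over any allow rule
  deny /etc/shadow r,

  # Sub-profile required by the Cx rule; its rules are generated separately
  profile convert {
    #include <abstractions/base>
    /usr/bin/convert mr,
    /var/lib/example-app/** r,
    /tmp/example-app-*.tmp rw,
  }
}
```

The practical difference: with `ix` the helper can touch exactly what the parent can, so a bug in the helper has the parent's whole allow list; with `Cx` the converter is limited to the few lines of its own sub-profile, which is the least-privilege choice when the child does something narrower than the parent.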
# After testing, put the profile into enforce mode and watch the log for denials
tail -f /var/log/syslog
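Watching `tail -f` by eye does not scale once the profile is live, so as an added example (not from the original notes) the script below pulls the AppArmor audit events out of syslog and produces two views: a count of enforce-mode denials per profile and path, and the candidate file rules that the complain-mode events would need (roughly what answering (A)llow in aa-logprof writes). In complain mode the kernel logs `apparmor="ALLOWED"` for an action the profile would have blocked; in enforce mode the same action logs `apparmor="DENIED"`. The log lines are constructed for the example and the apache2 profile events in them are made up.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events from syslog.

# Constructed syslog excerpt (not from a real host): two complain-mode events,
# two enforce-mode denials, and one profile-load status line that must be ignored.
SAMPLE_LOG='Jun  4 10:15:01 web1 kernel: [ 1234.567890] audit: type=1400 audit(1622801701.123:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/wp-admin/index.php" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun  4 10:15:02 web1 kernel: [ 1235.000000] audit: type=1400 audit(1622801702.000:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/wp-content/uploads/x.jpg" pid=1234 comm="apache2" requested_mask="wc" denied_mask="wc" fsuid=33 ouid=33
Jun  4 10:15:03 web1 kernel: [ 1236.000000] audit: type=1400 audit(1622801703.000:47): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun  4 10:15:04 web1 kernel: [ 1237.000000] audit: type=1400 audit(1622801704.000:48): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=1235 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun  4 10:15:05 web1 kernel: [ 1238.000000] audit: type=1400 audit(1622801705.000:49): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/apache2" pid=900 comm="apparmor_parser"'

# One "status<TAB>profile<TAB>operation<TAB>path<TAB>mask" line per ALLOWED/DENIED event (syslog on stdin).
aa_events() {
  awk '
    # Extract key="value"; POSIX awk has no capture groups, so slice by match offsets.
    function field(key,   re) {
      re = " " key "=\"[^\"]*\""
      if (match($0, re))
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    /apparmor="(ALLOWED|DENIED)"/ {
      print field("apparmor") "\t" field("profile") "\t" field("operation") "\t" field("name") "\t" field("requested_mask")
    }'
}

# Detection view: how often each (profile, path, mask) was blocked in enforce mode.
aa_denials() {
  aa_events | awk -F'\t' '$1 == "DENIED" { n[$2 "\t" $4 "\t" $5]++ } END { for (k in n) print n[k] "\t" k }' | sort
}

# Tuning view: file rules that would satisfy the complain-mode events.
# Log masks use c/d for create/delete, which a profile expresses as w; exec
# transitions (x) are skipped because they need the ix/Cx/Px decision from aa-logprof.
aa_suggest_rules() {
  aa_events | awk -F'\t' '
    function rule_mask(m,   out) {
      out = ""
      if (m ~ /r/) out = out "r"
      if (m ~ /[wcd]/) out = out "w"
      else if (m ~ /a/) out = out "a"
      if (m ~ /k/) out = out "k"
      if (m ~ /m/) out = out "m"
      return out
    }
    $1 == "ALLOWED" { r = rule_mask($5); if (r != "") print $4 " " r "," }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | aa_denials
printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules
```

On a real host run `aa_denials < /var/log/syslog` (or feed `journalctl -k` into it); a DENIED line that keeps repeating for a path the application legitimately needs means the profile was enforced too early, while one for a path like `/etc/shadow` is exactly the kind of event the profile exists to block and is worth an alert rather than a new rule.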
Config Files Location
/etc/apparmor.d/ # one profile file per confined executable, e.g. usr.sbin.apache2
# You may manually add wildcards in the config file
• YouTube: How to Install and Configure Apparmor on Linux