• A security framework for isolation and application control
• Included in Ubuntu and Debian 10


apt install apparmor apparmor-utils
apt install apparmor-profiles           # additional profiles


Activate AppArmor on Start-up

sudo nano /etc/default/grub

# Change the following line GRUB_CMDLINE_LINUX_DEFAULT="quiet" to
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

sudo update-grub
sudo reboot


Check status

systemctl status apparmor

sudo aa-status              # requires apparmor-utils
# or
sudo apparmor_status

• List the programs which have no associated profile and which expose an open network socket


• List running executables which are currently confined by AppArmor

ps auxZ | grep -v '^unconfined'


Enable/Disable AppArmor

systemctl start apparmor        # start the service now
systemctl disable apparmor      # do not start the service at boot


Load and Unload a Profile

# Unload the profile (-R removes it from the kernel)
apparmor_parser -R /path/to/profile

# Load a profile (-r replaces an already loaded copy, -W writes the cache)
apparmor_parser -r -W /path/to/profile


Create a Profile

• Requires package “apparmor-utils”

sudo aa-genprof <executables_name>

# Example
# Open a terminal #1
sudo aa-genprof apache2

# Open another terminal #2
sudo service apache2 stop        # shutdown apache
sudo service apache2 restart
# Refresh the webpage and browse wp-admin

# Go back to terminal #1 and choose (S)can
# You will be asked a series of questions for granting access to files, choose (A)llow/ (D)eny/ (G)lob ...
# (S)ave changes and (F)inish


Assign Operating Mode to Profile Created

• There are 3 operating modes:
◇ Enforcing (default)
▪ Denies all unauthorized actions (without asking)
▪ May break the site

◇ Complain
▪ Tells us something would be denied and prompts us to fix it

◇ Un-confined

# To test out new profile, assign to complain mode
aa-complain apache2

# You will then be prompted for further action on any activity that is not defined in the original profile

Course of actions
• Inherit: Creates a rule that is denoted by “ix” within the profile, causes the executed binary to inherit permissions from the parent profile.
• Child: Creates a rule that is denoted by “Cx” within the profile, requires a sub-profile to be created within the parent profile and rules must be separately generated for this child (prompts will appear when running scans on the parent).
• Deny: Creates a rule that AppArmor prepends with “deny” at the start of the line within the profile, causes the parent's access to the resource to be denied.
• Abort: Exits the AppArmor program without saving any changes.
• Finish: Exits the AppArmor program but WILL save changes.

# After testing, put profile to enforce mode
aa-enforce apache2


Enable logging

sudo aa-logprof             # scan the log and update profiles interactively
# or
tail -f /var/log/syslog     # follow the raw log messages
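
Added example, not part of the original notes: a shell function that condenses the AppArmor audit records seen in /var/log/syslog into one row per distinct event, useful for reviewing what a profile logged in complain mode before switching it to enforce mode. The log lines, host name and paths are constructed sample data, and the function names aa_sample_log and aa_summary are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Log lines below are constructed.

# Constructed sample: kernel audit records as they appear in /var/log/syslog.
aa_sample_log() {
cat <<'EOF'
Jan 10 10:00:01 web1 kernel: audit: type=1400 audit(1704880801.100:101): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/apache2" pid=2050 comm="apparmor_parser"
Jan 10 10:00:05 web1 kernel: audit: type=1400 audit(1704880805.200:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/wp-config.php" pid=2101 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
Jan 10 10:00:06 web1 kernel: audit: type=1400 audit(1704880806.300:103): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/wp-config.php" pid=2102 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
Jan 10 10:05:00 web1 kernel: audit: type=1400 audit(1704881100.400:104): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=2101 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jan 10 10:05:01 web1 systemd[1]: Started Session 12 of user admin.
EOF
}

# Read syslog lines on stdin; print one tab-separated row per distinct event:
# count, verdict, profile, operation, path, denied permission mask.
# ALLOWED = complain mode (logged, not blocked); DENIED = enforce mode (blocked).
aa_summary() {
    awk '
    # Value of key="value" on the current line, or "-" if the key is absent
    # or its value is unquoted (e.g. a hex-encoded name).
    function field(key,    pat, start, rest) {
        pat = " " key "=\""
        start = index($0, pat)
        if (start == 0) return "-"
        rest = substr($0, start + length(pat))
        return substr(rest, 1, index(rest, "\"") - 1)
    }
    # Only access decisions matter here; STATUS records (profile loads) are skipped.
    / apparmor="(DENIED|ALLOWED)"/ {
        key = field("apparmor") "\t" field("profile") "\t" field("operation")
        key = key "\t" field("name") "\t" field("denied_mask")
        seen[key]++
    }
    END { for (key in seen) printf "%d\t%s\n", seen[key], key }
    ' | LC_ALL=C sort -k2
}

# Demo on the constructed sample; on a real host: aa_summary < /var/log/syslog
aa_sample_log | aa_summary
```

Rows marked ALLOWED are the accesses a complain-mode profile would block once enforced, so each one needs either a rule in the profile or a decision that the denial is intended.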


Config Files Location

# You may manually add wildcards in the config file


Further Readings
YouTube: How to Install and Configure Apparmor on Linux