AppArmor¶
This role installs and pre-configures AppArmor, a Linux application security system. Information about AppArmor can be found in the official documentation.
Components¶
apparmor-profiles (A collection of profiles for the AppArmor application security system)
apparmor-utils (Additional userspace utils to assist with AppArmor profile management)
Configuration¶
The pre-configured AppArmor profiles are stored in /etc/apparmor.d/
.
By default, all these profiles are loaded in complain
mode, which represents a
learning mode. Actions that violate profile rules are only logged, not
prohibited. Technically, the complain
mode is realized by having symlinks in
/etc/apparmor.d/force-complain/
that point to the respective profile in
/etc/apparmor.d/
.
To enable a profile, simply remove the corresponding symlink in
/etc/apparmor.d/force-complain/
as a service user.
Service users may put own AppArmor profiles in /etc/apparmor.d/local/
.
For information about how to create AppArmor profiles, the official quick
language guide is a
good place to start.
Note
Please note that profiles created in /etc/apparmor.d/local/
are
enabled by default as long as you put a corresponding symlink in
/etc/apparmor.d/force-complain/
.
Interaction¶
Service users may restart AppArmor by executing /etc/init.d/apparmor restart.
They may also inquire information about AppArmors’s currently loaded policy be executing sudo aa-status.
Further, service users may list processes that have network access and have no AppArmor profile assigned by executing sudo aa-unconfined.
Monitoring¶
Log messages from AppArmor will appear in our general logcheck which customers do also receive notifications about.
You can manually inspect the log files on a machine for entries by grepping this way:
$ zgrep -i /var/log/messages*