You've heard that Linux is a very secure operating system. You've heard it's practically immune to viruses (practically being the key word). You've heard it's tough to crack. These are all true...and with good reason. Linux is such a strong operating system for two primary reasons - by design and with the help of security systems like AppArmor and SELinux.
But what is AppArmor? AppArmor is a security module implementation of name-based access controls. In other words, AppArmor protects your system against the exploitation of program flaws and compromises. This protection is done via profiles that will set a program to either "complain" or "enforce" against wrongdoing.
In this article I will show you how to install AppArmor and how to use it to set an application in either "complain" or "enforce" mode.
The installation of AppArmor is simple:
That's it. You are now ready to begin working with AppArmor.
AppArmor is a command-line only tool. It uses two particular commands for setting an application to either "complain" (aa-complain) or "enforce" (aa-enforce). There is also one other tool that is useful - apparmor_status. Let's take a look at that command first.
You want to know the current status of AppArmor and which applications are currently in which mode. To find this out, issue the command sudo apparmor_status. You should see listings similar to:
32 profiles are loaded.
12 profiles are in enforce mode.
20 profiles are in complain mode.
NOTE: I truncated the output to save space.
As you can see, there are already certain applications in complain mode and certain applications in enforce mode. But what are these "modes"? Simple: "complain" mode will log violations against the application's profile, whereas "enforce" will strictly enforce the application's profile. But what are (and where are) the profiles? You will find profiles for applications in /etc/apparmor.d. Each profile has its own settings, but all of them will have some unique characteristics. For example, with AppArmor you can define that an application has access to its configuration files using the "r" switch, as in the /etc/apparmor.d/usr.sbin.dovecot profile line:
Creating a profile is a bit beyond the scope of this article (we'll revisit this topic later).
Now, let's change an application from complain to enforce. Look back at our apparmor_status output. Let's switch the dovecot application from complain to enforce. To do this we use the aa-enforce command like so:
sudo aa-enforce /usr/sbin/dovecot
When you issue this command you will see the results appear immediately:
Setting /usr/sbin/dovecot to enforce mode.
To switch an application from enforce to complain, you use the aa-complain command like so:
sudo aa-complain /usr/sbin/dovecot
Which will return the results:
Setting /usr/sbin/dovecot to complain mode.
You can run apparmor_status after you make changes to your applications to make sure the changes remain.
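The check described above can be scripted. The following is an added example, not part of the original article: it reads apparmor_status output and reports which mode a given profile is in. The sample output is constructed for illustration (the article's own listing is truncated), and the function names profiles_in_mode and profile_mode are made up for this example.

```shell
#!/bin/sh
# Constructed sample of `sudo apparmor_status` output (not captured from a real host).
sample_status() {
cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
2 profiles are in complain mode.
   /usr/sbin/dovecot
   /usr/sbin/ntpd
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (1042)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# profiles_in_mode MODE: read apparmor_status text on stdin and print the
# profiles listed under the "N profiles are in MODE mode." heading.
profiles_in_mode() {
    awk -v mode="$1" '
        /^[0-9]+ profiles are in / { in_section = ($5 == mode); next }
        /^[^ \t]/                  { in_section = 0 }  # any other heading ends the list
        in_section                 { gsub(/^[ \t]+|[ \t]+$/, ""); print }
    '
}

# profile_mode PROFILE: read apparmor_status text on stdin and print
# "enforce", "complain" or "not loaded" (exit status 1 in the last case).
profile_mode() {
    text=$(cat)
    for m in enforce complain; do
        if printf '%s\n' "$text" | profiles_in_mode "$m" | grep -Fxq -- "$1"; then
            echo "$m"
            return 0
        fi
    done
    echo "not loaded"
    return 1
}

# Demo on the constructed sample; on a live system pipe the real output instead:
#   sudo apparmor_status | profile_mode /usr/sbin/dovecot
sample_status | profile_mode /usr/sbin/dovecot
```

Running it after aa-enforce or aa-complain confirms the switch took effect, and profiles_in_mode complain lists every profile that is only logging rather than blocking.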
AppArmor is a crucial piece of the Linux security puzzle. Without this application it would be much easier to exploit the weaknesses in numerous applications. As a Linux administrator, you owe it to yourself to further your knowledge of this tool. Later we will revisit AppArmor and create/edit profiles for applications.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.