AppArmor

All threads related to any flava of Linux or BSD.
Post Reply
User avatar
foldingstock
htd0rg lieutenant
Posts: 300
Joined: Sat Aug 16, 2008 10:38 pm

AppArmor

Post by foldingstock » Tue Jan 26, 2010 5:48 am

Just curious, has anyone here used or played with AppArmor in Linux? It looks like an interesting approach to security from the "home desktop" point of view.
AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
http://en.wikipedia.org/wiki/AppArmor
"If a man empties his purse into his head, no one can take it from him."
- Benjamin Franklin

robotmaxtron
n00b
Posts: 1
Joined: Fri May 20, 2011 1:22 pm

Re: AppArmor

Post by robotmaxtron » Fri May 20, 2011 1:29 pm

I've found a lot of success with SELinux both on a home desktop and for use on severs. SELinux has gone though a lot of changes over the last few years and is worth a second look from anybody who found it too complex.
I for one, welcome our robot overlords.

CaptainCheeseTits
n00b
Posts: 18
Joined: Wed Aug 17, 2011 1:42 pm

Re: AppArmor

Post by CaptainCheeseTits » Sun Sep 04, 2011 3:09 pm

Yeah activating AppArmor on all my apps is one of the 1st steps I take in hardening my OS. If you port scan yourself before and after you'll see that AppArmor closes the 2 or 3 ports that are open on Ubuntu installs by default.

User avatar
Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: AppArmor

Post by Thor » Fri Sep 16, 2011 1:24 pm

I've heard good things about Apparmor. But I haven't used this myself. I run SELinux on one of my boxes and that has worked well for me, AFAIK. It's one of those things that you set and forget and without reading the manual and asking a million questions, will just assume it's working the way you think it should.

That being said, I haven't ran into any problems running SELinux on full enforcing mode at all really. At first I got some access errors, but it's setup to show you what program tried to do what, and then you can allow it at various levels, etc. It would provide a good sandbox on your system that not many would be able to get around. I'd look into it if I where looking to tighten things up. Some people report it being too restrictive, but im just not seeing that problem. I think it has changed greatly from where it once was some time ago.

I don't know if one is particularly better or not, but I lean towards SELinux because im familiar with it and there appears to be a bigger user base of it. AppArmor is supposed to be easier to setup, I think that depends on the distro. Some distros "natively" have good plans for either security setup, making it a matter of downloading only.
Quidquid latine dictum sit, altum sonatur.
- Whatever is said in Latin sounds profound.

Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us

Post Reply