http://en.wikipedia.org/wiki/AppArmorAppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
AppArmor
- foldingstock
- htd0rg lieutenant
- Posts:300
- Joined:Sat Aug 16, 2008 10:38 pm [phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1275: count(): Parameter must be an array or an object that implements Countable
Just curious, has anyone here used or played with AppArmor in Linux? It looks like an interesting approach to security from the "home desktop" point of view.
"If a man empties his purse into his head, no one can take it from him."
- Benjamin Franklin
- Benjamin Franklin
-
- n00b
- Posts:1
- Joined:Fri May 20, 2011 1:22 pm [phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1275: count(): Parameter must be an array or an object that implements Countable
Re: AppArmor
I've found a lot of success with SELinux both on a home desktop and for use on severs. SELinux has gone though a lot of changes over the last few years and is worth a second look from anybody who found it too complex.
I for one, welcome our robot overlords.
-
- n00b
- Posts:18
- Joined:Wed Aug 17, 2011 1:42 pm [phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1275: count(): Parameter must be an array or an object that implements Countable
Re: AppArmor
Yeah activating AppArmor on all my apps is one of the 1st steps I take in hardening my OS. If you port scan yourself before and after you'll see that AppArmor closes the 2 or 3 ports that are open on Ubuntu installs by default.
- Thor
- htd0rg lieutenant
- Posts:440
- Joined:Tue Dec 18, 2007 9:39 am
- Location:Location Location [phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1275: count(): Parameter must be an array or an object that implements Countable
Re: AppArmor
I've heard good things about Apparmor. But I haven't used this myself. I run SELinux on one of my boxes and that has worked well for me, AFAIK. It's one of those things that you set and forget and without reading the manual and asking a million questions, will just assume it's working the way you think it should.
That being said, I haven't ran into any problems running SELinux on full enforcing mode at all really. At first I got some access errors, but it's setup to show you what program tried to do what, and then you can allow it at various levels, etc. It would provide a good sandbox on your system that not many would be able to get around. I'd look into it if I where looking to tighten things up. Some people report it being too restrictive, but im just not seeing that problem. I think it has changed greatly from where it once was some time ago.
I don't know if one is particularly better or not, but I lean towards SELinux because im familiar with it and there appears to be a bigger user base of it. AppArmor is supposed to be easier to setup, I think that depends on the distro. Some distros "natively" have good plans for either security setup, making it a matter of downloading only.
That being said, I haven't ran into any problems running SELinux on full enforcing mode at all really. At first I got some access errors, but it's setup to show you what program tried to do what, and then you can allow it at various levels, etc. It would provide a good sandbox on your system that not many would be able to get around. I'd look into it if I where looking to tighten things up. Some people report it being too restrictive, but im just not seeing that problem. I think it has changed greatly from where it once was some time ago.
I don't know if one is particularly better or not, but I lean towards SELinux because im familiar with it and there appears to be a bigger user base of it. AppArmor is supposed to be easier to setup, I think that depends on the distro. Some distros "natively" have good plans for either security setup, making it a matter of downloading only.
Quidquid latine dictum sit, altum sonatur.
- Whatever is said in Latin sounds profound.
Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us
- Whatever is said in Latin sounds profound.
Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us