Collaborate Disseminate
I’m looking to profile a service running inside a specific docker container. I went through the documentation of aa-genprof and aa-autodep and both take program as input to profile. I can’t seem to find a way to point those programs to pro… Continue reading Getting apparmor to profile a program inside docker container
I’m using PHP-FPM with Apache2 on my server, as PHP-FPM doesn’t run as Apache2 module, I figured it would need a profile for it.
This is my first time working with AppArmor, so I’m afraid of crashing the server or leaving everything open f… Continue reading Is this profile for AppArmor insecure?
I’m setting up an Apache 2.4 server on Ubuntu 20.04 LTS, and following all CSI Benchmarks recommendations to secure it.
The CSI recommends configuring AppArmor and generating a profile for Apache2 to restrict what it can and cannot access … Continue reading Best profile for Apache2 + PHP-FPM on AppArmor
I’m trying to harden a Linux installation on a personal computer – I decided to try both SELinux and AppArmor as a Mandatory Access Control (MAC) to supplement the default Discretionary Access Control (DAC) that Linux comes with by default… Continue reading Linux whitelist-based Mandatory Access Control instead of a blacklist-based model
My question is similar to these:
Protect sensitive data from sysadmin prying eyes
Restrict access to a specific directory on Linux
From those, I understand that SELinux could accomplish my goal. But we do not have the r… Continue reading Restrict privileged users from accessing certain directories on Linux servers with Grsecurity?
Is apparmor default deny? For example consider the case under SELinux in enforcing mode, where I install a package with no policy associated with it. SELinux’s default behaviour is to deny all syscalls that application makes…. Continue reading Is apparmor default deny?
I like lowering my access privilege mid-program (e.g. restrict my program to the current directory and files, disable networking). I imagine this is a pretty common wish.
I would like to be able to do this as a normal user, without the in… Continue reading Opt-in a security profile at runtime, without tedious setup
Would very much like to use apparmor to restrict specific dbus communications within my system. However the following line appears in my syslog:
Dec 28 09:36:21 apex snapd[1127]: AppArmor status: apparmor is enabled but some features are … Continue reading apparmor: How to enable dbus feature of apparmor (‘dbus mediation’), in the linux kernel?
Being very new to apparmor, would just like to start by placing some simple 1 line restriction on a program. And leave everything else as-is. Also, for other reasons it’s not possible for me to easily profile this specific ex… Continue reading Apparmor – how to ‘allow everything’ rule, then tighten up?
I’m using AppArmor in complain mode for a process in our production environment and I see some false positive profile violations in my logs. I’d like to roll out an updated profile but I cannot restart the process.
Is there any way to re… Continue reading Replace application’s AppArmor profile without process restart