Check the Status of AppArmor
Server - Ubuntu

 

 

When you check the status, you see that by default four profiles are active, in enforcing mode. These are protecting dhcp and tcpdump. You can see from the status that no profiles are in complain mode. Complain mode helps you learn what would happen if there were violations, without hindering activity. It is like a warning-only mode.

 

 

 

sudo apparmor_status

apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/bin/ssh
1 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient (635)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

 

 

The default configuration does not offer much in the way of protection, so you will need to install some additional profiles. Once that is complete, you will see a new list of profiles in /etc/apparmor.d.

 

sudo apt-get install apparmor-profiles

 

ls /etc/apparmor.d/

abstractions    sbin.dhclient3.dpkg-old       usr.lib.dovecot.imap               usr.sbin.mdnsd
apache2.d       sbin.klogd                    usr.lib.dovecot.imap-login         usr.sbin.nmbd
bin.ping        sbin.syslogd                  usr.lib.dovecot.managesieve-login  usr.sbin.nscd
cache           sbin.syslog-ng                usr.lib.dovecot.pop3               usr.sbin.smbd
disable         tunables                      usr.lib.dovecot.pop3-login         usr.sbin.tcpdump
force-complain  usr.bin.chromium-browser      usr.sbin.avahi-daemon              usr.sbin.traceroute
local           usr.bin.ssh                   usr.sbin.dnsmasq
program-chunks  usr.lib.dovecot.deliver       usr.sbin.dovecot
sbin.dhclient   usr.lib.dovecot.dovecot-auth  usr.sbin.identd

 

Now when you view the status, 29 profiles are loaded and 6 are in enforcing mode. However, chromium-browser and the dhcp client are obviously not really issues for an Ubuntu server.

 

sudo apparmor_status

apparmor module is loaded.
29 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
23 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/bin/ssh
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/traceroute
1 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient (635)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
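
Since most of the newly installed profiles sit in complain mode, it helps to pull that list out of the status output automatically. The following is an added example, not part of the original page: it parses apparmor_status text with awk. The function names profiles_in_mode, audit_complain and sample_status are hypothetical, and the sample input is constructed from the first status listing above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of AppArmor.

# Print the profiles listed under "N profiles are in <mode> mode."
# Reads apparmor_status output on stdin; mode is "enforce" or "complain".
profiles_in_mode() {
    awk -v mode="$1" '
        # Section header, e.g. "23 profiles are in complain mode."
        /^[0-9]+ profiles are in / { active = ($0 ~ ("in " mode " mode")); next }
        # Any other count line (the process sections) closes the section.
        /^[0-9]+ /                 { active = 0; next }
        # Inside the wanted section each non-empty line is one profile name.
        active && NF               { sub(/^[ \t]+/, ""); print }
    '
}

# Return 1 and list the profiles if any are in complain mode, where
# violations are only logged and not blocked; return 0 otherwise.
audit_complain() {
    found=$(profiles_in_mode complain)
    if [ -n "$found" ]; then
        printf 'Profiles in complain mode:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample input, modelled on the first status listing on this page.
sample_status() {
    cat <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/bin/ssh
1 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient (635)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Demo on the sample; on a real host: sudo apparmor_status | audit_complain
sample_status | audit_complain || echo "audit failed: complain-mode profiles present"
```

The non-zero exit status from audit_complain lets a provisioning or cron script flag a server whose service profiles are still only logging.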