- Debian version of SELinux; not as powerful and fine-grained
- app-specific profiles that integrate into the kernel instead of system-level security
- app-specific profiles located in `/etc/apparmor.d` folder
    - profiles associated with locations of apps such as `usr.bin.tcpdump` or `usr.bin.man`
    - `which app` to find app location
    - each profile specifies perms for various files and systems
    - can override default profiles by placing a new one in `/etc/apparmor.d/local`
    - parses allow before deny commands
- three common modes: enforce, complain, disable
    - enforce - stops app from breaking policy and adds event to audit log
        - see `/var/log/syslog`, `/var/log/audit/audit.log`, and `/var/log/journal` for violations
    - complain - adds event to audit log
    - disable - off
- lesser used modes: kill, unconfined
- `sudo aa-enabled` to show whether AppArmor is enabled
- `sudo systemctl stop apparmor.service` to stop AppArmor
- `sudo systemctl start apparmor.service` to start AppArmor
- `aa-status` shows apps/processes with defined profiles and their modes

![[images/Pasted image 20250801183553.png]]

- `sudo aa-complain /usr/bin/man` changes the profile mode for `man` to complain mode
- `sudo aa-disable /usr/bin/man` changes the profile mode for `man` to disable mode
- `sudo apt install aa-profiles` to add additional profiles
- `sudo aa-genprof /usr/bin/ss` generates a default profile for the `ss` app and dumps it to `stdout`
- `sudo aa-easyprof /usr/bin/ss` generates a blank profile for the `ss` app and dumps it to `stdout`
- `sudo aa-easyprof /usr/bin/ss | sudo tee /etc/apparmor.d/usr.bin.ss` to generate a blank profile for the `ss` app and save it (a plain `>` redirect would run as the unprivileged user and fail to write under `/etc/apparmor.d`)
- `sudo aa-enforce /etc/apparmor.d/usr.bin.ss` to place `ss` into enforce mode with the blank profile
- `sudo aa-logprof` tweaks profiles for apps based on associated log entries
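
To review the violations that enforce and complain mode write to the logs listed above, the following added example (not part of the original notes) counts AppArmor audit events per profile, verdict, operation and path. Enforce mode logs `apparmor="DENIED"` and complain mode logs `apparmor="ALLOWED"`; the function names `aa_summarize` and `sample_log` are hypothetical, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: summarize AppArmor audit events from syslog/audit.log text.
# Usage on a real host: sudo cat /var/log/syslog | aa_summarize

# Reads log lines from stdin (or the files given as arguments) and prints
# "<count> <profile> <verdict> <operation> <path>", sorted by profile.
aa_summarize() {
    awk '
    # Return the value of key="value" in the current line, or "" if absent.
    function field(key,    i, n, pat, rest) {
        pat = " " key "=\""
        i = index(" " $0, pat)
        if (i == 0) return ""
        rest = substr(" " $0, i + length(pat))
        n = index(rest, "\"")
        return substr(rest, 1, n - 1)
    }
    # DENIED = blocked in enforce mode; ALLOWED = would-be violation in complain mode.
    # STATUS lines (profile load/replace) and unrelated lines are skipped.
    /apparmor="(DENIED|ALLOWED)"/ {
        key = field("profile") " " field("apparmor") " " field("operation") " " field("name")
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k2
}

# Constructed sample log lines (not captured from a real system).
sample_log() {
    cat <<'EOF'
Aug  1 18:40:01 host kernel: audit: type=1400 audit(1754073601.100:51): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/shadow" pid=2101 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug  1 18:40:05 host kernel: audit: type=1400 audit(1754073605.200:52): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/shadow" pid=2107 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug  1 18:41:10 host kernel: audit: type=1400 audit(1754073670.300:53): apparmor="ALLOWED" operation="open" profile="/usr/bin/ss" name="/proc/net/tcp" pid=2150 comm="ss" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug  1 18:41:30 host kernel: audit: type=1400 audit(1754073690.400:54): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/ss" pid=2160 comm="apparmor_parser"
Aug  1 18:42:00 host sshd[2200]: Accepted publickey for user from 192.0.2.10 port 50022 ssh2
EOF
}

sample_log | aa_summarize
```

Paths that show up as `ALLOWED` for a profile in complain mode are the ones `sudo aa-logprof` will ask about before the profile is switched to enforce.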