{"id":105242,"date":"2024-01-05T10:16:00","date_gmt":"2024-01-05T15:16:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=105242"},"modified":"2024-03-13T16:19:37","modified_gmt":"2024-03-13T20:19:37","slug":"how-to-configure-apparmor-for-security-debian-ubuntu","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu","title":{"rendered":"How to Configure AppArmor for Security on Debian or Ubuntu"},"content":{"rendered":"\n<p><a class=\"wp-block-cgb-button button\" href=\"#step1\">Jump to Tutorial<\/a><\/p>\n\n\n\n<p>AppArmor, short for Application Armor, is a kernel security module for Debian-based Linux distributions that allows you to define per-application security profiles. These profiles restrict what system resources an application can access, effectively creating a sandbox around each application. This security mechanism helps prevent unauthorized access to sensitive data and reduces the risk of security breaches.<\/p>\n\n\n\n<p>AppArmor uses a mandatory access control (MAC) system that adds an extra layer of security to your system by restricting the capabilities of individual applications.&nbsp;<\/p>\n\n\n\n<p>There are key benefits when using AppArmor:<\/p>\n\n\n\n<ul>\n<li><strong>Isolation<\/strong>: AppArmor helps contain security threats by isolating applications from each other and the rest of the system.<\/li>\n\n\n\n<li><strong>Fine-grained control<\/strong>: You can specify what files, directories, and capabilities an application can access.<\/li>\n\n\n\n<li><strong>Security compliance<\/strong>: Many Linux distributions, including Debian and Ubuntu, use AppArmor by default to enforce security policies.<\/li>\n<\/ul>\n\n\n\n<p>For example, if you want to run a web server on your system, such as Nginx, you can use AppArmor to create a security profile for Nginx to ensure it can only access the necessary resources and deny access to other parts of the system. This minimizes the potential damage that a compromised Nginx server can do.<\/p>\n\n\n\n<p>This guide will walk you through the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.<\/p>\n\n\n\n<figure class=\"image is-16by9\">\n<iframe class=\"has-ratio\" width=\"300\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/9JZbIqSaFIM?rel=0\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen=\"\"><\/iframe>\n<\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step1\">Step 1: Update the System<\/h2>\n\n\n\n<p>In our tutorial, we are using Debian 11, but you are free to use any Debian version or Ubuntu.<\/p>\n\n\n\n<p>First, it is a good idea to update your system so you can get the latest package versions including security patches.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo apt update<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo apt upgrade<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"161\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/1-1.png\" alt=\"screenshot of code\" class=\"wp-image-105260\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/1-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/1-1-300x94.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Press <strong>y <\/strong>and press <strong>Enter<\/strong> to continue with the upgrade process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step2\">Step 2: Understanding AppArmor Service and Profiles<\/h2>\n\n\n\n<p>Next, we will check if AppArmor is installed on your system. You can do so by running the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo aa-status<\/p>\n<\/div><\/div>\n\n\n\n<p>By default, AppArmor is installed on Debian and Ubuntu distributions and you can see the ordinary output in the screenshot below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"362\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png\" alt=\"screenshot of code\" class=\"wp-image-105257\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1-300x212.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>The output tells you how many profiles are loaded, the mode (enforce or complain) of those profiles, how many processes have associated profiles, and whether any processes are running without profiles.<\/p>\n\n\n\n<p>In AppArmor, profiles can be in one of two modes: enforce or complain. Profiles in &#8220;enforce&#8221; mode actively enforce the security rules, meaning that the profile restrictions are in effect for the associated applications.<\/p>\n\n\n\n<p>Profiles in &#8220;complain&#8221; mode do not actively enforce the rules but generate audit messages when violations occur. You can think of this as a \u201clearning mode.\u201d This line indicates that there are currently no profiles in complain mode.<\/p>\n\n\n\n<p>AppArmor uses profiles to define the security rules for applications. These profiles are stored in the <strong>\/etc\/apparmor.d\/<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"60\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/3-1.png\" alt=\"screenshot of code\" class=\"wp-image-105253\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/3-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/3-1-300x35.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>It\u2019s necessary to install additional packages in order to use various AppArmor utilities:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo apt install apparmor-utils<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"143\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/4-1.png\" alt=\"screenshot of code\" class=\"wp-image-105251\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/4-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/4-1-300x84.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step3\">Step 3: Creating Custom Profiles<\/h2>\n\n\n\n<p>For this example, we will first install the Nginx web server.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo apt install nginx<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"135\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/5-1.png\" alt=\"screenshot of code\" class=\"wp-image-105248\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/5-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/5-1-300x79.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>This will install Nginx alongside various dependencies and also start the service automatically.<\/p>\n\n\n\n<p>We can confirm that our Nginx is working by visiting the IP address of our server where you will get the default Nginx page.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"199\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/6-1.png\" alt=\"screenshot of code\" class=\"wp-image-105247\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/6-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/6-1-300x117.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>We can check the current profiles for AppArmor in <strong>\/etc\/apparmor.d<\/strong> directory and verify if one exists for the Nginx web server:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"36\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/7-1.png\" alt=\"screenshot of code\" class=\"wp-image-105261\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/7-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/7-1-300x21.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>By listing the directory we can see that there is no profile for Nginx, so we can create a new one.<\/p>\n\n\n\n<p>We can do so by running the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo aa-autodep nginx<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"51\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/8.png\" alt=\"screenshot of code\" class=\"wp-image-105258\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/8.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/8-300x30.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>We can check the default Nginx profile if we run the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo cat \/etc\/apparmor.d\/usr.sbin.nginx<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"208\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/9.png\" alt=\"screenshot of code\" class=\"wp-image-105254\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/9.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/9-300x122.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>The line that consists of <strong>\/usr\/sbin\/nginx mr<\/strong>, where <strong>m<\/strong> allows a file to be mapped into memory and <strong>r<\/strong> means read mode.<\/p>\n\n\n\n<p>Now, we will activate the complain mode so that it doesn&#8217;t enforce the policy but produces a log each time it detects a violation of the security policy.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo aa-complain \/usr\/sbin\/nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>Next, we need to restart our Nginx service.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart nginx<\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step4\">Step 4: Enforcing the Profile<\/h2>\n\n\n\n<p>For this step, we will create a custom AppArmor profile, where we will need to write a profile definition for Nginx.&nbsp;<\/p>\n\n\n\n<p>Use your preferred text editor to edit the file:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo nano \/etc\/apparmor.d\/usr.sbin.nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>Edit the file so that the new profile looks like this:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>#include &lt;tunables\/global&gt;<br>\/usr\/sbin\/nginx {<br>&nbsp; #include &lt;abstractions\/apache2-common&gt;<br>&nbsp; #include &lt;abstractions\/base&gt;<br>&nbsp; #include &lt;abstractions\/nis&gt;<br>&nbsp; #include &lt;abstractions\/web-data&gt;<br>&nbsp; capability dac_override,<br>&nbsp; capability dac_read_search,<br>&nbsp; capability net_bind_service,<br>&nbsp; capability setgid,<br>&nbsp; capability setuid,<br><br>&nbsp; deny \/var\/www\/html\/forbidden\/* r,<br><br>&nbsp; \/etc\/group r,<br>&nbsp; \/etc\/nginx\/conf.d\/ r,<br>&nbsp; \/etc\/nginx\/mime.types r,<br>&nbsp; \/etc\/nginx\/nginx.conf r,<br>&nbsp; \/etc\/nsswitch.conf r,<br>&nbsp; \/etc\/passwd r,<br>&nbsp; \/etc\/ssl\/openssl.cnf r,<br>&nbsp; \/run\/nginx.pid rw,<br>&nbsp; \/usr\/sbin\/nginx mr,<br>&nbsp; \/var\/log\/nginx\/access.log w,<br>&nbsp; \/var\/log\/nginx\/error.log w,<br>&nbsp; owner \/etc\/nginx\/modules-enabled\/ r,<br>&nbsp; owner \/etc\/nginx\/sites-available\/default r,<br>&nbsp; owner \/etc\/nginx\/sites-enabled\/ r,<br>&nbsp; owner \/usr\/share\/nginx\/modules-available\/mod-http-geoip.conf r,<br>&nbsp; owner \/usr\/share\/nginx\/modules-available\/mod-http-image-filter.conf r,<br>&nbsp; owner \/usr\/share\/nginx\/modules-available\/mod-http-xslt-filter.conf r,<br>&nbsp; owner \/usr\/share\/nginx\/modules-available\/mod-mail.conf r,<br>&nbsp; owner \/usr\/share\/nginx\/modules-available\/mod-stream-geoip.conf r,<br>&nbsp; owner \/usr\/share\/nginx\/modules-available\/mod-stream.conf r,<br>}<\/p>\n<\/div><\/div>\n\n\n\n<p>We are creating an AppArmor profile where Nginx will restrict access to the <strong>\/var\/www\/html\/forbidden<\/strong> directory.<\/p>\n\n\n\n<p>Next, we can create the specific directory by running the command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo mkdir -p \/var\/www\/html\/forbidden<\/p>\n<\/div><\/div>\n\n\n\n<p>Inside that directory we can create a simple html file:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo nano \/var\/www\/html\/forbidden\/index.html<\/p>\n<\/div><\/div>\n\n\n\n<p>Now, just add a simple line of text:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>&lt;<strong>h1<\/strong>&gt;This is forbidden.&lt;\/<strong>h1<\/strong>&gt;<\/p>\n<\/div><\/div>\n\n\n\n<p>After saving the file, we can load the new AppArmor profile by running the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo apparmor_parser -r \/etc\/apparmor.d\/usr.sbin.nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>When you run this command, it loads the specified AppArmor profile into the AppArmor kernel module. Loading the profile means that the security rules and restrictions defined in the profile will become active, and they will be enforced when the associated application (in this case, Nginx) runs.<\/p>\n\n\n\n<p>If you\u2019ve made changes to the profile definition file (e.g., to customize the security rules for Nginx), using the <strong>-r<\/strong> option is necessary to apply those changes. This ensures that the updated profile is, in effect, enhancing the security of the associated application.<\/p>\n\n\n\n<p>After loading the profile, you need to enforce it for the Nginx service. Use the <strong>aa-enforce<\/strong> command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo aa-enforce \/usr\/sbin\/nginx<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"31\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/10.png\" alt=\"screenshot of code\" class=\"wp-image-105252\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/10.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/10-300x18.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>In order to test if the profile is functioning correctly, restart the Nginx service.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>Now, if we run a simple curl command toward our localhost, we will see that the index page is still working properly.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>curl http:\/\/localhost<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"188\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/11.png\" alt=\"screenshot of code\" class=\"wp-image-105249\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/11.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/11-300x110.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>However, if we run the curl command again, this time toward our forbidden directory, we will see that AppArmor blocked it.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>curl http:\/\/localhost\/forbidden\/index.html<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"138\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/12.png\" alt=\"screenshot of code\" class=\"wp-image-105250\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/12.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/12-300x81.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>In the screenshot above we can see that the file exists and has real content in it, but due to security rules, it doesn&#8217;t allow us to access it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step5\">Step 5: Debugging the Profile<\/h2>\n\n\n\n<p>If, after applying enforce mode to your AppArmor profile, some service doesn&#8217;t restart or work in an unexpected way, we can use the built-in log utility from AppArmor.<\/p>\n\n\n\n<p>We can try to edit our Nginx profile again by running:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo nano \/etc\/apparmor.d\/usr.sbin.nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>So we remove the following line:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>\/etc\/nginx\/nginx.conf r,<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"135\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/13.png\" alt=\"screenshot of code\" class=\"wp-image-105262\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/13.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/13-300x79.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>After saving the file, we can apply new changes to the AppArmor parser:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo apparmor_parser -r \/etc\/apparmor.d\/usr.sbin.nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>We can try to restart our Nginx service:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>But that will fail, and we will not able to start it again.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"38\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/14.png\" alt=\"screenshot of code\" class=\"wp-image-105259\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/14.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/14-300x22.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>For that reason, we will use a logging utility for AppArmor:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo aa-logprof<\/p>\n<\/div><\/div>\n\n\n\n<p>Based on the output, we can see that AppArmor doesn&#8217;t have a defined line related to the nginx.conf file that we previously deleted.<\/p>\n\n\n\n<p>For that reason, we can press <strong>A <\/strong>to allow that policy, which will again add it to our AppArmor custom profile.<\/p>\n\n\n\n<p>Next, press <strong>S <\/strong>to save changes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"90\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/15.png\" alt=\"screenshot of code\" class=\"wp-image-105256\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/15.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/15-300x53.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>This action will save the profile and we can try to restart our Nginx service again.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart nginx<\/p>\n<\/div><\/div>\n\n\n\n<p>If we run the status command, we can see that the Nginx is running again:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl status nginx<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"64\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/16.png\" alt=\"screenshot of code\" class=\"wp-image-105255\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/16.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/16-300x38.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>This way, each time you are in complain or enforce mode for AppArmor and receive any errors with the service, you can use the logging utility that will give you more insights about issues and the ability to add neecessary lines in your custom profile automatically.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"\/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><p><strong>Note:<\/strong> Consider deploying a logging utility to detect whether attackers are attempting to disable AppArmor to evade your defenses.<\/p><\/div><\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>AppArmor is a useful tool for enhancing the security of your Debian-based systems. By creating and enforcing custom profiles, you can control the access and behavior of these services, making your system more secure against potential threats. It&#8217;s important to carefully design and test your profiles to find the right balance between security and functionality.<\/p>\n\n\n\n<div class=\"promotion-banner-small is-flex-direction-column has-items-aligned-flex-start has-items-aligned-center-tablet\">\n    <div class=\"promo-small-image is-hidden-mobile\">\n        <img decoding=\"async\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2016\/09\/Devices-General.jpg\" alt=\"cross-platform management\">\n    <\/div>\n    <div class=\"promo-small-content\">\n        <p class=\"is-type-body-tiny is-type-weight-bold is-important promo-small-title\">\n            Secure &amp; Manage Linux Systems        <\/p>\n        <p class=\"is-type-body-default is-important\">\n            Cross-OS device management for the modern organization        <\/p>\n    <\/div>\n    <div class=\"promo-small-cta\">\n        <a href=\"https:\/\/jumpcloud.com\/platform\/cloud-device-management\" data-promo=\"Linux Device Management\" class=\"button is-primary-green promo-small-banner-link\">Learn More<\/a>\n    <\/div>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.<\/p>\n","protected":false},"author":150,"featured_media":105257,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[2781],"tags":[],"collection":[2778],"platform":[],"funnel_stage":[3017],"coauthors":[2535],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Configure AppArmor for Security on Debian or Ubuntu - JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Configure AppArmor for Security on Debian or Ubuntu\" \/>\n<meta property=\"og:description\" content=\"Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-05T15:16:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-13T20:19:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"362\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"David Worthington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Worthington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\"},\"author\":{\"name\":\"David Worthington\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\"},\"headline\":\"How to Configure AppArmor for Security on Debian or Ubuntu\",\"datePublished\":\"2024-01-05T15:16:00+00:00\",\"dateModified\":\"2024-03-13T20:19:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\"},\"wordCount\":1584,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png\",\"articleSection\":[\"How-To\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\",\"url\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\",\"name\":\"How to Configure AppArmor for Security on Debian or Ubuntu - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png\",\"datePublished\":\"2024-01-05T15:16:00+00:00\",\"dateModified\":\"2024-03-13T20:19:37+00:00\",\"description\":\"Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png\",\"width\":512,\"height\":362,\"caption\":\"screenshot of code\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Configure AppArmor for Security on Debian or Ubuntu\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\",\"name\":\"David Worthington\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"caption\":\"David Worthington\"},\"description\":\"I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.\",\"sameAs\":[\"https:\/\/jumpcloud.com\/blog\",\"david.worthington@jumpcloud.com\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How to Configure AppArmor for Security on Debian or Ubuntu - JumpCloud","description":"Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu","og_locale":"en_US","og_type":"article","og_title":"How to Configure AppArmor for Security on Debian or Ubuntu","og_description":"Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.","og_url":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu","og_site_name":"JumpCloud","article_published_time":"2024-01-05T15:16:00+00:00","article_modified_time":"2024-03-13T20:19:37+00:00","og_image":[{"width":512,"height":362,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png","type":"image\/png"}],"author":"David Worthington","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Worthington","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu"},"author":{"name":"David Worthington","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e"},"headline":"How to Configure AppArmor for Security on Debian or Ubuntu","datePublished":"2024-01-05T15:16:00+00:00","dateModified":"2024-03-13T20:19:37+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu"},"wordCount":1584,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png","articleSection":["How-To"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu","url":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu","name":"How to Configure AppArmor for Security on Debian or Ubuntu - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png","datePublished":"2024-01-05T15:16:00+00:00","dateModified":"2024-03-13T20:19:37+00:00","description":"Learn the process of configuring AppArmor on Debian-based systems to enhance the security of your environment.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/2-1.png","width":512,"height":362,"caption":"screenshot of code"},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-apparmor-for-security-debian-ubuntu#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"How to Configure AppArmor for Security on Debian or Ubuntu"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e","name":"David Worthington","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411","url":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","caption":"David Worthington"},"description":"I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.","sameAs":["https:\/\/jumpcloud.com\/blog","david.worthington@jumpcloud.com"]}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/105242"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=105242"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/105242\/revisions"}],"predecessor-version":[{"id":107042,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/105242\/revisions\/107042"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media\/105257"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=105242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=105242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=105242"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=105242"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=105242"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=105242"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=105242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}