Good Idea to use AppArmor?

MatthewLM
Posts: 42
Joined: 19 Apr 2014 12:05

Good Idea to use AppArmor?

Postby MatthewLM » 03 Oct 2014 11:42

Hi, would anyone recommend enabling AppArmor for SolydXK as per the Debian how-to: https://wiki.debian.org/AppArmor/HowTo ?

I assume it would work fine, but since there is no mention of it on these forums or elsewhere for SolydXK, and since AppArmor would have quite a major effect, I was wondering if this is something with SolydXK support?

What disadvantages does AppArmor give? If it enhances system security, why isn't it enabled by default in Debian and SolydXK?

kurotsugi
Posts: 2267
Joined: 09 Jan 2014 00:17

Re: Good Idea to use AppArmor?

Postby kurotsugi » 03 Oct 2014 13:37

The main drawback is that it's not quite user-friendly for the average user, especially those early Linux adopters who recently moved from Windows. Most of them don't even know what it is. For these reasons the security feature will remain optional. Users can enable it, but it won't be made the default.

MatthewLM
Posts: 42
Joined: 19 Apr 2014 12:05

Re: Good Idea to use AppArmor?

Postby MatthewLM » 03 Oct 2014 14:43

True, but Ubuntu uses it behind the scenes. A typical user never needs to know it's there. Ubuntu enables AppArmor and installs security profiles without user involvement. So if Ubuntu does it, why not Debian/SolydXK?

Zill
Posts: 1850
Joined: 13 Aug 2013 14:28
Location: Lincolnshire, UK

Re: Good Idea to use AppArmor?

Postby Zill » 03 Oct 2014 15:11

MatthewLM wrote:...So if Ubuntu does it, why not Debian/SolydXK?
... Because Debian/SolydXK is not Ubuntu! It would be rather silly having lots of identical distros, all with exactly the same installed packages and functionality. ;-)

AppArmor is in the Debian/SolydXK repos and so all users are free to install and use it if they wish. Choice is good! :-)

MatthewLM
Posts: 42
Joined: 19 Apr 2014 12:05

Re: Good Idea to use AppArmor?

Postby MatthewLM » 03 Oct 2014 15:14

But it's no good doing something differently unless there was a benefit to doing it. There has to be a benefit to not having AppArmor enabled or else why is it disabled? I'm not saying it should be enabled by default, I'm just curious as to why.

Zill
Posts: 1850
Joined: 13 Aug 2013 14:28
Location: Lincolnshire, UK

Re: Good Idea to use AppArmor?

Postby Zill » 03 Oct 2014 15:33

MatthewLM: Linux systems are, unlike other OS's, generally secure by default OOTB for most desktop users. While it is possible for such users to degrade this security, the risks are normally quite low unless the user does something stupid.

However, some Linux users do require a higher level of security, particularly those running public-facing servers and other mission-critical systems. Security hardened versions such as SELinux and other security add-ons such as AppArmor can be used to provide additional security for those who need it.

Installing all this additional security does have a downside in increasing the complexity of the system, making maintenance harder for the sysadmin and increasing the size of the installation and all subsequent upgrades. It may also slow it down. For this reason, it is, IMHO, undesirable to automatically include such bloat that is, for many users, unnecessary.

Linux isn't really about a "one size fits all" approach but rather a bespoke suit that is "made to measure" to fit each user's individual requirements.

MatthewLM
Posts: 42
Joined: 19 Apr 2014 12:05

Re: Good Idea to use AppArmor?

Postby MatthewLM » 03 Oct 2014 15:40

Good answer. I suppose that as long as you keep the system up to date and generally secure, AppArmor (or SELinux) is probably overkill for desktops on Linux.

kurotsugi
Posts: 2267
Joined: 09 Jan 2014 00:17

Re: Good Idea to use AppArmor?

Postby kurotsugi » 03 Oct 2014 16:47

In my understanding, the reason why Ubuntu benefits from AppArmor is that they created an AppArmor profile for their packages. It's easy for them because Ubuntu is configured for desktop. On the other hand, Debian is configured for both server and desktop. There's no universal AppArmor profile for both desktop and server; each needs a specific profile. For this reason Debian didn't provide an AppArmor profile for their packages.

As for how AppArmor works, it needs a certain profile for the applications to make it work. In that case we can't use the 'enable it and the user should not even have to know it' model. Enabling AppArmor on SolydXK might be quite easy, but without those profiles there's no benefit in doing it.

CMIIW
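
An added example, not part of any post in this thread: a small Python check of how much of a system AppArmor actually confines, which is the point raised above about profiles. It reads the kernel's profile list in securityfs and each process's label in /proc/<pid>/attr/current; the sample profile names and PIDs are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Kernel label format, e.g. "/usr/sbin/cupsd (enforce)"; a task with no
# profile attached reads just "unconfined".
LABEL_RE = re.compile(r"^(?P<name>.+) \((?P<mode>\w+)\)$")

def parse_label(text):
    """Return (profile_name, mode); (None, 'unconfined') when no profile applies."""
    match = LABEL_RE.match(text.strip())
    if match:
        return match["name"], match["mode"]
    return None, "unconfined"

def coverage(profile_lines, process_labels):
    """Count loaded profiles per mode and running processes per mode."""
    loaded = Counter(parse_label(line)[1] for line in profile_lines if line.strip())
    running = Counter(parse_label(label)[1] for label in process_labels.values())
    return {"loaded": dict(loaded), "processes": dict(running)}

def read_live():
    """Read the same data from a running kernel (profile list usually needs root)."""
    profiles = Path("/sys/kernel/security/apparmor/profiles").read_text().splitlines()
    labels = {}
    for attr in Path("/proc").glob("[0-9]*/attr/current"):
        try:
            labels[attr.parts[2]] = attr.read_text()
        except OSError:  # process exited or access denied
            continue
    return profiles, labels

# Constructed sample: AppArmor enabled, but only two profiles are loaded,
# so most processes still run unconfined.
SAMPLE_PROFILES = ["/usr/sbin/cupsd (enforce)", "/usr/bin/evince (complain)"]
SAMPLE_LABELS = {"1": "unconfined\n", "812": "/usr/sbin/cupsd (enforce)\n",
                 "1430": "unconfined\n", "1502": "unconfined\n"}

if __name__ == "__main__":
    try:
        print(coverage(*read_live()))
    except OSError:  # AppArmor not enabled or securityfs not readable
        print(coverage(SAMPLE_PROFILES, SAMPLE_LABELS))
```

A profile in complain mode only logs violations, so the "enforce" count under "processes" is the number of processes that are actually restricted.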

