Results 1 to 3 of 3

Thread: AppArmor Feedback

  1. #1
    DaveInRoseville NNTP User

    Default AppArmor Feedback

    Hi,

    I'm interested in getting feedback from anyone who has deployed AppArmor in a company environment. Specifically I would like to know:

    1. How much of a performance hit can I expect with AppArmor ?

    2. Is it buggy ? How good is the support from SuSe for AppArmor ?

    3. How user friendly is the policy parser ?

    4. What are the basic gotcha's that I should be aware of when setting it up ?

    5. How much disk space should I allocate for event logs ?

    6. Is AppArmor better than SELinux ?

    7. In your opinion, given the additional burden of managing and maintaining AppArmor, is it worth it ?

    Any feedback would be appreciated. Thanks,

    Dave

  2. #2

    Default Re: AppArmor Feedback

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    1. Per the documentation, a very small one. A few percentage points.

    2. I haven't had any issues with it though I do not tinker with it much.

    3. For an initial setup I think it's pretty nice. It has a "learning
    mode" that lets you just turn it on for a process and then do your normal
    (non-malicious) stuff and then it walks you through tuning what it found.

    4. If you start seeing completely strange issues a first step when using
    LSM in any form (SELinux, AppArmor, or other) is to disable the
    functionality to see if that is related. Because it works at the kernel
    level this can stop ANYTHING from happening, whether you are root or not.
    For example I've used it to prevent root-powerful processes from using
    the ls command. Be careful when setting up your rules or you can make
    life painful for yourself in a hurry.

    5. I guess this depends on your environment. Try for a while and add
    more if needed. I'm guessing hundreds of MB would be a nice amount of
    room. Use aggressive log management to handle things if they get beyond that.

    6. It's the same backend, so it's just the frontend you need to worry
    about. SELinux is not something I've done much with but my experience
    with it has shown it to be perhaps a little complex overall. It may have
    some additional possibilities via the provided tools as well though I am
    not experienced enough in either technology to know for sure.

    7. Putting a server where it may be attacked? Yes. For your prsonal
    laptop that has the firewall covering all ports 24x7 anyway? Probably not
    (at least not beyond any defaults).

    Good luck.





    DaveInRoseville wrote:
    > Hi,
    >
    > I'm interested in getting feedback from anyone who has deployed
    > AppArmor in a company environment. Specifically I would like to know:
    >
    > 1. How much of a performance hit can I expect with AppArmor ?
    >
    > 2. Is it buggy ? How good is the support from SuSe for AppArmor ?
    >
    > 3. How user friendly is the policy parser ?
    >
    > 4. What are the basic gotcha's that I should be aware of when setting
    > it up ?
    >
    > 5. How much disk space should I allocate for event logs ?
    >
    > 6. Is AppArmor better than SELinux ?
    >
    > 7. In your opinion, given the additional burden of managing and
    > maintaining AppArmor, is it worth it ?
    >
    > Any feedback would be appreciated. Thanks,
    >
    > Dave
    >
    >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.9 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iQIcBAEBAgAGBQJKbzkQAAoJEF+XTK08PnB5oFsP/1smJdMr/PSqnUHZMEP8wDus
    yY8kgmCIrEhQnpqOsTQH8vGxbjdg3qxptHrPhspWWCBgUPgJNW4h6ymGxkFoMTiI
    VxVx6xIsJbSVNDuYt6zA4QV8KYNbAyA0hWt3JFQmZ0ldzQ+yB8JBcwr1a/mgvjUH
    U8rKflzu0uOO72LNFWjDUIymU0nnKFbsmGpNPHqIfkkKN8tshUAmr5IeMxc77TYC
    l8Faooweeqaz8TtSjeTqNlfu0gMKEOGJtVc7+ZoO32UizL5CPYNQFVnTfmzYUpDW
    zxlVNZf71feBpBGLd7gSHUo2oHuxkgQAzF1QstQ/5sVokGG5mOI+uFiCHguo1qKA
    gzYRvk8LCAxQYUljygiAvnPBU59fTHH3ka3O3GyPEeGfcm2QX5aEIE6WeuTH3A6/
    pjYotmecgCP1W1YKy8EBkv9M93nFvQU+EMP9gR2E4T/Y69w2MG8C/WQxF3tZrIgG
    1yVA1l3wHmAtU6ew1mC3qXRu559jRAd1YfQuGpLldPduo2Qs08m4xiy6JHH2K8x9
    Al5LlDKGdp1MLPMAj4MC/rpqAOTCNV1Xu9/uUMSGyP0jI6a0YSJkquPXsD13x5HE
    RhEmRbPuGshakg57z8E7tbokuBYPUO3UcawXmu9P21/FTXRDkd6En7fgyxH5Sf/9
    M0wFJqfGbR9KMMhh5TLB
    =O1/q
    -----END PGP SIGNATURE-----

  3. #3
    brassy NNTP User

    Default Re: AppArmor Feedback

    > Any feedback would be appreciated. Thanks,

    Hi Dave,

    are you using openSUSE "in a company environment"?? if you are, you
    are one brave dude/dudette!

    let me GUESS you are running SUSE Linux Enterprise Server and/or
    Desktop (aks: SLES and SLED).....am i right? if so, you need to
    recognize that while SLES/D version 10 or 11 are similar to openSUSE's
    current version 11.1 they are _*NOT*_ the same..

    here, you are in a "community" of openSUSE _users_ and volunteer
    helpers....we fight the bugs before Novell polishes them up and SELLS
    SLES and SLED...and we try to help the new folks fleeing lessor
    products in droves...

    if you are using an Enterprise product then you paid for them, and for
    the support you should get from Novell and the users of Novell's
    products in forums.novell.com

    otoh, if you really are brave enough to use this half-baked loaf, then
    say so...and, maybe there are a few around here who can answer..

    hmmmm...i think AppArmor (set at some useful but non-intrusive level)
    is included in the default install of openSUSE....i've never been
    'afraid' of intrusion enough to fiddle with it or the default fire
    wall (on the other hand i am behind a hardware firewall (in my router,
    connected to a ISP provided "ADSL modem") and i have a STRONG
    password, STRONGER root pass, run rkhunter, running no ftpd, sshd,
    apache, etc etc etc, have even ping turned off and and and....BUT,
    have never fiddled with AppArmor...so, i can't help more..

    --
    brassy

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •