Debian stretch AppArmor and minimum security (2nd.)

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

In 2nd edition, we enable AppArmor (not optional), since Debian buster (current stable) enables it by default.


If you create and/or edit your AppArmor profiles, you should have at least 2GB /var/log, since it produces tons of audit logs.

Also, you should set maxsize logrotate setting.

Enabling AppArmor on read-only filesystem

We've done already. All we need is install AppArmor packages and enable it.

root# apt install apparmor{,-utils,-profiles,-profiles-extra}
root# mount -o remount,rw / # Don't forget.
root# mount -o remount,rw /boot # for update-grub, update-initramfs.
root# nano /etc/default/grub # add apparmor parameters
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
root# update-grub && reboot -n

Check AppArmor status

After login,

root# aa-enabled
YES (it works now.)
root# systemctl # does not shows any "fail"
root# journalctl # also confirm this.
date hostname apparmor[PID]: Starting AppArmor profiles:.
date hostname systemd[1]: Started AppArmor initialization.

Going further

AppArmor profiles are not so much provided. It's very difficult to create some universal profiles.

You should consider creating your own.

Read /etc/apparmor/logprof.conf first.

It tells you what kind of profiles SHOULD NOT BE PROVIDED.


If you create your own AppArmor profile, you'd better to do it one by one.

Also, consider executing logrotate -f YOURCONFIG before you create another profile.

tier1.jp will write about it in the future, but not in this guide.

ClamAV for scanning virus (optional)

root# apt install clamav
root# mount -o remount,rw / # DO NOT FORGET
root# dpkg-reconfigure clamav-freshclam # read and answer
root# mount -o remount,ro


If you do not use clamd, answer "No" to "clamd be notified after update?"

This setting does not provide on-access-scan.

You have to do it manually.

To scan recursively and make it report only infected files,

user$ clamscan -i -r SOMEPATH


chkrootkit might help, but it also have not so small number of false positives, and it depends on binutils, which could be abused.

In 2nd edition setting, tire1.jp does not recommend chkrootkit.


Firewall is difficult. The basic is DROP all, explicitly ACCEPT what you need, using conntrack and hashlimit.

root# apt install iptables-persistent


This package just provides persistent firewall setting scripts. You need to write rules.

Firewall varies and can be complicated.

We should discuss it in another article.

APT consistency

There are many other system consistency check software such as tripwire, debsums is an easy way.

First, you need to initialize.

root# apt install debsums
root# debsums_init # this does not require writable root "/"

And sometimes, run a system check command.

root# debsums -s

A milestone

You can stop using this guide on this stage.

  • You now have a small secure read-only Debian GNU/Linux with AppArmor.
  • If you are interested, keep going "Next".

Thank you for reading this. Have a nice day.

published: MODIFIED: