Is Manjaro security enhanced with SE Linux or Apparmor and a firewall? Does it need installation?
Manjaro supports AppArmor, but it’s not activated by default (at least I think so).
SELinux is not currently supported. See SELinux: Current status in Arch Linux
Is this AppArmor important? Do I need it?
In a recent .iso (xfce) it seemed to be installed by default, but maybe not activated. I don’t recall. In any case, install apparmor if it is not installed.
Enable apparmor: systemctl enable apparmor.service
add in grub to GRUB_CMDLINE_LINUX_DEFAULT
then update grub: sudo update-grub
Then check in terminal:
systemctl status apparmor
It is enabled by default, although the amount of profiles that are enforced on a default installation is pretty close to zero.
On a fairly recent Manjaro KDE installation (in VM):
[froggy@kde ~]$ sudo aa-status
[sudo] password for froggy:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
[froggy@kde ~]$
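Added example, not part of the thread: a small shell check that reads `aa-status` text output and separates "module and profiles are loaded" from "some process is actually confined", the distinction the output above illustrates. The helper names `aa_count` and `aa_verdict` are hypothetical, and the sample input is the output quoted in the post above.

```bash
#!/usr/bin/env bash
# Added example: summarise `aa-status` text output.
# aa_count and aa_verdict are hypothetical helper names.

# Sample input: the aa-status output quoted in the thread above.
SAMPLE='apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# aa_count TEXT PHRASE -> the leading number on the line containing PHRASE
# (prints 0 when no such line exists).
aa_count() {
    printf '%s\n' "$1" | awk -v p="$2" '
        index($0, p) && $1 ~ /^[0-9]+$/ { n = $1; found = 1 }
        END { print (found ? n : 0) }'
}

# aa_verdict TEXT -> one of:
#   not-loaded, no-profiles, loaded-but-nothing-confined, confining:<N>
aa_verdict() {
    local text=$1 loaded enforce complain confined
    case $text in
        *"apparmor module is loaded."*) ;;
        *) echo "not-loaded"; return 0 ;;
    esac
    loaded=$(aa_count "$text" "profiles are loaded.")
    enforce=$(aa_count "$text" "processes are in enforce mode.")
    complain=$(aa_count "$text" "processes are in complain mode.")
    confined=$((enforce + complain))
    if [ "$loaded" -eq 0 ]; then echo "no-profiles"
    elif [ "$confined" -eq 0 ]; then echo "loaded-but-nothing-confined"
    else echo "confining:$confined"
    fi
}

# Live use (needs root): aa_verdict "$(sudo aa-status)"
aa_verdict "$SAMPLE"
```
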
apparmor is at least prepackaged in any version with SNAP …
whether or not those profiles are very effective
(or even enabled via snapd.apparmor.service as opposed to snapd.service … well I wouldn’t know as SNAPs are not my thing)
“Security is something you configure”
It is enabled by default,
I just checked
thanks for the tip
Firejail and netfilter will not conflict with AppArmor, will they, nor with each other?
I am an average Joe user but I guess you will feel much better if you consider the following:
- install the security check tool “lynis” from the official repo and make a check of a default install of Manjaro (pretty good),
- visit the website “Shields up!” and make all the tests there, you will also feel satisfied,
- run a firewall like “ufw”,
- update regularly,
- install “firejail” and all the standard configuration profiles with “sudo firecfg” or (to avoid a possible hiccup) run just your browsers with firejail,
- remember that you are likely behind a router with its security features.
Please keep in mind that other Linux distros without Apparmor or SELinux by default like PCLOS have (as far as I know) not reported any security disasters. I really think rolling release with tweaks like those above works quite well. Of course a level of 100% security is not available.
Sorry for the late reply. I guess it depends on how your installation was made?
I installed my current system via CLI and apparmor was not enabled by default.
I enabled it as per ArchWiki.
These are the kernel parameters that enable apparmor on most installations. I guess this was done at some point by the graphical installer. Not anymore on