Is Manjaro security enhanced with SELinux or AppArmor and a firewall? Does it need installation?
Manjaro supports AppArmor, but it’s not activated by default (at least I think so).
SELinux is not currently supported. See SELinux: Current status in Arch Linux
Is this AppArmor important? Do I need it?
Thank you
In recent .iso (xfce) it seemed to be installed by default, but maybe not activated. I don’t recall. In any case install apparmor, if not installed.
Enable apparmor: systemctl enable apparmor.service
add in grub to GRUB_CMDLINE_LINUX_DEFAULT
apparmor=1 security=apparmor
then update grub: sudo update-grub
Restart computer
Then check in terminal:
aa-enabled
systemctl status apparmor
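The steps in the post above can be checked with a short script. This is an added example, not part of the original thread: the function names are hypothetical, and it looks only for the two parameters quoted in the post, comparing what is configured in the GRUB defaults file with what the running kernel was booted with.

```shell
#!/bin/sh
# Added example (not from the thread): check the AppArmor boot parameters
# named in the post. Function names are hypothetical.

# Print the value of the last uncommented GRUB_CMDLINE_LINUX_DEFAULT line.
grub_default_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=//p' "$1" \
        | tail -n 1 | tr -d "\"'"
}

# Succeed only if both parameters appear as whole words in the string.
has_aa_params() {
    line=" $(printf '%s' "$1" | tr '\t\n' '  ') "
    case "$line" in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case "$line" in *" security=apparmor "*) return 0 ;; esac
    return 1
}

# aa_boot_report GRUB_FILE CMDLINE_FILE
# Returns 0: configured and active, 1: not configured, 2: configured only.
aa_boot_report() {
    configured=$(grub_default_cmdline "$1")
    running=$(cat "$2")
    if ! has_aa_params "$configured"; then
        echo "not configured in $1: add apparmor=1 security=apparmor"
        return 1
    fi
    if ! has_aa_params "$running"; then
        echo "configured, but the running kernel lacks the parameters:"
        echo "run update-grub and restart"
        return 2
    fi
    echo "AppArmor parameters are configured and active"
}

# Check the live system only when asked: sh aa-boot-check.sh --live
if [ "${1:-}" = "--live" ]; then
    aa_boot_report /etc/default/grub /proc/cmdline
fi
```

A return code of 2 is the usual result of editing /etc/default/grub without running update-grub or restarting afterwards.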
It is enabled by default, although the amount of profiles that are enforced on a default installation is pretty close to zero.
On a fairly recent Manjaro KDE installation (in VM):
[froggy@kde ~]$ sudo aa-status
[sudo] password for froggy:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
lsb_release
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
[froggy@kde ~]$
apparmor is at least prepackaged in any version with SNAP …
whether or not those profiles are very effective
(or even enabled via snapd.apparmor.service as opposed to snapd.service … well I wouldn't know as SNAPs are not my thing)
…
darnit @Frog
Anyhoo…
“Security is something you configure”
https://wiki.archlinux.org/index.php/Security
It is enabled by default,
I just checked
thanks for the tip
Firejail and netfilter will not conflict with Apparmor will it, nor each other?
Novatian,
I am an average Joe user but I guess you will feel much better if you consider the following:
- install the security check tool “lynis” from the official repo and make a check of a default install of Manjaro (pretty good),
- visit the website “Shields up!” and make all the tests there, you will also feel satisfied,
- run a firewall like “ufw”,
- update regularly,
- install “firejail” and all the standard configuration profiles with “sudo firecfg” or (to avoid a possible hiccup) run just your browsers with firejail,
- remember that you are likely behind a router with its security features.
Please keep in mind that other Linux distros without Apparmor or SELinux by default like PCLOS have (as far as I know) not reported any security disasters. I really think rolling release with tweaks like those above works quite well. Of course a level of 100% security is not available.
Sorry for the late reply. I guess it depends on how your installation was made?
I installed my current system via CLI and apparmor was not enabled by default.
I enabled it as per ArchWiki.
These are the kernel parameters that enable apparmor on most installations. I guess this was done at some point by the graphical installer. Not anymore on /etc/default/grub though: