Security in Manjaro?

Is Manjaro security enhanced with SELinux or AppArmor and a firewall? Does it need installation?

1 Like

Manjaro supports AppArmor, but it’s not activated by default (at least I think so).

1 Like

SELinux is not currently supported. See SELinux: Current status in Arch Linux

Is this AppArmor important? Do I need it?

Thank you

In recent .iso (xfce) it seemed to be installed by default, but maybe not activated. I don’t recall. In any case install apparmor, if not installed.
Enable apparmor: systemctl enable apparmor.service

add in grub to GRUB_CMDLINE_LINUX_DEFAULT
apparmor=1 security=apparmor
then update grub: sudo update-grub

Restart computer

Then check in terminal:
aa-enabled

systemctl status apparmor

1 Like
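
The steps in the post above (kernel parameters in the grub defaults, restart, then verify) can be checked stage by stage. This shell script is an added example and not part of the thread; its function names are made up for illustration, and it assumes the `/etc/default/grub` path named later in the thread plus the kernel's standard `/proc/cmdline` and `/sys/kernel/security/lsm` files.

```sh
#!/bin/sh
# Added example, not from the thread. Read-only: it changes nothing.
# File paths are arguments so the logic can be run against constructed files.

# Print the value of the last active GRUB_CMDLINE_LINUX_DEFAULT= line in file $1.
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed only if command line string $1 holds both parameters from the post.
has_apparmor_params() {
    case " $1 " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# Succeed if the comma-separated LSM list in file $1 contains apparmor.
lsm_lists_apparmor() {
    tr ',' '\n' < "$1" | grep -qx 'apparmor'
}

# Report each stage; return non-zero if any stage fails.
check_apparmor() {
    grub_file=${1:-/etc/default/grub}
    booted=${2:-/proc/cmdline}
    lsm_file=${3:-/sys/kernel/security/lsm}
    rc=0
    if has_apparmor_params "$(grub_cmdline "$grub_file")"; then
        echo "OK   $grub_file sets apparmor=1 security=apparmor"
    else
        echo "FAIL $grub_file lacks the parameters (edit it, then update grub)"; rc=1
    fi
    if has_apparmor_params "$(cat "$booted")"; then
        echo "OK   running kernel was booted with the parameters"
    else
        echo "FAIL running kernel was booted without them (restart pending?)"; rc=1
    fi
    if lsm_lists_apparmor "$lsm_file"; then
        echo "OK   apparmor is an active security module"
    else
        echo "FAIL apparmor is not listed in $lsm_file"; rc=1
    fi
    return "$rc"
}

# Touch the live system only when asked: sh check-apparmor.sh live
if [ "${1:-}" = "live" ]; then check_apparmor; fi
```

A commented-out `#GRUB_CMDLINE_LINUX_DEFAULT=` line is ignored, so a stale comment that still mentions the parameters does not produce a false OK.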

It is enabled by default, although the amount of profiles that are enforced on a default installation is pretty close to zero.

On a fairly recent Manjaro KDE installation (in VM):

[froggy@kde ~]$ sudo aa-status
[sudo] password for froggy: 
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
[froggy@kde ~]$

4 Likes

apparmor is at least prepackaged in any version with SNAP …
whether or not those profiles are very effective
(or even enabled via snapd.apparmor.service as opposed to snapd.service … well I wouldn't know as SNAPs are not my thing)


darnit @Frog 😜

Anyhoo…
“Security is something you configure”
https://wiki.archlinux.org/index.php/Security

4 Likes

It is enabled by default,

I just checked

thanks for the tip

Firejail and netfilter will not conflict with AppArmor, will they, nor with each other?

Novatian,

I am an average Joe user but I guess you will feel much better if you consider the following:

  • install the security check tool “lynis” from the official repo and make a check of a default install of Manjaro (pretty good),
  • visit the website “Shields up!” and make all the tests there, you will also feel satisfied,
  • run a firewall like “ufw”,
  • update regularly,
  • install “firejail” and all the standard configuration profiles with “sudo firecfg” or (to avoid a possible hiccup) run just your browsers with firejail,
  • remember that you are likely behind a router with its security features.

Please keep in mind that other Linux distros without AppArmor or SELinux by default like PCLOS have (as far as I know) not reported any security disasters. I really think rolling release with tweaks like those above works quite well. Of course a level of 100% security is not available.

1 Like

Sorry for the late reply. I guess it depends on how your installation was made?

I installed my current system via CLI and apparmor was not enabled by default.
I enabled it as per ArchWiki.

These are the kernel parameters that enable apparmor on most installations. I guess this was done at some point by the graphical installer. Not anymore on /etc/default/grub though: