Graphic frontend for something like AppArmor

dolphin

Graphic frontend for something like AppArmor

Post by dolphin »

I'm a new Mint and Linux user. I wish users could have more control over applications' access to the internet. For Windows firewalls it is a basic feature to restrict or block internet access for every program separately. I have found AppArmor, but for beginners there should be an application with a graphic frontend built into Mint that would do a similar job.
https://help.ubuntu.com/community/AppArmor
JasonLG

Re: Graphic frontend for something like AppArmor

Post by JasonLG »

dolphin wrote:I'm a new Mint and Linux user. I wish users could have more control over applications' access to the internet. For Windows firewalls it is a basic feature to restrict or block internet access for every program separately. I have found AppArmor, but for beginners there should be an application with a graphic frontend built into Mint that would do a similar job.
https://help.ubuntu.com/community/AppArmor

AppArmor isn't a firewall. Mint has a very effective built-in firewall; it's called iptables. Iptables has many GUI frontends to choose from. The one I find useful is Gufw. It can be configured to block all traffic in and out except what you explicitly allow.
dolphin

Re: Graphic frontend for something like AppArmor

Post by dolphin »

In iptables, to block an outgoing connection from a program that I have installed on my PC I have to know the IP address of the outgoing connection. How am I supposed to know it? When it has already started to connect it is too late to block it, even when I notice it. This simply doesn't make sense to me. Anyway, I'm concerned about my privacy. For example my organizers with private addresses and data. The only thing I can do now is to believe that program developers for Linux don't put in their software anything that may collect data, not necessarily private but for example marketing data. The problem will increase when there are more commercial programs for Linux.
JasonLG

Re: Graphic frontend for something like AppArmor

Post by JasonLG »

dolphin wrote:In iptables, to block an outgoing connection from a program that I have installed on my PC I have to know the IP address of the outgoing connection. How am I supposed to know it? When it has already started to connect it is too late to block it, even when I notice it. This simply doesn't make sense to me. Anyway, I'm concerned about my privacy. For example my organizers with private addresses and data. The only thing I can do now is to believe that program developers for Linux don't put in their software anything that may collect data, not necessarily private but for example marketing data. The problem will increase when there are more commercial programs for Linux.
No you don't; all you have to do is block all outgoing traffic and set rules to only allow programs you specify. All you need to know is what ports they are using and optionally what protocol. Gufw is a very simple way to configure iptables, give it a try.
dolphin

Re: Graphic frontend for something like AppArmor

Post by dolphin »

JasonLG wrote:All you need to know is what ports they are using and optionally what protocol.
:lol:
Yeah, how am I supposed to know it? When the user sees an unwanted connection it's already too late to block it. Crazy Linux thinking. A firewall should work like Zone Alarm does. When any process wants to connect to the internet a message pops up in a learning mode and the user decides whether to allow it or not.
JasonLG

Re: Graphic frontend for something like AppArmor

Post by JasonLG »

dolphin wrote:
JasonLG wrote:All you need to know is what ports they are using and optionally what protocol.
:lol:
Yeah, how am I supposed to know it? When the user sees an unwanted connection it's already too late to block it. Crazy Linux thinking. A firewall should work like Zone Alarm does. When any process wants to connect to the internet a message pops up in a learning mode and the user decides whether to allow it or not.
You'll know the same way everyone else figures that stuff out, by reading the man pages, how-tos and the program's site. If you expect to be spoon-fed information then Linux may not be for you. In general being a Linux user means reading and learning for yourself.

Nothing crazy about it. If you do what I said, block all outgoing connections and only allow programs you want, you will not have any "unwanted connections" because everything is blocked except for what you expressly let through. :roll: You apparently didn't read my post very well.

If you want more bells and whistles try http://www.fs-security.com/.
dolphin

Re: Graphic frontend for something like AppArmor

Post by dolphin »

JasonLG wrote:In general being a Linux user means reading and learning for yourself.
Well, I'm not in favor of this attitude. Although I have to go through this stage as a new Linux user, I appreciate it if there is a simple, yet full-featured application. My attitude is that the user shouldn't have to think too much about the OS but instead use programs and be able to forget about the OS. I really appreciate the great job of the developers of Linux and that Linux is free of charge, but there is nothing wrong when I want applications to be fully-featured and more user friendly. There is a difference between desktop users and trained IT specialists.
Let's say I will catch a virus or a keylogger (sooner or later they will also exist for Linux) and using 'man' won't help me.
JasonLG wrote:If you do what I said, block all outgoing connections and only allow programs you want, you will not have any "unwanted connections" because everything is blocked except for what you expressly let through.
If I have outgoing port 80 open for Firefox and Opera, some programs or viruses or keyloggers may use it. If somebody someday creates a keylogger for Linux you will not be warned or informed which port or IP it uses.
JasonLG wrote:If you expect to be spoon-fed information then Linux may not be for you.
I don't expect that. I expect to use a user friendly OS designed not specifically for IT professionals and servers but for ordinary people who want to use programs with graphic applications and not be forced to read and learn all the time. I prefer to use my time for taking advantage of applications. That is the reason why people use Linux for desktop.

Now I use Net activity viewer. I thought about something similar implemented in a firewall but with the ability to block outgoing connections, and information about them that pops up so the user can decide what to do. It is nothing more than Windows users already have. Why can't Linux be equally simple? If you prefer to type in a terminal you can still do it. But I don't and I think many new Linux users would share my viewpoint.
altair4
Level 20
Posts: 11458
Joined: Tue Feb 03, 2009 10:27 am

Re: Graphic frontend for something like AppArmor

Post by altair4 »

May I ask what kind of environment you are running in that requires you to use things like firewall rules utilities and AppArmor?

Are you not behind a router?

You seek a GUI for AppArmor. You presume that the rest of us use AppArmor without a GUI. I'm guessing most of us don't use AppArmor at all unless it's in the default somewhere and I've been using it without knowing.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
dolphin

Re: Graphic frontend for something like AppArmor

Post by dolphin »

I don't use a router. I just got used to windows firewalls. For me it should look for example like this:
http://support.avast.com/index.php?_m=k ... 0,1#idt_02
see Figure VIII. A
I don't understand why it is so strange for you. For me it is a normal firewall feature.
altair4

Re: Graphic frontend for something like AppArmor

Post by altair4 »

dolphin wrote:I don't understand why it is so strange for you. For me it is a normal firewall feature.
Probably because I don't touch, alter, or in any way modify the built-in iptables settings on a base Linux install.
I vaguely remember reading about AppArmor years ago when I still had SuSE running somewhere and thought it was some kind of kiosk utility.

Anyway I don't want to get into a "Why can't linux be more like Windows" kind of argument. I was just kind of curious as to why your interest seems to be centered around security.
libssd
Level 4
Posts: 288
Joined: Tue Jun 22, 2010 11:26 am

Re: Graphic frontend for something like AppArmor

Post by libssd »

Technically Gufw is a GUI, but, to put it charitably, documentation is "terse."

Thanks for the reminder about Firestarter.

There is a very good thread on security on the Ubuntu forums: http://ubuntuforums.org/showthread.php?t=510812

The author provides a pretty good brief summary of the topic:
Security is an ongoing process and, like an onion, it has layers and stinks. The best defense you have is to read and learn how to secure your OS.
To which he adds:
If you are coming from a Windows background you are used to terms like antivirus, spyware, and firewalls. Linux is different and these are not as important. They are discussed first because these are FAQ on the forums. Unfortunately, it is sometimes difficult for new users to wade through some of the FUD (some of which is produced by anti-virus companies) ...
Last edited by libssd on Tue Jul 06, 2010 2:40 pm, edited 1 time in total.
JasonLG

Re: Graphic frontend for something like AppArmor

Post by JasonLG »

I'm sorry that you're "not in favor of that attitude". But it's not an attitude, it's the truth. The fact that Linux is not created by a central company like Microsoft or Apple means that there is no one place to go to for all the information. You're going to have to do some searching and reading of various sources if you want to learn about Linux.

Linux isn't like Windows. Because of the permissions system in Linux you would have to actually manually install a virus or keylogger. So for the most part if you get either it would be because you were stupid enough to install them yourself. They can't install themselves like in Windows. I think your worries are unfounded, in general viruses are not much of a concern on Linux and developers of open source software are not in the habit of writing malicious software.

1st, Linux is not Windows. 2nd, my guess why no one has written an app like you describe is because it isn't needed. If you think you need it so badly then write it; if you don't know how, learn how; if you don't want to learn how then don't complain.

I'm a GUI guy myself but if you're that desperately afraid of the terminal then Linux is not for you.
dolphin wrote:I don't use a router. I just got used to windows firewalls. For me it should look for example like this:
http://support.avast.com/index.php?_m=k ... 0,1#idt_02
see Figure VIII. A
I don't understand why it is so strange for you. For me it is a normal firewall feature.
That's not a firewall, it's an anti-virus, which by the way has a Linux version.

You need to read these 2 things before you complain anymore.

http://linux.oneandoneis2.org/LNW.htm
http://forums.linuxmint.com/viewtopic.php?f=90&t=31723
libssd

Re: Graphic frontend for something like AppArmor

Post by libssd »

My use of Linux is entirely from a netbook, and I've been fairly lazy about security, knowing that it's by design less insecure than Windows. At the moment I have taken these steps:

1. Firewall enabled (incoming Deny; outgoing Allow) via Gufw
2. Apparmor-profiles, apparmor-utils and apparmor packages installed
3. Manually added profile for Chrome browser from <dead link removed, it's now malware website>

I know the answer to the question "is this enough" is almost always "it depends" but is there anything else I absolutely should be doing?

Code:

$ sudo apparmor_status
apparmor module is loaded.
31 profiles are loaded.
11 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   /usr/share/gdm/guest-session/Xsession
20 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/traceroute
4 processes have profiles defined.
2 processes are in enforce mode :
   /sbin/dhclient3 (2098) 
   /usr/sbin/cupsd (1273) 
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (664) 
   /usr/sbin/avahi-daemon (660) 
0 processes are unconfined but have a profile defined.
altair4

Re: Graphic frontend for something like AppArmor

Post by altair4 »

libssd, Now you got my attention.

I noticed the following in your list of profiles:
dhclient3
cups-pdf
cupsd
ping
avahi-daemon
dnsmasq
mdnsd
nmbd
smbd
All of those will impact samba, cups, and probably other types of resource sharing across the LAN.

I have two very important questions I would like to ask you.

If I'm trying to help someone with a samba problem I take it this will tell me if he's using apparmor ?:

Code:

sudo apparmor_status

Is there a corresponding command that will disable it or stop it, like:

Code:

sudo apparmor_stop

?

EDIT: Been searching around. It looks like it's a service so it obeys the normal service rules:
sudo service apparmor start
sudo service apparmor stop
sudo service apparmor restart
Is this correct?
libssd

Re: Graphic frontend for something like AppArmor

Post by libssd »

I was messing around with a bunch of security settings this afternoon, after which my CUPS printers disappeared. I just restored from a backup, and they are again visible, BUT...

Code:

$ sudo apparmor_status
[sudo] password for libssd: 
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   /usr/share/gdm/guest-session/Xsession
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
   /sbin/dhclient3 (1881) 
   /usr/sbin/cupsd (1025) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
So, AppArmor doesn't seem to be blocking CUPS traffic.

Backups are golden; restores are priceless.
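
For the troubleshooting question raised above (is AppArmor involved in a Samba or CUPS problem on this machine), the part of the `apparmor_status` listing that matters is the mode: a profile in complain mode only logs what it would have denied, while a profile in enforce mode can actually deny access. The script below is an added example, not posted by anyone in the thread; the function names `profile_mode` and `enforced_among` are made up here, and the sample text is constructed in the format of the listings above.

```shell
#!/bin/sh
# Constructed sample in the format of the apparmor_status listings above.
SAMPLE='apparmor module is loaded.
6 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
3 profiles are in complain mode.
   /usr/sbin/avahi-daemon
   /usr/sbin/nmbd
   /usr/sbin/smbd
4 processes have profiles defined.
2 processes are in enforce mode :
   /sbin/dhclient3 (2098)
   /usr/sbin/cupsd (1273)
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (664)
   /usr/sbin/avahi-daemon (660)
0 processes are unconfined but have a profile defined.'

# profile_mode NAME: read apparmor_status text on stdin and print
# "enforce", "complain" or "none" for the profile whose path ends in /NAME.
profile_mode() {
    awk -v name="$1" '
        / profiles are in enforce mode/  { section = "enforce";  next }
        / profiles are in complain mode/ { section = "complain"; next }
        /^[0-9]+ /                       { section = "";         next }  # any other count line ends a profile list
        section != "" {
            n = split($1, parts, "/")        # compare on the binary name only
            if (parts[n] == name) { print section; found = 1; exit }
        }
        END { if (!found) print "none" }
    '
}

# enforced_among NAME...: read apparmor_status text on stdin and print the
# names whose profile is in enforce mode, i.e. the only ones AppArmor can block.
enforced_among() {
    status=$(cat)
    out=""
    for name in "$@"; do
        mode=$(printf '%s\n' "$status" | profile_mode "$name")
        if [ "$mode" = "enforce" ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# On a live system: sudo apparmor_status | enforced_among smbd nmbd cupsd
printf '%s\n' "$SAMPLE" | enforced_among smbd nmbd cupsd avahi-daemon
```

On the constructed sample only `cupsd` is reported, because `smbd`, `nmbd` and `avahi-daemon` are in complain mode there.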
altair4

Re: Graphic frontend for something like AppArmor

Post by altair4 »

Good grief, Diagnosing a Samba problem is hard enough now I have to tell them to stop the apparmor service :lol:
Sorry for the hijack folks. It just never occurred to me to even ask if they were running it.
libssd

Re: Graphic frontend for something like AppArmor

Post by libssd »

altair4 wrote:Good grief, Diagnosing a Samba problem is hard enough now I have to tell them to stop the apparmor service :lol:
Sorry for the hijack folks. It just never occurred to me to even ask if they were running it.
That sounds like a positive outcome from this thread. :mrgreen:
dolphin

Re: Graphic frontend for something like AppArmor

Post by dolphin »

JasonLG wrote:That's not a firewall, it's an anti-virus, which by the way has a Linux version.
It's not only antivirus. It's Internet Security, which means it's a firewall too. Old Linux users have trouble admitting that some Linux applications are underdeveloped. :twisted: I'm talking about AppArmor.
It's the year 2010. Writing in Terminal is a sad joke for desktop users.

"The most convenient interface to AppArmor is provided by means of the AppArmor YaST modules which can be used either in graphical or ncurses mode. "
Novell Doc: AppArmor Quick Start

Why not in Mint?
libssd

Re: Graphic frontend for something like AppArmor

Post by libssd »

After a lot of searching, I've come to the conclusion that nobody has built a YAST deb package for Ubuntu/Mint, and such seems unlikely. There are a lot of negative comments about YAST, such as this:
yast is terrible to compile and it is definitely not helping ubuntu in any way imho. i know of other linux-distros that try to get that thing running and it only complicates life, crashes and behaves in an unpredicted way (i am a linux developer myself ;)). the ubuntu distro is working the way it is. so why change its simplicity and mess it up with a very problematic tool?
altair4

Re: Graphic frontend for something like AppArmor

Post by altair4 »

dolphin wrote:Old Linux users have trouble admitting that some Linux applications are underdeveloped. :twisted: I'm talking about AppArmor.
It's the year 2010. Writing in Terminal is a sad joke for desktop users.
This is going to be my last post in this topic because this is getting silly and I've added to it.

Once again you've made the assumption that we are all using AppArmor from the command line. I'm on three different forums ( none of them SuSE related ) and AppArmor in any form has only been mentioned by two users and that's in this topic. If more people used it ( say 3 for example ) then maybe somebody who could would write a GUI for it.