Apparmor unconfined & unconfined --paranoid

ScrambledEggs

I've literally been researching/noting/applying AppArmor all day. I currently have 55 profiles in enforce mode and 0 in complain mode. I then used the commands 'aa-unconfined' & 'aa-unconfined --paranoid' to see what the output would be.

aa-unconfined output:
712 /lib/systemd/systemd-resolved not confined
757 /usr/sbin/NetworkManager not confined

aa-unconfined --paranoid output:
1 /lib/systemd/systemd (/sbin/init) not confined
355 /lib/systemd/systemd-journald not confined
382 / (deleted) not confined
402 /lib/systemd/systemd-udevd not confined
712 /lib/systemd/systemd-resolved not confined
713 /lib/systemd/systemd-timesyncd not confined
751 /usr/lib/accountsservice/accounts-daemon not confined
752 /usr/sbin/acpid not confined
755 /usr/sbin/cron not confined
756 /usr/bin/dbus-daemon not confined
757 /usr/sbin/NetworkManager not confined
765 /usr/sbin/irqbalance not confined
773 /usr/bin/python3.8 (/usr/bin/python3) not confined
780 /usr/lib/policykit-1/polkitd not confined
784 /usr/sbin/rsyslogd confined by '/usr/sbin/rsyslogd (enforce)'
790 /usr/sbin/smartd not confined
793 /lib/systemd/systemd-logind not confined
796 /usr/sbin/thermald not confined
803 /usr/lib/udisks2/udisksd not confined
805 /sbin/wpa_supplicant not confined
882 /usr/sbin/ModemManager not confined
963 /usr/sbin/lightdm not confined
971 /usr/lib/xorg/Xorg not confined
973 /sbin/agetty not confined
1010 /usr/libexec/rtkit-daemon not confined
1053 /usr/sbin/lightdm not confined
1091 /usr/sbin/kerneloops not confined
1094 /usr/sbin/kerneloops not confined
1109 /lib/systemd/systemd not confined
1110 /lib/systemd/systemd not confined
1118 /usr/bin/pulseaudio not confined
1121 /usr/bin/gnome-keyring-daemon not confined
1124 /usr/bin/cinnamon-session not confined
1136 /usr/bin/dbus-daemon not confined
1205 /usr/libexec/at-spi-bus-launcher not confined
1210 /usr/bin/dbus-daemon not confined
1213 /usr/libexec/at-spi2-registryd not confined
1223 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-keyboard not confined
1224 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-xsettings not confined
1228 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-color not confined
1230 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-housekeeping not confined
1234 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-cursor not confined
1235 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-print-notifications not confined
1236 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-xrandr not confined
1246 /usr/libexec/gvfsd not confined
1250 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-automount not confined
1253 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-clipboard not confined
1260 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-sound not confined
1261 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-a11y-settings not confined
1265 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-media-keys not confined
1267 /usr/libexec/gvfsd-fuse not confined
1269 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-orientation not confined
1281 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-power not confined
1282 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-background not confined
1283 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-a11y-keyboard not confined
1284 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-wacom not confined
1285 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-screensaver-proxy not confined
1286 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-mouse not confined
1290 /usr/libexec/gvfs-udisks2-volume-monitor not confined
1296 /usr/libexec/gvfs-mtp-volume-monitor not confined
1300 /usr/libexec/gvfs-afc-volume-monitor not confined
1305 /usr/libexec/gvfs-gphoto2-volume-monitor not confined
1309 /usr/libexec/gvfs-goa-volume-monitor not confined
1313 /usr/libexec/goa-daemon not confined
1314 /usr/lib/upower/upowerd not confined
1334 /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-printer not confined
1344 /usr/libexec/colord not confined
1368 /usr/libexec/dconf-service not confined
1383 /usr/libexec/goa-identity-service not confined
1410 /usr/bin/python3.8 not confined
1414 /usr/bin/cinnamon not confined
1440 /usr/libexec/xapps/sn-watcher/xapp-sn-watcher not confined
1470 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 not confined
1471 /usr/bin/nemo-desktop not confined
1473 /usr/libexec/geoclue-2.0/demos/agent not confined
1476 /usr/bin/nm-applet not confined
1482 /usr/libexec/evolution-data-server/evolution-alarm-notify not confined
1483 /usr/bin/python3.8 not confined
1484 /usr/bin/kgpg not confined
1497 /usr/bin/perl (/usr/bin/perl /usr/bin/aa-notify -p -s 1 -w 60) not confined
1521 /usr/libexec/evolution-source-registry not confined
1528 /usr/libexec/evolution-calendar-factory not confined
1543 /usr/libexec/evolution-addressbook-factory not confined
1576 /usr/bin/gpg-agent not confined
1581 /usr/libexec/gvfsd-trash not confined
1589 /usr/libexec/gvfsd-metadata not confined
1593 /usr/bin/python3.8 not confined
1630 /usr/bin/python3.8 not confined
1676 /usr/bin/python3.8 not confined
1815 /usr/lib/firefox/firefox confined by 'firefox (enforce)'
1879 /usr/lib/firefox/firefox confined by 'firefox (enforce)'
1948 /usr/lib/firefox/firefox confined by 'firefox (enforce)'
1997 /usr/lib/firefox/firefox confined by 'firefox (enforce)'
2058 /usr/libexec/gnome-terminal-server not confined
2068 /bin/bash (bash) not confined
2093 /usr/bin/sudo not confined
2094 /usr/bin/python3.8 (/usr/bin/python3) not confined

Is my next step to ensure that all the processes are profiled and put in enforce mode?
Also, under 'aa-unconfined --paranoid' all the firefox processes are in enforced mode but when I actually use firefox, they show up here. The same with 'rsyslogd'.

Any help would be greatly appreciated.

I noticed there isn't much in-depth explanation on configuring AppArmor.
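
A way to triage the two listings above, given here as an added example that is not part of the original post: per aa-unconfined(8), the plain run reports only processes with open network sockets, so executables that appear in it are separated from the rest of the `--paranoid` listing and the confined entries are grouped by profile and mode. The function names and the line-format regex are assumptions derived from the output shown in the post.

```python
import re
from collections import Counter

# Line format as it appears in the post: PID, executable, optional "(detail)", status.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<exe>\S+)(?:\s+\((?P<detail>.*)\))?\s+"
    r"(?:not confined|confined by '(?P<profile>.+) \((?P<mode>\w+)\)')$"
)

def parse(text):
    """Yield one dict per recognised status line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(plain_text, paranoid_text):
    """Split the --paranoid listing into confined, network-facing and other processes."""
    network = {p["exe"] for p in parse(plain_text) if p["profile"] is None}
    confined, net_unconfined, other = {}, Counter(), Counter()
    for p in parse(paranoid_text):
        if p["profile"] is not None:
            confined.setdefault((p["profile"], p["mode"]), []).append(int(p["pid"]))
        elif p["exe"] in network:
            net_unconfined[p["exe"]] += 1
        else:
            other[p["exe"]] += 1
    return {"confined": confined, "network_unconfined": net_unconfined, "other_unconfined": other}

# Sample input: lines copied from the two listings in the post above.
PLAIN = """\
712 /lib/systemd/systemd-resolved not confined
757 /usr/sbin/NetworkManager not confined
"""
PARANOID = """\
1 /lib/systemd/systemd (/sbin/init) not confined
382 / (deleted) not confined
712 /lib/systemd/systemd-resolved not confined
757 /usr/sbin/NetworkManager not confined
784 /usr/sbin/rsyslogd confined by '/usr/sbin/rsyslogd (enforce)'
1497 /usr/bin/perl (/usr/bin/perl /usr/bin/aa-notify -p -s 1 -w 60) not confined
1815 /usr/lib/firefox/firefox confined by 'firefox (enforce)'
1879 /usr/lib/firefox/firefox confined by 'firefox (enforce)'
2094 /usr/bin/python3.8 (/usr/bin/python3) not confined
"""

if __name__ == "__main__":
    report = triage(PLAIN, PARANOID)
    for (profile, mode), pids in report["confined"].items():
        print(f"confined  {profile} ({mode}): PIDs {pids}")
    for label in ("network_unconfined", "other_unconfined"):
        for exe, n in sorted(report[label].items()):
            print(f"{label:18} {exe} x{n}")
```

On a live system the two strings would be replaced by the captured output of `aa-unconfined` and `aa-unconfined --paranoid`.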
 


Do you really think you need this level of protection/security?

I have been using Linux since around 2014, without any other security than a firewall.

My browser is safeguarded by Malwarebytes and AdBlock Plus.

My passwords are protected by LastPass.

My PC is still quick and reliable.
 
I don't need this kind of security. I'm just wanting to know the ins and outs of Linux. And to be honest, in the 6-7 hours I spent on research today, I've learned a crap load. Basically, doing all this is helping me learn the processes, what they do, how they're connected, how to read error logs, how to comb thru the file system, etc. I'm learning the best I can, man.
 
Thanks! You guys will be hearing more from me. I'm using Linux Mint 20 as my base, and I have several VMs that I use to learn. So far I've tried Ku, Lu, Xu and Ubuntu, Kali, Debian, and a few others. I like Mint. In the beginning of my journey I was trying all types of Linux distros to see what features they offered and the different desktop environments. At the time I had 2 laptops and was trying all types of installs: USBs, external HDDs, EFI, BIOS, etc. I've experimented a lot. As for AppArmor, I've been working with that for a while on and off. Today I thought I'd knock it out; to my surprise it isn't easy...
 
