sudo apt-get install apparmor apparmor-utils apparmor-profiles rsyslog -y
cd /usr/share/apparmor/extra-profiles/
/etc/apparmor.d/  # profiles dir used by AppArmor
sudo systemctl start rsyslog && sudo systemctl enable rsyslog
sudo systemctl status apparmor
sudo systemctl enable --now apparmor

AppArmor for Automatic Security Profile Generation

sudo systemctl cat nginx.service

sudo aa-autodep /usr/sbin/nginx 

Activate a Profile

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx

Disable a Profile

sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.nginx

Remove a Profile

rm /etc/apparmor.d/usr.sbin.nginx

Complain Mode

sudo aa-complain /usr/sbin/nginx

Make rules from programm logging

sudo aa-logprof -f /etc/apparmor.d/usr.sbin.nginx or sudo aa-logprof

Enforce Mode

sudo aa-enforce /usr/sbin/nginx

Status

sudo aa-status

Logging

tail -f /var/log/syslog

tail -f kern.log

sudo dmesg | grep apparmor

sudo journalctl -t apparmor -f

Access:

• /var/log/nginx/ to the directory
• /var/log/nginx/* to files in the directory
• /var/log/nginx/** to all nested files and directories
• /var/run/nginx.pid rw, read, write acces
• owner /var/www/** rw, only to files owned (www-data) by the process running nginx

Main Access Rights Symbols

• r (read): Permission to read a file or directory.
• w (write): Permission to write to a file or directory.
• x (execute): Permission to execute a file.
• m (memory map): Permission to map a file to memory.
• k (lock): Permission to lock a file.
• l (link): Permission to create hard links to a file.
• a (append): Permission to append to a file.
• i (inherit): Permission for child processes to inherit the profile.
• Px (profile execute): Permission to execute a file with a specific profile.
• Cx (child execute): Permission to execute a file with a separate child profile.

Command Descriptions

• aa-audit: Set a profile to audit mode.
• aa-autodep: Automatically generate a basic profile for an application.
• aa-cleanprof: Remove unused rules from a profile.
• aa-complain: Set a profile to complain mode.
• aa-decode: Decode hex-encoded AppArmor messages.
• aa-disable: Disable a profile.
• aa-easyprof: Create or manage profiles with ease.
• aa-enforce: Set a profile to enforce mode.
• aa-enabled: List all enabled profiles.
• aa-exec: Execute a command confined by a specific profile.
• aa-features-abi: Show features and ABI version of AppArmor.
• aa-genprof: Generate a profile by monitoring application behavior.
• aa-logprof: Update profiles based on log events.
• aa-mergeprof: Merge multiple profiles into one.
• aa-remove-unknown: Remove unknown profiles or entries.
• aa-status: Show the current AppArmor status.
• aa-teardown: Unload all AppArmor profiles.
• aa-unconfined: List processes running without confinement.
• aa-update-browser: Update browser-related AppArmor profiles.