major.io - Words of wisdom from a Linux engineer focused on information security

Troubleshooting CyberPower PowerPanel issues in Linux

July 25, 2017 By Major Hayden 4 Comments

I have a CyberPower BRG1350AVRLCD at home and I’ve just connected it to a new device. However, the pwrstat command doesn’t retrieve any useful data on the new system:

# pwrstat -status

The UPS information shows as following:


    Current UPS status:
        State........................ Normal
        Power Supply by.............. Utility Power
        Last Power Event............. None

# pwrstat -status

The UPS information shows as following:

Current UPS status:

State........................ Normal

Power Supply by.............. Utility Power

Last Power Event............. None

I disconnected the USB cable and ran pwrstat again. Same output. I disconnected power from the UPS itself and ran pwrstat again. Same output. This can’t be right.

Checking the basics

A quick look at dmesg output shows that the UPS is connected and the kernel recognizes it:

[   65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd
[   65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501
[   65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2
[   65.830772] usb 3-1: Product: BRG1350AVRLCD
[   65.830773] usb 3-1: Manufacturer: CPS
[   65.830773] usb 3-1: SerialNumber: xxxxxxxxx
[   65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

[ 65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd

[ 65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501

[ 65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2

[ 65.830772] usb 3-1: Product: BRG1350AVRLCD

[ 65.830773] usb 3-1: Manufacturer: CPS

[ 65.830773] usb 3-1: SerialNumber: xxxxxxxxx

[ 65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

I checked the /var/log/pwrstatd.log file to see if there were any errors:

2017/07/25 12:01:17 PM  Daemon startups.
2017/07/25 12:01:24 PM  Communication is established.
2017/07/25 12:01:27 PM  Low Battery capacity is restored.
2017/07/25 12:05:19 PM  Daemon stops its service.
2017/07/25 12:05:19 PM  Daemon startups.
2017/07/25 12:05:19 PM  Communication is established.
2017/07/25 12:05:22 PM  Low Battery capacity is restored.
2017/07/25 12:06:27 PM  Daemon stops its service.

2017/07/25 12:01:17 PM Daemon startups.

2017/07/25 12:01:24 PM Communication is established.

2017/07/25 12:01:27 PM Low Battery capacity is restored.

2017/07/25 12:05:19 PM Daemon stops its service.

2017/07/25 12:05:19 PM Daemon startups.

2017/07/25 12:05:19 PM Communication is established.

2017/07/25 12:05:22 PM Low Battery capacity is restored.

2017/07/25 12:06:27 PM Daemon stops its service.

The pwrstatd daemon can see the device and communicate with it. This is unusual.

Digging into the daemon

If the daemon can truly see the UPS, then what is it talking to? I used lsof to examine what the pwrstatd daemon is doing:

# lsof -p 3975
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF      NODE NAME
pwrstatd 3975 root  cwd    DIR               8,68      224        96 /
pwrstatd 3975 root  rtd    DIR               8,68      224        96 /
pwrstatd 3975 root  txt    REG               8,68   224175 134439879 /usr/sbin/pwrstatd
pwrstatd 3975 root  mem    REG               8,68  2163104 134218946 /usr/lib64/libc-2.25.so
pwrstatd 3975 root  mem    REG               8,68  1226368 134218952 /usr/lib64/libm-2.25.so
pwrstatd 3975 root  mem    REG               8,68    19496 134218950 /usr/lib64/libdl-2.25.so
pwrstatd 3975 root  mem    REG               8,68   187552 134218939 /usr/lib64/ld-2.25.so
pwrstatd 3975 root    0r   CHR                1,3      0t0      1028 /dev/null
pwrstatd 3975 root    1u  unix 0xffff9e395e137400      0t0     37320 type=STREAM
pwrstatd 3975 root    2u  unix 0xffff9e395e137400      0t0     37320 type=STREAM
pwrstatd 3975 root    3u  unix 0xffff9e392f0c0c00      0t0     39485 /var/pwrstatd.ipc type=STREAM
pwrstatd 3975 root    4u   CHR             180,96      0t0     50282 /dev/ttyS1

# lsof -p 3975

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

pwrstatd 3975 root cwd DIR 8,68 224 96 /

pwrstatd 3975 root rtd DIR 8,68 224 96 /

pwrstatd 3975 root txt REG 8,68 224175 134439879 /usr/sbin/pwrstatd

pwrstatd 3975 root mem REG 8,68 2163104 134218946 /usr/lib64/libc-2.25.so

pwrstatd 3975 root mem REG 8,68 1226368 134218952 /usr/lib64/libm-2.25.so

pwrstatd 3975 root mem REG 8,68 19496 134218950 /usr/lib64/libdl-2.25.so

pwrstatd 3975 root mem REG 8,68 187552 134218939 /usr/lib64/ld-2.25.so

pwrstatd 3975 root 0r CHR 1,3 0t0 1028 /dev/null

pwrstatd 3975 root 1u unix 0xffff9e395e137400 0t0 37320 type=STREAM

pwrstatd 3975 root 2u unix 0xffff9e395e137400 0t0 37320 type=STREAM

pwrstatd 3975 root 3u unix 0xffff9e392f0c0c00 0t0 39485 /var/pwrstatd.ipc type=STREAM

pwrstatd 3975 root 4u CHR 180,96 0t0 50282 /dev/ttyS1

Wait a minute. The last line of the lsof output shows that pwrstatd is talking to /dev/ttyS1, but the device is supposed to be a hiddev device over USB. If you remember, we had this line in dmesg when the UPS was plugged in:

hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

1	hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

Things are beginning to make more sense now. I have a USB-to-serial device that allows my server to talk to the console port on my Cisco switch:

[   80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd
[   80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303
[   80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[   80.558028] usb 3-1: Product: USB-Serial Controller D
[   80.558029] usb 3-1: Manufacturer: Prolific Technology Inc. 
[   80.558308] pl2303 3-1:1.0: pl2303 converter detected
[   80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0

[ 80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd

[ 80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303

[ 80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[ 80.558028] usb 3-1: Product: USB-Serial Controller D

[ 80.558029] usb 3-1: Manufacturer: Prolific Technology Inc.

[ 80.558308] pl2303 3-1:1.0: pl2303 converter detected

[ 80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0

It appears that pwrstatd is trying to talk to my Cisco switch (through the USB-to-serial adapter) rather than my UPS! I’m sure they could have a great conversation together, but it’s hardly productive.

Fixing it

The /etc/pwrstatd.conf has a relevant section:

# The pwrstatd accepts four types of device node which includes the 'ttyS',
# 'ttyUSB', 'hiddev', and 'libusb' for communication with UPS. The pwrstatd
# defaults to enumerate all acceptable device nodes and pick up to use an
# available device node automatically. But this may cause a disturbance to the
# device node which is occupied by other software. Therefore, you can restrict
# this enumerate behave by using allowed-device-nodes option. You can assign
# the single device node path or multiple device node paths divided by a
# semicolon at this option. All groups of 'ttyS', 'ttyUSB', 'hiddev', or
# 'libusb' device node are enumerated without a suffix number assignment.
# Note, the 'libusb' does not support suffix number only.
#
# For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev
# path only.
# allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1
#
# For example: restrict to use ttyS and ttyUSB two groups of device node at
# /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to
# ttyUSBN, N is number).
# allowed-device-nodes = ttyS;ttyUSB
#
# For example: restrict to use hiddev group of device node at /dev,/dev/usb,
# and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).
# allowed-device-nodes = hiddev
#
# For example: restrict to use libusb device.
# allowed-device-nodes = libusb
allowed-device-nodes =

# The pwrstatd accepts four types of device node which includes the 'ttyS',

# 'ttyUSB', 'hiddev', and 'libusb' for communication with UPS. The pwrstatd

# defaults to enumerate all acceptable device nodes and pick up to use an

# available device node automatically. But this may cause a disturbance to the

# device node which is occupied by other software. Therefore, you can restrict

# this enumerate behave by using allowed-device-nodes option. You can assign

# the single device node path or multiple device node paths divided by a

# semicolon at this option. All groups of 'ttyS', 'ttyUSB', 'hiddev', or

# 'libusb' device node are enumerated without a suffix number assignment.

# Note, the 'libusb' does not support suffix number only.

# For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev

# path only.

# allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1

# For example: restrict to use ttyS and ttyUSB two groups of device node at

# /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to

# ttyUSBN, N is number).

# allowed-device-nodes = ttyS;ttyUSB

# For example: restrict to use hiddev group of device node at /dev,/dev/usb,

# and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).

# allowed-device-nodes = hiddev

# For example: restrict to use libusb device.

# allowed-device-nodes = libusb

allowed-device-nodes =

We need to explicitly tell pwrstatd to talk to the UPS on /dev/hid/hiddev0:

allowed-device-nodes = /dev/usb/hiddev0

1	allowed-device-nodes = /dev/usb/hiddev0

Let’s restart the pwrstatd daemon and see what we get:

# systemctl restart pwrstatd
# pwrstat -status

The UPS information shows as following:

    Properties:
        Model Name................... BRG1350AVRLCD
        Firmware Number..............
        Rating Voltage............... 120 V
        Rating Power................. 810 Watt(1350 VA)

    Current UPS status:
        State........................ Normal
        Power Supply by.............. Utility Power
        Utility Voltage.............. 121 V
        Output Voltage............... 121 V
        Battery Capacity............. 100 %
        Remaining Runtime............ 133 min.
        Load......................... 72 Watt(9 %)
        Line Interaction............. None
        Test Result.................. Unknown
        Last Power Event............. None

# systemctl restart pwrstatd

# pwrstat -status

The UPS information shows as following:

Properties:

Model Name................... BRG1350AVRLCD

Firmware Number..............

Rating Voltage............... 120 V

Rating Power................. 810 Watt(1350 VA)

Current UPS status:

State........................ Normal

Power Supply by.............. Utility Power

Utility Voltage.............. 121 V

Output Voltage............... 121 V

Battery Capacity............. 100 %

Remaining Runtime............ 133 min.

Load......................... 72 Watt(9 %)

Line Interaction............. None

Test Result.................. Unknown

Last Power Event............. None

Success!

Photo credit: Wikipedia

Apply the STIG to even more operating systems with ansible-hardening

July 21, 2017 By Major Hayden Leave a Comment

Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month. The role has a new name, new documentation and extra tests.

The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.

These controls are now applied to an even wider variety of Linux distributions:

CentOS 7
Debian 8 Jessie (new for Pike)
Fedora 25 (new for Pike)
openSUSE Leap 42.2+ (new for Pike)
Red Hat Enterprise Linux 7
SUSE Linux Enterprise 12 (new for Pike)
Ubuntu 14.04 Trusty
Ubuntu 16.04 Xenial

Any patches to the ansible-hardening role are tested against all of these operating systems (except RHEL 7 and SUSE Linux Enterprise). Support for openSUSE testing landed this week.

Work is underway to put the finishing touches on the master branch before the Pike release and we need your help!

If you have any of these operating systems deployed, please test the role on your systems! This is pre-release software, so it’s best to apply it only to a new server. Read the “Getting Started” documentation to get started with ansible-galaxy or git.

Photo credit: Wikipedia

Customize LDAP autocompletion format in Thunderbird

July 18, 2017 By Major Hayden Leave a Comment

Thunderbird can connect to an LDAP server and autocomplete email addresses as you type, but it needs some adjustment for some LDAP servers. One of the LDAP servers that I use regularly returns email addresses like this in the thunderbird interface:

username <firstname.lastname@domain.tld>

1	username <[email protected]>

The email address looks fine, but I’d much rather have the person’s full name instead of the username. Here’s what I’m looking for:

Firstname Lastname <firstname.lastname@domain.tld>

1	Firstname Lastname <[email protected]>

In older Thunderbird versions, setting ldap_2.servers.SERVER_NAME.autoComplete.nameFormat to displayName was enough. However, this option isn’t used in recent versions of Thunderbird.

Digging in

After a fair amount of searching the Thunderbird source code with awk, I found a mention of DisplayName in nsAbLDAPAutoCompleteSearch.js that looked promising:

      // Create a minimal map just for the display name and primary email.
      this._attributes =
        Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]
                  .createInstance(Components.interfaces.nsIAbLDAPAttributeMap);
      this._attributes.setAttributeList("DisplayName",
        this._book.attributeMap.getAttributeList("DisplayName", {}), true);
      this._attributes.setAttributeList("PrimaryEmail",
        this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);
    }

// Create a minimal map just for the display name and primary email.

this._attributes =

Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]

.createInstance(Components.interfaces.nsIAbLDAPAttributeMap);

this._attributes.setAttributeList("DisplayName",

this._book.attributeMap.getAttributeList("DisplayName", {}), true);

this._attributes.setAttributeList("PrimaryEmail",

this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);

}

Something is unusual here. The LDAP field is called displayName, but this attribute is called DisplayName (note the capitalization of the D). Just before that line, I see a lookup in an attributes map of some sort. There may be a configuration option that is called DisplayName.

In Thunderbird, I selected Edit > Preferences. I clicked the Advanced tab and then Config Editor. A quick search for DisplayName revealed an interesting configuration option:

ldap_2.servers.default.attrmap.DisplayName: cn,commonname

1	ldap_2.servers.default.attrmap.DisplayName: cn,commonname

Fixing it

That’s the problem! This needs to map to displayName in my case, and not cn,commonname (which returns a user’s username). There are two different ways to fix this:

# Change it for just one LDAP server
ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName
# Change it for all LDAP servers by default (careful)
ldap_2.servers.default.attrmap.DisplayName: displayName

# Change it for just one LDAP server

ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName

# Change it for all LDAP servers by default (careful)

ldap_2.servers.default.attrmap.DisplayName: displayName

After making the change, quit Thunderbird and relaunch it. Compose a new email and start typing in the email address field. The user’s first and last name should appear!

Old role, new name: ansible-hardening

June 27, 2017 By Major Hayden 2 Comments

The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role. Some users were unsure if they needed to use the role in an OpenStack cloud or if the OpenStack-Ansible project was required.

The role works everywhere — OpenStack cloud or not. I started a mailing list thread on the topic and we eventually settled on a new name: ansible-hardening! The updated documentation is already available.

The old openstack-ansible-security role is being retired and it will not receive any additional updates. Moving to the new role is easy:

Install ansible-hardening with ansible-galaxy (or git clone)
Change your playbooks to use the ansible-hardening role

There’s no need to change any variable names or tags — they are all kept the same in the new role.

As always, if you have questions or comments about the role, drop by #openstack-ansible on Freenode IRC or open a bug in Launchpad.

Enable AppArmor on a Debian Jessie cloud image

May 24, 2017 By Major Hayden 2 Comments

I merged some initial Debian support into the openstack-ansible-security role and ran into an issue enabling AppArmor. The apparmor service failed to start and I found this output in the system journal:

kernel: AppArmor: AppArmor disabled by boot time parameter

1	kernel: AppArmor: AppArmor disabled by boot time parameter

Digging in

That was unexpected. I was using the Debian jessie cloud image and it uses extlinux as the bootloader. The file didn’t reference AppArmor at all:

# cat /boot/extlinux/extlinux.conf 
default linux
timeout 1
label linux
kernel boot/vmlinuz-3.16.0-4-amd64
append initrd=boot/initrd.img-3.16.0-4-amd64 root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet

# cat /boot/extlinux/extlinux.conf

default linux

timeout 1

label linux

kernel boot/vmlinuz-3.16.0-4-amd64

append initrd=boot/initrd.img-3.16.0-4-amd64 root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet

I learned that AppArmor is disabled by default in Debian unless you explicitly enable it. In contrast, SELinux is enabled unless you turn it off. To make matters worse, Debian’s cloud image doesn’t have any facilities or scripts to automatically update the extlinux configuration file when new kernels are installed.

Making a repeatable fix

My two goals here were to:

Ensure AppArmor is enabled on the next boot
Ensure that AppArmor remains enabled when new kernels are installed

The first step is to install grub2:

apt-get -y install grub2

1	apt-get -y install grub2

During the installation, a package configuration window will appear that asks about where grub should be installed. I selected /dev/vda from the list and waited for apt to finish the package installation.

The next step is to edit /etc/default/grub and add in the AppArmor configuration. Adjust the GRUB_CMDLINE_LINUX_DEFAULT line to look like the one below:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
GRUB_CMDLINE_LINUX=""

GRUB_DEFAULT=0

GRUB_TIMEOUT=5

GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

GRUB_CMDLINE_LINUX=""

Ensure that the required AppArmor packages are installed:

apt-get -y install apparmor apparmor-profiles apparmor-utils

1	apt-get -y install apparmor apparmor-profiles apparmor-utils

Enable the AppArmor service upon reboot:

systemctl enable apparmor

1	systemctl enable apparmor

Run update-grub and reboot. After the reboot, run apparmor_status and you should see lots of AppArmor profiles loaded:

# apparmor_status 
apparmor module is loaded.
38 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
35 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

# apparmor_status

apparmor module is loaded.

38 profiles are loaded.

3 profiles are in enforce mode.

/usr/lib/chromium-browser/chromium-browser//browser_java

/usr/lib/chromium-browser/chromium-browser//browser_openjdk

/usr/lib/chromium-browser/chromium-browser//sanitized_helper

35 profiles are in complain mode.

/sbin/klogd

/sbin/syslog-ng

/sbin/syslogd

/usr/lib/chromium-browser/chromium-browser

/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox

/usr/lib/chromium-browser/chromium-browser//lsb_release

/usr/lib/chromium-browser/chromium-browser//xdgsettings

/usr/lib/dovecot/anvil

/usr/lib/dovecot/auth

/usr/lib/dovecot/config

/usr/lib/dovecot/deliver

/usr/lib/dovecot/dict

/usr/lib/dovecot/dovecot-auth

/usr/lib/dovecot/dovecot-lda

/usr/lib/dovecot/imap

/usr/lib/dovecot/imap-login

/usr/lib/dovecot/lmtp

/usr/lib/dovecot/log

/usr/lib/dovecot/managesieve

/usr/lib/dovecot/managesieve-login

/usr/lib/dovecot/pop3

/usr/lib/dovecot/pop3-login

/usr/lib/dovecot/ssl-params

/usr/sbin/avahi-daemon

/usr/sbin/dnsmasq

/usr/sbin/dovecot

/usr/sbin/identd

/usr/sbin/mdnsd

/usr/sbin/nmbd

/usr/sbin/nscd

/usr/sbin/smbd

/usr/sbin/smbldap-useradd

/usr/sbin/smbldap-useradd///etc/init.d/nscd

/usr/{sbin/traceroute,bin/traceroute.db}

/{usr/,}bin/ping

0 processes have profiles defined.

0 processes are in enforce mode.

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.

Final thoughts

I’m still unsure about why AppArmor is disabled by default. There aren’t that many profiles shipped by default (38 on my freshly installed jessie system versus 417 SELinux policies in Fedora 25) and many of them affect services that wouldn’t cause significant disruptions on the system.

There is a discussion that ended last year around how to automate the AppArmor enablement process when the AppArmor packages are installed. This would be a great first step to make the process easier, but it would probably make more sense to take the step of enabling it by default.

Photo credit: Max Pixel