Jaime Frutos Morales's blog

27/08/2009

How to install and configure AppArmor in Ubuntu Server 9.04

Filed under: SysAdmin, Ubuntu — acidborg @ 11:42

Description: “AppArmor (“Application Armor”) is security software for Linux, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program’s typical behavior.

AppArmor is implemented using the Linux Security Modules kernel interface.

AppArmor was created in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain.[1] Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux.[2] They also claim that AppArmor requires fewer modifications to work with existing systems: for example, SELinux requires a filesystem that supports “security labels”, and thus cannot provide access control for files mounted via NFS. AppArmor is file-system agnostic.”

Installation: Run this command to install it: apt-get install apparmor-profiles apparmor-utils

Configuration (all processes in enforce mode):

  • To show AppArmor’s status use this command: aa-status
  • Output example:

    apparmor module is loaded.
    18 profiles are loaded.
    6 profiles are in enforce mode.
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/sbin/avahi-daemon
    /usr/lib/connman/scripts/dhclient-script
    /usr/sbin/tcpdump
    /sbin/dhclient3
    /sbin/dhclient-script
    12 profiles are in complain mode.
    /usr/sbin/traceroute
    /bin/ping
    /usr/sbin/mdnsd
    /usr/sbin/ntpd
    /usr/sbin/identd
    /usr/sbin/nmbd
    /usr/sbin/dnsmasq
    /sbin/klogd
    /usr/sbin/smbd
    /sbin/syslogd
    /sbin/syslog-ng
    /usr/sbin/nscd
    2 processes have profiles defined.
    0 processes are in enforce mode :
    0 processes are in complain mode.
    2 processes are unconfined but have a profile defined.
    /sbin/klogd (2100)
    /sbin/syslogd (2080)

  • To set all available AppArmor profiles to enforce mode, use this command: aa-enforce /etc/apparmor.d/*
  • Output example:

    Setting /etc/apparmor.d/bin.ping to enforce mode.
    Setting /etc/apparmor.d/sbin.dhclient3 to enforce mode.
    Setting /etc/apparmor.d/sbin.klogd to enforce mode.
    Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
    Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.identd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.ntpd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.

  • Execute aa-status again to check the changes:
  • Output example:

    apparmor module is loaded.
    18 profiles are loaded.
    18 profiles are in enforce mode.
    /usr/sbin/traceroute
    /bin/ping
    /usr/sbin/mdnsd
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/sbin/avahi-daemon
    /usr/lib/connman/scripts/dhclient-script
    /usr/sbin/ntpd
    /usr/sbin/identd
    /usr/sbin/tcpdump
    /usr/sbin/nmbd
    /usr/sbin/dnsmasq
    /sbin/klogd
    /usr/sbin/smbd
    /sbin/syslogd
    /sbin/syslog-ng
    /usr/sbin/nscd
    /sbin/dhclient3
    /sbin/dhclient-script
    0 profiles are in complain mode.
    2 processes have profiles defined.
    0 processes are in enforce mode :
    0 processes are in complain mode.
    2 processes are unconfined but have a profile defined.
    /sbin/klogd (2100)
    /sbin/syslogd (2080)

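  • Restart the processes that are unconfined but have a profile defined. A profile is only applied when a program starts, so processes that were already running stay unconfined until they are restarted. Following my example, these commands should be run:

    /etc/init.d/klogd restart
    /etc/init.d/sysklogd restart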

  • Finally, execute aa-status again and make sure all processes with a defined profile are in enforce mode:
  • Output example:

    apparmor module is loaded.
    18 profiles are loaded.
    18 profiles are in enforce mode.
    /usr/sbin/traceroute
    /bin/ping
    /usr/sbin/mdnsd
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/sbin/avahi-daemon
    /usr/lib/connman/scripts/dhclient-script
    /usr/sbin/ntpd
    /usr/sbin/identd
    /usr/sbin/tcpdump
    /usr/sbin/nmbd
    /usr/sbin/dnsmasq
    /sbin/klogd
    /usr/sbin/smbd
    /sbin/syslogd
    /sbin/syslog-ng
    /usr/sbin/nscd
    /sbin/dhclient3
    /sbin/dhclient-script
    0 profiles are in complain mode.
    2 processes have profiles defined.
    2 processes are in enforce mode :
    /sbin/syslogd (24416)
    /sbin/klogd (24147)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
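
The final check above can be scripted. The following is an added example, not part of the original post: it parses aa-status text output and reports any profile still in complain mode and any process that is unconfined but has a profile defined. The function names (aa_section, aa_audit, sample_status) are hypothetical and the sample input is constructed, shortened from the first listing on this page.

```shell
#!/bin/sh
# Added example: audit aa-status output for anything that is not enforced.

# Print the entries listed under one aa-status section header.
# $1 = phrase identifying the header; stdin = aa-status output.
aa_section() {
    awk -v want="$1" '
        /^[0-9]+ (profiles|processes) / { in_sec = (index($0, want) > 0); next }
        in_sec && /^[ \t]*\// { sub(/^[ \t]+/, ""); print }
    '
}

# Read aa-status output on stdin; list findings and return 1 if there are any.
aa_audit() {
    input=$(cat)
    findings=$(
        printf '%s\n' "$input" | aa_section 'profiles are in complain mode' | sed 's/^/complain   /'
        printf '%s\n' "$input" | aa_section 'processes are unconfined but have a profile defined' | sed 's/^/unconfined /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input (not captured from a real system).
sample_status() {
    cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/tcpdump
   /sbin/dhclient3
2 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
1 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /sbin/klogd (2100)
EOF
}

sample_status | aa_audit || echo "not fully enforced"
# On a live system, as root: aa-status | aa_audit
```

A non-zero return from aa_audit makes it usable as a gate in a provisioning script or a monitoring check.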
