The basics of AppArmor

by Nicolas Schirrer on March 8, 2009

Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.

This is the exact description of AppArmor (from the Novell website), a great security tool included in Ubuntu since 04.2007. Even though it ships with every new install, it only confines CUPS out of the box… This can be changed very easily, and it should be, since AppArmor adds a whole new layer to your security cake. Let’s grab a bite, and see how it works.

Introduction

AppArmor allows you to control every application that has access to the Internet. For each such application you control which files and directories it may access, and which POSIX 1003.1e capabilities it may use. This is very, very powerful.

In the event an application contains a vulnerability that has not yet been addressed by a software update, AppArmor can prevent the intrusion from compromising the entire system by confining the application. In other words, it protects against a zero-day attack.

To achieve this, AppArmor uses a profile for each application/process it is asked to supervise. A profile is a simple text file that contains every restriction for an application, which means AppArmor will (with your help) generate a profile for each application you want to confine.

Each profile runs in one of two modes: complain or enforce.

In complain mode, AppArmor only reports violations and does not act to restrict the application. It can be considered a “passive mode”.

In enforce mode, AppArmor still logs violations, but the violating operation is denied and the application stays confined. This is indeed more of an “active mode”.

Violations are logged in /var/log/messages.

The basics

As mentioned before, AppArmor is installed by default with every new Ubuntu install, but only CUPS is profiled, and in complain mode. Obviously, we want to change this.

The very first thing you can do is install the apparmor-profiles package. This installs pre-configured profiles for the following applications:

usr.sbin.avahi-daemon, usr.sbin.nmbd, bin.ping, sbin.klogd, usr.sbin.nscd, sbin.syslogd, usr.sbin.dnsmasq, usr.sbin.ntpd, sbin.syslog-ng, usr.sbin.identd, usr.sbin.smbd, gdm-guest-session, usr.sbin.mdnsd, usr.sbin.traceroute

All of these profiles are activated in complain mode. To switch a single application to enforce mode, run:

$ sudo enforce /path/to/bin

If you’d like to set all profiles to enforce mode, enter:

$ sudo enforce /etc/apparmor.d/*

Your profiles are stored in /etc/apparmor.d.
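After switching profiles to enforce mode, it is worth checking that none were left behind in complain mode. The script below is an added example, not code from the original post or from the AppArmor project. It assumes the kernel lists loaded profiles in /sys/kernel/security/apparmor/profiles as one “name (mode)” line per profile, and falls back to a constructed snapshot when that file is not available.

```python
# Added example (not from the original post): report which loaded AppArmor
# profiles are still in complain mode.
# Assumption: securityfs exposes /sys/kernel/security/apparmor/profiles with
# one "<profile name> (<mode>)" line per loaded profile.
import re

PROFILES_FILE = "/sys/kernel/security/apparmor/profiles"

# Constructed snapshot of that file, as it might look after installing
# apparmor-profiles and enforcing only the ping profile.
SAMPLE_PROFILES = """\
/usr/sbin/cupsd (complain)
/bin/ping (enforce)
/usr/sbin/ntpd (complain)
/usr/lib/firefox-3.0.7/firefox.sh (complain)
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<mode>enforce|complain)\)$")


def parse_profile_modes(text):
    """Map each loaded profile name to its mode ('enforce' or 'complain')."""
    modes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            modes[m.group("name")] = m.group("mode")
    return modes


def still_complaining(text):
    """Sorted list of profiles that are loaded but not yet enforced."""
    return sorted(name for name, mode in parse_profile_modes(text).items()
                  if mode == "complain")


def read_live_profiles(path=PROFILES_FILE):
    """Read the real profiles file; None if AppArmor/securityfs is absent."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    text = read_live_profiles() or SAMPLE_PROFILES
    for name in still_complaining(text):
        print("still in complain mode:", name)
```

Run it as root on a live system to read the kernel's own list; without AppArmor it simply reports on the constructed snapshot.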

Creating new profiles

Generate or update a profile. When running, you must specify a program to profile. If the specified program is not an absolute path, genprof searches the $PATH variable. If a profile does not exist, genprof creates one using autodep.

This is an excerpt from the Novell documentation again. To use AppArmor to its full extent, we really should create profiles for additional applications. Basically, any application that has Internet access can be considered “risky”, and is eligible for AppArmor profiling.

To create a profile, we will use genprof, as follows (Firefox will be my – classical – example):

$ sudo genprof firefox

This generates a profile in /etc/apparmor.d/usr.lib.firefox-3.0.7.firefox.sh

This is only a basic step: it creates a profile for Firefox and places it in complain mode. That alone is not enough, and the next step is crucial: adjusting the profile to your needs.

This is a complex and thorough process. If you are willing to go through with this, I pass the torch to the – excellent – Novell documentation on profiling an application.
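To see what that adjustment involves, it helps to look at what the log from the “complain mode” and “enforce mode” sections above actually contains, and how the reported accesses turn into profile rules. The script below is an added example, not code from the original post or from the AppArmor project. It parses AppArmor audit messages as they appear in /var/log/messages, groups them per profile, drafts file rules from the complain-mode reports, and flags rules touching sensitive paths so that a human reviews them instead of accepting them blindly. It assumes the key="value" audit layout with the kernel's AppArmor record types (type=1502 for ALLOWED, logged in complain mode; type=1503 for DENIED, logged in enforce mode); the sample log is constructed.

```python
# Added example (not code from the original post or the AppArmor project).
# Parses AppArmor audit messages from a syslog file such as /var/log/messages,
# groups them per profile, and drafts the file rules a complain-mode run
# suggests, flagging the ones that deserve a second look.
# Assumptions: key="value" audit layout; kernel record types 1502 (ALLOWED,
# complain mode) and 1503 (DENIED, enforce mode); newer logs that carry an
# apparmor="ALLOWED"/"DENIED" field are handled the same way.
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RECORD_TYPES = {"1502": "ALLOWED", "1503": "DENIED"}
# Paths a desktop application has no business touching: a drafted rule for
# them is flagged for review instead of being copied into the profile.
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/gshadow", "/root/", "/etc/apparmor.d/")

# Constructed sample log: Firefox in complain mode, CUPS in enforce mode,
# plus one status record that the parser must ignore.
SAMPLE_LOG = """\
Mar  8 21:03:11 box kernel: type=1502 audit(1236546191.123:51): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/nico/.mozilla/firefox/profiles.ini" pid=4242 profile="/usr/lib/firefox-3.0.7/firefox.sh"
Mar  8 21:03:12 box kernel: type=1502 audit(1236546192.456:52): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=1000 name="/home/nico/.mozilla/firefox/places.sqlite" pid=4242 profile="/usr/lib/firefox-3.0.7/firefox.sh"
Mar  8 21:03:12 box kernel: type=1502 audit(1236546192.789:53): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/etc/shadow" pid=4242 profile="/usr/lib/firefox-3.0.7/firefox.sh"
Mar  8 21:05:40 box kernel: type=1503 audit(1236546340.001:60): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/cups/cupsd.conf" pid=3100 profile="/usr/sbin/cupsd"
Mar  8 21:05:41 box kernel: type=1505 audit(1236546341.002:61): operation="profile_replace" name="/usr/sbin/cupsd" pid=3105 profile="unconfined"
"""


def parse_event(line):
    """Return a dict for an ALLOWED/DENIED file event, or None for anything else."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    verdict = RECORD_TYPES.get(fields.get("type")) or fields.get("apparmor")
    if verdict not in ("ALLOWED", "DENIED") or "name" not in fields:
        return None  # status/hint records and unrelated syslog lines
    mask = fields.get("denied_mask") or fields.get("requested_mask") or ""
    return {
        "verdict": verdict,
        "profile": fields.get("profile", "?"),
        "path": fields["name"],
        # "r::" style masks carry separators; keep only the access letters
        "mask": "".join(sorted(set(c for c in mask if c.isalpha()))),
        "operation": fields.get("operation", "?"),
    }


def group_accesses(log_text):
    """{'ALLOWED'|'DENIED': {profile: {path: set(access letters)}}}"""
    seen = {"ALLOWED": defaultdict(lambda: defaultdict(set)),
            "DENIED": defaultdict(lambda: defaultdict(set))}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            seen[ev["verdict"]][ev["profile"]][ev["path"]].update(ev["mask"])
    return seen


def generalise_path(path):
    """Rewrite /home/<user>/... as @{HOME}/... (assumes tunables/home is included)."""
    return re.sub(r"^/home/[^/]+/", "@{HOME}/", path)


def draft_rules(log_text, profile):
    """(rule, flagged) pairs drafted from one profile's complain-mode reports."""
    accesses = group_accesses(log_text)["ALLOWED"].get(profile, {})
    rules = []
    for path in sorted(accesses):
        mask = "".join(sorted(accesses[path]))
        rule = "  %s %s," % (generalise_path(path), mask)
        rules.append((rule, path.startswith(SENSITIVE_PREFIXES)))
    return rules


if __name__ == "__main__":
    firefox = "/usr/lib/firefox-3.0.7/firefox.sh"
    for rule, flagged in draft_rules(SAMPLE_LOG, firefox):
        print(("REVIEW " if flagged else "       ") + rule)
    for profile, paths in group_accesses(SAMPLE_LOG)["DENIED"].items():
        for path, mask in paths.items():
            print("denied under enforcement: %s %s %s" % (profile, path, "".join(sorted(mask))))
```

This is essentially the bookkeeping genprof does for you interactively; the point of doing it by hand once is to see that a complain-mode log records everything the program did, including accesses you do not want to permit. A flagged line such as the /etc/shadow read above should be investigated, not added to the profile.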

If you would like to spot applications/processes that should be monitored by AppArmor, you can use the unconfined command, which outputs a list of processes with open UDP and/or TCP ports that don’t have an AppArmor profile yet.

$ sudo aa-unconfined

Do not forget to reload AppArmor after you have created/edited a profile:

$ /etc/init.d/apparmor restart

Conclusion

AppArmor is a really powerful tool. It can be deployed on client and server machines alike. It can be adapted precisely to suit your needs, one application at a time. And given its nature, it is a security tool that’s almost a must-have for any machine that should be heavily secured.

Further reading : 
