Get to know Linux: AppArmor

You’ve heard that Linux is a very secure operating system. You’ve heard it’s practically immune to viruses (practically being the key word). You’ve heard it’s tough to crack. These are all true…and with good reason. Linux is such a strong operating system for two primary reasons – by design and with the help of security systems like AppArmor and SELinux.

But what is AppArmor? AppArmor is a security module implementation of name-based access controls. In other words, AppArmor protects your system against the exploitation of program flaws and compromises. This protection is done via profiles that will set a program to either “complain” or “enforce” against wrong doing.

In this article I will show you how to install AppArmor and how to use it to set an application in either “complain” or “enforce” mode.

Installation

The installation of AppArmor is simple:

Open up Synaptic (or your favorite package manager).Search for “apparmor” (no quotes).Select apparmor for installation (make sure apparmor-utils and apparmor-profiles are installed as well).Click Apply to install.

That’s it. You are now ready to start working with AppArmor.

Usage

AppArmor is a command-line only tool. It uses two particular commands for setting an application to either “complain” (aa-complain) or “enforce” (aa-enforce). There is also one other tool that is useful – apparmor_status. Let’s take a look at that command first.

You want to know the current status of AppArmor and what applications are currently in what mode. To find this out issue the command sudo apparmor_status. You should see listings similar to:

32 profiles are loaded.
12 profiles are in enforce mode.
/sbin/dhclient3
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
…
20 profiles are in complain mode.
/bin/ping
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
…

NOTE: I truncated the output to save space.

As you can see there are already certain applications in complain mode and certain applications in enforce mode. But what are these “modes”? Simple “complain” mode will log violations against the applications profile, whereas “enforce” will strictly enforce the applications profile. But what are (and where are) the profiles? You will find profiles for applications in /etc/apparmor.d. Each profile has its own settings, but all of them will have some unique characteristics. For example, with AppArmor you can define that an application have access to it’s configuration files using the “r” switch as in the /etc/apparmor.d/usr.sbin.dovecot profile line:

/etc/dovecot/** r

Creating a profile is a bit beyond the scope of this article (we’ll revisit this topic later).

Now, let’s change an application from complain to enforce. Look back at our apparmor_status output. Let’s switch the dovecot application from complain to enforce. To do this we use the aa-enforce command like so:

sudo aa-enforce /usr/sbin/dovecot

When you issue this command you will see the results appear immediately:

Setting /usr/sbin/dovecot to enforce mode.

To switch a command from enforce to complain you use the aa-complain command like so:

sudo aa-complain /usr/sbin/dovecot

Which will return the results:

Setting /usr/sbin/dovecot to complain mode.

You can run apparmor_status after you make changes to your applications to make sure the changes remain.

Final thoughts

AppArmor is a crucial piece of the Linux security puzzle. Without this application it would be much easier to exploit the weaknesses in numerous applications. As a Linux administrator, you owe it to yourself to further your knowledge of this tool. Later we will revisit AppArmor and create/edit profiles for applications.

Related News:

Details :
Submited at Wednesday, March 24th, 2010 at 1:00 pm on Technologies by nuterman
Comment RSS 2.0 - leave a comment - trackback

Leave Comment Here...

Translation

Tag clouds

404 Not Found

Get to know Linux: AppArmor

Related News: