Get to know Linux: AppArmor
You've heard that Linux is a very secure operating system. You've heard it's practically immune to viruses (practically being the key word). You've heard it's tough to crack. These are all true...and with good reason. Linux is such a strong operating system for two primary reasons - by design and with the help of security systems like AppArmor and SELinux.
But what is AppArmor? AppArmor is a security module implementation of name-based access controls. In other words, AppArmor protects your system against the exploitation of program flaws and compromises. This protection is done via profiles that will set a program to either "complain" or "enforce" against wrong doing.
In this article I will show you how to install AppArmor and how to use it to set an application in either "complain" or "enforce" mode.
Installation
The installation of AppArmor is simple:
- Open up Synaptic (or your favorite package manager).
- Search for "apparmor" (no quotes).
- Select apparmor for installation (make sure apparmor-utils and apparmor-profiles are installed as well).
- Click Apply to install.
That's it. You are now ready to begin working with AppArmor.
Usage
AppArmor is a command-line only tool. It uses two particular commands for setting an application to either "complain" (aa-complain) or "enforce" (aa-enforce). There is also one other tool that is useful - apparmor_status. Let's take a look at that command first.
You want to know the current status of AppArmor and what applications are currently in what mode. To find this out issue the command sudo apparmor_status. You should see listings similar to:
32 profiles are loaded.
12 profiles are in enforce mode.
/sbin/dhclient3
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
...
20 profiles are in complain mode.
/bin/ping
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
...
NOTE: I truncated the output to save space.
As you can see there are already certain applications in complain mode and certain applications in enforce mode. But what are these "modes"? Simple "complain" mode will log violations against the applications profile, whereas "enforce" will strictly enforce the applications profile. But what are (and where are) the profiles? You will find profiles for applications in /etc/apparmor.d. Each profile has its own settings, but all of them will have some unique characteristics. For example, with AppArmor you can define that an application have access to it's configuration files using the "r" switch as in the /etc/apparmor.d/usr.sbin.dovecot profile line:
/etc/dovecot/** r
Creating a profile is a bit beyond the scope of this article (we'll revisit this topic later).
Now, let's change an application from complain to enforce. Look back at our apparmor_status output. Let's switch the dovecot application from complain to enforce. To do this we use the aa-enforce command like so:
sudo aa-enforce /usr/sbin/dovecot
When you issue this command you will see the results appear immediately:
Setting /usr/sbin/dovecot to enforce mode.
To switch a command from enforce to complain you use the aa-complain command like so:
sudo aa-complain /usr/sbin/dovecot
Which will return the results:
Setting /usr/sbin/dovecot to complain mode.
You can run apparmor_status after you make changes to your applications to make sure the changes remain.
Final thoughts
AppArmor is a crucial piece of the Linux security puzzle. Without this application it would be much easier to exploit the weaknesses in numerous applications. As a Linux administrator, you owe it to yourself to further your knowledge of this tool. Later we will revisit AppArmor and create/edit profiles for applications.
Advertisement
Hi, Joe, I’m pretty damned good with security and even I’ve had boxes hacked. Doing what you’re supposed to security-wise is only half the battle, the rest is an unrelenting paranoia about system/network security.
I agree with Stef, this article seems more of a how to manual rather than explaining in-depth how to best use apparmor or examples of how it accomplishes its security magic. So not much use to anyone who is seeking a better understanding of linux security.
Well, this is a short description of how to use apparmor, not what it does. And to really know it, you have to know what is does in my opinion. So this article lacks that.
Let me guess, you run your system on root ?
Over past 13 years I never needed anything as far as the security, you just got to know how to lock it down and not leave nix* running as it came installed.
You’ve been extremely lucky then. Nobody is perfect. You WILL make mistakes. You WILL have apps on your system that have unpublished but exploited security issues. And if you stay connected to the Internet long enough, you WILL be rooted.
I’m pretty damned good with security and even I’ve had boxes hacked. Doing what you’re supposed to security-wise is only half the battle, the rest is an unrelenting paranoia about system/network security.
If he was root, he wouldn’t need to use sudo. However, many daemons run with elevated permissions that could face an attack outside userspace. Just a thought.