Apparmor


• A Linux Security Module (LSM) for mandatory access control: each confined program gets a profile listing the files, capabilities and network access it is allowed
• Included in Ubuntu and in Debian 10 and later

Install



apt install apparmor apparmor-utils     # core plus the aa-* tools (aa-status, aa-genprof, aa-logprof, ...)
apt install apparmor-profiles           # additional ready-made profiles


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Activate Apparmor on Start-up



sudo nano /etc/default/grub

# Change the line  GRUB_CMDLINE_LINUX_DEFAULT="quiet"  to the following
# (these kernel parameters select AppArmor as the active LSM at boot):
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

sudo update-grub
sudo reboot


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check status



systemctl status apparmor

sudo aa-status              # requires apparmor-utils
# or
sudo apparmor_status


• List the programs which have no associated profile and which expose an open network socket

aa-unconfined               # requires apparmor-utils


• List running processes which are currently confined by AppArmor (the Z option adds the confinement label column; unconfined processes are filtered out)

ps auxZ | grep -v '^unconfined'
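As an added example (not part of these notes), a small POSIX shell script that reads the same kernel interfaces aa-status itself uses, so the check also works where apparmor-utils is not installed. The two paths are the real sysfs/securityfs locations; the AA_ENABLED_FILE and AA_PROFILES_FILE variables and the function names are this example's own, and exist so the functions can be pointed at copies of those files for testing. Reading the profile list under securityfs requires root.

```shell
#!/bin/sh
# Added example: summarize AppArmor state from the kernel interfaces that
# aa-status itself reads. Works without apparmor-utils; the profile list
# under securityfs is readable by root only.
AA_ENABLED_FILE="${AA_ENABLED_FILE:-/sys/module/apparmor/parameters/enabled}"
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Print Y when the file given as $1 reads "Y" (module loaded and enabled),
# N when it reads anything else or cannot be read (module absent, no access).
aa_enabled() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]; then
        echo Y
    else
        echo N
    fi
}

# Count the profiles in mode $2 (enforce, complain, ...) in the listing $1.
# Each line of the listing has the form:  /usr/sbin/apache2 (enforce)
# Sub-profiles appear as  /usr/sbin/apache2//DEFAULT_URI (enforce)  and count too.
aa_count_mode() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c " ($2)\$" "$1" || true
}

# Print the names of the profiles in mode $2, one per line.
aa_list_mode() {
    [ -r "$1" ] || return 0
    sed -n "s/ ($2)\$//p" "$1"
}

aa_summary() {
    echo "apparmor enabled:  $(aa_enabled "$AA_ENABLED_FILE")"
    echo "profiles enforce:  $(aa_count_mode "$AA_PROFILES_FILE" enforce)"
    echo "profiles complain: $(aa_count_mode "$AA_PROFILES_FILE" complain)"
    # Profiles left in complain mode deserve a look: they log but do not block.
    aa_list_mode "$AA_PROFILES_FILE" complain | sed 's/^/  complain: /'
}

aa_summary
```

Run it as root on a real host to get the same enforce/complain figures aa-status prints; as an unprivileged user it reports N and 0 rather than failing, which is the behaviour you want from a check that runs from cron or a monitoring agent.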


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enable/ Disable AppArmor



# Enable at boot and start the service (loads the profiles under /etc/apparmor.d)
systemctl enable apparmor
systemctl start apparmor

# Disable at boot; profiles already loaded stay in the kernel until reboot.
# To turn AppArmor off completely, also remove apparmor=1 security=apparmor
# from the kernel command line (see "Activate Apparmor on Start-up")
systemctl disable apparmor


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Load and Unload a Profile



# Unload the profile (-R = remove it from the kernel)
apparmor_parser -R /path/to/profile

# Load a profile (-r = replace/reload if already loaded, -W = write the binary cache)
apparmor_parser -r -W /path/to/profile


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create a Profile


• Requires package “apparmor-utils”

sudo aa-genprof <executable_name>


# Example
# Terminal #1: start the profile generator; it puts apache2 in complain mode
# and watches the log for everything the program does
sudo aa-genprof apache2

# Terminal #2: exercise the application as completely as you can
sudo service apache2 stop        # shut down apache
sudo service apache2 restart
# Refresh the webpage and browse wp-admin

# Back in terminal #1 choose (S)can to read the logged events
# You will be asked a series of questions granting access to files: choose (A)llow / (D)eny / (G)lob ...
# Then (S)ave changes and (F)inish


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Assign Operating Mode to Profile Created



• There are 3 operating modes:
◇ Enforce (default)
▪ Denies every action the profile does not allow (without asking) and logs it
▪ May break the site if the profile is incomplete

◇ Complain
▪ Logs what would have been denied but still allows it; aa-logprof then walks through the logged events and prompts us to fix the profile

◇ Unconfined
▪ No profile applied; the program runs without AppArmor restrictions

# To test out the new profile, assign it to complain mode
aa-complain apache2

# Any activity not covered by the profile is now logged instead of blocked;
# run aa-logprof to be prompted for each of these events


Courses of action (the choices offered by aa-genprof / aa-logprof)
• Inherit: Creates a rule denoted by “ix” within the profile; the executed binary inherits the permissions of the parent profile.
• Child: Creates a rule denoted by “Cx” within the profile; requires a sub-profile to be created within the parent profile, and rules must be generated separately for this child (prompts will appear when running scans on the parent).
• Deny: Creates a rule that AppArmor prepends with “deny” at the start of the line within the profile; the parent's access to the resource is denied.
• Abort: Exits the AppArmor tool without saving any changes.
• Finish: Exits the AppArmor tool but WILL save changes.

# After testing, put profile to enforce mode
aa-enforce apache2


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logging



# Walk through the AppArmor events in the log and update the profiles interactively
sudo aa-logprof
# or watch the raw messages: without auditd they go to the kernel log
# (/var/log/syslog or /var/log/kern.log), with auditd to /var/log/audit/audit.log
tail -f /var/log/syslog
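Complain mode and aa-logprof both work from the kernel's audit records, so it helps to know what those look like. The script below is an added example, not part of these notes or of the AppArmor tools: it pulls the apparmor="DENIED" records out of a syslog-style file and counts them per profile, which tells you which profile to fix next. The log lines it reads are constructed for the example (host name, timestamps and pids are made up); the field names it parses (operation, profile, name, denied_mask) are the ones the kernel emits, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pull AppArmor denials out of a syslog-style log and summarize
# them per profile, i.e. the raw material that aa-logprof walks you through.
# Without auditd the records land in /var/log/syslog or /var/log/kern.log;
# with auditd running they go to /var/log/audit/audit.log instead.

# Constructed sample log (made-up host, times and pids), written to a temp file.
SAMPLE_LOG="${TMPDIR:-/tmp}/aa_sample_syslog.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 web kernel: [ 1234.567890] audit: type=1400 audit(1677838501.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Mar  3 10:15:02 web kernel: [ 1235.001000] audit: type=1400 audit(1677838502.001:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/wp-admin/index.php" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
Mar  3 10:15:03 web kernel: [ 1236.220000] audit: type=1400 audit(1677838503.220:47): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/wp-content/uploads/.htaccess" pid=1235 comm="apache2" requested_mask="w" denied_mask="w" fsuid=33 ouid=33
Mar  3 10:15:04 web kernel: [ 1237.900000] audit: type=1400 audit(1677838504.900:48): apparmor="DENIED" operation="capable" profile="/usr/bin/man" pid=2001 comm="man" capability=2 capname="dac_read_search"
Mar  3 10:15:05 web systemd[1]: Started Session 7 of user admin.
EOF

# Value of key="value" in one audit record; empty when the key is absent
# (capability denials, for instance, carry no name= or denied_mask=).
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# One tab-separated line per DENIED record: profile, operation, name, denied_mask.
# ALLOWED records (what complain mode writes) and unrelated lines are skipped.
aa_denials() {
    grep 'apparmor="DENIED"' "$1" | while IFS= read -r line; do
        printf '%s\t%s\t%s\t%s\n' \
            "$(aa_field "$line" profile)" "$(aa_field "$line" operation)" \
            "$(aa_field "$line" name)" "$(aa_field "$line" denied_mask)"
    done
}

# Denial count per profile, busiest first.
aa_denials_per_profile() {
    aa_denials "$1" | cut -f1 | sort | uniq -c | sort -rn
}

aa_denials "$SAMPLE_LOG"
aa_denials_per_profile "$SAMPLE_LOG"
```

Point aa_denials at /var/log/syslog (or kern.log) on a host to get the same view over real events; the apache2 line denied write access to .htaccess is the kind of event you would then decide about in aa-logprof, and the /etc/shadow line is one you would leave denied.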


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config Files Location



/etc/apparmor.d/
# One file per profile, named after the binary's path with / replaced by . (e.g. usr.sbin.apache2)
# You may manually add wildcards (globs) to the paths in a profile:
#   *   matches any characters except /        (stays within one directory)
#   **  matches any characters including /     (crosses directories)
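As an added example, not a profile shipped with apparmor-profiles, the script below writes a small constructed apache2 profile that uses both glob forms and then lists the rules that rely on globs, flagging those that grant write or execute access across a whole directory tree, which is where a hand-written wildcard most often over-grants. The profile content and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a constructed profile using AppArmor globs, plus a review
# helper that lists glob rules and flags the broad ones (directory-spanning
# "**" with write or execute access). Not a profile from apparmor-profiles.
SAMPLE_PROFILE="${TMPDIR:-/tmp}/usr.sbin.apache2.example.$$"
trap 'rm -f "$SAMPLE_PROFILE"' EXIT
cat > "$SAMPLE_PROFILE" <<'EOF'
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,

  /usr/sbin/apache2 mr,
  # ** crosses directories: the whole config tree, read-only
  /etc/apache2/** r,
  /etc/mime.types r,
  /var/www/html/** r,
  # a writable tree is the kind of rule to justify explicitly
  /var/www/html/wp-content/uploads/** rw,
  # * stays within one directory: only the log files, not subdirectories
  /var/log/apache2/*.log w,
  /run/apache2/** rw,
  deny /etc/shadow r,
}
EOF

# Rules whose path contains a glob (* or **). Leading owner/audit/deny
# qualifiers are accepted; #include lines and comments are not rules.
aa_glob_rules() {
    grep -E '^[[:space:]]*((owner|audit|deny)[[:space:]]+)*/[^[:space:]]*\*' "$1" || true
}

# Subset of the glob rules where "**" spans directories and the mode grants
# write (w) or execute (x, as in ix/Px/Cx/Ux): review these first.
aa_broad_glob_rules() {
    aa_glob_rules "$1" | grep -E '\*\*[^[:space:]]*[[:space:]]+[[:alpha:]]*[wxWX]' || true
}

aa_glob_report() {
    echo "glob rules:  $(aa_glob_rules "$1" | grep -c .)"
    echo "broad globs: $(aa_broad_glob_rules "$1" | grep -c .)"
    aa_broad_glob_rules "$1" | sed 's/^/  review: /'
}

aa_glob_report "$SAMPLE_PROFILE"
```

Run aa_glob_report over a real file under /etc/apparmor.d to get the same listing; the read-only /etc/apache2/** and /var/www/html/** rules pass, while the two rw trees are reported for review.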


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Further Readings



https://wiki.debian.org/AppArmor/HowToUse
YouTube: How to Install and Configure Apparmor on Linux

