Getting started with AppArmor
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
AppArmor
App sandboxing comes standard in Ubuntu Linux
What is it
• not a proper MAC tool: it is meant for app sandboxing only
• cannot defend against root privilege escalation
• a module of LSM (Linux Security Modules)
• apparmor-utils: init scripts, a log parser for learning mode and a policy generator
Development timeline
• 1998 born at WireX as SubDomain
• 2005 bought by Novell and renamed AppArmor
• 2007 Novell stops development
• Ubuntu 7.10 released!
• 2009 Canonical takes over from Novell; the project is reborn
• 2016 still in development as an open-source project
Features
• enforce is not the default: no policy means unconfined!
• policy split into profiles: one profile per executable
• policy can be modified by hand in a text editor
• loads all profiles at startup (both complain and enforce)
• path-based ACL (for loaded profiles)
• notifications to the user via aa-notify
How it works
• uses LSM
• path-based profiles (saved in /etc/apparmor.d)
• each profile manages…
  • the paths the executable can access (with permissions)
  • the system capabilities the executable has
• complain mode to log (…and then learn)
• again: enforce is not the default; no policy means unconfined!
Out of the box
• comes preinstalled and active since Ubuntu 7.10
• by default some profiles are already in enforce mode, others in complain

Defaults in Ubuntu 16.04 after installation:

    root@vm1:/home/francesco# aa-status
    apparmor module is loaded.
    21 profiles are loaded.
    21 profiles are in enforce mode.
    /sbin/dhclient
    /usr/bin/evince
    /usr/bin/evince-previewer
    /usr/bin/evince-previewer//sanitized_helper
    /usr/bin/evince-thumbnailer
    /usr/bin/evince-thumbnailer//sanitized_helper
    /usr/bin/evince//sanitized_helper
    /usr/bin/ubuntu-core-launcher
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/lib/NetworkManager/nm-dhcp-helper
    /usr/lib/connman/scripts/dhclient-script
    /usr/lib/cups/backend/cups-pdf
    /usr/lib/lightdm/lightdm-guest-session
    /usr/lib/lightdm/lightdm-guest-session//chromium
    /usr/sbin/cups-browsed
    /usr/sbin/cupsd
    /usr/sbin/cupsd//third_party
    /usr/sbin/ippusbxd
    /usr/sbin/tcpdump
    webbrowser-app
    webbrowser-app//oxide_helper
    0 profiles are in complain mode.
    0 processes are unconfined but have a profile defined.
Installation
• sudo apt-get install …
  • apparmor, the system itself
  • apparmor-utils, the management utilities
  • apparmor-profiles, additional profiles
  • (optional) apparmor-notify, for a desktop notification upon an attempted violation
  • auditd, not part of AppArmor but needed for the logs
Usage
• aa-status to see what is active and what is not
• aa-genprof to scaffold an (empty) profile for an executable
• aa-logprof to generate policy out of the log (learning mode)
  • e.g. aa-logprof -f /var/log/audit/audit.log
• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)
• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
• apparmor_parser -R /etc/apparmor.d/profile.name to unload a profile from the kernel (it is ignored until reloaded)
• apparmor_parser -r /etc/apparmor.d/profile.name to (re)load it
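The learning-mode step above (aa-complain, then aa-logprof over audit.log) is what turns logged accesses into rules. The following is an added example, not the aa-logprof source: a small non-interactive sketch of that conversion over a handful of constructed audit.log lines (the pids, timestamps and paths are made up). It keeps both complain-mode events (apparmor="ALLOWED") and enforce-mode denials (apparmor="DENIED"), collapses duplicates, turns capability denials into capability rules, and refuses to guess an exec mode, since the log says only that an execute was requested, not whether the policy should grant ix, px or ux.

```python
"""Candidate AppArmor rules from audit events (added example, not aa-logprof)."""
import re
from collections import defaultdict

# key="quoted value" or key=bareword, as auditd writes them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Mask letters from denied_mask/requested_mask mapped to the rule letters on the
# Permissions slide; create ('c') and append ('a') are covered by a 'w' rule.
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "a": "w", "m": "m", "l": "l"}
RULE_LETTER_ORDER = "rwml"

# Constructed sample lines in audit.log format (not captured from a real host)
SAMPLE_LOG = """\
type=AVC msg=audit(1465819200.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd/banned_emails" pid=1234 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465819200.124:457): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd/banned_emails" pid=1235 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465819201.000:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1234 comm="vsftpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1465819202.000:459): apparmor="DENIED" operation="capable" profile="/usr/sbin/vsftpd" pid=1234 comm="vsftpd" capability=10  capname="net_bind_service"
type=AVC msg=audit(1465819203.000:460): apparmor="DENIED" operation="exec" profile="/usr/sbin/vsftpd" name="/bin/sh" pid=1236 comm="vsftpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1465819204.000:461): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/vsftpd" pid=999 comm="apparmor_parser"
type=SYSCALL msg=audit(1465819204.001:462): arch=c000003e syscall=2 success=no exit=-13
"""


def parse_event(line):
    """Return the fields of one AppArmor AVC line that carries an access decision, else None."""
    if not line.startswith("type=AVC"):
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None  # STATUS lines (profile loads) are not access decisions
    return fields


def rule_for(event):
    """Map one event to (rule_text, needs_review); comment lines need a human decision."""
    operation = event.get("operation", "")
    if operation == "capable":
        return f"capability {event['capname']},", False
    if "name" not in event:
        return f"# {operation} by {event['profile']}: no path logged, review manually", True
    mask = event.get("denied_mask") or event.get("requested_mask", "")
    if not mask:
        return f"# {event['name']}: no mask logged, review manually", True
    if "x" in mask:
        # the log records an execute request but not which exec mode the policy should grant
        return f"# exec of {event['name']}: choose ix, px or ux manually", True
    letters = {MASK_TO_RULE.get(ch) for ch in mask}
    if None in letters:
        return f"# {event['name']}: unhandled mask {mask!r}, review manually", True
    perms = "".join(ch for ch in RULE_LETTER_ORDER if ch in letters)
    return f"{event['name']} {perms},", False


def suggest_rules(log_text):
    """Candidate rules per profile, de-duplicated and sorted."""
    per_profile = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        rule, _needs_review = rule_for(event)
        per_profile[event["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in per_profile.items()}


def render_fragment(profile, rules):
    """Lay the rules out as a block in the /etc/apparmor.d profile syntax."""
    body = "\n".join(f"  {rule}" for rule in rules)
    return f"{profile} {{\n{body}\n}}\n"


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(render_fragment(profile, rules))
```

Two things the real tool adds that this sketch deliberately does not: it offers to generalise literal paths into globs, and it asks which exec mode to grant. Both are judgement calls; a rule generated blindly from a complain-mode log simply whitelists whatever the program happened to do while you watched it.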
Policy example (for vsftpd)

    #include <tunables/global>
    /usr/sbin/vsftpd {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/authentication>
      /dev/urandom r,
      /etc/fstab r,
      /etc/hosts.allow r,
      /etc/hosts.deny r,
      /etc/mtab r,
      /etc/shells r,
      /etc/vsftpd.* r,
      /etc/vsftpd/* r,
      /usr/sbin/vsftpd rmix,
      /var/log/vsftpd.log w,
      /var/log/xferlog w,
      # anon chroots
      / r,
      /pub r,
      /pub/** r,
      @{HOMEDIRS} r,
      @{HOME}/** rwl,
    }

Things to notice in the example:
• #include pulls in rules from other pre-defined files
• each rule is a path followed by its permissions
• wildcards (*, **) and variables (@{HOME}, @{HOMEDIRS}) in the paths
Permissions
• r read
• w write
• ux unconfined execute
• Ux unconfined execute, scrubbing the environment
• px discrete profile execute
• Px discrete profile execute, scrubbing the environment
• ix inherit execute
• m allow PROT_EXEC with mmap calls
• l link
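To see how the vsftpd policy and the permission letters fit together, here is an added example (my code, not AppArmor's matcher) that models the path-based ACL from the two slides above: it parses the rule lines of a profile, substitutes the @{...} variables that tunables/global would normally provide (here a constructed table, since the real file is not on the page), applies AppArmor's globbing (a single * never crosses a /, ** does, ? is one character), decodes mode strings such as rmix into their letters, and answers "may this profile do X to path Y". The embedded profile is a trimmed copy of the slide's vsftpd policy; #include lines are skipped, so rules that come from abstractions are not seen, and deny rules are not modelled.

```python
"""Checking a path against AppArmor profile rules (added example, simplified model)."""
import re

# Constructed stand-in for #include <tunables/global>; the values are assumptions
TUNABLES = {"HOME": "/home/francesco", "HOMEDIRS": "/home/"}

# Permission letters from the Permissions slide
PERMISSION_NAMES = {
    "r": "read", "w": "write", "l": "link", "m": "allow PROT_EXEC with mmap",
    "ux": "unconfined execute", "Ux": "unconfined execute, scrub environment",
    "px": "discrete profile execute", "Px": "discrete profile execute, scrub environment",
    "ix": "inherit execute",
}
EXEC_PREFIXES = set("uUpPi")                     # two-letter modes: prefix + 'x'
RULE_RE = re.compile(r"^(?P<path>[^\s#]\S*)\s+(?P<perms>[A-Za-z]+)\s*,$")

# Trimmed copy of the slide's vsftpd policy, embedded so the example runs offline
VSFTPD_PROFILE = """\
#include <tunables/global>
/usr/sbin/vsftpd {
  #include <abstractions/base>
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}
"""


def tokenize_perms(perms):
    """Split a mode string such as 'rmix' into ['r', 'm', 'ix']; reject unknown letters."""
    tokens, i = [], 0
    while i < len(perms):
        ch = perms[i]
        if ch in EXEC_PREFIXES:
            if perms[i + 1:i + 2] != "x":
                raise ValueError(f"execute mode {ch!r} must be followed by 'x' in {perms!r}")
            tokens.append(ch + "x")
            i += 2
        elif ch in PERMISSION_NAMES:
            tokens.append(ch)
            i += 1
        else:
            raise ValueError(f"unknown permission {ch!r} in {perms!r}")
    return tokens


def expand_vars(path):
    """Replace @{NAME} with its tunable value."""
    return re.sub(r"@\{(\w+)\}", lambda m: TUNABLES[m.group(1)], path)


def glob_to_regex(pattern):
    """AppArmor globbing: '*' never crosses '/', '**' does, '?' is one non-'/' character."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and pattern[i + 1:i + 2] == "*":
            out.append(".*")
            i += 2
            continue
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Return (profile name, [(regex, expanded pattern, frozenset of perms), ...])."""
    name, rules, in_body = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and #include lines are skipped
            continue
        if line.endswith("{"):
            name, in_body = line[:-1].strip(), True
            continue
        if line == "}":
            in_body = False
            continue
        m = RULE_RE.match(line)
        if not in_body or not m:
            raise ValueError(f"unparsed line: {raw!r}")
        pattern = expand_vars(m.group("path"))
        rules.append((glob_to_regex(pattern), pattern, frozenset(tokenize_perms(m.group("perms")))))
    return name, rules


def permissions_for(rules, path):
    """Union of the permissions of every rule that matches the path (allow rules accumulate)."""
    granted = set()
    for regex, _pattern, perms in rules:
        if regex.match(path):
            granted |= perms
    return granted


def is_allowed(rules, path, perm):
    return perm in permissions_for(rules, path)


if __name__ == "__main__":
    name, rules = parse_profile(VSFTPD_PROFILE)
    for path, perm in [("/pub/docs/readme.txt", "r"), ("/pub/docs/readme.txt", "w"),
                       ("/etc/vsftpd/sub/extra.conf", "r"), ("/home/francesco/upload.bin", "w")]:
        verdict = "allowed" if is_allowed(rules, path, perm) else "denied"
        print(f"{name}: {PERMISSION_NAMES[perm]} on {path}: {verdict}")
```

The cases worth trying are the ones where the two wildcards differ: /etc/vsftpd/* covers /etc/vsftpd/user_list but not /etc/vsftpd/sub/extra.conf, while /pub/** covers any depth under /pub. Mode strings are also a common source of mistakes; tokenize_perms rejects a bare x, because every execute permission on the slide is two letters (ix, px, Px, ux, Ux).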
The good
• friendly management tools
• policies easy to maintain
• using audit.log and aa-logprof
• integrates with audit
• decent logs
• integrates with Ubuntu system notifications
The bad
• basic enforcement (e.g. it can't limit access to a range of TCP ports)
• useless against root privilege escalation (it can be disabled or removed!)
• no memory protection
• buggy utilities (learning mode often not working)
Resources
• Official wiki (wiki.apparmor.net/)
• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)
• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
• irc.oftc.net #apparmor
• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
Questions?
Thank you!