SlideShare a Scribd company logo
1 of 14
Download to read offline
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
AppArmor
App sandboxing comes standard in Ubuntu Linux
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
What is
• it’s not a proper MAC tool
• just meant for app sandboxing
• can’t defend against root privilege escalation
• module of LSM
• apparmor-utils
• init scripts, log parser for learning mode, policy
generator
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Development timeline
• 1998 born from WireX as subdomain
• 2005 bought by Novell and renamed as AppArmor
• 2007 Novell stops development
• Ubuntu 7.10 released!
• 2009 Canonical takes over Novell, it reborn
• 2016 still in development as open-source project
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Features
• enforce is not default. no policy means unconfined!
• policy split in profiles: one profile per executable
• policy can be modified by hand in text editors
• loads all profiles at startup (both complain and enforce)
• path-based ACL (for loaded profiles)
• notifications to the user via aa-notify
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
How it works
• uses LSM
• path-based profiles (save in /etc/apparmor.d)
• each profile manages…
• accessible paths (permissions)
• system capabilities the executable has
• complain mode to log (…and then learn)
• again: enforce is not default. no policy means unconfined!
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Out of the box
• Comes preinstalled and
active since Ubuntu 7.10
• By default some profiles
are already in enforcing
mode, others in complain
root@vm1:/home/francesco# aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/bin/ubuntu-core-launcher
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ippusbxd
/usr/sbin/tcpdump
webbrowser-app
webbrowser-app//oxide_helper
0 profiles are in complain mode.
0 processes are unconfined but have a profile
defined.
defaults in
Ubuntu 16.04
after installation
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Installation
• sudo apt-get install …
• apparmor, the system itself
• apparmor-utils, managing utilities
• apparmor-profiles, for additional profiles
• (optional) apparmor-notify, to get desktop notification
upon attempted violation
• auditd, not part of but needed for logs
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Usage
• aa-status to see what’s active, what’s not
• aa-genprof to scaffold a (empty) policy
• aa-logprof to generate policy out of log (learning mode)
• (e.g.) aa-logprof -f /var/log/audit/audit.log
• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)
• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
• apparmor_parser -R /etc/apparmor.d/profile.name to ignore a profile
• apparmor_parser -r /etc/apparmor.d/profile.name to un-ignore a profile
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Policy example (for vsftpd)
#include <tunables/global>
/usr/sbin/vsftpd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/authentication>
/dev/urandom r,
/etc/fstab r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/mtab r,
/etc/shells r,
/etc/vsftpd.* r,
/etc/vsftpd/* r,
/usr/sbin/vsftpd rmix,
/var/log/vsftpd.log w,
/var/log/xferlog w,
# anon chroots
/ r,
/pub r,
/pub/** r,
@{HOMEDIRS} r,
@{HOME}/** rwl,
}
wildcards
path and relative permissions
including rules in other
pre-defined files
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Permissions
• r read
• w write
• ux unconfined execute
• Ux unconfined execute - scrub environment
• px discrete profile execute
• Px discrete profile execute - scrub environment
• i ineherit execute
• m allow PROT_EXEC with mmap calls
• l link
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
The good
• friendly management tools
• policies easy to maintain
• using audit.log and aa-logprof
• integrates with audit
• decent logs
• integrates with Ubuntu system notifications
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
The bad
• basic enforcing (e.g. can’t limit access to range of tcp ports)
• useless against root privilege escalation (can be disabled or removed!)
• no memory protection
• bugged utilities (learning mode often not working)
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Resources
• Official wiki (wiki.apparmor.net/)
• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)
• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
• irc.oftc.net #apparmor
• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Questions?
Thank you!

More Related Content

What's hot

Erasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterErasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterRed_Hat_Storage
 
Linuxの2038年問題を調べてみた
Linuxの2038年問題を調べてみたLinuxの2038年問題を調べてみた
Linuxの2038年問題を調べてみたwata2ki
 
Redis Reliability, Performance & Innovation
Redis Reliability, Performance & InnovationRedis Reliability, Performance & Innovation
Redis Reliability, Performance & InnovationRedis Labs
 
Wiresharkの解析プラグインを作る ssmjp 201409
Wiresharkの解析プラグインを作る ssmjp 201409Wiresharkの解析プラグインを作る ssmjp 201409
Wiresharkの解析プラグインを作る ssmjp 201409稔 小林
 
カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15
カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15
カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15Takaya Saeki
 
ARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいwata2ki
 
第4回Linux-HA勉強会資料 Pacemakerの紹介
第4回Linux-HA勉強会資料 Pacemakerの紹介第4回Linux-HA勉強会資料 Pacemakerの紹介
第4回Linux-HA勉強会資料 Pacemakerの紹介ksk_ha
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
Linux command ppt
Linux command pptLinux command ppt
Linux command pptkalyanineve
 
Docker volume基礎/Project Longhorn紹介
Docker volume基礎/Project Longhorn紹介Docker volume基礎/Project Longhorn紹介
Docker volume基礎/Project Longhorn紹介Masahito Zembutsu
 
Binderのはじめの一歩とAndroid
Binderのはじめの一歩とAndroidBinderのはじめの一歩とAndroid
Binderのはじめの一歩とAndroidl_b__
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 -  XDP closer integration with network stackKernel Recipes 2019 -  XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackAnne Nicolas
 
Bash Shell Scripting
Bash Shell ScriptingBash Shell Scripting
Bash Shell ScriptingRaghu nath
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance AnalysisBrendan Gregg
 
PostgreSQL HA
PostgreSQL   HAPostgreSQL   HA
PostgreSQL HAharoonm
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file systemTaaanu01
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
OpenShiftでJBoss EAP構築
OpenShiftでJBoss EAP構築OpenShiftでJBoss EAP構築
OpenShiftでJBoss EAP構築Daein Park
 

What's hot (20)

Erasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterErasure codes and storage tiers on gluster
Erasure codes and storage tiers on gluster
 
Linuxの2038年問題を調べてみた
Linuxの2038年問題を調べてみたLinuxの2038年問題を調べてみた
Linuxの2038年問題を調べてみた
 
Redis Reliability, Performance & Innovation
Redis Reliability, Performance & InnovationRedis Reliability, Performance & Innovation
Redis Reliability, Performance & Innovation
 
FizzBuzzで学ぶJavaの進化
FizzBuzzで学ぶJavaの進化FizzBuzzで学ぶJavaの進化
FizzBuzzで学ぶJavaの進化
 
Wiresharkの解析プラグインを作る ssmjp 201409
Wiresharkの解析プラグインを作る ssmjp 201409Wiresharkの解析プラグインを作る ssmjp 201409
Wiresharkの解析プラグインを作る ssmjp 201409
 
カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15
カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15
カーネル空間ですべてのプロセスを動かすには -TAL, SFI, Wasmとか - カーネル/VM探検隊15
 
ZeroMQ
ZeroMQZeroMQ
ZeroMQ
 
ARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくい
 
第4回Linux-HA勉強会資料 Pacemakerの紹介
第4回Linux-HA勉強会資料 Pacemakerの紹介第4回Linux-HA勉強会資料 Pacemakerの紹介
第4回Linux-HA勉強会資料 Pacemakerの紹介
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
Linux command ppt
Linux command pptLinux command ppt
Linux command ppt
 
Docker volume基礎/Project Longhorn紹介
Docker volume基礎/Project Longhorn紹介Docker volume基礎/Project Longhorn紹介
Docker volume基礎/Project Longhorn紹介
 
Binderのはじめの一歩とAndroid
Binderのはじめの一歩とAndroidBinderのはじめの一歩とAndroid
Binderのはじめの一歩とAndroid
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 -  XDP closer integration with network stackKernel Recipes 2019 -  XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stack
 
Bash Shell Scripting
Bash Shell ScriptingBash Shell Scripting
Bash Shell Scripting
 
Container Performance Analysis
Container Performance AnalysisContainer Performance Analysis
Container Performance Analysis
 
PostgreSQL HA
PostgreSQL   HAPostgreSQL   HA
PostgreSQL HA
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file system
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 
OpenShiftでJBoss EAP構築
OpenShiftでJBoss EAP構築OpenShiftでJBoss EAP構築
OpenShiftでJBoss EAP構築
 

Similar to Getting started with AppArmor

Cross-platform development with Pharo - The PharoLauncher case
Cross-platform development with Pharo - The PharoLauncher caseCross-platform development with Pharo - The PharoLauncher case
Cross-platform development with Pharo - The PharoLauncher caseESUG
 
HowTo Install openMPI on Ubuntu
HowTo Install openMPI on UbuntuHowTo Install openMPI on Ubuntu
HowTo Install openMPI on UbuntuA Jorge Garcia
 
Puppet control-repo 
to the next level
Puppet control-repo 
to the next levelPuppet control-repo 
to the next level
Puppet control-repo 
to the next levelAlessandro Franceschi
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2Trinh Tuan
 
Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015Chris Tankersley
 
Go profiling introduction
Go profiling introductionGo profiling introduction
Go profiling introductionWilliam Lin
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk   an introduction to linux memory forensics(120513) #fitalk   an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk   an introduction to linux memory forensics(120513) #fitalk   an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
 
Getting started with GrSecurity
Getting started with GrSecurityGetting started with GrSecurity
Getting started with GrSecurityFrancesco Pira
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Chris Tankersley
 
CloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngineCloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngineNick Anderson
 
Legacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsAppZero
 
Ubuntu Core 技术详解
Ubuntu Core 技术详解Ubuntu Core 技术详解
Ubuntu Core 技术详解Rex Tsai
 

Similar to Getting started with AppArmor (20)

161110
161110161110
161110
 
Cross-platform development with Pharo - The PharoLauncher case
Cross-platform development with Pharo - The PharoLauncher caseCross-platform development with Pharo - The PharoLauncher case
Cross-platform development with Pharo - The PharoLauncher case
 
HowTo Install openMPI on Ubuntu
HowTo Install openMPI on UbuntuHowTo Install openMPI on Ubuntu
HowTo Install openMPI on Ubuntu
 
Flatpak
FlatpakFlatpak
Flatpak
 
161117
161117161117
161117
 
Puppet control-repo 
to the next level
Puppet control-repo 
to the next levelPuppet control-repo 
to the next level
Puppet control-repo 
to the next level
 
Python on exadata
Python on exadataPython on exadata
Python on exadata
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
 
Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015
 
Go profiling introduction
Go profiling introductionGo profiling introduction
Go profiling introduction
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk   an introduction to linux memory forensics(120513) #fitalk   an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk   an introduction to linux memory forensics(120513) #fitalk   an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics
 
Getting started with GrSecurity
Getting started with GrSecurityGetting started with GrSecurity
Getting started with GrSecurity
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
 
CloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngineCloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngine
 
PHP Development Tools
PHP  Development ToolsPHP  Development Tools
PHP Development Tools
 
Wissbi osdc pdf
Wissbi osdc pdfWissbi osdc pdf
Wissbi osdc pdf
 
Legacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris Applications
 
Ubuntu Core 技术详解
Ubuntu Core 技术详解Ubuntu Core 技术详解
Ubuntu Core 技术详解
 

Recently uploaded

Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 

Recently uploaded (20)

Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 

Getting started with AppArmor

  • 1. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) AppArmor App sandboxing comes standard in Ubuntu Linux
  • 2. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) What is • it’s not a proper MAC tool • just meant for app sandboxing • can’t defend against root privilege escalation • module of LSM • apparmor-utils • init scripts, log parser for learning mode, policy generator
  • 3. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Development timeline • 1998 born from WireX as subdomain • 2005 bought by Novell and renamed as AppArmor • 2007 Novell stops development • Ubuntu 7.10 released! • 2009 Canonical takes over Novell, it reborn • 2016 still in development as open-source project
  • 4. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Features • enforce is not default. no policy means unconfined! • policy split in profiles: one profile per executable • policy can be modified by hand in text editors • loads all profiles at startup (both complain and enforce) • path-based ACL (for loaded profiles) • notifications to the user via aa-notify
  • 5. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) How it works • uses LSM • path-based profiles (save in /etc/apparmor.d) • each profile manages… • accessible paths (permissions) • system capabilities the executable has • complain mode to log (…and then learn) • again: enforce is not default. no policy means unconfined!
  • 6. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Out of the box • Comes preinstalled and active since Ubuntu 7.10 • By default some profiles are already in enforcing mode, others in complain root@vm1:/home/francesco# aa-status apparmor module is loaded. 21 profiles are loaded. 21 profiles are in enforce mode. /sbin/dhclient /usr/bin/evince /usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper /usr/bin/evince-thumbnailer /usr/bin/evince-thumbnailer//sanitized_helper /usr/bin/evince//sanitized_helper /usr/bin/ubuntu-core-launcher /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script /usr/lib/cups/backend/cups-pdf /usr/lib/lightdm/lightdm-guest-session /usr/lib/lightdm/lightdm-guest-session//chromium /usr/sbin/cups-browsed /usr/sbin/cupsd /usr/sbin/cupsd//third_party /usr/sbin/ippusbxd /usr/sbin/tcpdump webbrowser-app webbrowser-app//oxide_helper 0 profiles are in complain mode. 0 processes are unconfined but have a profile defined. defaults in Ubuntu 16.04 after installation
  • 7. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Installation • sudo apt-get install … • apparmor, the system itself • apparmor-utils, managing utilities • apparmor-profiles, for additional profiles • (optional) apparmor-notify, to get desktop notification upon attempted violation • auditd, not part of but needed for logs
  • 8. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Usage • aa-status to see what’s active, what’s not • aa-genprof to scaffold a (empty) policy • aa-logprof to generate policy out of log (learning mode) • (e.g.) aa-logprof -f /var/log/audit/audit.log • aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name) • aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name) • apparmor_parser -R /etc/apparmor.d/profile.name to ignore a profile • apparmor_parser -r /etc/apparmor.d/profile.name to un-ignore a profile
  • 9. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Policy example (for vsftpd) #include <tunables/global> /usr/sbin/vsftpd { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/authentication> /dev/urandom r, /etc/fstab r, /etc/hosts.allow r, /etc/hosts.deny r, /etc/mtab r, /etc/shells r, /etc/vsftpd.* r, /etc/vsftpd/* r, /usr/sbin/vsftpd rmix, /var/log/vsftpd.log w, /var/log/xferlog w, # anon chroots / r, /pub r, /pub/** r, @{HOMEDIRS} r, @{HOME}/** rwl, } wildcards path and relative permissions including rules in other pre-defined files
  • 10. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Permissions • r read • w write • ux unconfined execute • Ux unconfined execute - scrub environment • px discrete profile execute • Px discrete profile execute - scrub environment • i ineherit execute • m allow PROT_EXEC with mmap calls • l link
  • 11. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) The good • friendly management tools • policies easy to maintain • using audit.log and aa-logprof • integrates with audit • decent logs • integrates with Ubuntu system notifications
  • 12. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) The bad • basic enforcing (e.g. can’t limit access to range of tcp ports) • useless against root privilege escalation (can be disabled or removed!) • no memory protection • bugged utilities (learning mode often not working)
  • 13. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Resources • Official wiki (wiki.apparmor.net/) • Ubuntu wiki (wiki.ubuntu.com/AppArmor/) • Debian wiki (https://wiki.debian.org/AppArmor/HowToUse) • Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor) • irc.oftc.net #apparmor • Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
  • 14. AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Questions? Thank you!