Getting started with AppArmor

Getting started with AppArmor
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) AppArmor App sandboxing comes standard in Ubuntu Linux
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) What is • it’s not a proper MAC tool • just meant for app sandboxing • can’t defend against root privilege escalation • module of LSM • apparmor-utils • init scripts, log parser for learning mode, policy generator
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Development timeline • 1998 born from WireX as subdomain • 2005 bought by Novell and renamed as AppArmor • 2007 Novell stops development • Ubuntu 7.10 released! • 2009 Canonical takes over Novell, it reborn • 2016 still in development as open-source project
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Features • enforce is not default. no policy means unconfined! • policy split in profiles: one profile per executable • policy can be modified by hand in text editors • loads all profiles at startup (both complain and enforce) • path-based ACL (for loaded profiles) • notifications to the user via aa-notify
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) How it works • uses LSM • path-based profiles (save in /etc/apparmor.d) • each profile manages… • accessible paths (permissions) • system capabilities the executable has • complain mode to log (…and then learn) • again: enforce is not default. no policy means unconfined!
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Out of the box • Comes preinstalled and active since Ubuntu 7.10 • By default some profiles are already in enforcing mode, others in complain root@vm1:/home/francesco# aa-status apparmor module is loaded. 21 profiles are loaded. 21 profiles are in enforce mode. /sbin/dhclient /usr/bin/evince /usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper /usr/bin/evince-thumbnailer /usr/bin/evince-thumbnailer//sanitized_helper /usr/bin/evince//sanitized_helper /usr/bin/ubuntu-core-launcher /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script /usr/lib/cups/backend/cups-pdf /usr/lib/lightdm/lightdm-guest-session /usr/lib/lightdm/lightdm-guest-session//chromium /usr/sbin/cups-browsed /usr/sbin/cupsd /usr/sbin/cupsd//third_party /usr/sbin/ippusbxd /usr/sbin/tcpdump webbrowser-app webbrowser-app//oxide_helper 0 profiles are in complain mode. 0 processes are unconfined but have a profile defined. defaults in Ubuntu 16.04 after installation
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Installation • sudo apt-get install … • apparmor, the system itself • apparmor-utils, managing utilities • apparmor-profiles, for additional profiles • (optional) apparmor-notify, to get desktop notification upon attempted violation • auditd, not part of but needed for logs
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Usage • aa-status to see what’s active, what’s not • aa-genprof to scaffold a (empty) policy • aa-logprof to generate policy out of log (learning mode) • (e.g.) aa-logprof -f /var/log/audit/audit.log • aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name) • aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name) • apparmor_parser -R /etc/apparmor.d/profile.name to ignore a profile • apparmor_parser -r /etc/apparmor.d/profile.name to un-ignore a profile
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Policy example (for vsftpd) #include <tunables/global> /usr/sbin/vsftpd { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/authentication> /dev/urandom r, /etc/fstab r, /etc/hosts.allow r, /etc/hosts.deny r, /etc/mtab r, /etc/shells r, /etc/vsftpd.* r, /etc/vsftpd/* r, /usr/sbin/vsftpd rmix, /var/log/vsftpd.log w, /var/log/xferlog w, # anon chroots / r, /pub r, /pub/** r, @{HOMEDIRS} r, @{HOME}/** rwl, } wildcards path and relative permissions including rules in other pre-defined files
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Permissions • r read • w write • ux unconfined execute • Ux unconfined execute - scrub environment • px discrete profile execute • Px discrete profile execute - scrub environment • i ineherit execute • m allow PROT_EXEC with mmap calls • l link
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) The good • friendly management tools • policies easy to maintain • using audit.log and aa-logprof • integrates with audit • decent logs • integrates with Ubuntu system notifications
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) The bad • basic enforcing (e.g. can’t limit access to range of tcp ports) • useless against root privilege escalation (can be disabled or removed!) • no memory protection • bugged utilities (learning mode often not working)
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Resources • Official wiki (wiki.apparmor.net/) • Ubuntu wiki (wiki.ubuntu.com/AppArmor/) • Debian wiki (https://wiki.debian.org/AppArmor/HowToUse) • Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor) • irc.oftc.net #apparmor • Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com) Questions? Thank you!

Check these out next

Getting started with AppArmor

Recommended

More Related Content

Slideshows for you(20)

Similar to Getting started with AppArmor(20)

Recently uploaded(20)

Getting started with AppArmor