Harden Your Ubuntu Systems with AppArmor
July 8, 2008
A lot of you probably use Linux for some of your application server needs. Although there are a lot of different Linux flavors, most of them are based on Debian or Red Hat code. I've worked with several Red Hat-based Linux platforms, such as Red Hat Enterprise Linux and CentOS, but I prefer Debian-based systems—in particular Ubuntu Server. The reasons are simple: Ubuntu Server is very mature, it's easy to administer and keep up to date, it rarely ever breaks, it's fast, it's free, and community support is phenomenal.
As you might know, when Canonical (the company that leads Ubuntu development) released version 7.10, the company included AppArmor, which helps limit the file resources that an application can access. AppArmor was maintained by Novell until last year and now the open-source community has picked up the ball (see the FAQ about AppArmor at the URL below).
http://developer.novell.com/wiki/index.php/Apparmor_FAQ
In a nutshell, AppArmor is a kernel-level subsystem that works by using a unique policy profile for each of the applications and services that you want to protect. Profiles contain lists of capabilities and file system access rights that reduce potential attack surface area. All forms of access not specifically defined in an application or service profile are denied. So for example, if someone finds a way to inject and launch malicious code through Apache, that exploit most likely won’t work if Apache is protected by AppArmor and the associated profile does not allow any sort of execute privileges. The same goes for MySQL Server and other common applications such as Firefox.
If you haven't enabled AppArmor on your Ubuntu desktops and servers then you're missing out on some incredibly powerful security defenses. Consider checking it out. The following basic information will help you get started.
AppArmor is a service, so first of all you need to make sure the service is started on your system. Secondly, you might want to install some basic profiles that have been made available to the Ubuntu community. Use your package manager to install "apparmor-profiles." With that done, you need to know that AppArmor uses profiles in two different modes: Enforce and Complain. Enforce mode is used to completely enforce your application or service policy. Anything not implicitly allowed is disallowed, which might break functionality if your policy profile isn't broad enough. That's where Complain mode comes in handy. You can think of Complain mode as a learning mode. Any application or service whose profile is in Complain mode will run as usual, but its policy is not enforced. Instead, its policy is compared with real-time activity, and any problems or errors that might occur if the policy were in Enforce mode are logged. This gives you the opportunity to review the logs and debug your profiles before making them live on the system.
You also need to know that before you can automatically generate policies, the target service or application must be running. Not only that, but after enabling AppArmor you must restart any applications or services. Also note that policy profiles are text-based files stored in the /etc/apparmor.d directory. Finally, you need to know a few commands because as far as I know there's no GUI for AppArmor on Ubuntu systems. Below is a list of common commands along with a brief description of what they each do:
/etc/init.d/apparmor {stop|start|reload}— This command controls the service itself
aa-status—Displays a list of policies in use as well as which ones are in Complain or Enforce mode
aa-unconfined—Displays a list of applications and services with open network ports that do not have AppArmor protection enabled
aa-complain—Forces a policy into Complain mode for debugging purposes
aa-enforce—Forces a policy into Enforce mode for real-time live protection
aa-autodep—Attempts to generate a profile for an application or service, and the generated profile will most likely need further tuning
aa-genprof—Attempts to generate a profile using aa-autodep, sets the profile to Complain mode, and writes a marker to the system log
aa-logprof—Powerful log analyzer that can show access errors and help you automatically add new rules to a profile
When I enabled AppArmor for Apache2, there were problems with the base policy. I had to add file access rights for Apache's configuration files, PHP libraries, the Web content files, etc., and figuring it all out took quite a while. To get a head start on the process, have a look at the Maven blog at the first URL below, which will give you a good idea of what might be required for your particular installation. You might also want to install the Apache module, libapache2-mod-apparmor, to handle issues where Apache might have to "change hats" to interact with Perl scripts, etc. You can read about the change_hat functionality of AppArmor at the second URL below.
http://www.maven.pl/2006/12/13/apparmor-protection-for-your-apache-including-mod_php-mod_python-and-others
http://man-wiki.net/index.php/2:change_hat
If you need more help getting started with AppArmor, be sure to review the "man" pages for each command. Also, have a look at the AppArmor wiki pages at Ubuntu's Web site at the first URL below, and refer to Novell's AppArmor documentation at the second URL below.
https://help.ubuntu.com/community/AppArmor
http://www.novell.com/documentation/apparmor
About the Author(s)
You May Also Like