Security
4. AppArmor
AppArmor is a Linux Security Module implementation of name-based mandatory access controls.
AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.
AppArmor is installed and loaded by default. It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.
To install the apparmor-profiles package from a terminal prompt:
sudo apt-get install apparmor-profiles
AppArmor profiles have two modes of execution:
• Complaining/Learning: profile violations are permitted and logged. Useful for testing and developing new profiles.
• Enforced/Confined: enforces profile policy as well as logging the violation.
4.1. Using AppArmor
The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode, find the status of a profile, create new profiles, etc.
• apparmor_status is used to view the current status of AppArmor profiles.
sudo apparmor_status
• aa-complain places a profile into complain mode.
sudo aa-complain /path/to/bin
• aa-enforce places a profile into enforce mode.
sudo aa-enforce /path/to/bin
• The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles.
Enter the following to place all profiles into complain mode:
sudo aa-complain /etc/apparmor.d/*
To place all profiles in enforce mode:
sudo aa-enforce /etc/apparmor.d/*
• apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option. To load a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
To reload a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
• /etc/init.d/apparmor can be used to reload all profiles:
sudo /etc/init.d/apparmor reload
• The /etc/apparmor.d/disable directory can be used along with the apparmor_parser -R option to disable a profile.
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
To re-enable a disabled profile remove the symbolic link to the profile in /etc/apparmor.d/disable/. Then load the profile using the -a option.
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
• AppArmor can be disabled, and the kernel module unloaded by entering the following:
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
• To re-enable AppArmor enter:
sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor defaults
Replace profile.name with the name of the profile you want to manipulate. Also, replace /path/to/bin with the actual executable file path. For example, for the ping command use /bin/ping.
4.2. Profiles
AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile, replacing the "/" with ".". For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
There are two main types of rules used in profiles:
• Path entries: which detail which files an application can access in the file system.
• Capability entries: determine what privileges a confined process is allowed to use.
As an example take a look at /etc/apparmor.d/bin.ping:
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  /bin/ping mixr,
  /etc/modules.conf r,
}
• #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.
• /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.
• capability net_raw,: allows the application access to the CAP_NET_RAW POSIX.1e capability.
• /bin/ping mixr,: allows the application read and execute access to the file.
After editing a profile file the profile must be reloaded. See Section 4.1, “Using AppArmor” [p. 119] for details.
4.2.1. Creating a Profile
• Design a test plan: Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.
Some standard test cases are:
• Starting the program.
• Stopping the program.
• Reloading the program.
• Testing all the commands supported by the init script.
• Generate the new profile: Use aa-genprof to generate a new profile. From a terminal:
sudo aa-genprof executable
For example:
sudo aa-genprof slapd
• To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:
• Include your test plan and test cases.
• Attach your new profile to the bug.
4.2.2. Updating Profiles
When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles.
From a terminal:
sudo aa-logprof
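As an added example (not code from this guide or from the AppArmor project), the following Python script does in miniature what aa-logprof does: it scans audit lines, keeps the DENIED events an enforced profile logs and the ALLOWED events a complain-mode profile logs, maps each profile name to its file under /etc/apparmor.d using the naming rule from Section 4.2, and proposes the path or capability rule that would permit the access. The sample lines are constructed and assume the key=value audit format that current kernels emit; each proposed rule is a candidate for the administrator to accept or reject, which is the review step aa-logprof prompts for.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value audit format current kernels emit. The
# STATUS line is a profile load, not a violation; ALLOWED is what complain mode logs.
SAMPLE_LOG = """\
audit: type=1400 audit(1270000000.000:11): apparmor="STATUS" operation="profile_load" name="/bin/ping" pid=1000 comm="apparmor_parser"
audit: type=1400 audit(1270000000.001:12): apparmor="DENIED" operation="open" profile="/bin/ping" name="/etc/hosts.deny" pid=1234 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1270000000.002:13): apparmor="ALLOWED" operation="open" profile="/bin/ping" name="/etc/nsswitch.conf" pid=1234 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1270000000.003:14): apparmor="DENIED" operation="capable" profile="/usr/sbin/slapd" pid=1300 comm="slapd" capability=12 capname="net_admin"
audit: type=1400 audit(1270000000.004:15): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/log/slapd.log" pid=1300 comm="slapd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK_ORDER = "rwalkm"
MASK_ALIAS = {"c": "w", "d": "w"}  # create/delete are logged separately but are "w" in a rule

def parse_event(line):
    """Return the key=value fields of one audit line, or None if it is not a policy event."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") in ("DENIED", "ALLOWED") else None

def profile_file(profile_name, base="/etc/apparmor.d"):
    """Map a profile name such as /bin/ping to its file /etc/apparmor.d/bin.ping."""
    return f"{base}/{profile_name.lstrip('/').replace('/', '.')}"

def normalise_mask(mask):
    """Collapse a logged access mask into the permission letters a path rule accepts."""
    wanted = {MASK_ALIAS.get(ch, ch) for ch in mask}
    # exec ("x") is left out on purpose: choosing ix/px/ux is a decision for the admin
    return "".join(ch for ch in MASK_ORDER if ch in wanted)

def suggest_rule(event):
    """Turn one event into the profile line that would permit the logged access."""
    if event.get("operation") == "capable":
        return f"capability {event['capname']},"
    if "name" in event and "denied_mask" in event:
        perms = normalise_mask(event["denied_mask"])
        return f"{event['name']} {perms}," if perms else None
    return None

def suggest_rules(log_text):
    """Scan log text and group the suggested rule lines by the profile file they belong to."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        rule = suggest_rule(event) if event else None
        if rule:
            rules[profile_file(event["profile"])].add(rule)
    return {path: sorted(lines) for path, lines in rules.items()}
```

Running suggest_rules(SAMPLE_LOG) yields two read rules for /etc/apparmor.d/bin.ping and a write rule plus capability net_admin, for /etc/apparmor.d/usr.sbin.slapd; after adding accepted lines, reload the profile with apparmor_parser -r as described in Section 4.1.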
4.3. References
• See the AppArmor Administration Guide for advanced configuration options.
• For details on using AppArmor with other Ubuntu releases see the AppArmor Community Wiki page.
• The OpenSUSE AppArmor page is another introduction to AppArmor.
• A great place to ask for AppArmor assistance, and get involved with the Ubuntu Server community, is the #ubuntu-server IRC channel on freenode.