Apparmor and its usage: Difference between revisions
No edit summary |
|||
Line 48: | Line 48: | ||
=== Run profile in complain mode === | === Run profile in complain mode === | ||
aa-complain /path/to/program | aa-complain /path/to/program | ||
=== Run profile in enforce mode === | |||
aa-enforce /path/to/program | |||
=== Disabling AppArmor === | === Disabling AppArmor === | ||
Open <code>/etc/default/grub</code> file and change or add this line <code>GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"</code>. | Open <code>/etc/default/grub</code> file and change or add this line <code>GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"</code>. | ||
Then run <code>update-grub2</code> and restart your PC. | Then run <code>update-grub2</code> and restart your PC. | ||
== Permission flags == | |||
* r - read | |||
* w - write -- conflicts with append | |||
* a - append -- conflicts with write | |||
* ux - unconfined execute | |||
* Ux - unconfined execute -- scrub the environment | |||
* px - discrete profile execute | |||
* Px - discrete profile execute -- scrub the environment | |||
* cx - transition to subprofile on execute | |||
* Cx - transition to subprofile on execute -- scrub the environment | |||
* ix - inherit execute | |||
* m - allow PROT_EXEC with mmap(2) calls | |||
* l - link | |||
* k - lock | |||
== Creating new profiles == | == Creating new profiles == | ||
Line 62: | Line 81: | ||
For example, lets try and profile Vsftpd. After installing it, this command needs to be run first <code>aa-genprof /usr/sbin/vsftpd</code>. It will stay in monitoring mode. Then in other terminal window restart or start Vsftpd daemon by running <code>systemctl restart vsftpd</code>. After that just proceed with casual tasks. Connect with local user to FTP, upload, download, create and delete files and directories. Also create file in /tmp. After doing this, switch to first terminal window and push '''S''' for ''(S)can system log for AppArmor events''. Aa-genprof will then asks a couple of questions about actions what vsftpd did and you can either approve or disable them, alone with some more options. For example this rule <code>/home/user1/* r</code> | For example, lets try and profile Vsftpd. After installing it, this command needs to be run first <code>aa-genprof /usr/sbin/vsftpd</code>. It will stay in monitoring mode. Then in other terminal window restart or start Vsftpd daemon by running <code>systemctl restart vsftpd</code>. After that just proceed with casual tasks. Connect with local user to FTP, upload, download, create and delete files and directories. Also create file in /tmp. After doing this, switch to first terminal window and push '''S''' for ''(S)can system log for AppArmor events''. Aa-genprof will then asks a couple of questions about actions what vsftpd did and you can either approve or disable them, alone with some more options. For example this rule <code>/home/user1/* r</code>is very narrow and ftp will not work properly if your system have more than one user. First profile that was made for vsftpd looked like this | ||
<pre> # Last Modified: Wed Apr 26 00:39:00 2017 | |||
#include <tunables/global> | |||
/usr/sbin/vsftpd { | |||
#include <abstractions/authentication> | |||
#include <abstractions/base> | |||
#include <abstractions/nameservice> | |||
#include <abstractions/lxc/container-base> | |||
/dev/urandom r, | |||
/etc/fstab r, | |||
/etc/ftpusers r, | |||
/etc/hosts.allow r, | |||
/etc/hosts.deny r, | |||
/etc/mtab r, | |||
/etc/shells r, | |||
/etc/vsftpd.* r, | |||
/etc/vsftpd/* r, | |||
/home/*/ rw, | |||
/usr/sbin/vsftpd mrix, | |||
/var/log/vsftpd.log w, | |||
} | |||
</pre> | |||
After you test it out, you will notice, that you can still access pretty much everything even when this profile does not specify it. It is because the line <code>#include <abstractions/lxc/container-base></code> gives wide access. So instead i changed permissions to be more narrow, and now profile looked like this. User will be able to write in his home directory and in /tmp. He will not see contents in /home. | |||
<pre> | |||
# Last Modified: Wed Apr 26 20:39:27 2017 | |||
#include <tunables/global> | |||
/usr/sbin/vsftpd { | |||
#include <abstractions/authentication> | |||
#include <abstractions/base> | |||
#include <abstractions/nameservice> | |||
capability audit_write, | |||
capability setgid, | |||
capability setuid, | |||
capability sys_admin, | |||
capability sys_chroot, | |||
/ r, | |||
/dev/urandom r, | |||
/etc/fstab r, | |||
/etc/ftpusers r, | |||
/etc/hosts.allow r, | |||
/etc/hosts.deny r, | |||
/etc/mtab r, | |||
/etc/shells r, | |||
/etc/vsftpd.* r, | |||
/etc/vsftpd/* r, | |||
/tmp/ r, | |||
/tmp/* w, | |||
/usr/sbin/vsftpd mrix, | |||
/var/log/vsftpd.log w, | |||
@{HOME}/ r, | |||
@{HOME}/* w, | |||
} | |||
</pre> |
Revision as of 19:47, 26 April 2017
AppArmor and its ussage
Whats is AppArmor
AppArmor is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control(DAC) model by providing (mandatory access control) (MAC). It was included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009. It is available by default on Ubuntu and Suse distributions. AppArmor relies on paths instead of inodes, which are used by another similar security mechanism SELinux. Apparmor uses rules, which are combined into profiles for every process you want to restrict by it. These profiles can be run in "enforce" or "complain" modes. To generate profile you can run it with AppArmor in profile mode. While enforced profile will disallow any restricted activity, profile ran in complain mode will still allow program to do what was intended, but log this violation in logfile.
AppArmor features
AppArmor can restrict following things
- file access (read, write, link, lock)
- library loading
- execution of applications
- coarse-grained network (protocol, type, domain)
- capabilities
- coarse owner checks (task must have the same euid/fsuid as the object being checked) starting with Ubuntu 9.10
- mount starting with Ubuntu 12.04 LTS
- unix(7) named sockets starting with Ubuntu 13.10
- DBus API (path, interface, method) starting with Ubuntu 13.10
- signal(7) starting with Ubuntu 14.04 LTS
- ptrace(2) starting with Ubuntu 14.04 LTS
- unix(7) abstract and anonymous sockets starting with Ubuntu 14.10
AppArmor commands
Check status
apparmor_status
or
aa-status
Load profile
cat /etc/apparmor.d/profile.name | apparmor_parser -a
Reload singe profile
cat /etc/apparmor.d/profile.name | apparmor_parser -r
Reload all profiles
systemctl reload apparmor
Disable profile
ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ apparmor_parser -R /etc/apparmor.d/profile.name
Enabling disabled profile
rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | apparmor_parser -a
Run profile in complain mode
aa-complain /path/to/program
Run profile in enforce mode
aa-enforce /path/to/program
Disabling AppArmor
Open /etc/default/grub
file and change or add this line GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"
.
Then run update-grub2
and restart your PC.
Permission flags
- r - read
- w - write -- conflicts with append
- a - append -- conflicts with write
- ux - unconfined execute
- Ux - unconfined execute -- scrub the environment
- px - discrete profile execute
- Px - discrete profile execute -- scrub the environment
- cx - transition to subprofile on execute
- Cx - transition to subprofile on execute -- scrub the environment
- ix - inherit execute
- m - allow PROT_EXEC with mmap(2) calls
- l - link
- k - lock
Creating new profiles
There are two ways of profiling. First one is called Stand-Alone profiling and second one is Systematic profiling.
- Stand-alone is more fit if oyu want to create profile for one application, however setbacks are, that you need to keep running the profiling process whole time, while you are creating profile.
- Systematic profiling is meant for multiple processes, and you can restart server and programs while still profiling.
Stand-alone profiling
First you probably need to install additional package by runing apt install apparmor-utils
.
For example, lets try and profile Vsftpd. After installing it, this command needs to be run first aa-genprof /usr/sbin/vsftpd
. It will stay in monitoring mode. Then in other terminal window restart or start Vsftpd daemon by running systemctl restart vsftpd
. After that just proceed with casual tasks. Connect with local user to FTP, upload, download, create and delete files and directories. Also create file in /tmp. After doing this, switch to first terminal window and push S for (S)can system log for AppArmor events. Aa-genprof will then asks a couple of questions about actions what vsftpd did and you can either approve or disable them, alone with some more options. For example this rule /home/user1/* r
is very narrow and ftp will not work properly if your system have more than one user. First profile that was made for vsftpd looked like this
# Last Modified: Wed Apr 26 00:39:00 2017 #include <tunables/global> /usr/sbin/vsftpd { #include <abstractions/authentication> #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/lxc/container-base> /dev/urandom r, /etc/fstab r, /etc/ftpusers r, /etc/hosts.allow r, /etc/hosts.deny r, /etc/mtab r, /etc/shells r, /etc/vsftpd.* r, /etc/vsftpd/* r, /home/*/ rw, /usr/sbin/vsftpd mrix, /var/log/vsftpd.log w, }
After you test it out, you will notice, that you can still access pretty much everything even when this profile does not specify it. It is because the line #include <abstractions/lxc/container-base>
gives wide access. So instead i changed permissions to be more narrow, and now profile looked like this. User will be able to write in his home directory and in /tmp. He will not see contents in /home.
# Last Modified: Wed Apr 26 20:39:27 2017 #include <tunables/global> /usr/sbin/vsftpd { #include <abstractions/authentication> #include <abstractions/base> #include <abstractions/nameservice> capability audit_write, capability setgid, capability setuid, capability sys_admin, capability sys_chroot, / r, /dev/urandom r, /etc/fstab r, /etc/ftpusers r, /etc/hosts.allow r, /etc/hosts.deny r, /etc/mtab r, /etc/shells r, /etc/vsftpd.* r, /etc/vsftpd/* r, /tmp/ r, /tmp/* w, /usr/sbin/vsftpd mrix, /var/log/vsftpd.log w, @{HOME}/ r, @{HOME}/* w, }