Apparmor and its usage: Difference between revisions
Mteivens moved page Creating malware lab to Apparmor and its usage
=== AppArmor and its usage ===
== What is AppArmor ==
'''[https://wiki.ubuntu.com/AppArmor AppArmor]''' is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by [https://www.canonical.com/ Canonical] since 2009.
It is available by default on Ubuntu and SUSE distributions. AppArmor identifies files by path rather than by inode, which is what the similar security mechanism [https://en.wikipedia.org/wiki/Security-Enhanced_Linux SELinux] uses.
AppArmor uses rules, which are combined into a profile for every process you want to restrict. A profile can be run in "enforce" or "complain" mode. To generate a profile you can run the program with its profile in complain mode and collect the logged violations. An enforced profile disallows any restricted activity, whereas a profile run in complain mode still allows the program to do what it intended, but logs each violation in the log file.
== AppArmor features ==
AppArmor can restrict the following:
* file access (read, write, link, lock)
* library loading
* execution of applications
* coarse-grained network (protocol, type, domain)
* capabilities
* coarse owner checks (task must have the same euid/fsuid as the object being checked) starting with Ubuntu 9.10
* mount starting with Ubuntu 12.04 LTS
* unix(7) named sockets starting with Ubuntu 13.10
* DBus API (path, interface, method) starting with Ubuntu 13.10
* signal(7) starting with Ubuntu 14.04 LTS
* ptrace(2) starting with Ubuntu 14.04 LTS
* unix(7) abstract and anonymous sockets starting with Ubuntu 14.10
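The following generator, added here as an illustration and not taken from the wiki or from any distribution's profile set, shows how rules of the kinds listed above (file access, library loading, execution transitions, network, capabilities, owner checks, signal and ptrace mediation) are combined into one profile, and how the same profile is switched between complain and enforce mode with the <code>flags=(complain)</code> attribute. The program <code>/usr/local/bin/example-app</code>, its directories, and the helper names <code>write_example_profile</code> and <code>check_profile_syntax</code> are assumptions; as root, redirect the generator's output into <code>/etc/apparmor.d/</code> and load it with the commands in the next section.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate an AppArmor profile for a
# hypothetical program /usr/local/bin/example-app. Program path, directories and
# function names are assumptions chosen for illustration.
# Usage: write_example_profile [complain|enforce] > /etc/apparmor.d/usr.local.bin.example-app

write_example_profile() {
    mode="${1:-complain}"
    if [ "$mode" = "complain" ]; then
        flags=" flags=(complain)"   # violations are logged but still allowed
    else
        flags=""                    # no flags means enforce mode
    fi
    cat <<EOF
#include <tunables/global>

/usr/local/bin/example-app$flags {
  #include <abstractions/base>

  # file access: r(ead), w(rite), l(ink), k (lock)
  /etc/example-app/**           r,
  /var/log/example-app/*.log    w,
  /run/example-app.pid          wl,
  # owner check: the task's euid must match the file owner
  owner /var/lib/example-app/** rwk,

  # library loading: m (map executable) together with r
  /usr/lib/example-app/*.so     mr,

  # execution: ix runs the child under this profile, Px switches
  # to the child's own profile (and scrubs the environment)
  /usr/bin/gzip   ix,
  /usr/bin/logger Px,

  # coarse-grained network: domain and type
  network inet  stream,
  network inet6 stream,

  # capabilities
  capability net_bind_service,

  # signal(7) and ptrace(2) mediation (Ubuntu 14.04 LTS and later)
  signal (receive) set=(term, hup) peer=unconfined,
  ptrace (readby) peer=unconfined,

  # explicit, audited denial wins over anything an include might allow
  audit deny /etc/shadow r,
}
EOF
}

# Parse the generated profile without loading it into the kernel
# (-Q = --skip-kernel-load, -K = --skip-cache). Skips cleanly when the
# parser is not installed so the script also runs on hosts without AppArmor.
check_profile_syntax() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        write_example_profile "$1" | apparmor_parser -Q -K
    else
        echo "apparmor_parser not installed; skipping syntax check" >&2
    fi
}
```

Start a new profile in complain mode, watch the kernel log for <code>apparmor="ALLOWED"</code> entries while exercising the program, add the rules those entries call for, and only then regenerate it in enforce mode; the <code>audit deny</code> rule makes sure access to the secret file is both blocked and logged even in complain mode.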
== AppArmor commands ==
=== Check status ===
apparmor_status
=== Load profile ===
cat /etc/apparmor.d/profile.name | apparmor_parser -a
=== Reload single profile ===
cat /etc/apparmor.d/profile.name | apparmor_parser -r
=== Reload all profiles ===
systemctl reload apparmor
=== Disable profile ===
ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/profile.name
=== Enable a disabled profile ===
rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | apparmor_parser -a
=== Run profile in complain mode ===
aa-complain /path/to/program
(<code>aa-enforce /path/to/program</code> switches the profile back to enforce mode.)
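As an added example that is not part of the original page, the status, disable and enable commands above wrapped into shell functions that can be exercised without root or a running AppArmor. The function names, the <code>APPARMOR_D</code> and <code>AA_PROFILES_FILE</code> overrides and the profile name <code>usr.local.bin.example-app</code> are assumptions; the kernel's list of loaded profiles at <code>/sys/kernel/security/apparmor/profiles</code> is real and carries one <code>name (mode)</code> entry per line, which is what <code>apparmor_status</code> summarises.

```shell
#!/bin/sh
# Added example (not from the wiki page). Directories default to the real
# locations but can be overridden, so the helpers are testable offline.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Mode of a loaded profile ("enforce", "complain", ...) taken from the kernel's
# profile list; prints "unloaded" when the profile is not loaded.
aa_profile_mode() {
    name="$1"
    mode=""
    if [ -r "$AA_PROFILES_FILE" ]; then
        mode=$(awk -v n="$name" '
            index($0, n " (") == 1 {
                m = substr($0, length(n) + 3)   # text after "name ("
                sub(/\)$/, "", m)               # drop the closing parenthesis
                print m; exit
            }' "$AA_PROFILES_FILE")
    fi
    echo "${mode:-unloaded}"
}

# True when the profile is marked disabled on disk (symlink in disable/),
# which is what keeps it from being loaded at boot.
aa_profile_disabled() {
    [ -L "$APPARMOR_D/disable/$1" ]
}

# Loading and unloading profiles needs root and the apparmor_parser binary;
# otherwise report what would have run and continue.
_aa_parser() {
    if command -v apparmor_parser >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        apparmor_parser "$@"
    else
        echo "skipped (needs root and apparmor_parser): apparmor_parser $*" >&2
    fi
}

# Disable: create the disable/ marker first so a reboot does not undo the
# change, then remove the profile from the kernel (-R).
aa_disable_profile() {
    f="$APPARMOR_D/$1"
    [ -f "$f" ] || { echo "no such profile file: $f" >&2; return 1; }
    mkdir -p "$APPARMOR_D/disable"
    ln -sf "$f" "$APPARMOR_D/disable/$1"
    _aa_parser -R "$f"
}

# Enable: remove the marker and load the profile. -r (replace) is used
# instead of -a so this also succeeds when the profile is already loaded.
aa_enable_profile() {
    f="$APPARMOR_D/$1"
    [ -f "$f" ] || { echo "no such profile file: $f" >&2; return 1; }
    rm -f "$APPARMOR_D/disable/$1"
    _aa_parser -r "$f"
}
```

A profile that is loaded in the kernel but has a symlink in <code>disable/</code> is a common source of confusion after a reboot: <code>aa_profile_mode</code> reports what the kernel enforces right now, <code>aa_profile_disabled</code> reports what will happen at the next boot, and a hardening check should look at both.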
=== Disabling AppArmor ===
Open the <code>/etc/default/grub</code> file and change or add this line: <code>GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"</code>.
Then run <code>update-grub2</code> and restart your PC.
== Creating new profiles ==
First you probably need to install an additional package by running <code>apt install apparmor-utils</code>
Revision as of 19:32, 25 April 2017