Apparmor by Ekta Ahuja @ null Pune Meet, August 2011
2. About Me
Student: MSc.CA at SICSR
Windows & Information Security Enthusiast
Database Freak
3. Agenda
What is Apparmor?
Why Use Apparmor?
Apparmor Profiles
Demo
4. Introduction
AppArmor is the most effective and easy-to-use Linux application
security system available on the market today. AppArmor is a
security framework that proactively protects the operating system
and applications from external or internal threats, even zero-day
attacks, by enforcing good program behavior and preventing even
unknown software flaws from being exploited. AppArmor security
profiles completely define what system resources individual
programs can access, and with what privileges. A number of default
policies are included with AppArmor, and using a combination of
advanced static analysis and learning-based tools, AppArmor
policies for even very complex applications can be deployed
successfully in a matter of hours.
5. Why AppArmor?
6. Which Programs can be Protected?
General recommendation:
Every program that mediates privileges.
Network services:
Every program (server or client) with open ports.
Cron jobs:
Cron jobs that run with root privileges can be protected.
Web applications:
CGI scripts, Java applets, etc.
7. AppArmor Profiles
For each application that we want to protect we can create a separate profile.
A profile contains:
The full path of the program that is confined.
#include directives, with which we can pull in components of other profiles.
POSIX capabilities, added with the capability statement.
Path entries, specifying which parts of the filesystem the program can access.
8. Profile Types:
9. Generating Profiles
10. Key of a Profile
Each rule also specifies permissions:
r - read
w - write
ux - unconstrained execute
Ux - unconstrained execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
ix - inherit execute
m - allow PROT_EXEC with mmap(2) calls
l - link
cx - local security profile
11. Parts of Profile:
Example: Hypothetical application -- /usr/bin/foo
#include
/usr/bin/foo {
  #include
  capability setgid,
  network inet tcp,
  link /etc/sysconfig/foo -> /etc/foo.conf,
  /bin/mount ux,
  /dev/{,u}random r,
  /etc/ld.so.cache r,
  /etc/foo/* r,
  /lib/ld-*.so* mr,
  /lib/lib*.so* mr,
  /proc/[0-9]** r,
  /usr/lib/** mr,
  /tmp/ r,
  /tmp/foo.pid wr,
  /tmp/foo.* lrw,
  @{HOME}/.foo_file rw,
12. Parts of Profile (cont.)
  @{HOME}/.foo_lock kw,
  owner /shared/foo/** rw,
  /usr/bin/foobar cx,
  /bin/** px -> bin_generic,
  # a comment about foo's local (children) profile for /usr/bin/foobar.
  profile /usr/bin/foobar {
    /bin/bash rmix,
    /bin/cat rmix,
    /bin/more rmix,
    /var/log/foobar* rwl,
    /etc/foobar r,
  }
  # foo's hat, bar.
  ^bar {
    /lib/ld-*.so* mr,
    /usr/bin/bar px,
    /var/spool/* rwl,
  }
}
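As an added example that is not part of the slides or of the AppArmor project, the script below turns the permission key (slide 10) and the foo profile (slides 11 and 12) into a reviewer's check: it scans a profile's file rules for ux/Ux (the child runs unconfined), write plus execute on one path, and write on a recursive ** glob, which is what "making rules more generic and open" tends to produce. The profile text is a constructed, trimmed copy of the foo example; the rule regex and the three checks are this example's own assumptions, not apparmor_parser's grammar.

```python
import re

# Constructed sample input: the slides' /usr/bin/foo profile, trimmed, with the
# extraction errors fixed. It is demo input, not a policy to deploy.
SAMPLE_PROFILE = """\
/usr/bin/foo {
  capability setgid,
  network inet tcp,
  /bin/mount ux,
  /etc/foo/* r,
  /usr/lib/** mr,
  owner /shared/foo/** rw,
  /usr/bin/foobar cx,
  /bin/** px -> bin_generic,
  profile /usr/bin/foobar {
    /bin/bash rmix,
    /var/log/foobar* rwl,
  }
}
"""

# A file rule: optional 'owner', a path (absolute or starting with @{VAR}),
# a permission string, an optional '-> target' (px/cx/link), trailing comma.
RULE_RE = re.compile(
    r"^\s*(?:owner\s+)?(?P<path>(?:/|@\{)\S*)\s+(?P<perms>[a-zA-Z]+)"
    r"(?:\s*->\s*\S+)?\s*,\s*$")

# (predicate on path and perms, reason) pairs drawn from the permission key.
CHECKS = (
    (lambda p, x: "ux" in x.lower(), "ux: child runs unconfined; use px or cx"),
    (lambda p, x: "w" in x and "x" in x, "write and execute on the same path"),
    (lambda p, x: "w" in x and "**" in p, "write on a recursive glob; narrow it"),
)

def lint_profile(text):
    """Return (line, path, perms, reason) for each rule that loosens confinement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # capability, network, profile, hat and brace lines
        path, perms = m.group("path"), m.group("perms")
        for cond, reason in CHECKS:
            if cond(path, perms):
                findings.append((lineno, path, perms, reason))
    return findings

if __name__ == "__main__":
    for lineno, path, perms, reason in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {path} {perms} -> {reason}")
```

On the sample it reports the ux rule for /bin/mount and the rw rule on /shared/foo/**; rules nested in the child profile are checked the same way, since confinement is only as tight as the loosest rule in scope.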
13. Profile Modes
Enforce Mode
Complain Mode (Learning Mode)
14. Flow of Logic
Collapse a few rules and make it more generic and open.
15. Demo Time
16. References
17. http://www.novell.com/documentation
18. http://wiki.apparmor.net/index.php/Documentation
19. http://doc.opensuse.org
20. https://wiki.ubuntu.com/AppArmor