AppArmor Profiles: Locking Down Programs on Ubuntu

Understanding AppArmor Security on Ubuntu

AppArmor functions as a security module on Ubuntu systems, restricting program capabilities to only those permissions essential for their standard operation.

This is especially beneficial for server-side applications, as it limits potential damage if a compromise were to occur.

Core Functionality and Availability

The AppArmor system is pre-installed on Ubuntu and a selection of other Linux distributions.

Ubuntu provides a set of pre-configured profiles, but the framework also supports the development of custom AppArmor profiles tailored to specific applications.

Built-in tools facilitate the monitoring of program behavior, aiding in the creation of effective security profiles.

Leveraging Existing Profiles

Prior to crafting a new profile for a particular application, it is recommended to investigate the apparmor-profiles package within Ubuntu’s software repositories.

A pre-existing profile for the desired application may already be available, saving development time and ensuring a well-tested configuration.

Creating Custom Profiles

If a suitable profile isn't found, you can create your own.

AppArmor’s utilities assist in observing a program’s actions, which is crucial for defining the necessary permissions within a profile.

This ensures the application functions correctly while remaining securely confined.

Developing and Executing a Test Plan

A comprehensive testing phase is required, involving the execution of the program under AppArmor’s observation. This entails a thorough walkthrough of all standard functionalities. Essentially, the software should be utilized in a manner mirroring its typical operational context: launching, halting, reloading, and exercising all available features.

Prior to initiating the test plan, a terminal should be opened and the following commands executed to facilitate the installation and operation of aa-genprof:

sudo apt-get install apparmor-utils

sudo aa-genprof /path/to/binary

With aa-genprof actively running within the terminal, the program can be started, and the previously designed test plan implemented. A more detailed and extensive test plan will minimize potential issues encountered at a later stage.

After completing the execution of your test plan, return to the terminal window and press the S key to initiate a scan of the system log for AppArmor-related events.

Each detected event will trigger a prompt requesting a specific action. For instance, the example illustrates that /usr/bin/man, after profiling, attempted to execute /usr/bin/tbl. You must then decide if /usr/bin/tbl should adopt the security constraints of /usr/bin/man, operate under its own AppArmor profile, or function without confinement.

Different prompts will appear depending on the specific action being considered; here, access to /dev/tty, representing the terminal device, is being authorized.

Upon completion of the entire process, you will be asked to preserve the newly created AppArmor profile.

Activating Complain Mode and Refining the Profile

Once the profile has been created, transition it into “complain mode.” This configuration allows AppArmor to function without imposing restrictions, but it meticulously records any limitations that would have been applied.

sudo aa-complain /path/to/binary

Utilize the application as you normally would for a period of time. Following typical usage while in complain mode, execute the subsequent command to analyze system logs for potential issues and subsequently refine the profile.

sudo aa-logprof

This process helps identify necessary adjustments to the AppArmor profile, ensuring optimal security without hindering functionality.

Implementing Enforce Mode for Application Security

Once the refinement of your AppArmor profile is complete, activating “enforce mode” will secure the application.

sudo aa-enforce /path/to/binary

It is recommended to periodically utilize the sudo aa-logprof command for profile adjustments and optimization.

AppArmor profiles are structured as simple text files. Consequently, they can be directly edited using a standard text editor for manual adjustments.

However, the aforementioned utilities are designed to streamline and guide you through the configuration process.