In this tutorial, we'll set up AppArmor for application security.
AppArmor is a Linux security module that allows you to restrict the capabilities of individual programs. By enforcing mandatory access control policies, AppArmor enhances the security of your applications and system.
AppArmor is an easy-to-use Linux Security Module implementation that restricts applications’ capabilities and permissions with profiles that are set per-program. It provides mandatory access control (MAC) to supplement the more traditional UNIX model of discretionary access control (DAC).
In Ubuntu, AppArmor is installed and loaded by default – you can check this by running aa-status.
It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.
Prerequisites
- A Linux distribution that supports AppArmor (e.g., Ubuntu server, KVM VPS or desktop, Debian).
- Root or sudo access.
Step 1: Update the system
Keep the system updated.
sudo apt-get update
Step 2: Install apparmor-utils
On Debian-based systems like Ubuntu, you can install apparmor-utils with the following command:
sudo apt-get install apparmor-utils
sudo apparmor_status
Note: AppArmor is installed by default on every Ubuntu and Debian-based system, but the apparmor-utils package is not. It contains command-line utilities you can use to change the AppArmor operation mode, find the status of a profile, create new profiles, etc.
Step 3: Understanding AppArmor Profiles
AppArmor uses profiles to define the restrictions on an application. Profiles can be in one of three modes:
- Enforcing: The profile is actively restricting the application.
- Complain: Violations are logged but not enforced.
- Disabled: The profile is not loaded.
AppArmor profiles are the core components that define the security restrictions placed on individual applications or processes in a Linux system. These profiles describe what resources an application can access and what actions it can perform, thereby limiting its capabilities to only what's necessary for its operation.
AppArmor profiles are typically stored in /etc/apparmor.d/. Each profile is a text file named after the path of the executable it governs, with slashes replaced by dots (e.g., /usr/bin/nginx would be /etc/apparmor.d/usr.bin.nginx).
The profile file contains rules that specify what the application can do, such as:
/usr/bin/nginx {
  # Allow reading configuration files
  /etc/nginx/** r,
  # Deny write access to configuration files
  deny /etc/nginx/** w,
  # Allow access to the log directory
  /var/log/nginx/** rw,
}
Example: Simple AppArmor Profile
Here’s a basic example of an AppArmor profile for a hypothetical application located at /usr/bin/myapp:
/etc/apparmor.d/usr.bin.myapp
/usr/bin/myapp {
  # Allow reading from configuration files
  /etc/myapp/config r,
  # Allow writing to log files
  /var/log/myapp/** rw,
  # Explicitly deny read/write under /bin, /sbin and /usr
  # (anything not allowed above is already denied by default)
  deny /bin/** rw,
  deny /sbin/** rw,
  deny /usr/** rw,
}
In this profile:
- The application can read from /etc/myapp/config.
- It can read and write to files in /var/log/myapp/.
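- It is denied access to most of the rest of the filesystem, enhancing security by limiting its capabilities. AppArmor already denies anything a profile does not allow; the explicit deny rules for /bin, /sbin and /usr make that intent visible and take precedence over any allow rule.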
This is an overview of AppArmor profiles. Learn more about AppArmor on the official docs page.
To see the list of available profiles, use the following command:
sudo aa-status
Step 4: Create a New Profile
You can create a new profile for an application using the aa-genprof utility.
Start creating a profile for an application:
sudo aa-genprof /usr/bin/myapp
The utility will guide you through the process. It will ask you to run the application so that it can observe its behavior and suggest rules.
Once you have finished running the application, return to the terminal and answer the prompts to refine the profile.
Save the profile and exit.
Step 5: Set Profile Mode
Once your profile is created, you can set its mode:
To enforce the profile:
sudo aa-enforce /etc/apparmor.d/usr.bin.myapp
To set the profile in complain mode:
sudo aa-complain /etc/apparmor.d/usr.bin.myapp
Step 6: Manage Profiles
You can manually manage profiles using these commands:
Load a profile:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
Unload a profile:
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.myapp
Reload all profiles:
sudo systemctl reload apparmor
Step 7: Monitor Logs
AppArmor logs violations in /var/log/syslog or /var/log/audit/audit.log. You can monitor these logs to fine-tune your profiles:
sudo tail -f /var/log/syslog | grep apparmor
Step 8: Fine-Tune Profiles
If you notice issues or violations, you can refine your profile by editing it directly:
sudo nano /etc/apparmor.d/usr.bin.myapp
After making changes, reload the profile:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
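To make the log review in Steps 7 and 8 concrete, the following script is an added example (not part of the original tutorial) that groups AppArmor audit events by profile and prints each one as a candidate rule to review. The log lines are constructed samples in the kernel audit format, and the function names sample_log and summarize_events are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events into candidate rules to review.
# Constructed sample lines in the kernel audit format AppArmor writes to syslog.
sample_log() {
cat <<'EOF'
Jun 10 12:00:01 host kernel: [ 100.1] audit: type=1400 audit(1718020801.101:41): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/etc/shadow" pid=2101 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 10 12:00:09 host kernel: [ 108.4] audit: type=1400 audit(1718020809.412:42): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/etc/shadow" pid=2107 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 10 12:01:30 host kernel: [ 189.9] audit: type=1400 audit(1718020890.900:43): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/var/tmp/myapp.cache" pid=2107 comm="myapp" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jun 10 12:02:00 host kernel: [ 219.0] audit: type=1400 audit(1718020920.005:44): apparmor="DENIED" operation="capable" profile="/usr/bin/myapp" pid=2107 comm="myapp" capability=12  capname="net_admin"
Jun 10 12:02:05 host kernel: [ 224.2] audit: type=1400 audit(1718020925.200:45): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/myapp" pid=2200 comm="apparmor_parser"
Jun 10 12:02:06 host sshd[900]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
EOF
}

# Reads log text on stdin; prints "count verdict profile rule" per distinct event.
# DENIED = blocked by an enforcing profile; ALLOWED = logged only (complain mode).
# The mask is copied as logged and still needs review before it goes into a profile.
summarize_events() {
  awk '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,   i, rest) {
      i = index($0, " " key "=\"")
      if (i == 0) return ""
      rest = substr($0, i + length(key) + 3)
      return substr(rest, 1, index(rest, "\"") - 1)
    }
    # Only policy decisions matter here; STATUS lines and other daemons are skipped.
    /apparmor="(DENIED|ALLOWED)"/ {
      cap = field("capname"); path = field("name")
      if (cap != "")       rule = "capability " cap ","
      else if (path != "") rule = path " " field("denied_mask") ","
      else next            # event type this sketch does not translate
      seen[field("apparmor") " " field("profile") " " rule]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
sample_log | summarize_events
```

On a live system, pipe the real log into summarize_events in place of sample_log, then decide for each line whether the access is legitimate before editing the profile.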
Step 9: Disable AppArmor (If Needed)
If you need to stop AppArmor from enforcing for any reason, you can set all profiles to complain mode, in which violations are logged but not blocked:
sudo aa-complain /etc/apparmor.d/*
Or you can disable AppArmor completely by editing the GRUB configuration and removing the security=apparmor option, followed by updating GRUB and rebooting.
Conclusion
AppArmor is a powerful tool for enhancing the security of applications on your Linux system. By following this tutorial, you’ve learned how to install, configure, and manage AppArmor profiles, helping you to better protect your applications from potential security threats.