bsdnerds logo

bsdnerds.org

AppArmor

AppArmor is an important security feature included by default in Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not know what it is and what it does.

AppArmor blocks vulnerable processes by limiting the damage that security vulnerabilities can cause in these processes. AppArmor can also be used to block Mozilla Firefox for more security, but not by default.

Related course: AppArmor Linux Security

What is AppArmor?

AppArmor is similar to SELinux, which is used by default in Fedora and Red Hat. Although they work differently, AppArmor and SELinux provide “Mandatory Access Control” (MAC) security. In fact, AppArmor allows Ubuntu developers to limit the actions that can be performed by processes.

For example, a restricted application in the default Ubuntu configuration is the Evince PDF viewer. Although Evince can work under your user account, you can only perform specific actions. Evince only has the minimum permissions needed to run and use PDF documents.

If a vulnerability was discovered in the Evince PDF renderer and you opened a malicious PDF document taking control of Evince, AppArmor would limit the damage that Evince could cause. Evince would have access to everything you have access to in the traditional Linux security model.

With AppArmor, you only have access to items that a PDF viewer needs to access.

AppArmor is particularly useful for limiting exploitable software, such as a web browser or server software.

Viewing the AppArmor status

To view the AppArmor status, the following command should be run in a terminal:

sudo apparmor_status

You will see if AppArmor is running on the system (default) if AppArmor profiles are installed, and processes are running in confined mode.

AppArmor profiles

In AppArmor, processes are limited by profiles. The list shows the protocols installed on the system- these come with Ubuntu. Other profiles can be installed by installing the AppArmor-profiles package. Some packages, such as server software, may come with their own AppArmor profiles installed on the system. You can also create your own AppArmor profiles to restrict the software.

AppArmor modes

You can run the profiles in “complain mode” or “enforce mode”.

When running in enforce mode (the default settings of profiles provided with Ubuntu), AppArmor prevent applications from performing restricted actions. In complaint mode, AppArmor allows applications to take restricted action and creates a registry entry to complain about it.

The complaint mode is ideal for testing an AppArmor profile before activating it in enforce mode: you will see errors that would occur in enforce mode.

Profiles are stored in the /etc/AppArmor.d directory is plain file text profiles with comments.

Enabling AppArmor for Firefox

You may also notice that AppArmor comes with a Firefox profile: it is the usr.bin.firefox file located in the /etc/AppArmor.d directory. It is not enabled by default because it can limit Firefox too much and cause problems. The /etc/apparmor.d/disable folder contains a link to this file, indicating that it is disabled.
To enable the Firefox profile and restrict Firefox to AppArmor, run the following commands:

sudo rm /etc/apparmor.d/disable/usr.bin.firefox
cat /etc/apparmor.d/usr.bin.firefox | Sudo apparmor_parser -a```

After running these commands, run the sudo apparmor_status command again and you will see that the Firefox profiles are loaded.
If it causes problems, to disable the Firefox profile run the following commands:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox```

AppArmor VS SELINUX

The Linux kernel is the main component of Linux operating systems. It is responsible for managing system resources, communication between hardware and software, and security.

The kernel plays a vital role in supporting security at higher levels. Unfortunately, the stock kernel is not protected immediately. There are important Linux kernel patches to protect your box.

There is a significant difference in the way they are administered and integrated into the system. They also make it easy to control access between processes and objects, processes and other processes, objects, and other objects.

SELinux

SELinux (Security-Enhanced Linux) is a feature of Linux that provides various security policies for the Linux kernel. It is included with CentOS / RHEL / Fedora and some other distributions.

To see its status, run this command

getenforce

While it’s included by default, it takes much more time to configure and correctly setup than AppArmor.

selinux

Features of SELinux

  • Clear separation of the application strategy
  • Well-defined policy interfaces
  • Support for policy consulting applications that require access control.
  • SELinux is independent of policy languages and specific policies
  • SELinux is not concerned about specific security label formats and contents.
  • SELinux has labels and individual controls for main objects and services
  • Cache access decisions for more efficiency
  • SELinux provides policy changes support
  • SELinux offers different measures for system integrity (domain type) protection and data privacy (multi-level security)
  • The SELinux is very flexible
  • Controls the beginning of the process, the inheritance and the execution of the program
  • Control file systems, directories, files and descriptors
  • Checks on sockets, messages and network interfaces
  • Controls the use of “functions”

Pros and cons of SELinux

  • SELinux has high Administrator skillset (learning curve)
  • Access control engine is complex and powerful
  • Requires a detailed configuration
  • It has GUI tools to write and modify
  • It has CLI tools for writing and modification
  • Not very easy to use
  • Has the binary package that most Linux distribution have.
  • It has no impact on system performance
  • It has compatible audit and logging
  • Commercial users are the typical user base
  • It is well documented

AppArmor

AppArmor (Application Armor) is another security software for Linux, updated and released by Novell under GPL. AppArmor was created to replace SELinux and it works with file paths.

AppArmor is the most efficient and easy-to-use Linux application security system on the market.

AppArmor security framework proactively protects the operating system from threats (whether internal or external), including zero-day attacks, thereby enhancing program behaviour and preventing unknown software failures.

AppArmor security profiles fully define the system resources that each program can access and with which privileges. AppArmor comes with several standard strategies. Using a combination of advanced static analysis and learning tools, AppArmor policies for very complex applications can be implemented successfully within hours.

The default in Ubuntu, OpenSUSE and Suse Enterprise Linux is AppArmor. To see if AppArmor is running, run this command:

sudo service apparmor status

You should see it’s running. If not, you can type

sudo service apparmor start

and that will enable it.

Features

  • Full integration.
  • It is easy to deploy
  • On Suse, AppArmor includes a complete set of YaST-based consoles and tools to help you develop, implement, and manage application security policies.
  • Protects the operating system, custom applications, and third-party applications from external and internal threats by adhering to the appropriate behaviour of applications.
  • Reports and alerts: Built-in features let you schedule detailed event reports and configure alerts based on user-defined events.
  • Confinement of sub-process. AppArmor allows you to set security policies for individual Perl and PHP scripts to increase the security of the Web server.

Pros and cons

  • Medium Administrator skillset
  • It has a complex and powerful access control engine
  • Well detailed configuration is needed
  • It has GUI tools to write and modify
  • It has CLI tools for writing and modification
  • It is easy to use for almost all users
  • Binary Package: Available for Ubuntu / Suse / Opensuse and distributions.
  • It does not have an impact on system performance
  • Security framework: mandatory access controls.
  • It supports Audit and logging.
  • Commercial users are the typical users
  • Documentation: documented (mainly available in Opensuse and Suse Enterprise Linux).