AppArmor is designed to provide easy-to-use application security. It is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.
The following instructions aim to apply application-specific rules, or "profiles", that "confine" an application to only the directories, files, and POSIX 1003.1e draft capabilities it needs for normal operation. If a confined application is compromised, AppArmor's confinement helps prevent the compromise from spreading to the system as a whole.
AppArmor is implemented as a Linux Security Module in the kernel, so once an application is confined AppArmor can restrict its activity even when it runs as root. AppArmor was designed as an alternative to SELinux and is intended to be easier to use.
AppArmor is configured by writing a profile for an application. Profiles are written one application at a time and are typically targeted at applications that have network access. A profile is a text file that restricts, or confines, the application. These restrictions are in addition to the standard Linux permissions: AppArmor can only take access away, never grant it. For example, you cannot give an application access to a directory or file with AppArmor if the standard file permissions already deny that access.
Imagine, for example, that an application is hijacked through some flaw in its code. The attacker may then use that application to reach your home directory or system files, read and modify them, and execute arbitrary code. This hypothetical flaw leads to an escalation of privileges, and root access is obtained.
The "traditional" security model remedies the problem by first correcting the flaw in the code (a "security update" for the application) and possibly by adding a new signature to a host-based intrusion detection system (HIDS), such as a virus scanner or rootkit detector.
The problem with this model is that it does nothing to protect against the next attack, a zero-day attack. AppArmor adds another check to the system, asking: should this application be accessing or changing these system files at all? Because the application is confined to what its profile allows, a new exploit in the application still cannot reach files, capabilities or network access outside the profile, which limits or prevents any escalation of privileges.
AppArmor profiles are stored in /etc/apparmor.d
On Ubuntu, AppArmor logs profile violations through the kernel log. On older releases that was /var/log/messages; on current releases look in /var/log/kern.log (or in /var/log/audit/audit.log when auditd is running). Each record carries apparmor="DENIED" (enforce mode) or apparmor="ALLOWED" (complain mode), the profile name, the operation, the path and the requested access mask.
Profiles are named after the application they confine, using the full path with the leading / dropped and every other / converted to a . (for example, the profile for /usr/sbin/tcpdump is /etc/apparmor.d/usr.sbin.tcpdump).
Once a profile is loaded into the kernel it is applied automatically whenever the application is started. There are two modes of operation, complain and enforce.
complain - In complain mode AppArmor monitors the application and logs violations of your profile without restricting or confining the application. Think of this as "testing" mode.
enforce - In enforce mode AppArmor monitors the application and logs violations of your profile, and any access the profile does not allow is denied: the application is actually confined.
Issue the following command:
sudo aptitude install apparmor
AppArmor is installed by default on Ubuntu (since 7.10), so this step is probably not required. On releases that no longer ship aptitude, use sudo apt install apparmor instead.
Issue the following command:
sudo aptitude install apparmor-profiles
Installing apparmor-profiles adds profiles for a number of common applications.
By default these additional profiles are set to complain mode. They can be switched to enforce mode later (with sudo aa-enforce, from the apparmor-utils package), once the log shows no unexpected violations.
Additional profiles can also be written and customized as required. Profiles are text files and are fairly easy to understand.
Issue the following command to start AppArmor and load the profiles in /etc/apparmor.d:
sudo /etc/init.d/apparmor start
Issue the following command to stop it:
sudo /etc/init.d/apparmor stop
On releases that use systemd, AppArmor is managed as the apparmor service (sudo systemctl start apparmor, sudo systemctl status apparmor), and sudo aa-status lists which profiles are loaded and whether each is in complain or enforce mode.
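The profile format, naming convention and complain/enforce workflow described above, as an added example that is not from the original page or the AppArmor project. It writes a minimal profile for a hypothetical daemon /usr/local/bin/example-daemon (the program, its config directory, log and pid file are assumptions), and turns the kind of log record complain mode produces into the profile line that would permit that access, the way aa-logprof proposes rules. The sample log records are constructed, not real logs.

```shell
#!/bin/sh
# Added example, not from the original page or the AppArmor project: a minimal
# profile for a hypothetical daemon /usr/local/bin/example-daemon (the program,
# its config directory, log and pid file are assumptions), plus helpers that
# turn the log records complain mode produces into candidate profile lines.

# Profile file name for a program path: drop the leading "/" and turn the
# remaining "/" into ".".  /usr/local/bin/example-daemon -> usr.local.bin.example-daemon
profile_name_for_path() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Emit the profile text for program $1.  $2 is "complain" (the default, test
# mode: violations are logged but allowed) or "enforce" (violations are denied).
emit_profile() {
    prog=$1
    flags=""
    if [ "${2:-complain}" = complain ]; then
        flags=" flags=(complain)"
    fi
    cat <<EOF
#include <tunables/global>

${prog}${flags} {
  #include <abstractions/base>

  # The one POSIX 1003.1e draft capability the daemon needs: binding a low port.
  capability net_bind_service,

  # TCP only; no raw sockets, no UDP.
  network inet stream,

  # The binary itself may be mapped into memory and executed.
  ${prog} mr,

  # Read-only configuration; write access only to its own log and pid file.
  /etc/example-daemon/** r,
  /var/log/example-daemon.log w,
  /run/example-daemon.pid rw,

  # Explicit deny rules take precedence over allow rules (including ones pulled
  # in by abstractions), so these document what the daemon must never touch.
  deny /home/** rwklx,
  deny /etc/shadow r,
}
EOF
}

# Value of key="value" in an AppArmor audit record; empty when the key is absent.
# The leading space keeps "name" from matching inside "capname".
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Turn one record into the profile line that would permit the access: file
# records become "path mask," and capability records become "capability name,".
# Returns 1 for lines that are not AppArmor access records.
suggest_rule() {
    line=$1
    case "$(log_field "$line" apparmor)" in
        ALLOWED|DENIED) ;;   # complain mode logs ALLOWED, enforce mode logs DENIED
        *) return 1 ;;
    esac
    cap=$(log_field "$line" capname)
    if [ -n "$cap" ]; then
        printf 'capability %s,\n' "$cap"
        return 0
    fi
    name=$(log_field "$line" name)
    mask=$(log_field "$line" requested_mask)
    if [ -z "$name" ] || [ -z "$mask" ]; then
        return 1
    fi
    printf '%s %s,\n' "$name" "$mask"
}

# Constructed sample records in the layout found in /var/log/kern.log (not real logs).
SAMPLE_FILE_RECORD='audit: type=1400 audit(1700000000.123:45): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/example-daemon" name="/etc/example-daemon/extra.conf" pid=1234 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
SAMPLE_CAP_RECORD='audit: type=1400 audit(1700000000.456:46): apparmor="DENIED" operation="capable" profile="/usr/local/bin/example-daemon" pid=1234 comm="example-daemon" capability=12 capname="net_admin"'

# Installing the profile and switching modes needs root, so the commands are
# only shown here:
#   emit_profile /usr/local/bin/example-daemon complain | sudo tee /etc/apparmor.d/usr.local.bin.example-daemon
#   sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.example-daemon   # (re)load into the kernel
#   sudo aa-status                                   # which profiles are loaded, in which mode
#   sudo aa-enforce  /usr/local/bin/example-daemon   # once the log shows no unexpected ALLOWED records
#   sudo aa-complain /usr/local/bin/example-daemon   # back to test mode
```

Run the daemon in complain mode first, feed the ALLOWED records through suggest_rule, and add only the lines that match what the program legitimately needs; a record asking for /etc/shadow or CAP_NET_ADMIN is a sign of the very behaviour the profile exists to block, not a rule to add. Because AppArmor only ever removes access, the standard file permissions still apply underneath whatever the profile allows.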
http://www.linux.com/feature/58789
Copyright ShareWiz by Peter Roux