If you work with Debian-based systems, Ubuntu in particular, you have probably come across AppArmor. Because it has no graphical front end, however, many users never look at it closely.
AppArmor (Application Armor) is a Linux Security Module (LSM). It implements Mandatory Access Control (MAC): the kernel restricts what a confined program may do according to a per-program profile. A profile allows or denies things such as network access, raw socket access, Linux capabilities, and read, write and execute access to specific file paths. Profiles are normally loaded into the kernel at boot. A loaded profile is in one of two modes, enforce or complain. In enforce mode the kernel blocks every access the profile does not permit and logs the attempt (to the kernel log and syslog, or to auditd when it is running). In complain mode nothing is blocked; accesses the profile does not cover are only logged, which is how you test a new profile before enforcing it.
AppArmor has been around for some time. It originated at Immunix, was later shipped by Novell/SUSE, Mandriva and Ubuntu, and is now maintained by Canonical. It is often presented as the easier alternative to SELinux, which many find harder to set up and maintain. The key design difference is that SELinux labels files and processes, while AppArmor identifies what it confines by file path. Proponents of AppArmor argue that this makes it less complex and easier to configure than SELinux; the trade-off is that permissions follow the path rather than the object, so the same file reachable under a different path is a different object to AppArmor.
In today’s article, we will learn the AppArmor Cheat Sheet for Linux System Administrators.
1. Check AppArmor Status
AppArmor is installed and enabled by default on Ubuntu, and its profiles are loaded at boot. To check that the module is loaded and which profiles are active, run one of the following (root is required to read the full profile set):
sudo apparmor_status
##OR
sudo aa-status
The output reports whether the apparmor module is loaded, how many profiles are loaded, which of them are in enforce mode and which in complain mode, and which running processes are currently confined by each profile.
2. View AppArmor Profiles
AppArmor ships with a number of profiles under the “/etc/apparmor.d/” directory. Some are active and some are disabled; the directory also holds supporting files that are not profiles themselves.
To check all the profiles, you can issue:
$ ls /etc/apparmor.d/*
/etc/apparmor.d/lsb_release
/etc/apparmor.d/nvidia_modprobe
/etc/apparmor.d/sbin.dhclient
/etc/apparmor.d/usr.bin.evince
/etc/apparmor.d/usr.bin.man
....
/etc/apparmor.d/disable:
usr.sbin.rsyslogd
/etc/apparmor.d/force-complain:
/etc/apparmor.d/local:
lsb_release usr.bin.tcpdump usr.sbin.cups-browsed
nvidia_modprobe usr.lib.libreoffice.program.oosplash usr.sbin.cupsd
README usr.lib.libreoffice.program.senddoc usr.sbin.mysqld
sbin.dhclient usr.lib.libreoffice.program.soffice.bin usr.sbin.rsyslogd
usr.bin.evince usr.lib.libreoffice.program.xpdfimport
usr.bin.man usr.lib.snapd.snap-confine.real
/etc/apparmor.d/tunables:
alias etc home.d multiarch.d securityfs xdg-user-dirs
apparmorfs global kernelvars proc share xdg-user-dirs.d
dovecot home multiarch run sys
Profile files are named after the path of the binary they confine, with the leading slash dropped and the remaining slashes replaced by dots: the profile for /usr/bin/man is /etc/apparmor.d/usr.bin.man. The subdirectories are not profiles: local/ holds site-specific additions that the main profiles include, tunables/ and abstractions/ hold shared variables and rule sets, force-complain/ holds symlinks to profiles that should always load in complain mode, and disable/ holds symlinks to profiles that should not be loaded at all.
A profile is therefore disabled by a symlink to it in “/etc/apparmor.d/disable”:
$ ls /etc/apparmor.d/disable/*
/etc/apparmor.d/disable/usr.sbin.rsyslogd
3. Enable/Disable AppArmor Profiles
AppArmor loads many profiles at once, but each one is enabled, switched to complain mode, or disabled individually. The helper commands for this come from the apparmor-utils package.
First update and upgrade the system so that the AppArmor userspace tools match the installed kernel and apparmor packages (the article's author reports “Segmentation fault” errors otherwise):
sudo apt update && sudo apt upgrade -y
Now install the required utility
sudo apt install apparmor-utils
- Enable AppArmor Profiles
To enable a profile and put it into enforce mode (this also removes any symlink for it from /etc/apparmor.d/disable/), give either the profile file or the path of the binary it confines:
##Enable a Profile
sudo aa-enforce /path/to/profile
For example, to enable the Rsyslogd profile, we can run:
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Another example, this time giving the path of the binary rather than of its profile file. This only works if a profile for that binary already exists under /etc/apparmor.d/ (note that on Debian and Ubuntu the Apache binary is /usr/sbin/apache2, not httpd):
sudo aa-enforce /usr/sbin/httpd
- Switch AppArmor Profiles to Complain Mode
Putting a profile into complain mode is not the same as disabling it: the profile stays loaded, but accesses it does not permit are logged instead of blocked. This is the mode to use while you are still tuning a profile. To disable a profile completely, use aa-disable from the same package instead; it unloads the profile from the kernel and links it into /etc/apparmor.d/disable/ so it is skipped at boot. To switch to complain mode:
sudo aa-complain /path/to/profile
For example:
sudo aa-complain /etc/apparmor.d/usr.sbin.rsyslogd
##OR
sudo aa-complain /usr/sbin/httpd
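The naming convention from section 2 and the enforce/complain/disable distinction above, put into a small shell script. This is an added example, not code from the original article or from the AppArmor project: it assumes a Debian/Ubuntu layout (/etc/apparmor.d, apparmor-utils installed), the functions that change kernel state must run as root, and the APPARMOR_DIR variable and the aa_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers around the profile
# naming convention and the enforce/complain/disable commands shown above.
# Assumes a Debian/Ubuntu layout (/etc/apparmor.d, apparmor-utils installed);
# the functions that change kernel state must run as root.

# Map a binary path to its conventional profile file:
#   /usr/bin/man -> /etc/apparmor.d/usr.bin.man
# APPARMOR_DIR overrides the directory (handy for testing).
aa_profile_file() {
    bin=$1
    name=$(printf '%s' "${bin#/}" | tr '/' '.')
    printf '%s/%s\n' "${APPARMOR_DIR:-/etc/apparmor.d}" "$name"
}

# Print the mode the kernel currently has for a profile: "enforce",
# "complain", or "unloaded" if the kernel does not know it. Reads the
# securityfs list (root only), which has one "name (mode)" line per loaded
# profile; a different file may be passed as $2 for testing.
aa_profile_mode() {
    profile=$1
    list=${2:-/sys/kernel/security/apparmor/profiles}
    mode=$(awk -v p="$profile" '
        {
            m = $NF; sub(/^\(/, "", m); sub(/\)$/, "", m)   # "(enforce)" -> "enforce"
            n = $0;  sub(/ \([^)]*\)$/, "", n)              # drop the mode, keep the name
            if (n == p) { print m; exit }
        }' "$list" 2>/dev/null)
    printf '%s\n' "${mode:-unloaded}"
}

# Put a profile into enforce or complain mode, or disable it.
# Disabling is not complain mode: the profile is unloaded from the kernel and
# a symlink in disable/ stops it from being loaded again at boot (the same two
# steps aa-disable performs).
aa_set_mode() {
    bin=$1
    action=$2
    file=$(aa_profile_file "$bin")
    dir=${APPARMOR_DIR:-/etc/apparmor.d}
    link=$dir/disable/$(basename "$file")
    [ -f "$file" ] || { echo "no profile for $bin at $file" >&2; return 1; }
    case $action in
        enforce)  rm -f "$link"; aa-enforce "$file" ;;
        complain) rm -f "$link"; aa-complain "$file" ;;
        disable)  ln -sf "$file" "$link"; apparmor_parser -R "$file" ;;
        *) echo "usage: aa_set_mode /path/to/binary enforce|complain|disable" >&2; return 2 ;;
    esac
}

# Example: sh aa-mode.sh /usr/sbin/rsyslogd disable   (as root)
if [ $# -eq 2 ]; then
    aa_set_mode "$1" "$2" && echo "$1: $(aa_profile_mode "$1")"
fi
```

aa-status reports the same modes, but reading /sys/kernel/security/apparmor/profiles directly is convenient in scripts that need a single answer for one profile. Note that a profile in disable/ shows as “unloaded” rather than as a mode of its own, because the kernel no longer has it.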
4. Creating AppArmor Profiles
AppArmor lets you write your own profiles for applications that ship without one. Rather than writing every rule by hand, you can start from a skeleton template or build the profile interactively.
The interactive tool, aa-genprof, puts the program into complain mode, lets you exercise it, then walks through the logged accesses and asks, for each one, whether to allow or deny it.
To achieve that, you issue a command with the below syntax:
sudo aa-genprof /path/to/binary
For example:
sudo aa-genprof /usr/bin/scp
Sample Output:
Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/bin/scp.
Setting /usr/bin/scp to complain mode.
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Profiling: /usr/bin/scp
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
Now open a separate terminal and exercise the program as thoroughly as you can; any code path you do not run now is one the profile will not know about. For example:
scp ~/test remote_user@remote_IP:~/
When you are done, press S in the aa-genprof window. It reads the events from the log and asks what to do with each. Here scp has executed /usr/bin/ssh, so you decide how the child process is confined: (I)nherit keeps ssh under the scp profile, (C)hild gives it a child profile of its own, (P)rofile transitions to ssh's own profile, (U)nconfined drops confinement for it, and (D)eny blocks the execution:
[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/syslog.
Profile: /usr/bin/scp
Execute: /usr/bin/ssh
Severity: unknown
(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
Once every event has been answered, press “S” to save the changes:
The following local profiles were changed. Would you like to save them?
[1 - /usr/bin/scp]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Now press “F” to finish. The profile is written to /etc/apparmor.d/ using the naming convention described above (/etc/apparmor.d/usr.bin.scp in this case):
$ cat /etc/apparmor.d/usr.bin.scp
# Last Modified: Fri Sep 29 14:14:11 2023
#include <tunables/global>
/usr/bin/scp flags=(complain) {
  #include <abstractions/base>
  deny /usr/bin/ssh x,
  deny owner /home/*/mysql-community-client_8.1.0-1ubuntu22.04_amd64.deb r,
  /usr/bin/scp mr,
}
Above is the sample AppArmor profile I have generated for scp. Two things to note: aa-genprof leaves the profile in complain mode (flags=(complain)), so nothing is blocked until you put it into enforce mode with aa-enforce; and the “deny /usr/bin/ssh x,” rule, the result of choosing (D)eny for the execute event, will stop scp from launching ssh once the profile is enforced, so for a working scp profile that event is normally answered with (I)nherit or (C)hild instead.
Create Profile From Template
You can also create a skeleton profile for the application. Begin by installing the required package:
sudo apt install apparmor-easyprof
aa-easyprof writes the skeleton to standard output rather than into /etc/apparmor.d/, so redirect it into a file named by the convention above:
aa-easyprof /path/to/binary | sudo tee /etc/apparmor.d/path.to.binary
Sample Output:
# vim:syntax=apparmor
# AppArmor policy for binary
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###
#include <tunables/global>
# No template variables specified
"/path/to/binary" {
#include <abstractions/base>
# No abstractions specified
# No policy groups specified
# No read paths specified
# No write paths specified
}
Edit the skeleton to add the abstractions, read paths and write paths the program actually needs.
To load the finished profile into the kernel, use apparmor_parser with -a (add). The profile is enforced unless it carries flags=(complain):
sudo apparmor_parser -a /etc/apparmor.d/profile.name
apparmor_parser has further options for managing loaded profiles (use -r after editing a profile that is already loaded, since -a refuses to load a profile twice):
#Load a new profile in complain mode
sudo apparmor_parser -C /etc/apparmor.d/profile.name
#Replace existing profile
sudo apparmor_parser -r /etc/apparmor.d/profile.name
#Remove profile
sudo apparmor_parser -R /etc/apparmor.d/profile.name
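The template route carried through end to end: render a complete profile for a hypothetical daemon, have apparmor_parser check it without touching the kernel, and load it in complain mode first. This is an added example, not code from the original article or from the AppArmor project; /usr/local/bin/reportd, its /etc, /var/lib and /var/log directories, the APPARMOR_DIR variable and the aa_* function names are all made up for the example. Rendering needs no privileges; installing does.

```shell
#!/bin/sh
# Added example, not from the original article: render a complete profile for
# a hypothetical daemon, syntax-check it, and load it in complain mode first.
# /usr/local/bin/reportd and its directories are invented for the example.

# Print a profile for the binary at $1. Config, state and log directories are
# derived from the binary's basename.
aa_render_profile() {
    bin=$1
    app=$(basename "$bin")
    cat <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # the program itself: map into memory and read
  $bin mr,

  # configuration is read-only
  /etc/$app/** r,

  # the only places it may write; "owner" limits writes to files owned by
  # the process's own uid
  owner /var/lib/$app/** rw,
  /var/log/$app/*.log w,

  # outbound TCP only: no raw sockets, no UDP
  network inet stream,
  network inet6 stream,

  # explicit denies take precedence over any allow rule, including rules
  # pulled in by the abstractions above
  deny /bin/** x,
  deny /usr/bin/** x,
  deny @{HOME}/** rwx,
}
EOF
}

# Write the profile under /etc/apparmor.d (APPARMOR_DIR overrides), ask the
# parser to check it without loading it (-Q), then load it in complain mode
# (-C) so the log shows what it would block. Switch to enforce with
# aa-enforce once the log is clean.
aa_install_profile() {
    bin=$1
    dir=${APPARMOR_DIR:-/etc/apparmor.d}
    file=$dir/$(printf '%s' "${bin#/}" | tr '/' '.')   # /usr/local/bin/reportd -> usr.local.bin.reportd
    aa_render_profile "$bin" > "$file" || return 1
    apparmor_parser -Q "$file" || { echo "$file: rejected by apparmor_parser" >&2; return 1; }
    apparmor_parser -r -C "$file"
}

# Example: sh aa-install.sh /usr/local/bin/reportd   (as root)
if [ $# -eq 1 ]; then
    aa_install_profile "$1"
fi
```

The deny lines are the part worth copying: abstractions such as base and nameservice are convenient, but they are broad, and an explicit deny is the only rule that cannot be reopened by something included later. Loading with -C first, then reviewing the log (section 6), is the same complain-then-enforce cycle aa-genprof follows.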
5. Modifying a Profile from Logs
aa-logprof reads the system log for accesses that a loaded profile did not permit (denials from profiles in enforce mode, and the logged-but-allowed accesses of profiles in complain mode) and asks, one event at a time, whether to add a rule for it. It is the same question-and-answer flow as aa-genprof, but for profiles that already exist:
sudo aa-logprof
Each prompt is answered with the letter shown in parentheses, exactly as in aa-genprof, and the changed profiles are offered for saving at the end.
6. View Logs
AppArmor events are emitted by the kernel and end up in /var/log/syslog (or the journal); when auditd is running they are written to /var/log/audit/audit.log instead. The aa-notify tool summarises the DENIED entries from whichever of those it finds. Install the required package:
sudo apt install apparmor-notify
Proceed and view the logs:
sudo aa-notify -s 1 -v
The -s 1 -v combination prints the denials from the last day together with the log lines themselves.
There are other options you can use, check with the command:
$ aa-notify -h
USAGE: aa-notify [OPTIONS]
Display AppArmor notifications or messages for DENIED entries.
OPTIONS:
-p, --poll poll AppArmor logs and display notifications
--display $DISPLAY set the DISPLAY environment variable to $DISPLAY
(might be needed if sudo resets $DISPLAY)
-f FILE, --file=FILE search FILE for AppArmor messages
-l, --since-last display stats since last login
-s NUM, --since-days=NUM show stats for last NUM days (can be used alone
or with -p)
-v, --verbose show messages with stats
-h, --help display this help
-u USER, --user=USER user to drop privileges to when not using sudo
-w NUM, --wait=NUM wait NUM seconds before displaying
notifications (with -p)
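What aa-logprof and aa-notify do with those log lines can be reproduced in a few lines of awk, which is useful on a host where you only have a copied log. The following is an added example, not code from the original article or from the AppArmor project: it reads log lines on standard input, pulls out the key="value" pairs (so the kernel/syslog and auditd formats both work), and prints one candidate rule per profile and object with a count. The sample log lines, the aa_suggest_rules and sample_log names and the --demo flag are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: turn raw AppArmor log lines
# into a per-profile list of candidate rules, which is what aa-logprof does
# interactively. Only the key="value" pairs are used, so kernel/syslog lines
# and auditd records are handled alike. The sample log below is constructed.

# Constructed sample: denials from an enforced rsyslogd profile, one ALLOWED
# event from the scp profile running in complain mode, and a STATUS line that
# must be ignored.
sample_log() {
    cat <<'EOF'
Sep 29 14:20:01 host kernel: audit: type=1400 audit(1695990001.101:51): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/etc/ssl/private/server.key" pid=1201 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 29 14:20:05 host kernel: audit: type=1400 audit(1695990005.220:52): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/etc/ssl/private/server.key" pid=1201 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 29 14:20:09 host kernel: audit: type=1400 audit(1695990009.330:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/rsyslogd" name="/var/spool/rsyslog/state.tmp" pid=1201 comm="rsyslogd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Sep 29 14:20:12 host kernel: audit: type=1400 audit(1695990012.440:54): apparmor="DENIED" operation="capable" profile="/usr/sbin/rsyslogd" pid=1201 comm="rsyslogd" capability=12  capname="net_admin"
Sep 29 14:20:15 host kernel: audit: type=1400 audit(1695990015.550:55): apparmor="DENIED" operation="create" profile="/usr/sbin/rsyslogd" pid=1201 comm="rsyslogd" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
Sep 29 14:21:00 host kernel: audit: type=1400 audit(1695990060.660:56): apparmor="ALLOWED" operation="exec" profile="/usr/bin/scp" name="/usr/bin/ssh" pid=2210 comm="scp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 29 14:21:03 host kernel: audit: type=1400 audit(1695990063.770:57): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/scp" pid=2300 comm="apparmor_parser"
EOF
}

# Read log lines on stdin, print "profile<TAB>candidate rule<TAB>count".
# File masks for the same path are merged (r + w -> rw), c (create) is folded
# into w, and x is rendered as ix (inherit) so the line is valid as a rule.
aa_suggest_rules() {
    awk '
    function val(key) {
        # value of key="..." in this record, "" if absent
        if (match($0, " " key "=\"[^\"]*\""))
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    / apparmor="(DENIED|ALLOWED)" / {
        prof = val("profile"); op = val("operation")
        if (prof == "" || op == "") next
        if (op == "capable") {
            k = prof SUBSEP "capability " val("capname") ","
        } else if (val("family") != "") {
            k = prof SUBSEP "network " val("family") " " val("sock_type") ","
        } else {
            path = val("name"); mask = val("denied_mask")
            if (mask == "") mask = val("requested_mask")
            if (path == "" || mask == "") next
            gsub(/c/, "w", mask)
            k = prof SUBSEP path
            masks[k] = masks[k] mask
        }
        count[k]++
    }
    END {
        for (k in count) {
            split(k, part, SUBSEP)
            rule = part[2]
            if (k in masks) {
                acc = ""
                for (i = 1; i <= 6; i++) {
                    c = substr("mrwakl", i, 1)
                    if (index(masks[k], c)) acc = acc c
                }
                if (index(masks[k], "x")) acc = acc "ix"
                rule = part[2] " " acc ","
            }
            printf "%s\t%s\t%d\n", part[1], rule, count[k]
        }
    }' | LC_ALL=C sort
}

# Real use (as root):  journalctl -k | aa_suggest_rules
#                 or:  grep 'apparmor="' /var/log/syslog | aa_suggest_rules
if [ "${1:-}" = "--demo" ]; then
    sample_log | aa_suggest_rules
fi
```

On the sample above this prints five lines: an ix rule for /usr/bin/ssh under the scp profile, a merged read rule for the key file (count 2), a write rule for the spool file, a capability rule and a network rule for rsyslogd. Treat the output as a worksheet, not as rules to paste in: a denied read of /etc/ssl/private/server.key is exactly the kind of event a profile exists to catch, and the right answer may be to leave it denied.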
7. Manage AppArmor Service
The AppArmor service can be managed like any other systemd unit. Note that stopping the unit does not by itself unload profiles that are already in the kernel; on current releases the aa-teardown command does that. To stop the service, run:
sudo systemctl stop apparmor
To restart the service, which reloads every profile under /etc/apparmor.d/:
sudo systemctl restart apparmor
Check the status of the service:
$ systemctl status apparmor
apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2023-09-29 15:44:32 EAT; 3s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 66332 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUC>
Main PID: 66332 (code=exited, status=0/SUCCESS)
Sep 29 15:44:32 thor-Standard-PC-i440FX-PIIX-1996 systemd[1]: Starting Load AppArmor profiles>
Sep 29 15:44:32 thor-Standard-PC-i440FX-PIIX-1996 apparmor.systemd[66332]: Restarting AppArmor
.....
Final Thoughts
That marks the end of this guide on the AppArmor Cheat Sheet for Linux System Administrators. There are several other commands and cheat sheets not covered here, please feel free to share them in the comments below.
See more:
- Kubectl Cheat Sheet for Kubernetes Admins & CKA Exam Prep
- Stratis Storage Cheat Sheet – reference guide
- Ansible Vault Cheat Sheet / Reference guide
Very good and informative ! Thank you !
Happy to hear this. Thank you!