AppArmor for Application Isolation
sudo apt-get install apparmor apparmor-utils apparmor-profiles rsyslog -y
cd /usr/share/apparmor/extra-profiles/
/etc/apparmor.d/ # profiles dir used by AppArmor
sudo systemctl start rsyslog && sudo systemctl enable rsyslog
sudo systemctl status apparmor
sudo systemctl enable --now apparmor
AppArmor for Automatic Security Profile Generation
sudo aa-autodep nginx
Activate a Profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
Disable a Profile
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.nginx
Remove a Profile
rm /etc/apparmor.d/usr.sbin.nginx
Complain Mode
sudo aa-complain /usr/sbin/nginx
Generate rules from the program's logged accesses
sudo aa-logprof /usr/sbin/nginx
Enforce Mode
sudo aa-enforce /usr/sbin/nginx
Status
sudo aa-status
Logging
tail -f /var/log/syslog
tail -f /var/log/kern.log
sudo dmesg | grep apparmor
sudo journalctl -t apparmor -f
Access:
- /var/log/nginx/ : the directory itself
- /var/log/nginx/* : files directly inside the directory
- /var/log/nginx/** : all nested files and directories
- /var/run/nginx.pid rw, : read and write access
- owner /var/www/** rw, : read and write only to files owned by the user the nginx process runs as (www-data)
Main Access Rights Symbols
- r (read): Permission to read a file or directory.
- w (write): Permission to write to a file or directory.
- x (execute): Permission to execute a file.
- m (memory map): Permission to map a file to memory.
- k (lock): Permission to lock a file.
- l (link): Permission to create hard links to a file.
- a (append): Permission to append to a file.
- i (inherit): Permission for child processes to inherit the profile.
- Px (profile execute): Permission to execute a file with a specific profile.
- Cx (child execute): Permission to execute a file with a separate child profile.
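As an added example (not part of the original notes), a small Python script that turns the dmesg/journalctl lines from the Logging section into candidate profile rules written with the path and permission syntax listed above, which is the step aa-logprof performs interactively. The log lines, pids and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format `sudo dmesg | grep apparmor` shows:
# DENIED comes from an enforced profile, ALLOWED (with a denied_mask) from a
# profile in complain mode. Paths and pids are made up for illustration.
SAMPLE_LOG = """\
[ 101.1] audit: type=1400 audit(1700000000.100:41): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/access.log" pid=1234 comm="nginx" requested_mask="wc" denied_mask="wc" fsuid=33 ouid=33
[ 101.2] audit: type=1400 audit(1700000000.200:42): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/access.log" pid=1234 comm="nginx" requested_mask="w" denied_mask="w" fsuid=33 ouid=33
[ 101.3] audit: type=1400 audit(1700000000.300:43): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/html/index.html" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
[ 101.4] audit: type=1400 audit(1700000000.400:44): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
[ 101.5] audit: type=1400 audit(1700000000.500:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/run/nginx.pid" pid=1230 comm="nginx" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# Kernel mask letters -> profile permission letters. Create (c) and delete (d)
# are covered by w in profile syntax; exec events need a Px/Cx/ix decision,
# so they are skipped below rather than guessed.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}
PERM_ORDER = "rwamkl"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def suggest_rules(log_text):
    """Aggregate audit lines into one candidate rule per (profile, path),
    as aa-logprof presents them for review. Returns {profile: [rules]}."""
    needed = defaultdict(set)               # (profile, path) -> perm letters
    owner_only = defaultdict(lambda: True)  # (profile, path) -> fsuid == ouid on every hit?
    for line in log_text.splitlines():
        ev = parse_event(line)
        if "name" not in ev or ev.get("operation") == "exec":
            continue
        key = (ev["profile"], ev["name"])
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        needed[key].update(MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM)
        # `owner` is only correct if every logged access hit a file owned by
        # the accessing uid; one mismatch (e.g. a root-owned file) clears it.
        owner_only[key] &= ev.get("fsuid") == ev.get("ouid")
    rules = defaultdict(list)
    for (profile, path), perms in sorted(needed.items()):
        if "w" in perms:
            perms.discard("a")              # w already implies append
        letters = "".join(p for p in PERM_ORDER if p in perms)
        prefix = "owner " if owner_only[(profile, path)] else ""
        rules[profile].append(f"{prefix}{path} {letters},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for {profile}\n" + "\n".join(lines))
```

The /etc/shadow candidate is why the output is reviewed rather than loaded as-is: a denial for a file the service has no business reading is the profile doing its job, not a missing rule.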
Command Descriptions
aa-audit
: Set a profile to audit mode.
aa-autodep
: Automatically generate a basic profile for an application.
aa-cleanprof
: Remove unused rules from a profile.
aa-complain
: Set a profile to complain mode.
aa-decode
: Decode hex-encoded AppArmor messages.
aa-disable
: Disable a profile.
aa-easyprof
: Create or manage profiles with ease.
aa-enforce
: Set a profile to enforce mode.
aa-enabled
: List all enabled profiles.
aa-exec
: Execute a command confined by a specific profile.
aa-features-abi
: Show features and ABI version of AppArmor.
aa-genprof
: Generate a profile by monitoring application behavior.
aa-logprof
: Update profiles based on log events.
aa-mergeprof
: Merge multiple profiles into one.
aa-remove-unknown
: Remove unknown profiles or entries.
aa-status
: Show the current AppArmor status.
aa-teardown
: Unload all AppArmor profiles.
aa-unconfined
: List processes running without confinement.
aa-update-browser
: Update browser-related AppArmor profiles.