Application Armor is a module that is used for security purposes. As an administrator, you need to be able to restrict the capabilities of programs using a pre-program profile. If you have used Ubuntu, you have certainly used its security features but you have not been informed because it is included by default and runs silently in the background. Let’s see what is AppArmor and why you need to create it. Join us with this article to learn How To Create An AppArmor Profile In Ubuntu 18.04. If you are looking for a perfect and secure Linux VPS, buy your preferred Ubuntu VPS package, and continue reading.
To let this tutorial work better, please consider the below Prerequisites:
A non-root user with sudo privileges.
To set up, follow our Initial Setup With Ubuntu 18.04.
Tutorial Create An AppArmor Profile In Ubuntu 18.04
The AppArmor profiles are simple text files that can contain comments and are stored in the /etc/apparmor.d directory. They provide some capabilities such as network access, raw socket access, and the permission to read, write, or execute files on matching paths. If you wish to restrict the damage security vulnerabilities, the AppArmor could be effective by supplying the traditional Unix Discretionary Access Control model. Ubuntu developers use the AppArmor to restrict the process of actions. As an example, SELinux in Fedora and Red Hat is also used by default like the AppArmor in Ubuntu. Their function is the same, to provide Mandatory Access Control. AppArmor supports access controls for files, Linux capabilities, network, mount, remount, and unmount, pivot_root, ptrace, signal, DBus, and Unix domain sockets.
Create an AppArmor profile
You can use the following command to check the status of AppArmor:
sudo apparmor_status
First, to install the application you want to confine and some useful AppArmor utilities, run the command below:
sudo apt install apparmor-easyprof apparmor-notify apparmor-utils certspotter
How to generate a basic profile
You are recommended to use the easiest method of starting. Create a skeleton profile. Then you can set Apparmor to complain mode for your target to use the aa-logrof tool to evaluate the denials. To generate the skeleton policy, you will use aa-easyprof .
aa-easyprof /usr/bin/certspotter
# vim:syntax=apparmor # AppArmor policy for certspotter # ###AUTHOR### # ###COPYRIGHT### # ###COMMENT###
#include <tunables/global> # No template variables specified "/usr/bin/certspotter" { #include <abstractions/base> # No abstractions specified # No policy groups specified # No read paths specified
# No write paths specified }
Write the output into the profile file.
aa-easyprof /usr/bin/certspotter > usr.bin.certspotter sudo mv usr.bin.certspotter /etc/apparmor.d
Use the command below to load the profile into the kernel:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.certspotter
We are going to generate an AppArmor profile for certspotter. It does not have any profile yet and is a new utility in Ubuntu. What the certspotter doe is to monitor certificate transparency logs to see if the new ones have been generated for domains listed in a watchlist or not. As a certspotter, you are asked to set up a corn job to have a regular monitor of new entries. Now, let’s use this useful utility.
Running the certspotter would cause an immediate (safe) crash.
certspotter certspotter: /home/testuser/.certspotter/watchlist: open /home/testuser/.certspotter/watchlist permission denied
There is no chance to browse the source code, so you can limit what it could on your system. Since the basic profile does not allow certspotter access to resources it needs, you can view the AppArmor denial messages to check what went wrong here.
What is AppArmor and Complan Mode
If you install the audit, for non-DBus policy violations, AppArmor denials are logged /var/log/audit/audit.log. Otherwise, it would log to /var/log/syslog. The rate of AppArmor denials could make some problems while profiling, kernel will limit them. So, install auditd or adjust the rate-limiting in the kernel to stop happening this:
sudo sysctl -w kernel.printk_ratelimit=0
There is one more method to view AppArmor denials. You can use the aa-notify tool. You will find this a very simple program that could report any new AppArmor denials by consulting var/log/syslog. Again if you have installed audited, it will consult /var/log/audit/audit.log. Let’s see an example.
/usr/bin/aa-notify -s 1 -v
It would show you all AppArmpr denials within the last day. It could be an easy way if you use the aa-logprof tool to evaluate the log entries that AppArmor makes in complain mode and developed this profile. To see what will happen if you set AppArmor profile for certspotter to complain mode for this policy stay here.
sudo aa-complain certspotter
And run certspotter one ore time:
certspotter
As below, it would start generating AppArmor entries in the logs immediately.
Dec 24 13:34:24 tutorials audit[18643]: AVC apparmor="ALLOWED" operation="recvmsg" profile="/usr/bin/certspotter" pid=18643 comm="certspotter" laddr=10.0.2.15 lport=46314 faddr=10.0.2.16 fport=443 family="inet" sock_type="stream" protocol=6 requested_mast="receive" denied_mask="receive"
Because you have not created the profile rules yet to allow it to access the network.
How to use aa-logprof to refine the profile
You can parse the AppArmor messages and suggest policy rules by the aa-logprof. It will permit certspotter to run under confinement.
sudo aa-logprof Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Complain-mode changes: Profile: /usr/bin/certspotter Path: /proc/sys/net/core/somaxconn New Mode: r Severity: 6 [1 - /proc/sys/net/core/somaxconn r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N) ew / Audi(t) / Abo(r)t / (F)inish A
Profile: /usr/bin/certspotter Path: /etc/nsswitch.conf New Mode: r Severity: unknown
Let certspotter read this file which specifies the maximum number of open socket connections. Type A to allow it.
[1 - #include <abstractions/nameservice>] 2 - /etc/nsswitch.conf r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N) ew / Audi(t) / Abo(r)t / (F)inish A
certspotter retrieve information from the certificates transparency logs, it uses the network to do this. Feel free to use the existing name service abstraction which grants common access patterns or also you can especially allow this first network-related access. In /etc/apparmor.d/abstractions/nameservice you can review the abstraction’s details.
Profile: /usr/bin/certspotter Path: /proc/sys/kernel/hostname New Mode: r Severity: 6 [1 - /proc/sys/kernel/hostname r,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N) ew / Audi(t) / Abo(r)t / (F)inish A
It is ok to let certspotter knows the system’s hostname. So, do this.
Profile: /usr/bin/certspotter Path: /home/testuser/.certspotter/watchlist New Mode: r Severity: 4 [1 - /home/*/.certspotter/watchlist r,] 2 - /home/testuser/.certspotter/watchlist r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N) ew / Audi(t) / Abo(r)t / (F)inish A
To determine which domains to monitor, certspotter reads the watchlist. You need it to work for all users of the system and not just for yourself. So, the first suggested rule works better than the second. Since you know that certspotter uses the .certspotter directory to write information that it discovers, its lock file, and other data, so this ”r” (read) rule will be insufficient. Also, you can use the @{HOME} tunable rather than the globbed path. Now, accept it as a placeholder and take a TODO to touch it up later.
Note: @{HOME} is a variable that can be defined and manipulated outside the profile.
Profile: /usr/bin/certspotter Path: /home/testuser/.certspotter/version New Mode: r Severity: 4
[1 - /home/*/.certspotter/version r,] 2 - /home/testuser/.certspotter/version r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N) ew / Audi(t) / Abo(r)t / (F)inish
As we mentioned, you can touch up the watchlist rule, after that, you need to cover all of these entries about files in HOME/.certspotter, so you will ignore these suggested rules.
<rule suggestions for other files in $HOME/.certspotter omitted>
Enforce-mode changes: = Change Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/bin/certspotter] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Change b/w (C)lean profiles / Abo(r)t S
Once you save the profile, aa-logprof would cause the profile to be reloaded automatically. It will silence all of the AppArmor messages about certspotter using the network immediately.
How to edit the profile manually
In this part, you should go back and touch up the profile to allow certspotter to read and write from the HOME/.certspotter directory.
sudo vi /etc/apparmor.d/usr.bin.certspotter
Here, you need to change /home/*/.certspotter/watchlist r, line to owner @{HOME}/.certspotter/** rw, .
The ** glob means certspotter can now read and write to all files, directories, and all paths under the current user’s .certspotter directory in their home directory. It is time to touch up the ###COMMENT### placeholders with your preferred information. Then, reload the policy one more time.
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.certspotter
AppArmor deny rules
To ensure that certspotter cannot exfiltrate some of the data from HOME, you need to add a few rules. If you add explicit dey rules they can prevent profile mistakes because by default AppArmor profile default-deny.
deny @{HOME}/Documents/ rw, deny @{HOME}/Private/ rw, deny @{HOME}/Pictures/ rw, deny @{HOME}/Videos/ rw, deny @{HOME}/fake/ rw, deny @{HOME}/.config/ rw, deny @{HOME}/.ssh/ rw, deny @{HOME}/.bashrc rw,
While there is no fake directory on this system, the policy rule is still valid and AppArmor will enforce rules on it if it ever gets created someday. consider that AppArmor is able to tell the difference between a file and a directory when you use the trailing ”/” while specifying a directory itself. So, remember to reload the policy.
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.certspotter
To check if the certspotter works well or not, run the following command.
/usr/bin/certspotter
If you see it is working with no new denials, you can take AppArmor out of complaint mode for this profile and set it to enforcing:
sudo aa-enforce certspotter
Why the deny rules are not able to be overridden by an allow rule? Because you cannot just deny all of @{HOME} to certspotter and just allow it access to @{HOME}/.certspotter.
As the project recommends, you can add a corn job for certspotter to do the final test.
crontab -e 33 14 * * * /usr/bin/certspotter
However, you are recommended to check periodically the existence of any new denials. If you wish to exercise a less common code path, you can run through the certspotter package tests and have bonus points.
Conclusion
In this article, you have learned How To Create An AppArmor Profile In Ubuntu 18.04. If you have followed from A to Z of this guide, you should have created your first AppArmor profile. To ensure the generating, you can ask someone to check your final profile for not granting the privilege.
