Ubuntu Server with AppArmor

AppArmor is a system intended to protect the Linux system as a whole from individual applications that can be exploited through vulnerabilities they have. The problem was demonstrated at the recent Pwn2Own contest at CanSecWest, where three fully patched laptops, a Mac, a Windows Vista machine and an Ubuntu machine, were placed in a contest to see who could hack them and how long it would take. The MacBook Air with a fully patched Leopard fell first, after a Safari browser vulnerability was used to bring it down. The Vista machine was next, brought down by a vulnerability in Adobe Flash. The Ubuntu machine was not hacked in the 3 day contest. There is no joy in this situation, because in reality, according to information gathered from those who discovered and carried out the exploits, each OS was vulnerable; it was only a matter of time. Each could have been taken down by a browser exploit. The reality is an even deeper problem, in that most users have nothing close to factory defaults on fully patched systems.

Now of course Ubuntu servers typically will not have the graphical interface loaded, although it is more common than anyone cares to admit. Check out this article on the state of Ubuntu Servers. But the point is that Zero Day Exploits exist and will continue to exist for the Ubuntu Server as well as the Desktop.

So how does this relate to AppArmor? Two important points. First, AppArmor is designed to protect against these Zero Day Exploits, in other words against exploits that have not yet been revealed or discovered: when one comes upon the scene you need protection on the first day, not a week later when patches are provided. Second, AppArmor gives you a way to protect each application individually.

Checking the Default AppArmor
The system defaults are not very encouraging. The only protection your server has by default is for cups. In fact, you probably do not want to run the printer daemon, cups, on a server anyway, so the default protection of an Ubuntu Server with AppArmor effectively does not exist. See for yourself by checking the status.

# apparmor_status
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/lib/cups/backend/cups-pdf
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/cupsd (4974)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

This will change somewhat when you add certain applications. For example if you install MySQL it will add a profile automatically. Here is the same command after MySQL is added.


# apparmor_status
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/mysqld
   /usr/sbin/cupsd
   /usr/lib/cups/backend/cups-pdf
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/mysqld (7323)
   /usr/sbin/cupsd (4974)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

However, after installing Postfix, Dovecot, Squirrelmail, DNS, Apache, MySQL, etc., only two profiles had been added automatically: MySQL and named. This means that you must either create a profile for each daemon you need to protect or locate profiles that you can add. The universe repository provides a package of profiles that you can download and install on your system for some added protection.

sudo apt-get install apparmor-profiles

Here you can see that it has added additional profiles, most of which are only in complain mode.

# apparmor_status
apparmor module is loaded.
16 profiles are loaded.
5 profiles are in enforce mode.
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /usr/sbin/cupsd
   /usr/sbin/named
   /usr/sbin/avahi-daemon
11 profiles are in complain mode.
   /usr/sbin/ntpd
   /usr/sbin/identd
   /usr/sbin/nmbd
   /sbin/klogd
   /sbin/syslogd
   /usr/sbin/smbd
   /sbin/syslog-ng
   /usr/sbin/traceroute
   /usr/sbin/nscd
   /usr/sbin/mdnsd
   /bin/ping
9 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/mysqld (7323)
   /usr/sbin/cupsd (4974)
0 processes are in complain mode.
7 processes are unconfined but have a profile defined.
   /usr/sbin/nmbd (7592)
   /sbin/syslogd (4798)
   /usr/sbin/smbd (7598)
   /sbin/klogd (4857)
   /usr/sbin/smbd (7594)
   /usr/sbin/avahi-daemon (4943)
   /usr/sbin/avahi-daemon (4944)



Using Complain Mode

Complain mode lets you see where a profile has problems without stopping you from using the service. It is a valuable learning process, but it provides no security enhancement: its purpose is to let you make adjustments before you place the profile in enforce mode. This is fine for testing, but to really know whether everything is working correctly you need to put the profile into enforce mode. Here are the steps to place a new application into complain mode for testing.

Locate a Daemon or Application

If you want to set up Apache for AppArmor you will need to create a profile first.

sudo aa-genprof /usr/sbin/apache2

You will have the option to connect to the profile repository that is maintained for AppArmor by SUSE, although the AppArmor developers were dropped there and now work for Microsoft.

In order to set up the profile, Apache must be running, so if you are on the Ubuntu Server at tty1 you need to move to tty2 with Ctrl+Alt+F2. Log in, and then start apache with the sudo command.

sudo /etc/init.d/apache2 start

The scan requires all of the application's processes to be running. Now go back to tty1 and select S to scan your system. You will be asked about a number of accesses, and for each one you will see this line of choices. Allow each one to set up the profile.

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish

When it is complete it will ask if you want to upload your profile to the SUSE repository.

Make your choice and then select finish. Now you can test the profile by placing it in Complain Mode.

sudo aa-complain /usr/sbin/apache2

If you run the apparmor_status command now, you will see apache listed as an unconfined process that has a profile defined. This is because the apache processes were already running when the profile was created; they must be restarted in order for the profile to take effect.

sudo /etc/init.d/apache2 restart

Now all of your apache processes will be in Complain Mode.

Place All Profiles in Complain Mode

This option will allow you to place all of your processes in Complain Mode.

sudo aa-complain /etc/apparmor.d/*


Unconfined Processes with a Profile

When you install a profile for a process that is already running, that process stays active but is not confined to the limits that AppArmor places on it. This is because the process was running when the profile was installed, so you will need to reboot or restart the process before the kernel protects it.

Here is an example with samba. In the status output you can see 7 processes that have profiles but are unconfined:

7 processes are unconfined but have a profile defined.
   /usr/sbin/nmbd (7592)
   /sbin/syslogd (4798)
   /usr/sbin/smbd (7598)
   /sbin/klogd (4857)
   /usr/sbin/smbd (7594)
   /usr/sbin/avahi-daemon (4943)
   /usr/sbin/avahi-daemon (4944)

If you restart samba with:

/etc/init.d/samba restart

it solves the issue for the samba processes (smbd and nmbd), which now appear in complain mode; syslogd, klogd and avahi-daemon still need their own restart, as the status shows.

# apparmor_status
apparmor module is loaded.
17 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /usr/sbin/cupsd
   /usr/sbin/avahi-daemon
13 profiles are in complain mode.
   /usr/sbin/identd
   /usr/sbin/ntpd
   /usr/lib/firefox-3.0b4/firefox.sh
   /usr/lib/firefox-3.0b4/firefox
   /sbin/klogd
   /usr/sbin/nmbd
   /sbin/syslogd
   /usr/sbin/smbd
   /sbin/syslog-ng
   /usr/sbin/traceroute
   /usr/sbin/nscd
   /bin/ping
   /usr/sbin/mdnsd
10 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/mysqld (7323)
   /usr/sbin/cupsd (4974)
4 processes are in complain mode.
   /usr/sbin/smbd (8084)
   /usr/sbin/nmbd (8078)
   /usr/sbin/smbd (8080)
   /usr/lib/firefox-3.0b4/firefox.sh (7901)
4 processes are unconfined but have a profile defined.
   /sbin/syslogd (4798)
   /sbin/klogd (4857)
   /usr/sbin/avahi-daemon (4943)
   /usr/sbin/avahi-daemon (4944)
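
Reading the status output by hand gets tedious once a dozen profiles are loaded. The following Python script is an added example, not code from the original article or from the AppArmor project: it parses the text that apparmor_status prints, lists the programs that are running unconfined despite a loaded profile (the ones you still have to restart), and reads the flags=(complain) header that aa-complain writes into a profile file and aa-enforce removes. The sample status text and the profile fragment are constructed for the example, trimmed from the output shown above so the counts match the entries listed.

```python
"""Read apparmor_status output and report which daemons still need a restart.

Added example, not code from the original article or the AppArmor project.
"""
import re

# Constructed sample, modelled on the article's output after restarting samba
# (entries trimmed so the counts match what is listed here).
SAMPLE_STATUS = """\
apparmor module is loaded.
10 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /usr/sbin/cupsd
   /usr/sbin/avahi-daemon
6 profiles are in complain mode.
   /usr/sbin/identd
   /usr/sbin/ntpd
   /sbin/klogd
   /usr/sbin/nmbd
   /sbin/syslogd
   /usr/sbin/smbd
9 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/mysqld (7323)
   /usr/sbin/cupsd (4974)
3 processes are in complain mode.
   /usr/sbin/smbd (8084)
   /usr/sbin/nmbd (8078)
   /usr/sbin/smbd (8080)
4 processes are unconfined but have a profile defined.
   /sbin/syslogd (4798)
   /sbin/klogd (4857)
   /usr/sbin/avahi-daemon (4943)
   /usr/sbin/avahi-daemon (4944)
"""

# Section headers such as "4 profiles are in enforce mode." or
# "4 processes are unconfined but have a profile defined."
SECTION_RE = re.compile(
    r"^\d+ (profiles|processes) are "
    r"(in enforce mode|in complain mode|unconfined but have a profile defined)"
)
# An entry: an absolute path, optionally followed by " (pid)"; indentation optional.
ENTRY_RE = re.compile(r"^\s*(/\S+)(?: \((\d+)\))?\s*$")


def parse_status(text):
    """Split apparmor_status output into profile and process lists by mode.

    Profiles are stored as paths, processes as (path, pid) tuples.
    """
    status = {"enforce_profiles": [], "complain_profiles": [],
              "enforce_procs": [], "complain_procs": [], "unconfined_procs": []}
    key = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            kind, state = header.groups()
            if state.startswith("in enforce"):
                key = "enforce_profiles" if kind == "profiles" else "enforce_procs"
            elif state.startswith("in complain"):
                key = "complain_profiles" if kind == "profiles" else "complain_procs"
            else:
                key = "unconfined_procs"
            continue
        entry = ENTRY_RE.match(line)
        if entry and key:
            path, pid = entry.groups()
            status[key].append(path if pid is None else (path, int(pid)))
        elif line.strip():
            key = None  # any other text ends the current section
    return status


def needs_restart(status):
    """Programs running unconfined even though their profile is loaded.

    These are the daemons to restart (or reboot) so the kernel applies the
    profile; one name per program, however many PIDs are listed.
    """
    return sorted({path for path, _pid in status["unconfined_procs"]})


def profile_mode(profile_text):
    """Return 'complain' or 'enforce' from a profile file's header line.

    aa-complain adds flags=(complain) to the header; aa-enforce removes it.
    Returns None if no profile header is found.
    """
    for line in profile_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or not stripped.endswith("{"):
            continue
        flagged = re.search(r"flags=\(([^)]*)\)", stripped)
        if flagged and "complain" in [f.strip() for f in flagged.group(1).split(",")]:
            return "complain"
        return "enforce"
    return None


# Constructed profile fragment in the shape aa-complain leaves behind.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/sbin/apache2 flags=(complain) {
  #include <abstractions/base>
  /var/www/** r,
}
"""

if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    print("profiles in complain mode:", len(parsed["complain_profiles"]))
    print("restart to confine:", ", ".join(needs_restart(parsed)))
    print("apache2 profile mode:", profile_mode(SAMPLE_PROFILE))
```

On a real server, feed the script the live output (for example the result of running apparmor_status as root) instead of SAMPLE_STATUS; the empty-restart-list check is the quickest way to confirm that every daemon you restarted is now actually confined.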

 

Changing to Enforce Mode
Once you have tested the system you will be ready to move to Enforce Mode. This is easy to achieve with this command:

sudo aa-enforce /usr/sbin/apache2

Now apache is in Enforce Mode.

Tracking Problems

Once you have set up the profile, run the program and check the audit log with the aa-logprof command. It looks for AppArmor log messages, assigns each a severity level and then gives you the option to accept a correction or not. Here is an example for a firefox profile. The process is the same for a server install as for a desktop install.

# aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 3937.
Enforce-mode changes:

Profile:  /usr/lib/firefox-3.0b4/firefox.sh
Path:     /home/mike/.mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/
Mode:     r
Severity: 4

  1 - /home/mike/.mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/
 [2 - /home/*/.mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /home/*/.mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/ r to profile.

Profile:  /usr/lib/firefox-3.0b4/firefox.sh
Path:     /home/mike/.mozilla/firefox/z6lwz03d.default/Cache.Trash/
Mode:     rw
Severity: 6

  1 - /home/mike/.mozilla/firefox/z6lwz03d.default/Cache.Trash/
 [2 - /home/*/.mozilla/firefox/z6lwz03d.default/Cache.Trash/]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
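
To see what aa-logprof is doing with the audit log, here is an added Python example, not code from the original article or from the AppArmor project. It parses AppArmor audit lines in the kernel's key=value format, groups them per profile and path, merges the access modes, and proposes a file rule using the same /home/*/ glob that aa-logprof offers above. The log lines are constructed for the example; in complain mode the kernel logs apparmor="ALLOWED", in enforce mode apparmor="DENIED". The severity numbers in aa-logprof's output come from its own severity database and are not reproduced here.

```python
"""Summarize AppArmor audit events into rule proposals, aa-logprof style.

Added example, not code from the original article or the AppArmor project.
"""
import re
from collections import defaultdict

# Constructed sample events: firefox.sh in complain mode (ALLOWED, but logged)
# and apache2 in enforce mode (DENIED). Field layout follows the kernel's
# audit format; timestamps and PIDs are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1207000001.100:101): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox-3.0b4/firefox.sh" name="/home/mike/.mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/" pid=7901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1207000002.200:102): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox-3.0b4/firefox.sh" name="/home/mike/.mozilla/firefox/z6lwz03d.default/Cache.Trash/" pid=7901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1207000002.300:103): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox-3.0b4/firefox.sh" name="/home/mike/.mozilla/firefox/z6lwz03d.default/Cache.Trash/" pid=7901 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1207000003.400:104): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=8201 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# key="quoted value" or key=bareword
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of one audit line, or None if it is not AppArmor."""
    fields = {k: (q or u) for k, q, u in PAIR_RE.findall(line)}
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None
    return fields


def summarize(log_text):
    """Group events by (profile, path) and merge the requested access modes."""
    events = defaultdict(lambda: {"mask": set(), "count": 0, "status": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or "name" not in ev:
            continue
        entry = events[(ev["profile"], ev["name"])]
        entry["mask"].update(ev.get("requested_mask", ""))  # "rw" -> {"r", "w"}
        entry["count"] += 1
        entry["status"].add(ev["apparmor"])
    return dict(events)


def generalize_path(path):
    """The glob aa-logprof offers for a user's home: /home/mike/... -> /home/*/..."""
    return re.sub(r"^/home/[^/]+/", "/home/*/", path)


def suggest_rule(path, mask, glob_home=True):
    """Render a file rule in profile syntax; braces are escaped as in aa-logprof's output."""
    target = generalize_path(path) if glob_home else path
    target = target.replace("{", "\\{").replace("}", "\\}")
    return "%s %s," % (target, "".join(sorted(mask)))


def proposals(log_text):
    """One (profile, rule, event count, was_denied) tuple per (profile, path)."""
    out = []
    for (profile, path), info in sorted(summarize(log_text).items()):
        out.append((profile, suggest_rule(path, info["mask"]),
                    info["count"], "DENIED" in info["status"]))
    return out


if __name__ == "__main__":
    for profile, rule, count, denied in proposals(SAMPLE_LOG):
        flag = "DENIED in enforce mode" if denied else "seen in complain mode"
        print("%s: %s  (%d events, %s)" % (profile, rule, count, flag))
```

The DENIED entry for apache2 is the case enforce mode exists for: a denial that you would not want to turn into an allow rule, which is why aa-logprof asks rather than adding rules on its own.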

 


Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874