How to implement and activate AppArmor profiles in Ubuntu

lotuseclat79

This is a short tutorial to show you what you have to do to instrument
AppArmor on Ubuntu Gutsy Gibbon (7.10) - it comes installed in the kernel,
and there are default profiles, but it is not activated, the profiles may not even
be installed, and therefore are not protecting your system.

The idea of AppArmor profiles is to monitor the applications (Internet facing
are the ones to be the most concerned about), and log instances where the
rules are in conflict with the execution of the application.

Since Firefox, as probably the most important Internet facing application
in use aside from email software, is a prime target for malware, this short
tutorial will guide you to instrumenting and activating an AppArmor profile
(which you will create) for it, and guide you on how to install other already
existing profiles.

First, if you are running Ubuntu Gutsy Gibbon (7.10), you already have
AppArmor installed in the kernel, but it is not activated, nor are any of
the default profiles running. After following the guidelines herein, you
will have a system that activates AppArmor on bootup, and has a new profile
that further monitors Firefox and other executables.

If you bring up Synaptic Package Manager and install apparmor-docs then
you will be able to have access to a file named techdoc.pdf which if you
follow its instructions will provide the same result as this thread post.
Another way to accomplish the same thing is to bring up your browser
and access the following web page which contains the same information:
http://en.opensuse.org/AppArmor_Geeks. Do not be concerned that it is an
openSUSE document; that is irrelevant.

First, issue the following command from the regular ubuntu user account:
$ sudo apt-get update
You may have to issue it again if you get error message output at the end.

Second, crank up the Synaptic Package Manager and search for the package
name apparmor. Mark for installation: apparmor-profiles and apparmor-docs.
Click on Apply to download and install them automatically.

Next, do the following operations as root, i.e. $ sudo -i gets you the
# prompt for the root account.

1) Mount the securityfs as a (rw) read, write file system:
# mount securityfs -t securityfs /sys/kernel/security

2) Copy and edit into a new file the very last firefox profile in either
the techdoc.pdf file or the web page at AppArmor_Geeks (they are the same).
The edit you need to make is to change the string /usr/lib/firefox/firefox.sh to
/usr/lib/firefox/firefox. Name the firefox profile by the file name: usr.lib.firefox.firefox

3) Place the usr.lib.firefox.firefox file into /etc/apparmor.d
It should have about the same size and permissions as follows:
-rw-r--r-- 1 root root 1307 2008-04-03 14:22 /etc/apparmor.d/usr.lib.firefox.firefox

4) Start up AppArmor:
# /etc/init.d/apparmor start

5) To view the AppArmor profiles loaded into the kernel that are running:
# cat /sys/kernel/security/apparmor/profiles

6) Exit root account:
# exit

In order to have the system do the above steps automatically on
boot up, you need to do the following two things from the root account:

1) edit /etc/fstab and add an entry to mount securityfs.
To know how to edit and understand /etc/fstab visit
here.

2) write a small script S99apparmor to activate all of the AppArmor profiles
in /etc/apparmor.d on boot up and place the script in /etc/rc2.d. All the
script needs to do is execute the command: /etc/init.d/apparmor start. The
script is an executable file, not a symbolic link into /etc/init.d/apparmor.
Lastly, make the script S99apparmor executable by issuing the command:
# chmod +x S99apparmor

Read the man pages for apparmor and the other associated man pages. You may
find that the log messages are in one of two places: either /var/log/audit/audit.log
or /var/log/messages, depending upon local configuration.

Here are some other helpful links about AppArmor to help you in instrumenting
and using it for other applications like Apache:

AppArmor FAQ.

AppArmor Ubuntu Community Documentation.

AppArmor (at Wikipedia).

AppArmor Ubuntu Wiki.

-- Tom
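
A check script for the end state of the steps above, added here as an example and not part of the original post. The function names are hypothetical, the fstab line in the comment is derived from the mount command in step 1, and the script assumes the kernel lists loaded profiles one per line as "name (mode)".

```sh
#!/bin/sh
# Added example: verifies the end state of the steps in the post above.
# Assumption: the kernel profile list has one "name (mode)" entry per line.
SECFS=/sys/kernel/security

# True if fstab-format FILE has an active (uncommented) entry such as:
#   securityfs /sys/kernel/security securityfs defaults 0 0
fstab_has_securityfs() {
    awk -v mp="$SECFS" '
        /^[ \t]*#/ { next }
        $2 == mp && $3 == "securityfs" { found = 1 }
        END { exit !found }' "$1"
}

# Print the mode of PROFILE as found in LISTING; return 1 if it is not loaded.
# "complain" only logs rule violations, "enforce" also blocks them.
profile_mode() {
    awk -v want="$2" '
        {
            mode = $NF; name = $0
            sub(/[ \t]+\([a-z]+\)[ \t]*$/, "", name)   # strip trailing "(mode)"
            if (name == want) { gsub(/[()]/, "", mode); print mode; found = 1 }
        }
        END { exit !found }' "$1"
}

# True if FILE exists, is owned by uid OWNER (default 0 = root) and is not
# group- or world-writable, like the -rw-r--r-- root root listing in step 3.
profile_file_ok() {
    [ -f "$1" ] || return 1
    ls -ldn "$1" | awk -v uid="${2:-0}" '
        { exit !($3 == uid && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }'
}

check_all() {
    rc=0
    grep -q " $SECFS securityfs " /proc/mounts \
        || { echo "securityfs is not mounted on $SECFS"; rc=1; }
    fstab_has_securityfs /etc/fstab \
        || { echo "no securityfs entry in /etc/fstab (will not mount on boot)"; rc=1; }
    profile_file_ok /etc/apparmor.d/usr.lib.firefox.firefox \
        || { echo "profile file missing, not root-owned, or writable by others"; rc=1; }
    mode=$(profile_mode "$SECFS/apparmor/profiles" /usr/lib/firefox/firefox) \
        && echo "firefox profile loaded in $mode mode" \
        || { echo "firefox profile is not loaded in the kernel"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--check" ]; then check_all; fi
```

Run it from the root account with the --check argument, since the kernel's profile list is readable only by root.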
 