
How to implement and activate AppArmor profiles in Ubuntu

Discussion in 'Linux and Unix' started by lotuseclat79, Apr 3, 2008.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Thread Starter

    This is a short tutorial to show you what you have to do to instrument
    AppArmor on Ubuntu Gutsy Gibbon (7.10) - it comes installed in the kernel,
    and there are default profiles, but it is not activated, the profiles may not even
    be installed, and therefore are not protecting your system.

    The idea of AppArmor profiles is to monitor the applications (Internet facing
    are the ones to be the most concerned about), and log instances where the
    rules are in conflict with the execution of the application.

    Since Firefox, as probably the most important Internet facing application
    in use aside from email software, is a prime target for malware, this short
    tutorial will guide you to instrumenting and activating an AppArmor profile
    (which you will create) for it, and guide you on how to install other already
    existing profiles.

    First, if you are running Ubuntu Gutsy Gibbon (7.10), you already have
    AppArmor installed in the kernel, but it is not activated, nor are any of
    the default profiles running. After following the guidelines herein, you
    will have a system that activates AppArmor on bootup, and has a new profile
    that further monitors Firefox and other executables.

    If you bring up Synaptic Package Manager and install apparmor-docs then
    you will be able to have access to a file named techdoc.pdf which if you
    follow its instructions will provide the same result as this thread post.
    Another way to accomplish the same thing is to bring up your browser
    and access the following web page which contains the same information:
    http://en.opensuse.org/AppArmor_Geeks. Do not be concerned that it is an
    openSUSE document, which is irrelevant.

    First, issue the following command from the regular ubuntu user account:
    $ sudo apt-get update
    You may have to issue it again if you get error message output at the end.

    Second, crank up the Synaptic Package Manager and search for the package
    name apparmor. Mark for installation: apparmor-profiles and apparmor-docs.
    Click on Apply to download and install them automatically.

    Next, do the following operations as root, i.e. $ sudo -i gets you the
    # prompt for the root account.

    1) Mount the securityfs as a (rw) read, write file system:
    # mount securityfs -t securityfs /sys/kernel/security

    2) Copy and edit into a new file the very last firefox profile in either
    the techdoc.pdf file or the web page at AppArmor_Geeks (they are the same).
    The edit you need to make is to change the string /usr/lib/firefox/firefox.sh to
    /usr/lib/firefox/firefox. Name the firefox profile by the file name: usr.lib.firefox.firefox

    3) Place the usr.lib.firefox.firefox file into /etc/apparmor.d
    It should have about the same size and permissions as follows:
    -rw-r--r-- 1 root root 1307 2008-04-03 14:22 /etc/apparmor.d/usr.lib.firefox.firefox

    4) Start up AppArmor:
    # /etc/init.d/apparmor start

    5) To view the AppArmor profiles loaded into the kernel that are running:
    # cat /sys/kernel/security/apparmor/profiles

    6) Exit root account:
    # exit

    In order to have the system do the above steps automatically on
    boot up, you need to do the following two things from the root account:

    1) edit /etc/fstab and add an entry to mount securityfs.
    To know how to edit and understand /etc/fstab visit here.

    2) write a small script S99apparmor to activate all of the AppArmor profiles
    in /etc/apparmor.d on boot up and place the script in /etc/rc2.d. All the
    script needs to do is execute the command: /etc/init.d/apparmor start. The
    script is an executable file, not a symbolic link into /etc/init.d/apparmor.
    Lastly, make the script S99apparmor executable by issuing the command:
    # chmod +x S99apparmor

    Read the man pages for apparmor and the other associated man pages. You may
    find that the log messages are in one of two places: either /var/log/audit/audit.log
    or /var/log/messages, depending upon local configuration.

    Here are some other helpful links about AppArmor to help you with instrumenting
    and using it for other applications like Apache:

    Apparmor FAQ.

    AppArmor Ubuntu Community Documentation.

    AppArmor (at Wikipedia).

    AppArmor Ubuntu Wiki.

    -- Tom
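
Added example (not part of lotuseclat79's post): a shell check that the steps above took effect, looking for the securityfs entry in an fstab file and for the Firefox profile's mode in the kernel's profiles listing. The sample fstab line and profile list are constructed for illustration; called without file arguments, the functions read the real paths, and the profiles file should be read as root, as in step 5.

```shell
#!/bin/sh
# Succeeds if FILE (default /etc/fstab) has an uncommented entry of type
# securityfs mounted on /sys/kernel/security.
fstab_has_securityfs() {
    awk '$1 !~ /^#/ && $2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
         END { exit !found }' "${1:-/etc/fstab}"
}

# Prints the mode (e.g. enforce or complain) of profile NAME from the kernel's
# listing, whose lines look like: /usr/lib/firefox/firefox (enforce)
# Fails if the profile is not loaded.
profile_mode() {
    awk -v name="$1" '
        { mode = $NF; sub(/ \([a-z]+\)$/, "") }      # split "name (mode)"
        $0 == name { gsub(/[()]/, "", mode); print mode; found = 1 }
        END { exit !found }' "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Checks both results of the procedure for the Firefox profile from the post.
check_setup() {
    fstab=$1; profiles=$2; rc=0
    fstab_has_securityfs "$fstab" || { echo "no securityfs entry in fstab"; rc=1; }
    if mode=$(profile_mode /usr/lib/firefox/firefox "$profiles"); then
        echo "firefox profile loaded in $mode mode"
    else
        echo "firefox profile not loaded"; rc=1
    fi
    return $rc
}

# Constructed sample data standing in for /etc/fstab and the kernel listing.
tmp=$(mktemp -d)
printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
    'securityfs /sys/kernel/security securityfs defaults 0 0' > "$tmp/fstab"
printf '%s\n' '/usr/sbin/ntpd (enforce)' \
    '/usr/lib/firefox/firefox (complain)' > "$tmp/profiles"
check_setup "$tmp/fstab" "$tmp/profiles"
```

A profile reported in complain mode only logs rule violations; in enforce mode the kernel also denies them.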
     

Short URL to this thread: https://techguy.org/700135
