Thursday, February 14, 2013

AppArmor in Ubuntu

AppArmor is the most important security feature in Ubuntu and has been included since Ubuntu 7.10. Most of us are not aware of this security feature because it is a background process: as it runs silently in the background, it is not obvious what it is or what it is doing.
AppArmor locks down vulnerable processes and restricts the damage that a vulnerable process can cause, which provides good security. AppArmor is similar to SELinux, which is included by default in Fedora and Red Hat; both provide “mandatory access control”. AppArmor also allows Ubuntu’s developers to restrict the actions that processes can take.
For example, one application that is restricted in Ubuntu’s default configuration is the Evince PDF viewer. When Evince runs under a user account, it can only take specific actions: it has permission only to open PDF documents. If Evince opened a malicious document, AppArmor would limit the damage that Evince could do. In other words, AppArmor defines the particular actions that an application or process may perform, which restricts what an exploit of that software can achieve.
Viewing AppArmor’s Status:-
We can view AppArmor’s status by running the following command:
           sudo apparmor_status

The output lists the AppArmor profiles that are installed and the running processes that are confined, along with whether they are in enforce mode.
AppArmor Profiles:-
In AppArmor, the restrictions placed on processes are defined by profiles. The AppArmor status output shows the list of profiles installed on the system, which come with Ubuntu. You can install additional profiles with the apparmor-profiles package, and you can also write your own AppArmor profiles to restrict other software.
As we saw in the status output, profiles run in either “complain mode” or “enforce mode”. In enforce mode, the default setting for the profiles that come with Ubuntu, AppArmor prevents applications from taking restricted actions. In complain mode it does the same, but also writes a log entry complaining about each such action. Complain mode is ideal for testing a profile before enabling it in enforce mode, so that we can see the errors that would occur in enforce mode.
Profiles are stored in the /etc/apparmor.d directory. They are plain-text files and can contain comments.
You can also lock down Mozilla Firefox for increased security, but Ubuntu does not do this by default: the /etc/apparmor.d/disable folder contains a symlink indicating that the profile is disabled. The Firefox profile itself, usr.bin.firefox, is in the /etc/apparmor.d directory.
To enable the Firefox profile and confine Firefox with AppArmor, run the following commands:
        sudo rm /etc/apparmor.d/disable/usr.bin.firefox
        cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser -a
After you run these commands, run sudo apparmor_status again and you will see that the Firefox profile is now listed as well.
To disable the Firefox profile again, run the following commands:
       sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
       sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
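As an added example (not part of the original post), the following POSIX shell functions wrap the same symlink mechanism used above: they report whether a named profile is missing, disabled, or would load in complain or enforce mode, and create or remove the disable symlink. The function names are my own, and the profile directory is parameterised through APPARMOR_DIR so the functions can be tried on a scratch copy without root; loading into the kernel only happens when LOAD=1.

```shell
#!/bin/sh
# Added example: inspect and toggle the "disabled" state of an AppArmor
# profile via the <apparmor.d>/disable/ symlink. APPARMOR_DIR defaults to the
# real directory but can point at a scratch copy for testing (assumption).
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# Print one of: missing | disabled | complain | enforce
profile_state() {
    name="$1"
    file="$APPARMOR_DIR/$name"
    if [ ! -f "$file" ]; then
        echo missing; return 0
    fi
    # A symlink in disable/ marks the profile as not to be loaded at boot.
    if [ -L "$APPARMOR_DIR/disable/$name" ] || [ -e "$APPARMOR_DIR/disable/$name" ]; then
        echo disabled; return 0
    fi
    # A profile header carrying flags=(complain) is loaded in complain mode;
    # anything else is loaded in enforce mode (comment lines are ignored).
    if grep -Eq '^[^#]*flags=\([^)]*complain[^)]*\)' "$file"; then
        echo complain
    else
        echo enforce
    fi
}

# Remove the disable symlink; with LOAD=1 also load the profile into the kernel.
profile_enable() {
    name="$1"
    rm -f "$APPARMOR_DIR/disable/$name"
    [ "${LOAD:-0}" = 1 ] && apparmor_parser -a "$APPARMOR_DIR/$name"
    return 0
}

# Create the disable symlink; with LOAD=1 also unload the profile from the kernel.
profile_disable() {
    name="$1"
    mkdir -p "$APPARMOR_DIR/disable"
    ln -sf "$APPARMOR_DIR/$name" "$APPARMOR_DIR/disable/$name"
    [ "${LOAD:-0}" = 1 ] && apparmor_parser -R "$APPARMOR_DIR/$name"
    return 0
}

# Usage on a real system (as root): profile_state usr.bin.firefox
```

Running the functions with LOAD=1 against the real /etc/apparmor.d requires root, exactly like the sudo commands above.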