{"id":145738,"date":"2023-10-17T22:39:54","date_gmt":"2023-10-17T19:39:54","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=145738"},"modified":"2024-04-25T16:53:29","modified_gmt":"2024-04-25T13:53:29","slug":"apparmor-cheat-sheet-for-linux-system-administrators","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/apparmor-cheat-sheet-for-linux-system-administrators\/","title":{"rendered":"AppArmor Cheat Sheet for Linux System Administrators"},"content":{"rendered":"\n
Many of you have probably heard of AppArmor when working with Debian-based systems more so Ubuntu. However, since it is not an app that shows in the GUI, some users might not be familiar with it.<\/p>\n\n\n\n
Application Armor <\/strong>abbreviated as AppArmor <\/em>is a security module on Linux systems. It is a Mandatory Access Control (MAC) system used by the Linux kernel to restrict the capabilities of a program as configured on program profiles. These profiles can allow or deny capabilities such as network access, raw socket access, read, write and execute permissions on files etc. These profiles are usually loaded to the Kernel on system boot. The AppArmor profiles exist in two modes, these are enforcement<\/em> and complain<\/em>. The enforcement mode<\/strong> enforces the policy defined in the profile and also reports any policy violation attempts either using syslog or audits. The complain mode <\/strong>on the other hand does not enforce the policy but only reports the policy violation attempts.<\/p>\n\n\n\n
The AppArmor technology has been around for some time. It was first seen in Immunix and later integrated into Novell\/SUSE, Mandriva and Ubuntu systems. AppArmor is considered to be a drop in replacement to SELinux, which is at times considered difficult for setup and maintain. In contrast to SELinux, which works by applying labels to files, AppArmor works with file paths. The exponents of AppArmor argue that it is less complex and easier to configure than SELinux.<\/p>\n\n\n\n
In today’s article, we will learn the AppArmor Cheat Sheet for Linux System Administrators.<\/p>\n\n\n\n
1. Check AppArmor Status<\/h2>\n\n\n\n
AppArmor is installed by default on Ubuntu systems and loads automatically on system boot. To check the status, issue the below command:<\/p>\n\n\n\n
The above output shows the loaded profiles and the AppArmor mode.<\/p>\n\n\n\n
2. View AppArmor Profiles<\/h2>\n\n\n\n
AppArmor has several preloaded profiles which are located in the “\/etc\/apparmor.d\/<\/em>” directory. Some of the profiles are disabled and others are active.<\/p>\n\n\n\n
To check all the profiles, you can issue:<\/p>\n\n\n\n
$ ls \/etc\/apparmor.d\/*<\/mark>\n\/etc\/apparmor.d\/lsb_release\n\/etc\/apparmor.d\/nvidia_modprobe\n\/etc\/apparmor.d\/sbin.dhclient\n\/etc\/apparmor.d\/usr.bin.evince\n\/etc\/apparmor.d\/usr.bin.man\n....\n\/etc\/apparmor.d\/disable:\nusr.sbin.rsyslogd\n\n\/etc\/apparmor.d\/force-complain:\n\n\/etc\/apparmor.d\/local:\nlsb_release usr.bin.tcpdump usr.sbin.cups-browsed\nnvidia_modprobe usr.lib.libreoffice.program.oosplash usr.sbin.cupsd\nREADME usr.lib.libreoffice.program.senddoc usr.sbin.mysqld\nsbin.dhclient usr.lib.libreoffice.program.soffice.bin usr.sbin.rsyslogd\nusr.bin.evince usr.lib.libreoffice.program.xpdfimport\nusr.bin.man usr.lib.snapd.snap-confine.real\n\n\/etc\/apparmor.d\/tunables:\nalias etc home.d multiarch.d securityfs xdg-user-dirs\napparmorfs global kernelvars proc share xdg-user-dirs.d\ndovecot home multiarch run sys<\/code><\/pre>\n\n\n\n
The profiles here have a naming syntax. For example, a profile for \/usr\/bin\/man<\/em> will be located in \/etc\/apparmor.d\/usr.bin.man<\/em>.<\/p>\n\n\n\n
The disabled profiles are located under the “\/etc\/apparmor.d\/disable”<\/p>\n\n\n\n
$ ls \/etc\/apparmor.d\/disable\/*<\/mark>\n\/etc\/apparmor.d\/disable\/usr.sbin.rsyslogd<\/code><\/pre>\n\n\n\n
While AppArmor allows you to have multiple profiles, they are individually enabled or disabled. To enable or disable a profile, you need to install apparmor-utils<\/code><\/p>\n\n\n\n
First update and upgrade your system to avoid “Segmentation fault” errors.<\/p>\n\n\n\n
AppArmor allows users to create their custom profiles to protect apps. The profile usually has several configurations and variables for your application. AppArmor eliminates the tussle by allowing you to start from a template or interactively. <\/p>\n\n\n\n
For the interactive method, it inspects the actions performed by the binary and lets you decide the actions you like, whether to deny or allow.<\/p>\n\n\n\n
To achieve that, you issue a command with the below syntax:<\/p>\n\n\n\n
Updating AppArmor profiles in \/etc\/apparmor.d.\nWriting updated profile for \/usr\/bin\/scp.\nSetting \/usr\/bin\/scp to complain mode.\n\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttps://gitlab.com\/apparmor\/apparmor\/wikis\/Profiles\n\nProfiling: \/usr\/bin\/scp\n\nPlease start the application to be profiled in\nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" option below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied.\n\n[(S)can system log for AppArmor events] \/ (F)inish<\/code><\/pre>\n\n\n\n
Now open a separate terminal and perform all the actions the binary can perform. For example:<\/p>\n\n\n\n
After performing the task, press S<\/strong> on the AppArmor profiling window. In the recorded actions, set whether to ignore, allow, etc. <\/p>\n\n\n\n
[(S)can system log for AppArmor events] \/ (F)inish\nReading log entries from \/var\/log\/syslog.\n\nProfile: \/usr\/bin\/scp\nExecute: \/usr\/bin\/ssh\nSeverity: unknown\n\n(I)nherit \/ (C)hild \/ (P)rofile \/ (N)amed \/ (U)nconfined \/ (X) ix On \/ (D)eny \/ Abo(r)t \/ (F)inish<\/code><\/pre>\n\n\n\n
Once complete, press “S” to save the changes.<\/p>\n\n\n\n
The following local profiles were changed. Would you like to save them?\n\n [1 - \/usr\/bin\/scp]\n(S)ave Changes \/ Save Selec(t)ed Profile \/ [(V)iew Changes] \/ View Changes b\/w (C)lean profiles \/ Abo(r)t<\/code><\/pre>\n\n\n\n
Now press “f” and you will have the profile saved as \/etc\/apparmor.d\/path.to.binary<\/strong><\/em>. (\/etc\/apparmor.d\/usr.bin.scp fo this case)<\/p>\n\n\n\n
# vim:syntax=apparmor\n# AppArmor policy for binary\n# ###AUTHOR###\n# ###COPYRIGHT###\n# ###COMMENT###\n\n#include <tunables\/global>\n\n# No template variables specified\n\n\"\/path\/to\/binary\" {\n #include <abstractions\/base>\n\n # No abstractions specified\n\n # No policy groups specified\n\n # No read paths specified\n\n # No write paths specified\n}<\/code><\/pre>\n\n\n\n
You can then proceed and edit the profile as desired. <\/p>\n\n\n\n
To enforce the profile, use:<\/p>\n\n\n\n
sudo apparmor_parser -a \/etc\/apparmor.d\/profile.name<\/mark><\/code><\/pre>\n\n\n\n
There are many other command to manage AppArmor profiles:<\/p>\n\n\n\n
#Load a new profile in complain mode\nsudo apparmor_parser -C \/etc\/apparmor.d\/profile.name \n\n#Replace existing profile\nsudo apparmor_parser -r \/etc\/apparmor.d\/profile.name \n\n #Remove profile\nsudo apparmor_parser -R \/etc\/apparmor.d\/profile.name<\/code><\/pre>\n\n\n\n
5. Modifying a Profile from Logs<\/h2>\n\n\n\n
It is also possible to modify a profile from logs. The tool reads the logs and ask if you want to permit some of the forbidden actions. To achieve that, use:<\/p>\n\n\n\n
sudo aa-logprof<\/code><\/pre>\n\n\n\n
You can then navigate using arrow keys and select the desired profile.<\/p>\n\n\n\n<\/figure>\n\n\n\n
6. View Logs<\/h2>\n\n\n\n
You can view the AUDIT and DENIED logs from \/var\/log\/audit\/audit.log. Install the required package:<\/p>\n\n\n\n
There are other options you can use, check with the command:<\/p>\n\n\n\n
$ aa-notify -h<\/mark>\nUSAGE: aa-notify [OPTIONS]\n\nDisplay AppArmor notifications or messages for DENIED entries.\n\nOPTIONS:\n -p, --poll\t\t\tpoll AppArmor logs and display notifications\n --display $DISPLAY\t\tset the DISPLAY environment variable to $DISPLAY\n\t\t\t\t(might be needed if sudo resets $DISPLAY)\n -f FILE, --file=FILE\t\tsearch FILE for AppArmor messages\n -l, --since-last\t\tdisplay stats since last login\n -s NUM, --since-days=NUM\tshow stats for last NUM days (can be used alone\n\t\t\t\tor with -p)\n -v, --verbose\t\t\tshow messages with stats\n -h, --help\t\t\tdisplay this help\n -u USER, --user=USER\t\tuser to drop privileges to when not using sudo\n -w NUM, --wait=NUM\t\twait NUM seconds before displaying\n\t\t\t\tnotifications (with -p)<\/code><\/pre>\n\n\n\n
7. Manage AppArmor Service<\/h2>\n\n\n\n
Tha AppArmor service can be managed just like any other system service. To stop the service run:<\/p>\n\n\n\n
That marks the end of this guide on the AppArmor Cheat Sheet for Linux System Administrators. There are several other commands and cheat sheets not covered here, please feel free to share them in the comments below.<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/09\/AppArmor-Cheat-Sheet-for-Linux-System-Administrators.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/09\/AppArmor-Cheat-Sheet-for-Linux-System-Administrators-1-1024x299.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/09\/AppArmor-Cheat-Sheet-for-Linux-System-Administrators-2.png\" "\\"\\"")
<\/figure>\n\n\n\n