Lesson 13

Date: 7/3/2017
Application security and Intrusion detection
Linux System Administration


Exercises with AppArmor on Ubuntu

To create a security profile for an application, we need to know what the application is doing. A recommended approach is to run the application, analyze the AppArmor logs it generates at run time, and compose the profile with aa-genprof.

  • On testub VM, stop denyhosts service and remove the desktop IP address from /etc/hosts.deny file.
  • On testub VM, install packages with AppArmor profiles and utilities:
    apt-get install apparmor-utils apparmor-profiles
    
  • Enable AppArmor:
    systemctl enable apparmor
    systemctl start apparmor
    
    Check out the loaded profiles:
    aa-status
    
  • Create shell script mem2.sh with the content below:
    #!/bin/bash
    # Checks memory status through cron
    
    echo 'enter output directory:'
    read -r DIR
    
    # Quote the path so a directory name containing spaces stays one word
    of="$DIR/mem.out"
    dt=$(date)
    
    echo "Memory status (in MB) on $dt:" >> "$of"
    free -m >> "$of"
    echo "------------------" >> "$of"
    

    Assign it the executable permission:
    chmod a+x mem2.sh
    

  • Below we create an AppArmor profile for script mem2.sh that allows it to write its output file, mem.out, only in the /tmp directory.
    Have two terminals open for testub VM: one can be the virsh console, the other can be an ssh session.

    In one terminal, start creating a profile with aa-genprof command:
    sudo aa-genprof mem2.sh
    

    In the other terminal, start running mem2.sh as user hostadm:
    ./mem2.sh
    
    When prompted for the output directory, put /tmp.

    In the first terminal, accept all the rules prompted in aa-genprof.

    Place the profile in the 'enforce' mode:
    aa-enforce mem2.sh
    

    See the created profile:
    less /etc/apparmor.d/home.hostadm.mem2.sh
    
    Verify that the profile for mem2.sh is loaded in AppArmor:
    aa-status
    
    You should see the list of the profiles in enforce mode, including /home/hostadm/mem2.sh

  • Now we can see how AppArmor works for the script:
    run ./mem2.sh as root and give /home/hostadm for the output directory.
    The script should be denied writing its output into /home/hostadm.

  • Modify the profile based on the logs:
    aa-logprof mem2.sh
    
    Accept the output into /home/hostadm/mem.out.
    Try running mem2.sh again, and give /home/hostadm when prompted. Now the script should be able to write into /home/hostadm.
    Check out the updated profile:
    less /etc/apparmor.d/home.hostadm.mem2.sh
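    When the enforced profile blocks the write in the step above, the kernel records an audit event, and that event is what aa-logprof reads before proposing the new rule. The script below is an added example, not part of the lesson or of the AppArmor tools: it parses a few constructed kern.log lines shaped like that denial, counts DENIED events per profile (the detection view a sysadmin would watch), and derives the rule aa-logprof would offer. The sample lines, their timestamps and the mask-to-permission mapping are assumptions about the log format made for this example, not output captured from the testub VM.

```shell
#!/bin/bash
# Added example (not from the lesson): summarize AppArmor DENIED events and
# turn each one into the profile rule that would allow it.

# Constructed sample of /var/log/kern.log content: one STATUS line from loading
# the profile, then the denials produced when mem2.sh (run as root) tries to
# append to /home/hostadm/mem.out. Field values are assumed, not captured.
SAMPLE_LOG='Mar  7 10:15:01 testub kernel: [ 3101.220177] audit: type=1400 audit(1488881701.120:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/home/hostadm/mem2.sh" pid=2301 comm="apparmor_parser"
Mar  7 10:15:02 testub kernel: [ 3102.551902] audit: type=1400 audit(1488881702.451:42): apparmor="DENIED" operation="mknod" profile="/home/hostadm/mem2.sh" name="/home/hostadm/mem.out" pid=2345 comm="mem2.sh" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Mar  7 10:15:02 testub kernel: [ 3102.552340] audit: type=1400 audit(1488881702.452:43): apparmor="DENIED" operation="open" profile="/home/hostadm/mem2.sh" name="/home/hostadm/mem.out" pid=2345 comm="mem2.sh" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Mar  7 10:15:02 testub kernel: [ 3102.553001] audit: type=1400 audit(1488881702.453:44): apparmor="DENIED" operation="open" profile="/home/hostadm/mem2.sh" name="/home/hostadm/mem.out" pid=2345 comm="mem2.sh" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0'

# Detection view: number of DENIED events per confined profile, busiest first.
# Reads log lines on stdin; STATUS and ALLOWED lines are ignored.
count_denials() {
  grep 'apparmor="DENIED"' |
  sed -n 's/.*profile="\([^"]*\)".*/\1/p' |
  sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# One "profile|operation|path|denied_mask|fsuid|ouid" record per DENIED event.
extract_denials() {
  grep 'apparmor="DENIED"' |
  sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*fsuid=\([0-9]*\).*ouid=\([0-9]*\).*/\2|\1|\3|\4|\5|\6/p'
}

# Map a kernel denied_mask to AppArmor rule permissions. The kernel reports
# create (c) and delete (d) separately; a profile grants both through "w".
# "a" (append) is only emitted when no full write is needed, because the
# profile syntax does not allow "a" and "w" together on one rule.
mask_to_perms() {
  local mask=$1 perms=""
  case $mask in *r*) perms="${perms}r";; esac
  case $mask in *[wcd]*) perms="${perms}w";; *a*) perms="${perms}a";; esac
  case $mask in *k*) perms="${perms}k";; esac
  case $mask in *m*) perms="${perms}m";; esac
  case $mask in *l*) perms="${perms}l";; esac
  case $mask in *x*) perms="${perms}ix";; esac
  printf '%s' "$perms"
}

# Derive the rule aa-logprof would propose for each distinct denial, prefixed
# with the profile it belongs to. The "owner" qualifier is added when the
# process uid matches the object uid, as aa-logprof does by default.
suggest_rules() {
  extract_denials | while IFS='|' read -r profile op path mask fsuid ouid; do
    perms=$(mask_to_perms "$mask")
    qual=""
    [ -n "$fsuid" ] && [ "$fsuid" = "$ouid" ] && qual="owner "
    printf '%s: %s%s %s,\n' "$profile" "$qual" "$path" "$perms"
  done | sort -u
}

# Stand-alone run over the constructed sample; on the VM you would pipe in
# `journalctl -k` or /var/log/kern.log instead.
printf '%s\n' "$SAMPLE_LOG" | count_denials
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

    The single suggested line, `owner /home/hostadm/mem.out w,`, is what you should expect to find added inside the `/home/hostadm/mem2.sh { ... }` block of the updated profile after accepting aa-logprof's proposal; the three denials collapse into one rule because they all name the same path and the create and append masks both resolve to write permission.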