Getting started with AppArmor
AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
AppArmor
App sandboxing comes standard in Ubuntu Linux
What is
• it’s not a proper MAC tool
• just meant for app sandboxing
• can’t defend against root privilege escalation
• implemented as an LSM (Linux Security Module)
• apparmor-utils
  • init scripts, log parser for learning mode, policy generator
Development timeline
• 1998 born at WireX as SubDomain
• 2005 bought by Novell and renamed AppArmor
• 2007 Novell stops development
• Ubuntu 7.10 released!
• 2009 Canonical takes over from Novell; the project is reborn
• 2016 still in development as an open-source project
Features
• enforce mode is not the default: no policy means unconfined!
• policy split into profiles: one profile per executable
• policy can be modified by hand in a text editor
• loads all profiles at startup (both complain and enforce)
• path-based ACL (for loaded profiles)
• notifications to the user via aa-notify
How it works
• uses LSM
• path-based profiles (stored in /etc/apparmor.d)
• each profile manages…
  • accessible paths (permissions)
  • system capabilities the executable has
• complain mode to log (…and then learn)
• again: enforce mode is not the default. no policy means unconfined!
Out of the box
• Comes preinstalled and active since Ubuntu 7.10
• By default some profiles are already in enforcing mode, others in complain

Defaults in Ubuntu 16.04 after installation:

root@vm1:/home/francesco# aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/ubuntu-core-launcher
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   webbrowser-app
   webbrowser-app//oxide_helper
0 profiles are in complain mode.
0 processes are unconfined but have a profile defined.
Installation
• sudo apt-get install …
  • apparmor, the system itself
  • apparmor-utils, management utilities
  • apparmor-profiles, additional profiles
  • (optional) apparmor-notify, for a desktop notification upon an attempted violation
  • auditd, not part of AppArmor but needed for logs
Usage
• aa-status to see what’s active and what’s not
• aa-genprof to scaffold an (empty) profile
• aa-logprof to generate policy from the log (learning mode)
  • e.g. aa-logprof -f /var/log/audit/audit.log
• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)
• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
• apparmor_parser -R /etc/apparmor.d/profile.name to unload (ignore) a profile
• apparmor_parser -r /etc/apparmor.d/profile.name to reload (un-ignore) a profile
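The learning-mode step above (aa-logprof reading the audit log) can be illustrated with a small parser. This is an added example, not code from the slides or from the AppArmor project: it reads AppArmor AVC records, keeps only the DENIED ones and groups them per profile into candidate rule lines, the same raw material aa-logprof shows you. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample records in the format auditd writes for AppArmor events
# (not a real capture): four denials for vsftpd and one ALLOWED event for cupsd,
# which is what complain mode logs instead of blocking.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1465833600.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/shadow" pid=1234 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465833600.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/var/log/vsftpd.log" pid=1234 comm="vsftpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1465833600.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=77 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465833600.104:204): apparmor="DENIED" operation="capable" profile="/usr/sbin/vsftpd" pid=1234 comm="vsftpd" capability=2 capname="dac_read_search"
type=AVC msg=audit(1465833600.105:205): apparmor="DENIED" operation="exec" profile="/usr/sbin/vsftpd" name="/bin/sh" pid=1235 comm="vsftpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def denials(log_text):
    """Yield only records where AppArmor actually denied an operation.
    In complain mode the same events appear as apparmor="ALLOWED"."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' in line:
            yield parse_record(line)


def candidate_rules(log_text):
    """Group denials by profile and turn each into a candidate rule line.
    File denials become 'path mask,'; capability denials become
    'capability name,'; exec denials are emitted with a comment because the
    execute mode (ix/px/ux) is a human decision, exactly what aa-logprof
    prompts for. Everything returned is a proposal to review, not to apply."""
    rules = defaultdict(set)
    for rec in denials(log_text):
        profile = rec["profile"]
        if rec["operation"] == "capable":
            rules[profile].add(f'capability {rec["capname"]},')
        elif rec["operation"] == "exec":
            rules[profile].add(f'{rec["name"]} ix,  # exec mode needs review')
        else:
            # create/append/delete in the kernel mask are covered by 'w' in a rule
            mask = "".join(sorted({"w" if ch in "cad" else ch for ch in rec["denied_mask"]}))
            rules[profile].add(f'{rec["name"]} {mask},')
    return {profile: sorted(lines) for profile, lines in rules.items()}


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_AUDIT_LOG).items():
        print(f"{profile} {{")
        for rule in lines:
            print(f"  {rule}")
        print("}")
```

The /etc/shadow denial in the sample is the kind of candidate a reviewer rejects: learning mode only shows what the program tried, not what it should be allowed.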
Policy example (for vsftpd)
#include <tunables/global>
/usr/sbin/vsftpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  /dev/urandom r,
  /etc/fstab r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,
  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}

Callouts on the slide:
• wildcards (e.g. /etc/vsftpd.*, /pub/**)
• a path and its permissions (e.g. /var/log/xferlog w,)
• including rules from other pre-defined files (#include <abstractions/...>)
Permissions
• r read
• w write
• ux unconfined execute
• Ux unconfined execute, scrubbed environment
• px discrete profile execute
• Px discrete profile execute, scrubbed environment
• ix inherit execute
• m allow PROT_EXEC with mmap calls
• l link
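To see how the permission table applies to the vsftpd profile above, here is an added example (not code from the slides or from the AppArmor project) that parses a profile of that shape, splits each permission string into the tokens of the table, and flags the rules a reviewer would look at twice. The embedded profile is the slides' vsftpd example; the review criteria are this example's own convention.

```python
import re

# The vsftpd profile from the slides, embedded so the example runs offline.
VSFTPD_PROFILE = """\
#include <tunables/global>
/usr/sbin/vsftpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  /dev/urandom r,
  /etc/fstab r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,
  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}
"""

HEADER_RE = re.compile(r"^(?P<exe>/\S+)\s*\{$")                      # "/usr/sbin/vsftpd {"
INCLUDE_RE = re.compile(r"^#include\s+<(?P<file>[^>]+)>$")            # "#include <abstractions/base>"
RULE_RE = re.compile(r"^(?P<path>[@/]\S*)\s+(?P<perms>[A-Za-z]+),$")  # "/pub/** r,"


def split_perms(perms):
    """Split a permission string into the tokens of the slides' table:
    'rmix' -> ['r', 'm', 'ix']. An execute mode is the letter right before
    'x' plus the 'x' itself (ix, px, Px, ux, Ux); everything else is one letter."""
    tokens, i = [], 0
    while i < len(perms):
        if i + 1 < len(perms) and perms[i + 1] == "x":
            tokens.append(perms[i:i + 2])
            i += 2
        else:
            tokens.append(perms[i])
            i += 1
    return tokens


def parse_profile(text):
    """Return (executable, includes, rules); rules is a list of (path, tokens)."""
    exe, includes, rules = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}" or (line.startswith("#") and not line.startswith("#include")):
            continue  # blank line, closing brace or comment
        header, include, rule = HEADER_RE.match(line), INCLUDE_RE.match(line), RULE_RE.match(line)
        if header:
            exe = header["exe"]
        elif include:
            includes.append(include["file"])
        elif rule:
            rules.append((rule["path"], split_perms(rule["perms"])))
        else:
            raise ValueError(f"unparsed profile line: {line!r}")
    return exe, includes, rules


def review(rules):
    """Flag rules a profile reviewer looks at twice, using the permission
    semantics from the slides: ux/Ux lets the child run unconfined, w together
    with m or an execute mode makes a path both writable and runnable, and w
    under a ** wildcard grants recursive write access."""
    findings = []
    for path, tokens in rules:
        if "ux" in tokens or "Ux" in tokens:
            findings.append((path, "unconfined execute: child leaves the sandbox"))
        if "w" in tokens and any(t == "m" or t.endswith("x") for t in tokens):
            findings.append((path, "writable and executable/mappable"))
        if "w" in tokens and "**" in path:
            findings.append((path, "recursive write via ** wildcard"))
    return findings


if __name__ == "__main__":
    exe, includes, rules = parse_profile(VSFTPD_PROFILE)
    print(f"profile for {exe}: {len(includes)} includes, {len(rules)} path rules")
    for path, why in review(rules):
        print(f"  review: {path}: {why}")
```

On the slides' profile the only finding is the recursive write under @{HOME}/**, which is intended for user home directories but is worth knowing about when auditing a profile.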
The good
• friendly management tools
• policies easy to maintain
  • using audit.log and aa-logprof
• integrates with audit
• decent logs
• integrates with Ubuntu system notifications
The bad
• basic enforcement (e.g. can’t limit access to a range of TCP ports)
• useless against root privilege escalation (can be disabled or removed!)
• no memory protection
• buggy utilities (learning mode often not working)
Resources
• Official wiki (wiki.apparmor.net/)
• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)
• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
• irc.oftc.net #apparmor
• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
Questions?
Thank you!