Doug Stanley, 07/17/2010

An overview of AppArmor
What is it?
- An application security system
- Mandatory access control (MAC)
- Makes sure that applications behave as expected
- Can protect against zero-day and unknown flaws: the confined program is limited to the behaviour its profile allows, whatever the exploit tries to make it do
Brief history
- Originally created by Immunix
- Immunix acquired by Novell in 2005
- In 2007, Novell laid off the AppArmor staff
- Currently seems to be maintained by the community
Why AppArmor?
- Discretionary access control is not enough: a compromised process gets every permission of the user running it
- Hard to make applications 100% secure
- Define what "good" application behavior is and let the kernel reject everything else
- It's relatively easy to use
So, how does it work?
- Implemented as a Linux Security Module (LSM)
- Protects individual applications; more precisely, protects the system from applications
- Profiles define appropriate behavior for one program: the files it may access, the network it may use
- Uses POSIX capabilities: a profile lists the capabilities the program may use (net_raw, setuid, ...), and a confined process is denied the rest even when it runs as root
Some features of AppArmor
- Automated tools for creating profiles are available (aa-genprof, aa-logprof)
- Profiles are human-readable text files
- Path-based restrictions
- Filesystem neutral: no labels or extended attributes have to be stored on disk
- Ability to "include" profiles in other profiles (abstractions shared by many programs)
- Allows for having both enforced and complain profiles: in complain mode violations are only logged, which is how new profiles are learned
- Can also restrict network operations
- Tamperproof: enforcement lives in the kernel, not in the application, so the confined program cannot switch it off
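The learning workflow behind the "automated tools" and "complain profiles" bullets, as an added example that is not from the talk or from the AppArmor project: a simplified version of what aa-logprof does. It reads the kernel's AppArmor audit messages (the sample lines are constructed for the example and show a tcpdump profile in complain mode, one cupsd event and one unrelated kernel line), parses the key=value fields and turns each event into a candidate rule, merging the permissions seen on the same path. The dot-directory heuristic, the sample paths and the profile names are assumptions made for the example.

```python
"""Derive candidate AppArmor rules from kernel audit messages.

Added illustration of the learning step behind aa-logprof / aa-genprof; it is
not AppArmor's own code.  Complain-mode profiles log violations as
apparmor="ALLOWED", enforce-mode profiles as apparmor="DENIED"; both carry the
same fields, so one parser serves both.  The log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: a tcpdump profile in complain mode, one cupsd event in
# enforce mode, and one unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1279350000.101:17): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/home/doug/capture.pcap" pid=4242 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=1000
audit: type=1400 audit(1279350000.102:18): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/home/doug/.ssh/id_rsa" pid=4242 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1279350000.103:19): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/tcpdump" pid=4242 comm="tcpdump" capability=13  capname="net_raw"
audit: type=1400 audit(1279350000.104:20): apparmor="ALLOWED" operation="create" profile="/usr/sbin/tcpdump" pid=4242 comm="tcpdump" family="inet" sock_type="raw" protocol=1
kernel: eth0: link up, 1000Mbps, full-duplex
audit: type=1400 audit(1279350000.105:21): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/home/doug/capture.pcap" pid=4243 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1279350000.106:22): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=911 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Log masks spell create/delete as c/d; profile rules express both as w.
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwalkm"
# Assumed heuristic mirroring the tcpdump profile: dot-directories in $HOME
# hold credentials, so accesses there become audit deny rules for the reviewer.
DOTDIR_RE = re.compile(r"^/home/[^/]+/\.[^/]+(/|$)")


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, else None."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def file_perms(mask):
    """Normalise a log mask ("wc", "r") into profile permission letters."""
    perms = {MASK_TO_PERM.get(ch, ch) for ch in mask}
    return "".join(p for p in PERM_ORDER if p in perms)


def suggest_rules(log_text):
    """Map profile name -> candidate rules, permissions merged per path."""
    file_rules = defaultdict(lambda: defaultdict(set))
    other_rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        prof = ev.get("profile")
        if not prof:
            continue
        if ev.get("operation") == "capable":
            other_rules[prof].add("capability %s," % ev["capname"])
        elif "family" in ev:
            other_rules[prof].add("network %s %s," % (ev["family"], ev["sock_type"]))
        elif "name" in ev and "denied_mask" in ev:
            mask = ev["denied_mask"]
            if "x" in mask:
                # exec needs an ix/px/ux qualifier; leave that choice to the reviewer
                other_rules[prof].add("# exec of %s: choose ix/px/ux" % ev["name"])
            perms = file_perms(mask.replace("x", ""))
            if perms:
                file_rules[prof][ev["name"]].update(perms)
    result = {}
    for prof in set(file_rules) | set(other_rules):
        rules = sorted(other_rules[prof])
        for path, perms in sorted(file_rules[prof].items()):
            prefix = "audit deny " if DOTDIR_RE.match(path) else ""
            letters = "".join(p for p in PERM_ORDER if p in perms)
            rules.append("%s%s %s," % (prefix, path, letters))
        result[prof] = rules
    return result


if __name__ == "__main__":
    for prof, rules in sorted(suggest_rules(SAMPLE_LOG).items()):
        print(prof + " {")
        for rule in rules:
            print("  " + rule)
        print("}")
```

aa-logprof presents each of these candidates to a human rather than writing them into the profile unseen; the profile is only as tight as the decisions taken at that step, which is why the `.ssh` access above is offered as an `audit deny` rule instead of an allow.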
Some drawbacks of AppArmor
- Path-based restrictions: a rule applies to a path, not to the object behind it, so the same file reached through a hard link or a bind mount can get a different answer
- Too "easy"? Tool-driven profiling invites accepting whatever the learning run happened to observe
- Not truly complete mediation
- Only protects applications for which a profile exists; everything else runs unconfined
AppArmor vs SELinux
- Path-based vs label-based: AppArmor names the paths a program may touch; SELinux labels every subject and object and checks each pair against the policy
- How they're integrated in the system: both are LSMs, but SELinux needs filesystem support (extended attributes) to store its labels
- Managed differently: AppArmor profiles are per-program text files; SELinux policy is compiled and loaded as a whole
Anatomy of a profile

Sample profile for tcpdump from the Ubuntu wiki [1]:

    #include <tunables/global>

    /usr/sbin/tcpdump {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>

      capability net_raw,
      capability setuid,
      capability setgid,
      capability dac_override,
      network raw,
      network packet,

      # for -D
      capability sys_module,
      @{PROC}/bus/usb/ r,
      @{PROC}/bus/usb/** r,

      # for -F and -w
      audit deny @{HOME}/.* mrwkl,
      audit deny @{HOME}/.*/ rw,
      audit deny @{HOME}/.*/** mrwkl,
      audit deny @{HOME}/bin/ rw,
      audit deny @{HOME}/bin/** mrwkl,
      @{HOME}/ r,
      @{HOME}/** rw,

      /usr/sbin/tcpdump r,
    }

Reading it from the top:
- The header names the program the profile confines; it applies when /usr/sbin/tcpdump is executed.
- #include pulls in shared rule sets (abstractions) and the variable definitions in tunables, which supply @{PROC} and @{HOME}.
- capability lines are the only POSIX capabilities tcpdump may use; network lines are the socket types it may open.
- Every other line is a file rule: a path, possibly with * (within one directory) or ** (across directories), followed by permission letters (r read, w write, m mmap executable, k lock, l link).
- deny rules take precedence over allow rules regardless of where they appear, so @{HOME}/** rw does not reopen the dot-directories; audit makes those denials show up in the log, which an explicit deny would otherwise keep quiet.

For a complete list of capabilities, see [18].
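To make the rule semantics concrete, an added example that is not from the talk and not AppArmor's own code: a small matcher for the file rules of the profile above. It models @{PROC} and @{HOME} expansion (values assumed here; on a real system they come from tunables), `*` staying within one path component while `**` crosses directories, and a matching deny rule winning over any allow rule whatever the order in the file. It also shows the path-based drawback listed earlier: the same file reached by another path, such as a hard link created outside the dot-directory, gets a different answer. Real AppArmor compiles profiles to a DFA in the kernel and mediates many more rule types; the capability and network lines are left out because this matcher only answers file questions.

```python
"""Minimal AppArmor file-rule matcher (added illustration, not AppArmor code).

Parses the file rules of the tcpdump profile shown above and answers "would
this profile let the confined process access path P with mode M?".  Only the
parts the slides discuss are modelled: @{VAR} expansion, * / ** globbing,
order-independent precedence of deny over allow, and path-string matching.
"""
import re
from dataclasses import dataclass

# Assumed values of the tunables variables used by the profile.
VARIABLES = {"@{PROC}": "/proc", "@{HOME}": "/home/doug"}

# The file rules of the profile above (capability/network rules and the
# #include'd abstractions are omitted: this matcher only mediates files).
PROFILE = """
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,
  /usr/sbin/tcpdump r,
"""

RULE_RE = re.compile(r"^(?:(audit)\s+)?(?:(deny)\s+)?(\S+)\s+([a-zA-Z]+),$")


@dataclass
class FileRule:
    deny: bool
    audit: bool
    pattern: "re.Pattern"
    perms: set


def glob_to_regex(path):
    """AppArmor globbing: '*' matches within one path component, '**' also
    crosses '/', '?' matches one character; all else is literal."""
    out, i = "", 0
    while i < len(path):
        if path.startswith("**", i):
            out, i = out + ".*", i + 2
        elif path[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif path[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(path[i]), i + 1
    return re.compile("^" + out + "$")


def expand(path):
    for name, value in VARIABLES.items():
        path = path.replace(name, value)
    return path


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        audit, deny, path, perms = m.groups()
        rules.append(FileRule(bool(deny), bool(audit),
                              glob_to_regex(expand(path)), set(perms)))
    return rules


def check(rules, path, mode):
    """Return 'allow', 'deny' or 'deny (audit)'.  Permissions accumulate over
    all matching allow rules; any matching deny rule strips its permissions
    again, no matter where it appears; anything never granted is denied."""
    allowed, denied, audited = set(), set(), False
    for r in rules:
        if not r.pattern.match(path):
            continue
        if r.deny:
            denied |= r.perms
            audited = audited or r.audit
        else:
            allowed |= r.perms
    wanted = set(mode)
    if wanted & denied:
        return "deny (audit)" if audited else "deny"
    return "allow" if wanted <= allowed else "deny"


if __name__ == "__main__":
    rules = parse_rules(PROFILE)
    for path, mode in [("/home/doug/capture.pcap", "rw"),
                       ("/home/doug/.ssh/id_rsa", "r"),
                       ("/home/doug/id_rsa", "r"),      # hard link to the same inode
                       ("/proc/bus/usb/001/002", "w"),
                       ("/usr/sbin/tcpdump", "w")]:
        print("%-28s %-3s %s" % (path, mode, check(rules, path, mode)))
```

The third query is the path-based caveat in one line: the profile cannot stop tcpdump from reading `/home/doug/id_rsa` if some other process has hard-linked the key there, because nothing in the rules names that path. The `l` permission in the `audit deny` lines stops tcpdump itself from creating such a link, which is as far as a path-based profile can go.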
Principles of secure design
- Least privilege
- Fail-safe defaults
- Complete mediation (for protected applications)
- Defense in depth
- Open design
- Privilege separation
- Psychological acceptance
Conclusion
- Psychologically acceptable
- Good balance of ease of use and security
- Not overly confusing
- Application developers can create profiles for users
- Effective
References
[1] https://wiki.ubuntu.com/AppArmor
[2] http://en.wikipedia.org/wiki/AppArmor
[3] http://www.linux-magazine.com/Issues/2006/69/COUNTERPOINT
[4] http://developer.novell.com/wiki/index.php/Apparmor_FAQ
[5] http://www.novell.com/linux/security/apparmor/selinux_comparison.html
[6] http://developer.novell.com/wiki/index.php/Apparmor_FAQ (same as [4])
[7] https://help.ubuntu.com/9.10/serverguide/C/apparmor.html
[8] http://www.nuxified.org/blog/novells_comparison_of_apparmor_and_selinux
[9] https://apparmor.wiki.kernel.org/index.php/Documentation
[10] http://en.wikipedia.org/wiki/SELinux
[11] http://en.wikipedia.org/wiki/Linux_Security_Modules
[12] http://en.wikipedia.org/wiki/Immunix
[13] http://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-cowan.pdf
[14] http://www.linux-magazine.com/w3/issue/69/AppArmor_vs_SELinux.pdf
[15] http://www.ratliff.net/blog/2007/10/03/security-design-principles/
[16] http://selinuxproject.org/page/FAQ
[17] http://manpages.ubuntu.com/manpages/karmic/en/man7/apparmor.7.html
[18] http://manpages.ubuntu.com/manpages/karmic/en/man7/capabilities.7.html