How To Use AppArmor to Lock Down Linux Applications
Watch this video tutorial to learn how to install, configure, and manage AppArmor for enhanced Linux security.
The video tutorial by Grant Knoetze introduces AppArmor, a Linux security module that restricts application behavior. It explains how to check, install, configure, and manage AppArmor. The tutorial also covers creating and enforcing profiles to control application permissions and switching between enforce and complain modes for better application security management.
The transcript below has been edited for clarity and length.
Transcript:
Grant Knoetze: Today, we're exploring a powerful tool for enhancing Linux security: AppArmor.
AppArmor can be a game-changer if you're looking to secure applications and minimize the impact of potential vulnerabilities. We will cover what AppArmor is, how it works, and how to set up AppArmor on your Linux environment in just a few simple steps. Let's go ahead and get started.
What Is AppArmor?
Per the AppArmor webpage, AppArmor is a Linux security module that helps enforce restrictions on how applications interact with the operating system. Think of it as a security fence. It limits what applications can and can't do, reducing the risk of a compromised app causing systemwide issues.
AppArmor uses profiles to control the permissions of individual applications. These profiles specify the resources (like files, networks, and processes) an app can access. It can even block an app from executing specific commands.
Check If AppArmor Is Installed
One of the first things to do is check if AppArmor exists on the system already. Most Linux distributions like Ubuntu come with AppArmor preinstalled, but let's ensure it's running. I'm going to run this command in my Ubuntu terminal:
sudo apparmor_status
We can see that AppArmor is installed and running.
Install AppArmor
Installing AppArmor is easy if it is not on your system. Since we're on a Debian-based system, I will use apt as the package manager. If you are using a Red Hat-based system, you use yum.
We will type:
sudo apt install apparmor
This command will update AppArmor since it's already on my system. However, if AppArmor weren't installed, the command would install AppArmor for you.
Configure AppArmor
Now that we know AppArmor is already running, we can check that it starts automatically whenever the system boots up. You're going to use systemctl for these commands:
sudo systemctl enable apparmor
Hit Enter. We can see that it's busy synchronizing and enabling AppArmor.
After enabling AppArmor, I can start it using the start command:
sudo systemctl start apparmor
Okay, AppArmor has started. We can go ahead and verify this using the status command:
sudo systemctl status apparmor
What Are AppArmor Profiles?
Let's discuss profiles now that we know AppArmor is installed and running.
Profiles are like specific security rules for each application. They define which application is allowed to do what.
Let's see a profile. You can use this command:
ls /etc/apparmor.d/
Hit Enter. Profiles are stored in /etc/apparmor.d. You'll see profiles here for standard applications.
You can set profiles in either "complain" or "enforce" mode. Complain mode logs policy violations without blocking them, while enforce mode actively blocks anything not allowed by the profile.
Create and Enforce Profiles
Let's discuss creating and enforcing profiles. We will create a profile for an application and set it to enforce mode. In this example, we will call the profile “myapp.” I've already made a directory called /myapp. We will type:
sudo aa-genprof /usr/bin/myapp
Hit Enter. We can see that AppArmor is working. It's updating AppArmor profiles, writing updated profiles for /usr/bin/myapp, and setting /usr/bin/myapp to complain mode.
So, I will type F for “Finish” here. It has created a profile for myapp. The default is to set it to complain mode.
Now, let's put this app into enforce mode:
sudo aa-enforce /etc/apparmor.d/usr.bin.myapp
We hit Enter. It has set AppArmor to enforce mode. AppArmor will now restrict the app according to the rules we've defined.
Switch a Profile to Complain Mode
If you're unsure how an app should behave, you might want to switch back to complain mode to collect information without blocking it. Here's how.
To change an existing profile, open it in your favorite editor. Profiles use a straightforward syntax that specifies file permissions, network access, and more. Let's open a configuration file. I love the Nano command-line text editor and will use it for this.
sudo nano /etc/apparmor.d/usr.bin.myapp
Hit Enter. The configuration file has been opened inside Nano. We can change rules directly from within here. Press CTRL + X to get out.
Conclusion
That's it. You have set up AppArmor, created a profile, and learned to switch between complain and enforce modes.
AppArmor is a powerful tool that adds an extra layer of security to your Linux environment. With a bit of customization, you can tailor it to any application.
Thanks for watching. Give a thumbs up and consider subscribing for more Linux security tips if this video helps you secure your Linux environment.
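Editor's added example (not from the video or from the AppArmor project): a profile of the kind stored at /etc/apparmor.d/usr.bin.myapp, showing the rule syntax and how complain mode appears in the file. The /etc/myapp and /var/log/myapp paths and the individual rules are assumptions for the hypothetical myapp.

```apparmor
# Constructed profile for the transcript's hypothetical /usr/bin/myapp.
# The /etc/myapp and /var/log/myapp paths are assumptions for illustration.
#include <tunables/global>

# flags=(complain) is how complain mode is recorded in the profile:
# violations are logged but allowed. In enforce mode the header carries
# no complain flag:
#   /usr/bin/myapp {
/usr/bin/myapp flags=(complain) {
  #include <abstractions/base>

  # The binary itself: may be memory-mapped as executable (m) and read (r).
  /usr/bin/myapp mr,

  # Configuration is read-only; log files may be written.
  /etc/myapp/** r,
  /var/log/myapp/*.log w,

  # Allow IPv4 TCP sockets only.
  network inet stream,

  # Explicit deny rules are still enforced in complain mode.
  deny /etc/shadow r,
}
```

After editing a profile by hand, reload it with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.myapp`. The counterpart of `aa-enforce` for returning a profile to complain mode is `sudo aa-complain /etc/apparmor.d/usr.bin.myapp`.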