Securing Your System with AppArmor

AppArmor (Application Armor) is a Linux security module that provides mandatory access control (MAC) for programs, allowing administrators to confine programs to a limited set of resources. It is an excellent way to enhance security by enforcing restrictive policies on applications, preventing them from performing unauthorized actions even if compromised.

In this article, we’ll cover how to set up AppArmor on Debian-based systems, with a specific example of configuring it to secure an Apache2 web server with a document root located in /opt/website.

1. Installing and enabling AppArmor

First, ensure that AppArmor is installed and enabled on your Debian-based system. By default, AppArmor is included in most Debian distributions, but you can install the necessary tools with the following commands:

sudo apt update
sudo apt install apparmor apparmor-utils apparmor-profiles

After installation, check if AppArmor is enabled:

sudo aa-status

If AppArmor is running, you should see something like:

apparmor module is loaded.

If it’s not enabled, you may need to reboot your system or modify the GRUB configuration to enable it:

  1. Edit the GRUB configuration:

     sudo nano /etc/default/grub

  2. Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT and add apparmor=1 security=apparmor to it:

     GRUB_CMDLINE_LINUX_DEFAULT="quiet splash apparmor=1 security=apparmor"

  3. Update GRUB and reboot:

     sudo update-grub
     sudo reboot

2. Creating an AppArmor profile for Apache2

Apache2 comes with a default AppArmor profile, but we need to customize it to allow access to a document root in /opt/website.

2.1. Locate the Default Apache2 Profile

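The default profile for Apache2 is located in /etc/apparmor.d/usr.sbin.apache2. Instead of modifying the original, we will put our rules in a local file that this profile includes. The local rules are added to the default profile's rules, and they only take effect if the default profile contains an include line for local/usr.sbin.apache2.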

2.2. Create a local override file

Create a directory for the new profile if it doesn’t exist:

sudo mkdir -p /etc/apparmor.d/local

Now create a local override file for Apache2:

sudo nano /etc/apparmor.d/local/usr.sbin.apache2

2.3. Add permissions for the new document root

Add the following lines to grant Apache2 the necessary permissions to access the new document root:

/opt/website/ r,
/opt/website/** r,

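This configuration allows Apache2 to read the /opt/website directory and everything beneath it. The rules grant read access only (r), so write and execute access to the document root are not granted by them.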

2.4. Apply the changes

To apply the changes, reload the AppArmor profiles:

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

You can also restart Apache2 to ensure everything is working correctly:

sudo systemctl restart apache2

3. Verifying AppArmor enforcement

After applying the new profile, you should verify that AppArmor is enforcing the restrictions correctly.

3.1. Check AppArmor status

To check the status of AppArmor and see which profiles are loaded, use:

sudo aa-status

You should see the Apache2 profile listed under “profiles are in enforce mode.”

3.2. Test access to the document root

To ensure the profile works as expected, try accessing files within the document root from your browser or via curl:

curl http://localhost/index.html

If AppArmor is configured correctly, Apache2 should be able to serve files from /opt/website.

3.3. Review AppArmor logs

If something isn’t working as expected, you can check the AppArmor logs for denied actions:

sudo journalctl -e | grep apparmor

This log will help you diagnose and adjust your AppArmor profiles as necessary.

4. Tuning and troubleshooting

4.1. Debugging profile issues

If your application isn’t working correctly under AppArmor, you can put the profile in complain mode instead of enforce mode. This mode allows all actions but logs any that would have been denied:

sudo aa-complain /etc/apparmor.d/usr.sbin.apache2

In complain mode, you can gather information about what actions are being restricted and adjust the profile accordingly.
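The log review from sections 3.3 and 4.1, as an added example that is not part of the original article: a Python script that groups AppArmor audit events for the Apache2 profile by path and access mask, then lists candidate rule lines to review. The log lines are constructed samples, and the function names belong to this example only.

```python
import re
from collections import Counter

# Constructed sample kernel audit lines (not captured from a real system).
SAMPLE_LOG = """\
Jan 10 12:00:01 web kernel: audit: type=1400 audit(1704888001.101:210): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/opt/website/index.html" pid=812 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jan 10 12:00:02 web kernel: audit: type=1400 audit(1704888002.330:211): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/opt/website/index.html" pid=813 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jan 10 12:05:09 web kernel: audit: type=1400 audit(1704888309.004:215): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/apache2" name="/opt/website/uploads/a.tmp" pid=812 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
Jan 10 12:06:00 web kernel: audit: type=1400 audit(1704888360.000:216): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/apache2" pid=900 comm="apparmor_parser"
Jan 10 12:07:00 web sshd[1]: unrelated line mentioning apparmor
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def summarize(log_text, profile="/usr/sbin/apache2"):
    """Count accesses that were denied (enforce) or would have been (complain)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # skip STATUS and other non-access events
        counts[(ev["apparmor"], ev.get("name", "?"), ev.get("denied_mask", "?"))] += 1
    return counts

def rule_perms(mask):
    """Logs report c (create) and d (delete); profile rules express both as w."""
    return "".join(dict.fromkeys(mask.replace("c", "w").replace("d", "w")))

def candidate_rules(counts):
    """One rule line per distinct path and mask, to be reviewed before use."""
    return sorted({f"{name} {rule_perms(mask)}," for (_, name, mask) in counts})

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    for (verdict, name, mask), n in sorted(c.items()):
        print(f"{n:3d}  {verdict:8s} {mask:3s} {name}")
    print("\n".join(candidate_rules(c)))
```

A write request such as the uploads entry goes beyond the read-only rules from section 2.3, so add a rule for it only if Apache2 is meant to write there.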

4.2. Moving back to enforce mode

Once you’ve tuned the profile, you can switch it back to enforce mode:

sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2

Conclusion

AppArmor is a powerful tool for securing your applications on Debian-based systems. By following the steps in this guide, you can set up and configure AppArmor to protect an Apache2 web server with a custom document root. While this guide covers a specific example, the same principles can be applied to any application you wish to secure with AppArmor. With careful tuning and monitoring, AppArmor can be a key part of your system’s defense-in-depth strategy.
