AppArmor for Beginners presented at BSidesLuxembourg 2018

by Gyorgy Demarcsek

Summary: In this workshop we explore how AppArmor can be used to sandbox processes on Linux in practice, both to reduce attack surface and to contain post-exploitation activity. A short theoretical introduction is followed by these practical tasks and topics:

- Checking AppArmor status and the related kernel parameters
- Loading AppArmor and its policies at boot time
- Checking the security context (confinement) of running processes
- Creating AppArmor profiles with the automated tools (aa-autodep, aa-genprof, aa-logprof, etc.)
- Basics of the AppArmor profile language
- Understanding and using the common profile abstractions (/etc/apparmor.d/abstractions)
- Inspecting and interpreting AppArmor logs, for debugging and for monitoring
- Basic profile management tasks and utilities (aa-enforce, aa-complain, aa-disable, apparmor_parser, etc.)

After these smaller exercises we write a profile for a Python web application that shells out to a vulnerable third-party CLI tool (ImageMagick's convert). We will see how AppArmor can shield the web application from certain vulnerabilities in third-party components and in the web service itself: the confined process can still be exploited, but what the exploit can reach is limited by policy. Finally, we learn how the AppArmor userspace API (aa_change_profile and aa_change_hat) can be used to implement privilege separation inside the application, further improving its security.
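The following is an added example, not material from the workshop or from the presenter. It sketches the end-to-end scenario the summary describes for the Python web application: an illustrative profile that puts ImageMagick's convert into a child profile with no network and no exec, a hat for handling untrusted uploads, a parser for the AppArmor audit lines you read when debugging such a profile (with constructed sample log lines), and a wrapper around libapparmor's aa_change_hat/aa_change_profile via ctypes. All paths (/srv/imgapp, /usr/bin/convert, the profile and hat names) are assumptions; the log lines are constructed, not captured from a real system.

```python
"""Added example: confining a Python web app plus ImageMagick with AppArmor."""
import ctypes
import ctypes.util
import os
import re
import secrets

# Illustrative profile (assumed paths). Install and load with, for example:
#   sudo cp imgapp.profile /etc/apparmor.d/srv.imgapp.app.py
#   sudo apparmor_parser -r /etc/apparmor.d/srv.imgapp.app.py   # load/replace
#   sudo aa-complain /srv/imgapp/app.py   # log-only while developing the policy
#   sudo aa-enforce  /srv/imgapp/app.py   # enforce once the log is clean
IMGAPP_PROFILE = r"""
#include <tunables/global>

/srv/imgapp/app.py {
  #include <abstractions/base>
  #include <abstractions/python>
  #include <abstractions/nameservice>

  network inet stream,
  /usr/bin/python3* ix,
  /srv/imgapp/** r,
  /srv/imgapp/uploads/** rw,

  # convert runs in its own child profile: a bug in ImageMagick cannot
  # spawn a shell or call out to the network from there.
  /usr/bin/convert cx -> convert,
  profile convert {
    #include <abstractions/base>
    /usr/bin/convert mr,
    /usr/lib/**/ImageMagick*/** mr,
    /etc/ImageMagick*/** r,
    /srv/imgapp/uploads/** rw,
    owner /tmp/magick-* rw,
    deny network,
    deny /** x,
  }

  # Hat entered with aa_change_hat() while parsing an untrusted upload.
  ^upload {
    #include <abstractions/base>
    #include <abstractions/python>
    /srv/imgapp/uploads/** rw,
    deny /srv/imgapp/config.py r,
    deny network,
  }
}
"""

# Constructed sample audit lines (the format AppArmor emits via audit/dmesg).
SAMPLE_LOG = [
    'audit: type=1400 audit(1529000000.100:201): apparmor="ALLOWED" operation="open" profile="/srv/imgapp/app.py" name="/srv/imgapp/uploads/cat.jpg" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=33 ouid=33',
    'audit: type=1400 audit(1529000000.200:202): apparmor="DENIED" operation="exec" profile="/srv/imgapp/app.py//convert" name="/bin/sh" pid=4250 comm="convert" requested_mask="x" denied_mask="x" fsuid=33 ouid=0',
    'audit: type=1400 audit(1529000000.300:203): apparmor="DENIED" operation="open" profile="/srv/imgapp/app.py//upload" name="/srv/imgapp/config.py" pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    'audit: type=1400 audit(1529000000.400:204): apparmor="DENIED" operation="exec" profile="/srv/imgapp/app.py//convert" name="/bin/sh" pid=4251 comm="convert" requested_mask="x" denied_mask="x" fsuid=33 ouid=0',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_log(line):
    """Turn one audit line into a dict of key=value fields (quotes stripped).
    Returns None for lines that are not AppArmor events."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return fields if "apparmor" in fields else None


def summarize_denials(lines):
    """Unique (profile, operation, name, denied_mask) tuples for DENIED events,
    in first-seen order. ALLOWED entries come from complain mode and are the
    rules aa-logprof would offer to add; DENIED entries are what enforce mode
    actually blocked."""
    seen = []
    for line in lines:
        ev = parse_apparmor_log(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        key = (ev.get("profile"), ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
        if key not in seen:
            seen.append(key)
    return seen


def apparmor_enabled():
    """True if the running kernel has AppArmor enabled (kernel parameter)."""
    try:
        with open("/sys/module/apparmor/parameters/enabled") as f:
            return f.read().strip() == "Y"
    except OSError:
        return False


def current_confinement(pid="self"):
    """Confinement label of a process, e.g. 'unconfined' or
    '/srv/imgapp/app.py//upload (enforce)'; None if not readable."""
    for path in (f"/proc/{pid}/attr/apparmor/current", f"/proc/{pid}/attr/current"):
        try:
            with open(path) as f:
                return f.read().strip()
        except OSError:
            continue
    return None


def _libapparmor():
    path = ctypes.util.find_library("apparmor")
    if path is None:
        return None
    lib = ctypes.CDLL(path, use_errno=True)
    lib.aa_change_hat.argtypes = [ctypes.c_char_p, ctypes.c_ulong]
    lib.aa_change_hat.restype = ctypes.c_int
    lib.aa_change_profile.argtypes = [ctypes.c_char_p]
    lib.aa_change_profile.restype = ctypes.c_int
    return lib


class ConfinementError(OSError):
    pass


def run_in_hat(hat, fn, *args):
    """Run fn(*args) inside subprofile `hat` of the current profile, then return
    to the parent profile. The magic token is what lets the caller leave the hat
    again, so it must be unpredictable and must never reach attacker-controlled
    code; a hat limits what a compromised handler can touch, not what it can
    read from its own memory."""
    lib = _libapparmor()
    if lib is None:
        raise ConfinementError("libapparmor not available")
    token = secrets.randbits(8 * ctypes.sizeof(ctypes.c_ulong))
    if lib.aa_change_hat(hat.encode(), token) != 0:
        e = ctypes.get_errno()
        raise ConfinementError(e, os.strerror(e))
    try:
        return fn(*args)
    finally:
        if lib.aa_change_hat(None, token) != 0:   # NULL hat name = back to parent
            e = ctypes.get_errno()
            raise ConfinementError(e, os.strerror(e))


def drop_to_profile(name):
    """One-way transition into another loaded profile (aa_change_profile);
    unlike a hat there is no token and no way back."""
    lib = _libapparmor()
    if lib is None:
        raise ConfinementError("libapparmor not available")
    if lib.aa_change_profile(name.encode()) != 0:
        e = ctypes.get_errno()
        raise ConfinementError(e, os.strerror(e))
```

Usage in the request handler would be `run_in_hat("upload", parse_upload, path)` before convert is invoked; the `cx -> convert` rule then confines the child automatically on exec, with no code change in the application. Both API calls need the calling process to already be confined by a profile that declares the hat or allows the transition; from an unconfined process they fail with a permission error, which is why `current_confinement()` is worth checking first when debugging.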