So you have your Docker Containers deployed, which in turn are hosting critical applications of your organization? Great! So far, so good! For the interest of the organization, it remains extremely crucial to keep not only the Containers but also the hosted applications protected from security threats. By default, a deployed Docker originally remains secured through an auto-generated profile docker-default for its containers. This profile, however, provides moderate security on the application level, and thus it remains highly recommended to implement a security profile through AppArmor which works at the process/program level of an application. What is AppArmor? AppArmor (Application Armor) is a Linux Security Module that allows implementing security on a program/process level. Specifically developed security profiles through AppArmor can allow capabilities like folder access, network access, and permission(or not) to read, write, or execute files. One of the beauties of AppArmor is that it allows a which logs profile violations without preventing them proactively. The Log eventually helps administrators to create a security profile which forms a much hardened security armor based on an application's process execution. Default Security policies when clubbed with Logs, help forming security policies for even very complex applications in quick turnaround. Learning Mode Learning Mode Learning Mode AppArmor proactively protects the operating system and applications from external or internal threats and even zero-day attacks by enforcing a specific rule set on a per-application basis. Security policies completely define what system resources individual applications can access, and with what privileges. Access is denied by default if no profile says otherwise. Installing and Enabling AppArmor Though AppArmor comes inbuilt with all Linux Kernels, it is not by default the security profile loaded with every boot. Apparmor can be set as the default security profile on every boot by setting the following parameter on kernel : apparmor= security=apparmor CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE= CONFIG_DEFAULT_SECURITY_APPARMOR=y 1 1 To load all AppArmor security profiles on boot, . enable apparmor.service Display AppArmor loaded profiles The system default AppArmor comes with a number of security profiles, on top of which an administrator can add his own security profiles based on the . To check the list of AppArmor security profiles correctly loaded : Learning Mode $ aa-enabled ------------ Yes To display the current loaded status use : apparmor_status 29 profiles are loaded. 29 profiles are enforce mode. ... 0 profiles are complain mode. 0 processes have profiles defined. 0 processes are enforce mode. 0 processes are complain mode. 0 processes are unconfined but have a profile defined. # apparmor_statusapparmor module is loaded. in in in in Above you can see the loaded profiles and processes with their respective statuses. Parsing AppArmor profiles AppArmor allows a number of options using to parse either its default or custom generated profiles. is widely used to load, unload, debug, remove, replace, cache and match-strings within profiles out of the other available options. apparmor_parser apparmor_parser - Default Action to load a new profile in enforce mode. - Loading a new profile in complain mode. - Overwrite an existing profile. - Remove an existing profile in the kernel. - Display the profile version. - Display reference guide. -a -C -r -R -V -h Understanding AppArmor profiles AppArmor profiles are text files found under . A quick look into a profile file explains its execution as shown below: /etc/apparmor.d/ /etc/apparmor.d/usr.bin.test profile /usr/lib/ /test_binary { /usr/share/TEST/** r, /usr/lib/TEST/** rm, @{HOME}/.config/ r, @{HOME}/.config/TEST/** rw, } #include <tunables/global> test test #include <abstractions/base> # Main libraries and plugins # Configuration files and logs Strings following the symbol are variables defined under abstractions ( ), tunables ( ) or by the profile itself. includes other profile-files directly. Paths followed by a set of characters are while the helps with pattern matching. @ /etc/apparmor.d/abstractions/ /etc/apparmor.d/tunables/ #include access permissions Globbing Syntax Commonly used command options on profile files : - reading data - creating, deleting or write on an existing file - executing a file - memory mapping an executable file r w x m Creating a new AppArmor profile Creating an AppArmor profile can be done through a or S method. Systemic tand-Alone 1) Stand-Alone Profile Creation ( ) : Used for creating a profile affecting single program/application which runs for a finite amount of time, such as a web browsing client, mail client, etc. Though a Stand-Alone profile is comparatively quicker and easier to be developed, it comes with its own limitations as such the profiling is lost on a reboot. A profile can be created through AppArmor's profile generating utility. It runs on the specified program/application by creating an approximate profile, sets it to complain mode, reloads it into AppArmor, marks the log, and prompts the user to execute the program and exercise its functionality. aa-genprof Stand-Alone aa-genprof aa-autodep aa-genprof [ -d /path/to/profiles ] PROGRAM 2) Systemic Profile Creation ( ): Used for creating a profile affecting multiple programs and/or applications that runs indefinitely or continuously across reboots, such as network server applications like mail servers, security policies, etc. This method updates all of the profiles on the system at once, as opposed to one or a few targeted by profiling. aa-autodep Stand-Alone Steps to create Systemic profile for a program : Run an initial to create an approximate profile for a program - this lets AppArmor consider the program for monitoring. aa-autodep Activate learning or complain mode for all profiled programs by entering aa-complain /etc/apparmor.d/* Run the application. Ensure that the running program gets to access each file representing its access needs. As a result, the execution might run for several days through multiple system reboots. Analyze the log with . aa-logprof Repeat Step 3 and Step 4 to generate an optimal profile. Subsequent iterations generate fewer messages and run faster. Systemic Edit the profiles in as required. /etc/apparmor.d/ Return to enforce mode using which eventually enforces the rules of the profiles. aa-enfore /etc/apparmor.d/* Rescan all kernel profiles to ensure no conflict. Modifying an existing AppArmor profile Monitor the system for AppArmor denials dmesg, /var/log/kern.log, /var/log/messages, etc aa-notify Run to update the policy aa-logprof Disabling AppArmor In case you would like to disable AppArmor for the current session, you can do so by clearing out all AppArmor profiles for the current session by # aa-teardown. Additionally, to prevent the kernel from loading AppArmor profiles at the next boot and from kernel parameters. disable apparmor.service remove apparmor=1 security=apparmor AppArmor when implemented properly, provides an enhanced level of security to the deployed containers at a program level. There are endless possibilities of creating varied profiles through , and hence makes it stand apart from the system generated profile. Learning Mode docker-default
