12.2 Ensure the Apache AppArmor Profile Is Configured Properly

Information

AppArmor includes customizable profiles that may be used to confine the Apache web server to enforce least privileges so the server has only the minimal access to specified directories, files, and network ports. Access is controlled by a profile defined for the apache2 process. The default AppArmor profile is typically a very permissive profile that allows read-write access to all system files. Therefore, it's important that the default profile be customized to enforce least privileges. The AppArmor utilities such as 'aa-autodep', 'aa-complain', and 'aa-logprof' can be used to generate an initial profile based on actual usage. However, thorough testing, review, and customization will be necessary to ensure the Apache profile restrictions allow the necessary functionality while implementing least privilege.

Rationale:

With the proper implementation of an AppArmor profile, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read an inappropriate system files may be prevented from execution by AppArmor because the inappropriate files are not allowed by the profile. Likewise, writing to an unexpected directory or executing unexpected content can be prevented by similar mandatory security controls enforced by AppArmor.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following to implement the recommended state:

1. Stop the Apache server.

# service apache2 stop

2. Create a mostly empty apache2 profile based on program dependencies.

# aa-autodep apache2
Writing updated profile for /usr/sbin/apache2.

3. Set the apache2 profile in complain mode so access violations will be allowed and will be logged.

# aa-complain apache2
Setting /usr/sbin/apache2 to complain mode.

4. Start the apache2 service.

# service apache2 start

5. Thoroughly test the web application, attempting to exercise all intended functionality so AppArmor will generate the necessary logs of all resources accessed. The logs are sent via the system syslog utility and are typically found in either the '/var/log/syslog' or '/var/log/messages' files. Also stop and restart the web server as part of the testing process.
6. Use 'aa-logprof' to update the profile based on logs generated during the testing. The tool will prompt for suggested modifications to the profile, based on the logs. The logs may also be reviewed manually in order to update the profile.

# aa-logprof

7. Review and edit the profile, removing any inappropriate content and adding appropriate access rules. Directories with multiple files accessed with the same permission can be simplified with the usage of wild-cards when appropriate. Reload the updated profile using the 'apparmor_parser' command.

# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

8. Test the new updated profile again, checking for any new apparmor denied logs generated. Update and reload the profile as necessary. Repeat the application tests until no new apparmor deny logs are created, except for access which should be prohibited.

# tail -f /var/log/syslog

9. Set the apache2 profile to enforce mode, reload apparmor, and test the web site functionality again.

# aa-enforce /usr/sbin/apache2
# /etc/init.d/apparmor reload

See Also

https://workbench.cisecurity.org/files/2020