12.2 Ensure the Apache AppArmor Profile Is Configured Properly

Information

AppArmor includes customizable profiles that may be used to confine the Apache web server to enforce least privileges so that the server has only the minimal access to specified directories, files and network ports. Access is controlled by a profile defined for the apache2 process. The default AppArmor profile is typically a very permissive profile that allows read-write access to all system files. Therefore, it's important that the default profile be customized to enforce least privileges. The AppArmor utilities such as aa-autodep, aa-complain, and aa-logprof can be used to generate an initial profile based on actual usage. However thorough testing, review and customization will be necessary to ensure that the Apache profile restrictions allow necessary functionality while implementing least privilege.

Rationale:

With the proper implementation of AppArmor profile, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read an inappropriate system files may be prevented from execution by AppArmor because the inappropriate files are not allowed by the profile. Likewise writing to an unexpected directory or execution of unexpected content can be prevented by similar mandatory security controls enforced by AppArmor.

Solution

Perform the following to implement the recommended state:

Stop the Apache server

# service apache2 stop

Create a mostly empty apache2 profile based on program dependencies.

# aa-autodep apache2
Writing updated profile for /usr/sbin/apache2.

Set the apache2 profile in complain mode so that access violations will be allowed and logged.

# aa-complain apache2
Setting /usr/sbin/apache2 to complain mode.

Start the apache2 service

# service apache2 start

Thoroughly test the web application attempting to exercise all intended functionality so that AppArmor will generate the necessary logs of all resources accessed. The logs are sent via the system syslog utility and are typically found in either the /var/log/syslog or /var/log/messages files. Also stop and restart the web server as part of the testing process.

Use aa-logprof to update the profile based on logs generated during the testing. The tool will prompt for suggested modifications to the profile, based on the logs. The logs may also be reviewed manually in order to update the profile.

# aa-logprof

Review and edit the profile, removing any inappropriate content, and adding appropriate access rules. Directories with multiple files accessed with the same permission can be simplified with the usage of wild-cards when appropriate. Reload the updated profile using the apparmor_parser command.

# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

Test the new updated profile again and check for any new AppArmor denied logs generated. Update and reload the profile as necessary. Repeat the application tests, until no new AppArmor deny logs are created, except for access which should be prohibited.

# tail -f /var/log/syslog

Set the apache2 profile to enforce mode, reload AppArmor, and then test the web site functionality again.

# aa-enforce /usr/sbin/apache2
# /etc/init.d/apparmor reload

Default Value:

The default Apache profile is very permissive.

See Also

https://workbench.cisecurity.org/files/3021