Reference monitor with AppArmor

AppArmor ("Application Armor") is security software for Linux, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile which restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program's typical behavior.

We created a AppArmor profile for thttpd (tinylittlewebserver :http://www.acme.com/software/thttpd/). By using this profile the thttpd only allow to websites containing extension .html.

Following are the steps we performed to create of AppArmor Profile.

1. We use Ubuntu 7.10 platform for our AppArmor Profile creation.

2. First we installed thttpd webserver on it. Then we create different html files like index.html,first.html, and place these files in /var/www which is the default folder for serving the webpages with default port which is port 80.

3. As we are using thttpd webserver and its purpose is to only allow *.html files and no other files so for this purpose we create a AppArmor Profile for thttpd server using the command aa-genprof on the terminal. Before creating AppArmor profile for any application that application must be stopso we first stop the thttpd server with command

~:# /etc/init.d/thttpd stop and also for double check we use the command ~:# killall thttpd to make sure that all processes of thttpd has been killed.

4. Now we run the command on terminal ~:# aa-genprof thttpd

The above command will put the profile for thttpd into learning or complain mode so that profile violations can be logged.

5. When prompted by the tool, we started the application i.e /etc/init.d/thttpd start in another terminal window and then we performed as many of this application functions so that learning mode can log the files and directories to which the program requires access in order to function properly.

6. After that we proceed to previous terminal window where we ran the command aa-genprof and we started scanning our log files with (S) option.

7. As our assignment is that only .html files are allowed so we allow only *.html files using the option (E)xt. By this option all files containing

extension .html will be allowed.

8. This profile is in complain mode which means that it will only log the violation. Now to restrict this profile not to run any file other then extension

.html we change this profile mode to enforce mode with command

~:# aa-enforce thttpd

9. Now we create a file test.txt and place it in /var/www and try to run from the browser but it will not execute this file and give us server error 500.

10.So we have restrict our application through AppArmor that only static pages with extension with .html will be serve from our webserver.