Advanced Docker Security with AppArmor

AppArmor, when implemented properly, provides an enhanced level of security to deployed containers at the program level.

By Sudip Sengupta (DZone Core)
Aug. 07, 20 · Tutorial · 8.2K Views


So you have your Docker containers deployed, and they in turn host critical applications of your organization? Great! So far, so good!

It is crucial for the organization to keep not only the containers but also the applications they host protected from security threats. By default, Docker confines its containers with an auto-generated AppArmor profile, docker-default. That profile, however, provides only moderate security at the application level, so it is highly recommended to add a security profile through AppArmor that works at the process/program level of the application.

What is AppArmor?

AppArmor (Application Armor) is a Linux Security Module that enforces security policy at the program/process level. Security profiles written for AppArmor can grant or withhold capabilities such as folder access, network access, and permission to read, write, or execute files.

One of the beauties of AppArmor is its Learning Mode (complain mode), which logs profile violations without blocking them. The Learning Mode log helps administrators build a security profile that forms a much harder security armor based on how an application actually executes. Default security policies, combined with Learning Mode logs, make it possible to form security policies even for very complex applications with a quick turnaround.

AppArmor proactively protects the operating system and applications from external or internal threats, and even zero-day attacks, by enforcing a specific rule set on a per-application basis. Security policies completely define which system resources individual applications can access, and with what privileges. For a confined program, access is denied by default unless its profile says otherwise.

Installing and Enabling AppArmor

Though AppArmor is built into the Linux kernel, it is not necessarily the security module loaded on every boot. AppArmor can be made the default security module at boot by passing the following kernel parameters:

```shell
apparmor=1 security=apparmor
```

or by building the kernel with these options set:

```shell
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
```

To load all AppArmor security profiles on boot, enable apparmor.service.

Display AppArmor Loaded Profiles

The system default AppArmor installation comes with a number of security profiles, on top of which an administrator can add their own profiles based on the Learning Mode. To confirm that AppArmor is enabled:

```shell
$ aa-enabled
Yes
```


To display the currently loaded status, use apparmor_status (as root):

```shell
# apparmor_status
apparmor module is loaded.
29 profiles are loaded.
29 profiles are in enforce mode.
 ...
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```


Above you can see the loaded profiles and processes with their respective statuses.

Parsing AppArmor Profiles

apparmor_parser offers a number of options for parsing either AppArmor's default profiles or custom-generated ones. Of the options available, it is most widely used to load, unload, replace, remove, cache, debug and match strings within profiles.

  • -a - Default action: load a new profile in enforce mode.
  • -C - Load a new profile in complain mode.
  • -r - Replace (overwrite) an existing profile.
  • -R - Remove an existing profile from the kernel.
  • -V - Display the version.
  • -h - Display the help reference.

Understanding AppArmor Profiles

AppArmor profiles are text files found under /etc/apparmor.d/. A look at a profile file shows how it is structured:

```shell
# /etc/apparmor.d/usr.bin.test

#include <tunables/global>
profile test /usr/lib/test/test_binary
{
     #include <abstractions/base>
     # Main libraries and plugins
     /usr/share/TEST/** r,
     /usr/lib/TEST/** rm,
     # Configuration files and logs
     @{HOME}/.config/ r,
     @{HOME}/.config/TEST/** rw,
}
```


Strings following the @ symbol are variables defined under abstractions (/etc/apparmor.d/abstractions/), tunables (/etc/apparmor.d/tunables/) or by the profile itself. #include pulls other profile files in directly. The characters following a path are its access permissions, and AppArmor's globbing syntax (such as **) provides pattern matching.

Commonly used access permissions in profile rules:

  • r - read data
  • w - write to a file, including creating or deleting it
  • x - execute a file
  • m - memory-map an executable file
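As an added example (not code from the article or from the AppArmor project), the script below applies the profile syntax above to a container: it writes an allow-list profile, loads it with apparmor_parser -r, and prints the docker run command that attaches it through --security-opt. The profile name docker-appshield, the /usr/local and /var/lib paths and the image name are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): write an allow-list AppArmor profile for a
# containerised program, load it, and attach it to a container. Profile name,
# binary path and image are hypothetical; apparmor_parser runs only if installed.
set -eu

PROFILE_NAME="docker-appshield"                      # hypothetical
PROFILE_FILE="${PROFILE_FILE:-/tmp/$PROFILE_NAME}"   # where the text is written
# Only the listed paths are reachable; everything else is denied by default,
# and explicit "deny" rules win even over permissions from included abstractions.
write_profile() {
  cat > "$1" <<EOF
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Application binary, libraries and read-only data
  /usr/local/bin/app          rix,
  /usr/local/lib/app/**       rm,
  /usr/local/share/app/**     r,

  # The only writable location
  /var/lib/app/**             rw,

  # Kernel tunables stay unwritable whatever an abstraction grants
  deny /proc/sys/**           w,
  deny /sys/**                w,
}
EOF
}
# Quick sanity check before loading: how many explicit deny rules are present
deny_rule_count() { grep -c '^ *deny ' "$1"; }
# -r replaces a profile of the same name that is already loaded (see options above)
load_profile() {
  if command -v apparmor_parser >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apparmor_parser -r "$1"
  else
    echo "not root or apparmor_parser missing; would run: apparmor_parser -r $1" >&2
  fi
}
# Docker attaches the named, already loaded profile to every process in the container
container_cmd() {
  printf 'docker run --rm --security-opt apparmor=%s %s\n' "$PROFILE_NAME" "$1"
}

write_profile "$PROFILE_FILE"
load_profile "$PROFILE_FILE"
container_cmd "example/app:1.0"    # hypothetical image; run the printed command
```

Once the container is running, apparmor_status lists docker-appshield under the enforced profiles and counts its processes.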

Creating a New AppArmor Profile

Creating an AppArmor profile can be done through a Systemic or Stand-Alone method.

1) Stand-Alone Profile Creation

(aa-genprof): Used for creating a profile for a single program/application that runs for a finite amount of time, such as a web browsing client or mail client. Though a Stand-Alone profile is comparatively quicker and easier to develop, it comes with its own limitations, such as the profiling being lost on a reboot. A Stand-Alone profile is created with AppArmor's aa-genprof profile-generating utility. It runs aa-autodep on the specified program/application to create an approximate profile, sets it to complain mode, reloads it into AppArmor, marks the log, and prompts the user to execute the program and exercise its functionality.

```shell
aa-genprof [ -d /path/to/profiles ] PROGRAM
```

2) Systemic Profile Creation

(aa-autodep): Used for creating profiles for multiple programs and/or applications that run indefinitely or continuously across reboots, such as network server applications like mail servers, security services, etc. This method updates all of the profiles on the system at once, as opposed to the one or few targeted by Stand-Alone profiling.

Steps to Create Systemic Profile for A Program:

  1. Run an initial aa-autodep to create an approximate profile for the program; this lets AppArmor consider the program for monitoring.
  2. Activate learning (complain) mode for all profiled programs by entering aa-complain /etc/apparmor.d/*
  3. Run the application. Ensure that the running program accesses each file it needs. As a result, the run might last several days and span multiple system reboots.
  4. Analyze the log with aa-logprof.
  5. Repeat Step 3 and Step 4 to generate an optimal Systemic profile. Subsequent iterations generate fewer messages and run faster.
  6. Edit the profiles in /etc/apparmor.d/ as required.
  7. Return to enforce mode using aa-enforce /etc/apparmor.d/*, which enforces the rules of the profiles.
  8. Rescan all kernel profiles to ensure there are no conflicts.

Modifying an Existing AppArmor Profile

  • Monitor the system for AppArmor denials in dmesg, /var/log/kern.log, /var/log/messages, etc.
  • Use aa-notify to be alerted of denials
  • Run aa-logprof to update the policy
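The denial lines that Step 4 of the Systemic procedure and the monitoring bullets above refer to can be triaged before aa-logprof is run. The following script is an added example, not code from the article: it parses constructed dmesg-style AppArmor audit lines, counts denials per profile, operation and path, and prints the candidate rule each would become. The profile name docker-appshield and the paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): summarise AppArmor denials from kernel log
# lines (dmesg, /var/log/kern.log) and derive the candidate rules aa-logprof would
# offer. The log lines are constructed; profile names and paths are hypothetical.
set -eu

# Constructed sample of what the kernel logs for a confined program
SAMPLE_LOG='audit: type=1400 audit(1596800000.101:11): apparmor="DENIED" operation="open" profile="docker-appshield" name="/etc/shadow" pid=4321 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1596800000.102:12): apparmor="DENIED" operation="open" profile="docker-appshield" name="/etc/shadow" pid=4321 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1596800000.250:13): apparmor="ALLOWED" operation="open" profile="docker-appshield" name="/var/lib/app/cache" pid=4321 comm="app" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1596800001.000:14): apparmor="DENIED" operation="exec" profile="docker-appshield" name="/bin/sh" pid=4400 comm="app" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1596800002.000:15): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/sys/kernel/hostname" pid=5000 comm="hostname" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# Collapse DENIED events into "count profile operation path mask", most frequent
# first. ALLOWED lines (complain mode) are left out; paths with spaces are not handled.
summarize_denials() {
  awk '
    /apparmor="DENIED"/ {
      split("", f)                       # fresh key=value map for each line
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        gsub(/"/, "", v)
        f[k] = v
      }
      key = f["profile"] " " f["operation"] " " f["name"] " " f["denied_mask"]
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Turn a summary line into the rule aa-logprof would propose. Each candidate still
# needs a human decision: a denied read of /etc/shadow is the profile doing its job.
candidate_rule() {
  while read -r _count _profile op path mask; do
    case "$op" in
      exec) printf '%s ix,  # choose the execute mode by hand\n' "$path" ;;
      *)    printf '%s %s,\n' "$path" "$mask" ;;
    esac
  done
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denials
printf '%s\n' "$SAMPLE_LOG" | summarize_denials | candidate_rule
```

On a live host, replace the sample with dmesg | summarize_denials to see the same summary for the running system.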

Disabling AppArmor

If you would like to disable AppArmor for the current session, you can do so by clearing out all AppArmor profiles for the current session with aa-teardown (run as root).

Additionally, to prevent the kernel from loading AppArmor profiles at the next boot, disable apparmor.service and remove apparmor=1 security=apparmor from the kernel parameters.

AppArmor, when implemented properly, provides an enhanced level of security to deployed containers at the program level. Learning Mode opens endless possibilities for creating varied profiles, which sets it apart from the system-generated docker-default profile.

This article was originally published on https://appfleet.com/blog/advanced-docker-security-with-apparmor/.


Published at DZone with permission of Sudip Sengupta. See the original article here.
