I had my feed on the Ubuntu Forum yesterday. I was in the security discussion threads and happened to come across the sticky for AppArmor by the ubuntuguru. I like what I'm reading, and the article is enjoining Ubuntu users to take advantage of AppArmor.
AppArmor is an alternative to SELinux. It uses per-application profiles to confine each application to only the files and operations that its profile allows. A profile can run in complain mode or enforce mode. In complain mode the profile is not yet enforced: actions that fall outside it are logged rather than blocked, which is how the profile is built up from what the application actually does. The profile itself can be modified while running in complain mode; the user can allow or deny each logged behaviour and incorporate that decision into the new profile. In enforce mode, applications proceed as before where the profile permits and are otherwise restricted to the functions the profile allows. The point of AppArmor is to prevent a rogue application from gaining increased privileges and thereby wreaking havoc on the system.
AppArmor protects against zero-day attacks. Zero-day attacks are dangerous because the malware is as yet unknown and unclassified: we don't know what it is going to do, and there is simply no patch for it. The vulnerability might be known but not fixed yet, or it might be entirely unknown. If an attacker uses such unknown malware to take over an application, that application is still prevented by its AppArmor profile from doing anything worse to the system than the profile allows.
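As an added illustration (not from the forum sticky or the AppArmor project) of how the complain-mode log feeds back into a profile, and of what a confined application's blocked actions look like in enforce mode, the following Python parses AppArmor kernel audit messages and turns them into candidate profile rules, roughly what the interactive profile tools do. The log lines and the /usr/bin/example-app profile are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the AppArmor kernel audit format (not real logs).
# ALLOWED = the profile was in complain mode and the action was only logged;
# DENIED  = the profile was in enforce mode and the action was blocked.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:21): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-app" name="/home/user/notes.txt" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.102:22): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-app" name="/home/user/notes.txt" pid=4242 comm="example-app" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.103:23): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:24): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example-app" pid=1 comm="apparmor_parser"
"""

KV = re.compile(r'(\w+)="([^"]*)"')  # the quoted key="value" fields of a message


def parse_events(text):
    """Turn each apparmor="..." audit line into a dict of its key/value fields."""
    events = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if "apparmor" in fields:
            events.append(fields)
    return events


def suggest_rules(events):
    """Group file-access events per profile and verdict, merging the access modes
    seen for each path into one candidate rule in profile syntax, e.g. '/etc/foo rw,'.
    ALLOWED rules are what complain mode observed (add them only if legitimate);
    DENIED rules are what enforce mode blocked (review them, never add blindly)."""
    modes = defaultdict(set)  # (profile, verdict, path) -> set of mode letters
    for ev in events:
        verdict = ev.get("apparmor")
        if verdict not in ("ALLOWED", "DENIED") or "name" not in ev:
            continue  # skip STATUS/profile_load and other non-file events
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        modes[(ev["profile"], verdict, ev["name"])].update(mask)
    rules = defaultdict(lambda: defaultdict(list))
    for (profile, verdict, path), m in sorted(modes.items()):
        rules[profile][verdict].append("%s %s," % (path, "".join(sorted(m))))
    return rules


if __name__ == "__main__":
    for profile, by_verdict in suggest_rules(parse_events(SAMPLE_LOG)).items():
        for verdict, lines in by_verdict.items():
            print(profile, verdict)
            for rule in lines:
                print("  " + rule)
```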
It is a very nice security discussion.