Part 2: Kernel protection preventive mechanisms in Linux systems and methods for monitoring them
Background: In our previous article, I described one method to prevent or monitor harmful activities that can be carried out against the Linux kernel, focusing on SELinux capabilities. In this article, we will take a deeper dive into another solution that is already built into some distributions, such as Ubuntu, Debian, and other Debian-based distros. This component is called AppArmor.
The purpose: The purpose of this solution is primarily to address Mandatory Access Control challenges that may arise from actions performed by users or system processes.
The usage: Although the solution is installed by default on these distributions, that alone is not enough to fully leverage it. One important step is to install the utilities needed to work with AppArmor, such as the apparmor-utils package.
apt-get install apparmor-utils
AppArmor operates using profiles. Profiles are essentially technical policies that the Linux Security Module checks before allowing a confined process to interact with the kernel and other system components. Keep in mind that, depending on your distribution, packages can be delivered in several ways, such as Flatpak, Snap, or directly from the package repository. Before adding any rules, you should first identify the path where the application's profile is installed. For example, if an application was installed via Snap, its profile will be located in /var/lib/snapd/apparmor/profiles/. If it was installed in the usual way (for example, using the package manager), the profile can typically be found in /etc/apparmor.d/.
Let's add a rule that will disallow the use of the whoami command once the profile has been created. After adding the rule, use the apparmor_parser utility to parse the profile and replace the loaded copy in the kernel (-r); any syntax error in the rule or profile is reported at this step.
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.whoami
In the next step, you need to enforce the rule in your profile, after which the restriction will take effect.
sudo aa-enforce /etc/apparmor.d/usr.bin.whoami
After this, executing the whoami binary will be denied by the system.

At that point we can check the syslog and catch the alert raised by the system.
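As an added example (not code from the original article), the following Python script parses the AppArmor denial records that the kernel writes to syslog and aggregates them per profile, operation and path, which is what you would look for after enforcing the whoami profile; the log lines embedded in it are constructed samples in the kernel's audit record format.

```python
"""Parse AppArmor audit records (type=1400) out of syslog lines and
summarise the denials per profile. Added example; the SAMPLE_SYSLOG
lines below are constructed, not captured from a real host."""
import re
from collections import Counter

# Constructed sample syslog lines: one ALLOWED record, two DENIED records
# from the whoami profile (two separate runs), and one unrelated line.
SAMPLE_SYSLOG = """\
Nov 12 10:00:01 host kernel: [ 101.1] audit: type=1400 audit(1699783201.100:41): apparmor="ALLOWED" operation="open" profile="/usr/bin/whoami" name="/etc/nsswitch.conf" pid=4242 comm="whoami" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 12 10:00:02 host kernel: [ 102.2] audit: type=1400 audit(1699783202.200:42): apparmor="DENIED" operation="open" profile="/usr/bin/whoami" name="/etc/passwd" pid=4242 comm="whoami" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 12 10:00:09 host kernel: [ 109.9] audit: type=1400 audit(1699783209.900:43): apparmor="DENIED" operation="open" profile="/usr/bin/whoami" name="/etc/passwd" pid=4250 comm="whoami" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 12 10:00:10 host sshd[999]: Accepted publickey for alice from 10.0.0.5 port 5555
"""

# Matches the key="quoted value" and key=bare_value pairs of an audit record.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_events(text):
    """Return one dict of key/value fields per AppArmor audit record."""
    events = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue  # not an AppArmor record (other kernel or daemon output)
        # findall yields (key, quoted, bare); exactly one of the two values is set
        events.append({k: (q or u) for k, q, u in FIELD_RE.findall(line)})
    return events


def denials(events):
    """Keep only records the LSM actually blocked."""
    return [e for e in events if e.get("apparmor") == "DENIED"]


def summarise(events):
    """Count denials per (profile, operation, name) so you can see which
    rule fired and how often, not just that something was blocked."""
    return Counter((e["profile"], e["operation"], e["name"])
                   for e in denials(events))


if __name__ == "__main__":
    for (profile, op, name), n in summarise(parse_apparmor_events(SAMPLE_SYSLOG)).items():
        print(f"{n:3d}  {profile}  {op}  {name}")
```

On a live host, feed it the output of `journalctl -k` or the contents of /var/log/syslog instead of SAMPLE_SYSLOG.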

Conclusion: This method can be used to confine any process that writes to the kernel, protecting it from components that may be vulnerable to specific zero-day attacks, such as browsers or other parts of the system where such threats might be introduced into the chain.
