Tuesday, July 26, 2011

AppArmor and Server Security

I was tasked recently at work to create a new instance of MySQL in a server where there were two (2) instances already existing and running. This task should have been a breeze and done in no time. Unfortunately, I was working on a GNU/Linux distribution, okay Ubuntu, with AppArmor activated with security profile for MySQL, and I figuratively banged my head on the wall for almost a week why the steps I follow doesn't work, I already stripped the config file to the minimum and the setup still won't work. Turns out AppArmor is in my way in it's objective to secure the system it runs on.

Meet AppArmor
First we have to verify if there's an AppArmor profile for the server, in this case, the MySQL server. We execute the command on the shell:

sudo apparmor_status

If we see something similar to below, it means there is a profile for MySQL:
We have to edit the profile in /etc/apparmor.d/ as defined in this resource:

In our setup, we edit the file /etc/apparmor.d/usr.sbin.mysqld as append the following then save:

MySQL Configuration File Fiasco
After this step, we can now edit the file /etc/mysql/my.cnf as discussed in the following resources:

To illustrated the change made, please see below:

We can also simply copy the entry for mysql1 or mysql2 instance into the new instance, then reload the AppArmor as per instruction of the aforementioned AppArmor resource (in this case the profile is named usr.sbin.mysqld):

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

and restart the MySQL daemon as follows:

Critique of AppArmor
I used to appreciate hard rock music, but my recent bout with Linux, MySQL and AppArmor gave a new meaning to head banging and it wasn't a pleasurable one because AppArmor was getting in my way. Frankly, AppArmor in my opinion gives a false sense of security and further reinforces my stand that Linux is Frankenstein-tech.

In the first place, server intrusion should have been difficult in the first place. We can focus on the entry points for starters: open ports, security hole of running applications and services, and source level security factors. Arguably, only OpenBSD has exerted effort to design, develop and share a security-focused, cryptography-integrated, source audited core system, along with pragmatic approach to system security, resulting in a system that may not have all the bells and whistles of any popular GNU/Linux distribution, but being plain vanilla is more flexible, secure and stable.

Second, AppArmor, as of this writing, is maintained by Novell, most likely designed specifically for Novell and Novell-centric products and services. Granted AppArmor is implemented in Ubuntu, and could be ubiquitous across various GNU/Linux distribution, but a tack-on or holeplugging security facility in systems is basically cosmetic than comprehensive security facility.

Finally, the access to AppArmor configuration (pro)files are accessible nonetheless, requiring another security layer to protect those should server intrusion occur. In summary, AppArmor only complicated the security facility, not to mention the system administration inconvenience, while at the same time, offer little to no server intrusion prevention guarantee.

1 comment: