Servers Tip of the Trade: AppArmor

Tip of the Trade: AppArmor

The traditional Unix file and ownership permissions have weathered the test of decades of use and are simple to understand and use. But they’re showing their age in this modern, connected world, and it is now time to look for something stronger. SELinux has been the unchallenged champion of super-secure Linux systems, until the recent emergence of AppArmor. Both use Mandatory Access Controls (MAC), which are stronger than Unix’s Discretionary Access Controls (DAC). SELinux has already been discussed; today is AppArmor’s turn.

SELinux has long reigned as the unchallenged champion of super-secure Linux systems. The emergence of AppArmor is changing this, as it simplifies the permissions management process.

Discuss this article in the ServerWatch discussion forum

Unsure About an Acronym or Term?
Search the ServerWatch Glossary


The biggest complaint against SELinux is its complexity, and that’s a valid point. Any security tool that is too difficult to learn and use is not a good security tool. SELinux wants to touch every file on your system. But is this necessary?

AppArmor takes a different approach and is applied more selectively. It operates on individual applications by limiting their access to essential libraries and files, rather than trying to control the entire system. It ensures applications have only the privileges they need to do their jobs, and no more. This foils privilege escalation, which is usually the primary goal of an attacker, because they require root privileges to do anything significant.

The first step is to figure out where the largest risks lie and apply AppArmor to those. For example, these days, the biggest security risks for Linux are in Internet-facing Web and application servers because of their complexity and inexperienced and sloppy scripting. If you’re running a public Web site or application server, hardening it with AppArmor is a logical first step. Then, you can look at other services that face untrusted networks and AppArmor them.

AppArmor uses profiles that control what it does and to what. The best way to get started with it is to get a Linux distribution that includes a prefab AppArmor setup, like Ubuntu Gutsy or OpenSUSE. OpenSUSE has the most mature AppArmor development. Visit Novell AppArmor to find all kinds of helpful information.

Latest Posts

Compare HP’s iLo & Dell’s iDRAC Server Management Tools

Most servers shipped from the major manufacturers today come with some type of out-of-band management tool or baseboard management controller (BMC). Two of the...

Get-MsolUser PowerShell Attributes & Properties

This article has been updated for 2020. Please note that WAAD was retired in 2018, but the cmdlets listed in this article are still...

Microsoft Azure PowerShell Scripts and Commands

Using PowerShell scripts and commands for quickly executing tasks in Windows operating systems offers a number of benefits over traditional scripting languages, such as...

Microsoft Hyper V Review

Microsoft Hyper-V: The Bottom line Microsoft Hyper-V lagged behind VMware's virtualization tool, one of the most popular tools in the space, when it was first...

Best Cloud Based Services & Companies

Any company that’s delayed introducing cloud-based software into their infrastructure needs to consider leveraging these new technologies to reap all the benefits cloud computing...

Related Stories