Protecting Postfix with AppArmor

October 9, 2008 Security

If you are using Postfix on a server whose distribution supports AppArmor (Suse, Debian, Ubuntu, etc.), you can use AppArmor to protect it. AppArmor protects processes on a server or desktop from security threats by enforcing limits on what each process can access on the system, restricting it to only those resources it needs to function. AppArmor defines not only which system resources a program can access, but also the privileges with which it can access them. To protect an application you set up a security profile for it, one per application you want to protect.

When you have many software applications on a system, you run the risk of hosting software flaws that you are not aware of. These flaws provide avenues for attackers to compromise your system. Exploits that are used by an attacker on the same day the flaw is discovered are called zero-day exploits. AppArmor provides protection against these kinds of attacks because its restrictions limit what a compromised process can do, whether the vulnerability is known or not.

Install AppArmor
There is no need to install AppArmor on a distro like Ubuntu, as it is installed by default. The real issue is that the default install protects so little that it is not very helpful, so you will need to change that. Even in the new Ibex version, cups, bind, mysql and slapd are the only processes protected by AppArmor. On the Ibex desktop the gdm Xsession is also covered.

Check the status of AppArmor
When you check the status as root you will see the active profiles and the mode each one is in. Complain mode logs what would have been a violation without hindering the activity; it is a warning-only mode. Enforce mode means that the kernel will enforce the AppArmor restrictions for that process.

sudo apparmor_status

# apparmor_status
apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
/usr/sbin/mysqld
/usr/sbin/slapd
/usr/sbin/cupsd
/usr/sbin/named
/usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode :
3 processes are in complain mode.
/usr/sbin/cupsd (4613)
/usr/sbin/named (4398)
/usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.
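Because the stock install leaves most services unprotected, it is worth checking the status output programmatically rather than by eye. The shell functions below are an added example, not part of the original post: they parse apparmor_status output, list the profiles that are still in complain mode, check whether a given executable has a profile at all, and fail when anything loaded is not enforced. SAMPLE_STATUS is a constructed copy of the output shown above (same paths and counts); on a live host pipe in sudo apparmor_status instead.

```shell
#!/bin/sh
# Added example: parse apparmor_status output and report what is really enforced.
# SAMPLE_STATUS is a constructed copy of the status output shown above, not
# captured from a live host.
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
   /usr/sbin/mysqld
   /usr/sbin/slapd
   /usr/sbin/cupsd
   /usr/sbin/named
   /usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode.
3 processes are in complain mode.
   /usr/sbin/cupsd (4613)
   /usr/sbin/named (4398)
   /usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.'

# Print the loaded profiles that are in complain mode, one path per line.
# Reads apparmor_status output on stdin; only the "profiles" section is
# considered, the per-process section further down is ignored.
list_complain_profiles() {
  awk '
    /profiles are in enforce mode/    { section = "enforce";  next }
    /profiles are in complain mode/   { section = "complain"; next }
    /processes have profiles defined/ { section = "done" }
    section == "complain" && /^[[:space:]]*\// { sub(/^[[:space:]]+/, ""); print }
  '
}

# Number of complain-mode profiles; 0 means every loaded profile is enforced.
count_complain_profiles() {
  list_complain_profiles | wc -l | tr -d ' '
}

# Succeed (exit 0) only if every loaded profile is in enforce mode, so this can
# gate a deployment or run from cron.
check_all_enforced() {
  [ "$(count_complain_profiles)" -eq 0 ]
}

# Succeed if the executable given as $1 has a loaded profile in any mode.
# Reads apparmor_status output on stdin.
has_profile() {
  awk -v want="$1" '
    /profiles are loaded/             { inprof = 1; next }
    /processes have profiles defined/ { inprof = 0 }
    inprof && /^[[:space:]]*\// { sub(/^[[:space:]]+/, ""); if ($1 == want) found = 1 }
    END { exit found ? 0 : 1 }
  '
}
```

On a real host run, as root, sudo apparmor_status | list_complain_profiles to see what is only being warned about, and sudo apparmor_status | has_profile /usr/sbin/postfix, which fails on a stock install because no Postfix profile is loaded.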

Create a New Profile
To get the protection you need, you must create a profile for each application you want to protect. For Postfix this means creating profiles for each program that Postfix needs in order to function correctly.

The aa-genprof command is used to create a new profile. From a terminal, as root, use the command aa-genprof:

sudo aa-genprof executable

The first question you will be asked when you begin creating a profile is whether you want to connect to the repository. This repository, hosted by Suse, holds profiles created by many different users and distros, so it is probably not a good idea to enable it; create your own profile instead.

The second question will look like this:

[(S)can system log for SubDomain events] / (F)inish

At this point you need a working Postfix, including your spam and anti-virus protection. aa-genprof scans the system log for AppArmor events generated by Postfix and the programs it calls, and builds the profile from them. Exercise Postfix by sending mail through it so that every program needed for the profile shows up in the log, then select “S” to scan for changes. Do this several times; you may be asked to accept additions to the profile as it is built. Once you have answered all of the questions, choose “F” to finish and write the profile.

sudo aa-genprof /usr/sbin/postfix

Repository: http://apparmor.test.opensuse.org/backend/api

Would you like to enable access to the
profile repository?

(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Writing updated profile for /usr/sbin/postfix.
Setting /usr/sbin/postfix to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish

Here is the basic Postfix profile that aa-genprof writes (found in /etc/apparmor.d); note that this is only a starting point.

# Last Modified: Wed Oct  8 17:42:02 2008
#include <tunables/global>
/usr/sbin/postfix {
  #include <abstractions/base>

  /usr/sbin/postfix mr,
}

Keep the profile in complain mode so that you can test it; it can be changed once you are sure it works correctly. To set complain mode:

sudo aa-complain /usr/sbin/postfix

You can change the mode to enforce with this command:

sudo aa-enforce /usr/sbin/postfix
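Before switching from complain mode to enforce mode it helps to know exactly which accesses the profile is still missing, since every ALLOWED event logged in complain mode becomes a DENIED one under enforce. The shell functions below are an added example, not part of the original post and not what aa-genprof or aa-logprof themselves do internally: they pull the key="value" fields out of AppArmor audit lines, list the accesses that would be blocked in enforce mode, filter them by profile, and print candidate file rules. SAMPLE_AUDIT holds constructed lines in the kernel's key="value" log format; the paths, pids and timestamps in it are invented for the example.

```shell
#!/bin/sh
# Added example: summarise complain-mode AppArmor events before enforcing.
# SAMPLE_AUDIT is constructed sample data in AppArmor's key="value" log
# format; nothing here was captured from a real host.
SAMPLE_AUDIT='type=AVC msg=audit(1223500000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4512 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1223500000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/var/spool/postfix/pid/master.pid" pid=4512 comm="postfix" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
type=AVC msg=audit(1223500000.103:203): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/postfix" pid=4500 comm="apparmor_parser"
type=AVC msg=audit(1223500000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=4613 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print "PROFILE NAME MASK" for every event that is, or would be, blocked in
# enforce mode: ALLOWED events (complain mode let them through but logged
# them) and DENIED events. STATUS and other lines without a denied_mask are
# skipped. Reads audit or syslog lines on stdin.
pending_denials() {
  awk '
    {
      split("", kv)                      # portable way to clear the array
      s = $0
      while (match(s, /[a-z_]+="[^"]*"/)) {
        pair = substr(s, RSTART, RLENGTH)
        eq = index(pair, "=")
        key = substr(pair, 1, eq - 1)
        val = substr(pair, eq + 2, length(pair) - eq - 2)   # strip =" and "
        kv[key] = val
        s = substr(s, RSTART + RLENGTH)
      }
      if ((kv["apparmor"] == "ALLOWED" || kv["apparmor"] == "DENIED") && kv["denied_mask"] != "")
        print kv["profile"], kv["name"], kv["denied_mask"]
    }
  '
}

# Same as pending_denials, restricted to the profile given as $1.
pending_denials_for() {
  pending_denials | awk -v p="$1" '$1 == p'
}

# Turn pending-denial lines into candidate file rules for the profile.
# Exec requests (mask containing x) are skipped: the exec mode (ix/px/ux)
# is a human decision, which is what aa-logprof prompts for.
suggest_rules() {
  awk '$3 !~ /x/ { printf "  %s %s,\n", $2, $3 }'
}
```

On a live host feed it the real log, for example sudo cat /var/log/messages | pending_denials_for /usr/sbin/postfix | suggest_rules, and review each suggested line before adding it to the profile; a rule that merely replays everything the process touched while compromised would defeat the point of confinement, so only the accesses Postfix legitimately needs should be accepted.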

Basic Commands
Each of these commands must be run as root.

aa-autodep      create a minimal profile
aa-enforce      switch a profile to enforce mode
aa-complain     switch a profile to complain mode (violations logged but not enforced)
aa-audit        switch a profile to audit mode (every access is logged, so you can check the profile)
aa-logprof      scan the log for AppArmor messages, show a severity level for each, and let you accept or reject a correction to the profile
aa-unconfined   list the processes with open network sockets that are not confined by a profile

Profiles are saved in /etc/apparmor.d.

This is only a start, and the process is incomplete until you protect each application that is related to Postfix. Be sure to check out the post on user pre-built profiles.
