Enhancing Linux Security with AppArmor and Wazuh: Mandatory Access Control with Real-Time Monitoring#

Introduction#

Linux systems face increasingly sophisticated threats, from privilege escalation attacks to unauthorized data access. While traditional Discretionary Access Control (DAC) provides basic security, it has a critical weakness: compromised processes inherit their user’s permissions, potentially accessing sensitive resources.

This guide demonstrates how to implement Mandatory Access Control (MAC) using AppArmor and monitor violations in real-time with Wazuh. By combining kernel-enforced security policies with centralized monitoring, we create a robust defense system that:

🛡️ Enforces strict process restrictions at the kernel level
🔍 Detects policy violations in real-time
📊 Provides centralized visibility across your infrastructure
🚨 Enables automated incident response

Understanding Linux Security Models#

DAC vs MAC: Why You Need Both#

1
flowchart LR
2
    subgraph "Discretionary Access Control (DAC)"
3
        U1[User] --> F1[File Permissions]
4
        F1 --> P1[Process]
5
        P1 --> R1[Resources]
6
        style F1 fill:#ffd43b
7
    end
8

9
    subgraph "Mandatory Access Control (MAC)"
10
        K1[Kernel] --> PP1[Policy Profile]
11
        PP1 --> P2[Process]
12
        P2 -->|Restricted| R2[Resources]
13
        style K1 fill:#ff6b6b
14
        style PP1 fill:#51cf66
15
    end
16

17
    subgraph "Combined Security"
18
        DAC --> C1[First Layer]
19
        MAC --> C2[Second Layer]
20
        C1 --> C3[Defense in Depth]
21
        C2 --> C3
22
        style C3 fill:#4dabf7
23
    end

DAC Limitations:

User-controlled permissions
Inherited privileges in compromised processes
No protection against insider threats
Limited audit capabilities

MAC Advantages:

Kernel-enforced policies
Granular process restrictions
Protection even from root
Comprehensive audit trail

Architecture Overview#

1
flowchart TB
2
    subgraph "Linux Kernel"
3
        L1[LSM Framework]
4
        L2[AppArmor Module]
5
        L3[Security Policies]
6
        L1 --> L2
7
        L2 --> L3
8
    end
9

10
    subgraph "Application Layer"
11
        A1[Process] -->|System Call| L1
12
        L3 -->|Allow/Deny| A1
13
        A1 --> A2[Audit Log]
14
    end
15

16
    subgraph "Wazuh Monitoring"
17
        A2 --> W1[Wazuh Agent]
18
        W1 --> W2[Log Collection]
19
        W2 --> W3[Real-time Analysis]
20
        W3 --> W4[Security Alerts]
21

22
        P1[Profile Directory] --> F1[FIM Module]
23
        F1 --> W1
24
    end
25

26
    subgraph "Security Operations"
27
        W4 --> S1[SOC Dashboard]
28
        W4 --> S2[Incident Response]
29
        W4 --> S3[Compliance Reports]
30
    end
31

32
    style L2 fill:#51cf66
33
    style W3 fill:#4dabf7
34
    style S1 fill:#ffd43b

Infrastructure Setup#

Prerequisites#

Wazuh Server (OVA 4.12.0):
- Wazuh manager, indexer, and dashboard
- Minimum 8GB RAM, 4 CPUs
Ubuntu 24.04 Endpoint:
- Wazuh agent 4.12.0 installed
- AppArmor utilities
- GCC compiler for demo app

Implementation Guide#

Step 1: Configure Wazuh File Integrity Monitoring#

Monitor AppArmor profiles for unauthorized changes:

1
<!-- Add to /var/ossec/etc/ossec.conf -->
2
<ossec_config>
3
  <syscheck>
4
    <directories realtime="yes" report_changes="yes">/etc/apparmor.d</directories>
5
  </syscheck>
6
</ossec_config>

Restart the Wazuh agent:

1
sudo systemctl restart wazuh-agent

Step 2: Create Custom Detection Rules#

Add to Wazuh rules (apparmor_fim_rules.xml):

1
<group name="syscheck,apparmor">
2
  <!-- Profile Addition -->
3
  <rule id="100601" level="3">
4
    <if_sid>554</if_sid>
5
    <field name="file">/etc/apparmor.d/</field>
6
    <description>AppArmor profile added: $(file)</description>
7
    <group>apparmor_change,</group>
8
  </rule>
9

10
  <!-- Profile Modification -->
11
  <rule id="100602" level="5">
12
    <if_sid>550</if_sid>
13
    <field name="file">/etc/apparmor.d/</field>
14
    <description>AppArmor profile modified: $(file)</description>
15
    <mitre>
16
      <id>T1562.001</id>
17
    </mitre>
18
    <group>apparmor_change,defense_evasion,</group>
19
  </rule>
20

21
  <!-- Profile Deletion -->
22
  <rule id="100603" level="7">
23
    <if_sid>553</if_sid>
24
    <field name="file">/etc/apparmor.d/</field>
25
    <description>AppArmor profile deleted: $(file)</description>
26
    <mitre>
27
      <id>T1562.001</id>
28
    </mitre>
29
    <group>apparmor_change,defense_evasion,</group>
30
  </rule>
31
</group>

Step 3: Create Demo Application#

Create a test application that attempts various security-sensitive operations:

1
// Save as ~/test-app.c
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <unistd.h>
5
#include <fcntl.h>
6
#include <sys/syscall.h>
7
#include <sys/ptrace.h>
8
#include <netinet/in.h>
9
#include <string.h>
10
#include <arpa/inet.h>
11

12
// Attempt file write
13
void write_to_file() {
14
    FILE *fp = fopen("/tmp/demo_output.txt", "w");
15
    if (fp) {
16
        fprintf(fp, "This is a sample output.\n");
17
        fclose(fp);
18
        printf("[+] write_to_file - Wrote to /tmp/demo_output.txt\n");
19
    } else {
20
        perror("[-] write_to_file - Failed to write to file");
21
    }
22
}
23

24
// Attempt to read sensitive file
25
void read_sensitive_file() {
26
    FILE *fp = fopen("/etc/shadow", "r");
27
    if (fp) {
28
        printf("[+] read_sensitive_file - Able to read /etc/shadow\n");
29
        fclose(fp);
30
    } else {
31
        perror("[-] read_sensitive_file - Failed to read /etc/shadow");
32
    }
33
}
34

35
// Make system call
36
void make_syscall() {
37
    pid_t pid = syscall(SYS_getpid);
38
    printf("[+] make_syscall - Syscall SYS_getpid returned: %d\n", pid);
39
}
40

41
// Attempt network connection
42
void use_network() {
43
    int sock = socket(AF_INET, SOCK_STREAM, 0);
44
    if (sock < 0) {
45
        perror("[-] use_network - Socket creation failed");
46
        return;
47
    }
48

49
    struct sockaddr_in target;
50
    target.sin_family = AF_INET;
51
    target.sin_port = htons(80);
52
    inet_pton(AF_INET, "1.1.1.1", &target.sin_addr);
53

54
    if (connect(sock, (struct sockaddr *)&target, sizeof(target)) == 0) {
55
        printf("[+] use_network - Network connection established to 1.1.1.1:80\n");
56
    } else {
57
        perror("[-] use_network - Network connection failed");
58
    }
59
    close(sock);
60
}
61

62
// Attempt ptrace
63
void use_ptrace() {
64
    long ret = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
65
    if (ret == 0) {
66
        printf("[+] use_ptrace - ptrace(PTRACE_TRACEME) succeeded\n");
67
    } else {
68
        perror("[-] use_ptrace - ptrace failed");
69
    }
70
}
71

72
int main() {
73
    printf("=== Demo App Starting ===\n");
74
    write_to_file();
75
    read_sensitive_file();
76
    make_syscall();
77
    use_network();
78
    use_ptrace();
79
    printf("=== Demo App Completed ===\n");
80
    return 0;
81
}

Compile and install:

1
# Install compiler
2
sudo apt install gcc
3

4
# Compile application
5
gcc ~/test-app.c -o /usr/local/bin/test-app
6

7
# Make executable
8
sudo chmod +x /usr/local/bin/test-app

Step 4: Install and Configure AppArmor#

1
# Install AppArmor
2
sudo apt install apparmor apparmor-utils
3

4
# Create initial profile in complain mode
5
sudo aa-autodep /usr/local/bin/test-app
6

7
# Load profile
8
sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.test-app

Step 5: Test Application Behavior#

Complain Mode (Learning)#

1
# Check profile status
2
sudo aa-status
3

4
# Run application - all actions allowed but logged
5
/usr/local/bin/test-app

Expected output:

1
=== Demo App Starting ===
2
[+] write_to_file - Wrote to /tmp/demo_output.txt
3
[+] read_sensitive_file - Able to read /etc/shadow
4
[+] make_syscall - Syscall SYS_getpid returned: 4467
5
[+] use_network - Network connection established to 1.1.1.1:80
6
[+] use_ptrace - ptrace(PTRACE_TRACEME) succeeded
7
=== Demo App Completed ===

Enforce Mode (Restricted)#

1
# Switch to enforce mode
2
sudo aa-enforce /usr/local/bin/test-app
3

4
# Run application - unauthorized actions blocked
5
/usr/local/bin/test-app

Expected output:

1
=== Demo App Starting ===
2
[-] write_to_file - Failed to write to file: Permission denied
3
[-] read_sensitive_file - Failed to read /etc/shadow: Permission denied
4
[+] make_syscall - Syscall SYS_getpid returned: 4500
5
[-] use_network - Socket creation failed: Permission denied
6
[+] use_ptrace - ptrace(PTRACE_TRACEME) succeeded
7
=== Demo App Completed ===

Step 6: Fine-Tune AppArmor Profile#

Edit /etc/apparmor.d/usr.local.bin.test-app:

1
#include <tunables/global>
2

3
/usr/local/bin/test-app {
4
  #include <abstractions/base>
5

6
  # Binary execution
7
  /usr/local/bin/test-app mr,
8

9
  # Allow specific file write
10
  owner /tmp/demo_output.txt w,
11

12
  # Allow network access (TCP over IPv4)
13
  network inet tcp,
14

15
  # Deny sensitive file access (implicit)
16
  # deny /etc/shadow r,
17
}

Reload profile:

1
sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.test-app

Advanced AppArmor Profiles#

Web Application Profile#

1
#include <tunables/global>
2

3
/usr/local/bin/webapp {
4
  #include <abstractions/base>
5
  #include <abstractions/nameservice>
6

7
  # Binary and libraries
8
  /usr/local/bin/webapp mr,
9
  /usr/lib/x86_64-linux-gnu/** mr,
10

11
  # Web root access
12
  /var/www/html/** r,
13
  /var/www/html/uploads/** rw,
14

15
  # Logs
16
  /var/log/webapp/** rw,
17

18
  # Network
19
  network inet tcp,
20
  network inet6 tcp,
21

22
  # Capabilities
23
  capability setuid,
24
  capability setgid,
25

26
  # Deny system access
27
  deny /etc/shadow r,
28
  deny /etc/gshadow r,
29
  deny /boot/** rwx,
30
  deny /sys/** w,
31
}

Database Service Profile#

1
#include <tunables/global>
2

3
/usr/sbin/database-server {
4
  #include <abstractions/base>
5
  #include <abstractions/mysql>
6

7
  # Binary
8
  /usr/sbin/database-server mr,
9

10
  # Data directory
11
  /var/lib/database/** rwk,
12

13
  # Configuration
14
  /etc/database/my.cnf r,
15

16
  # Sockets
17
  /var/run/database/mysqld.sock rw,
18

19
  # Network - local only
20
  network inet tcp,
21
  bind 127.0.0.1,
22

23
  # Capabilities
24
  capability dac_override,
25
  capability sys_resource,
26

27
  # Deny outbound connections
28
  deny network inet tcp connect,
29
}

Monitoring with Wazuh#

Real-Time Violation Detection#

Configure Wazuh to parse AppArmor logs:

1
<!-- Add to /var/ossec/etc/rules/local_rules.xml -->
2
<group name="apparmor,">
3
  <!-- AppArmor denial detection -->
4
  <rule id="100700" level="7">
5
    <decoded_as>apparmor</decoded_as>
6
    <match>DENIED</match>
7
    <description>AppArmor denied operation: $(apparmor.operation) on $(apparmor.name)</description>
8
    <group>access_denied,</group>
9
  </rule>
10

11
  <!-- Critical file access attempts -->
12
  <rule id="100701" level="10">
13
    <if_sid>100700</if_sid>
14
    <field name="apparmor.name">/etc/shadow|/etc/passwd|/etc/sudoers</field>
15
    <description>AppArmor blocked access to critical file: $(apparmor.name)</description>
16
    <mitre>
17
      <id>T1003.008</id>
18
    </mitre>
19
    <group>credential_access,</group>
20
  </rule>
21

22
  <!-- Network violation -->
23
  <rule id="100702" level="8">
24
    <if_sid>100700</if_sid>
25
    <field name="apparmor.operation">connect|bind|listen</field>
26
    <description>AppArmor blocked network operation: $(apparmor.operation)</description>
27
    <mitre>
28
      <id>T1071</id>
29
    </mitre>
30
    <group>network_violation,</group>
31
  </rule>
32

33
  <!-- Capability violation -->
34
  <rule id="100703" level="9">
35
    <if_sid>100700</if_sid>
36
    <field name="apparmor.capability">^cap_</field>
37
    <description>AppArmor blocked capability: $(apparmor.capability)</description>
38
    <mitre>
39
      <id>T1548</id>
40
    </mitre>
41
    <group>privilege_escalation,</group>
42
  </rule>
43
</group>

Dashboard Visualization#

Create custom Wazuh dashboards to monitor:

AppArmor Violations Overview
- Total denials by profile
- Top denied operations
- Violation trends
Profile Change Monitoring
- Profile modifications
- New profiles added
- Deleted profiles
Security Metrics
- Blocked privilege escalations
- Prevented data access
- Network restriction effectiveness

Query Examples#

1
# All AppArmor denials
2
rule.groups: apparmor AND data.audit.type: "APPARMOR_DENIED"
3

4
# Profile modifications
5
rule.id: (100601 OR 100602 OR 100603)
6

7
# Critical file access attempts
8
rule.id: 100701
9

10
# Network violations by process
11
rule.id: 100702 | stats count by data.audit.exe

Best Practices#

1. Profile Development Workflow#

1
flowchart LR
2
    A[Create Profile] --> B[Complain Mode]
3
    B --> C[Test Application]
4
    C --> D[Analyze Logs]
5
    D --> E[Refine Profile]
6
    E --> F{Ready?}
7
    F -->|No| C
8
    F -->|Yes| G[Enforce Mode]
9
    G --> H[Production]
10
    H --> I[Monitor]
11
    I --> J[Maintain]

2. Security Hardening Checklist#

Enable AppArmor for all network-facing services
Create profiles for custom applications
Monitor profile changes with FIM
Set up real-time alerting for violations
Regular profile audits and updates
Document all profile exceptions

3. Profile Templates#

1
# Generate profile template
2
sudo aa-genprof /path/to/application
3

4
# Use existing abstractions
5
#include <abstractions/apache2-common>
6
#include <abstractions/php>
7
#include <abstractions/ssl_keys>

4. Testing Strategy#

1
#!/bin/bash
2
# AppArmor profile testing script
3

4
APP="/usr/local/bin/test-app"
5
PROFILE="/etc/apparmor.d/usr.local.bin.test-app"
6

7
echo "1. Setting profile to complain mode..."
8
aa-complain $APP
9

10
echo "2. Running application tests..."
11
$APP > /tmp/app-test.log 2>&1
12

13
echo "3. Checking for denials..."
14
dmesg | grep -i apparmor | grep -i denied
15

16
echo "4. Generating profile suggestions..."
17
aa-logprof
18

19
echo "5. Enforcing profile..."
20
aa-enforce $APP
21

22
echo "6. Final validation..."
23
$APP

Troubleshooting#

Common Issues and Solutions#

1. Application Fails After Enforcement#

1
# Check denials
2
sudo dmesg | grep -i apparmor
3

4
# Review audit log
5
sudo ausearch -m AVC -ts recent
6

7
# Temporarily disable
8
sudo aa-disable /path/to/profile

2. Profile Not Loading#

1
# Check syntax
2
sudo apparmor_parser -d /etc/apparmor.d/profile
3

4
# Verify includes
5
ls -la /etc/apparmor.d/abstractions/
6

7
# Force reload
8
sudo systemctl restart apparmor

3. Missing Capabilities#

1
# Identify required capabilities
2
sudo aa-logprof
3

4
# Add to profile
5
capability sys_admin,
6
capability net_admin,

Advanced Integration#

Automated Response#

1
#!/usr/bin/env python3
2
import subprocess
3
import json
4
from datetime import datetime
5

6
def analyze_violations():
7
    """Analyze AppArmor violations and take action"""
8

9
    # Get recent violations
10
    cmd = "journalctl -u apparmor -n 100 --output=json"
11
    result = subprocess.run(cmd.split(), capture_output=True, text=True)
12

13
    violations = []
14
    for line in result.stdout.strip().split('\n'):
15
        if line:
16
            log = json.loads(line)
17
            if 'DENIED' in log.get('MESSAGE', ''):
18
                violations.append(log)
19

20
    # Process violations
21
    for violation in violations:
22
        if '/etc/shadow' in violation['MESSAGE']:
23
            # Critical violation - immediate action
24
            alert_security_team(violation)
25
            block_process(violation)
26
        elif 'network' in violation['MESSAGE']:
27
            # Network violation - investigate
28
            log_suspicious_activity(violation)
29

30
    return violations
31

32
def block_process(violation):
33
    """Block process with suspicious behavior"""
34
    # Extract process info and take action
35
    # Implementation depends on your security policies
36
    pass
37

38
def alert_security_team(violation):
39
    """Send immediate alert to security team"""
40
    alert = {
41
        'severity': 'CRITICAL',
42
        'timestamp': datetime.now().isoformat(),
43
        'violation': violation,
44
        'action_required': 'Immediate investigation'
45
    }
46
    # Send to SIEM, Slack, PagerDuty, etc.
47
    print(f"SECURITY ALERT: {json.dumps(alert, indent=2)}")
48

49
if __name__ == "__main__":
50
    violations = analyze_violations()
51
    print(f"Processed {len(violations)} violations")

CI/CD Integration#

1
# .gitlab-ci.yml - AppArmor profile validation
2
apparmor_validate:
3
  stage: security
4
  script:
5
    - apparmor_parser -Q -d profiles/
6
    - aa-logprof --json profiles/ > profile_report.json
7
  artifacts:
8
    reports:
9
      junit: profile_report.json

Performance Considerations#

Profile Optimization#

1
# Efficient file matching
2
/var/log/app-*.log rw,          # Good - uses glob
3
/var/log/** rw,                 # Bad - too broad
4

5
# Minimize regex usage
6
owner /home/*/.config/app/** r, # Good - simple glob
7
owner /home/[^/]+/.config/app/** r, # Bad - regex overhead

Monitoring Impact#

1
# Check AppArmor overhead
2
time for i in {1..1000}; do
3
    /usr/local/bin/test-app > /dev/null 2>&1
4
done
5

6
# Compare with profile disabled
7
aa-disable /usr/local/bin/test-app
8
time for i in {1..1000}; do
9
    /usr/local/bin/test-app > /dev/null 2>&1
10
done

Compliance and Reporting#

Generate Compliance Reports#

1
-- Wazuh database query for compliance report
2
SELECT
3
    agent.name as hostname,
4
    rule.description,
5
    COUNT(*) as violation_count,
6
    DATE(timestamp) as date
7
FROM
8
    alerts
9
WHERE
10
    rule.groups LIKE '%apparmor%'
11
    AND timestamp > DATE_SUB(NOW(), INTERVAL 30 DAY)
12
GROUP BY
13
    hostname, rule.description, date
14
ORDER BY
15
    violation_count DESC;

Audit Trail#

1
#!/bin/bash
2
# Generate AppArmor audit report
3

4
echo "AppArmor Security Audit Report"
5
echo "Generated: $(date)"
6
echo "================================"
7

8
echo -e "\nActive Profiles:"
9
aa-status | grep "profiles are in enforce mode" -A 20
10

11
echo -e "\nRecent Violations (Last 24h):"
12
journalctl -u apparmor --since="24 hours ago" | grep DENIED | tail -20
13

14
echo -e "\nProfile Changes (Last 7 days):"
15
find /etc/apparmor.d -type f -mtime -7 -ls
16

17
echo -e "\nHigh Severity Alerts:"
18
grep "level=\"10\"" /var/ossec/logs/alerts/alerts.json | tail -10

Conclusion#

Combining AppArmor’s Mandatory Access Control with Wazuh’s real-time monitoring creates a powerful security framework that:

✅ Enforces least-privilege at the kernel level
📊 Provides comprehensive visibility into security violations
🚨 Enables rapid incident response
📝 Maintains compliance audit trails

This integration transforms Linux security from reactive to proactive, catching threats before they can cause damage while maintaining operational visibility.

Next Steps#

Phase 1: Deploy AppArmor profiles for critical services
Phase 2: Integrate Wazuh monitoring
Phase 3: Tune profiles based on violation data
Phase 4: Automate response procedures
Phase 5: Expand to entire infrastructure

Resources#

Enforcing security at the kernel level, monitoring it in real-time. Defense in depth! 🛡️