application execution prevention

[LMHmedchem]

Hello,

Sorry if this is the wrong place but I couldn't find a forum that seemed like it was quite right. This is more or less a firewall question so I am trying here.

When possible, I have always used application execution management software.

If you haven't used this, in it's simplest form, this is just software that requests permission for any file to execute. A whitelist is kept of files that have been authorized with various methods of determining if the file has changed since permission was authorized. There is generally also a blacklist and any unclassified file is on the asklist. Pay internet security packages like ZoneAlarm and Comodo and even free Privatefirewall always contained some version of these functions.

I have always thought that this was one of the simplest and most effective ways of preventing infections. Any software that is new has to ask for permission to execute. That same goes for software that has changed. Anything can be defeated but I think this is a simple baseline that I have found to be very effective over the years.

All of the above mentioned tools are for windows. Are there any such applications available for Linux?

A search shows the package, fapolicyd,
https://github.com/linux-application-wh ... /fapolicyd

but I have never used this. The package comes up under RHEL so I don't know if there is a Debian friendly version or not.

Thank you for the advice,

LMHmedchem

[ruwolf]

BTW: Do you know standard POSIX permissions?

In Debian, there is also fapolicyd.

[LMHmedchem]

BTW: Do you know standard POSIX permissions?

Yes, but this is a different issue. The idea with application execution control is to have a kernel based (generally) system that checks each application against a whitelist before it is allowed to execute. Often, there is a checksum calculated and checked against a database to confirm that the binary has not changed since authorization was allowed. Even if the file has execute permissions in the POSIX sense, it is still blocked from running if it's not on the whitelist. With the tools I have used before, by default, all files are classified as "ask" so anything new that appears on the system (intentionally or otherwise) will need to ask for permission if it tries to run. This is an essential part of the effectiveness of the system.

In Debian, there is also fapolicyd.

This is good to know since I have only seen the Fedora packages.

LMHmedchem

[Aki]

Hello,

[..] in it's simplest form, this is just software that requests permission for any file to execute. A whitelist is kept of files that have been authorized [..]
There is generally also a blacklist and any unclassified file is on the asklist.
[..]

The default application usually installed with Debian for this purpose is apparmor:

• Package: apparmor
• Debian Wiki - AppArmor

From the description of the apparmor package:

apparmor provides the system initialization scripts needed to use the AppArmor Mandatory Access Control system, including the AppArmor Parser which is required to convert AppArmor text profiles into machine-readable policies that are loaded into the kernel for use with the AppArmor Linux Security Module.

A third part git repository (program currently not in Debian repositories) is available for a GUI to interact with apparmor:

• AppAnvil - A graphical user interface for the AppArmor access control system

• libappanvil

The AppAnvil Project
By default, AppArmor is not easy to configure, running silently in the background. Currently, it is only accessible through the command-line, and requires some specialized knowledge to configure.
The AppAnvil project aims to create an intuitive graphical interface for monitoring and configuring AppArmor. In particular, we want it to be easy to monitor and deploy profiles, change a profile’s permissions, and to parse system logs.
Currently, this project is in-progress and not feature complete. There is still some work to do before it is ready for a general audience.

Hope this help. Please let me know.

---
note: how to build AppAnvil:

Code: Select all

sudo apt install git
sudo apt install pkg-config cmake clang bison flex libfl-dev
git clone https://github.com/jack-ullery/libappanvil
cd libappanvil
cmake .
make
sudo make install

sudo apt install libgtkmm-3.0-dev libjsoncpp-dev libapparmor-dev apparmor-utils
sudo apt install pkg-config cmake clang
git clone https://github.com/jack-ullery/AppAnvil
cd ../AppAnvil/
cmake .
make
sudo make install

[LMHmedchem]

Sorry for the long delay. I have been installing Debian 12.6 in a VM for testing and ended up having to abandon virtualbox and switch to virt-manager. For reasons that no one can explain to me, I am only occasionally able to log into the virtualbox forums. This is now managed by Oracle and simply doesn't work very well. If I haven't logged in recently, it seems my profile has vanished and I have to recreate it. Even then, the login doesn't work. About 1 time in 3 I am not able to get guest additions to install in the guest and that makes the VM almost useless. Without a support forum to help troubleshoot I am dead in the water. Virt-manager doesn't seem to have a help fourm but users here are knowledgeable and have been very helpful.

I have Debian 12.6 running in virt-manager now. I do have some issues still with the host/guest interface but I will be changing hosts soon so it works good enough for now. I have the opensnitch firewall and gui installed and running. I am now moving on to application execution prevention. If I understand the AppArmor explanation, it controls the files that a given application has access to. That is helpful, but what I am looking for is software that controls which applications are allowed to execute at all. In the old privatefirewall, you could just set an application to "block" and it wasn't able to run. "Block" or "ask" were the defaults for all new software. Is my understanding of AppArmor correct or do I have that wrong? AppArmor was installed with the basic install and is running, though I don't know what it is doing.

I have tried installing the Debian package for fapolicyd (fapolicyd_1.1.7-5_amd64.deb) since that seems to be more of what I am looking for. I have not been able to find a Debian package for the ui (fapolicy-analyzer). I tried converting the .rpm with alien. This gave me a .deb package with no errors from alien. I installed the .deb package but then the OS would not longer boot with many errors during boot up. I have rolled back the VM and will try again by installing fapolicyd by itself to see if it was fapolicyd or the ui that caused the boot failure. Based on what the application does, it seems as if it would need a basic policy included in installation or there may be allot things that won't run.

LMHmedchem

[peter_irich]

Sorry, if I not understand the problems, but you can use acl to allow to execute program only to determinated users,
man setfacl.