Implementing AppArmor for Enhanced Security on Armbian and Libre Computer's Le Potato SBC
Single Board Computers (SBCs) have been gaining popularity for their low power consumption and adequate performance in managing lightweight workloads. My recent experience migrating critical but lightweight workloads onto a Libre Computer Le Potato SBC has been highly positive. In this blog post, I share insights on running Armbian with AppArmor in enforced mode on this compact, stable and power-sipping board to enhance its security posture.
Why Opt for Libre Computer’s Le Potato?
I have already written a more detailed article going over the reasons that led me to choose Le Potato as my go-to SBC, and they were mainly three:
- Low price and no supply chain issue
- Great, first-tier support from Armbian
- Same form factor as the Rpi 3B
If you want more details, head over to my previous post!
Essential Security Hardening Measures
Before diving into AppArmor, it’s worth noting other security measures that you can implement:
- Activate unattended security updates to ensure your system is always patched.
- Secure SSH access by disallowing root login, enforcing key-based authentication, and limiting login attempts.
- Employ firewalld for a dynamic firewall management system.
- Use fail2ban to prevent brute-force attacks by monitoring log files and banning suspect IP addresses.
- Implement remote monitoring with tools like netdata.
- Upon your initial setup, audit and disable unnecessary services for minimal attack surface.
- If utilizing Docker, consider running the Docker daemon in rootless mode to reduce privileges.
I have a personal preference for SELinux due to my daily use of Fedora and my deep dive into SELinux when preparing for the RHCSA certification. Nonetheless, given that Armbian is derived from Debian and comes with AppArmor out of the box, we’ll be leveraging AppArmor in this instance. Although my comfort zone lies with SELinux, AppArmor is a respectable and effective alternative for enforcing security policies, so let’s proceed with what’s readily available on our Armbian system. ;)
Focusing on AppArmor
To install AppArmor:
sudo apt install apparmor
Expect the following output during installation, showing success and completion:
[...]
Setting up apparmor (3.0.8-3) ...
Created symlink [...]
Reloading AppArmor profiles
[...]
Proceed to enable AppArmor at boot by editing armbianEnv.txt:
sudo su
echo "extraargs=apparmor=1 security=apparmor" >> /boot/armbianEnv.txt
update-initramfs -u
The system will rebuild the initramfs, which may take a few moments. Once done:
update-initramfs: Generating /boot/initrd.img-[kernel_version]-current-meson64
[...]
update-initramfs: Armbian: done.
After a system reboot, verify that AppArmor is active with:
guillaume@bastion:~$ sudo systemctl status apparmor.service
[...]
Active: active (exited) since Sat 2023-12-16 12:45:24 +08;
[...]
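The echo ... >> step above adds a new extraargs= line every time it is run, even when the file already has one. The following sketch is an added example, not part of the original post: it merges the arguments into a single extraargs= line and checks the kernel's active LSM list after reboot. The function names merge_extraargs and lsm_is_active are hypothetical, and it assumes armbianEnv.txt should carry only one extraargs= line.

```shell
#!/bin/sh
# Added example. Usage (as root):
#   merge_extraargs /boot/armbianEnv.txt apparmor=1 security=apparmor

# Rewrite FILE so it holds exactly one extraargs= line: existing arguments are
# kept unless a new argument has the same key, in which case the new one wins.
merge_extraargs() {
    env_file=$1; shift
    [ -f "$env_file" ] || { echo "missing: $env_file" >&2; return 1; }
    # Gather the values of every extraargs= line (repeated appends leave several).
    current=$(sed -n 's/^extraargs=//p' "$env_file" | tr '\n' ' ')
    merged=
    for old in $current; do        # unquoted on purpose: split on spaces
        keep=1
        for new in "$@"; do
            if [ "${old%%=*}" = "${new%%=*}" ]; then keep=0; fi
        done
        if [ "$keep" = 1 ]; then merged="${merged:+$merged }$old"; fi
    done
    merged="${merged:+$merged }$*"
    tmp=$(mktemp) || return 1
    grep -v '^extraargs=' "$env_file" > "$tmp" || true   # grep exits 1 on no output
    printf 'extraargs=%s\n' "$merged" >> "$tmp"
    cp -p "$env_file" "$env_file.bak"      # keep a copy to restore from
    cat "$tmp" > "$env_file"               # overwrite in place, keeping mode and owner
    rm -f "$tmp"
}

# Succeed if LSM name $1 is in the comma-separated list the kernel exposes.
# $2 overrides the path (default: /sys/kernel/security/lsm) for testing.
lsm_is_active() {
    lsm_file=${2:-/sys/kernel/security/lsm}
    case ",$(cat "$lsm_file")," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

After the reboot, lsm_is_active apparmor complements the systemctl check: the unit can report active while the kernel was booted without the AppArmor LSM selected.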
For Docker users, ensure that the AppArmor profile for Docker is active:
guillaume@bastion:~$ docker info
[...]
Security Options:
apparmor
seccomp
[...]
Seeing apparmor listed under Security Options means that Docker is using AppArmor profiles, adding an additional layer of security.
Conclusion
Integrating AppArmor into SBC-hosted systems like the Libre Computer Le Potato meaningfully strengthens your security posture. By following these steps and maintaining a secure environment, you can reap the benefits of SBCs without compromising on system integrity. Remember, security is an ongoing process, not a one-time setup, so always keep your systems monitored and updated.