How do I enable deep monitoring for applications confined by AppArmor?

AppArmor is a mandatory access control system that restricts applications to a limited set of resources. For each confined application, a profile exists that specifies what operations the application is allowed to perform as well as the paths in the file system that the application is allowed to access. In order to enable deep monitoring of applications confined by AppArmor, a custom rule set for OneAgent must be included in the profiles of these applications.

The definition of a rule set, as well as a walkthrough for adding a rule set to an existing profile, is presented in the example below. In this example, we enable deep monitoring of an Apache Tomcat web server, for which the bootstrapper script is located under /usr/sbin/tomcat-sysd.

We assume that the directory structure for AppArmor is the following:

/etc/apparmor.d/
|--- usr.sbin.tomcat-sysd

Where usr.sbin.tomcat-sysd is the file that defines the AppArmor profile for Tomcat.

Create a new directory and a new rule set for OneAgent within this directory named agentinjection.

/etc/apparmor.d/
|--- usr.sbin.tomcat-sysd
|--- dynatrace-oneagent
     |--- agentinjection

The content of /etc/apparmor.d/dynatrace-oneagent/agentinjection should be as follows:

#include <abstractions/base>
#include <abstractions/nameservice>

# OneAgent process injection
/etc/ld.so.preload r,
/etc/oneagentproc/ld.so.preload r,

# Needed for OneAgent to determine whether specialized code snippet should be loaded and to calculate PGI ID
/proc/{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}/{cgroup,cmdline,environ,mem,stat,maps} r,

# OneAgent directories   
/opt/dynatrace/oneagent/agent/** mr,
/opt/dynatrace/oneagent/agent/conf/runtime/** w,
/opt/dynatrace/oneagent/log/** rkw,
/var/lib/dynatrace/oneagent/** r,
/var/lib/dynatrace/oneagent/agent/config/{discovery_entry_point,ruxit_shm_v2} w,

# OSI ID calculation
/sys/class/net/ r,  
/sys/devices/*/*/net/** r,
/sys/devices/virtual/net/** r,

# Misc
/{,var/}run/utmp rk,
/sys/devices/system/cpu/ r,
/dev/random rw,
/tmp/** rw,
/proc/sys/kernel/hostname r,

Include the rule set in the Tomcat profile (/etc/apparmor.d/usr.sbin.tomcat-sysd).

/usr/sbin/tomcat-sysd {
  #include <dynatrace-oneagent/agentinjection>

 ... (rest of the rules that were already present in the profile)
}

Verify that the defined profile works correctly:

  1. Reload AppArmor service.
  2. Restart Tomcat.
  3. Verify on the Web UI that the deep monitoring is working for Tomcat process.
  4. Inspect audit logs to ensure that there are no AppArmor denials.

Please keep in mind that although the rule set provided in this example was extensively tested, it may need to be extended or modified due to environmental differences and the custom installation path for OneAgent is not supported.

In case you experience denials related to OneAgent for other processes in the system, add the following subset of rules to the profiles of these processes.

# Process injection
  /etc/ld.so.preload r,
  /etc/oneagentproc/ld.so.preload r,
  /opt/dynatrace/oneagent/log/process/* rkw,

Although this step is optional because failed injections of OneAgent to other processes won't affect the functionality of your applications. Still, it may be required if you are running an IDS or other automated system that reports warnings for access denials found in audit logs.