Novell APPARMOR 1.2 Administration Manual Download Page 111

Page: 111 / 130

Example 5.1

Example phpsysinfo-dev Hat

^phpsysinfo {

#include <program-chunks/base-files>

/bin/df ix,

/bin/bash ix,

/dev/tty rw,

/etc/SuSE-release r,

/etc/fstab r,

/etc/hosts r,

/etc/mtab r,

/proc/** r,

/sbin/lspci ix,

/srv/www/htdocs/sysinfo/** r,

/sys/bus/pci/devices r,

/sys/devices/** r,

/usr/bin/who ix,

/usr/share/pci.ids r,

/var/log/apache2/{access,error}_log w,

/var/run/utmp r,

}

NOTE

The profile,

^phpsysinfo-dev

, is only valid in the context of a process run-

ning under the parent profile

httpd2-prefork

5.1.2 Adding Hats and Entries to Hats

When you use the Edit Profile dialog (for instructions, refer to

Section 3.3.3, “Editing

a Profile”

(page 39)) or when you add a new profile using Manually Add Novell App-

Armor Profile (for instructions, refer to

Section 3.3.2, “Manually Adding a Profile”

(page 34)), you are given the option of adding hats (subprofiles) to your Novell App-
Armor profiles.

You can add a ChangeHat subprofile from the AppArmor Profile Dialog window.

Profiling Your Web Applications Using ChangeHat Apache

111

Summary of Contents for APPARMOR 1.2

Page 1: ...Novell AppArmor Powered by Immunix Administration Guide www novell com 1 2 09 29 2005...

Page 2: ...ns or the laws of the country in which you reside Copyright 2000 2004 2005 Novell Inc All rights reserved No part of this publication may be reproduced photocopied stored on a retrieval system or tran...

Page 3: ...PURPOSE ARE DISCLAIMED IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSE QUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBS...

Page 4: ......

Page 5: ...3 3 Building Novell AppArmor Profiles with the YaST GUI 26 3 4 Building Novell AppArmor Profiles Using the Command Line Interface 49 3 5 Two Methods of Profiling 54 3 6 Pathnames and Globbing 73 3 7...

Page 6: ...change_hat 113 6 Support 117 6 1 Updating Novell AppArmor Online 117 6 2 Using the Man Pages 117 6 3 For More Information 119 6 4 Troubleshooting 119 6 5 Support for SUSE Linux 121 6 6 Reporting Bugs...

Page 7: ...eeded for common application activities such as DNS lookup and user authentication A tool suite for developing and enhancing AppArmor profiles so that you can change the existing profiles to suit your...

Page 8: ...ample 1 Command Environment To use ls to view the contents in the current directory enter ls in a terminal window Filename Filenames directory names paths and RPM package names are represented this wa...

Page 9: ...nix Selecting Programs to Immunize Describes the types of programs that should have Novell AppArmor profiles created for them Building Novell AppArmor Profiles Describes how to use the Novell AppArmor...

Page 10: ...ST Using YaST you can launch the Novell AppArmor interface This is the recommended method for a novice Linux user For the other available methods refer to Section 3 2 Building and Managing Novell AppA...

Page 11: ...of the following locations in this guide Add Profile Wizard For detailed steps refer to Section 3 3 1 Adding a Profile Using the Wizard page 27 AppArmor Reports For detailed steps refer to Section 4...

Page 12: ...Profile Delete an existing Novell AppArmor profile from your system For detailed steps refer to Section 3 3 4 Deleting a Profile page 41 Manually Add Profile Add a Novell AppArmor profile for an appli...

Page 13: ...zing programs Proceed to Chapter 3 Building Novell AppArmor Profiles page 21 if you are ready to build and manage Novell AppArmor profiles Novell AppArmor provides streamlined access control for netwo...

Page 14: ......

Page 15: ...hat the person using the program does not have so they grant the privilege to the user when used cron jobs Programs that are run periodically by cron Such programs read input from a variety of sources...

Page 16: ...s profile can read and write 2 2 Inspect Open Ports to Immunize Programs An automated method for finding network server daemons that should be profiled is to use the unconfined tool You can also simpl...

Page 17: ...ports network ports opened by client applications but only those client applications that are running at the time the unconfined analysis is performed This is a problem because network services tend t...

Page 18: ...ver is highly configurable and Web applications can be stored in many directories depending on your local configuration SUSE Linux by default stores Web applications in srv www cgi bin To the maximum...

Page 19: ...add a profile in YaST or at the command line To take advantage of the subprocess confinement refer to Section 5 1 Apache ChangeHat page 106 Profiling Web applications that use mod_perl and mod_php re...

Page 20: ...ripts served by Apache a good approach is to edit the DEFAULT_URI subprofile 2 2 3 Immunizing Network Agents To find network server daemons that should be profiled you should inspect the open ports on...

Page 21: ...le into Its Parts Novell AppArmor profile components are called Novell AppArmor rules Currently there are two main types of Novell AppArmor rules path entries and capability entries Path entries speci...

Page 22: ...ss modes r for read w for write and x for execute A white space of any kind spaces or tabs can precede pathnames or separate the pathname from the access modes White space between the access mode and...

Page 23: ...ctions are includes that are grouped by common application tasks These tasks include access to authentication mechanisms access to name service routines common graphics requirements and system account...

Page 24: ...ities 7 man page 3 2 Building and Managing Novell AppArmor Profiles There are three ways you can build and manage Novell AppArmor profiles depending on the type of computer environment you prefer You...

Page 25: ...to Section 3 4 Building Novell AppArmor Profiles Using the Command Line Interface page 49 The command line interface offers access to a few tools that are not available using the other Novell AppArmor...

Page 26: ...ng a terminal window logging in as root and entering yast2 In the right frame you see several Novell AppArmor option icons If Novell AppArmor does not display in the left frame of the YaST window or i...

Page 27: ...o Section 3 3 5 Updating Profiles from Syslog Entries page 42 AppArmor Reports For detailed steps refer to Section 4 3 Reports page 81 AppArmor Control Panel For detailed steps refer to Section 3 3 6...

Page 28: ...ll AppArmor Add Profile Wizard 3 Enter the name of the application or browse to the location of the program 4 Click Create This runs a Novell AppArmor tool named autodep which performs a static analys...

Page 29: ...log the files and directories to which the program requires access to function properly 7 Click Scan System Log for Entries to Add to Profile to parse the learning mode log files This generates a ser...

Page 30: ...gure 3 2 Learning Mode Exception Defining Execute Permissions for an Entry page 31 The learning mode exception requires you to define execute permissions for an entry Each of these cases results in a...

Page 31: ...e Exception Controlling Access to Specific Resources From the following options select the one that satisfies the re quest for access which could be a suggested include a particular globbed version of...

Page 32: ...ned Executes the program without a security profile WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArm...

Page 33: ...sterisk in place of the file name This allows the program to access all files in the suggested directories that end with the ext extension When you double click it access is granted to all files with...

Page 34: ...ntries into the profile You simply need to select the application for which to create a profile then add entries 1 To add a profile open YaST Novell AppArmor The Novell AppArmor interface opens 2 In N...

Page 35: ...click Done Adding an Entry This section explains the Add Entry option that can be found in Section 3 3 2 Manu ally Adding a Profile page 34 or Section 3 3 3 Editing a Profile page 39 When you select A...

Page 36: ...Permission Access Modes page 74 Directory In the pop up window specify the absolute path of a directory including the type of access permitted You can use globbing if necessary When fin ished click OK...

Page 37: ...r Profile into Its Parts page 21 for more information about capabilities When finished making your selections click OK Include In the pop up window browse to the files to use as includes Includes are...

Page 38: ...file browser pop up window opens From here you can edit the selected entry In the pop up window specify the absolute path of a file including the type of access permitted You can use globbing if neces...

Page 39: ...removes the profile entry that you have selected 3 3 3 Editing a Profile Novell AppArmor enables you to manually edit Novell AppArmor profiles by adding editing or deleting entries You simply need to...

Page 40: ...3 From the list of profiled programs select the profile to edit 4 Click Next The AppArmor Profile Dialog window displays the profile 40...

Page 41: ...pop up that appears click Yes to confirm your changes to the profile 3 3 4 Deleting a Profile Novell AppArmor enables you to delete a Novell AppArmor profile manually You simply need to select the ap...

Page 42: ...avior of the profiled application that is outside of the profile definition for the program You can add the new behavior to the relevant profile by selecting the suggested profile entry 1 Open YaST No...

Page 43: ...fined see Figure 3 5 Learning Mode Exception Defining Execute Permissions for an Entry page 44 Each of these cases results in a question that you must answer that enables you to add the resource or pr...

Page 44: ...ing Mode Exception Controlling Access to Specific Resources page 43 From the following options select the one that satis fies the request for access which could be a suggested include a particular glo...

Page 45: ...program executed without a security profile WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArmor 4 Af...

Page 46: ...ng the wild card asterisk in place of the filename This allows the program to access all files in the suggested directories that end with the ext extension When you double click it access is granted t...

Page 47: ...pArmor protects your system from potential program exploitation Dis abling Novell AppArmor even if your profiles have been set up removes protection from your system Configuring Event Notification You...

Page 48: ...fication continue as described in Sec tion 4 2 2 Configuring Security Event Notification page 79 Changing Novell AppArmor Status When you change the status of Novell AppArmor you set it to enable or d...

Page 49: ...pArmor by selecting Disable Then click OK 5 Click Done in the AppArmor Configuration window 6 Click File Quit in the YaST Control Center 3 4 Building Novell AppArmor Profiles Using the Command Line In...

Page 50: ...mmands such as modprobe insmod lsmod and rmmod but this approach is not recommended Instead it is recommended to manage Novell AppArmor through the script rcsubdomain which can perform the following o...

Page 51: ...SUSE Linux to regain control To prevent such a problem always ensure that you have a running uncon fined root login on the machine being configured when you restart the SubDomain module If you damage...

Page 52: ...coloring refer to Section Subdomain vim page 71 NOTE After making changes to a profile use the rcsubdomain restart command described in the previous section This command causes the Novell AppArmor to...

Page 53: ...o view all profiles currently installed 5 Open the profile to edit in a text editor such as vim 6 Make the necessary changes then save the profile 7 Restart Novell AppArmor by entering rcsubdomain res...

Page 54: ...fer to Sec tion 3 5 1 Stand Alone Profiling page 54 Systemic Profiling A method suitable for profiling large numbers of programs all at once and for profiling applications that may run for days weeks...

Page 55: ...monitors those programs with profiles and their children Thus to get Novell AppArmor to consider a program you must at least have autodep create an approximate profile for it To create this approximat...

Page 56: ...subdomain d using vim For help using vim to its fullest capacity refer to Section Subdomain vim page 71 7 Return to enforce mode This is when the system goes back to enforcing the rules of the profile...

Page 57: ...te profile to be improved through the dynamic profiling that follows The resulting approximate profile is written to the etc subdomain d directory using the Novell AppArmor profile naming convention o...

Page 58: ...so logged To improve the profile turn complain mode on run the program through a suite of tests to generate log events that characterize the program s access needs then postprocess the log with the No...

Page 59: ...ed on Turn complain mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled Enforce toggles with complain mode Manually activating enforce mode using t...

Page 60: ...omplain mode reloads it into Novell AppArmor marks the syslog and prompts the user to execute the program and exercise its functionality Its syntax is as follows genprof d path to profiles program If...

Page 61: ...n to profile in another terminal window and perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access in order to...

Page 62: ...file usr sbin xinetd Execute usr sbin vsftpd I nherit P rofile U nconfined D eny Abo r t F inish Dealing with execute accesses is complex You must decide which of the three kinds of execute permission...

Page 63: ...or more pathnames or includes By clicking the option number select from one or more of the following options then proceed to the next step NOTE All of these options are not always presented in the No...

Page 64: ...ny Prevents the program from accessing the specified directory path entries Novell AppArmor then moves on to the next event New Prompts you to enter your own rule for this event allowing you to specif...

Page 65: ...page 71 logprof logprof is an interactive tool used to review the learning or complain mode output found in the syslog entries then generate new entries in Novell AppArmor security profiles When you r...

Page 66: ...system log logprof ignores all events in the system log before the specified mark is seen If the mark contains spaces it must be surrounded with quotes to work correctly Example logprof m e2ff78636296...

Page 67: ...to the specified directory path entries Novell AppArmor suggests file permission access For more information about this refer to Section 3 7 File Permission Access Modes page 74 Deny Prevents the prog...

Page 68: ...prof Example 2 In an example from profiling vsftpd we see this question Profile usr sbin vsftpd Path y2k jpg New Mode r 1 y2k jpg A llow D eny N ew G lob Glob w E xt Abo r t F inish Several items of i...

Page 69: ...fined program without gaining the permissions of the target s profile or losing the permis sions of the current profile This mode is often used when the child program is a helper application such as t...

Page 70: ...ce is to use Inherit This results in the less program executed from this context running under the profile for usr bin mail This has two consequences You need to add all of the basic file accesses for...

Page 71: ...ofiles with color highlighting Use vim to view and edit your profile by typing vim at a terminal window To enable the syntax coloring when you edit a Novell AppArmor profile in vim use the commands sy...

Page 72: ...on your system and reports network services that do not have Novell AppArmor profiles It requires root privilege and that it not be confined by a Novell AppArmor profile unconfined must be run as roo...

Page 73: ...o strategic and tactical use of Novell AppArmor to solve severe se curity problems in a very short period of time Published in the Proceedings of the DARPA Information Survivability Conference and Exp...

Page 74: ...a c Expand to one rule to match ab and one rule to match cd ab cd Example A rule that matches usr www pages to grant access to Web pages in both usr pages and www pages 3 7 File Permission Access Mode...

Page 75: ...d Execute Mode Allows the program to execute the resource without any Novell AppArmor profile being applied to the executed resource Requires listing execute mode as well Incompatible with inherit and...

Page 76: ...ions of the current profile This mode is infrequently used 3 7 6 Link Mode The link mode mediates access to symlinks and hardlinks and the privilege to unlink or delete files When a link is created th...

Page 77: ...struc tions for performing each of these tasks are available Section 4 1 Monitoring Your Secured Applications page 77 Section 4 5 Maintaining Your Security Profiles page 103 4 1 Monitoring Your Secure...

Page 78: ...er of individual occurrences including the date of the last occur rence For example SubDomain PERMITTING access to capability setgid httpd2 prefork 6347 profile usr sbin httpd2 prefork active usr sbin...

Page 79: ...y events The severity levels are determined by the importance of different security events such as certain resources accessed or services denied 4 2 2 Configuring Security Event Notification Security...

Page 80: ...n type pref erence 3 In each applicable notification type section enter the e mail addresses of those who should receive notification in the field provided If notification is enabled you must enter an...

Page 81: ...er to Section 4 2 1 Severity Level Notification page 79 for more information about severity levels 6 Click OK 7 Click Done in the Novell AppArmor Configuration window 8 Click File Quit in the YaST Con...

Page 82: ...to Section Executive Security Summary page 91 Application Audit Report An auditing tool that reports which application servers are running and whether the applications are confined by AppArmor Applic...

Page 83: ...rts window appears From the Reports window select an option and proceed to the section for instructions View Archive Displays all reports that have been run and stored in var log apparmor reports arch...

Page 84: ...ding New Reports page 95 Edit Edits a scheduled security incident report Delete Deletes a scheduled security incident report All stock or canned reports cannot be deleted Back Returns you to the Novel...

Page 85: ...se the current directory or select Browse to find a new report location The default directory is var log apparmor reports archived 4 To view all the reports in the archive select View All To view a sp...

Page 86: ...me or pattern that matches the name of the bi nary executable of the program of interest the report displays security events that have occurred for a specific program Profile Name When you enter the n...

Page 87: ...parated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications You can enter a pathname fo...

Page 88: ...e the application audit report ran the name and path of the unconfined program or application server the suggested profile or a placeholder for a profile for an unconfined program the process ID numbe...

Page 89: ...that displays security events of interest to an administrator The SIR reports policy violations for locally confined applications during the specified time period The SIR reports policy exceptions and...

Page 90: ...ty events are being re ported Date The date during which security events occurred Program The name of the executing process Profile The absolute name of the security profile that is applied to the pro...

Page 91: ...ources to which the profile prevents access Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Executive Security...

Page 92: ...ty events are reported End Date The last date in a range of dates during which security events are reported Num of Rejects In the date range given the total number of security events that are rejected...

Page 93: ...need help navigating to the main report screen see Section 4 3 Reports page 81 Perform the following steps to run a report from the list of reports 1 Select the report to run instantly from the list...

Page 94: ...rofile You can use this to see what is being confined by a specific profile PID Number Process ID number is a number that uniquely identifies one specific process or running program this number is val...

Page 95: ...on audit report refer to Section Application Audit Report page 88 For the recurity incident report refer to Section Security Incident Report page 89 For the executive summary report refer to Section E...

Page 96: ...n the fields with the following filtering information as necessary Report Name Specify the name of the report Use names that easily discern one report from the next Day of Month Select any day of the...

Page 97: ...export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications You c...

Page 98: ...and files You can use this field to create a report of resources to which profiles prevent access Severity Select the lowest severity level of security events to include in the report The selected sev...

Page 99: ...sary Day of Month Select any day of the month to activate monthly filtering in reports If you select All monthly filtering is not performed Day of Week Select the day of the week on which to schedule...

Page 100: ...by typing the full path name in the field provided Location to Store Log Enables you to change the location where the exported report is stored The default location is var log apparmor reports export...

Page 101: ...erity level and above are included in the reports Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Mode The mod...

Page 102: ...ss violation and determine if that event indicated a threat or was part of normal application behavior Application specific knowledge is required to make the determination If the rejection represents...

Page 103: ...ause you take the time to make profiles it makes sense to back them up Backing up profiles might save you from having to reprofile all your programs after a disk crash Also if profiles are changed you...

Page 104: ...is one of the following Run the profiling wizard by selecting Add Profile Wizard in YaST This updates your application profile set with the current productions using minimal effort For step by step in...

Page 105: ...es you to define security at a finer level than the process This feature requires that each application be made changehat aware meaning that it is modified to make a request to the Novell AppArmor mod...

Page 106: ...tically installed with Novell AppArmor as well as added to the Apache configu ration Apache 1 3 is not supported NOTE If you install mod_change_hat without Novell AppArmor you need to make sure the Ap...

Page 107: ...e create a new hat for the URI phpsysinfo dev and its subsequent accesses Using the profiling utilities we delegate what is added to this new hat The resulting hat becomes a tight security container t...

Page 108: ...age and system information NOTE To ensure that this request is processed by the server and you do not review cached data in your browser you should refresh the page To do this click the browser Refres...

Page 109: ...this application In the next screen Novell AppArmor displays an external program that the script executed You can specify that the program should run confined by the phpsys info dev hat choose Inheri...

Page 110: ...prompt you to generate new hats and add entries to your profile and its hats The process of adding entries to profiles is covered in detail in the section Section 3 3 1 Adding a Profile Using the Wiza...

Page 111: ...in the context of a process run ning under the parent profile httpd2 prefork 5 1 2 Adding Hats and Entries to Hats When you use the Edit Profile dialog for instructions refer to Section 3 3 3 Editing...

Page 112: ...at Name dialog box opens 2 Enter the name of the hat to add to the Novell AppArmor profile The name is the URI that when accessed receives the permissions set in the hat 3 Click Create Hat You are ret...

Page 113: ...nt file in an existing directory is ac cepted or rejected For Apache documentation on virtual host directives refer to http httpd apache org docs 2 0 mod core html virtualhost The change_hat specific...

Page 114: ...location mod_change_hat should use a specific hat Location foo ImmHatName MY_HAT_NAME Location This tries to use MY_HAT_NAME for any URI beginning with foo foo foo bar foo cgi path blah_blah blah etc...

Page 115: ...ci ids r var log apache2 access error _log w var run utmp r 3 Reload Novell AppArmor profiles by entering rcsubdomain restart at a terminal window as root 4 Restart Apache by entering rcapache2 restar...

Page 116: ......

Page 117: ...et an overview of the support options provided with your copy of SUSE Linux 6 1 Updating Novell AppArmor Online Updates for Novell AppArmor packages will be provided through YOU YaST Online Update Ret...

Page 118: ...mats 5 Games 6 High level concepts 7 Administrator commands 8 The section numbers are used to distinguish man pages from each other For example exit 2 describes the exit system call while exit 3 descr...

Page 119: ...roubleshooting The following section lists the most common problems and error messages that may occur using Novell AppArmor SUSE Linux is installed but AppArmor does not appear in the YaST menu AppArm...

Page 120: ...vers have a default hard limit for e mail size This limitation can impede AppArmor s ability to send e mails that are generated for reporting purposes If your mail is not arriving this could be why Us...

Page 121: ...tax errors in your profiles you see error results like this localhost etc init d subdomain start Loading SubDomain profiles Subdomain parser error line 2 Found unexpected character h Profile etc subdo...

Page 122: ...x Monday Friday from 09 00 a m to 06 00 p m EST or 06 00 a m to 03 00 p m PST All other countries Phone 44 1344 326 666 Price 46 including VAT Monday Friday 12 00 18 00 CET One incident covers up to t...

Page 123: ...t installed packages the vital HOWTOs and info pages You can access the latest Support Database articles online at http www novell com usersupport By means of the Support Database which is one of the...

Page 124: ...hanging the jumper setting Configuration of a supported PCI ethernet card for LAN access with either DHCP client or static IP This does not include the configuration of the LAN or any other computers...

Page 125: ...0 Monday through Friday from 12 00 p m to 6 00 p m EST or 09 00 a m to 03 00 p m PST France Phone 33 1 55 62 50 50 Monday through Friday from 13 00 to 17 00 CET Spain Phone 34 0 91 375 3057 Monday thr...

Page 126: ...il inquiries Contact Recommendations Misspelled commands links or directory names often cause frustrating problems and are particularly common during phone conversations To help prevent this problem p...

Page 127: ...ted check this bug report and add extra information to it if necessary 5 If your problem has not been reported yet select New from the top navigation bar and proceed to the Enter Bug page 6 Select the...

Page 128: ......

Page 129: ...reactive defense from attacks This is better because there is no window of vulnerabilty where the attack signature must be defined for Novell AppArmor as it does for products using attack signatures...

Page 130: ...do and nothing else URI Universal Resource Identifiers The generic term for all types of names and address es that refer to objects on the World Wide Web A URL is one kind of URI URL Uniform Resource...

Search results

Summary of Contents for APPARMOR 1.2

Reviews:

Novell APPARMOR 1.2, Administration Manual, Page: 111 / 130

Search results

Summary of Contents for APPARMOR 1.2

Reviews: