manualshive.com logo in svg

Novell APPARMOR 2.0.1, Administration Manual, Page: 66 / 142

Share
Download
Novell APPARMOR 2.0.1 Administration Manual Download Page 66

the child process. This option introduces a security vulnerability that could be used
to exploit AppArmor. Only use it as a last resort.

mmap (m)

This permission denotes that the program running under the profile can access the
resource using the mmap system call with the flag

PROT_EXEC

. This means that

the data mapped in it can be executed. You are prompted to include this permission
if it is requested during a profiling run.

In the following example, the

/usr/bin/mail

mail client is being profiled and aa-

logprof has discovered that

/usr/bin/mail

executes

/usr/bin/less

as a helper

application to “page” long mail messages. Consequently, it presents this prompt:

/usr/bin/nail -> /usr/bin/less

(I)nherit / (P)rofile / (U)nconfined / (D)eny

TIP

The actual executable file for

/usr/bin/mail

turns out to be

/usr/bin/

nail

, which is not a typographical error.

The program

/usr/bin/less

appears to be a simple one for scrolling through text

that is more than one screen long and that is in fact what

/usr/bin/mail

is using

it for. However, less is actually a large and powerful program that makes use of many
other helper applications, such as tar and rpm.

TIP

Run

less

on a tar file or an RPM file and it shows you the inventory of these

containers.

You do not want to automatically run rpm when reading mail messages (that leads di-
rectly to a Microsoft* Outlook–style virus attack, because rpm has the power to install
and modify system programs) and so, in this case, the best choice is to use Inherit. This
results in the less program executed from this context running under the profile for

/usr/bin/mail

. This has two consequences:

• You need to add all of the basic file accesses for

/usr/bin/less

to the profile

for

/usr/bin/mail

.

66

Novell AppArmor Administration Guide

Summary of Contents for APPARMOR 2.0.1

Page 1: ...Novell AppArmor www novell com 2 0 1 November 29 2006 Novell AppArmor Administration Guide ...

Page 2: ...GNU Free Documentation License Novell the Novell logo the N logo openSUSE SUSE and the SUSE geeko logo are registered trademarks of Novell Inc in the United States and other countries Linux is a registered trademark of Linus Torvalds All other third party trademarks are the property of their respective owners All information found in this book has been compiled with utmost attention to detail Howe...

Page 3: ...3 Capability Entries POSIX 1e 22 3 Building and Managing Profiles With YaST 23 3 1 Adding a Profile Using the Wizard 25 3 2 Manually Adding a Profile 32 3 3 Editing Profiles 33 3 4 Deleting a Profile 38 3 5 Updating Profiles from Log Entries 39 3 6 Managing Novell AppArmor and Security Event Status 40 4 Building Profiles via the Command Line 45 4 1 Checking the AppArmor Module Status 45 4 2 Buildi...

Page 4: ...87 6 1 Monitoring Your Secured Applications 87 6 2 Configuring Security Event Notification 88 6 3 Configuring Reports 91 6 4 Reacting to Security Event Rejections 110 6 5 Maintaining Your Security Profiles 111 7 Support 113 7 1 Updating Novell AppArmor Online 113 7 2 Using the Man Pages 113 7 3 For More Information 115 7 4 Troubleshooting 116 7 5 Reporting Bugs for AppArmor 117 A Background Inform...

Page 5: ...okup and user authentication A tool suite for developing and enhancing AppArmor profiles so that you can change the existing profiles to suit your needs and create new profiles for your own local and custom applications Several specially modified applications that are AppArmor enabled to provide en hanced security in the form of unique subprocess confinement including Apache and Tomcat The Novell ...

Page 6: ...dicates support options for this product Glossary Provides a list of terms and their definitions 1 Feedback We want to hear your comments and suggestions about this manual and the other doc umentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there 2 Documentation Conventions The following typograp...

Page 7: ...icly available To download the source code proceed as outlined under http www novell com products suselinux source_code html If requested we send you the source code on a DVD We need to charge a 15 or 15 fee for creation handling and postage To request a DVD of the source code send an e mail to sourcedvd suse de mailto sourcedvd suse de or mail the request to SUSE Linux Products GmbH Product Manag...

Page 8: ......

Page 9: ... Profiles With YaST page 23 or Chapter 4 Building Profiles via the Command Line page 45 if you are ready to build and manage Novell AppArmor profiles Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read write and execute This ensures that each program does what it is supposed to do and nothing else Novell AppArmor quaran...

Page 10: ...tools interact in the building and enforcement of AppArmor profiles and policies aa unconfined aa unconfined detects any application running on your system that listens for net work connections and is not protected by an AppArmor profile Refer to Section aa unconfined Identifying Unprotected Processes page 67 for detailed infor mation on this tool aa autodep aa autodep creates a basic skeleton of ...

Page 11: ...mode of an AppArmor profile form complain to enforce Exceptions to rules set in a profile are logged but not permitted the profile is enforced Refer to Section aa enforce Entering Enforce Mode page 54 for detailed information on this tool Once a profile has been built and is loaded there are two ways in which it can get pro cessed complain In complain mode violations of AppArmor profile rules such...

Page 12: ... a Web browser including CGI Perl scripts PHP pages and more complex Web applications For instructions for finding these types of programs refer to Section 1 4 1 Immunizing Web Applications page 15 Network Agents Programs servers and clients that have open network ports User clients such as mail clients and Web browsers mediate privilege These programs run with the privilege to write to the user s...

Page 13: ...unizing Network Applications An automated method for finding network server daemons that should be profiled is to use the aa unconfined tool You can also simply view a report of this information in the YaST module refer to Section Application Audit Report page 97 for instruc tions The aa unconfined tool uses the command netstat nlp to inspect your open ports from inside your computer detect the pr...

Page 14: ...nconfined does not distinguish between one network interface and another so it reports all unconfined processes even those that might be listening to an internal LAN interface Finding user network client applications is dependent on your user preferences The aa unconfined tool detects and reports network ports opened by client applications but only those client applications that are running at the...

Page 15: ...rofile Wizard to create profiles for them Refer to Section 3 1 Adding a Profile Using the Wizard page 25 Because CGI programs are executed by the Apache Web server the profile for Apache itself usr sbin httpd2 prefork for Apache2 on openSUSE must be modified to add execute permissions to each of these programs For instance adding the line srv www cgi bin my_hit_counter pl rpx grants Apache permiss...

Page 16: ...might not be the URI depending on how Apache has been configured for where to look for module scripts If you have configured your Apache to place scripts in a different place the dif ferent names appear in log file when Novell AppArmor complains about access violations See Chapter 6 Managing Profiled Applications page 87 For mod_perl and mod_php scripts this is the name of the Perl script or the P...

Page 17: ...sider the programs that are answering on those ports and provide profiles for as many of those programs as possible If you provide profiles for all programs with open network ports an attacker cannot get to the file system on your machine without passing through a Novell AppArmor profile policy Scan your server for open network ports manually from outside the machine using a scanner such as nmap o...

Page 18: ......

Page 19: ... profile components are called Novell AppArmor rules Currently there are two main types of Novell AppArmor rules path entries and capability entries Path entries specify what the process can access in the file system and capability entries provide a more fine grained control over what a confined process is allowed to do through other system calls that require privileges Includes are a type of meta...

Page 20: ...d The curly braces serve as a container for include statements of other profiles as well as for path and capability entries This directive pulls in components of Novell AppArmor profiles to simplify pro files Capability entry statements enable each of the 29 POSIX 1e draft capabilities The curly braces make this rule apply to the path both with and without the content enclosed by the braces A path...

Page 21: ... in addition to the native Linux access controls Example To gain the capability CAP_CHOWN the program must have both access to CAP_CHOWN under conventional Linux access controls typically be a root owned process and have the capability chown in its profile Similarly to be able to write to the file foo bar the program must have both the correct user ID and mode bits set in the files attributes see ...

Page 22: ...equirements and system accounting Files listed in these abstractions are specific to the named task Programs that require one of these files usually require some of the other files listed in the abstraction file depending on the local configuration as well as the specific requirements of the program Find abstractions in etc apparmor d abstractions 2 2 2 Program Chunks The program chunks directory ...

Page 23: ...pArmor offers the same functionality as the graphical interface while consuming less resources and bandwidth It is not described separately since it works similar as the graphical interface A general introduction into use and navigation of the YaST ncurses interface can be found in Chapter 4 YaST in Text Mode Reference AppArmor Command Line AppArmor offers a purely command line based interface whi...

Page 24: ...em without the help of the wizard For detailed steps refer to Section 3 2 Manually Adding a Profile page 32 Edit Profile Edits an existing Novell AppArmor profile on your system For detailed steps refer to Section 3 3 Editing Profiles page 33 Delete Profile Deletes an existing Novell AppArmor profile from your system For detailed steps refer to Section 3 4 Deleting a Profile page 38 Update Profile...

Page 25: ...le and aa logprof Update Profiles from Learning Mode Log File For more information about these tools refer to Section 4 6 3 Summary of Profiling Tools page 52 1 Stop the application before profiling it to ensure that the application start up is included in the profile To do this make sure that the application or daemon is not running For example enter etc init d PROGRAM stop in a terminal window w...

Page 26: ...formation about learning mode refer to Section aa complain Entering Complain or Learning Mode page 53 5 Run the application to profile 6 Perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access to function properly Be sure to include restarting and stopping the program in the exercised functions AppArmor needs ...

Page 27: ...transition has not been defined see Figure 3 2 Learning Mode Exception Defining Execute Permissions for an Entry page 28 Define execute permissions for an entry Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile The following two figures show an example of each case Subsequent steps describe your optio...

Page 28: ...n Defining Execute Permissions for an Entry 8 The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application you are profiling as seen in Figure 3 1 Learning Mode Exception Controlling Access to Specific Resources page 28 or re 28 Novell AppArmor Administration Guide ...

Page 29: ...duce the size of a profile It is good practice to select includes when suggested Globbed Version Accessed by clicking Glob For information about globbing syntax refer to Section 4 7 Pathnames and Globbing page 68 Actual Pathname Literal path that the program needs to access to run properly After you select a directory path process it as an entry into the Novell App Armor profile by clicking Allow ...

Page 30: ...with the ext extension When you double click it access is granted to all files with the particular extension and subdirectories beneath the one shown Edit Edit the highlighted line The new edited line appears at the bottom of the list Abort Abort aa logprof losing all rule changes entered so far and leaving all profiles unmodified Finish Close aa logprof saving all rule changes entered so far and ...

Page 31: ... secure sanitized option Unconfined Execute the program without a security profile When prompted let AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArmor Deny Click Deny...

Page 32: ...Start YaST and select Novell AppArmor Manually Add Profile 2 Browse your system to find the application for which to create a profile 3 When you find the application select it and click Open A basic empty profile appears in the Novell AppArmor Profile Dialog window 4 In the AppArmor Profile Dialog window you can add edit or delete Novell AppArmor profile entries by clicking the corresponding butto...

Page 33: ... profiles by adding editing or deleting entries To edit a profile proceed as follows 1 Start YaST and select Novell AppArmor Edit Profile 2 From the list of profiled applications select the profile to edit 3 Click Next The AppArmor Profile Dialog window displays the profile Building and Managing Profiles With YaST 33 ...

Page 34: ...ou are finished click Done 6 In the pop up that appears click Yes to confirm your changes to the profile and reload the AppArmor profile set TIP Syntax Checking in AppArmor AppArmor contains a syntax check that will notify you of any syntax errors in profiles you are trying to process with the YaST AppArmor tools Should an error occur edit the respective profile manually as root and reload the pro...

Page 35: ...finished click OK You can use globbing if necessary For globbing information refer to Section 4 7 Pathnames and Globbing page 68 For file access permission information refer to Section 4 8 File Permission Access Modes page 69 Directory In the pop up window specify the absolute path of a directory including the type of access permitted You can use globbing if necessary When finished click OK For gl...

Page 36: ...ese are statements that enable each of the 32 POSIX 1e capabilities Refer to Section 2 1 Breaking a Novell AppArmor Profile into Its Parts page 19 for more information about capabilities When finished making your selections click OK 36 Novell AppArmor Administration Guide ...

Page 37: ...2 include Statements page 21 Hat In the pop up window specify the name of the subprofile hat to add to your current profile and click Create Hat For more information refer to Chapter 5 Profiling Your Web Applications Using ChangeHat page 75 3 3 2 Editing an Entry When you select Edit Entry the file browser pop up window opens From here you can edit the selected entry Building and Managing Profiles...

Page 38: ... File Permission Access Modes page 69 3 3 3 Deleting an Entry To delete an entry in a given profile select Delete Entry Novell AppArmor removes the selected profile entry 3 4 Deleting a Profile Novell AppArmor enables you to delete a Novell AppArmor profile manually Simply select the application for which to delete a profile then delete it as follows 1 Start YaST and select Novell AppArmor Delete ...

Page 39: ...e profiled application that is outside of the profile definition for the program You can add the new behavior to the relevant profile by selecting the suggested profile entry 1 Start YaST and select Novell AppArmor Update Profile Wizard Running Update Profile Wizard aa logprof parses the learning mode log files This generates a series of questions that you must answer to guide aa logprof to genera...

Page 40: ...n Disabling Novell AppArmor even if your profiles have been set up removes protection from your system You can determine how and when you are notified when system security events occur NOTE For event notification to work you must set up a mail server on your system that can send outgoing mail using the single mail transfer protocol SMTP such as postfix or exim To configure event notification or ch...

Page 41: ...dividual profiles continue as described in Sec tion 3 6 2 Changing the Mode of Individual Profiles page 42 To configure security event notification continue as described in Section 6 2 Configuring Security Event Notification page 88 3 6 1 Changing Novell AppArmor Status When you change the status of Novell AppArmor set it to enabled or disabled When Novell AppArmor is enabled it is installed runni...

Page 42: ...files and is used by the AppArmor tools for generating profiles Loading a profile in enforce mode enforces the policy defined in the profile as well as reports policy violation attempts to syslogd YaST s Profile Mode dialog allows you to view and edit the mode of currently loaded AppArmor profiles This feature is useful to determine the status of your system during profile development During the c...

Page 43: ... Set All to Complain TIP Listing the Profiles Available By default only active profiles are listed i e any profile that has a matching application installed on your system Should you want to set up a profile before installing the respective application click Show All Profiles and select the profile you want to configure from the list that appears Building and Managing Profiles With YaST 43 ...

Page 44: ......

Page 45: ...Information Before starting to manage your profiles using the AppArmor command line tools check out the general introduction to AppArmor given in Chapter 1 Immunizing Programs page 9 and Chapter 2 Profile Components and Syntax page 19 4 1 Checking the AppArmor Module Status The AppArmor module can be in any one of three states Unloaded The AppArmor module is not loaded into the kernel Running The ...

Page 46: ... causes the module to rescan the Novell AppArmor profiles usually found in etc apparmor d and puts the module in the running state If the module was already running start reports a warning and takes no action rcapparmor stop Stops the AppArmor module if it was running by removing all profiles from kernel memory effectively disabling all access controls putting the module into the stopped state If ...

Page 47: ...ectory as plain text files For a detailed description of the syntax of these files refer to Chapter 2 Profile Components and Syntax page 19 All files in the etc apparmor d directory are interpreted as profiles and are loaded as such Renaming files in that directory is not an effective way of preventing profiles from being loaded You must remove profiles from this directory to effectively prevent t...

Page 48: ...ot enter su in a terminal window 2 Enter the root password when prompted 3 Go to the profile directory with cd etc apparmor d 4 Enter ls to view all profiles currently installed 5 Open the profile to edit in a text editor such as vim 6 Make the necessary changes then save the profile 7 Restart Novell AppArmor by entering rcapparmor restart in a terminal window 4 5 Deleting a Novell AppArmor Profil...

Page 49: ...d Alone Profiling A method suitable for profiling small applications that have a finite run time such as user client applications like mail clients For more information refer to Sec tion 4 6 1 Stand Alone Profiling page 50 Systemic Profiling A method suitable for profiling large numbers of programs all at once and for profiling applications that may run for days weeks or continuously across reboot...

Page 50: ...Novell AppArmor profile for a group of applications as follows 1 Create profiles for the individual programs that make up your application Although this approach is systemic Novell AppArmor only monitors those pro grams with profiles and their children To get Novell AppArmor to consider a program you must at least have aa autodep create an approximate profile for it To create this approximate prof...

Page 51: ...maller data sets that can be trained and reloaded into the policy engine Subsequent iterations generate fewer messages and run faster 6 Edit the profiles You might want to review the profiles that have been gen erated You can open and edit the profiles in etc apparmor d using vim 7 Return to enforce mode This is when the system goes back to enforcing the rules of the profiles not just logging info...

Page 52: ...utodep finds by searching your shell s path variable or it can be a fully qualified path The program itself can be of any type ELF binary shell script Perl script etc aa autodep generates an approx imate profile to improve through the dynamic profiling that follows The resulting approximate profile is written to the etc apparmor d directory using the Novell AppArmor profile naming convention of na...

Page 53: ...cts violations of Novell App Armor profile rules such as the profiled program accessing files not permitted by the profile The violations are permitted but also logged To improve the profile turn complain mode on run the program through a suite of tests to generate log events that characterize the program s access needs then postprocess the log with the Novell AppArmor tools to transform log event...

Page 54: ... Mode The enforce mode detects violations of Novell AppArmor profile rules such as the profiled program accessing files not permitted by the profile The violations are logged and not permitted The default is for enforce mode to be enabled To log the violations only but still permit them use complain mode Enforce toggles with complain mode Manually activating enforce mode using the command line add...

Page 55: ...or refer ence aa genprof Generating Profiles aa genprof is Novell AppArmor s profile generating utility It runs aa autodep on the specified program creating an approximate profile if a profile does not already exist for it sets it to complain mode reloads it into Novell AppArmor marks the log and prompts the user to execute the program and exercise its functionality Its syntax is as follows aa gen...

Page 56: ...623407 898 449 PERMITTING r access to usr lib apache2 mod_setenvif so httpd2 prefork 5425 profile usr sbin httpd2 prefork active usr sbin httpd2 prefork Marks the log with a beginning marker of log events to consider For example Sep 13 17 48 52 figwit root GenProf e2ff78636296f16d0b5301209a04430d 3 When prompted by the tool run the application to profile in another terminal window and perform as m...

Page 57: ...e Subsequent steps describe your options in answering these questions Dealing with execute accesses is complex You must decide how to proceed with this entry regarding which execute permission type to grant to this entry Example 4 1 Learning Mode Exception Controlling Access to Specific Resources Reading log entries from var log audit audit log Updating AppArmor profiles in etc apparmor d Profile ...

Page 58: ...rmor profile applied to the executed resource Choose the unconfined with clean exec Ux option to scrub the environ ment of environment variables that could modify execution behavior when passed on to the child process This option introduces a security vulnerability that could be used to exploit AppArmor Only use it as a last resort mmap m This permission denotes that the program running under the ...

Page 59: ...names or includes By entering the option number select from one or more of the options then proceed to the next step NOTE All of these options are not always presented in the Novell AppArmor menu include This is the section of a Novell AppArmor profile that refers to an include file which procures access permissions for programs By using an in clude you can give the program access to directory pat...

Page 60: ...ion Access Modes page 69 Deny Prevents the program from accessing the specified directory path entries Novell AppArmor then moves on to the next event New Prompts you to enter your own rule for this event allowing you to specify whatever form of regular expression you want If the expression you enter does not actually satisfy the event that prompted the question in the first place Novell AppArmor ...

Page 61: ...active tool used to review the learning or complain mode output found in the log entries under var log audit audit log or var log messages if auditd is not running and generate new entries in Novell AppArmor security profiles When you run aa logprof it begins to scan the log files produced in learning or complain mode and if there are new security events that are not covered by the existing profil...

Page 62: ...he log file is not located in the default directory var log audit audit log or var log messages if auditd is not running aa logprof m string marker in logfile Marks the starting point for aa logprof to look in the system log aa logprof ignores all events in the system log before the specified mark If the mark contains spaces it must be surrounded by quotes to work correctly For example aa logprof ...

Page 63: ...y profiles Profile usr sbin httpd2 prefork Path etc group New Mode r 1 include abstractions nameservice 2 etc group A llow D eny N ew G lob Glob w E xt Abo r t F inish Select one of the following responses Select Enter Allows access to the selected directory path Allow Allows access to the specified directory path entries Novell AppArmor suggests file permission access For more information about t...

Page 64: ...ar and leaving all profiles unmodified Finish Closes aa logprof saving all rule changes entered so far and modifying all profiles aa logprof Example 2 In an example from profiling vsftpd see this question Profile usr sbin vsftpd Path y2k jpg New Mode r 1 y2k jpg A llow D eny N ew G lob Glob w E xt Abo r t F inish Several items of interest appear in this question First note that vsftpd is asking fo...

Page 65: ...s useful when a confined program needs to call another confined program without gaining the permissions of the target s profile or losing the permis sions of the current profile This mode is often used when the child program is a helper application such as the usr bin mail client using the less program as a pager or the Mozilla Web browser using the Acrobat program to display PDF files profile px ...

Page 66: ...l turns out to be usr bin nail which is not a typographical error The program usr bin less appears to be a simple one for scrolling through text that is more than one screen long and that is in fact what usr bin mail is using it for However less is actually a large and powerful program that makes use of many other helper applications such as tar and rpm TIP Run less on a tar file or an RPM file an...

Page 67: ... into the parent profile so that when the child runs it runs without any Novell AppArmor profile being applied at all but the environment is cleaned of some environment variables which can alter execution behavior before the child inherits it Running unconfined means running with no protection and should only be used when absolutely required aa unconfined Identifying Unprotected Processes The aa u...

Page 68: ... syntax similar to that used by popular shells such as csh bash and zsh Substitutes for any number of characters except Example An arbitrary number of path elements including entire directories Substitutes for any number of characters includ ing Example an arbitrary number of path elements including entire directories Substitutes for any single character except Substitutes for the single character...

Page 69: ...e mode px Discrete profile execute mode clean exec Px Unconstrained execute mode ux Unconstrained execute mode clean exec Ux Inherit execute mode ix Allow PROT_EXEC with mmap 2 calls m Link mode l Read Mode r Allows the program to have read access to the resource Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attac...

Page 70: ...ams See ld so 8 for some information about setuid and setgid environment scrubbing Incompatible with Ux ux px and ix Unconstrained Execute Mode ux Allows the program to execute the resource without any Novell AppArmor profile applied to the executed resource Requires listing execute mode as well This mode is useful when a confined program needs to be able to perform a privi leged operation such as...

Page 71: ...atible with ux px Px and ix Inherit Execute Mode ix ix prevents the normal AppArmor domain transition on execve 2 when the profiled program executes the named program Instead the executed resource in herits the current profile This mode is useful when a confined program needs to call another confined pro gram without gaining the permissions of the target s profile or losing the permissions of the ...

Page 72: ... of the Ux or Px file permission access modes take into account that the following environment variables are removed from the environment before the child process inherits it As a consequence applications or processes relying on any of these variables do not work anymore if the profile applied to them carries Ux or Px flags GCONV_PATH GETCONF_DIR HOSTALIASES LD_AUDIT LD_DEBUG LD_DEBUG_OUTPUT LD_DY...

Page 73: ...s sys kernel security apparmor profiles Virtualized file representing the currently loaded set of profiles etc apparmor Location of AppArmor configuration files etc apparmor d Location of profiles named with the convention of replacing the in pathnames with not for the root so profiles are easier to manage For example the profile for the program usr sbin ntpd is named usr sbin ntpd etc apparmor d ...

Page 74: ...nt Check this file to review the confinement status of a process and the profile that is used to confine the process The ps auxZ command retrieves this information automatically 74 Novell AppArmor Administration Guide ...

Page 75: ...he process This feature requires that each application be made ChangeHat aware meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution Two examples for ChangeHat aware applications are the Apache Web server and Tomcat A profile can have an arbitrary number of subprofiles but there are only two levels...

Page 76: ...y adding the following line to your Apache configuration file LoadModule change_hat_module modules mod_change_hat so 5 1 1 Managing ChangeHat Aware Applications As with most of the Novell AppArmor tools you can use two methods for managing ChangeHat YaST or the command line interface Manage ChangeHat aware applications is much more flexible at the command line but the process is also more complica...

Page 77: ...y container that encompasses all the processing on the server that occurs when the phpsysinfo dev URI is passed to the Apache Web server The URI runs the application phpsysinfo refer to http phpsysinfo sourceforge net for more information The phpsysinfo dev package is assumed to be installed in srv www htdocs phpsysinfo dev in a clean new install of openSUSE and AppArmor 1 Once phpsysinfo dev is i...

Page 78: ... data in your browser refresh the page To do this click the browser Refresh button to make sure that Apache processes the re quest for the phpsysinfo dev URI 6 Click Scan System Log for Entries to Add to Profiles Novell AppArmor launches the aa logprof tool which scans the information learned in the previous step It begins to prompt you with profile questions 7 aa logprof first prompts with Add Re...

Page 79: ...that the script executed You can specify that the program should run confined by the phpsys info dev hat choose Inherit confined by a separate profile choose Profile or that it should run unconfined or without any security profile choose Unconfined For the case of the Profile option a new profile is created for the program if one does not already exist NOTE Security Considerations Selecting Unconf...

Page 80: ...prompt you to generate new hats and add entries to your profile and its hats The process of adding entries to profiles is covered in detail in the Section 3 1 Adding a Profile Using the Wizard page 25 When all profiling questions are answered click Finish to save your changes and exit the wizard The following is an example phpsysinfo dev hat 80 Novell AppArmor Administration Guide ...

Page 81: ...ysinfo dev is only valid in the context of a process running under the parent profile httpd2 prefork 5 1 2 Adding Hats and Entries to Hats When you use the Edit Profile dialog for instructions refer to Section 3 3 Editing Profiles page 33 or when you add a new profile using Manually Add Profile for instructions refer to Section 3 2 Manually Adding a Profile page 32 you are given the option of addi...

Page 82: ...x opens 2 Enter the name of the hat to add to the Novell AppArmor profile The name is the URI that when accessed receives the permissions set in the hat 3 Click Create Hat You are returned to the AppArmor Profile Dialog screen 4 After adding the new hat click Done 82 Novell AppArmor Administration Guide ...

Page 83: ... or that refer to a nonexistent file in an existing direc tory are accepted or rejected For Apache documentation on virtual host directives refer to http httpd apache org docs 2 2 mod core html virtualhost The ChangeHat specific configuration keyword is AADefaultHatName It is used similarly to AAHatName for example AADefaultHatName My_Funky_Default_Hat The configuration option is actually based on...

Page 84: ...AHatName MY_HAT_NAME Location This tries to use MY_HAT_NAME for any URI beginning with foo foo foo bar foo cgi path blah_blah blah etc The directory directive works similarly to the location directive except it refers to a path in the file system as in the following example Directory srv www www immunix com docs Note lack of trailing slash AAHatName immunix com Directory Example The program phpsys...

Page 85: ...og w var run utmp r 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root 4 Restart Apache by entering rcapache2 restart at a terminal window as root 5 Enter http hostname sysinfo into a browser to receive the system information that phpsysinfo delivers 6 Locate configuration errors by going to var log audit audit log or running dmesg and looking for any rej...

Page 86: ......

Page 87: ...Monitoring Your Secured Applications Applications that are confined by Novell AppArmor security profiles generate messages when applications execute in unexpected ways or outside of their specified profile These messages can be monitored by event notification periodic report generation or integration into a third party reporting mechanism For reporting and alerting AppArmor uses a userspace daemon...

Page 88: ... following notification types Terse Terse notification summarizes the total number of system events without providing details For example sun example com has had 29 security events since Mon May 22 16 32 38 2006 Summary Notification Summary notification displays the logged Novell AppArmor security events and lists the number of individual occurrences including the date of the last occurrence For e...

Page 89: ... or exim for event notification to work 1 In the Enable Security Event Notification section of the AppArmor Configuration window click Configure 2 In the Security Event Notification window enable Terse Summary or Verbose event notification a In each applicable notification type section enter the e mail addresses of those who should receive notification in the field provided If notification is enab...

Page 90: ...nterval is 1 day the notification is sent daily if security events occur NOTE Severity Levels Novell AppArmor sends out event messages for things that are in the severity database and above the level that you select Severity levels are numbered 1 through 10 10 being the most severe security incident The etc severity db file defines the severity level of potential security events The severity level...

Page 91: ...ts you can read important Novell AppArmor security events reported in the log files without manually sifting through the messages only useful to the aa logprof tool Narrow down the size of the report by filtering by date range or program name You can also export an html or csv file The following are the three types of reports available in Novell AppArmor Executive Security Summary A combined repor...

Page 92: ... Report page 98 To use the Novell AppArmor reporting features proceed with the following steps 1 Open YaST Novell AppArmor 2 In Novell AppArmor click AppArmor Reports The AppArmor Security Event Reports window appears From the Reports window select an option and proceed to the respective section for instructions View Archive Displays all reports that have been run and stored in var log apparmor re...

Page 93: ...port Delete Deletes a scheduled security incident report All stock or canned reports cannot be deleted Back Returns you to the Novell AppArmor main screen Abort Returns you to the Novell AppArmor main screen Next Performs the same function as the Run Now button 6 3 1 Viewing Archived Reports View Reports enables you to specify the location of a cumulation of reports from one or more systems includ...

Page 94: ... the current directory or select Browse to find a new report location The default directory is var log apparmor reports archived 4 To view all the reports in the archive select View All To view a specific report select a report file listed in the Report field then select View 5 For Application Audit and Executive Security Summary reports proceed to Step 9 page 96 6 The Report Configuration Dialog ...

Page 95: ...that matches the name of the bi nary executable of the program of interest the report displays security events that have occurred for a specific program Profile Name When you enter the name of the profile the report displays the security events that are generated for the specified profile You can use this to see what is being confined by a specific profile PID Number PID number is a number that un...

Page 96: ...port a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications You can enter a path for your exported report by typing the full path in the field pro vided Location to Store Log Enables you to change the location at which to store the exported report The default location...

Page 97: ...ng and whether they are confined by AppArmor The following fields are provided in an application audit report Host The machine protected by AppArmor for which the security events are reported Date The date during which security events occurred Program The name and path of the executing process Profile The absolute name of the security profile that is applied to the process Managing Profiled Applic...

Page 98: ...ns for locally confined applications during the specified time period It also reports policy exceptions and policy engine state changes These two types of security events are defined as follows Policy Exceptions When an application requests a resource that is not defined within its profile a se curity event is triggered A report is generated that displays security events of interest to an administ...

Page 99: ...ecurity profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Severity Severity levels of events are reported from the severity database The severity database defines the importance of potential security events and numbers them 1 through 10 10 being the most severe security ...

Page 100: ...port the resources to which the profile prevents access Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Executive Security Summary A combined report consisting of one or more high level reports from one or more ma chines This report can provide a single view of security events on multiple machines if each mac...

Page 101: ...ven Unknown severities are disregarded in this figure High Sev This is the severity of the highest severity event reported in the date range given 6 3 2 Run Now Running On Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events If you need help navigating to the main report screen see Sec...

Page 102: ...gram Name When you enter a program name or pattern that matches the name of the bi nary executable for the program of interest the report displays security events that have occurred for the specified program only Profile Name When you enter the name of the profile the report displays the security events that are generated for the specified profile You can use this to see what is confined by a spec...

Page 103: ...ma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications Enter a path for your exported report by typing in the full path in the field provided Location to Store Log Enables you to change the location that the exported report is stored The default location is var log apparmor re...

Page 104: ...hly or hourly report to run for a specified pe riod You can set the report to display rejections for certain severity levels or to filter by program name profile name severity level or denied resources This report can be exported to an HTML Hypertext Markup Language or CSV Comma Separated Values file format NOTE Return to the beginning of this section if you need help navigating to the main report...

Page 105: ...selected the report runs daily at the specified time E Mail Target You have the ability to send the scheduled security incident report via e mail to up to three recipients Just enter the e mail addresses for those who require the security incident information Export Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log ent...

Page 106: ...ents You can use this to see what is being confined by a specific profile PID Number A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Detail A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent access...

Page 107: ...Editing Reports From the AppArmor Reports screen you can select and edit a report The three precon figured reports stock reports cannot be edited or deleted NOTE Return to the beginning of this section if you need help navigating to the main report screen see Section 6 3 Configuring Reports page 91 Perform the following steps to modify a report from the list of reports 1 From the list of reports i...

Page 108: ...he ability to send the scheduled security incident report via e mail to up to three recipients Just enter the e mail addresses for those who require the security incident information Export Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table orient...

Page 109: ... this to see what is being confined by a specific profile PID Number Process ID number is a number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Detail A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent a...

Page 110: ...e 2 From the confirmation pop up select Cancel if you do not want to delete the selected report If you are sure you want to remove the report permanently from the list of reports select Delete 6 4 Reacting to Security Event Rejections When you receive a security event rejection examine the access violation and determine if that event indicated a threat or was part of normal application behavior Ap...

Page 111: ...g the backed up files Back up profiles by copying the profile files to a specified directory 1 You should first archive the files into one file To do this open a terminal window and enter the following as root tar zclpf profiles tgz etc apparmor d The simplest method to ensure that your security policy files are regularly backed up is to include the directory etc apparmor d in the list of director...

Page 112: ... instructions refer to Section 3 1 Adding a Profile Using the Wizard page 25 Run aa genprof by typing aa genprof in a terminal while logged in as root For detailed instructions refer to Section aa genprof Generating Profiles page 55 If you intend to deploy a patch or upgrade directly into a production environment the best method for updating your profiles is one of the following Monitor the system...

Page 113: ...cement requests for Novell AppArmor following the instructions in this chapter 7 1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for openSUSE Retrieve and apply them exactly like for any other package that ships as part of openSUSE 7 2 Using the Man Pages There are man pages available for your use In a terminal enter man appar...

Page 114: ...h level concepts 7 Administrator commands 8 The section numbers are used to distinguish man pages from each other For example exit 2 describes the exit system call while exit 3 describes the exit C library function The Novell AppArmor man pages are unconfined 8 autodep 1 complain 1 enforce 1 genprof 1 logprof 1 change_hat 2 logprof conf 5 114 Novell AppArmor Administration Guide ...

Page 115: ...ell com mailto apparmor general forge novell com This is a mailing list for end users of AppArmor It is a good place for questions about how to use AppArmor to protect your applications apparmor dev forge novell com mailto apparmor dev forge novell com This is a developer mailing list for AppArmor developers and community members This list is for questions about development of core AppArmor featur...

Page 116: ...r service without AppArmor protection re move the application s profile from etc apparmor d or move it to another location Issues with Apache Apache is not starting properly or it is not serving Web pages and you just installed a new module or made a configuration change When you install additional Apache modules like apache2 mod apparmor or make configuration changes to Apache you should profile ...

Page 117: ...d character h Profile etc apparmor d usr sbin squid failed to load failed Using the AppArmor YaST tools you get a graphical error message indicating which profile contained the error and requesting you to fix it To fix a syntax error log in to a terminal window as root open the respective profile and correct the syntax Reload the profile set by using the rcapparmor reload command 7 5 Reporting Bug...

Page 118: ...d keyword or use the Advanced Search 4 If your problem has already been reported check this bug report and add extra information to it if necessary 5 If your problem has not been reported yet select New from the top navigation bar and proceed to the Enter Bug page 6 Select the product against which to file the bug In your case this would be your product s release Click Submit 7 Select the product ...

Page 119: ...ew Orleans LA This paper is now out of date describing syntax and features that are different from the current Novell AppArmor product This paper should be used only for scientific background and not for technical documentation Defcon Capture the Flag Defending Vulnerable Code from Intense Attack by Crispin Cowan Seth Arnold Steve Beattie Chris Wright and John Viega A good guide to strategic and t...

Page 120: ......

Page 121: ... allowed B 1 1 Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This General Public License applies to most of the Free Software Foundation s software and to any other program whos...

Page 122: ...ce code And you must show them these terms so they know their rights We protect your rights with two steps 1 copyright the software and 2 offer you this license which gives you legal permission to copy distribute and or modify the software Also for each author s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the software is...

Page 123: ...s contents constitute a work based on the Program independent of having been made by running the Program Whether that is true depends on what the Program does 1 You may copy and distribute verbatim copies of the Program s source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep...

Page 124: ...f a whole which is a work based on the Program the distri bution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to co...

Page 125: ...o copy the source code from the same place counts as distribution of the source code even though third parties are not com pelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as ex pressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatically termina...

Page 126: ... infringe any patents or other prop erty right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that...

Page 127: ...FREE OF CHARGE THERE IS NO WARRANTY FOR THE PROGRAM TO THE EXTENT PERMITTED BY AP PLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IM PLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUAL...

Page 128: ... your option any later version This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License for more details You should have received a copy of the GNU General Public License along with this program if not write to the Free Software Foundation Inc 5...

Page 129: ...h the library If this is what you want to do use the GNU Lesser General Public License http www fsf org licenses lgpl html instead of this License B 2 GNU Free Documentation License Version 1 2 November 2002 Copyright C 2000 2001 2002 Free Software Foundation Inc 59 Temple Place Suite 330 Boston MA 02111 1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document...

Page 130: ...ou accept the license if you copy modify or distribute the work in a way re quiring permission under copyright law A Modified Version of the Document means any work containing the Document or a portion of it either copied verbatim or with modifications and or translated into an other language A Secondary Section is a named appendix or a front matter section of the Document that deals exclusively w...

Page 131: ...ndard conforming simple HTML PostScript or PDF designed for human modification Examples of transparent image formats include PNG XCF and JPG Opaque formats include proprietary formats that can be read and edited only by proprietary word processors SGML or XML for which the DTD and or processing tools are not generally available and the machine generated HTML PostScript or PDF produced by some word...

Page 132: ...hat commonly have printed covers of the Document numbering more than 100 and the Document s license notice requires Cover Texts you must enclose the copies in covers that carry clearly and legibly all these Cover Texts Front Cover Texts on the front cover and Back Cover Texts on the back cover Both covers must also clearly and legibly identify you as the publisher of these copies The front cover m...

Page 133: ...tion and modification of the Modified Version to whoever possesses a copy of it In addition you must do these things in the Modified Version A Use in the Title Page and on the covers if any a title distinct from that of the Document and from those of previous versions which should if there were any be listed in the History section of the Document You may use the same title as a previous version if...

Page 134: ...lf or if the original publisher of the version it refers to gives permission K For any section Entitled Acknowledgements or Dedications Preserve the Title of the section and preserve in the section all the substance and tone of each of the contributor acknowledgements and or dedications given therein L Preserve all the Invariant Sections of the Document unaltered in their text and in their titles ...

Page 135: ... B 2 6 COMBINING DOCUMENTS You may combine the Document with other documents released under this License under the terms defined in section 4 above for modified versions provided that you include in the combination all of the Invariant Sections of all of the original documents unmodified and list them all as Invariant Sections of your combined work in its license notice and that you preserve all t...

Page 136: ... what the individual works permit When the Document is included in an aggregate this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document If the Cover Text requirement of section 3 is applicable to these copies of the Document then if the Document is less than one half of the entire aggregate the Document s Cover Texts may be placed o...

Page 137: ...m you under this License will not have their licenses terminated so long as such parties remain in full compliance B 2 11 FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new revised versions of the GNU Free Documentation License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns...

Page 138: ...py of the license is included in the section entitled GNU Free Documentation License If you have Invariant Sections Front Cover Texts and Back Cover Texts replace the with Texts line with this with the Invariant Sections being LIST THEIR TITLES with the Front Cover Texts being LIST and with the Back Cover Texts being LIST If you have Invariant Sections without Cover Texts or some other combination...

Page 139: ...ally malicious activity By not relying on attack signatures Novell AppArmor provides proactive instead of reactive defense from attacks This is better because there is no window of vulnerability where the attack signature must be defined for Novell AppArmor as it does for products using attack signatures to secure their networks GUI Graphical user interface Refers to a software front end meant to ...

Page 140: ...d access control Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read write and execute This ensures that each program does what it is supposed to do and nothing else URI Universal resource identifier The generic term for all types of names and addresses that refer to objects on the World Wide Web A URL is one kind of UR...

Page 141: ...weaknesses or flaws in hardware firmware or software If ex ploited a vulnerability could lead to an unacceptable impact in the form of unau thorized access to information or disruption of critical processing Glossary 141 ...

Page 142: ......

Reviews:

No comments