
When you are done, click Finish. In the following pop-up, click Yes to exit the Profile Creation Wizard. The profile is saved and loaded into the Novell AppArmor module.

3.3.2 Manually Adding a Profile

Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile, then add entries.

1. To add a profile, open YaST → Novell AppArmor. The Novell AppArmor category opens.

2. In Novell AppArmor, click Manually Add Profile.

3. Browse your system to find the application for which to create a profile.

4. When you find the application, select it and click Open. A basic, empty profile appears in the Novell AppArmor Profile Dialog window.

5. In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to

Building Novell AppArmor Profiles

33

Source: Novell AppArmor 2.0 Administration Guide, www.novell.com, August 28, 2006.

Page 2: ...und in this book has been compiled with utmost attention to detail However this does not guarantee complete accuracy Neither SUSE LINUX GmbH the authors nor the translators shall be held liable for possible errors or the consequences thereof Novell the Novell logo the N logo and SUSE are registered trademarks of Novell Inc in the United States and other countries Linux is a registered trademark of...

Page 3: ...lding Novell AppArmor Profiles with the YaST GUI 24 3 4 Building Novell AppArmor Profiles Using the Command Line Interface 47 3 5 Two Methods of Profiling 51 3 6 Pathnames and Globbing 69 3 7 File Permission Access Modes 71 4 Managing Profiled Applications 77 4 1 Monitoring Your Secured Applications 77 4 2 Setting Up Event Notification 78 4 3 Reports 81 4 4 Reacting to Security Events 102 4 5 Main...

Page 4: ...parmor 113 6 Support 117 6 1 Updating Novell AppArmor Online 117 6 2 Using the Man Pages 117 6 3 For More Information 119 6 4 Troubleshooting 120 6 5 Reporting Bugs for AppArmor 121 A Background Information on AppArmor Profiling 123 Glossary 125 ...

Page 5: ...p and user authentication A tool suite for developing and enhancing AppArmor profiles so that you can change the existing profiles to suit your needs and create new profiles for your own local and custom applications Several specially modified applications that are AppArmor enabled to provide en hanced security in the form of unique subprocess confinement including Apache The Novell AppArmor loada...

Page 6: ...rms and their definitions NOTE Novell AppArmor ships with any SUSE Linux based Novell operating system Text references to SUSE Linux apply to SUSE Linux OSS the SUSE Linux retail product and the SUSE Linux Enterprise product family 1 Feedback We want to hear your comments and suggestions about this manual and the other doc umentation included with this product Please use the User Comments feature ...

Page 7: ...meters user users or groups Alt Alt F1 a key to press or a key combination keys are shown in uppercase as on a keyboard File File Save As menu items buttons Dancing Penguins Chapter Penguins Reference This is a reference to a chapter in another book About This Guide vii ...

Page 8: ......

Page 9: ...ing programs Proceed to Chapter 3 Building Novell AppArmor Profiles page 19 if you are ready to build and manage Novell AppArmor profiles Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read write and execute This ensures that each program does what it is supposed to do and nothing else Novell AppArmor is host intrusion ...

Page 10: ...mation for Novell AppArmor To get a more in depth overview of AppArmor and the overall concept behind it refer to Appendix A Background Information on AppArmor Profiling page 123 10 Novell AppArmor 2 0 Administration Guide ...

Page 11: ...that the person using the program does not have so they grant the privilege to the user when used cron jobs Programs that are run periodically by cron Such programs read input from a variety of sources and can run with special privileges sometimes with as much as root privilege For example cron can run usr bin updatedb daily to keep the locate database up to date with sufficient privilege to read ...

Page 12: ...cript s profile can read and write 2 2 Inspect Open Ports to Immunize Programs An automated method for finding network server daemons that should be profiled is to use the aa unconfined tool You can also simply view a report of this information in the YaST GUI refer to Section Application Audit Report page 87 for instructions The aa unconfined tool uses the command netstat nlp to inspect your open...

Page 13: ...erface Finding user network client applications is dependent on your user preferences The aa unconfined tool detects and reports network ports opened by client applications but only those client applications that are running at the time the aa unconfined analysis is performed This is a problem because network services tend to be running all the time while network client applications tend only to b...

Page 14: ...cron daily etc cron hourly etc cron monthly etc cron weekly For root s cron jobs edit the tasks with crontab e and list root s cron tasks with crontab l You must be root for these to work Once you find these programs you can use the Add Profile Wizard to create profiles for them Refer to Section 3 3 1 Adding a Profile Using the Wizard page 26 2 2 2 Immunizing Web Applications To find Web applicati...

Page 15: ...of CGI scripts For instance adding the line srv www cgi bin pl py pyc rix allows Apache to execute all files in srv www cgi bin ending in pl Perl scripts and py or pyc Python scripts As above the ix part of the rule causes Python scripts to inherit the Apache profile which is appropriate if you do not want to write individual profiles for each Python script NOTE If you want the subprocess confinem...

Page 16: ... has been defined the Novell AppArmor version of Apache applies the DEFAULT_URI hat This subprofile is basically sufficient to display an HTML Web page The DEFAULT_URI hat that Novell AppArmor provides by default is the follow ing usr sbin suexec2 ixr var log apache2 rwl home public_html r srv www htdocs r srv www icons gif jpg png r usr share apache2 r To use a single Novell AppArmor profile for ...

Page 17: ...rk ports manually from outside the machine using a scanner such as nmap or from inside the machine using the netstat inet n p command Then inspect the machine to determine which programs are answering on the discovered open ports TIP Refer to the man page of the netstat command for a detailed reference of all possible options Selecting Programs to Immunize 17 ...

Page 18: ......

Page 19: ...AppArmor Profile into Its Parts Novell AppArmor profile components are called Novell AppArmor rules Currently there are two main types of Novell AppArmor rules path entries and capability entries Path entries specify what the process can access in the file system and capability entries provide a more fine grained control over what a confined process is allowed to do through other system calls that...

Page 20: ...e comments like this with the sign This loads a file containing variable definitions The absolute path to the program that is confined The curly braces serve as a container for include statements of other profiles as well as for path and capability entries This directive pulls in components of Novell AppArmor profiles to simplify pro files Capability entry statements enable each of the 29 POSIX 1e...

Page 21: ...ese restrictions are in addition to the native Linux access controls Example To gain the capability CAP_CHOWN the program must have both access to CAP_CHOWN under conventional Linux access controls typically be a root owned process and have the capability chown in its profile Similarly to be able to write to the file foo bar the program must have both the correct user ID and mode bits set in the f...

Page 22: ...irements and system accounting Files listed in these abstractions are specific to the named task Programs that require one of these files usually require some of the other files listed in the abstraction file depending on the local configuration as well as the specific requirements of the program Find abstractions in etc apparmor d abstractions Program Chunks The program chunks directory etc appar...

Page 23: ... 3 3 Building Novell AppArmor Profiles with the YaST GUI page 24 3 2 2 Using YaST ncurses YaST ncurses can be used for building and managing Novell AppArmor profiles and is better suited for users with limited bandwidth connections to the server Access YaST ncurses by typing yast while logged in to a terminal window or console as root YaST ncurses has the same features as the YaST GUI Refer to the...

Page 24: ...of the profiles instead of just logging information For more information about this tool refer to Section aa enforce Entering Enforce Mode page 56 aa unconfined Performs a server audit to find processes that are running and listening for network connections then reports whether they are profiled aa autodep Generates a profile skeleton for a program and loads it into the Novell AppArmor module in c...

Page 25: ... without the help of the wizard For detailed steps refer to Section 3 3 2 Manually Adding a Profile page 33 Edit Profile Edits an existing Novell AppArmor profile on your system For detailed steps refer to Section 3 3 3 Editing a Profile page 37 Delete Profile Deletes an existing Novell AppArmor profile from your system For detailed steps refer to Section 3 3 4 Deleting a Profile page 39 Update Pr...

Page 26: ...pdate Profiles from Learning Mode Log File For more information about these tools refer to Section 3 5 3 Summary of Profiling Tools page 54 1 Stop the application before profiling it to ensure that the application start up is included in the profile To do this make sure that the application or daemon is not running For example enter etc init d PROGRAM stop in a terminal window while logged in as r...

Page 27: ...nformation about learning mode refer to Section aa complain Entering Complain or Learning Mode page 55 5 Run the application to profile 6 Perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access to function properly Be sure to include restarting and stopping the program in the exercised functions AppArmor needs...

Page 28: ...ain transition has not been defined see Figure 3 2 Learning Mode Exception Defining Execute Permissions for an Entry page 29 Define execute permissions for an entry Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile The following two figures show an example of each case Subsequent steps describe your o...

Page 29: ...on Defining Execute Permissions for an Entry 8 The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application you are profiling as seen in Figure 3 1 Learning Mode Exception Controlling Access to Specific Resources page 29 or re Building Novell AppArmor Profiles 29 ...

Page 30: ...educe the size of a profile It is good practice to select includes when suggested Globbed Version Accessed by clicking Glob For information about globbing syntax refer to Section 3 6 Pathnames and Globbing page 69 Actual Pathname Literal path that the program needs to access to run properly After you select a directory path process it as an entry into the Novell AppArmor profile by clicking Allow ...

Page 31: ... with the ext extension When you double click it access is granted to all files with the particular extension and sub directories beneath the one shown Edit Edit the highlighted line The new edited line appears at the bottom of the list Abort Abort aa logprof losing all rule changes entered so far and leaving all profiles unmodified Finish Close aa logprof saving all rule changes entered so far an...

Page 32: ...e secure sanitized option Unconfined Execute the program without a security profile When prompted let AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArmor Deny Click Den...

Page 33: ...profile then add en tries 1 To add a profile open YaST Novell AppArmor The Novell AppArmor cate gory opens 2 In Novell AppArmor click Manually Add Profile 3 Browse your system to find the application for which to create a profile 4 When you find the application select it and click Open A basic empty profile appears in the Novell AppArmor Profile Dialog window 5 In the AppArmor Profile Dialog windo...

Page 34: ...ofile From the list select one of the following File In the pop up window specify the absolute path of a file including the type of ac cess permitted When finished click OK You can use globbing if necessary For globbing information refer to Section 3 6 Pathnames and Globbing page 69 For file access permission information refer to Section 3 7 File Permission Access Modes page 71 Directory In the po...

Page 35: ...ess Modes page 71 Capability In the pop up window select the appropriate capabilities These are statements that enable each of the 32 POSIX 1e capabilities Refer to Section 3 1 1 Breaking a Novell AppArmor Profile into Its Parts page 19 for more information about capabilities When finished making your selections click OK Building Novell AppArmor Profiles 35 ...

Page 36: ... of the subprofile hat to add to your current profile and click Create Hat For more information refer to Chapter 5 Profiling Your Web Applications Using ChangeHat Apache page 105 Editing an Entry The Edit Entry option can be found in Section 3 3 2 Manually Adding a Profile page 33 or Section 3 3 3 Editing a Profile page 37 When you select Edit Entry the file browser pop up window opens From here y...

Page 37: ...d in Section 3 3 2 Manually Adding a Profile page 33 or Section 3 3 3 Editing a Profile page 37 When you select an entry then select Delete Entry Novell AppArmor removes the selected profile entry 3 3 3 Editing a Profile Novell AppArmor enables you to manually edit Novell AppArmor profiles by adding editing or deleting entries Simply select the profile then add edit or delete entries To edit a pro...

Page 38: ...4 Click Next The AppArmor Profile Dialog window displays the profile 5 In the AppArmor Profile Dialog window you can add edit or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to 38 Novell AppArmor 2 0 Administration Guide ...

Page 39: ...delete 4 Click Next 5 In the pop up that opens click Yes to delete the profile and reload the AppArmor profile set 3 3 5 Updating Profiles from Log Entries The Novell AppArmor profile wizard uses aa logprof the tool that scans log files and enables you to update profiles aa logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system The...

Page 40: ...ted by the profiled program and the security domain transition has not been defined see Figure 3 4 Learning Mode Exception Defining Execute Permissions for an Entry page 41 Each of these cases results in a question that you must answer to add the resource or program into the profile The following two figures show an example of each case Subsequent steps describe your options in answering these que...

Page 41: ...on Defining Execute Permissions for an Entry 3 aa logprof begins suggesting directory path entries that have been accessed by the application profiled as seen in Figure 3 3 Learning Mode Exception Controlling Access to Specific Resources page 41 or requiring you to define Building Novell AppArmor Profiles 41 ...

Page 42: ...le It is good practice to select includes when suggested Globbed Version Accessed by clicking Glob For information about globbing syntax refer to Section 3 6 Pathnames and Globbing page 69 Actual Pathname This is the literal path to which the program needs access so that it can run properly After you select a directory path process it as an entry into the Novell AppArmor profile by clicking Allow ...

Page 43: ... click it access is granted to all files with the particular extension and subdi rectories beneath the one shown Edit Enable editing of the highlighted line The new edited line appears at the bottom of the list Abort Abort aa logprof losing all rule changes entered so far and leaving all profiles unmodified Finish Close aa logprof saving all rule changes entered so far and modifying all profiles C...

Page 44: ...onfined Execute the program without a security profile When prompted let AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArmor Deny Prevent the program from accessing the...

Page 45: ...isabling Novell AppArmor even if your profiles have been set up removes protection from your system You can determine how and when you are notified when system security events occur NOTE For event notification to work you must set up a mail server on your SUSE Linux server that can send outgoing mail using the single mail transfer protocol SMTP such as postfix or exim To configure event notificati...

Page 46: ...nue as described in Sec tion 4 2 2 Configuring Security Event Notification page 79 Changing Novell AppArmor Status When you change the status of Novell AppArmor set it to enabled or disabled When Novell AppArmor is enabled it is installed running and enforcing the Novell AppArmor security policies 1 Start YaST Novell AppArmor 2 In the Novell AppArmor main menu click AppArmor Control Panel 3 In the...

Page 47: ...d configure your system security 3 4 1 Checking the AppArmor Module Status The AppArmor module can be in any one of three states Unloaded The AppArmor module is not loaded into the kernel Running The AppArmor module is loaded into the kernel and is enforcing Novell AppArmor program policies Stopped The AppArmor module is loaded into the kernel but no policies are enforced Detect the state of the A...

Page 48: ...module if it was running by removing all profiles from kernel memory effectively disabling all access controls putting the module into the stopped state If the AppArmor module was either unloaded or already stopped stop tries to unload the profiles again but nothing happens rcapparmor restart Causes AppArmor module to rescan the profiles in etc apparmor d without unconfining running processes Fres...

Page 49: ... preventing profiles from being loaded You must remove profiles from this di rectory to manage them effectively You can use a text editor such as vim to access and make changes to these profiles The following options contain detailed steps for building profiles Adding or Creating Novell AppArmor Profiles Refer to Section 3 4 3 Adding or Creating a Novell AppArmor Profile page 50 Editing Novell App...

Page 50: ...ently logged in as root enter su in a terminal window 2 Enter the root password when prompted 3 Go to the profile directory with cd etc apparmor d 4 Enter ls to view all profiles currently installed 5 Open the profile to edit in a text editor such as vim 6 Make the necessary changes then save the profile 7 Restart Novell AppArmor by entering rcapparmor restart in a terminal window 3 4 5 Deleting a...

Page 51: ...suitable for profiling small applications that have a finite run time such as user client applications like mail clients For more information refer to Sec tion 3 5 1 Stand Alone Profiling page 52 Systemic Profiling A method suitable for profiling large numbers of programs all at once and for profiling applications that may run for days weeks or continuously across reboots such as network server ap...

Page 52: ...es after rebooting or a large number of programs all at once Build a Novell AppArmor profile for a group of applications as follows 1 Create profiles for the individual programs that make up your application Although this approach is systemic Novell AppArmor only monitors those pro grams with profiles and their children To get Novell AppArmor to consider a program you must at least have aa autodep...

Page 53: ...teps 3 4 This generates optimum profiles An iterative approach captures smaller data sets that can be trained and reloaded into the policy engine Subsequent iterations generate fewer messages and run faster 6 Edit the profiles You might want to review the profiles that have been gen erated You can open and edit the profiles in etc apparmor d using vim 7 Return to enforce mode This is when the syst...

Page 54: ...name of the program which aa autodep finds by searching your shell s path variable or it can be a fully qualified path The program itself can be of any type ELF binary shell script Perl script etc and aa autodep generates an ap proximate profile to improve through the dynamic profiling that follows The resulting approximate profile is written to the etc apparmor d directory using the Novell AppArm...

Page 55: ...tects violations of Novell App Armor profile rules such as the profiled program accessing files not permitted by the profile The violations are permitted but also logged To improve the profile turn complain mode on run the program through a suite of tests to generate log events that characterize the program s access needs then postprocess the log with the Novell AppArmor tools to transform log eve...

Page 56: ...rmitted The default is for enforce mode to be enabled To log the violations only but still permit them use complain mode Enforce toggles with complain mode Manually activating enforce mode using the command line adds a flag to the top of the profile so that bin foo becomes bin foo flags enforce To use enforce mode open a terminal window and enter one of the following lines as root If the example p...

Page 57: ...path to profiles program If you were to create a profile for the the Apache Web server program httpd2 prefork you would do the following as root 1 Enter rcapache2 stop 2 Next enter aa genprof httpd2 prefork Now aa genprof does the following Resolves the full path of httpd2 prefork based on your shell s path variables You can also specify a full path On SUSE Linux the default full path is usr sbin ...

Page 58: ...che2 mod_setenvif so httpd2 prefork 5425 profile usr sbin httpd2 prefork active usr sbin httpd2 prefork Marks the log with a beginning marker of log events to consider For example Sep 13 17 48 52 figwit root GenProf e2ff78636296f16d0b5301209a04430d 3 When prompted by the tool run the application to profile in another terminal window and perform as many of the application functions as possible so l...

Page 59: ...e Subsequent steps describe your options in answering these questions Example 3 1 Learning Mode Exception Controlling Access to Specific Resources Reading log entries from var log audit audit log Updating AppArmor profiles in etc apparmor d Profile usr sbin xinetd Program xinetd Execute usr lib cups daemon cups lpd Severity unknown I nherit P rofile U nconfined D eny Abo r t F inish Dealing with e...

Page 60: ...he unconfined with clean exec Ux option to scrub the environment of environment variables that could modify execution behavior when passed on to the child process This option introduces a security vulnerability that could be used to exploit AppArmor Only use it as a last resort mmap m This permission denotes that the program running under the profile can access the resource using the mmap system c...

Page 61: ...eed to the next step NOTE All of these options are not always presented in the Novell AppArmor menu include This is the section of a Novell AppArmor profile that refers to an include file which procures access permissions for programs By using an include you can give the program access to directory paths or files that are also re quired by other programs Using includes can reduce the size of a pro...

Page 62: ...owing you to specify whatever form of regular expression you want If the expression you enter does not actually satisfy the event that prompted the question in the first place Novell AppArmor asks you for confirmation and lets you reenter the expression Glob Select either a specific path or create a general rule using wild cards that match a broader set of pathnames To select any of the offered pa...

Page 63: ...gram behavior and enters it in the log aa logprof uses this information to observe program behavior If a confined program forks and executes another program aa logprof sees this and asks the user which execution mode should be used when launching the child process The execution modes ix px Px ux and Ux are options for starting the child process If a separate profile exists for the child process th...

Page 64: ...numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list By default aa logprof looks for profiles in etc apparmor d and scans the log in var log messages In many cases running aa logprof as root is enough to create the profile However there might be times when you need to search archived log files such as if the program exercise period exceeds the log...

Page 65: ...Permission Access Modes page 71 Deny Prevents the program from accessing the specified directory path entries Novell AppArmor then moves on to the next event New Prompts you to enter your own rule for this event allowing you to specify whatever form of regular expression you want If the expression you enter does not actually satisfy the event that prompted the question in the first place Novell Ap...

Page 66: ...es FTP files from srv ftp by default This is because httpd2 prefork uses chroot and for the portion of the code inside the chroot jail Novell AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path The second item of interest is that you might want to grant FTP read access to all JPEG files in the directory so you could use Glob w Ext and use the suggest...

Page 67: ...ttempts to execute the child fail with permission denied This is most useful if the parent program is invoking a global service such as DNS lookups or sending mail via your system s MTA Choose the profile with clean exec Px option to scrub the environment of environ ment variables that could modify execution behavior when passed on to the child process unconfined ux The child runs completely uncon...

Page 68: ... containers You do not want to automatically run rpm when reading mail messages that leads di rectly to a Microsoft Outlook style virus attack because rpm has the power to install and modify system programs and so in this case the best choice is to use Inherit This results in the less program executed from this context running under the profile for usr bin mail This has two consequences You need t...

Page 69: ...ares that to the set of profiles loaded on your system and reports network services that do not have Novell AppArmor profiles It requires root privilege and that it not be confined by a Novell AppArmor profile aa unconfined must be run as root to retrieve the process executable link from the proc file system This program is susceptible to the following race conditions An unlinked executable is mis...

Page 70: ...tes for any single character except Substitutes for the single character a b or c abc Example a rule that matches home 01 plan allows a program to access plan files for users in both home0 and home1 Substitutes for the single character a b or c a c Expand to one rule to match ab and one rule to match cd ab cd Example a rule that matches usr www pages to grant access to Web pages in both usr pages ...

Page 71: ... resource Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace 2 ptrace 2 is used by utilities such as strace 1 ltrace 1 and gdb 1 Write Mode w Allows the program to have write access to the resource Files must have this per mission if they are to be unlinked removed Discrete Profile Execute Mode ...

Page 72: ...ful when a confined program needs to be able to perform a privi leged operation such as rebooting the machine By placing the privileged section in another executable and granting unconstrained execution rights it is possible to bypass the mandatory constraints imposed on all confined processes For more in formation about what is constrained see the apparmor 7 man page WARNING Using Unconstrained E...

Page 73: ...ined pro gram without gaining the permissions of the target s profile or losing the permissions of the current profile There is no version to scrub the environment because ix executions do not change privileges Incompatible with Ux ux Px and px Implies m Allow Executable Mapping m This mode allows a file to be mapped into memory using mmap 2 s PROT_EXEC flag This flag marks the pages executable It...

Page 74: ...nce applications or processes relying on any of these variables do not work anymore if the profile applied to them carries Ux or Px flags GCONV_PATH GETCONF_DIR HOSTALIASES LD_AUDIT LD_DEBUG LD_DEBUG_OUTPUT LD_DYNAMIC_WEAK LD_LIBRARY_PATH LD_ORIGIN_PATH LD_PRELOAD LD_PROFILE LD_SHOW_AUXV LD_USE_LOAD_BIAS LOCALDOMAIN LOCPATH MALLOC_TRACE NLSPATH RESOLV_HOST_CONF 74 Novell AppArmor 2 0 Administratio...

Page 75: ... RES_OPTIONS TMPDIR TZDIR Building Novell AppArmor Profiles 75 ...

Page 76: ......

Page 77: ...essages when applications execute in unexpected ways or outside of their specified profile These messages can be monitored by event notification periodic report generation or integration into a third party reporting mechanism For reporting and alerting AppArmor uses a userspace daemon usr sbin aa eventd This daemon monitors log traffic sends out notifications and runs scheduled reports It does not...

Page 78: ... has had 29 security events since Mon May 22 16 32 38 2006 Summary Notification Summary notification displays the logged Novell AppArmor security events and lists the number of individual occurrences including the date of the last occurrence For example AppArmor PERMITTING access to capability setgid httpd2 prefork 6347 profile usr sbin httpd2 prefork active usr sbin httpd2 prefork 2 times the lat...

Page 79: ...security incident The severity db file defines the severity level of potential security events The severity levels are determined by the importance of different security events such as certain resources accessed or services denied 4 2 2 Configuring Security Event Notification Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs Whe...

Page 80: ...l addresses of those who should receive notification in the field provided If notification is enabled you must enter an e mail address Separate multiple e mail ad dresses with commas b For each notification type enabled select the frequency of notification Select a notification frequency from the following options Disabled 1 minute 5 minutes 10 minutes 15 minutes 30 minutes 80 Novell AppArmor 2 0 ...

Page 81: ...els 3 Click OK 4 Click Done in the Novell AppArmor Configuration window 5 Click File Quit in the YaST Control Center 4 3 Reports Novell AppArmor s reporting feature adds flexibility by enhancing the way users can view security event data The reporting tool performs the following Creates on demand reports Exports reports Schedules periodic reports for archiving E mails periodic reports Filters repo...

Page 82: ...AppArmor. Application servers are applications that accept incoming network connections. For more details, refer to Section Application Audit Report (page 87). Security Incident Report: A report that displays application security for a single host. It reports policy violations for locally confined applications during a specific time period. You can edit and customize this report or add new versions. For m...

Page 83: ...ected report type. If you select a security incident report, it can be further filtered in various ways. For Run Now instructions, proceed to Section 4.3.2, Run Now: Running On-Demand Reports (page 93). Add: Creates a scheduled security incident report. For Add instructions, proceed to Section 4.3.3, Adding New Reports (page 95). Edit: Edits a scheduled security incident report. Delete: Deletes a scheduled security...

Page 84: ...n of a cumulation of reports from one or more systems, including the ability to filter by date or names of programs accessed, and display them all together in one report. 1. From the AppArmor Security Event Report window, select View Archive. 2. Select the report type to view. Toggle between the different types: SIR (Security Incident Report), App Aud (Application Audit), and ESS (Executive Security Summary). ...

Page 85: ...rt file listed in the Report field, then select View. 5. For Application Audit and Executive Security Summary reports, proceed to Step 9 (page 87). 6. The Report Configuration Dialog opens for Security Incident reports. 7. The Report Configuration dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The fields are: Date Range: To display reports for a certa...

Page 86: ...ve are then included in the reports. Detail: A source to which the profile has denied access. This includes capabilities and files. You can use this field to report the resources to which profiles prevent access. Access Type: The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING. Mode: The Mode is the permission that the profile grant...

Page 87: ...ummary report, refer to Section Executive Security Summary (page 91). Application Audit Report: An application audit report is an auditing tool that reports which application servers are running and whether they are confined by AppArmor. Application servers are applications that accept incoming network connections. This report provides the host machine's IP address, the date the application audit report ...

Page 88: ... executing process. Profile: The absolute name of the security profile that is applied to the process. PID: A number that uniquely identifies one specific process or running program; this number is valid only during the lifetime of that process. State: This field reveals whether the program listed in the program field is confined. If it is not confined, you might consider creating a profile for it. ...

Page 89: ... events are defined as follows: Policy Exceptions: When an application requests a resource that is not defined within its profile, a security event is triggered. A report is generated that displays security events of interest to an administrator. The SIR reports policy violations for locally confined applications during the specified time period. The SIR reports policy exceptions and policy engine sta...

Page 90: ...ty profile that is applied to the process. PID: A number that uniquely identifies one specific process or running program; this number is valid only during the lifetime of that process. Severity: Severity levels of events are reported from the severity database. The severity database defines the importance of potential security events and numbers them 1 through 10, 10 being the most severe security incid...

Page 91: ...security event. The options are PERMITTING, REJECTING, or AUDITING. Executive Security Summary: A combined report consisting of one or more high-level reports from one or more machines. This report can provide a single view of security events on multiple machines if each machine's data is copied to the report archive directory, which is /var/log/apparmor/reports-archived. This report provides the host mac...

Page 92: ...The last date in a range of dates during which security events are reported. Num Rejects: In the date range given, the total number of security events that are rejected access attempts. Num Events: In the date range given, the total number of security events. Ave Sev: This is the average of the severity levels reported in the date range given. Unknown severities are disregarded in this figure. ...

Page 93: ...g to the main report screen, see Section 4.3, Reports (page 81). Perform the following steps to run a report from the list of reports: 1. Select the report to run instantly from the list of reports in the Schedule Reports window. 2. Select Run Now or Next. The next screen depends on which report you selected in the previous step. For Application Audit and Executive Security Summary reports, proceed to Step 6...

Page 94: ...ile. You can use this to see what is confined by a specific profile. PID Number: A number that uniquely identifies one specific process or running program; this number is valid only during the lifetime of that process. Severity: Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports. Detail: A source to which the prof...

Page 95: ...t report, refer to Section Application Audit Report (page 87). For the security incident report, refer to Section Security Incident Report (page 89). For the executive summary report, refer to Section Executive Security Summary (page 91). 4.3.3 Adding New Reports: Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your prese...

Page 96: ...the following filtering information as necessary. Report Name: Specify the name of the report. Use names that easily distinguish different reports. Day of Month: Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed. Day of Week: Select the day of the week on which to schedule weekly reports, if desired. If you select ALL, weekly filtering ...

Page 97: ...es you to export a CSV (comma separated values) or HTML file. The CSV file separates pieces of data in the log entries with commas, using a standard data format for importing into table-oriented applications. Enter a path for your exported report by typing in the full path in the field provided. Location to Store Log: Enables you to change the location that the exported report is stored. The default locat...

Page 98: ...ld to create a report of resources to which profiles prevent access. Severity: Select the lowest severity level of security events to include in the report. The selected severity level and above are included in the reports. Access Type: The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING. Mode: The mode is the permission that the p...

Page 99: ...ssary. Day of Month: Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed. Day of Week: Select the day of the week on which to schedule the weekly reports. If you select All, weekly filtering is not performed. If monthly reporting is selected, this defaults to All. Hour and Minute: Select the time. This specifies the hour and minute that yo...

Page 100: ...h in the field provided. Location to Store Log: Enables you to change the location where the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system. 4. Click Next to proceed to the next Edit Scheduled SIR page. The second page of Edit Scheduled Reports opens. 5. Modify the fields with the fol...

Page 101: ...verity level and above are included in the reports. Access Type: The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING. Mode: The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute). 6. Select Save to save the changes to this report. ...

Page 102: ...nning aa-logprof at the command line or the Update Profile Wizard in Novell AppArmor allows you to iterate through all reject messages. By selecting the one that matches the specific reject, you can automatically update your profile. If the rejection is not part of normal application behavior, this access should be considered a possible intrusion attempt that was prevented, and this notification shou...

Page 103: ...cy files are regularly backed up is to include the directory /etc/apparmor.d in the list of directories that your backup system archives. 2. You can also use scp or a file manager like Konqueror or Nautilus to store the files on some kind of storage media, the network, or another computer. 4.5.2 Changing Your Security Profiles: Maintenance of security profiles includes changing them if you decide that yo...

Page 104: ... root. For detailed instructions, refer to Section aa-genprof: Generating Profiles (page 57). If you intend to deploy a patch or upgrade directly into a production environment, the best method for updating your profiles is one of the following: Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed using aa-logprof. For detailed instructions, ref...

Page 105: ...o define security at a finer level than the process. This feature requires that each application be made ChangeHat aware, meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution. A profile can have an arbitrary number of subprofiles, but there are only two levels: a subprofile cannot have further sub-subp...

Page 106: ...e following line to your Apache configuration file: LoadModule change_hat_module modules/mod_change_hat.so 5.1.1 Tools for Managing ChangeHat Aware Applications: As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat: YaST or the command line interface. Manage ChangeHat aware applications much more flexibly at the command line, but the process is also more complicated. ...

Page 107: ... container that encompasses all the processing on the server that occurs when the phpsysinfo-dev URI is passed to the Apache Web server. The URI runs the application phpsysinfo (refer to http://phpsysinfo.sourceforge.net for more information). The phpsysinfo-dev package is assumed to be installed in /srv/www/htdocs/phpsysinfo-dev in a clean new install of Novell AppArmor. 1. Once phpsysinfo-dev is installe...

Page 108: ...ta in your browser, refresh the page. To do this, click the browser Refresh button to make sure that Apache processes the request for the phpsysinfo-dev URI. 6. Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step. It begins to prompt you with profile questions. 7. aa-logprof first prompts with Add Reque...

Page 109: ...ript executed. You can specify that the program should run confined by the phpsysinfo-dev hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined, without any security profile (choose Unconfined). For the case of the Profile option, a new profile is created for the program if one does not already exist. NOTE: Security Considerations: Selecting Unconfined can cr...

Page 110: ...mpt you to generate new hats and add entries to your profile and its hats. The process of adding entries to profiles is covered in detail in Section 3.3.1, Adding a Profile Using the Wizard (page 26). When all profiling questions are answered, click Finish to save your changes and exit the wizard. The following is an example phpsysinfo-dev hat: ...

Page 111: ...ly valid in the context of a process running under the parent profile httpd2-prefork. 5.1.2 Adding Hats and Entries to Hats: When you use the Edit Profile dialog (for instructions, refer to Section 3.3.3, Editing a Profile (page 37)) or when you add a new profile using Manually Add Novell AppArmor Profile (for instructions, refer to Section 3.3.2, Manually Adding a Profile (page 33)), you are given the option o...

Page 112: ...pens. 2. Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat. 3. Click Create Hat. You are returned to the AppArmor Profile Dialog screen. 4. After adding the new hat, click Done. ...

Page 113: ...r that refer to a nonexistent file in an existing directory are accepted or rejected. For Apache documentation on virtual host directives, refer to http://httpd.apache.org/docs/2.0/mod/core.html#virtualhost. The ChangeHat-specific configuration keyword is AADefaultHatName. It is used similarly to AAHatName, for example: AADefaultHatName My_Funky_Default_Hat. The configuration option is actually based on a...

Page 114: ...AAHatName MY_HAT_NAME </Location> This tries to use MY_HAT_NAME for any URI beginning with /foo (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.). The directory directive works similarly to the location directive, except it refers to a path in the file system, as in the following example: <Directory "/srv/www/www.immunix.com/docs"> # Note lack of trailing slash AAHatName immunix.com </Directory> Example: The program phpsy...

Page 115: ... /var/run/utmp r, 3. Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root. 4. Restart Apache by entering rcapache2 restart at a terminal window as root. 5. Enter http://hostname/sysinfo into a browser to receive the system information that phpsysinfo delivers. 6. Locate configuration errors by going to /var/log/audit/audit.log or running dmesg and looking for any rejecti...


Page 117: ...or Novell AppArmor, following the instructions in this chapter. 6.1 Updating Novell AppArmor Online: Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux-based products. Retrieve and apply them exactly like for any other package that ships as part of a SUSE Linux-based product. 6.2 Using the Man Pages: There are man pages available for your use. In a termin...

Page 118: ...level concepts (7), Administrator commands (8). The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are: unconfined(8), autodep(1), complain(1), enforce(1), genprof(1), logprof(1), change_hat(2), logprof.conf(5). ...

Page 119: ...ell.com (mailto:apparmor-general@forge.novell.com): This is a mailing list for end users of AppArmor. It is a good place for questions about how to use AppArmor to protect your applications. apparmor-dev@forge.novell.com (mailto:apparmor-dev@forge.novell.com): This is a developer mailing list for AppArmor developers and community members. This list is for questions about development of core AppArmor featur...

Page 120: ... service without AppArmor protection, remove the application's profile from /etc/apparmor.d or move it to another location. Issues with Apache: Apache is not starting properly, or it is not serving Web pages, and you just installed a new module or made a configuration change. When you install additional Apache modules like apache2-mod_apparmor or make configuration changes to Apache, you should profile A...

Page 121: ...led. 6.5 Reporting Bugs for AppArmor: The developers of AppArmor and SUSE Linux are eager to deliver products of the highest quality. Your feedback and your bug reports help us keep the quality high. Whenever you encounter a bug in AppArmor, file a bug report against this product. 1. Use your Web browser to go to https://bugzilla.novell.com/index.cgi. 2. Enter the account data of your Novell account and clic...

Page 122: ... and proceed to the Enter Bug page. 6. Select the product against which to file the bug. In your case, this would be your product's release. Click Submit. 7. Select the product version, component (AppArmor in this case), hardware platform, and severity. 8. Enter a brief headline describing your problem and add a more elaborate description, including log files. You may create attachments to your bug report for s...

Page 123: ...ew Orleans, LA. This paper is now out of date, describing syntax and features that are different from the current Novell AppArmor product. This paper should be used only for scientific background and not for technical documentation. Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack, by Crispin Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega. A good guide to strategic and t...


Page 125: ...active defense from attacks. This is better because there is no window of vulnerability where the attack signature must be defined for Novell AppArmor, as there is for products using attack signatures to secure their networks. GUI: Graphical user interface. Refers to a software front end meant to provide an attractive and easy-to-use interface between a computer user and application. Its elements includ...

Page 126: ...e. URI: Universal resource identifier. The generic term for all types of names and addresses that refer to objects on the World Wide Web. A URL is one kind of URI. URL: Uniform Resource Locator. The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the res...
