Novell LINUX ENTERPRISE DESKTOP 11, Manual, Page: 257 / 450

Share

Page: 257 / 450

Novell LINUX ENTERPRISE DESKTOP 11 Manual Download Page 257

21.2.5 Change rules

AppArmor provides

change_hat

and

change_profile

rules that control domain

transitioning.

change_hat

are specified by defining hats in a profile, while

change_profile

rules refer to another profile and start with the keyword

change_profile

:

change_profile /usr/bin/foobar,

Both

change_hat

and

change_profile

provide for an application directed profile

transition, without having to launch a separate application.

change_profile

provides

a generic one way transition between any of the loaded profiles.

change_hat

provides

for a returnable parent child transition where an application can switch from the parent
profile to the hat profile and if it provides the correct secret key return to the parent
profile at a later time.

change_profile

is best used in situations where an application goes through a

trusted setup phase and then can lower its privilege level. Any resources mapped or
opened during the start-up phase may still be accessible after the profile change, but
the new profile will restrict the opening of new resources, and will even limit some of
the resources opened before the switch. Specifically memory resources will still be
available while capability and file resources (as long as they are not memory mapped)
can be limited.

change_hat

is best used in situations where an applications runs a virtual machine

or an interpreter that does not provide direct access to the applications resources (e.g.
Apache's

mod_php

). Since

change_hat

stores the return secret key in the applica-

tion's memory the phase of reduced privilege should not have direct access to memory.
It is also important that file access is properly separated, since the hat can restrict ac-
cesses to a file handle but does not close it. If an application does buffering and provides
access to the open files with buffering, the accesses to these files may not be seen by
the kernel and hence not restricted by the new profile.

WARNING: Safety of Domain Transitions

The

change_hat

and

change_profile

domain transitions are less secure

than a domain transition done through an exec because they do not affect a
processes memory mappings, nor do they close resources that have already
been opened.

Profile Components and Syntax

243

«
...
255
256
257
258
259
...
»

Summary of Contents for LINUX ENTERPRISE DESKTOP 11

Page 1: ...SUSE Linux Enterprise Server www novell com 11 March 17 2009 Security Guide...

Page 2: ...at this manual specifically for the printed format is reproduced and or distributed for noncommercial use only The express authorization of Novell Inc must be obtained prior to any other use of any ma...

Page 3: ...AM Configuration File 18 2 2 The PAM Configuration of sshd 20 2 3 Configuration of PAM Modules 22 2 4 Configuring PAM Using pam config 24 2 5 For More Information 26 3 Using NIS 27 3 1 Configuring NIS...

Page 4: ...y 82 6 2 How Kerberos Works 83 6 3 Users View of Kerberos 86 6 4 Installing and Administering Kerberos 87 6 5 For More Information 108 7 Using the Fingerprint Reader 109 7 1 Supported Applications and...

Page 5: ...ing Certificates 152 13 Intrusion Detection with AIDE 153 13 1 Setting Up a AIDE Database 153 13 2 Local AIDE Checks 156 13 3 System Independent Checking 157 13 4 For More Information 158 Part III Net...

Page 6: ...d Information on AppArmor Profiling 218 19 Getting Started 219 19 1 Installing Novell AppArmor 220 19 2 Enabling and Disabling Novell AppArmor 220 19 3 Choosing the Applications to Profile 221 19 4 Bu...

Page 7: ...om Log Entries 281 23 6 Managing Novell AppArmor and Security Event Status 283 24 Building Profiles from the Command Line 287 24 1 Checking the AppArmor Module Status 287 24 2 Building AppArmor Profil...

Page 8: ...387 30 5 Understanding the Audit Logs and Generating Reports 391 30 6 Querying the Audit Daemon Logs with ausearch 403 30 7 Analyzing Processes with autrace 407 30 8 Visualizing Audit Data 408 31 Set...

Page 9: ...32 7 Managing Audit Event Records Using Keys 433 33 Useful Resources 435...

Page 10: ......

Page 11: ...mentation resources This includes additional documentation that is available on the system as well as documen tation available on the Internet For an overview of the documentation available for your p...

Page 12: ...Administration Guide Provides information about how to manage storage devices on a SUSE Linux En terprise Server In addition to the comprehensive manuals several quick start guides are available Inst...

Page 13: ...se use the User Comments feature at the bottom of each page of the online documentation and enter your comments there 3 Documentation Conventions The following typographical conventions are used in th...

Page 14: ...ph is only relevant for the specified architectures The arrows mark the beginning and the end of the text block Dancing Penguins Chapter Penguins Another Manual This is a reference to a chapter in ano...

Page 15: ...nteed Data security was already an important issue even before computers could be linked through networks Just like today the most im portant concern was the ability to keep data available in spite of...

Page 16: ...ioning known bits and pieces to win the confidence of that person by using clever rhetoric The victim could be led to reveal gradually more information maybe without even becoming aware of it Among ha...

Page 17: ...ns or the identity of another This is a general rule to be observed but it is especially true for the user root who holds the supreme power on the system root can take on the identity of any other loc...

Page 18: ...the following safe password TNotRbUE9 In contrast passwords like beerbud dy or jasmine76 are easily guessed even by someone who has only some casual knowledge about you 1 1 3 The Boot Procedure Confi...

Page 19: ...issions such as world writable directories or for files the setuser ID bit programs with the setuser ID bit set do not run with the permissions of the user that has launched it but with the permission...

Page 20: ...been given to a local account Many of the bugs that have been reported can also be exploited over a network link Accordingly buffer overflows and format string bugs should be classified as being relev...

Page 21: ...f UNIX operating systems can make use of this feature in an impressive way With X it is basically no problem to log in at a remote host and start a graphical program that is then sent over the network...

Page 22: ...e found in Chapter 14 SSH Secure Network Op erations page 161 WARNING If you do not consider the host where you log in to be a secure host do not use X forwarding With X forwarding enabled an attacker...

Page 23: ...r who puts himself between the communicating hosts is called a man in the middle attack What almost all types of man in the middle attacks have in common is that the victim is usually not aware that t...

Page 24: ...e of the trust relationships among hosts to disguise itself as one of the trusted hosts Usually the attacker analyzes some packets received from the server to get the necessary information The attacke...

Page 25: ...o discuss any security issues of interest Subscribe to it on the same Web page bugtraq securityfocus com is one of the best known security mailing lists worldwide Reading this list which receives betw...

Page 26: ...t An excellent program for this job is nmap which not only checks out the ports of your machine but also draws some conclusions as to which services are waiting behind them However port scanning may b...

Page 27: ...is is not exactly a trivial task In the end only you can know which entries are unusual and which are not Use tcp_wrapper to restrict access to the individual services running on your machine so you h...

Page 28: ...problem and the version number of the package concerned SUSE will try to send a reply as soon as possible You are encouraged to pgp encrypt your e mail messages SUSE s pgp key is ID 3D25D3D9 1999 03...

Page 29: ...Part I Authentication...

Page 30: ......

Page 31: ...prone One way to avoid these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules Whenever a newly required authentication...

Page 32: ...a PAM configuration file contains a maximum of four columns Type of module Control flag Module path Options PAM modules are processed as stacks Different types of modules have different pur poses for...

Page 33: ...o further modules are processed In case of success other modules are subsequently processed just like any modules with the required flag The requisite flag can be used as a basic filter checking for t...

Page 34: ...include common account password include common password session required pam_loginuid so session include common session Enable the following line to get resmgr support for ssh sessions see usr share...

Page 35: ...n has succeeded Given that all modules of the stack have the required control flag they must all be processed successfully before sshd receives a message about the positive result If one of the module...

Page 36: ...5 Default Configuration for the session Section session required pam_limits so session required pam_unix2 so session optional pam_umask so As the final step the modules of the session type bundled in...

Page 37: ...ple 2 6 pam_env conf REMOTEHOST DEFAULT localhost OVERRIDE PAM_RHOST DISPLAY DEFAULT REMOTEHOST 0 0 OVERRIDE DISPLAY The first line sets the value of the REMOTEHOST variable to localhost which is used...

Page 38: ...nfig The pam config tool helps you configure the global PAM configuration files under etc pam d common pc as well as several selected application configurations For a list of supported modules use the...

Page 39: ...e options for the queried PAM module 5 Remove the debug options Finally remove the debug option from your setup when you are entirely satisfied with the performance of it The pam config delete ldap de...

Page 40: ...lain text The Linux PAM Module Writers Manual This document summarizes the topic from the developer s point of view with in formation about how to write standard compliant PAM modules It is available...

Page 41: ...etc group across networks NIS can also be used for other purposes making the contents of files like etc hosts or etc services available for example but this is beyond the scope of this introduction P...

Page 42: ...If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers select Install and Set Up NIS Master Server YaST installs the required packages...

Page 43: ...users can also change their names and address settings with the command ypchfn SHELL allows users to change their default shell with the command ypchsh for example to switch from bash to sh The new s...

Page 44: ...ck OK to confirm your settings and return to the previous screen Figure 3 3 Changing the Directory and Synchronizing Files for a NIS Server 4 If you previously enabled Active Slave NIS Server Exists e...

Page 45: ...ton Specify from which networks requests can be sent to the NIS server Normally this is your internal network In this case there should be the following two entries 255 0 0 0 127 0 0 0 0 0 0 0 0 0 0 0...

Page 46: ...ed as follows 1 Start YaST Network Services NIS Server 2 Select Install and Set Up NIS Slave Server and click Next TIP If NIS server software is already installed on your machine initiate the creation...

Page 47: ...T module NIS Client to configure a workstation to use NIS Select whether the host has a static IP address or receives one issued by DHCP DHCP can also provide the NIS domain and the NIS server For inf...

Page 48: ...g By checking Broken Server the client is enabled to receive replies from a server communicating through an unprivileged port For further information see man ypbind After you have made your settings c...

Page 49: ...rver keeps the data in a directory and distributes it to all clients using a certain protocol The data is structured in a way that allows a wide range of applications to access it That way it is not n...

Page 50: ...x system administrator traditionally uses the NIS service for name resolution and data distribution in a network The configuration data contained in the files in etc and the directories group hosts ma...

Page 51: ...n LDAP directory tree and provides the basic terminology used in an LDAP context Skip this introductory section if you already have some LDAP background knowledge and just want to learn how to set up...

Page 52: ...The object class deter mines what attributes the concerned object must or can be assigned The Schema therefore must contain definitions of all object classes and attributes used in the desired applica...

Page 53: ...2 DESC RFC2256 organizational unit this object belongs to 3 SUP name 4 objectclass 2 5 6 5 NAME organizationalUnit 5 DESC RFC2256 an organizational unit 6 SUP top STRUCTURAL 7 MUST ou 8 MAY userPasswo...

Page 54: ...ject class is not subordinate to another object class Line 7 starting with MUST lists all attribute types that must be used in conjunction with an object of the type organizationalUnit Line 8 starting...

Page 55: ...Figure 4 2 YaST LDAP Server Configuration LDAP A Directory Service 41...

Page 56: ...d as follows 1 Log in as root 2 Start YaST and select Network Services LDAP Server to invoke the configura tion wizard 3 Configure the Global Settings of your LDAP server you can change these settings...

Page 57: ...4 page 45 5 Confirm Basic Database Settings with entering an LDAP Administrator Password and then clicking Next see Figure 4 2 YaST LDAP Server Configuration page 41 6 Check the LDAP Server Configurat...

Page 58: ...nd When Credentials Not Empty Normally the LDAP server denies any authentication attempts with empty credentials DN or password Enabling this option however makes it pos sible to connect with a passwo...

Page 59: ...not been created during installation go for Launch CA Management Module first for more information see Sec tion 17 2 YaST Modules for CA Management page 202 Add Schema files to be included in the serv...

Page 60: ...the left part of the dialog 2 Click Add Database to add the new database 3 Enter the requested data Base DN Enter the base DN of your LDAP server Administrator DN Enter the DN of the administrator in...

Page 61: ...i ronment is sensitive to security issues because the Locked Account error message provides security sensitive information that can be exploited by a potential attacker 4d Enter the DN of the default...

Page 62: ...you opt for Only Accept Checked Passwords only those pass words that pass the quality tests are accepted as valid 4 Configure the password aging policies 4a Determine the minimum password age the time...

Page 63: ...n the dymanic configuration of OpenLDAP see the OpenLDAP Administration Guide 4 4 Configuring an LDAP Client with YaST YaST includes a module to set up LDAP based user management If you did not enable...

Page 64: ...trol Center in the installed system Figure 4 6 YaST LDAP Client Configuration To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP proceed as follow...

Page 65: ...f the LDAP server still uses LDAPv2 explicitly enable the use of this protocol version by selecting LDAP Version 2 6 Select Start Automounter to mount remote directories on your client such as a remot...

Page 66: ...base DN enter these different naming contexts in User Map Password Map and Group Map 1b Specify the password change protocol The standard method to use whenever a password is changed is crypt meaning...

Page 67: ...Directories on This Machine 2e Use the Password Policy section to select add delete or modify the password policy settings to use The configuration of password policies with YaST is part of the LDAP...

Page 68: ...tion Figure 4 8 YaST Module Configuration page 54 allows the creation of new modules selection and modification of existing configuration modules and design and modification of templates for such modu...

Page 69: ...ressing Edit and entering the new value Rename a module by simply changing the cn attribute of the module Clicking Delete deletes the currently selected module 5 After you click OK the new module is a...

Page 70: ...ault values for an attribute can be created from other attributes by using a variable instead of an absolute value For example when creating a new user cn sn givenName is created automatically from th...

Page 71: ...a Specify username login and password in the User Data tab 3b Check the Details tab for the group membership login shell and home di rectory of the new user If necessary change the default to values t...

Page 72: ...m of user administration offers LDAP Options This gives the pos sibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups b...

Page 73: ...to read and write the data stored on the server Alternatively choose Anonymous Access and do not provide the password to gain read access to the directory The LDAP Tree tab displays the content of the...

Page 74: ...fi guration anymore YaST uses OpenLDAP s dynamic configuration database back config to store the LDAP server s configuration For details about the dy namic configuration backend please see the slapd c...

Page 75: ...tration Guide can be used to have the server started and stopped automatically on boot and halt of the system It is also possible to create the corresponding links to the start and stop scripts with t...

Page 76: ...example The organizational unit development devel dn ou devel dc example dc com objectClass organizationalUnit ou devel The organizational unit documentation doc dn ou doc dc example dc com objectCla...

Page 77: ...bjectClass inetOrgPerson cn Tux Linux givenName Tux sn Linux mail tux example com uid tux telephoneNumber 49 1234 567 8 An LDIF file can contain an arbitrary number of objects It is possible to pass e...

Page 78: ...g with the syntax in the order presented below dn cn Tux Linux ou devel dc example dc com changetype modify replace telephoneNumber telephoneNumber 49 1234 567 10 Find detailed information about ldapm...

Page 79: ...Linux ou devel dc example dc com 4 9 For More Information More complex subjects like SASL configuration or establishment of a replicating LDAP server that distributes the workload among multiple slav...

Page 80: ...html Understanding LDAP A detailed general introduction to the basic principles of LDAP http www redbooks ibm com redbooks pdfs sg244986 pdf Printed literature about LDAP LDAP System Administration by...

Page 81: ...ndows environ ment 5 1 Integrating Linux and AD Environments With a Linux client configured as an Active Directory client that is joined to an existing Active Directory domain benefit from various fea...

Page 82: ...ssages and accept your input You can even use the Linux passwd command to set Windows passwords Single Sign On through Kerberized Applications Many applications of both desktops are Kerberos enabled k...

Page 83: ...pam_mkhomedir pam_unix2 To communicate with the directory service the client needs to share at least two proto cols with the server LDAP LDAP is a protocol optimized for managing directory information...

Page 84: ...for AD users is done by the pam_winbind module The creation of user homes for the AD users on the Linux client is handled by pam _mkhomedir The pam_winbind module directly interacts with winbindd To...

Page 85: ...the handling of AD domain login Users can choose to log in to the primary domain the machine has joined or to one of the trusted domains with which the domain controller of the primary domain has esta...

Page 86: ...ux Enterprise Server machine is not in that list a message appears that this user cannot log in from this workstation Invalid logon hours When a user is only allowed to log in during working hours and...

Page 87: ...chine extensive caching was integrated into the winbind daemon The winbind daemon enforces password policies even in the offline state It tracks the number of failed login attempts and reacts accordin...

Page 88: ...e details about using active directory for time synchronization see Joining an AD Domain page 75 DHCP If your client uses dynamic network configuration with DHCP configure DHCP to provide the same IP...

Page 89: ...ot and start YaST 2 Start Network Services Windows Domain Membership 3 Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen see Figure 5 2 Determining Windows Domain...

Page 90: ...ve a network connection 7 Select Expert Settings if you want to change the UID and GID ranges for the Samba users and groups Let DHCP retrieve the WINS server only if you need it This is the case when...

Page 91: ...irectory and you have a valid Windows user identity you can log in to your machine using the AD credentials Login is supported for both desktop environments GNOME and KDE the console SSH and any other...

Page 92: ...login of each AD authenticated user This allows you to benefit from the AD support of SUSE Linux Enterprise Server while still having a completely capable Linux machine at your disposal 5 4 2 Console...

Page 93: ...c cessfully satisfied Feedback about the password status is given both through the display managers and the console GDM and KDM provide feedback about password expiration and prompt for new passwords...

Page 94: ...nd confirm the new password 6 Leave the dialog with Close to apply your settings To change your Windows password from the KDE desktop proceed as follows 1 Select Personal Settings from the main menu 2...

Page 95: ...ity for each desired service and make sure that no one can take the identity of someone else Make sure that each network server also proves its identity Otherwise an attacker might be able to imperson...

Page 96: ...e client s name the workstation s IP address and the current workstation s time all encrypted with the session key only known to the client and the server from which it is re questing a service An aut...

Page 97: ...client s identity Kerberos keeps a database of all its users and their private keys To ensure Kerberos is worth all the trust put in it run both the authentication and ticket granting server on a dedi...

Page 98: ...e ticket used to obtain other tickets does not expire your workstation can prove your identity 6 2 2 Requesting a Service To request a service from any server in the network the client application nee...

Page 99: ...r s authenticity and they both start cooperating 6 2 4 Ticket Granting Contacting All Servers Tickets are designed to be used for one server at a time This implies that you have to get a new ticket ea...

Page 100: ...5 Because SUSE Linux Enterprise Server uses the MIT implementation of Kerberos 5 find useful infor mation and guidance in the MIT documentation See Section 6 5 For More Information page 108 6 3 Users...

Page 101: ...justed to the new situation Simply copying tickets between workstations is not sufficient because the ticket contains workstation specific information the IP address XDM GDM and KDM offer Kerberos sup...

Page 102: ...9 Enabling PAM Support for Kerberos page 103 To configure SSH or LDAP with Kerberos authentication proceed as outlined in Section 6 4 10 Configuring SSH for Kerberos Authentication page 104 and Sectio...

Page 103: ...e routing between the two subnets 192 168 1 0 24 and 192 168 2 0 24 Refer to Section Configuring Routing Chapter 18 Basic Networking Administration Guide for more information on configuring routing wi...

Page 104: ...g Up the KDC Hardware The first thing required to use Kerberos is a machine that acts as the key distribution center or KDC for short This machine holds the entire Kerberos user database with password...

Page 105: ...o its tickets A server receiving a ticket with a time stamp that differs from the current time rejects the ticket Kerberos allows a certain leeway when comparing time stamps However computer clocks ca...

Page 106: ...b kerberos krb5kdc kdc conf must be adjusted for your scenario These files contain all information on the KDC 3 Create the Kerberos Database Kerberos keeps a database of all principal identifiers and...

Page 107: ...dom page When you make tape backups of the Kerberos database var lib kerberos krb5kdc principal do not back up the stash file which is in var lib kerberos krb5kdc k5 EXAMPLE COM Otherwise everyone abl...

Page 108: ...e basically completely different accounts with similar names Starting the KDC Start the KDC daemon and the kadmin daemon To start the daemons manually enter rckrb5kdc start and rckadmind start Also ma...

Page 109: ...issues OpenSSH support time synchronization and extended PAM configurations 4 To configure a static Kerberos client proceed as follows 4a Set Default Domain Default Realm and KDC Server Address to the...

Page 110: ...authenticate with the SSH server Exclude a range of user accounts from using Kerberos authentication by providing a value for the Minimum UID that a user of this feature must have For instance you may...

Page 111: ...C services using DNS records With static configuration add the hostnames of your KDC server to krb5 conf and update the file whenever you move the KDC or reconfigure your realm in other ways DNS based...

Page 112: ...the default realm for Kerberos applications If you have several realms just add additional statements to the realms section Also add a statement to this file that tells applications how to map hostnam...

Page 113: ...rt of load balancing among servers of equal priority You probably do not need any of this so it is okay to set these to zero MIT Kerberos currently looks up the following names when looking for servic...

Page 114: ...ration server which principals are allowed to do what Do this by editing the file var lib kerberos krb5kdc kadm5 acl The ACL access control list file allows you to specify privileges with a fine degre...

Page 115: ...bc mode with CRC 32 no salt Attributes Policy none kadmin modify_principal maxlife 8 hours newbie Principal newbie EXAMPLE COM modified kadmin getprinc joe Principal newbie EXAMPLE COM Expiration date...

Page 116: ...ors are Service Service Descriptor Telnet RSH SSH host NFSv4 with Kerberos support nfs HTTP with Kerberos authentication HTTP IMAP imap POP3 pop LDAP ldap Service principals are similar to user princi...

Page 117: ...le etc krb5 keytab This file is owned by the superuser so you must be root to execute the next command in the kadmin shell kadmin ktadd host jupiter example com Entry for principal host jupiter exampl...

Page 118: ...y anymore but relies on GSSAPI the General Security Services API This is a programming interface that is not specific to Kerberos it was designed to hide the peculiarities of the underlying authentica...

Page 119: ...ntation is cyrus sasl which supports a number of different authen tication flavors Kerberos authentication is performed through GSSAPI General Secu rity Services API By default the SASL plug in for GS...

Page 120: ...p example com EXAMPLE COM Then on the shell run chown ldap ldap etc openldap ldap keytab chmod 600 etc openldap ldap keytab To tell OpenLDAP to use a different keytab file change the following variabl...

Page 121: ...of their LDAP user record Assuming you have a schema where the LDAP entry of user joe is located at uid joe ou people dc example dc com set up the following access controls in etc openldap slapd conf...

Page 122: ...tory structure or a schema in which the username is not part of the DN you can even use search expressions to map the SASL DN to the user DN 6 5 For More Information The official site of the MIT Kerbe...

Page 123: ...rint wiki Supported_devices If the hardware check detects the fingerprint reader integrated with your laptop or connected to your system the packages libfprint pam_fp and yast2 fingerprint reader are...

Page 124: ...PAM is configured accordingly Usually this is done automatically during installation of the packages when the hardware check detects a supported fingerprint reader If not manually enable the fingerpri...

Page 125: ...ot entry and register a fingerprint for root as described above 7 After you have registered fingerprints for the desired users click Finish to close the administration dialog and to save the changes A...

Page 126: ......

Page 127: ...Part II Local Security...

Page 128: ......

Page 129: ...y Overview displays a comprehensive list of the most important security settings for your system The security status of each entry in the list is clearly visible A green check mark indicates a secure...

Page 130: ...affect all the settings available in the Local Security module Each configuration can be modified to your needs using the dialogs available from the right pane Choose between the following sets Home W...

Page 131: ...be used Check New Passwords By activating this option a warning will be issued if new passwords appear in a dictionary or if they are proper names proper nouns Test for Complicated Passwords When thi...

Page 132: ...ecify how Ctrl Alt Del will be interpreted 8 5 Login Settings This dialog lets you configure security related login settings Delay after Incorrect Login Attempt In order to make it difficult to guess...

Page 133: ...or standalone machines This settings allows regular users for example to read most system files See the file etc permissions easy for the complete configuration The Secure file permissions are designe...

Page 134: ...e trojan horse current directory ls is executed when entering ls In order to start a program in the current directory the command must be prefixed with When activating these options the current direct...

Page 135: ...no or needs authentication Unlike classical privilege authorization programs such as sudo PolicyKit does not grant root permissions to an entire process following the least privilege concept 9 1 Avai...

Page 136: ...er PolicyKit gives depends on the policy defined for this process It can be yes no or authentication needed By default a policy contains implicit privileges which automatically apply to all users It i...

Page 137: ...only once 9 2 2 Explicit Privileges Explicit privileges can be granted to specific users They can either be granted without limitations or when using constraints limited to an active session and or a...

Page 138: ...pressing Alt F2 and entering polkit gnome authorization TIP Using the Authorizations tool in non GNOME environments Authorizations is a GNOME tool and therefore not installed when the GNOME desktop en...

Page 139: ...ers or Block users In both cases choose a user and a Constraint Users with a UID of less than 1000 are only shown when Show System Users is checked To delete an authorization choose it from the list a...

Page 140: ...for a given action to the defaults However polkit action always operates on the upstream defaults so it is not possible to list or restore the defaults shipped with SUSE Linux Enterprise Server Refer...

Page 141: ...e run the command polkit action The following values are valid for the session parameters yes grant privilege no block auth_self user needs to authenticate with own password every time the privilege i...

Page 142: ...tended Regular Expressions are allowed as attribute values user USER Specify one or more login names Separate multiple names by the symbol action policy Specify a policy by it s unique identifier To g...

Page 143: ...te file A statement granting the user tux the privilege to update packages via PackageKit without having to authorize Withdraw privileges for all PolicyKit related policies from the users tux and wilb...

Page 144: ...owever set_polkit_default_privs will only reset policies that are set to the upstream defaults To reset all policies to the upstream defaults first and then apply the SUSE Linux Enterprise Server defa...

Page 145: ...hapter follows these two standards as well They can be viewed at http wt xpilot org publications posix 1e 10 1 Traditional File Permissions Find detailed information about the traditional file permiss...

Page 146: ...the group to which the direc tory belongs Consider the following example directory drwxrws 2 tux archive 48 Nov 19 17 12 backup You can see the s that denotes that the setgid bit is set for the group...

Page 147: ...realized without implementing complex permission models on the application level The advantages of ACLs are evident if you want to replace a Windows server with a Linux server Some of the connected wo...

Page 148: ...h named group entry defines the permissions of the group specified in the entry s qualifier field Only the named user and named group entries have a qualifier field that is not empty The other entry d...

Page 149: ...CL ACL Entries Compared to Permission Bits page 136 and Figure 10 2 Extended ACL ACL Entries Compared to Permission Bits page 136 illustrate the two cases of a minimum ACL and an extended ACL The figu...

Page 150: ...d to the mask entry This is shown in Figure 10 2 Extended ACL ACL Entries Compared to Permission Bits page 136 Figure 10 2 Extended ACL ACL Entries Compared to Permission Bits This mapping approach en...

Page 151: ...This gives information like file mydir owner tux group project3 user rwx group r x other The first three output lines display the name owner and owning group of the directory The next three lines cont...

Page 152: ...that there is an ex tended ACL for this item According to the output of the ls command the permissions for the mask entry include write access Traditionally such permission bits would mean that the ow...

Page 153: ...ault ACL affects both subdirectories and files Effects of a Default ACL There are two ways in which the permissions of a directory s default ACL are passed to the files and subdirectories A subdirecto...

Page 154: ...s rwx mask rwx other default user rwx default group r x default group mascots r x default mask r x default other getfacl returns both the access ACL and the default ACL The default ACL is formed by al...

Page 155: ...wn to its subordinate objects is also the same 3 Use touch to create a file in the mydir directory for example touch mydir myfile ls l mydir myfile then shows rw r tux project3 mydir myfile The output...

Page 156: ...s randomly selected from the suitable entries with the required permissions It is irrelevant which of the entries triggers the final result access granted Likewise if none of the suitable group entrie...

Page 157: ...there are currently no backup applica tions that preserve ACLs 10 6 For More Information Detailed information about ACLs is available at http acl bestbits at Also see the man pages for getfacl 1 acl 5...

Page 158: ......

Page 159: ...encryption Encrypting a Hard Disk Partition You can create an encrypted partition with YaST during installation or in an already installed system Refer to Section 11 1 1 Creating an Encrypted Partiti...

Page 160: ...system from being compromised After the encrypted medium is successfully mounted everybody with appropriate permissions has access to it However encrypted media are useful in case of loss or theft of...

Page 161: ...the Encrypt file system check box 6 If the encrypted file system should only be mounted when necessary enable Do Not Mount at System Start up in the Fstab Options 7 Click OK You will be prompted for...

Page 162: ...of the procedure is the same as described in Section 11 1 1 Creating an En crypted Partition during Installation page 147 11 1 3 Creating an Encrypted File as a Container Instead of using a partition...

Page 163: ...file system other than FAT change the ownership explicitly for users other than root to enable these users to read or write files on the device 11 2 Using Encrypted Home Directories To protect data in...

Page 164: ...because these may contain temporary images of critical data You can encrypt swap tmp and var tmp with the YaST partitioner as de scribed in Section 11 1 1 Creating an Encrypted Partition during Insta...

Page 165: ...oment Other applications that use certificates as well are not covered but may be in the future If you have such an application you can continue to use its private separate configuration 12 1 Activati...

Page 166: ...ficate into the certificate store do the following 1 Start Firefox 2 Open the dialog from Edit Preferences Change to Advanced Encryption and click on View Certificates 3 Import your certificate depend...

Page 167: ...lay changes in configuration files and you will have to do some filtering to detect important changes An additional problem to the method with rpm is that an intelligent attacker will modify rpm itsel...

Page 168: ...he respective checking options are used in the files section Important options include the following Table 13 1 Important AIDE Checking Options Description Option Check for the file permissions of the...

Page 169: ...similar to the selection with but defines which files not to use A configuration that checks for all files in sbin with the options defined in Binlib but omits the directory sbin conf d would look lik...

Page 170: ...ne with the command mv var lib aide aide db new var lib aide aide db After any configuration change you always have to reinitialize the AIDE database and subsequently move the newly generated database...

Page 171: ...IDE binary from a trusted source This excludes the risk that some attacker also modified the aide binary to hide his traces To accomplish this task aide must be run from a rescue system that is indepe...

Page 172: ...g architecture rpm Replace ftp_server version_string and architecture with the values used on your system 4 Restart the server that should go through an AIDE check with the Rescue system from your DVD...

Page 173: ...Part III Network Security...

Page 174: ......

Page 175: ...unprotected communication channels like the traditional FTP protocol and some remote copying programs The SSH suite provides the necessary protection by encrypting the authentication strings usually...

Page 176: ...e program output is displayed on the local terminal of the host jupiter ssh otherplanet uptime mkdir tmp Password 1 21pm up 2 17 9 users load average 0 15 0 04 0 02 Quotation marks are necessary here...

Page 177: ...running in the background listening for connections on TCP IP port 22 The daemon generates three key pairs when starting for the first time Each key pair consists of a private and a public key Therefo...

Page 178: ...t the session key using its private keys This initial connection phase can be watched closely by turning on the verbose debugging option v of the SSH client The client stores all public host keys in s...

Page 179: ...it to ssh authorized_keys You will be asked to authenticate yourself with your passphrase the next time you establish a connection If this does not occur verify the location and contents of these fil...

Page 180: ...with this method cannot be intercepted by unautho rized individuals By adding the option A the ssh agent authentication mechanism is carried over to the next machine This way you can work from differ...

Page 181: ...Multiple ports are allowed To add a new port click Add enter the port number and click OK To delete port select it in the table click Delete and confirm 2 On the General tab select the features the ss...

Page 182: ...pecifies whether pure RSA authentication is allowed This option applies to SSH protocol version 1 only Public Key Authentication specifies whether public key authentication is allowed This option appl...

Page 183: ...5 1 Packet Filtering with iptables The components netfilter and iptables are responsible for the filtering and manipulation of network packets as well as for network address translation NAT The filter...

Page 184: ...tself POSTROUTING This chain is applied to all outgoing packets Figure 15 1 iptables A Packet s Possible Paths page 171 illustrates the paths along which a network packet may travel on a given system...

Page 185: ...ssible Paths Routing Routing in the local system Processes outgoing packet incoming packet filter nat mangle POSTROUTING PREROUTING nat mangle FORWARD mangle filter INPUT mangle filter OUTPUT nat mang...

Page 186: ...oadcast address and the netmask are the same for all local hosts Failing to do so prevents packets from being routed properly As mentioned whenever one of the LAN hosts sends a packet destined for an...

Page 187: ...re intended to compromise a CGI program on your Web server the packet filter would still let them through A more effective but more complex mechanism is the combination of several types of systems suc...

Page 188: ...tarized Zone DMZ While hosts located in this zone can be reached both from the external and the in ternal network they cannot access the internal network themselves This setup can be used to put an ad...

Page 189: ...ed directly from the tree structure on the left side Start Up Set the start up behavior in this dialog In a default installation SuSEfirewall2 is started automatically You can also start and stop the...

Page 190: ...each other and so generate many packets that are not accepted IPsec Support Configure whether the IPsec service should be available to the external network in this dialog Configure which packets are t...

Page 191: ...to to use the in terface that corresponds to the default route FW_DEV_INT firewall masquerading The device linked to the internal private network such as eth0 Leave this blank if there is no internal...

Page 192: ...lable to the outside The services that use UDP include include DNS servers IPsec TFTP DHCP and others In that case enter the UDP ports to use FW_SERVICES_ACCEPT_EXT firewall List services to allow fro...

Page 193: ...net for example from an external host to see whether the connection is actually denied After that review var log messages where you should see something like this Mar 15 13 21 38 linux kernel SFW2 INe...

Page 194: ......

Page 195: ...PN and some relevant terminology 16 1 1 Scenarios with VPN There are many packages and even more combinations that enable the setting up and building of a VPN connection This chapter focuses on OpenVP...

Page 196: ...ows file shares across the VPN without setting up a Samba or WINS server Bridged VPN is also needed if you want to use non IP protocols such as IPX or applications relying on network broadcasts Howeve...

Page 197: ...Figure 16 2 Scenario 2 Figure 16 3 Scenario 3 Configuring VPN Server 183...

Page 198: ...el A tunnel can use a so called tun or tap device They are virtual network kernel drivers which implement the transmission of ethernet frames or ip frames packets tun device A tun device simulates a p...

Page 199: ...to your needs but make sure you select adresses which are not used to minimize problems with IP address or subnet conflicts WARNING Use It Only For Testing This scenario is only useful for testing and...

Page 200: ...e that will later become your VPN client 2 Create the file etc openvpn server conf with the following content remote IP_OF_SERVER dev tun ifconfig 10 23 8 2 10 23 8 1 secret secret key Replace the pla...

Page 201: ...for the server and each client and a master certificate authority CA The general overview of this process involves these steps which are explained in the following subsections 1 Build your public key...

Page 202: ...n easy ca 3 Edit the default values in the file vars Change the variables KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG and KEY_EMAIL 4 Initialize the PKI source vars clean all build ca 5 Enter the respec...

Page 203: ...allowed to connect to the VPN server Make sure you use a different name other than client and an appropriate Common Name because this parameter has to be unique for each client After this procedure t...

Page 204: ...proto udp dev tun0 Security ca ssl ca crt cert ssl server crt key ssl server key dh ssl dh1024 pem server 10 8 0 0 255 255 255 0 ifconfig pool persist var run openvpn ipp txt Privleges user nobody gro...

Page 205: ...a good idea to run the OpenVPN daemon with reduced privileges For this reason the group and user nobody is used Several other configurations see comment in the original configuration from usr share d...

Page 206: ...ings as on the server Replace the placeholder IP_OR_HOSTNAME with the respective hostname or IP address of your VPN server After the hostname the port of the server is given You can have multiple line...

Page 207: ...installed the package NetworkManager openvpn kde4 and have resolved all dependencies 2 Right click on a widget of your panel and select Panel Options Add Wid gets 3 Select Networks 4 Right click on t...

Page 208: ...have finished this step you are reverted back to the Network Settings dialog 9 Finish with Ok 10 Enable the connection with your Network manager applet 16 4 2 GNOME To setup a OpenVPN connection in G...

Page 209: ...ou have selected Password with Certificates TLS Username The password for the user only available when you have selected Password with Certificates TLS Password etc openvpn ssl client1 crt User Certif...

Page 210: ......

Page 211: ...modules for certification which offer basic management functions for digital X 509 certificates The following sections explain the basics of digital certi fication and how to use YaST to create and a...

Page 212: ...l of certificates An infras tructure of this kind is generally referred to as a public key infrastructure or PKI One familiar PKI is the OpenPGP standard in which users publish their certificates them...

Page 213: ...to be able to evaluate an extension if it is identified as critical If an application does not recognize a critical extension it must reject the certificate Some extensions are only useful for a spec...

Page 214: ...d using a certificate revocation list CRL These lists are supplied by the CA to public CRL distribution points CDPs at regular intervals The CDP can optionally be named as an extension in the certific...

Page 215: ...age 35 Chapter 28 The Apache HTTP Server Administration Guide contains information about the HTTP server 17 1 5 Proprietary PKI YaST contains modules for the basic management of X 509 certificates Thi...

Page 216: ...eating a Root CA The first step when setting up a PKI is to create a root CA Do the following 1 Start YaST and go to Security and Users CA Management 2 Click Create Root CA 3 Enter the basic data for...

Page 217: ...using the CA when creating a sub CA or generating certificates The text fields have the following meaning Key Length Key Length contains a meaningful default and does not generally need to be changed...

Page 218: ...2 Changing Password If you need to change your password for your CA proceed as follows 1 Start YaST and open the CA module 2 Select the required root CA and click Enter CA 3 Enter the password if you...

Page 219: ...ormation in the tab Description see Figure 17 2 Figure 17 2 YaST CA Module Using a CA 4 Click Advanced and select Create SubCA This opens the same dialog as for creating a root CA 5 Proceed as describ...

Page 220: ...d for e mail signature the e mail address of the sender the private key owner should be contained in the certificate to enable the e mail program to assign the correct certifi cate For certificate ass...

Page 221: ...nwanted certificates do the following 1 Start YaST and open the CA module 2 Select the required root CA and click Enter CA 3 Enter the password if entering a CA the first time YaST displays the CA key...

Page 222: ...icate These settings have been given rational defaults for every certificate type and do not normally need to be changed However it may be that you have special requirements for these extensions In th...

Page 223: ...int Already existing CAs and certificates remain unchanged 17 2 6 Creating CRLs If compromised or otherwise unwanted certificates should be excluded from further use they must first be revoked The pro...

Page 224: ...s you must publish this CRL NOTE Applications that evaluate CRLs reject every certificate if CRL is not available or expired As a PKI provider it is your duty always to create and publish a new CRL be...

Page 225: ...eparate tree with the attribute caCertificate Exporting a Certificate to LDAP Enter the CA containing the certificate to export then select Certificates Select the required certificate from the certif...

Page 226: ...or selecting the required output format and entering the password and filename The certificate is stored at the required location after clicking OK For CRLs click Export select Export to file choose t...

Page 227: ...in the file system This op tion can also be used to import certificates from a transport medium such as a USB stick To import a common server certificate do the following 1 Start YaST and open Common...

Page 228: ......

Page 229: ...Part IV Confining Privileges with Novell AppArmor...

Page 230: ......

Page 231: ...secures applications by enforcing good application behavior without relying on attack signatures so it can prevent attacks even if they are exploiting previously unknown vulnerabilities Novell AppArm...

Page 232: ...be used only for scientific background and not for technical documentation Defcon Capture the Flag Defending Vulnerable Code from Intense Attack by Crispin Cowan Seth Arnold Steve Beattie Chris Wright...

Page 233: ...19 4 Building and Modifying Profiles page 222 Check the results and adjust the profiles when necessary 3 Keep track of what is happening on your system by running AppArmor reports and dealing with sec...

Page 234: ...any fresh installation of SUSE Linux Enterprise Server There are two ways of toggling the status of AppArmor Using YaST System Services Runlevel Disable or enable AppArmor by removing or adding its bo...

Page 235: ...abling it Toggle the status of AppArmor in a running system by using the AppArmor Control Panel These changes take effect as soon as you apply them and survive a reboot of the system To toggle AppArmo...

Page 236: ...he the right applications to profile refer to Section 20 2 Determining Programs to Immunize page 230 19 4 Building and Modifying Profiles Novell AppArmor on SUSE Linux Enterprise Server ships with a p...

Page 237: ...lobbing 4 Depending on the complexity of your application it might be necessary to repeat Step 2 page 223 and Step 3 page 223 Confine the application exercise it under the confined conditions and proc...

Page 238: ...ofiles with YaST page 265 and Chapter 24 Building Profiles from the Command Line page 287 19 5 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor s...

Page 239: ...eed as follows 1 Start YaST Select Novell AppArmor AppArmor Reports 2 Select the type of report to examine or configure from Executive Security Sum mary Applications Audit and Security Incident Report...

Page 240: ...efinition can also be addressed using the Update Profile Wizard To update your profile set proceed as follows 1 Start YaST and choose Novell AppArmor Update Profile Wizard 2 Adjust access or execute r...

Page 241: ...ll AppArmor is referred to as immunizing Administrators only need to care about the applications that are vulnerable to attacks and generate profiles for these Hardening a system thus comes down to bu...

Page 242: ...rvers largely do not permit users to log in but instead provide a variety of network services for users such as Web mail file and print servers Novell AppArmor controls the access given to network ser...

Page 243: ...riggered during the application s execution After the profile has been generated it is loaded and put into enforce mode Refer to Section aa genprof Generating Profiles page 297 for detailed informatio...

Page 244: ...he viola tions only but still permit them use complain mode Enforce toggles with complain mode 20 2 Determining Programs to Immunize Now that you have familiarized yourself with AppArmor start selecti...

Page 245: ...cp program to copy a file Because cp does not have its own profile it inherits the profile of the parent shell script so can copy any files that the parent shell script s profile can read and write 2...

Page 246: ...not confined NOTE If you create a new profile you must restart the program that has been profiled to have it be effectively confined by AppArmor Below is a sample aa unconfined output 2325 sbin portm...

Page 247: ...confine desktop applications the aa unconfined command supports a paranoid option which reports all processes running and the corresponding App Armor profiles that might or might not be associated wi...

Page 248: ...es that there be a dedicated profile for my_hit_counter pl If my_hit_counter pl does not have a dedicated profile associated with it the rule should say srv www cgi bin my_hit_counter pl rix to cause...

Page 249: ...e Chapter 27 Managing Profiled Applications page 329 For mod_perl and mod_php scripts this is the name of the Perl script or the PHP page requested For example adding this subprofile allows the localt...

Page 250: ...de profiles for as many of those programs as possible If you provide profiles for all programs with open network ports an attacker cannot get to the file system on your machine without passing through...

Page 251: ...ed range of activities changes AppArmor offers intuitive tools to handle profile updates or modifications You are ready to build Novell AppArmor profiles after you select the programs to profile To do...

Page 252: ...ion s resource limits For help determining the programs to profile refer to Section 20 2 Determining Pro grams to Immunize page 230 To start building AppArmor profiles with YaST proceed to Chapter 23...

Page 253: ...obar r foo s hat bar bar15 lib ld so mr usr bin bar px var spool rwl This loads a file containing variable definitions The normalized path to the program that is confined The curly braces serve as a c...

Page 254: ...er to Section 21 7 7 Owner Conditional Rules page 251 for more information 12 This entry defines a transition to the local profile usr bin foobar Find a comprehensive overview of the available execute...

Page 255: ...children profiles embedded inside of a parent profile used to provide tighter or alternate confine ment for a subtask of an application 21 2 1 Standard Profiles The default AppArmor profile is attach...

Page 256: ...Local profiles provide a convenient way to provide specialized confinement for utility programs launched by a confined application They are specified just like standard profiles except they are embedd...

Page 257: ...restrict the opening of new resources and will even limit some of the resources opened before the switch Specifically memory resources will still be available while capability and file resources as lo...

Page 258: ...es 21 3 1 Abstractions Abstractions are includes that are grouped by common application tasks These tasks include access to authentication mechanisms access to name service routines common graphics re...

Page 259: ...dress type and family The following illustrates the network access rule syntax network domain type protocol Supported domains inet ax25 ipx appletalk netrom bridge x25 inet6 rose netbeui security key...

Page 260: ...21 6 Paths and Globbing AppArmor explicitly distinguishes directory path names from file path names Use a trailing for any directory path that needs to be explicitly distinguished some random example...

Page 261: ...c abc Example a rule that matches home 01 plan allows a program to access plan files for users in both home0 and home1 Substitutes for the single character a b or c a c Expands to one rule to match ab...

Page 262: ...chrooted applications CHROOT_BASE var lib dev log w CHROOT_BASE var log w NOTE With the current AppArmor tools variables can only be used when manually editing and maintaining a profile 21 6 2 Alias...

Page 263: ...d other interpreted content and determines if an executing process can core dump 21 7 2 Write Mode w Allows the program to have write access to the resource Files must have this permission if they are...

Page 264: ...issions as the link created with the exception that the desti nation does not need link access 21 7 6 Link Pair The link mode grants permission to create links to arbitrary files provided the link has...

Page 265: ...h a deny rule Such a reject will also not show up in the audit logs when denied keeping the log files lean If this is not desired prepend the deny entry with the keyword audit It is also possible to u...

Page 266: ...r domain transition If there is no profile defined the access is denied WARNING Using the Discrete Profile Execute Mode px does not scrub the environment of variables such as LD_PRELOAD As a result th...

Page 267: ...armor 7 man page WARNING Using Unconstrained Execute Mode ux Use ux only in very special cases It enables the designated child processes to be run without any AppArmor protection ux does not scrub the...

Page 268: ...te exploit attempts AppArmor uses this mode to limit which files a well behaved program or all programs on architectures that enforce non executable memory access controls may use as libraries to limi...

Page 269: ...ransitions The px and cx transitions specify a hard dependency if the specified profile does not exist the exec will fail With the inheritance fallback the execution will succeed but inherit the curre...

Page 270: ...LD_AUDIT LD_DEBUG LD_DEBUG_OUTPUT LD_DYNAMIC_WEAK LD_LIBRARY_PATH LD_ORIGIN_PATH LD_PRELOAD LD_PROFILE LD_SHOW_AUXV LD_USE_LOAD_BIAS LOCALDOMAIN LOCPATH MALLOC_TRACE NLSPATH RESOLV_HOST_CONF RES_OPTI...

Page 271: ...profile has the ability to further reduce the applications rlimits AppArmor s rlimit rules will also provide mediation of setting an applications hard limits should it try to raise them The applicatio...

Page 272: ...e with a text editor The tools will still work with profiles containing rlimit rules and will not remove them so it is safe to use the tools to update profiles containing them 21 10 Auditing Rules App...

Page 273: ...pability rule allows to apply capabilities to multiple programs running under a specific profile by using ix transitions For security reasons set capability rules will not be inherited so once a progr...

Page 274: ......

Page 275: ...vell and other AppArmor users as well as uploading your own Find the profile repository at http apparmor opensuse org 22 1 Using the Local Repository The AppArmor tools both YaST and aa genprof and aa...

Page 276: ...f necessary 22 2 1 Setting up Profile Repository Support Once properly configured both the YaST and the command line tools support the use of an external profile repository The initial configuration t...

Page 277: ...to be able to upload your own profiles enabled is set to yes while upload is set to no repository enabled yes upload yes user tux pass XXXXX Once initially configured through the AppArmor tools the c...

Page 278: ...has been changed or that a new one has been created If your system is configured to upload profiles to the repository you are prompted to provide a ChangeLog to document your changes before the change...

Page 279: ...faces have differing appearances they offer the same functionality in similar ways Another alternative is to use AppArmor commands which can control AppArmor from a terminal window or through remote c...

Page 280: ...an application on your system without the help of the wizard For detailed steps refer to Section 23 2 Manually Adding a Profile page 275 Edit Profile Edits an existing Novell AppArmor profile on your...

Page 281: ...profiling tools aa genprof generate profile and aa logprof update profiles from learning mode log file For more information about these tools refer to Section 24 6 3 Summary of Profiling Tools page 29...

Page 282: ...r in the local profile repository see Section 22 1 Using the Local Repository page 261 or in the external profile repository see Section 22 2 Using the External Repository page 262 or whether it does...

Page 283: ...load in a next step In case you want to postpone the decision select Ask Me Later and proceed directly to Step 7 page 269 6b Provide username and password for your account on the profile repository se...

Page 284: ...ecute permissions for an entry Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program to the profile For an ex ample of each...

Page 285: ...ing Mode Exception Controlling Access to Specific Resources Select the option that satisfies the request for access which could be a suggested include a particular globbed version of the path or the a...

Page 286: ...to Section 21 7 File Permission Access Modes page 249 Deny Click Deny to prevent the program from accessing the specified paths Glob Clicking this modifies the directory path using wild cards to incl...

Page 287: ...for an Entry From the following options select the one that satisfies the request for access For detailed information about the options available refer to Section 21 7 File Permission Access Modes pa...

Page 288: ...g all rule changes entered so far and modifying all profiles 11 Repeat the previous steps if you need to execute more functionality of the application When you are done click Finish Choose to apply yo...

Page 289: ...basic empty profile appears in the AppArmor Profile Dialog window 4 In AppArmor Profile Dialog add edit or delete AppArmor profile entries by clicking the corresponding buttons and referring to Sectio...

Page 290: ...rofile to edit 3 Click Next The AppArmor Profile Dialog window displays the profile 4 In the AppArmor Profile Dialog window add edit or delete Novell AppArmor profile entries by clicking the correspon...

Page 291: ...e profile set with rcapparmor reload 23 3 1 Adding an Entry The Add Entry option can be found in Section 23 2 Manually Adding a Profile page 275 or Section 23 3 Editing Profiles page 275 When you sele...

Page 292: ...OK For globbing information refer to Section 21 6 Paths and Globbing page 246 For file access permission information refer to Section 21 7 File Permission Access Modes page 249 Network Rule In the po...

Page 293: ...1e page 245 for more information about capabilities When finished making your selections click OK Include In the pop up window browse to the files to use as includes Includes are directives that pull...

Page 294: ...25 Profiling Your Web Applications Using ChangeHat page 315 23 3 2 Editing an Entry When you select Edit Entry the file browser pop up window opens From here edit the selected entry In the pop up wind...

Page 295: ...rmor Delete Profile 2 Select the profile to delete 3 Click Next 4 In the pop up that opens click Yes to delete the profile and reload the AppArmor profile set 23 5 Updating Profiles from Log Entries T...

Page 296: ...1 Adding a Profile Using the Wizard page 267 1 Start YaST and select Novell AppArmor Update Profile Wizard Running Update Profile Wizard aa logprof parses the learning mode log files This generates a...

Page 297: ...ur NOTE For event notification to work you must set up a mail server on your system that can send outgoing mail using the single mail transfer protocol SMTP such as postfix or exim To configure event...

Page 298: ...art YaST and select Novell AppArmor AppArmor Control Panel 2 Enable AppArmor by checking Enable AppArmor or disable AppArmor by des electing it 3 Click Done in the AppArmor Configuration window 4 Clic...

Page 299: ...AppArmor Control Panel 2 In the Configure Profile Modes section select Configure 3 Select the profile for which to change the mode 4 Select Toggle Mode to set this profile to complain mode or to enfor...

Page 300: ......

Page 301: ...rmation Before starting to manage your profiles using the AppArmor command line tools check out the general introduction to AppArmor given in Chapter 20 Immunizing Programs page 227 and Chapter 21 Pro...

Page 302: ...ts the module in the running state If the module is already running start reports a warning and takes no action rcapparmor stop Stops the AppArmor module if it is running by removing all profiles from...

Page 303: ...e etc apparmor d di rectory as plain text files For a detailed description of the syntax of these files refer to Chapter 21 Profile Components and Syntax page 237 All files in the etc apparmor d direc...

Page 304: ...erminal window 2 Enter the root password when prompted 3 Go to the profile directory with cd etc apparmor d 4 Enter ls to view all profiles currently installed 5 Open the profile to edit in a text edi...

Page 305: ...ng small applications that have a finite run time such as user client applications like mail clients For more information refer to Sec tion 24 6 1 Stand Alone Profiling page 292 Systemic Profiling A m...

Page 306: ...se behavior continues after rebooting or a large number of programs all at once Build an AppArmor profile for a group of applications as follows 1 Create profiles for the individual programs that make...

Page 307: ...ogprof is aa logprof d path to profiles f path to logfile Refer to Section aa logprof Scanning the System Log page 306 for more information about using aa logprof 5 Repeat Step 3 page 293 and Step 4 p...

Page 308: ...confined by AppArmor The minimum aa autodep approximate profile has at least a base include directive which contains basic profile entries needed by most programs For certain types of programs aa aut...

Page 309: ...programs and run the aa autodep for each one If the programs are in your path aa autodep finds them for you If they are not in your path the standard Linux command find might be helpful in finding you...

Page 310: ...tance aa complain usr sbin finds profiles associ ated with all of the programs in usr sbin and puts them into complain mode aa complain etc apparmor d puts all of the profiles in etc apparmor d into c...

Page 311: ...bove commands activates the enforce mode for the profiles and programs listed If you do not enter the program or profile names you are prompted to enter one path to profiles overrides the default loca...

Page 312: ...ling Tools page 294 3 Puts the profile for this program into learning or complain mode so that profile violations are logged but are permitted to proceed A log event looks like this see var log audit...

Page 313: ...re it was marked when aa genprof was started and reloads the profile If system events exist in the log AppArmor parses the learning mode log files This generates a series of questions that you must an...

Page 314: ...herit P rofile U nconfined D eny Abo r t F inish Inherit ix The child inherits the parent s profile running with the same access controls as the parent This mode is useful when a confined program need...

Page 315: ...means that the data mapped in it can be executed You are prompted to include this permission if it is requested during a profiling run Deny Prevents the program from accessing the specified directory...

Page 316: ...u can give the program access to directory paths or files that are also required by other programs Using includes can reduce the size of a profile It is good practice to select includes when suggested...

Page 317: ...h or create a general rule using wild cards that match a broader set of paths To select any of the offered paths enter the number that is printed in front of the path then decide how to proceed with t...

Page 318: ...rofile for usr bin opera V iew Profile U se Profile C reate New Profile Abo r t F inish 2 If you want to just use this profile hit U Use Profile and follow the profile generation procedure outlined ab...

Page 319: ...mine whether you want to use the profile downloaded from the server or whether you would just like to review it Profile usr bin opera 1 novell V iew Profile U se Profile C reate New Profile Abo r t F...

Page 320: ...e exists for the child process the default selection is px If one does not exist the profile defaults to ix Child processes with separate profiles have aa autodep run on them and are loaded into AppAr...

Page 321: ...resents a numbered list of AppArmor rules that can be added by pressing the number of the item on the list By default aa logprof looks for profiles in etc apparmor d and scans the log in var log messa...

Page 322: ...ation about this refer to Section 21 7 File Per mission Access Modes page 249 Deny Prevents the program from accessing the specified directory path entries AppArmor then continues to the next event Ne...

Page 323: ...the tree even though vsftpd on SUSE Linux Enterprise Server serves FTP files from srv ftp by default This is because httpd2 prefork uses chroot and for the portion of the code inside the chroot jail...

Page 324: ...for usr bin mail turns out to be usr bin nail which is not a typographical error The program usr bin less appears to be a simple one for scrolling through text that is more than one screen long and t...

Page 325: ...efault selection is profile If a profile does not exist the default is inherit The inherit option or ix is described in Section 21 7 File Permission Access Modes page 249 The profile option indicates...

Page 326: ...he proc file system This program is susceptible to the following race conditions An unlinked executable is mishandled A process that dies between netstat 8 and further checks is mishandled NOTE This p...

Page 327: ...the root so profiles are easier to manage For example the profile for the program usr sbin ntpd is named usr sbin ntpd etc apparmor d abstractions Location of abstractions etc apparmor d program chunk...

Page 328: ......

Page 329: ...ons are the Apache Web server and Tomcat A profile can have an arbitrary number of subprofiles but there are only two levels a subprofile cannot have further sub subprofiles A subprofile is written as...

Page 330: ...es a mod_apparmor module package apache2 mod apparmor for the Apache program only included in SUSE Linux Enterprise Server This module makes the Apache Web server ChangeHat aware Install it along with...

Page 331: ...ng or otherwise does not represent a significant security risk safely select Use Default Hat to process this URI in the default hat which is the default security profile This example creates a new hat...

Page 332: ...ched data in your browser refresh the page To do this click the browser Refresh button to make sure that Apache processes the re quest for the phpsysinfo URI 6 Click Scan System Log for Entries to Add...

Page 333: ...ofile option a new profile is created for the program if one does not already exist NOTE Security Considerations Selecting Unconfined can create a significant security hole and should be done with cau...

Page 334: ...ase r etc ld so cache r etc lsb release r etc lsb release d r lib ld 2 6 1 so ixr proc r sbin lspci ixr srv www htdocs phpsysinfo r sys bus pci r sys bus scsi devices r sys devices r usr bin cut ixr u...

Page 335: ...files page 275 or when you add a new profile using Manually Add Profile for instructions refer to Section 23 2 Manually Adding a Profile page 275 you are given the option of adding hats subprofiles to...

Page 336: ...n text configuration files The main configuration file is usually httpd conf When you compile Apache you can indicate the location of this file Directives can be placed in any of these configuration f...

Page 337: ...location or directory hat as specified by the AAHatName keyword 2 A hat named by the entire URI path 3 A default server hat as specified by the AADefaultHatName keyword 4 DEFAULT_URI if none of those...

Page 338: ...ownloading the tarball install it into srv www htdocs phpsysinfo 2 Create etc apache2 conf d phpsysinfo conf and add the following text to it Location phpsysinfo AAHatName phpsysinfo Location The foll...

Page 339: ...sb ids r var log apache2 access_log w var run utmp kr 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root 4 Restart Apache by entering rcapache2 restart at a...

Page 340: ......

Page 341: ...r may not installed by default you may need to install it using YaST or zypper Details about how to set up and configure pam_apparmor can be found in usr share doc packages pam_apparmor README after t...

Page 342: ......

Page 343: ...ues 27 1 Monitoring Your Secured Applications Applications that are confined by Novell AppArmor security profiles generate messages when applications execute in unexpected ways or outside of their spe...

Page 344: ...3 for details 27 2 Configuring Security Event Notification Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs Activate it by select...

Page 345: ...ion aa logprof Scanning the System Log page 306 uses to interpret profiles For example type APPARMOR_DENIED msg audit 1189428793 218 2880 operation file_permission requested_mask w denied_mask w fsuid...

Page 346: ...type select the lowest severity level for which a notification should be sent Security events are logged and the notifications are sent at the time indicated by the interval when events are equal to...

Page 347: ...lity by enhancing the way users can view security event data The reporting tool performs the following Creates on demand reports Exports reports Schedules periodic reports for archiving E mails period...

Page 348: ...For more details refer to Section Ap plication Audit Report page 339 Security Incident Report A report that displays application security for a single host It reports policy viola tions for locally c...

Page 349: ...ted report type If you select a secu rity incident report it can be further filtered in various ways For Run Now instructions proceed to Section 27 3 2 Run Now Running On Demand Reports page 344 Add C...

Page 350: ...the location of a collection of reports from one or more systems including the ability to filter by date or names of programs accessed and display them all together in one report 1 From the AppArmor...

Page 351: ...file listed in the Report field then select View 5 For Application Audit and Executive Security Summary reports proceed to Step 9 page 339 6 The Report Configuration Dialog opens for Security Inciden...

Page 352: ...vel and above are then included in the reports Detail A source to which the profile has denied access This includes capabilities and files You can use this field to report the resources to which profi...

Page 353: ...to the following sections for detailed information about each type of report For the application audit report refer to Section Application Audit Report page 339 For the security incident report refer...

Page 354: ...ath of the executing process Profile The absolute name of the security profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number...

Page 355: ...o types of security events are defined as follows Policy Exceptions When an application requests a resource that is not defined within its profile a se curity event is triggered A report is generated...

Page 356: ...the security profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Severit...

Page 357: ...ng of one or more high level reports from one or more ma chines This report can provide a single view of security events on multiple machines if each machine s data is copied to the report archive dir...

Page 358: ...ell AppArmor event logs without waiting for scheduled events If you need help navigating to the main report screen see Section 27 3 Configuring Reports page 333 Perform the following steps to run a re...

Page 359: ...rofile You can use this to see what is confined by a specific profile PID Number A number that uniquely identifies one specific process or running program this number is valid only during the lifetime...

Page 360: ...audit report refer to Section Application Audit Report page 339 For the security incident report refer to Section Security Incident Report page 341 For the executive summary report refer to Section Ex...

Page 361: ...ields with the following filtering information as necessary Report Name Specify the name of the report Use names that easily distinguish different reports Day of Month Select any day of the month to a...

Page 362: ...nt information Export Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format...

Page 363: ...il A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent access Severity Select the lowe...

Page 364: ...chedule Reports window select the report to edit This example assumes that you have selected a security incident report 2 Click Edit to edit the security incident report The first page of the Edit Sch...

Page 365: ...rt Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into...

Page 366: ...Detail A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent access Severity Select the...

Page 367: ...ktop Monitor applet is one example of an application that gathers AppArmor events via dbus To configure audit to use the dbus dispatcher just set the dispatcher in your audit configuration in etc audi...

Page 368: ...Profiles In a production environment you should plan on maintaining profiles for all of the de ployed applications The security policies are an integral part of your deployment You should plan on tak...

Page 369: ...e the profile to fit your needs You have several options that depend on your company s software deployment strategy You can deploy your patches and upgrades into a test or production environment The f...

Page 370: ...For detailed instructions refer to Section aa logprof Scanning the System Log page 306 Run the YaST Update Profile Wizard to learn the new behavior high security risk as all accesses are allowed and...

Page 371: ...ovell AppArmor following the instructions in this chapter 28 1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux Ente...

Page 372: ...mats 5 Games 6 High level concepts 7 Administrator commands 8 The section numbers are used to distinguish man pages from each other For example exit 2 describes the exit system call while exit 3 descr...

Page 373: ...rge novell com mailto apparmor general forge novell com This is a mailing list for end users of AppArmor It is a good place for questions about how to use AppArmor to protect your applications apparmo...

Page 374: ...oo closely restricted by AppArmor update your profile to properly handle your use case of the application Do this with the Update Profile Profile Wizard in YaST as described in Section 23 5 Updating P...

Page 375: ...rk Access Control page 245 might cause application misbehavior or even stop applications from working If you notice a network related application behaving strangely check the log file under var log au...

Page 376: ...the directory but not give access to files or directories under the directory e g proc net dir foo would be matched by the asterisk but as foo is a file or directory under dir it cannot be accessed p...

Page 377: ...cond rule would match nothing in the old profile syntax but matches directories only in the new syntax The last rule matches explicitly matches a file called bar under proc net foo Using the old synta...

Page 378: ...t possible to confine KDE applications to the same extent as any other application due to the way KDE manages its processes If you want to confine KDE applications choose one of the following approach...

Page 379: ...apparmor or make configuration changes to Apache you should profile Apache again to catch any additional rules that need to be added to the profile 28 4 5 Why are the Reports not Sent by E Mail When t...

Page 380: ...aa logprof f path_to_logfile 28 4 8 How to Spot and fix AppArmor Syntax Errors Manually editing Novell AppArmor profiles can introduce syntax errors If you attempt to start or restart AppArmor with s...

Page 381: ...help us keep the quality high Whenever you encounter a bug in AppArmor file a bug report against this product 1 Use your Web browser to go to https bugzilla novell com index cgi 2 Enter the account d...

Page 382: ...been reported yet select New from the top navigation bar and proceed to the Enter Bug page 6 Select the product against which to file the bug In your case this would be your product s release Click S...

Page 383: ...ivity that signals a possible virus or hacker attack Intrusion detection systems might use attack signatures to distinguish between le gitimate and potentially malicious activity By not relying on att...

Page 384: ...ging system available for anyone to use It works on Red Hat Linux SUSE Linux Enterprise Server and other Linux and UNIX systems It is capable of installing uninstalling verifying querying and updating...

Page 385: ...rk that leaves it open to attack Characteristics of computer systems that allow an individual to keep it from correctly operating or that allows unauthorized users to take control of the system Design...

Page 386: ......

Page 387: ...Part V The Linux Audit Framework...

Page 388: ......

Page 389: ...of any IT product they intend to deploy in mission critical setups Common Criteria security evaluations have two sets of evaluation requirements func tional and assurance requirements Functional requi...

Page 390: ...t enables you to do the following Associate Users with Processes Audit maps processes to the user ID that started them This makes it possible for the administrator or security officer to exactly trace...

Page 391: ...e audit logs Prevent Audit Data Loss If the kernel runs out of memory the audit daemon s backlog is exceeded or its rate limit is exceeded audit can trigger a shutdown of the system to keep events fro...

Page 392: ...hile dashed arrows rep resent lines of control between components auditd The audit daemon is responsible for writing the audit messages to disk that were generated through the audit kernel interface a...

Page 393: ...esults For more information about aureport refer to Section 30 5 Understanding the Audit Logs and Generating Reports page 391 ausearch The ausearch utility can search the audit log file for certain ev...

Page 394: ...file determines how the audit system functions once the daemon has been started For most use cases the default settings shipped with SUSE Linux Enterprise Server should suffice For CAPP environments m...

Page 395: ...iterally or by the groups ID NOTE CAPP Environment In a CAPP environment have the audit log reside on its own partition By doing so you can be sure that the space detection of the audit daemon is accu...

Page 396: ...g its start The audit daemon relays the audit messages to the application specified in dispatcher This appli cation must be a highly trusted one because it needs to run as root disp_qos determines whe...

Page 397: ...emaining disk space that triggers a configurable action by the audit daemon The action is specified in space_left_action Possible values for this parameter are ignore syslog email exec suspend single...

Page 398: ...ace_left_action NOTE CAPP Environment Set admin_space_left to a value that would just allow the administra tor s actions to be recorded The action should be set to single disk_full_action Specify whic...

Page 399: ...after which this will happen with tcp_client_max_idle Keep in mind that this setting is valid for all clients and therefore should be higher than any individual client heartbeat setting preferably by...

Page 400: ...tl s or change the status flag with auditctl eflag a status messages including information on each of the above mentioned parameters is output The following example highlights the typical audit status...

Page 401: ...individually from the shell using auditctl or batch read from a file using auditctl R This second method is used by the init scripts to load rules from the file etc audit audit rules after the audit...

Page 402: ...e failure flag to use See Table 30 1 Audit Status Flags page 386 for possible values Specify the maximum number of messages per second that may be issued by the kernel See Table 30 1 Audit Status Flag...

Page 403: ...he k option allows you to specify a key to use to filter the audit logs for this particular event later e g with ausearch You may use the same key on different rules in order to be able to group rules...

Page 404: ...AND operator meaning that this rule applies to all tasks that carry the audit ID of 501 have changed to run as root and have wheel as the group A process is given an audit ID on user login This ID is...

Page 405: ...Listing Rules with auditctl l LIST_RULES exit always watch etc perm rx LIST_RULES exit always watch etc passwd perm rwxa key fk_passwd LIST_RULES exit always watch etc shadow perm rwxa LIST_RULES entr...

Page 406: ...e three messages to the log All of them are closely linked together and you would not be able to make sense of one of them without the others The first message reveals the following information type T...

Page 407: ...mple this is the file descriptor number This varies by system call a0 to a3 The first four arguments to the system call in numeric form The values of these are totally system call dependent In this ex...

Page 408: ...process egid sgid fsgid Effective group ID set group ID and file system group ID of the user that started the process tty The terminal from which the application is started In this case a pseudotermin...

Page 409: ...path argument such as a cp or mv command an additional PATH event would have been logged for the second path argument name Refers to the pathname passed as an argument to the less or open call inode R...

Page 410: ...cred acct root exe usr sbin sshd hostname jupiter example com addr 192 168 2 100 terminal dev pts 0 res success type LOGIN msg audit 1234877011 799 7734 login pid 26125 uid 0 old auid 4294967295 new a...

Page 411: ...e When the audit logs have moved to another machine or when you want to analyze the logs of a number of machines on your local machine without wanting to connect to each of these individually move the...

Page 412: ...into a human readable text format add the i option to your aureport command Create a Rough Summary Report If you are just interested in the current audit statistics events logins processes etc run au...

Page 413: ...roups or roles 0 Number of logins 6 Number of failed logins 0 Number of authentications 7 Number of failed authentications 0 Number of users 1 Number of terminals 7 Number of host names 3 Number of ex...

Page 414: ...4 21 15 7719 USER_AUTH 1 yes 7 17 02 09 14 21 15 7720 USER_ACCT 1 yes 8 17 02 09 14 21 15 7721 CRED_ACQ 1 yes 9 17 02 09 14 21 15 7722 LOGIN 0 yes 10 17 02 09 14 21 15 7723 USER_START 0 yes 11 17 02 0...

Page 415: ...ble the terminal it is run in the host exe cuting it the audit ID and event number aureport x Executable Report date time exe term host auid event 1 13 02 09 15 08 26 usr sbin sshd sshd 192 168 2 100...

Page 416: ...elated events including date time audit ID host and terminal used name of the executable success or failure of the attempt and an event ID aureport l i Login Report date time auid host term exe succes...

Page 417: ...ne and adjust the date format to your locale specified in etc sysconfig audit under AUDITD_LANG default is en_US Specify the end date and time with the te option Any event that has a time stamp equal...

Page 418: ...h of these individually move the logs to a local file and have ausearch search them locally ausearch option if myfile Convert Numeric Results into Text Some information such as user IDs are printed in...

Page 419: ...SYSCALL and USER_LOGIN Running ausearch m without a message type displays a list of all message types Search by Login ID To view records associated with a particular login user ID use the ausearch ul...

Page 420: ...process ID with the ausearch p pid com mand for example ausearch p 13368 for all records related to this process ID Search by Event or System Call Success Value View records containing a certain syste...

Page 421: ...searches to a certain time frame The ts option is used to specify the start date and time and the te option is used to specify the end date and time These options can be combined with any of the above...

Page 422: ...ort output is formatted in columns and thus easily available to any sed perl or awk scripts that users might connect to the audit framework to visualize the audit data The visualization scripts see Se...

Page 423: ...d your au report output might contain an additional data column for AM PM on time stamps To avoid having this confuse your scripts precede your script calls with LC_ALL C to reset the locale and use t...

Page 424: ...ion script and transformed into a bar chart aureport e i summary mkbar events Figure 30 3 Bar Chart Common Event Types For background information about the visualization of audit data refer to the Web...

Page 425: ...libs and optionally audit libs python To use the log visualization as described in Section 31 6 Configuring Log Visualization page 420 install gnuplot and graphviz from the SUSE Linux Enterprise Serv...

Page 426: ...you want to use it Check the following rules of thumb to determine which use case best applies to you and your requirements If you require a full security audit for CAPP EAL certification enable full...

Page 427: ...tion SUSPEND disk_error_action SUSPEND tcp_listen_port tcp_listen_queue 5 tcp_client_ports 1024 65535 tcp_client_max_idle 0 The default settings work reasonably well for many setups Some values such a...

Page 428: ...ditd conf configuration parameters 31 3 Enabling Audit for System Calls A standard SUSE Linux Enterprise Server system has auditd running by default There are different levels of auditing activity ava...

Page 429: ...ze various system calls in detail if a broad analysis of your system is required A very detailed example configuration that includes most of the rules that are needed in a CAPP compliant environment i...

Page 430: ...data or data corruption Directory watches produce less verbose output than separate file watches for the files under these directories To get detailed logging for your system configuration in etc sys...

Page 431: ...vents do you want to monitor by generating regular reports Select the appropriate aureport command lines as described in Section 30 5 2 Generating Custom Audit Reports page 397 What do you want to do...

Page 432: ...Number of failed syscalls 994 Number of anomaly events 0 Number of responses to anomaly events 0 Number of crypto events 0 Number of keys 2 Number of process IDs 1238 Number of events 5435 2 Run a sum...

Page 433: ...NE 38 usr lib locale en_GB UTF 8 LC_ADDRESS 38 usr lib locale en_GB UTF 8 LC_NAME 38 usr lib locale en_GB UTF 8 LC_PAPER 38 usr lib locale en_GB UTF 8 LC_MESSAGES 38 usr lib locale en_GB UTF 8 LC_MONE...

Page 434: ...ty pts2 ses 1166 comm vim exe bin vim normal key null TIP Focusing on a Certain Time Frame If you are interested in events during a particular period of time trim down the reports by using start and e...

Page 435: ...example commands could look like the following Create a Summary of Events aureport e i summary mkbar events Create a Summary of File Events aureport f i summary mkbar files Create a Summary of Login E...

Page 436: ...s LC_ALL C aureport s i awk 0 9 print 4 6 sort uniq mkgraph syscall_vs_com System Calls versus Files LC_ALL C aureport s i awk 0 9 print 5 4 sort uniq mkgraph syscall_vs_file Graphs can also be combin...

Page 437: ...Configuration Parameters page 424 Watches on audit log files and configuration files see Section 32 2 Adding Watches on Audit Log Files and Configuration Files page 425 Monitoring operations on file s...

Page 438: ...asic Audit Configuration Parameters D b 8192 f 2 Delete any preexisting rules before starting to define new ones Set the number of buffers to take the audit messages Depending on the level of audit lo...

Page 439: ...Files and Configuration Files Adding watches on your audit configuration files and the log files themselves ensures that you can track any attempt to tamper with the configuration files or detect any...

Page 440: ...s Auditing system calls results in a high logging activity This activity in turn puts a heavy load on the kernel With a kernel less responsive than usual the system s backlog and rate limits might be...

Page 441: ...special device files Enable an audit context for any mount or umount operation For the x64_64 archi tecture disable the umount rule For the ia64 architecture disable the umount2 rule 32 4 Monitoring S...

Page 442: ...etc cron weekly p wa w etc crontab p wa w var spool cron root w etc group p wa w etc passwd p wa w etc shadow w etc login defs p wa w etc securetty w var log faillog w var log lastlog w etc hosts p wa...

Page 443: ...inittab and the etc init d directory Enable per file watches if you are interested in file events Set watches and labels for any changes to the linker configuration in etc ld so conf Set watches and...

Page 444: ...k tracking on the ia64 architecture comment the first rule and enable the second one Add an audit context to the umask system call Track attempts to change the system time adjtimex can be used to skew...

Page 445: ...the system call mode is 4 R_OK This rule filters for all access calls testing for sufficient write permissions to a file or file system object accessed by a user or process Audit the access system cal...

Page 446: ...g is set to filter for a0 5 as the first argument to socketcall which translates to the accept system call if you check usr include linux net h 64 bit platforms like x86_64 and ia64 do not use multipl...

Page 447: ...ing on ipc system calls For these platforms comment the first four rules and add the plain system call rules without argument filtering Audit system calls related to IPC SYSV shared memory In this cas...

Page 448: ...above rule now comes down to the following ausearch k CFG_audit rules time Thu Feb 19 09 09 54 2009 type PATH msg audit 1235030994 032 8649 item 3 name audit rules inode 370603 dev 08 06 mode 0100640...

Page 449: ...able and very detailed information auditd 8 The Linux Audit daemon auditd conf 5 The Linux Audit daemon configuration file auditctl 8 A utility to assist controlling the kernel s audit system autrace...

Page 450: ...ample rules files for different scenarios capp rules Controlled Access Protection Profile CAPP lspp rules Labeled Security Protection Profile LSPP nispom rules National Industrial Security Program Ope...

Reviews:

No comments