Novell APPARMOR 1.2 Скачать руководство пользователя страница 105 | Manualshive

Страница: 105 / 130

Novell APPARMOR 1.2 Скачать руководство пользователя страница 105

5

Profiling Your Web Applications
Using ChangeHat Apache

A Novell® AppArmor profile represents security policy for an individual program in-
stance or process. It applies to an executable program, but if a portion of the program
needs different access permissions than other portions, the program can “change hats”
to use a different security context, distinctive from the access of the main program.
This is known as a hat or subprofile.

ChangeHat enables programs to change to or from a hat within a Novell AppArmor
profile. It enables you to define security at a finer level than the process.

This feature requires that each application be made “changehat aware,” meaning that
it is modified to make a request to the Novell AppArmor module to switch security
domains at arbitrary times during the application execution.

A profile can have an arbitrary number of subprofiles, but there are only two levels: a
subprofile cannot have further sub-subprofiles. A subprofile is written as a separate
profile and named as the containing profile followed by the subprofile name, separated
by a

^

. Subprofiles must be stored in the same file as the parent profile.

NOTE

For more information see the

change_hat

man page.

Profiling Your Web Applications Using ChangeHat Apache

105

«
...
103
104
105
106
107
...
»

Содержание APPARMOR 1.2

Страница 1: ...Novell AppArmor Powered by Immunix Administration Guide www novell com 1 2 09 29 2005...

Страница 2: ...ns or the laws of the country in which you reside Copyright 2000 2004 2005 Novell Inc All rights reserved No part of this publication may be reproduced photocopied stored on a retrieval system or tran...

Страница 3: ...PURPOSE ARE DISCLAIMED IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSE QUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBS...

Страница 4: ......

Страница 5: ...3 3 Building Novell AppArmor Profiles with the YaST GUI 26 3 4 Building Novell AppArmor Profiles Using the Command Line Interface 49 3 5 Two Methods of Profiling 54 3 6 Pathnames and Globbing 73 3 7...

Страница 6: ...change_hat 113 6 Support 117 6 1 Updating Novell AppArmor Online 117 6 2 Using the Man Pages 117 6 3 For More Information 119 6 4 Troubleshooting 119 6 5 Support for SUSE Linux 121 6 6 Reporting Bugs...

Страница 7: ...eeded for common application activities such as DNS lookup and user authentication A tool suite for developing and enhancing AppArmor profiles so that you can change the existing profiles to suit your...

Страница 8: ...ample 1 Command Environment To use ls to view the contents in the current directory enter ls in a terminal window Filename Filenames directory names paths and RPM package names are represented this wa...

Страница 9: ...nix Selecting Programs to Immunize Describes the types of programs that should have Novell AppArmor profiles created for them Building Novell AppArmor Profiles Describes how to use the Novell AppArmor...

Страница 10: ...ST Using YaST you can launch the Novell AppArmor interface This is the recommended method for a novice Linux user For the other available methods refer to Section 3 2 Building and Managing Novell AppA...

Страница 11: ...of the following locations in this guide Add Profile Wizard For detailed steps refer to Section 3 3 1 Adding a Profile Using the Wizard page 27 AppArmor Reports For detailed steps refer to Section 4...

Страница 12: ...Profile Delete an existing Novell AppArmor profile from your system For detailed steps refer to Section 3 3 4 Deleting a Profile page 41 Manually Add Profile Add a Novell AppArmor profile for an appli...

Страница 13: ...zing programs Proceed to Chapter 3 Building Novell AppArmor Profiles page 21 if you are ready to build and manage Novell AppArmor profiles Novell AppArmor provides streamlined access control for netwo...

Страница 14: ......

Страница 15: ...hat the person using the program does not have so they grant the privilege to the user when used cron jobs Programs that are run periodically by cron Such programs read input from a variety of sources...

Страница 16: ...s profile can read and write 2 2 Inspect Open Ports to Immunize Programs An automated method for finding network server daemons that should be profiled is to use the unconfined tool You can also simpl...

Страница 17: ...ports network ports opened by client applications but only those client applications that are running at the time the unconfined analysis is performed This is a problem because network services tend t...

Страница 18: ...ver is highly configurable and Web applications can be stored in many directories depending on your local configuration SUSE Linux by default stores Web applications in srv www cgi bin To the maximum...

Страница 19: ...add a profile in YaST or at the command line To take advantage of the subprocess confinement refer to Section 5 1 Apache ChangeHat page 106 Profiling Web applications that use mod_perl and mod_php re...

Страница 20: ...ripts served by Apache a good approach is to edit the DEFAULT_URI subprofile 2 2 3 Immunizing Network Agents To find network server daemons that should be profiled you should inspect the open ports on...

Страница 21: ...le into Its Parts Novell AppArmor profile components are called Novell AppArmor rules Currently there are two main types of Novell AppArmor rules path entries and capability entries Path entries speci...

Страница 22: ...ss modes r for read w for write and x for execute A white space of any kind spaces or tabs can precede pathnames or separate the pathname from the access modes White space between the access mode and...

Страница 23: ...ctions are includes that are grouped by common application tasks These tasks include access to authentication mechanisms access to name service routines common graphics requirements and system account...

Страница 24: ...ities 7 man page 3 2 Building and Managing Novell AppArmor Profiles There are three ways you can build and manage Novell AppArmor profiles depending on the type of computer environment you prefer You...

Страница 25: ...to Section 3 4 Building Novell AppArmor Profiles Using the Command Line Interface page 49 The command line interface offers access to a few tools that are not available using the other Novell AppArmor...

Страница 26: ...ng a terminal window logging in as root and entering yast2 In the right frame you see several Novell AppArmor option icons If Novell AppArmor does not display in the left frame of the YaST window or i...

Страница 27: ...o Section 3 3 5 Updating Profiles from Syslog Entries page 42 AppArmor Reports For detailed steps refer to Section 4 3 Reports page 81 AppArmor Control Panel For detailed steps refer to Section 3 3 6...

Страница 28: ...ll AppArmor Add Profile Wizard 3 Enter the name of the application or browse to the location of the program 4 Click Create This runs a Novell AppArmor tool named autodep which performs a static analys...

Страница 29: ...log the files and directories to which the program requires access to function properly 7 Click Scan System Log for Entries to Add to Profile to parse the learning mode log files This generates a ser...

Страница 30: ...gure 3 2 Learning Mode Exception Defining Execute Permissions for an Entry page 31 The learning mode exception requires you to define execute permissions for an entry Each of these cases results in a...

Страница 31: ...e Exception Controlling Access to Specific Resources From the following options select the one that satisfies the re quest for access which could be a suggested include a particular globbed version of...

Страница 32: ...ned Executes the program without a security profile WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArm...

Страница 33: ...sterisk in place of the file name This allows the program to access all files in the suggested directories that end with the ext extension When you double click it access is granted to all files with...

Страница 34: ...ntries into the profile You simply need to select the application for which to create a profile then add entries 1 To add a profile open YaST Novell AppArmor The Novell AppArmor interface opens 2 In N...

Страница 35: ...click Done Adding an Entry This section explains the Add Entry option that can be found in Section 3 3 2 Manu ally Adding a Profile page 34 or Section 3 3 3 Editing a Profile page 39 When you select A...

Страница 36: ...Permission Access Modes page 74 Directory In the pop up window specify the absolute path of a directory including the type of access permitted You can use globbing if necessary When fin ished click OK...

Страница 37: ...r Profile into Its Parts page 21 for more information about capabilities When finished making your selections click OK Include In the pop up window browse to the files to use as includes Includes are...

Страница 38: ...file browser pop up window opens From here you can edit the selected entry In the pop up window specify the absolute path of a file including the type of access permitted You can use globbing if neces...

Страница 39: ...removes the profile entry that you have selected 3 3 3 Editing a Profile Novell AppArmor enables you to manually edit Novell AppArmor profiles by adding editing or deleting entries You simply need to...

Страница 40: ...3 From the list of profiled programs select the profile to edit 4 Click Next The AppArmor Profile Dialog window displays the profile 40...

Страница 41: ...pop up that appears click Yes to confirm your changes to the profile 3 3 4 Deleting a Profile Novell AppArmor enables you to delete a Novell AppArmor profile manually You simply need to select the ap...

Страница 42: ...avior of the profiled application that is outside of the profile definition for the program You can add the new behavior to the relevant profile by selecting the suggested profile entry 1 Open YaST No...

Страница 43: ...fined see Figure 3 5 Learning Mode Exception Defining Execute Permissions for an Entry page 44 Each of these cases results in a question that you must answer that enables you to add the resource or pr...

Страница 44: ...ing Mode Exception Controlling Access to Specific Resources page 43 From the following options select the one that satis fies the request for access which could be a suggested include a particular glo...

Страница 45: ...program executed without a security profile WARNING Unless absolutely necessary do not run unconfined Choosing the Unconfined option executes the new program without any protection from AppArmor 4 Af...

Страница 46: ...ng the wild card asterisk in place of the filename This allows the program to access all files in the suggested directories that end with the ext extension When you double click it access is granted t...

Страница 47: ...pArmor protects your system from potential program exploitation Dis abling Novell AppArmor even if your profiles have been set up removes protection from your system Configuring Event Notification You...

Страница 48: ...fication continue as described in Sec tion 4 2 2 Configuring Security Event Notification page 79 Changing Novell AppArmor Status When you change the status of Novell AppArmor you set it to enable or d...

Страница 49: ...pArmor by selecting Disable Then click OK 5 Click Done in the AppArmor Configuration window 6 Click File Quit in the YaST Control Center 3 4 Building Novell AppArmor Profiles Using the Command Line In...

Страница 50: ...mmands such as modprobe insmod lsmod and rmmod but this approach is not recommended Instead it is recommended to manage Novell AppArmor through the script rcsubdomain which can perform the following o...

Страница 51: ...SUSE Linux to regain control To prevent such a problem always ensure that you have a running uncon fined root login on the machine being configured when you restart the SubDomain module If you damage...

Страница 52: ...coloring refer to Section Subdomain vim page 71 NOTE After making changes to a profile use the rcsubdomain restart command described in the previous section This command causes the Novell AppArmor to...

Страница 53: ...o view all profiles currently installed 5 Open the profile to edit in a text editor such as vim 6 Make the necessary changes then save the profile 7 Restart Novell AppArmor by entering rcsubdomain res...

Страница 54: ...fer to Sec tion 3 5 1 Stand Alone Profiling page 54 Systemic Profiling A method suitable for profiling large numbers of programs all at once and for profiling applications that may run for days weeks...

Страница 55: ...monitors those programs with profiles and their children Thus to get Novell AppArmor to consider a program you must at least have autodep create an approximate profile for it To create this approximat...

Страница 56: ...subdomain d using vim For help using vim to its fullest capacity refer to Section Subdomain vim page 71 7 Return to enforce mode This is when the system goes back to enforcing the rules of the profile...

Страница 57: ...te profile to be improved through the dynamic profiling that follows The resulting approximate profile is written to the etc subdomain d directory using the Novell AppArmor profile naming convention o...

Страница 58: ...so logged To improve the profile turn complain mode on run the program through a suite of tests to generate log events that characterize the program s access needs then postprocess the log with the No...

Страница 59: ...ed on Turn complain mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled Enforce toggles with complain mode Manually activating enforce mode using t...

Страница 60: ...omplain mode reloads it into Novell AppArmor marks the syslog and prompts the user to execute the program and exercise its functionality Its syntax is as follows genprof d path to profiles program If...

Страница 61: ...n to profile in another terminal window and perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access in order to...

Страница 62: ...file usr sbin xinetd Execute usr sbin vsftpd I nherit P rofile U nconfined D eny Abo r t F inish Dealing with execute accesses is complex You must decide which of the three kinds of execute permission...

Страница 63: ...or more pathnames or includes By clicking the option number select from one or more of the following options then proceed to the next step NOTE All of these options are not always presented in the No...

Страница 64: ...ny Prevents the program from accessing the specified directory path entries Novell AppArmor then moves on to the next event New Prompts you to enter your own rule for this event allowing you to specif...

Страница 65: ...page 71 logprof logprof is an interactive tool used to review the learning or complain mode output found in the syslog entries then generate new entries in Novell AppArmor security profiles When you r...

Страница 66: ...system log logprof ignores all events in the system log before the specified mark is seen If the mark contains spaces it must be surrounded with quotes to work correctly Example logprof m e2ff78636296...

Страница 67: ...to the specified directory path entries Novell AppArmor suggests file permission access For more information about this refer to Section 3 7 File Permission Access Modes page 74 Deny Prevents the prog...

Страница 68: ...prof Example 2 In an example from profiling vsftpd we see this question Profile usr sbin vsftpd Path y2k jpg New Mode r 1 y2k jpg A llow D eny N ew G lob Glob w E xt Abo r t F inish Several items of i...

Страница 69: ...fined program without gaining the permissions of the target s profile or losing the permis sions of the current profile This mode is often used when the child program is a helper application such as t...

Страница 70: ...ce is to use Inherit This results in the less program executed from this context running under the profile for usr bin mail This has two consequences You need to add all of the basic file accesses for...

Страница 71: ...ofiles with color highlighting Use vim to view and edit your profile by typing vim at a terminal window To enable the syntax coloring when you edit a Novell AppArmor profile in vim use the commands sy...

Страница 72: ...on your system and reports network services that do not have Novell AppArmor profiles It requires root privilege and that it not be confined by a Novell AppArmor profile unconfined must be run as roo...

Страница 73: ...o strategic and tactical use of Novell AppArmor to solve severe se curity problems in a very short period of time Published in the Proceedings of the DARPA Information Survivability Conference and Exp...

Страница 74: ...a c Expand to one rule to match ab and one rule to match cd ab cd Example A rule that matches usr www pages to grant access to Web pages in both usr pages and www pages 3 7 File Permission Access Mode...

Страница 75: ...d Execute Mode Allows the program to execute the resource without any Novell AppArmor profile being applied to the executed resource Requires listing execute mode as well Incompatible with inherit and...

Страница 76: ...ions of the current profile This mode is infrequently used 3 7 6 Link Mode The link mode mediates access to symlinks and hardlinks and the privilege to unlink or delete files When a link is created th...

Страница 77: ...struc tions for performing each of these tasks are available Section 4 1 Monitoring Your Secured Applications page 77 Section 4 5 Maintaining Your Security Profiles page 103 4 1 Monitoring Your Secure...

Страница 78: ...er of individual occurrences including the date of the last occur rence For example SubDomain PERMITTING access to capability setgid httpd2 prefork 6347 profile usr sbin httpd2 prefork active usr sbin...

Страница 79: ...y events The severity levels are determined by the importance of different security events such as certain resources accessed or services denied 4 2 2 Configuring Security Event Notification Security...

Страница 80: ...n type pref erence 3 In each applicable notification type section enter the e mail addresses of those who should receive notification in the field provided If notification is enabled you must enter an...

Страница 81: ...er to Section 4 2 1 Severity Level Notification page 79 for more information about severity levels 6 Click OK 7 Click Done in the Novell AppArmor Configuration window 8 Click File Quit in the YaST Con...

Страница 82: ...to Section Executive Security Summary page 91 Application Audit Report An auditing tool that reports which application servers are running and whether the applications are confined by AppArmor Applic...

Страница 83: ...rts window appears From the Reports window select an option and proceed to the section for instructions View Archive Displays all reports that have been run and stored in var log apparmor reports arch...

Страница 84: ...ding New Reports page 95 Edit Edits a scheduled security incident report Delete Deletes a scheduled security incident report All stock or canned reports cannot be deleted Back Returns you to the Novel...

Страница 85: ...se the current directory or select Browse to find a new report location The default directory is var log apparmor reports archived 4 To view all the reports in the archive select View All To view a sp...

Страница 86: ...me or pattern that matches the name of the bi nary executable of the program of interest the report displays security events that have occurred for a specific program Profile Name When you enter the n...

Страница 87: ...parated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications You can enter a pathname fo...

Страница 88: ...e the application audit report ran the name and path of the unconfined program or application server the suggested profile or a placeholder for a profile for an unconfined program the process ID numbe...

Страница 89: ...that displays security events of interest to an administrator The SIR reports policy violations for locally confined applications during the specified time period The SIR reports policy exceptions and...

Страница 90: ...ty events are being re ported Date The date during which security events occurred Program The name of the executing process Profile The absolute name of the security profile that is applied to the pro...

Страница 91: ...ources to which the profile prevents access Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Executive Security...

Страница 92: ...ty events are reported End Date The last date in a range of dates during which security events are reported Num of Rejects In the date range given the total number of security events that are rejected...

Страница 93: ...need help navigating to the main report screen see Section 4 3 Reports page 81 Perform the following steps to run a report from the list of reports 1 Select the report to run instantly from the list...

Страница 94: ...rofile You can use this to see what is being confined by a specific profile PID Number Process ID number is a number that uniquely identifies one specific process or running program this number is val...

Страница 95: ...on audit report refer to Section Application Audit Report page 88 For the recurity incident report refer to Section Security Incident Report page 89 For the executive summary report refer to Section E...

Страница 96: ...n the fields with the following filtering information as necessary Report Name Specify the name of the report Use names that easily discern one report from the next Day of Month Select any day of the...

Страница 97: ...export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications You c...

Страница 98: ...and files You can use this field to create a report of resources to which profiles prevent access Severity Select the lowest severity level of security events to include in the report The selected sev...

Страница 99: ...sary Day of Month Select any day of the month to activate monthly filtering in reports If you select All monthly filtering is not performed Day of Week Select the day of the week on which to schedule...

Страница 100: ...by typing the full path name in the field provided Location to Store Log Enables you to change the location where the exported report is stored The default location is var log apparmor reports export...

Страница 101: ...erity level and above are included in the reports Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Mode The mod...

Страница 102: ...ss violation and determine if that event indicated a threat or was part of normal application behavior Application specific knowledge is required to make the determination If the rejection represents...

Страница 103: ...ause you take the time to make profiles it makes sense to back them up Backing up profiles might save you from having to reprofile all your programs after a disk crash Also if profiles are changed you...

Страница 104: ...is one of the following Run the profiling wizard by selecting Add Profile Wizard in YaST This updates your application profile set with the current productions using minimal effort For step by step in...

Страница 105: ...es you to define security at a finer level than the process This feature requires that each application be made changehat aware meaning that it is modified to make a request to the Novell AppArmor mod...

Страница 106: ...tically installed with Novell AppArmor as well as added to the Apache configu ration Apache 1 3 is not supported NOTE If you install mod_change_hat without Novell AppArmor you need to make sure the Ap...

Страница 107: ...e create a new hat for the URI phpsysinfo dev and its subsequent accesses Using the profiling utilities we delegate what is added to this new hat The resulting hat becomes a tight security container t...

Страница 108: ...age and system information NOTE To ensure that this request is processed by the server and you do not review cached data in your browser you should refresh the page To do this click the browser Refres...

Страница 109: ...this application In the next screen Novell AppArmor displays an external program that the script executed You can specify that the program should run confined by the phpsys info dev hat choose Inheri...

Страница 110: ...prompt you to generate new hats and add entries to your profile and its hats The process of adding entries to profiles is covered in detail in the section Section 3 3 1 Adding a Profile Using the Wiza...

Страница 111: ...in the context of a process run ning under the parent profile httpd2 prefork 5 1 2 Adding Hats and Entries to Hats When you use the Edit Profile dialog for instructions refer to Section 3 3 3 Editing...

Страница 112: ...at Name dialog box opens 2 Enter the name of the hat to add to the Novell AppArmor profile The name is the URI that when accessed receives the permissions set in the hat 3 Click Create Hat You are ret...

Страница 113: ...nt file in an existing directory is ac cepted or rejected For Apache documentation on virtual host directives refer to http httpd apache org docs 2 0 mod core html virtualhost The change_hat specific...

Страница 114: ...location mod_change_hat should use a specific hat Location foo ImmHatName MY_HAT_NAME Location This tries to use MY_HAT_NAME for any URI beginning with foo foo foo bar foo cgi path blah_blah blah etc...

Страница 115: ...ci ids r var log apache2 access error _log w var run utmp r 3 Reload Novell AppArmor profiles by entering rcsubdomain restart at a terminal window as root 4 Restart Apache by entering rcapache2 restar...

Страница 116: ......

Страница 117: ...et an overview of the support options provided with your copy of SUSE Linux 6 1 Updating Novell AppArmor Online Updates for Novell AppArmor packages will be provided through YOU YaST Online Update Ret...

Страница 118: ...mats 5 Games 6 High level concepts 7 Administrator commands 8 The section numbers are used to distinguish man pages from each other For example exit 2 describes the exit system call while exit 3 descr...

Страница 119: ...roubleshooting The following section lists the most common problems and error messages that may occur using Novell AppArmor SUSE Linux is installed but AppArmor does not appear in the YaST menu AppArm...

Страница 120: ...vers have a default hard limit for e mail size This limitation can impede AppArmor s ability to send e mails that are generated for reporting purposes If your mail is not arriving this could be why Us...

Страница 121: ...tax errors in your profiles you see error results like this localhost etc init d subdomain start Loading SubDomain profiles Subdomain parser error line 2 Found unexpected character h Profile etc subdo...

Страница 122: ...x Monday Friday from 09 00 a m to 06 00 p m EST or 06 00 a m to 03 00 p m PST All other countries Phone 44 1344 326 666 Price 46 including VAT Monday Friday 12 00 18 00 CET One incident covers up to t...

Страница 123: ...t installed packages the vital HOWTOs and info pages You can access the latest Support Database articles online at http www novell com usersupport By means of the Support Database which is one of the...

Страница 124: ...hanging the jumper setting Configuration of a supported PCI ethernet card for LAN access with either DHCP client or static IP This does not include the configuration of the LAN or any other computers...

Страница 125: ...0 Monday through Friday from 12 00 p m to 6 00 p m EST or 09 00 a m to 03 00 p m PST France Phone 33 1 55 62 50 50 Monday through Friday from 13 00 to 17 00 CET Spain Phone 34 0 91 375 3057 Monday thr...

Страница 126: ...il inquiries Contact Recommendations Misspelled commands links or directory names often cause frustrating problems and are particularly common during phone conversations To help prevent this problem p...

Страница 127: ...ted check this bug report and add extra information to it if necessary 5 If your problem has not been reported yet select New from the top navigation bar and proceed to the Enter Bug page 6 Select the...

Страница 128: ......

Страница 129: ...reactive defense from attacks This is better because there is no window of vulnerabilty where the attack signature must be defined for Novell AppArmor as it does for products using attack signatures...

Страница 130: ...do and nothing else URI Universal Resource Identifiers The generic term for all types of names and address es that refer to objects on the World Wide Web A URL is one kind of URI URL Uniform Resource...

Отзывы:

Нет отзывов