Novell APPARMOR - AND: download user manual, page 1

Admin Guide

Novell AppArmor

Powered by Immunix

Contents of APPARMOR - AND

Page 1: ...Admin Guide Novell AppArmor Powered by Immunix...

Page 2: ...How to Build AppArmor Profiles 16, Profile Components and Syntax 16, Breaking Down the AppArmor Profile Into Its Parts 16, include 18, Capability Entries (POSIX.1e) 19, Choosing the YaST GUI, YaST ncurses Co...

Page 3: ...69, Creating Reports 70, Maintaining Your Security Profiles 73, Backing Up Your Security Profiles 74, Changing Your Security Profiles 74, Introducing New Software Into Your Environment 74, Profiling Your W...

Page 4: ...library of Novell AppArmor profiles for common Linux applications, describing what files the program needs to access. A library of Novell AppArmor profile foundation classes (profile building blocks) need...

Page 5: ...y. This style indicates that you can type the word or phrase on the command line and press Enter to invoke a command. Example: To use ls to view the contents of the current directory, you wou...

Page 6: ...own programs and third-party programs that you may have installed on your SUSE Linux. It also helps you add, edit, or delete profiles that have been created for your applications. Chapter 5, Managing Pro...

Page 7: ...he YaST GUI. SUSE LINUX Enterprise Server 9 offers the SUSE utility Yet Another Setup Tool (YaST). Using YaST, you can launch the Novell AppArmor interface. This is the recommended method for a novice L...

Page 8: ...zard on page 24. Edit Profile: Edits an existing Novell AppArmor profile on your system. For detailed steps, refer to Editing a Novell AppArmor Profile on page 29. Delete Profile: Del...

Page 9: ...view Novell AppArmor security events. For detailed steps, refer to Creating Reports on page 74. Novell AppArmor Control Panel: For detailed steps, refer to Managing Novell AppArmo...

Page 10: ...troduces you to the philosophy of immunizing programs. Proceed to Chapter 4, How to Build Novell AppArmor Profiles, if you are ready to build and manage Novell AppArmor profiles. How To Immu...

Page 11: ...e slocate database up to date, with sufficient privilege to read the name of every file in the system. For instructions on using Novell AppArmor for this type of program, refer to Immunizing Cron Jobs o...

Page 12: ...tab -e, and list root's cron tasks with crontab -l. You must be root for these to work. Immunizing Web Applications: To find web applications, you should investigate your web ser...

Page 13: ...e, which is appropriate if you do not want to write individual profiles for each Python script. Note: If you want the subprocess confinement module (mod_change_hat) functionality when web applications ha...

Page 14: ...r as many of those programs as possible. If you provide profiles for all programs with open network ports, then for all possible network threats the attacker cannot get to the file system on your machin...

Page 15: ...ppArmor profile associated with each program, or reports none if the program is not confined. Note: If you create a new profile, you must restart the program that has been profiled in order for unconfin...

Page 16: ...rk client applications tend to be running only when the user is interested in them. Applying Novell AppArmor profiles to user network client applications is also dependent on users' pre...

Page 17: ...ing this syntax is presented in Breaking Down the Novell AppArmor Profile Into Its Parts on page 17. Breaking Down the Novell AppArmor Profile Into Its Parts: Novell AppArmor pro...

Page 18: ...eral forms: include directives, which pull in components of Novell AppArmor profiles to simplify profiles; Capability Entries, statements that enable each of the 32 POSIX.1e capabilities; Path Entries, in wh...

Page 19: ...mage that the attacker can do to the set of files permitted by Novell AppArmor. include: Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include f...

Page 20: ...in the program chunks are typically very liberal and are designed to allow your users access to their files in the least intrusive way possible, while still allowing system resources to be protected. A...

Page 21: ...Armor profiles and is better suited for users with limited-bandwidth connections to their server. Access the YaST ncurses console by typing yast2 while logged into a terminal window as root. The YaST n...

Page 22: ...es back to enforce mode, and the system begins enforcing the rules of the profiles, not just logging information. For more information on this tool, refer to Enforce Mode on page 55...

Page 23: ...Novell AppArmor. Click one of the following Novell AppArmor icons and proceed to the section referenced below. Add Profile Wizard: For detailed steps, refer to Using the Add Pro...

Page 24: ...e Novell AppArmor profiling tools GenProf (Generate Profile) and LogProf (Update Profiles From Learning Mode Log File). For more information about these tools, refer to Summar...

Page 25: ...AppArmor also sets the profile to learning mode. For more information on learning mode, refer to Complain or Learning Mode on page 54. 6. Execute the application that is b...

Page 26: ...ition has not been defined (see Figure 2 below). Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile. The fo...

Page 27: ...icular globbed version of the path or the actual path name. Not all of these options are always available. include: An include is the section of a Novell AppArmor profile that refers to an include file...

Page 28: ...ermission access. For more information on this, refer to File Permission Access Modes on page 69. Deny: Click the Deny button to prevent the program from accessing the specified directory path...

Page 29: ...dialog box, which saves the profile to disk and loads it into the Novell AppArmor module. 13. The previous steps can be repeated if you need to execute more functionality of your application. 14. When you...

Page 30: ...ers Guide 30. 2. From Novell AppArmor, click the Edit Profile icon. The Edit Profile: Choose Profile to Edit window displays. 3. From the list of profiled programs, select the profile you would like to e...

Page 31: ...AppArmor profile entries by clicking the corresponding buttons and referring to the following sections: Add Entry on page 40, Edit Entry on page 43, or Delete...

Page 32: ...d like to delete a profile for, then delete it as follows: 1. To delete a profile, open the YaST GUI and click Novell AppArmor. The Novell AppArmor interface displays. 2. From Novell AppArmor, click th...

Page 33: ...n that is outside of the profile definition for the program. You can add the new behavior to the relevant profile by selecting the suggested profile entry. 1. To update a profile from syslog entries, ope...

Page 34: ...curity domain transition has not been defined (see Figure 2 below). Each of these cases will result in a question that you must answer, which enables you to add the resource or program into the profile. The...

Page 35: ...bbed version of the path or the actual path name. Not all of these options are always available. include: An include is the section of a Novell AppArmor profile that refers to an include file. Include fi...

Page 36: ...ess. For more information on this, refer to File Permission Access Modes on page 69. Deny: Click the Deny button to prevent the program from accessing the specified directory pa...

Page 37: ...r of learning mode entries corresponds to the complexity of the application. 6. When completed, click the Finish button, which saves the profile to disk and loads it into the Novell AppArmor module. Manua...

Page 38: ...the Manually Add a Novell AppArmor Profile icon. The Select a File to Generate Profile for window displays. 3. From the Select a File to Generate Profile for window, browse your system to find the applic...

Page 39: ...om the Novell AppArmor Profile Dialog window. You can Add, Edit, or Delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to the followin...

Page 40: ...ist, select one of the following. File: In the pop-up window, specify the absolute path of a file, including the type of access permitted. When finished, click the OK button. You can use globbing if necessary...

Page 41: ...n finished, click the OK button. For globbing information, refer to Path Names and Regular Expression Matching on page 69. For file access permission information, refer to File Permission Access Modes...

Page 42: ...finished making your selections, click the OK button. Include: In the pop-up window, browse to the files you would like to use as includes. Includes are directives that pull in components of other Novell...

Page 43: ...ission information, refer to File Permission Access Modes on page 69. Delete Entry: When you click the Delete Entry button, Novell AppArmor removes the Novell AppArmor profile entry that is highlighted...

Page 44: ...con, the Novell AppArmor Configuration window displays as shown below. 2. From the Novell AppArmor Configuration screen, determine whether Novell AppArmor and Security Event Notification are running by l...

Page 45: ...or you set it to enable or disable. When Novell AppArmor is enabled, it is installed, running, and enforcing the Novell AppArmor security policies. 1. To enable Novell AppArmor, open the YaST GUI and click N...

Page 46: ...e GUI to manage and configure your system security. Checking the SubDomain Module Status: The SubDomain module can be in one of three states. Unloaded: The SubDomain module is not loaded into the kernel. R...

Page 47: ...e stopped state. If the SubDomain module was either unloaded or already stopped, then stop tries to unload the profiles again, but nothing happens. /etc/init.d/subdomain restart: Causes the SubDomain module to...

Page 48: ...ain detailed steps for building profiles. Add or Create Novell AppArmor Profiles: Refer to Add or Create a Novell AppArmor Profile on page 49. Edit Novell AppArmor Profile: Refer to Edit Nov...

Page 49: ...rs and mail servers, Systemic Profiling on page 51. Edit Novell AppArmor Profile: The following steps tell you what you need to do in order to edit a Novell AppArmor profile. To better unde...

Page 50: ...for more information, refer to Standalone Profiling on page 50), suitable for profiling small applications that have a finite run time, such as user cl...

Page 51: ...ding a Novell AppArmor profile for a group of applications is as follows: 1. Create profiles for the individual programs that make up your application. Even though this approach is systemic, Novell AppAr...

Page 52: ...ssages and run faster. 6. Edit the Profiles: You may wish to review the profiles that have been generated. You can open and edit the profiles in /etc/subdomain.d using vim. For help using vim to its fulles...

Page 53: ...an be a fully qualified path. The program itself can be of any kind (ELF binary, shell script, Perl script, etc.), and autodep will still generate an approximate profile to be improved through the dynamic p...

Page 54: ...ofiled program accessing files not permitted by the profile. The violations are permitted but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to gener...

Page 55: ...accessing files not permitted by the profile. The violations are logged and NOT permitted. Turn enforce mode on when you want the Novell AppArmor profiles to control the access of the program that is...

Page 56: ...prof, or Generate Profile, is Novell AppArmor's profile-generating utility. It autodeps the specified program, creating an approximate profile if a profile does...

Page 57: ...s the program requires access to in order to function properly. For example, in a new terminal window, type /etc/init.d/apache2 start. 4. You are given the following menu choices, which can be used after yo...

Page 58: ...ess controls as the parent. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the...

Page 59: ...Not all of these options are always presented in the Novell AppArmor menu. include: An include is the section of a Novell AppArmor profile that refers to an include file. Include files procure access per...

Page 60: ...ur own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression you enter does not actually satisfy the event that prompted the question in the first...

Page 61: ...with suggestions for modifying the profile. The learning (complain) mode traces program behavior and enters it in syslog. Logprof uses this information to observe program behavior. If a confined program...

Page 62: ...mor rules that could be added by pressing the number of the item on the list. By default, logprof looks for profiles in /etc/subdomain.d and scans the log in /var/log/messages, so in many cases just runnin...

Page 63: ...on to the next event. New: Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression you enter does not actually satisfy...

Page 64: ...2. In an example from profiling vsftpd, we see this question. Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftp...

Page 65: ...o call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. This mode is often used when the child program is a helpe...

Page 66: ...mail profile, so that when /usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without Novell AppArmor protection. In other circumstan...

Page 67: ...l color the lines of the profile for you: blue, include lines that pull in other Novell AppArmor rules and comments that begin with #; white, ordinary read access lines; brown, capability...

Page 68: ...more information on the science and security of Novell AppArmor, refer to the following papers: SubDomain: Parsimonious Server Security, Crispin Cowan, Steve Beat...

Page 69: ...ary number of path elements, including entire directories. ?: Can substitute for any single character except /. [abc]: This will substitute for the single character a, b, or c. For example, a rule that matches /home...
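The globbing on page 69 and the access modes on pages 70 and 71 are the part of the profile syntax that decides what a confined program can touch. The following Python is an added example, not code from the guide or from the AppArmor project: it parses a small constructed profile (the program /usr/sbin/examplecd and every path in it are hypothetical), turns each glob into a regular expression with the semantics the guide lists (** crosses directory boundaries, * and ? stop at /, [abc] matches exactly one listed character), and then answers access questions for that profile: the permissions of all matching rules are unioned, an execute request reports whether ix, px or ux applies, and a link is allowed only when the target carries the link's own permissions. Reading that last rule as a subset test (the l bit excepted) is an assumption drawn from the guide's wording.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Pattern, Set, Tuple

# Constructed sample profile in the include / capability / path-entry syntax
# the guide describes.  /usr/sbin/examplecd and all of its paths are hypothetical.
SAMPLE_PROFILE = """\
/usr/sbin/examplecd {
  #include <abstractions/base>
  capability net_bind_service,

  /etc/examplecd/*.conf            r,
  /var/lib/examplecd/**            rw,
  /home/*/public_html/**           r,
  /tmp/examplecd-??.log            w,
  /usr/lib/examplecd/helper-[abc]  ix,
  /usr/sbin/sendmail               px,
  /bin/bash                        ux,
  /var/run/examplecd.pid           wl,
  /var/run/examplecd.pid.tmp       w,
}
"""

@dataclass
class Profile:
    name: str
    includes: List[str] = field(default_factory=list)
    capabilities: List[str] = field(default_factory=list)
    rules: List[Tuple[str, Pattern[str], str]] = field(default_factory=list)

def glob_to_regex(pattern: str) -> str:
    """** spans any number of path elements; * is any run of characters
    except '/'; ? is one character except '/'; [abc] is one listed character."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and "]" in pattern[i:]:
            j = pattern.index("]", i)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def parse_profile(text: str) -> Profile:
    """Minimal parser: one entry per line, path entries as '<glob> <modes>,'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    prof = Profile(name=lines[0].split()[0])
    for line in lines[1:]:
        if line == "}":
            break
        if line.startswith("#include"):
            prof.includes.append(line.split(None, 1)[1])
        elif line.startswith("capability "):
            prof.capabilities.append(line[len("capability "):].rstrip(","))
        else:
            glob, modes = line.rstrip(",").rsplit(None, 1)
            prof.rules.append((glob, re.compile(glob_to_regex(glob)), modes))
    return prof

def permissions(prof: Profile, path: str) -> Set[str]:
    """Union of the mode letters of every rule whose glob matches the path
    ('px' contributes both 'p' and 'x')."""
    granted: Set[str] = set()
    for _glob, rx, modes in prof.rules:
        if rx.match(path):
            granted.update(modes)
    return granted

def allowed(prof: Profile, path: str, mode: str) -> bool:
    """True when every requested mode letter (r, w, x, l) is granted."""
    return set(mode) <= permissions(prof, path)

def exec_transition(prof: Profile, path: str) -> Optional[str]:
    """'ix' (inherit the caller's profile), 'px' (switch to the target's own
    profile), 'ux' (run unconfined), or None when execution is not permitted."""
    granted = permissions(prof, path)
    if "x" not in granted:
        return None
    for kind in ("i", "p", "u"):
        if kind in granted:
            return kind + "x"
    return None

def link_allowed(prof: Profile, link: str, target: str) -> bool:
    """Needs 'l' on the link name, and the target must carry the link's
    permissions.  Assumption: checked as a subset test, 'l' itself excepted."""
    link_perms = permissions(prof, link)
    if "l" not in link_perms:
        return False
    return (link_perms - {"l"}) <= permissions(prof, target)

if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    for path, mode in [("/etc/examplecd/main.conf", "r"),
                       ("/etc/examplecd/extra/x.conf", "r"),  # '*' stops at '/'
                       ("/home/alice/.ssh/id_rsa", "r")]:
        print(path, mode, "ALLOW" if allowed(p, path, mode) else "DENY")
    print("/bin/sh exec:", exec_transition(p, "/bin/sh"))
```

The second sample path is the one to keep in mind when reviewing a profile: /etc/examplecd/*.conf does not reach into subdirectories, so a program that later needs /etc/examplecd/conf.d/ will be rejected in enforce mode, and a profile author who "fixes" that with /etc/examplecd/** r has also granted read access to anything an attacker manages to drop into that tree.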

Page 70: ...without any Novell AppArmor profile being applied to the executed resource. Requires listing execute mode as well. Incompatible with Inherit and Discrete Profile execute entries. This mode is useful wh...

Page 71: ...gram to be able to create and remove a link with this name (including symlinks). When a link is created, the file that is being linked to MUST have the same access permissions as the link being created, wi...

Page 72: ...Your Secured Applications: Applications that are confined by Novell AppArmor security profiles will generate messages when they execute in unexpected ways or outside of their specified profile...

Page 73: ...new line in the verbose log. These security events include the date and time the event occurred, when the application profile permits access as well as rejects access, and the type of file permission ac...

Page 74: ...filtering by date range or program name. You can also export an HTML or text file. 1. To run reports, open the YaST GUI and click Novell AppArmor. The Novell AppArmor interface displays. 2. From Novell AppA...

Page 75: ...pertain to the program you specify. Export Report: Enables you to export a CSV (comma-separated values) or HTML file. The CSV file separates pieces of data in the log entries with commas, using a standard d...

Page 76: ...duction environment, you should plan on maintaining profiles for all of the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to back up...

Page 77: ...or on another PC. Changing Your Security Profiles: Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To chan...

Page 78: ...nt, your best method for updating your profiles is to do one of the following: Monitor the system frequently to determine if any new rejections should be added to the profile, and update as needed us...

Page 79: ...ll AppArmor module to switch security domains at arbitrary times during the application's execution. A profile can have an arbitrary number of subprofiles, but there are only two levels: a subprofile cannot...

Page 80: ...icated. They both allow you to manage the hats for your application and populate them with profile entries. In the following steps, we walk you through a demo that will add hats to an Apache pro...

Page 81: ...ping /etc/init.d/apache2 stop and then /etc/init.d/apache2 start in a terminal window while logged in as root. Note: Any program you are profiling would be restarted at this point. 5. Type http://localhost/php...

Page 82: ...bout the script's actions will be added to the newly created hat rather than the default hat for this application. In the next screen, Novell AppArmor displays an externa...

Page 83: ...ons will prompt you to generate new hats and add entries to your profile and its hats. The process of adding entries to profiles is covered in detail in the section Using...

Page 84: ...ly Add Novell AppArmor Profile (for instructions, refer to Manually Adding a Profile on page 37), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. ph...

Page 85: ...g window. 1. From the Novell AppArmor Profile Dialog window, click Add Entry, then select Hat. The Enter Hat Name dialog box displays. 2. Enter the name of the hat you would like to add to the Novell AppArmo...

Page 86: ...or mod_change_hat. Apache has configuration files that customize the way Apache functions. Apache is configured by placing directives in plain-text configuration files. The main configuration file is us...

Page 87: ...osts are considered internally within Apache to be separate servers, so you can set a default hat name for the default server as well as one for each virtual host, if desired. When a request comes in to...

Page 88: ...it refers to a pathname in the filesystem, as seen in the following example. Example: The program phpsysinfo is used to illustrate a Location directive in the following example. The tarball can be downlo...

Page 89: ...che2 restart into a terminal window while logged in as root. 5. Enter http://hostname/sysinfo into a browser to receive the system information that phpsysinfo delivers. <Location /sysinfo> ImmHatName sysinfo...

Page 90: ...6. Track down configuration errors by going to /var/log/syslog or running dmesg and looking for any rejections in the output...
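Pages 72 and 73 describe the security events a confined application logs, and step 6 on page 90 has you hunt through /var/log/syslog or dmesg for rejections after wiring up a hat. The following Python is an added example, not code from the guide or the AppArmor project, that does that hunt mechanically: it parses the SubDomain-style REJECTING/PERMITTING kernel messages, attributes each to its profile and hat, and separates what is a profile-tuning item (a PERMITTING line from complain mode, a missing capability) from what should be investigated as a possible attack (a rejected execute of a shell from a web-server hat). The exact message wording is an assumption about this generation of the kernel module, and the host name, PIDs and paths in the sample lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample syslog lines.  The "SubDomain: REJECTING/PERMITTING" wording
# is an assumption about the kernel-module message format of this AppArmor
# generation; host name, PIDs and paths are invented.  The last line is noise.
SAMPLE_SYSLOG = """\
Jun 10 11:53:28 web1 kernel: SubDomain: REJECTING r access to /etc/shadow (httpd2-prefork(4211) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork^sysinfo)
Jun 10 11:53:29 web1 kernel: SubDomain: PERMITTING w access to /var/log/vsftpd.log (vsftpd(4302) profile /usr/sbin/vsftpd active /usr/sbin/vsftpd)
Jun 10 11:53:30 web1 kernel: SubDomain: REJECTING access to capability 'net_bind_service' (vsftpd(4302) profile /usr/sbin/vsftpd active /usr/sbin/vsftpd)
Jun 10 11:53:31 web1 kernel: SubDomain: REJECTING x access to /bin/sh (httpd2-prefork(4211) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork^sysinfo)
Jun 10 11:53:32 web1 sshd[4400]: Accepted publickey for alice from 10.0.0.5 port 51022
"""

# One regex covers both the file-access and the capability form of the message.
EVENT_RE = re.compile(
    r"SubDomain: (?P<verdict>REJECTING|PERMITTING) "
    r"(?:(?P<mode>[rwxl]+) access to (?P<path>\S+)"
    r"|access to capability '(?P<cap>[^']+)') "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) "
    r"active (?P<active>[^\s)]+)\)"
)

def parse_event(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one SubDomain event, or None for unrelated lines.
    'active' is the profile the task was in, written profile^hat inside a hat."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    active = ev["active"]
    ev["hat"] = active.split("^", 1)[1] if "^" in active else None
    return ev

def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    return [ev for ev in map(parse_event, text.splitlines()) if ev]

def summarize(events) -> Dict[str, dict]:
    """Per profile: how many events were rejected (enforce mode) or permitted
    but logged (complain mode), and the profile entries that would silence them."""
    summary = defaultdict(lambda: {"rejected": 0, "permitted": 0, "needs": set()})
    for ev in events:
        s = summary[ev["profile"]]
        s["rejected" if ev["verdict"] == "REJECTING" else "permitted"] += 1
        if ev["cap"]:
            s["needs"].add(f"capability {ev['cap']},")
        else:
            s["needs"].add(f"{ev['path']} {ev['mode']},")
    return dict(summary)

def exec_rejections(events) -> List[Dict[str, Optional[str]]]:
    """Rejected execute attempts deserve a look before any profile is widened:
    a web-server hat trying to run a shell is more likely an attack in progress
    than a missing entry."""
    return [ev for ev in events
            if ev["verdict"] == "REJECTING" and ev["mode"] and "x" in ev["mode"]]

if __name__ == "__main__":
    events = parse_log(SAMPLE_SYSLOG)
    for profile, s in summarize(events).items():
        print(profile, s["rejected"], "rejected,", s["permitted"], "permitted")
        for entry in sorted(s["needs"]):
            print("   candidate entry:", entry)
    for ev in exec_rejections(events):
        print("INVESTIGATE:", ev["comm"], ev["pid"], "hat", ev["hat"], "exec", ev["path"])
```

Because the regex searches for the kernel message anywhere in the line, the same parser works on the syslog-prefixed lines shown and on raw dmesg output. In the sample, the sysinfo hat of httpd2-prefork is rejected reading /etc/shadow and executing /bin/sh; neither belongs in the hat, and the second is the kind of rejection that should go to the incident queue rather than to logprof.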

Page 91: ...or a variety of reasons, including not having all of the required devtools packages installed, having a Linux kernel source tree that does not match your running kernel, and not having a Linux kernel sou...

Page 92: ...uted in sections. The sections are numbered 1 through 8. Each section is specific to a category of documentation: section 1 is user commands, section 2 is system calls, section 3 is library functions, secti...

Page 93: ...Running genprof as a non-root user produces a similar result. Again, run genprof only as root. You must also run the subdomain start and subdomain stop scripts as root. Running them as a non-root user pr...

Page 94: ...ailing list at Novell AppArmor-users@mail.wirex.com. You can subscribe to this list at http://mail.wirex.com/mailman/listinfo/immunix-users. The announcement list is for announcements only; the email for i...

Page 95: ...software packages. See http://www.rpm.org for more information. SSH (Secure Shell): A service that allows you to access your server from a remote computer and issue text commands through a secure connection...

Page 96: ...ed to users and to files and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs. Application firewalling: SubDomain contains applications and l...