Immunizing Network Agents - Novell APPARMOR Admin Manual

User's Guide
localtime.php page to execute and access the local system time:
/usr/sbin/httpd2-prefork^/cgi-bin/localtime.php {
  /etc/localtime r,
  /srv/www/cgi-bin/localtime.php r,
  /usr/lib/locale/** r,
}
If no subprofile has been defined, then the Novell AppArmor version of
Apache applies the DEFAULT_URI hat. This subprofile is basically
sufficient to display an HTML web page. The DEFAULT_URI hat that is
provided by default is:
/usr/sbin/suexec2 ixr,
/var/log/apache2/** rwl,
/home/*/public_html/** r,
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/usr/share/apache2/** r,
If you want a single Novell AppArmor profile for all web pages and CGI
scripts served by Apache, then editing the DEFAULT_URI subprofile is
a good approach.

Immunizing Network Agents

To find network server daemons that should be profiled, you should
inspect the open ports on your machine, consider the programs that
are answering on those ports, and provide profiles for as many of those
programs as possible. If you provide profiles for all programs with open
network ports, then for all possible network threats, the attacker cannot
get to the file system on your machine without passing through a
Novell AppArmor profile policy.
1. The name presented for the script to be executed may not be the URI, depending on how
Apache has been configured for where to look for module scripts. If you have configured
your Apache to place scripts in a different place, then the different names will show up in
Syslog when Novell AppArmor complains about access violations. See "Managing Profiled
Applications" on page 72.
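
The port inventory described under "Immunizing Network Agents" can be automated. The following Python is an added example, not part of the Novell manual: it pairs each listening socket with the AppArmor confinement of the process that owns it. It assumes socket data in the format printed by `ss -H -ltnup` (iproute2) and process labels as exposed in /proc/<pid>/attr/current; the sample data and all function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of `ss -H -ltnup` output (not captured from a real host).
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 511 *:80 *:* users:(("httpd2-prefork",pid=1330,fd=4),("httpd2-prefork",pid=1329,fd=4))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=901,fd=16))
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1102,fd=13))
"""
# Constructed stand-ins for the contents of /proc/<pid>/attr/current.
SAMPLE_LABELS = {812: "unconfined", 1102: "unconfined",
                 1329: "/usr/sbin/httpd2-prefork (enforce)",
                 1330: "/usr/sbin/httpd2-prefork (enforce)", 901: "/usr/sbin/ntpd (complain)"}
USER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

def read_label(pid):
    """Return the AppArmor label of a live process, or None if unreadable."""
    try:
        return Path(f"/proc/{pid}/attr/current").read_text().strip()
    except OSError:
        return None

def classify(label):
    """Reduce a label such as '/usr/sbin/ntpd (complain)' to a status word."""
    if label is None:
        return "unknown"
    if label == "unconfined":
        return "unconfined"
    return "complain" if label.endswith("(complain)") else "enforce"

def audit_listeners(ss_output, label_of=read_label):
    """Return sorted (proto, local_addr, program, status) for each listener."""
    findings = set()  # a set collapses worker processes sharing one socket
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        owners = USER_RE.findall(line)
        if not owners:  # ss omits owners of other users' sockets without root
            findings.add((proto, local, "?", "unknown"))
        for name, pid in owners:
            findings.add((proto, local, name, classify(label_of(int(pid)))))
    return sorted(findings)

def needs_profile(findings):
    """Listeners not confined in enforce mode: candidates for a profile."""
    return [f for f in findings if f[3] != "enforce"]
```

On a live host, pass the output of `ss -H -ltnup` run as root to `audit_listeners` and leave `label_of` at its default so labels are read from /proc.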
