Tools For Managing Changehat Aware Applications - Novell APPARMOR Admin Manual

User's Guide
• DEFAULT_URI
• HANDLING_UNTRUSTED_INPUT
If you have the required Apache 2 on your system, the
mod_change_hat module is automatically installed with Novell
AppArmor and added to the Apache configuration. Apache 1.3 is
not supported.
Note:
If you install mod_change_hat without Novell AppArmor, make sure
that Apache loads the mod_change_hat module by adding the
following line to your Apache configuration file:
LoadModule change_hat_module modules/mod_change_hat.so

Tools for Managing ChangeHat Aware Applications

As with most of the Novell AppArmor tools, you can use two methods
for managing ChangeHat, the YaST GUI interface or the command-line
interface. Managing ChangeHat-aware applications has much more
flexibility at the command-line, but it's also more complicated. They
both allow you to manage the hats for your application and populate
them with profile entries.
In the following steps, we walk you through a demo that adds Hats
to an Apache profile using the YaST GUI. During the "Add Profile
Wizard," the profiling utilities prompt you to create new Hats for
distinct URI requests. Choosing to create a new Hat lets you create
an individual profile for each URI, so you can write very tight
rules for each request.
If the URI that is processed does not represent significant processing,
or otherwise doesn't represent a significant security risk, then you may
safely select "Use Default Hat" to just process this URI in the default
Hat, which is the default security profile.
In the demo, we create a new Hat for the URI phpsysinfo-dev and
its subsequent accesses. Using the profiling utilities, we delegate what
is added to this new hat. The resulting Hat becomes a tight-security
container that encompasses all the processing on the server that
occurs when the phpsysinfo-dev URI is passed to the Apache web
server.
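
As an added illustration (not from the manual and not part of the Novell AppArmor tools), the Python sketch below parses a constructed Apache profile and reports which hat would confine a request name: its own hat when one is defined, otherwise DEFAULT_URI. The profile text, its binary path and rules, and the exact-name matching are assumptions made for the example.

```python
import re

# Constructed sample (not from the manual): an Apache profile holding the two
# hats named on this page plus the demo's phpsysinfo-dev hat. The binary path
# and every rule are illustrative assumptions.
SAMPLE_PROFILE = """
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  /srv/www/htdocs/** r,
  ^DEFAULT_URI {
    /srv/www/htdocs/** r,
    /var/log/apache2/access_log w,
  }
  ^HANDLING_UNTRUSTED_INPUT {
    /var/log/apache2/* w,
  }
  ^phpsysinfo-dev {
    #include <abstractions/nameservice>
    /bin/df ix,
    /srv/www/htdocs/phpsysinfo-dev/** r,
  }
}
"""

HAT_OPEN = re.compile(r"^\s*\^(\S+)\s*\{\s*$")

def parse_hats(profile_text):
    """Return {hat_name: [rules]} for every ^hat block in the profile."""
    hats, current = {}, None
    for raw in profile_text.splitlines():
        line = raw.strip()
        opened = HAT_OPEN.match(line)
        if opened:
            current = opened.group(1)
            hats[current] = []
        elif line == "}":
            current = None          # closes the hat (or the outer profile)
        elif line and current is not None:
            hats[current].append(line.rstrip(","))
    return hats

def hat_for(name, hats, default="DEFAULT_URI"):
    """Hat confining a request: its own hat if defined, else the default hat."""
    return name if name in hats else default

def report(names, profile_text=SAMPLE_PROFILE):
    """Map each request name to (hat used, rules that hat grants)."""
    hats = parse_hats(profile_text)
    return {n: (hat_for(n, hats), hats.get(hat_for(n, hats), [])) for n in names}
```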