Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Third-Party Materials All third-party trademarks are the property of their respective owners. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
AppArmor Novell® AppArmor Powered by Immunix is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute.
1 Documentation Conventions The following typographical conventions are used in this manual: Menu Items, Field Names, and Screen Titles in GUIs When using GUIs, field names, menu and screen titles, and field values are shown as File. Keys Key names are listed as they appear on your keyboard, as in Enter Command Linux commands (and other operating system commands, when used) are repre-...
Mail backupfiles mail Trademarks A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. 2 Understanding This Guide Immunizing Programs Describes operation of Novell AppArmor Powered by Immunix. Selecting Programs to Immunize Describes the types of programs that should have Novell AppArmor profiles created for them.
3.1 Launching Novell AppArmor through the YaST GUI SUSE Linux offers the utility YaST. Using YaST, you can launch the Novell AppArmor interface. This is the recommended method for a novice Linux user. For the other available methods, refer to Section 3.2, “Building and Managing Novell AppArmor...
In the YaST Control Center, click Novell AppArmor in the left pane. The right frame then shows the different Novell AppArmor configuration options. Select the appropriate Novell AppArmor configuration option by clicking the corresponding icon. Depending on the configuration option you select, refer to one of the following locations...
Section 3.3.4, “Deleting a Profile” (page 41). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Profile” (page 34).
Web, mail, file, and print. Novell AppArmor controls the access given to network services and other programs to prevent weaknesses from being exploited.
Selecting Programs to Immunize Novell® AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process. You should inspect your ports to see which programs should be profiled (refer to Section 2.2, “Inspect Open Ports to Immunize Programs”...
The unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. Unconfined then reports these programs along with the Novell AppArmor profile associated with each program, or reports “none”...
The unconfined user can then decide whether each of these programs needs an AppArmor profile. Additional profiles can be traded with other users and with the Novell® security development team on the user mailing list at http://mail.wirex.com/mailman/...
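As an added example (not code from the guide or from the unconfined tool itself), the following Python reduces the check described above to its core: it parses constructed netstat -nlp output, keeps the listening sockets that show a PID, and reads each PID's AppArmor label from /proc/PID/attr/current, reporting "none" for unconfined listeners. It assumes the label reads "<profile> (<mode>)" or "unconfined"; the /proc reader is injectable so the example runs offline on the constructed data.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample of `netstat -nlp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2311/httpd2-prefork
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1107/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1490/master
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1022/ntpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""

# Constructed /proc/<pid>/attr/current contents for the PIDs above (assumed
# format: "<profile> (<mode>)" for a confined process, "unconfined" otherwise).
SAMPLE_PROC_ATTR = {
    2311: "/usr/sbin/httpd2-prefork (enforce)\n",
    1107: "/usr/sbin/sshd (complain)\n",
    1490: "unconfined\n",
    1022: "unconfined\n",
}

# One netstat row: protocol, queues, local and foreign address, optional
# LISTEN state (tcp only), then "PID/Program name".
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>\S+)\s*$"
)


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int, str]]:
    """(proto, local address, pid, program) for every socket that shows a PID.
    Sockets printed with "-" (PID not visible) are skipped: without a PID
    there is nothing to look up."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            found.append((m["proto"], m["local"], int(m["pid"]), m["prog"]))
    return found


def read_proc_attr(pid: int) -> str:
    """Live reader: the AppArmor confinement label of a running process."""
    with open(f"/proc/{pid}/attr/current") as f:
        return f.read()


def sample_reader(pid: int) -> str:
    """Offline reader over the constructed table above."""
    if pid not in SAMPLE_PROC_ATTR:
        raise FileNotFoundError(pid)
    return SAMPLE_PROC_ATTR[pid]


def confinement(pid: int, reader: Callable[[int], str]) -> str:
    """Profile applied to the PID, or "none" (the word unconfined reports)."""
    try:
        label = reader(pid).strip()
    except (FileNotFoundError, PermissionError, ProcessLookupError):
        return "none"  # process already exited, or we lack privilege to read it
    return "none" if label in ("", "unconfined") else label


def report(netstat_output: str,
           reader: Callable[[int], str] = read_proc_attr) -> Dict[str, str]:
    """Map "proto local-address program" to its profile label or "none"."""
    return {f"{proto} {local} {prog}": confinement(pid, reader)
            for proto, local, pid, prog in parse_listeners(netstat_output)}


def unprofiled_programs(netstat_output: str,
                        reader: Callable[[int], str] = read_proc_attr) -> List[str]:
    """Listening programs with no profile: the candidates to immunize."""
    return sorted({key.split()[-1]
                   for key, prof in report(netstat_output, reader).items()
                   if prof == "none"})
```

Running report(open_netstat_text) with the default reader on a live host requires root, as the guide notes for unconfined.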
SUSE Linux, by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile. Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them.
Profiling Web applications that use mod_perl and mod_php requires slightly different handling. In this case, the “program” is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() naming a subprofile (a “hat”) corresponding to the name of the URI requested.
/srv/www/htdocs/**
/srv/www/icons/*.{gif,jpg,png}
/usr/share/apache2/**
If you want a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile. 2.2.3 Immunizing Network Agents To find network server daemons that should be profiled, you should inspect the open ports on your machine, consider the programs that are answering on those ports, and provide profiles for as many of those programs as possible.
Building Novell AppArmor Profiles This chapter explains how to build and manage Novell® AppArmor profiles. You are ready to build Novell AppArmor profiles after you select the programs to profile. For help with this, refer to Chapter 2, Selecting Programs to Immunize (page 15).
(see the chmod and chown man pages) and have /foo/bar w in its profile. Attempts to violate Novell AppArmor rules are recorded in syslog. In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not...
Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor. 3.1.2 #include #include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
3.2.1 Using the YaST GUI To use the YaST GUI for building and managing Novell AppArmor profiles, refer to Section 3.3, “Building Novell AppArmor Profiles with the YaST GUI”...
Performs a server audit to find processes that are running and listening for network connections, then reports whether they are profiled. autodep Generates a profile skeleton for a program and loads it into the Novell AppArmor module in complain mode. Building Novell AppArmor Profiles...
In the right frame, you see several Novell AppArmor option icons. If Novell AppArmor does not display in the left frame of the YaST window or if the Novell AppArmor icons do not display, you might want to reinstall Novell AppArmor. The following actions are available from Novell AppArmor.
Section 3.3.1, “Adding a Profile Using the Wizard” (page 27). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Profile”...
For example, enter /etc/init.d/PROGRAM stop in a terminal window while logged in as root, replacing PROGRAM with the name of the program to profile. 2 If you have not done so already, in the YaST GUI, click Novell AppArmor → Add Profile Wizard.
In the background, Novell AppArmor also sets the profile to learning mode. For more information about learning mode, refer to Section “Complain or Learning Mode” (page 58). 5 Run the application that is being profiled. 6 Perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access to function properly.
• A resource is requested by a profiled program that is not in the profile (see Figure 3.1, “Learning Mode Exception: Controlling Access to Specific Resources” (page 30)). The learning mode exception requires you to allow or deny access to a specific resource. •...
#include The section of a Novell AppArmor profile that refers to an include file. Include files procure access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
9 After you select a directory path, you need to process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
Finish Closes logprof, saving all rule changes entered so far and modifying all profiles. Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile. NOTE The number of learning mode entries corresponds to the complexity of the application.
You simply need to select the application for which to create a profile, then add entries. 1 To add a profile, open YaST → Novell AppArmor. The Novell AppArmor interface opens. 2 In Novell AppArmor, click Manually Add Profile (see Figure 3.3, “Manually...
5 In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to the following sections: Section “Adding an Entry” (page 35), Section “Editing an Entry” (page 38), or Section “Deleting an Entry”...
You can use globbing if necessary. For globbing information, refer to Section 3.6, “Pathnames and Globbing” (page 73). For file access permission information, refer to Section 3.7, “File Permission Access Modes” (page 74). Directory In the pop-up window, specify the absolute path of a directory, including the type of access permitted.
When finished making your selections, click Include In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 3.1.2, “#include”...
Editing an Entry This section explains the Edit Entry option that can be found in Section 3.3.2, “Manually Adding a Profile” (page 34) or Section 3.3.3, “Editing a Profile” (page 39). When you select Edit Entry, the file browser pop-up window opens. From here, you can edit the selected entry.
(page 34) or Section 3.3.3, “Editing a Profile” (page 39). When you select an entry then select Delete Entry, Novell AppArmor removes the profile entry that you have selected. 3.3.3 Editing a Profile Novell AppArmor enables you to manually edit Novell AppArmor profiles by adding, editing, or deleting entries.
3 From the list of profiled programs, select the profile to edit. 4 Click Next. The AppArmor Profile Dialog window displays the profile.
5 In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to the following sections: Section “Adding an Entry” (page 35), Section “Editing an Entry” (page 38), or Section “Deleting an Entry”...
5 In the pop-up that opens, click Yes to delete the profile. 3.3.5 Updating Profiles from Syslog Entries The Novell AppArmor Profile wizard uses logprof, the tool that scans log files and enables you to update profiles. logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system.
The following two figures show an example of each case. Subsequent steps describe your options in answering these questions. Figure 3.4 Learning Mode Exception: Controlling Access to Specific Resources Building Novell AppArmor Profiles...
#include The section of a Novell AppArmor profile that refers to an include file. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
4 After you select a directory path, you need to process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
Finish Close logprof, saving all rule changes entered so far and modifying all profiles. Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile. NOTE The number of learning mode entries corresponds to the complexity of...
Changing Novell AppArmor Status You can change the status of Novell AppArmor by enabling or disabling it. Enabling Novell AppArmor protects your system from potential program exploitation. Disabling Novell AppArmor, even if your profiles have been set up, removes protection from your system.
4.2.2, “Configuring Security Event Notification” (page 79). Changing Novell AppArmor Status When you change the status of Novell AppArmor, you set it to enable or disable. When Novell AppArmor is enabled, it is installed, running and enforcing the Novell AppArmor security policies.
6 Click File → Quit in the YaST Control Center. 3.4 Building Novell AppArmor Profiles Using the Command Line Interface Novell AppArmor provides the ability to use a command line interface rather than the GUI to manage and configure your system security. Building Novell AppArmor Profiles...
Unloaded The SubDomain module is not loaded into the kernel. Running The SubDomain module is loaded into the kernel and is enforcing Novell AppArmor program policies. Stopped The SubDomain module is loaded into the kernel, but there are no policies being enforced.
NOTE Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from rescue media (such as CD 1 of SUSE Linux) to regain control.
(page 21). 3.4.3 Adding or Creating a Novell AppArmor Profile To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Stand-Alone Profiling Suitable for profiling small applications that have a finite run time, such as user client applications like mail clients.
2 Enter the root password when prompted. 3 To go to the Novell AppArmor directory, enter cd /etc/subdomain.d/. 4 Enter ls to view all the Novell AppArmor profiles that are currently installed. 5 Delete the existing profile with rm profilename.
Syntax” (page 21), you could create profiles without using the tools. However, the effort involved would be substantial. To avoid such a hassle, use the Novell AppArmor tools to automate the creation and refinement of profiles. There are two ways to approach creating Novell AppArmor profiles, along with tools to support both methods.
This method is suitable for profiling long-running applications whose behavior continues after rebooting, or a large number of programs to profile all at once. Build a Novell AppArmor profile for a group of applications as follows: 1 Create profiles for the individual programs that make up your application.
/etc/init.d/subdomain restart. 3.5.3 Summary of Profiling Tools All of the Novell AppArmor profiling utilities are provided by the subdomain-utils RPM package and most are stored in /usr/sbin. The following sections introduce each tool.
Novell AppArmor. The minimum autodep approximate profile has at least a base include directive, which contains basic profile entries needed by most programs. For certain types of programs, autodep generates a more expanded profile.
To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then postprocess the log with the Novell AppArmor tools to transform log events into improved profiles.
The default is for enforce mode to be turned on. Turn complain mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled. Enforce toggles with complain mode.
(if a profile does not already exist for it), sets it to complain mode, reloads it into Novell AppArmor, marks the syslog, and prompts the user to execute the program and exercise its functionality.
If system events exist in the log, Novell AppArmor parses the learning mode log files. This generates a series of questions that you must answer to guide genprof in generating the security profile.
5 Answer two types of questions: • A resource is requested by a profiled program that is not in the profile (see Example 3.1, “Learning Mode Exception: Controlling Access to Specific Resources” (page 62)). • A program is executed by the profiled program and the security domain transition has not been defined (see Example 3.2, “Learning Mode Exception: Defining Execute Permissions for an Entry”...
#include This is the section of a Novell AppArmor profile that refers to an include file, which procures access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
6 After you select the pathname or include, you can process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
7 To view and edit your profile using vim, enter vim /etc/subdomain.d/profilename in a terminal window. To enable syntax coloring when you edit a Novell AppArmor profile in vim, use the commands :syntax on then :set syntax=subdomain. For more information about vim and syntax coloring, refer to Section “Subdomain.vim”...
-m e2ff78636296f16d0b5301209a04430d logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list. By default, logprof looks for profiles in /etc/subdomain.d/ and scans the log in /var/log/messages so, in many cases, running logprof as root is enough to create the profile.
In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which pulls in a predefined set of Novell AppArmor rules. Selecting 1 to #include the name service package resolves all of...
SUSE Linux serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, Novell AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path.
This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail via your system's MTA. unconfined (ux) The child runs completely unconfined without any Novell AppArmor profile applied to the executed resource. In the following example, the /usr/bin/mail mail client is being profiled and logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper application to “page”...
/usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without Novell AppArmor protection. In other circumstances, you might instead want to use the Profile option. This has two effects on logprof: •...
Subdomain.vim A syntax coloring file for the vim text editor highlights various features of a Novell AppArmor profile with colors. Using vim and the Novell AppArmor syntax mode for vim, you can see the semantic implications of your profiles with color highlighting.
The unconfined command examines open network ports on your system, compares that to the set of profiles loaded on your system, and reports network services that do not have Novell AppArmor profiles. It requires root privilege and that it not be confined by a Novell AppArmor profile.
Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.
[abc] Substitutes for the single character a, b, or c. Example: a rule that matches /home[01]/*/.plan allows a program to access .plan files for users in both /home0 and /home1.
[a-c] Substitutes for the single character a, b, or c.
{ab,cd} Expands to one rule to match ab and one rule to match cd.
3.7.3 Discrete Profile Execute Mode This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition. If there is no profile defined, the access is denied. Incompatible with inherit and unconstrained execute entries.
This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target’s profile or losing the permissions of the current profile. This mode is infrequently used. 3.7.6 Link Mode The link mode mediates access to symlinks and hardlinks and the privilege to unlink (or delete) files.
Managing Profiled Applications After creating profiles and immunizing your applications, SUSE Linux becomes more efficient and better protected if you perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. You can deal with common issues and concerns before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries (which is essentially running the logprof tool through YaST), and dealing with maintenance issues.
Novell AppArmor activity occurs. This feature is currently available via YaST. When you enter an e-mail address, you are notified via e-mail when Novell AppArmor security events occur. You can enable three types of notifications, which are:...
(page 102). 4.2.1 Severity Level Notification You can set up Novell AppArmor to send you event messages for things that are in the severity database and above the level that you select. These are numbered one through ten, ten being the most severe security incident. The severity.db file defines the severity level of potential security events.
Section 4.2.1, “Severity Level Notification” (page 79). To be sent a notification e-mail outlining recent Novell AppArmor security events, determine your notification type preference. 3 In each applicable notification type section, enter the e-mail addresses of those who should receive notification in the field provided. If notification is enabled, you must enter an e-mail address.
7 Click Done in the Novell AppArmor Configuration window. 8 Click File → Quit in the YaST Control Center. 4.3 Reports Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following: • Creates on-demand reports •...
For more details, refer to Section “Security Incident Report” (page 89). To use the Novell AppArmor reporting features, proceed with the following steps: 1 To run reports, open YaST → Novell AppArmor. The Novell AppArmor interface opens.
2 In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event Reports window appears. From the Reports window, select an option and proceed to the section for instructions: View Archive Displays all reports that have been run and stored in /var/log/ apparmor/reports-archived/.
Delete Deletes a scheduled security incident report. All stock or canned reports cannot be deleted. Back Returns you to the Novell AppArmor main screen. Abort Returns you to the Novell AppArmor main screen. Next Performs the same function as the Run Now button.
2 Select the report type to view. Toggle between the different types: SIR (Security Incident Report), App Aud (Application Audit), and ESS (Executive Security Summary). 3 You can alter the directory location of the archived reports in Location of Archived Reports.
7 The Report Configuration dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The fields are: Date Range To display reports for a certain time period, select Filter By Date Range. Enter the start and end dates that define the scope of the report. Program Name When you enter a program name or pattern that matches the name of the binary executable of the program of interest, the report displays security events...
Severity Level Select the lowest severity level for security events to include in the report. The selected severity level and above are then included in the reports. Detail A source to which the profile has denied access. This includes capabilities and files.
• For the executive summary report, refer to Section “Executive Security Summary” (page 91). Application Audit Report An auditing tool that reports which application servers are running and whether they are confined by AppArmor. Application servers are applications that accept incoming network connections.
Date The date during which security events occurred. Program The name of the executing process. Profile The absolute name of the security profile that is applied to the process. Process ID A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).
The following screen represents an SIR report: The following are definitions for the fields in the SIR report: Host The machine protected by AppArmor for which the security events are being reported. Date The date during which security events occurred. Program The name of the executing process.
Severity Severity levels of events are reported from the severity database. The severity database defines the importance of potential security events and numbers them one through ten, ten being the most severe security incident. The severity levels are determined by the threat or importance of different security events, such as certain resources accessed or services denied.
The following are definitions for the fields in the executive security summary: Host The machine protected by AppArmor for which the security events are being reported. Start Date The first date in a range of dates during which security events are reported. End Date The last date in a range of dates during which security events are reported.
The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. Return to the beginning of this section if you need help navigating to the main report screen (see Section 4.3, “Reports”...
4 The Report Configuration Dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The following filter options are available: Date Range To limit reports to a certain time period, select Filter By Date Range. Enter the start and end dates that determine the scope of the report.
Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.
NOTE Return to the beginning of this section if you need help navigating to the main report screen (see Section 4.3, “Reports” (page 81)). To add a new scheduled security incident report, proceed as follows: 1 Click Add to create a new security incident report. The first page of Add Scheduled SIR opens.
Hour and Minute Select the time. This specifies the hour and minute that you would like the reports to run. If you do not change the time, the selected report runs at midnight. If neither month nor day of week is selected, the report runs daily at the specified time.
The options are r (read), w (write), l (link), and x (execute). 5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
NOTE Return to the beginning of this section if you need help navigating to the main report screen (see Section 4.3, “Reports” (page 81)). Perform the following steps to run a report from the list of reports: 1 From the list of reports in the Schedule Reports window, select the report to edit. 2 Click Edit to edit the security incident report.
E-Mail Target You have the ability to send the scheduled security incident report via e-mail to up to three recipients. Just enter the e-mail addresses for those who require the security incident information. Export Type This option enables you to export a CSV (comma separated values) or HTML file.
The options are r (read), w (write), l (link), and x (execute). 6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window where the scheduled report appears in the list of reports.
If the rejection represents normal application behavior, running logprof at the command line or the Update Profile Wizard in Novell AppArmor allows you to iterate through all reject messages. By selecting the one that matches the specific reject, you can automatically update your profile.
4.5 Maintaining Your Security Profiles In a production environment, you should plan on maintaining profiles for all of the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to back up and restore security policy files, plan for software changes, and allow any needed modification of security policies that your environment dictates.
4.5.2 Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3.3, “Editing a Profile”...
It enables you to define security at a finer level than the process. This feature requires that each application be made “changehat aware,” meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution.
5.1.1 Tools for Managing ChangeHat-Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Manage ChangeHat-aware applications much more flexibly at the command line, but the process is also more complicated.
In the following steps, we walk you through a demo that adds hats to an Apache profile using YaST. In the Add Profile Wizard, the Novell AppArmor profiling utilities prompt you to create new hats for distinct URI requests. Choosing to create a new hat allows you to create individual profiles for each URI.
Refresh button to make sure that Apache processes the request for the phpsysinfo-dev URI. 6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the logprof tool, which scans all the information learned in the pre-...
In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo-dev hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined).
a Select Inherit for the /bin/bash path. This adds /bin/bash (accessed by Apache) to the phpsysinfo-dev hat profile with the necessary permissions. b Click Allow. 9 The remaining questions prompt you to generate new hats and add entries to your profile and its hats.
Armor Profile (for instructions, refer to Section 3.3.2, “Manually Adding a Profile” (page 34)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. You can add a ChangeHat subprofile from the AppArmor Profile Dialog window.
1 From the AppArmor Profile Dialog window, click Add Entry, then select Hat. The Enter Hat Name dialog box opens:
2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat.
NOTE For an example of a Novell AppArmor profile, refer to Example 5.1, “Example phpsysinfo-dev Hat” (page 111).
5.2 Apache Configuration for mod_change_hat
Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file.
• A hat named by the entire URI path.
• A default server hat as specified by the ImmDefaultHatName keyword.
• DEFAULT_URI (and if none of those exist, it goes back to the “parent” Apache hat).
5.2.2 Location and Directory Directives
Location and Directory directives specify hat names in the program configuration file, so that the program changes into the named hat and is governed by its security rules.
/usr/bin/who
/usr/share/pci.ids
/var/log/apache2/{access,error}_log
/var/run/utmp
3 Reload the Novell AppArmor profiles by entering rcsubdomain restart in a terminal window as root.
4 Restart Apache by entering rcapache2 restart in a terminal window while logged in as root.
5 Enter http://hostname/sysinfo/ into a browser to receive the system information that phpsysinfo delivers.
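The hat lookup order given above and the ^name hat (subprofile) syntax, simulated in Python as an added example that is not part of the manual. The sample profile is constructed; that a hat named by a Location directive (ImmHatName) is tried before the URI-named hat, and that a leading slash is stripped when comparing a URI with hat names, are assumptions of this example.

```python
import re

# Constructed sample profile (not from the manual) in AppArmor hat syntax:
# a ^name { ... } block is a hat (subprofile) of the enclosing Apache profile.
# The rules in the phpsysinfo-dev hat mirror the paths the manual lists.
SAMPLE_PROFILE = """/usr/sbin/httpd2-prefork {
  /var/log/apache2/{access,error}_log w,
  ^phpsysinfo-dev {
    /bin/bash ix,
    /usr/bin/who ix,
    /usr/share/pci.ids r,
    /var/run/utmp r,
  }
  ^DEFAULT_URI {
    /srv/www/htdocs/** r,
  }
}
"""

# A hat declaration: optional indent, '^', the hat name, then '{'.
HAT_RE = re.compile(r"^\s*\^([^\s{]+)\s*\{", re.MULTILINE)


def hat_names(profile_text):
    """Return the set of hat names declared in an AppArmor profile."""
    return set(HAT_RE.findall(profile_text))


def resolve_hat(uri, hats, location_hats=None, default_hat=None):
    """Pick the hat mod_change_hat switches to for a request URI.

    Order as the manual gives it: a hat named by the entire URI path, then
    the server default hat (ImmDefaultHatName), then DEFAULT_URI, and if
    none of those exist the parent Apache profile (returned as None).
    location_hats maps a <Location> prefix to the hat named there; this
    example ASSUMES that hat is tried first and that a leading '/' is
    stripped when comparing the URI with hat names.
    """
    for prefix in sorted(location_hats or {}, key=len, reverse=True):
        if uri.startswith(prefix) and location_hats[prefix] in hats:
            return location_hats[prefix]
    for candidate in (uri, uri.lstrip("/")):
        if candidate in hats:
            return candidate
    if default_hat in hats:
        return default_hat
    if "DEFAULT_URI" in hats:
        return "DEFAULT_URI"
    return None  # no hat applies: the request stays in the parent profile
```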
This chapter outlines maintenance-related tasks. Learn how to update Novell® AppArmor and SubDomain and get a list of available man pages providing basic help on using the command line tools provided by Novell AppArmor. Use the troubleshooting section to learn about some common problems encountered with Novell AppArmor and their solutions.
The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are:
• unconfined(8)
• autodep(1)
• complain(1)
•...
• subdomain.vim(5)
• subdomain(7)
• subdomain_parser(8)
6.3 For More Information
More information about the AppArmor product can be found on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. The product documentation for Novell AppArmor, including this document, can be found at http://www.novell.com/documentation/apparmor/...
To check reject messages, start YaST → Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the applications audit report. You can filter dates and times to narrow down the specific periods when application behavior began.
Subdomain parser error
Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart SubDomain with syntax errors in your profiles, you see error results like the example below, which shows the syntax of the entire parser error:
localhost:~ # /etc/init.d/subdomain start...
Please be aware that the phone numbers may change during the sales cycle of SUSE Linux 10.0. Current numbers as well as a detailed listing of the subjects covered by the Advanced Support Service can be found at http://www.novell.com/usersupport. NOTE While our expert staff will do their best to provide top-quality support, we cannot guarantee a solution.
HOWTOs, and info pages. You can access the latest Support Database articles online at http://www.novell.com/usersupport. By means of the Support Database, which is one of the most frequently used databases in the Linux world, we offer our customers a wealth of analysis and solution approaches.
• Kernel updates (only official SUSE Linux update RPMs). • Installation of bug fixes and security updates from ftp.suse.com or a SUSE FTP mirror using YOU or the manual method. For a detailed listing of the subjects covered by the free installation support, please check http://www.novell.com/usersupport.
Contact Information for Free Installation Support • http://www.novell.com/usersupport • usersupport@novell.com • Germany: Phone: 0180-500 36 12 (12 Cent/min) (Monday through Friday from 13:00 to 17:00 CET) • Austria: Phone: +43 1 36 77 4440 (Monday through Friday from 13:00 to 17:00 CET) •...
So, whenever you encounter a bug in AppArmor, file a bug report against this product:
1 Use your Web browser to go to https://bugzilla.novell.com/index.cgi.
2 Enter the account data of your Novell account and click Login. Create a new Novell account as follows:...
Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation. Provide data on which other Novell accounts you maintain to sync all these to one account. 3 Check whether a problem similar to yours has already been reported by clicking Search Reports.
By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense against attacks. This is better because there is no window of vulnerability during which an attack signature must first be defined, as there is for products that rely on attack signatures to secure their networks.
Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.