Novell AppArmor
2.0
www.novell.com
Novell AppArmor 2.0 Administration Guide
August 28, 2006

Summary of Contents for Novell APPARMOR 2.0

  • Page 2 Novell, the Novell logo, the N logo and SUSE are registered trademarks of Novell, Inc. in the United States and other countries. * Linux is a registered trademark of Linus Torvalds. All other third party...
  • Page 3: Table Of Contents

    Building and Managing Novell AppArmor Profiles ... Building Novell AppArmor Profiles with the YaST GUI ..Building Novell AppArmor Profiles Using the Command Line Interface . .
  • Page 4 6 Support Updating Novell AppArmor Online ....Using the Man Pages ..... . .
  • Page 5: About This Guide

    About This Guide Novell® AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor...
  • Page 6 It also helps you to add, edit, or delete profiles that have been created for your applications. Managing Profiled Applications Describes how to perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. Profiling Your Web Applications Using ChangeHat Apache Enables you to create subprofiles for the Apache Web server that allow you to tightly confine small sections of Web application processing.
  • Page 7 • PATH: the environment variable PATH • ls, --help: commands, options, and parameters • user: users or groups • : a key to press or a key combination; keys are shown in uppercase as on a keyboard • File, File → Save As: menu items, buttons •...
  • Page 9: Immunizing Programs

    Web, mail, file, and print. Novell AppArmor controls the access given to network services and other programs to prevent weaknesses from being exploited.
  • Page 10 TIP: Background Information for Novell AppArmor To get a more in-depth overview of AppArmor and the overall concept behind it, refer to Appendix A, Background Information on AppArmor Profiling (page 123). Novell AppArmor 2.0 Administration Guide...
  • Page 11: Selecting Programs To Immunize

    Selecting Programs to Immunize Novell® AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process. You should inspect your ports to see which programs should be profiled (refer to Section 2.2, “Inspect Open Ports to Immunize Programs”...
  • Page 12: Inspect Open Ports To Immunize Programs

    The aa-unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. aa-unconfined then reports these programs along with the Novell AppArmor profile associated with each program or reports “none”...
  • Page 13 Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences, and Novell AppArmor is intended for servers rather than workstations. Therefore, we leave profiling of user network client applications as an exercise for the user.
  • Page 14 SUSE Linux, by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile. Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them.
  • Page 15 Profiling Web applications that use mod_perl and mod_php requires slightly different handling. In this case, the “program” is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() using a subprofile (a “hat”) corresponding to the name of the URI requested.
  • Page 16 /srv/www/htdocs/** /srv/www/icons/*.{gif,jpg,png} /usr/share/apache2/** To use a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile. 2.2.3 Immunizing Network Agents To find network server daemons and network clients (such as fetchmail, Firefox, or...
  • Page 17 Novell AppArmor profile policy. Scan your server for open network ports manually from outside the machine using a scanner, such as nmap, or from inside the machine using the netstat --inet -n -p command.
  • Page 19: Building Novell Apparmor Profiles

    Building Novell AppArmor Profiles This chapter explains how to build and manage Novell® AppArmor profiles. You are ready to build Novell AppArmor profiles after you select the programs to profile. For help with this, refer to Chapter 2, Selecting Programs to Immunize (page 11).
  • Page 20 The curly braces ({}) serve as a container for include statements of other profiles as well as for path and capability entries. This directive pulls in components of Novell AppArmor profiles to simplify profiles. Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
  • Page 21 In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor. 3.1.2 #include #include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles.
  • Page 22 AppArmor expects the include files to be located in /etc/apparmor.d. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma. To assist you in profiling your applications, Novell AppArmor provides two classes of #includes: abstractions and program chunks. Abstractions Abstractions are #includes that are grouped by common application tasks.
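    As an added example written for this page (not code from the guide or from the AppArmor project), the following Python parses a small profile in the syntax pages 20 to 22 describe: the braces as container, #include lines with no trailing comma resolved against the /etc/apparmor.d tree, capability statements, path rules that end in a comma, and a ^name { ... } hat. The profile text and the two abbreviated abstraction files are constructed in memory and are far shorter than the real abstractions; Profile, parse_profile and the rule regexes are this example's own names.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for /etc/apparmor.d: include name -> file contents.
# The real abstractions are much longer; these hold a few representative rules.
INCLUDE_FILES = {
    "abstractions/base": """
  /lib/ld-*.so*        mr,
  /lib/lib*.so*        mr,
  /etc/ld.so.cache     r,
  /dev/null            rw,
""",
    "abstractions/nameservice": """
  /etc/hosts           r,
  /etc/resolv.conf     r,
""",
}

# Constructed profile exercising every statement type described in the guide.
SAMPLE_PROFILE = """
# Profile for the Apache prefork binary (example only)
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,

  /etc/apache2/**            r,
  /srv/www/htdocs/**         r,
  /var/log/apache2/*         w,
  /usr/sbin/httpd2-prefork   mr,

  ^DEFAULT_URI {
    #include <abstractions/base>
    /srv/www/htdocs/**       r,
  }
}
"""

INCLUDE_RE = re.compile(r"^#include\s+<([^>]+)>$")   # no trailing comma
CAP_RE = re.compile(r"^capability\s+(\w+),$")
RULE_RE = re.compile(r"^(\S+)\s+([a-zA-Z]+),$")     # path, mode letters, comma

@dataclass
class Profile:
    name: str
    includes: list = field(default_factory=list)
    capabilities: list = field(default_factory=list)
    rules: dict = field(default_factory=dict)   # path -> set of mode letters
    hats: dict = field(default_factory=dict)    # hat name -> Profile

def _parse_body(lines, prof, include_files):
    """Consume lines up to the '}' that closes `prof`, filling in its fields."""
    while lines:
        line = lines.pop(0).strip()
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue                      # blank line or comment
        if line == "}":
            return
        if m := INCLUDE_RE.match(line):
            name = m.group(1)
            if name not in include_files:
                raise ValueError(f"include not found in /etc/apparmor.d: {name}")
            prof.includes.append(name)
            # Included rules are merged into the enclosing profile or hat.
            _parse_body(include_files[name].splitlines() + ["}"], prof, include_files)
        elif m := CAP_RE.match(line):
            prof.capabilities.append(m.group(1))
        elif line.startswith("^") and line.endswith("{"):
            hat = Profile(name=line[1:-1].strip())
            _parse_body(lines, hat, include_files)
            prof.hats[hat.name] = hat
        elif m := RULE_RE.match(line):
            prof.rules.setdefault(m.group(1), set()).update(m.group(2))
        else:
            raise ValueError(f"unrecognised statement (missing comma?): {line!r}")
    raise ValueError(f"block for {prof.name} is not closed with '}}'")

def parse_profile(text, include_files=INCLUDE_FILES):
    """Parse one profile; raises ValueError on a syntax problem."""
    lines = text.splitlines()
    header = ""
    while lines and not header:
        candidate = lines.pop(0).strip()
        if candidate and not candidate.startswith("#"):
            header = candidate
    if not header.endswith("{"):
        raise ValueError("profile header must be '<program path> {'")
    prof = Profile(name=header[:-1].strip())
    _parse_body(lines, prof, include_files)
    return prof
```

    The parser rejects a capability or path rule without its comma and an #include with one, which is the mistake the guide warns about when it says include lines, unlike other statements, do not end in a comma.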
  • Page 23: Building And Managing Novell Apparmor Profiles

    3.2.1 Using the YaST GUI To use the YaST GUI for building and managing Novell AppArmor profiles, refer to Section 3.3, “Building Novell AppArmor Profiles with the YaST GUI”...
  • Page 24: Building Novell Apparmor Profiles With The Yast Gui

    Performs a server audit to find processes that are running and listening for network connections then reports whether they are profiled. aa-autodep Generates a profile skeleton for a program and loads it into the Novell AppArmor module in complain mode. 3.3 Building Novell AppArmor Profiles with the YaST GUI Open the YaST GUI from the menu with YaST.
  • Page 25 Section 3.3.1, “Adding a Profile Using the Wizard” (page 26). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Profile”...
  • Page 26 For example, enter /etc/init.d/PROGRAM stop in a terminal window while logged in as root, replacing PROGRAM with the name of the program to profile. 2 If you have not done so already, click Novell AppArmor → Add Profile Wizard in the YaST GUI.
  • Page 27 3 Enter the name of the application or browse to the location of the program. 4 Click Create. This runs a Novell AppArmor tool named aa-autodep, which performs a static analysis of the program to profile and loads an approximate profile into the Novell AppArmor module.
  • Page 28 Subsequent steps describe your options in answering these questions. NOTE: Varying Processing Options Not all of the options introduced below are always present. The options displayed depend on the type of entry processed.
  • Page 29 8 The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application you are profiling (as seen in Figure 3.1, “Learning Mode Exception: Controlling Access to Specific Resources” (page 29)) or requiring you to define...
  • Page 30 Actual Pathname Literal path that the program needs to access to run properly. After you select a directory path, process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 31 The number of learning mode entries corresponds to the complexity of the application. b For Figure 3.2: Learning Mode Exception: Defining Execute Permissions for an Entry: From the following options, select the one that satisfies the...
  • Page 32 Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified. Finish Close aa-logprof, saving all rule changes entered so far and modifying all profiles. 9 Repeat the previous steps if you need to execute more functionality of the application.
  • Page 33 Select the application for which to create a profile, then add entries. 1 To add a profile, open YaST → Novell AppArmor. The Novell AppArmor category opens. 2 In Novell AppArmor, click Manually Add Profile.
  • Page 34 (page 33) or Section 3.3.3, “Editing a Profile” (page 37). When you select Add Entry, a drop-down list displays the types of entries you can add to the Novell AppArmor profile. From the list, select one of the following: File In the pop-up window, specify the absolute path of a file, including the type of access permitted.
  • Page 35 In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to Section 3.1.1, “Breaking a Novell AppArmor Profile into Its Parts” (page 19) for more information about capabilities. When finished making your selections, click OK.
  • Page 36 Include In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 3.1.2, “#include” (page 21). In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat.
  • Page 37 Simply select the profile then add, edit, or delete entries. To edit a profile, follow these steps: 1 Open YaST → Novell AppArmor. 2 In Novell AppArmor, click Edit Profile. The Edit Profile—Choose profile to edit window opens.
  • Page 38 3 From the list of profiled programs, select the profile to edit. 4 Click Next. The AppArmor Profile Dialog window displays the profile. 5 In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to...
  • Page 39 3.3.5 Updating Profiles from Log Entries The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program.
  • Page 40 Subsequent steps describe your options in answering these questions. NOTE: Varying Processing Options Not all of the options introduced below are always present. The options displayed depend on the type of entry being processed.
  • Page 41 Figure 3.4 Learning Mode Exception: Defining Execute Permissions for an Entry 3 aa-logprof begins suggesting directory path entries that have been accessed by the application profiled (as seen in Figure 3.3, “Learning Mode Exception: Controlling Access to Specific Resources” (page 41)) or requiring you to define...
  • Page 42 This is the literal path to which the program needs access so that it can run properly. After you select a directory path, process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 43 For Figure 3.4, “Learning Mode Exception: Defining Execute Permissions for an Entry” (page 41): Select the one that satisfies the request for access by choosing one of the following options. For detailed information about...
  • Page 44 Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified. Finish Close aa-logprof, saving all rule changes entered so far and modifying all profiles. 4 Repeat the previous steps if you need to execute more functionality of your application.
  • Page 45 3.3.6 Managing Novell AppArmor and Security Event Status You can change the status of Novell AppArmor by enabling or disabling it. Enabling Novell AppArmor protects your system from potential program exploitation. Disabling Novell AppArmor, even if your profiles have been set up, removes protection from your system.
  • Page 46 4.2.2, “Configuring Security Event Notification” (page 79). Changing Novell AppArmor Status When you change the status of Novell AppArmor, set it to enabled or disabled. When Novell AppArmor is enabled, it is installed, running, and enforcing the Novell AppArmor security policies.
  • Page 47: Building Novell Apparmor Profiles Using The Command Line Interface

    6 Click File → Quit in the YaST Control Center. 3.4 Building Novell AppArmor Profiles Using the Command Line Interface Novell AppArmor provides the ability to use a command line interface rather than a GUI to manage and configure your system security. 3.4.1 Checking the AppArmor Module Status...
  • Page 48 Novell AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded. You can load and unload the AppArmor module with the standard Linux module commands, such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended.
  • Page 49 You can use a text editor, such as vim, to access and make changes to these profiles. The following options contain detailed steps for building profiles: Adding or Creating Novell AppArmor Profiles Refer to Section 3.4.3, “Adding or Creating a Novell AppArmor Profile” (page 50) Editing Novell AppArmor Profiles Refer to Section 3.4.4, “Editing a Novell AppArmor Profile”...
  • Page 50 3.4.3 Adding or Creating a Novell AppArmor Profile To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Learn more about these two approaches in Section 3.5, “Two Methods of Profiling”...
  • Page 51: Two Methods Of Profiling

    4 Enter ls to view all the Novell AppArmor profiles that are currently installed. 5 Delete the profile with rm profilename. 6 Restart Novell AppArmor by entering rcapparmor restart in a terminal window. 3.5 Two Methods of Profiling Given the syntax for Novell AppArmor profiles in Section 3.1, “Profile Components...
  • Page 52 1 Create profiles for the individual programs that make up your application. Although this approach is systemic, Novell AppArmor only monitors those pro- grams with profiles and their children. To get Novell AppArmor to consider a program, you must at least have aa-autodep create an approximate profile for it.
  • Page 53 To ensure that all profiles are taken out of complain mode and put into enforce mode, enter aa-enforce /etc/apparmor.d/*. 8 Rescan all profiles. To have Novell AppArmor rescan all of the profiles and change the enforcement mode in the kernel, enter rcapparmor restart.
  • Page 54 The resulting profile is called “approximate” because it does not necessarily contain all of the profile entries that the program needs to be properly confined by Novell AppArmor. The minimum aa-autodep approximate profile has at least a base include directive, which contains basic profile entries needed by most programs.
  • Page 55 -print. aa-complain—Entering Complain or Learning Mode The complain or learning mode tool (aa-complain) detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged. To improve the profile, turn...
  • Page 56 .d into complain mode. aa-enforce—Entering Enforce Mode The enforce mode detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode.
  • Page 57 (if a profile does not already exist for it), sets it to complain mode, reloads it into Novell AppArmor, marks the log, and prompts the user to execute the program and exercise its functional- ity.
  • Page 58 If system events exist in the log, Novell AppArmor parses the learning mode log files. This generates a series of questions that you must answer to guide aa-genprof in generating the security profile.
  • Page 59 This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. This mode is often used when the child program is a helper application, such as the...
  • Page 60 (ux) The child runs completely unconfined without any Novell AppArmor profile applied to the executed resource. Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed on to the child process.
  • Page 61 #include This is the section of a Novell AppArmor profile that refers to an include file, which procures access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 62 6 After you select the pathname or include, you can process it as an entry into the Novell AppArmor profile by selecting Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob it.
  • Page 63 /var/log/audit/audit.log or /var/log/messages (if auditd is not running) and generate new entries in Novell AppArmor security profiles. When you run aa-logprof, it begins to scan the log files produced in learning or complain mode and, if there are new security events that are not covered by the existing profile set, it gives suggestions for modifying the profile.
  • Page 64 -m e2ff78636296f16d0b5301209a04430d aa-logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list. By default, aa-logprof looks for profiles in /etc/apparmor.d/ and scans the log in /var/log/messages.
  • Page 65 Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression you enter does not actually satisfy the event that prompted the question in the first place, Novell AppArmor asks you for confirmation and lets you reenter the expression.
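    The log scan aa-logprof performs (pages 63 to 65), as an added example that is not the guide's or the AppArmor project's code. The sample log lines are constructed, and their layout is an approximation of the syslog-style messages AppArmor 2.0 writes to /var/log/messages; parse_log, suggest_rules and render_rules are this example's own names. Unlike aa-logprof it asks no questions: it merges the logged accesses per profile or hat into the candidate rules that the administrator still has to allow or deny (the REJECTING of /etc/shadow below is one to deny), and it leaves execute events for an ix/px/ux decision.

```python
import re
from collections import defaultdict

# Constructed sample log. Field layout approximates the AppArmor 2.0 syslog
# messages; a hat is reported as profile^hat in the "active" field.
SAMPLE_LOG = """\
Jun  5 15:12:44 web1 kernel: audit(1149541964.387:15): PERMITTING r access to /var/run/httpd2.pid (httpd2-prefork(2865) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  5 15:12:44 web1 kernel: audit(1149541964.388:16): PERMITTING w access to /var/run/httpd2.pid (httpd2-prefork(2865) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  5 15:12:44 web1 kernel: audit(1149541964.401:17): REJECTING r access to /etc/shadow (httpd2-prefork(2866) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  5 15:12:45 web1 kernel: audit(1149541965.002:18): REJECTING access to capability 'net_bind_service' (httpd2-prefork(2865) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  5 15:12:45 web1 kernel: audit(1149541965.100:19): PERMITTING x access to /bin/sh (httpd2-prefork(2866) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  5 15:12:46 web1 kernel: audit(1149541966.010:20): PERMITTING r access to /proc/cpuinfo (httpd2-prefork(2867) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork^phpsysinfo-dev)
Jun  5 15:12:46 web1 sshd[2901]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2
"""

LOG_RE = re.compile(
    r"(?P<verdict>PERMITTING|REJECTING|AUDITING) "
    r"(?:(?P<mode>[a-zA-Z]+) access to (?P<path>\S+)"
    r"|access to capability '(?P<cap>\w+)') "
    r"\((?P<comm>[^()]+)\(\d+\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)

def parse_log(text):
    """Return one dict per AppArmor event; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def suggest_rules(events):
    """Group events by the active profile or hat and merge access modes per path.

    PERMITTING (complain mode) and REJECTING (enforce mode) events are both
    collected: each one is behaviour the current profile does not cover.
    """
    out = defaultdict(lambda: {"paths": defaultdict(set),
                               "capabilities": set(), "exec": set()})
    for ev in events:
        bucket = out[ev["active"]]
        if ev["cap"]:
            bucket["capabilities"].add(ev["cap"])
        elif "x" in ev["mode"]:
            bucket["exec"].add(ev["path"])      # needs an ix/px/ux decision
        else:
            bucket["paths"][ev["path"]].update(ev["mode"])
    return out

def render_rules(bucket):
    """Render candidate profile lines in the guide's syntax for Allow/Deny review."""
    lines = [f"capability {c}," for c in sorted(bucket["capabilities"])]
    for path in sorted(bucket["paths"]):
        modes = "".join(c for c in "mrwl" if c in bucket["paths"][path])
        lines.append(f"{path} {modes},")
    for path in sorted(bucket["exec"]):
        lines.append(f"# {path}: execute requested; choose ix, px or ux")
    return lines
```

    Two accesses to /var/run/httpd2.pid (r then w) collapse into one rw rule, the event inside the phpsysinfo-dev hat stays attached to that hat rather than to the parent profile, and the non-AppArmor sshd line is ignored.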
  • Page 66 SUSE Linux serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, Novell AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path.
  • Page 67 (ux) The child runs completely unconfined without any Novell AppArmor profile applied to the executed resource. Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed on to the child process.
  • Page 68 • You can avoid adding the helper applications, such as tar and rpm, to the /usr/bin/mail profile so that when /usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without Novell AppArmor protection.
  • Page 69: Pathnames And Globbing

    The aa-unconfined command examines open network ports on your system, compares that to the set of profiles loaded on your system, and reports network services that do not have Novell AppArmor profiles. It requires root privilege and that it not be confined by a Novell AppArmor profile.
  • Page 70 [a-c] Substitutes for the single character a, b, or c. {ab,cd} Expands to one rule to match ab and one rule to match cd. Example: a rule that matches /{usr,www}/pages/** grants access to Web pages in both /usr/pages and /www/pages.
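    The globbing rules of pages 69 and 70 as an added example, written for this page rather than taken from the guide or from AppArmor's own matcher: expand_braces turns {ab,cd} into the separate rules the guide says it stands for, glob_to_regex translates the remaining wildcards (a single * never crosses a /, ** does, ? is one non-slash character, [abc] and [a-c] are character sets), and path_matches combines the two. The function names and the sample paths are this example's own.

```python
import re

def expand_braces(pattern):
    """Expand {ab,cd} alternation into the separate rules AppArmor generates.

    The guide describes {ab,cd} as one rule to match ab and one rule to match
    cd; several brace groups in one pattern are expanded recursively.
    """
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded

def glob_to_regex(pattern):
    """Translate one brace-free AppArmor 2.0 path glob into an anchored regex.

    *      any run of characters that does not contain '/'
    **     any run of characters, '/' included
    ?      exactly one character other than '/'
    [abc]  one character from the set; ranges such as [a-c] are allowed
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.index("]", i)          # ValueError on an unclosed class
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def path_matches(pattern, path):
    """True if `path` is covered by the AppArmor path glob `pattern`."""
    return any(re.match(glob_to_regex(p), path) for p in expand_braces(pattern))
```

    The distinction that matters when reviewing a profile is * against **: /srv/www/icons/*.{gif,jpg,png} covers image files directly in the icons directory but not in any subdirectory, whereas /srv/www/htdocs/** covers the whole tree.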
  • Page 71: File Permission Access Modes

    (removed). Discrete Profile Execute Mode (px) This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition. If there is no profile defined, the access is denied.
  • Page 72 Incompatible with Ux, ux, px, and ix. Unconstrained Execute Mode (ux) Allows the program to execute the resource without any Novell AppArmor profile applied to the executed resource. Requires listing execute mode as well. This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine.
  • Page 73 The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link created (with the exception that the destination does not need link access).
  • Page 74 • GCONV_PATH • GETCONF_DIR • HOSTALIASES • LD_AUDIT • LD_DEBUG • LD_DEBUG_OUTPUT • LD_DYNAMIC_WEAK • LD_LIBRARY_PATH • LD_ORIGIN_PATH • LD_PRELOAD • LD_PROFILE • LD_SHOW_AUXV • LD_USE_LOAD_BIAS • LOCALDOMAIN • LOCPATH • MALLOC_TRACE • NLSPATH • RESOLV_HOST_CONF
  • Page 75 • RES_OPTIONS • TMPDIR • TZDIR
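    An added example, not the guide's or the AppArmor project's code, modelling the domain transition that pages 59, 60, 71 and 72 describe and the environment scrubbing of the clean-exec modes listed on pages 74 and 75. exec_qualifier checks that a rule's mode string carries exactly one of ix, px, Px, ux or Ux (the guide marks them as mutually incompatible), child_confinement returns the domain the child lands in for the /usr/bin/mail to /usr/bin/less case discussed on page 68, and demo_clean_exec shows a scrubbed environment failing to deliver LD_PRELOAD to a child. The scrubbed-variable set contains the names printed on these pages, which start at GCONV_PATH; the function names and the constructed hostile environment are this example's own.

```python
import subprocess
import sys

# Variables removed on a clean exec (Px / Ux), as listed on pages 74 and 75.
# Only the names printed there are included.
SCRUBBED_VARS = frozenset([
    "GCONV_PATH", "GETCONF_DIR", "HOSTALIASES", "LD_AUDIT", "LD_DEBUG",
    "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH",
    "LD_PRELOAD", "LD_PROFILE", "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN",
    "LOCPATH", "MALLOC_TRACE", "NLSPATH", "RESOLV_HOST_CONF", "RES_OPTIONS",
    "TMPDIR", "TZDIR",
])

EXEC_QUALIFIERS = "ipPuU"   # the letter before x in ix, px, Px, ux, Ux

def exec_qualifier(mode):
    """Return the execute qualifier of a mode string, or None if it has no x.

    "rix" -> "i", "Px" -> "P", "rw" -> None; "x", "rx" and "pxux" raise.
    """
    if "x" not in mode:
        return None
    if mode.count("x") > 1:
        raise ValueError("ix, px, Px, ux and Ux are mutually incompatible")
    i = mode.index("x")
    if i == 0 or mode[i - 1] not in EXEC_QUALIFIERS:
        raise ValueError("x must be qualified as ix, px, Px, ux or Ux")
    return mode[i - 1]

def child_confinement(mode, parent_profile, target, loaded_profiles):
    """Model the domain transition: (domain the child runs in, env scrubbed).

    ix     child inherits the parent's profile
    px/Px  child runs under its own profile; "denied" if none is loaded
    ux/Ux  child runs unconfined
    The upper-case qualifiers additionally scrub the environment.
    """
    q = exec_qualifier(mode)
    if q is None:
        raise ValueError("not an execute rule")
    scrub = q in "PU"
    if q == "i":
        return parent_profile, False
    if q in "pP":
        return (target if target in loaded_profiles else "denied"), scrub
    return "unconfined", scrub

def scrub_env(env):
    """Drop the variables a clean exec removes before the child starts."""
    return {k: v for k, v in env.items() if k not in SCRUBBED_VARS}

def run_clean(argv, env):
    """Run argv with a scrubbed copy of env and return its standard output."""
    return subprocess.run(argv, env=scrub_env(env), capture_output=True,
                          text=True, check=True).stdout

def demo_clean_exec():
    """Constructed hostile environment: LD_PRELOAD must not reach the child."""
    hostile = {"PATH": "/bin:/usr/bin", "HOME": "/root", "LD_PRELOAD": "/tmp/evil.so"}
    return run_clean([sys.executable, "-c",
                      "import os; print(os.environ.get('LD_PRELOAD', 'unset'))"],
                     hostile).strip()

if __name__ == "__main__":
    print(child_confinement("ix", "/usr/bin/mail", "/usr/bin/less", {"/usr/bin/mail"}))
    print(demo_clean_exec())
```

    The security point is the one the guide makes for Ux: an unconfined child inherits nothing from the parent's profile, so the only thing standing between it and a loader hijack through LD_PRELOAD or LD_LIBRARY_PATH is the scrubbed environment; the plain ux mode keeps those variables.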
  • Page 77: Managing Profiled Applications

    Applications After creating profiles and immunizing your applications, SUSE Linux becomes more efficient and better protected if you perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. You can deal with common issues and concerns before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries by running the aa-logprof tool through YaST, and dealing with maintenance issues.
  • Page 78: Setting Up Event Notification

    Novell AppArmor activity occurs. This feature is currently available via YaST. When you enter an e-mail address, you are notified via e-mail when Novell AppArmor security events occur. You can enable the following three types of notifications:...
  • Page 79 (page 102). 4.2.1 Severity Level Notification You can set up Novell AppArmor to send you event messages for things that are in the severity database and above the level that you select. These are numbered 1 through 10, 10 being the most severe security incident. The severity.db file defines the severity level of potential security events.
  • Page 80 For each notification type enabled, select the frequency of notification. Select a notification frequency from the following options: • Disabled • 1 minute • 5 minutes • 10 minutes • 15 minutes • 30 minutes
  • Page 81: Reports

    4 Click Done in the Novell AppArmor Configuration window. 5 Click File → Quit in the YaST Control Center. 4.3 Reports Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following: • Creates on-demand reports •...
  • Page 82 Narrow down the size of the report by filtering by date range or program name. You can also export an html or csv file. The following are the three types of reports available in Novell AppArmor: Executive Security Summary A combined report, consisting of one or more security incident reports from one or more machines.
  • Page 83 View Archive Displays all reports that have been run and stored in /var/log/apparmor/reports-archived/. Select the report you want to see in detail and click View. For View Archive instructions, proceed to Section 4.3.1, “Viewing Archived Reports” (page 84). Run Now Produces an instant version of the selected report type.
  • Page 84 Back Returns you to the Novell AppArmor main screen. Abort Returns you to the Novell AppArmor main screen. Next Performs the same function as the Run Now button. 4.3.1 Viewing Archived Reports View Reports enables you to specify the location of a collection of reports from one or more systems, including the ability to filter by date or names of programs accessed, and display them all together in one report.
  • Page 85 3 You can alter the directory location of the archived reports in Location of Archived Reports. Select Accept to use the current directory or select Browse to find a new report location. The default directory is /var/log/apparmor/reports-archived. 4 To view all the reports in the archive, select View All. To view a specific report, select a report file listed in the Report field then select View.
  • Page 86 CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. You can enter a path for your exported report by typing the full path in the field provided.
  • Page 87 Location to Store Log Enables you to change the location at which to store the exported report. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system. 8 To see the report, filtered as desired, select Next. One of the three reports displays. 9 Refer the following sections for detailed information about each type of report.
  • Page 88 State This field reveals whether the program listed in the program field is confined. If it is not confined, you might consider creating a profile for it.
  • Page 89 Type This field reveals the type of confinement the security event represents. It says either complain or enforce. If the application is not confined (state), no type of confinement is reported. Security Incident Report A security incident report displays security events of interest to an administrator. The SIR reports policy violations for locally confined applications during the specified time period.
  • Page 90 Severity levels of events are reported from the severity database. The severity database defines the importance of potential security events and numbers them 1 through 10, 10 being the most severe security incident. The severity levels are determined by the threat or importance of different security events, such as certain resources accessed or services denied.
  • Page 91 Mode The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute). Detail A source to which the profile has denied access. This includes capabilities and files.
  • Page 92 Num Events In the date range given, the total number of security events. Ave. Sev This is the average of the severity levels reported in the date range given. Unknown severities are disregarded in this figure.
  • Page 93 4.3.2 Run Now: Running On-Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. If you need help navigating to the main report screen, see Section 4.3, “Reports”...
  • Page 94 The options are PERMITTING, REJECTING, or AUDITING. Mode The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).
  • Page 95 Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.
  • Page 96 Day of Week Select the day of the week on which to schedule weekly reports, if desired. If you select ALL, weekly filtering is not performed. If monthly reporting is selected, this field defaults to ALL.
  • Page 97 Hour and Minute Select the time. This specifies the hour and minute at which you would like the reports to run. If you do not change the time, selected reports run at midnight. If neither month nor day of week is selected, the report runs daily at the specified time.
  • Page 98 The options are r (read), w (write), l (link), and x (execute). 5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
  • Page 99 NOTE Return to the beginning of this section if you need help navigating to the main report screen (see Section 4.3, “Reports” (page 81)). Perform the following steps to modify a report from the list of reports: 1 From the list of reports in the Schedule Reports window, select the report to edit. 2 Click Edit to edit the security incident report.
  • Page 100 Program Name You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specified program only.
  • Page 101 The options are r (read), w (write), l (link), and x (execute). 6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window where the scheduled report appears in the list of reports.
  • Page 102: Reacting To Security Events

    If the rejection represents normal application behavior, running aa-logprof at the command line or the Update Profile Wizard in Novell AppArmor allows you to iterate through all reject messages. By selecting the one that matches the specific reject, you can automatically update your profile.
  • Page 103 4.5.2 Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3.3, “Editing a Profile”...
  • Page 104 • Run the profiling tools to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to Section 3.3.5, “Updating Profiles from Log Entries” (page 39).
  • Page 105: Profiling Your Web Applications Using Changehat Apache

    It enables you to define security at a finer level than the process. This feature requires that each application be made “ChangeHat aware” meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution.
  • Page 106: Apache Changehat

    5.1.1 Tools for Managing ChangeHat-Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat: YaST or the command line interface. The command line manages ChangeHat-aware applications much more flexibly, but the process is also more complicated.
  • Page 107 /srv/www/htdocs/phpsysinfo-dev in a clean (new) install of Novell AppArmor. 1 Once phpsysinfo-dev is installed, you are ready to add hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard. 2 In Application to Profile, enter httpd2-prefork. 3 Click Create Profile.
  • Page 108 Refresh button to make sure that Apache processes the request for the phpsysinfo-dev URI. 6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step.
  • Page 109 In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo-dev hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined).
  • Page 110 Section 3.3.1, “Adding a Profile Using the Wizard” (page 26). When all profiling questions are answered, click Finish to save your changes and exit the wizard. The following is an example phpsysinfo-dev hat.
  • Page 111 AppArmor Profile (for instructions, refer to Section 3.3.2, “Manually Adding a Profile” (page 33)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following.
  • Page 112 1 From the AppArmor Profile Dialog window, click Add Entry then select Hat. The Enter Hat Name dialog box opens: 2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat.
  • Page 113: Apache Configuration For Apache2-Mod-Apparmor

    NOTE: For More Information For an example of a Novell AppArmor profile, refer to Example 5.1, “Example phpsysinfo-dev Hat” (page 111). 5.2 Apache Configuration for apache2-mod-apparmor Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file.
  • Page 114 The tarball can be downloaded from http://phpsysinfo.sourceforge.com. 1 After downloading the tarball, install it into /srv/www/htdocs/sysinfo. 2 Create /etc/apache2/conf.d/sysinfo.conf and add the following text to it: <Location "/sysinfo"> AAHatName sysinfo </Location> The following hat should then work for phpsysinfo:
  • Page 115 /usr/bin/who /usr/share/pci.ids /var/log/apache2/{access,error}_log /var/run/utmp 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root. 4 Restart Apache by entering rcapache2 restart at a terminal window as root. 5 Enter http://hostname/sysinfo/ into a browser to receive the system information that phpsysinfo delivers.
  • Page 117: Support

    6.1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux-based products. Retrieve and apply them exactly like for any other package that ships as part of a SUSE Linux-based product.
  • Page 118 The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are: • unconfined(8) • autodep(1) • complain(1) •...
  • Page 119: For More Information

    • apparmor.vim(5) • apparmor(7) • apparmor_parser(8) 6.3 For More Information Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/ or in the installed system in ...
  • Page 120: Troubleshooting

    To check reject messages, start YaST → Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter dates and times to narrow down the specific periods when the unexpected application behavior occurred.
  • Page 121: Reporting Bugs For Apparmor

    Click Create New Account on the Login to Continue page. b Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation. Provide data on which other Novell accounts you maintain to sync all these to one account.
  • Page 122 You may create attachments to your bug report for screen shots, log files, or test cases. 9 Click Submit after you have entered all the details to send your report to the developers.
  • Page 123: A Background Information On Apparmor Profiling

    Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.
  • Page 125: Glossary

    By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability in which an attack signature must first be defined, as there is for products that rely on attack signatures to secure their networks.
  • Page 126 Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.