The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell...
About This Guide Novell® AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor...
Enables you to create subprofiles for the Apache Web server that allow you to tightly confine small sections of Web application processing. Managing Profiled Applications Describes how to perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. Support Indicates support options for this product.
• Alt, Alt + F1: a key to press or a key combination; keys are shown in uppercase as on a keyboard
• File, File > Save As: menu items, buttons
• Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a chapter in another manual.
This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.
(and under the hood of the YaST interface) when you run AppArmor. An AppArmor profile is a plain text file containing path entries and access permissions. See Section 2.1, “Breaking a Novell AppArmor Profile into Its Parts” (page 12) for a detailed reference profile.
that have been triggered during the application's execution. After the profile has been generated, it is loaded and put into enforce mode. Refer to Section “aa-genprof—Generating Profiles” (page 47) for detailed information about this tool. aa-logprof aa-logprof interactively scans and reviews the log entries generated by an application that is confined by an AppArmor profile in complain mode.
Because cp does not have its own profile, it inherits the profile of the parent shell script, so can copy any files that the parent shell script's profile can read and write. Novell AppArmor Administration Guide...
The aa-unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. aa-unconfined then reports these programs along with the Novell AppArmor profile associated with each program or reports “none”...
Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences. Therefore, we leave profiling of user network client applications as an exercise for the user.
SUSE Linux Enterprise, by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile. Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them.
Profiling Web applications that use mod_perl and mod_php requires slightly different handling. In this case, the “program” is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() using a subprofile (a “hat”) corresponding to the name of the URI requested.
/srv/www/htdocs/**
/srv/www/icons/*.{gif,jpg,png}
/usr/share/apache2/**
To use a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile. 1.4.2 Immunizing Network Agents To find network server daemons and network clients (such as fetchmail, Firefox, amaroK...
Refer to the man page of the netstat command for a detailed reference of all possible options.
Profile Components and Syntax You are ready to build Novell AppArmor profiles after you select the programs to profile. To do so, it is important to understand the components and syntax of profiles. AppArmor profiles contain several building blocks that help build simple and reusable profile code: #include files, abstractions, program chunks, and capability entries.
2.1 Breaking a Novell AppArmor Profile into Its Parts Novell AppArmor profile components are called Novell AppArmor rules. Currently there are two main types of Novell AppArmor rules, path entries and capability entries. Path entries specify what the process can access in the file system and capability entries provide a more fine-grained control over what a confined process is allowed to do through other system calls that require privileges.
This loads a file containing variable definitions. The normalized path to the program that is confined. The curly braces ({}) serve as a container for include statements, subprofiles, path entries, and capability entries. This directive pulls in components of AppArmor profiles to simplify profiles. Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor. 2.2 #include Statements #include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles.
2.2.2 Program Chunks The program-chunks directory (/etc/apparmor.d/program-chunks) contains some chunks of profiles that are specific to program suites and not generally useful outside of the suite, thus are never suggested for use in profiles by the profile wizards (aa-logprof and aa-genprof). Currently program chunks are only available for the postfix program suite.
Building and Managing Profiles with YaST YaST provides an easy way to build profiles and manage Novell® AppArmor. It provides two interfaces: a fully graphical one and a text-based one. The text-based interface consumes less resources and bandwidth, making it a better choice for remote administration or for times when a local graphical environment is inconvenient.
Section 3.1, “Adding a Profile Using the Wizard” (page 18). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.2, “Manually Adding a Profile”...
PROGRAM with the name of the program to profile. 2 Start YaST and select Novell AppArmor > Add Profile Wizard. 3 Enter the name of the application or browse to the location of the program.
Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program to the profile. For an example of each case, see Figure 3.2, “Learning Mode Exception: Controlling
Access to Specific Resources” (page 21) and Figure 3.3, “Learning Mode Exception: Defining Execute Permissions for an Entry” (page 22). Subsequent steps describe your options in answering these questions. NOTE: Varying Processing Options Depending on the type of entry processed, the available options vary. Figure 3.2 Learning Mode Exception: Controlling Access to Specific Resources
Depending on the situation, these options are available: #include The section of a Novell AppArmor profile that refers to an include file. Include files give access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
Actual Pathname Literal path that the program needs to access to run properly. After selecting a directory path, process it as an entry to the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
Unless these variables are absolutely required to properly execute the child process, always choose the more secure, sanitized option.
The profile is then loaded into the AppArmor module. 3.2 Manually Adding a Profile Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile then add entries.
5 When finished, click Done. 3.3 Editing Profiles AppArmor enables you to edit Novell AppArmor profiles manually by adding, editing, or deleting entries. To edit a profile, proceed as follows: 1 Start YaST and select Novell AppArmor > Edit Profile.
2 From the list of profiled applications, select the profile to edit. 3 Click Next. The AppArmor Profile Dialog window displays the profile. 4 In the AppArmor Profile Dialog window, add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.1,...
(page 25) or Section 3.3, “Editing Profiles” (page 26). When you select Add Entry, a list shows the types of entries you can add to the Novell AppArmor profile. From the list, select one of the following: File In the pop-up window, specify the absolute path of a file, including the type of access permitted.
In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to Section 2.1, “Breaking a Novell AppArmor Profile into Its Parts” (page 12) for more information about capabilities. When finished making your selections, click OK.
Include In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 2.2, “#include Statements” (page 14). Hat In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat.
3.3.2 Editing an Entry When you select Edit Entry, the file browser pop-up window opens. From here, edit the selected entry. In the pop-up window, specify the absolute path of a file, including the type of access permitted. You can use globbing if necessary. When finished, click OK. For globbing information, refer to Section 4.7, “Paths and Globbing”...
3.5 Updating Profiles from Log Entries The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program.
Wizard” (page 18) for details. 2 When you are done, click Finish. In the following pop-up, click Yes to exit the Add Profile Wizard. The profile is saved and loaded into the Novell AppArmor module. 3.6 Managing Novell AppArmor and Security Event Status You can change the status of AppArmor by enabling or disabling it.
From the AppArmor Configuration screen, determine whether Novell AppArmor and security event notification are running by looking for a status message that reads enabled or configure the mode of individual profiles. To change the status of Novell AppArmor, continue as described in Section 3.6.1, “Changing Novell AppArmor Status”...
When you change the status of AppArmor, set it to enabled or disabled. When AppArmor is enabled, it is installed, running, and enforcing the AppArmor security policies. 1 Start YaST and select Novell AppArmor > AppArmor Control Panel. 2 Enable AppArmor by checking Enable AppArmor or disable AppArmor by deselecting it.
To edit an application's profile mode, proceed as follows: 1 Start YaST and select Novell AppArmor > AppArmor Control Panel. 2 In the Configure Profile Modes section, select Configure. 3 Select the profile for which to change the mode.
Building Profiles from the Command Line Novell® AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify AppArmor profiles using the AppArmor command line tools.
Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might need to be removed.
WARNING AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you must boot the machine from a rescue medium (such as the first medium of SUSE Linux Enterprise) to regain control.
The following steps describe the procedure for deleting an AppArmor profile. 1 If you are not currently logged in as root, enter su in a terminal window. 2 Enter the root password when prompted. 3 Go to the AppArmor directory with cd /etc/apparmor.d/.
4 Enter ls to view all the AppArmor profiles that are currently installed. 5 Delete the profile with rm profilename. 6 Restart AppArmor by entering rcapparmor restart in a terminal window. 4.6 Two Methods of Profiling Given the syntax for AppArmor profiles in Chapter 2, Profile Components and Syntax (page 11), you could create profiles without using the tools.
Section 3.6.2, “Changing the Mode of Individual Profiles” (page 35). When in learning mode, access requests are not blocked even if the profile dictates that they should be. This enables you to run through several tests (as shown in
Step 3 (page 43)) and learn the access needs of the program so it runs properly. With this information, you can decide how secure to make the profile. Refer to Section “aa-complain—Entering Complain or Learning Mode” (page 45) for more detailed instructions for using learning or complain mode. 3 Exercise your application.
AppArmor profile naming convention of naming the profile after the absolute path of the program, replacing the forward slash (/) characters in the path with period (.) characters. The general form of aa-autodep is to enter the following in a terminal window when logged in as root:
aa-autodep [ -d /path/to/profiles ] [program1 program2...] If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/apparmor.d, should you keep profiles in a location other than the default. To begin profiling, you must create profiles for each main executable service that is part of your application (anything that might start without being a child of another program that already has a profile).
Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as root.
• If the example program (program1) is in your path, use: aa-enforce [program1 program2 ...]
• If the program is not in your path, specify the entire path, as follows: aa-enforce /sbin/program1
• If the profiles are not in /etc/apparmor.d, use the following to override the default location: aa-enforce /path/to/profiles/program1
•...
They also can be viewed using the dmesg command:
audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
4. Marks the log with a beginning marker of log events to consider. For example:
Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d 3 When prompted by the tool, run the application to profile in another terminal window and perform as many of the application functions as possible. Thus, the learning mode can log the files and directories to which the program requires access in order to function properly.
Choose the profile with clean exec (Px) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process. Unconfined (ux) The child runs completely unconfined without any AppArmor profile applied to the executed resource.
Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process. This option introduces a security vulnerability that could be used to exploit AppArmor. Only use it as a last resort.
Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information, refer to Section 4.8, “File Permission Access Modes” (page 62). Deny Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.
Prompts you to enter your own rule for this event, allowing you to specify a regular expression. If the expression does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression. Glob Select a specific path or create a general rule using wild cards that match a broader set of paths.
The execution modes ix, px, Px, ux, and Ux are options for starting the child process. If a separate profile exists for the child process, the default selection is px. If one does
not exist, the profile defaults to ix. Child processes with separate profiles have aa-autodep run on them and are loaded into AppArmor, if it is running. When aa-logprof exits, profiles are updated with the changes. If the AppArmor module is running, the updated profiles are reloaded and, if any processes that generated security events are still running in the null-complain-profile, those processes are set to run under their proper profiles.
Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event. Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression entered does not actually
satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression. Glob Select either a specific path or create a general rule using wild cards that matches on a broader set of paths. To select any of the offered paths, enter the number that is printed in front of the paths then decide how to proceed with the selected item.
However, less is actually a large and powerful program that makes use of many other helper applications, such as tar and rpm. Run less on a tar file or an RPM file and it shows you the inventory of these containers.
You do not want to run rpm automatically when reading mail messages (that leads directly to a Microsoft* Outlook–style virus attack, because rpm has the power to install and modify system programs), so, in this case, the best choice is to use Inherit. This results in the less program executed from this context running under the profile for /usr/bin/mail.
4.7 Paths and Globbing Globbing (or regular expression matching) is when you modify the directory path using wild cards to include a group of files or subdirectories. File resources can be specified
with a globbing syntax similar to that used by popular shells, such as csh, Bash, and zsh.
* Substitutes for any number of any characters, except /. Example: an arbitrary number of characters within a single path element.
** Substitutes for any number of characters, including /. Example: an arbitrary number of path elements, including entire directories.
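To make the difference between * and ** concrete, here is an added example (not code from the guide or from AppArmor itself) that translates the three glob constructs used in this guide's profiles into Python regular expressions and checks which rules cover a given path. It is a simplified model of the matcher; the real parser's corner cases (for instance whether a trailing /** may match an empty remainder) are not modelled.

```python
import re

# Added example, not the AppArmor parser: translate a profile glob into a
# regular expression. Handled constructs, as the guide describes them:
#   *      any run of characters except '/'
#   **     any run of characters including '/'
#   {a,b}  alternation, with each alternative taken as literal text
# Everything else in the pattern is matched literally.

def apparmor_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an AppArmor path glob into a regular expression for fullmatch()."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '*':
            if pattern.startswith('**', i):
                out.append('.*')        # ** crosses directory boundaries
                i += 2
                continue
            out.append('[^/]*')         # * stays inside one path element
        elif c == '{':
            close = pattern.find('}', i)
            if close == -1:
                raise ValueError(f'unterminated {{ in glob: {pattern}')
            alternatives = pattern[i + 1:close].split(',')
            out.append('(?:' + '|'.join(re.escape(a) for a in alternatives) + ')')
            i = close + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile(''.join(out))


def glob_matches(pattern: str, path: str) -> bool:
    """True when the whole path is covered by the glob (no partial matches)."""
    return apparmor_glob_to_regex(pattern).fullmatch(path) is not None


def covering_rules(rules, path: str):
    """Return the globs, out of an iterable of rule paths, that cover a path.

    Handy when reviewing a rejection: if an existing entry already covers the
    path, the profile needs no new rule and the cause lies elsewhere."""
    return [rule for rule in rules if glob_matches(rule, path)]


if __name__ == '__main__':
    # Globs taken from the DEFAULT_URI discussion in this guide; the paths
    # below are constructed for the demonstration.
    rules = ['/srv/www/htdocs/**',
             '/srv/www/icons/*.{gif,jpg,png}',
             '/usr/share/apache2/**']
    for path in ('/srv/www/htdocs/app/index.html',
                 '/srv/www/icons/logo.png',
                 '/srv/www/icons/sub/logo.png'):
        print(path, '->', covering_rules(rules, path))
```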
(removed). Discrete Profile Execute Mode (px) This mode requires that a discrete security profile is defined for a resource executed at an AppArmor domain transition. If there is no profile defined, the access is denied.
WARNING: Using the Discrete Profile Execute Mode px does not scrub the environment of variables such as LD_PRELOAD. As a result, the calling domain may have an undue amount of influence over the called item. Incompatible with Ux, ux, Px, and ix. Discrete Profile Execute Mode (Px)—Clean Exec Px allows the named program to run in px mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid pro-...
There is no version to scrub the environment because ix executions do not change privileges. Incompatible with Ux, ux, Px, and px. Implies m.
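Because the difference between px, Px, ux, Ux, and ix decides how much a confined parent can influence its children, reviewing the exec modes in a profile is a routine maintenance check. The following is an added example (not code from the guide or from the AppArmor tools): a small lint that walks a profile written in the syntax shown in this guide and reports every execute rule with its scope and exec mode, so that ux/Ux and px entries stand out; the sample profile is constructed here and modelled on the phpsysinfo hat.

```python
import re
from typing import Dict, List, Tuple

# Added example, not an AppArmor tool: list the execute rules of a profile
# together with the exec mode each uses and the risk the guide attaches to it.

_PROFILE = re.compile(r'^\s*(?P<name>/[^\s{]+)\s*\{')
_HAT = re.compile(r'^\s*\^(?P<name>[^\s{]+)\s*\{')
_RULE = re.compile(r'^\s*(?P<path>/\S*)\s+(?P<perms>[rwlmxipPuU]+),')

# Exec modes from the guide and the concern attached to each one.
EXEC_MODES: Dict[str, Tuple[str, str]] = {
    'ux': ('high', "child runs unconfined and inherits the caller's environment"),
    'Ux': ('high', 'child runs unconfined (environment scrubbed)'),
    'px': ('medium', 'separate profile, but variables such as LD_PRELOAD are not scrubbed'),
    'Px': ('info', 'separate profile, environment scrubbed'),
    'ix': ('info', 'child inherits the current profile'),
}


def exec_mode(perms: str):
    """Return the exec mode inside a permission string ('ixr' -> 'ix'), or None."""
    for mode in EXEC_MODES:
        if mode in perms:
            return mode
    return None


def lint_exec_rules(profile_text: str) -> List[Dict[str, object]]:
    """Every execute rule with its scope (profile or profile//hat) and severity."""
    findings: List[Dict[str, object]] = []
    scope: List[str] = []              # stack of open profile/hat names
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#'):       # #include directives and comments
            continue
        if line == '}':
            if scope:
                scope.pop()
            continue
        hat = _HAT.match(line)
        if hat:
            scope.append((scope[-1] + '//' if scope else '') + hat.group('name'))
            continue
        prof = _PROFILE.match(line)
        if prof:
            scope.append(prof.group('name'))
            continue
        rule = _RULE.match(line)
        if not rule:
            continue
        mode = exec_mode(rule.group('perms'))
        if mode is None:               # plain file access, not an exec rule
            continue
        severity, note = EXEC_MODES[mode]
        findings.append({'line': lineno, 'scope': scope[-1] if scope else '',
                         'path': rule.group('path'), 'mode': mode,
                         'severity': severity, 'note': note})
    return findings


# Constructed sample profile, modelled on the phpsysinfo hat in this guide.
SAMPLE_PROFILE = """\
/usr/sbin/httpd2-prefork {
  #include <abstractions/nameservice>
  /bin/bash ixr,
  /usr/bin/helper Pxr,
  /var/log/apache2/error_log w,
  ^phpsysinfo {
    /bin/df ixr,
    /usr/bin/rpm Uxr,
    /usr/bin/sendmail pxr,
  }
}
"""

if __name__ == '__main__':
    for f in lint_exec_rules(SAMPLE_PROFILE):
        print(f"line {f['line']:>2} {f['severity']:<6} {f['scope']}: {f['path']} {f['mode']} ({f['note']})")
```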
Allow Executable Mapping (m) This mode allows a file to be mapped into memory using mmap(2)'s PROT_EXEC flag. This flag marks the pages executable. It is used on some architectures to provide nonexecutable data pages, which can complicate exploit attempts. AppArmor uses this mode to limit which files a well-behaved program (or all programs on architectures that enforce nonexecutable memory access controls) may use as libraries, to limit the effect of invalid -L flags given to ld(1) and LD_PRELOAD,...
Location of profiles, named with the convention of replacing the / in paths with . (not for the root /) so profiles are easier to manage. For example, the profile for the program /usr/sbin/ntpd is named usr.sbin.ntpd.
/etc/apparmor.d/abstractions/ Location of abstractions.
/etc/apparmor.d/program-chunks/ Location of program chunks.
/proc/*/attr/current Check this file to review the confinement status of a process and the profile that is used to confine the process. The ps auxZ command retrieves this information automatically.
It enables you to define security at a finer level than the process. This feature requires that each application be made “ChangeHat aware” meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution. Two examples for ChangeHat-aware applications are the Apache Web server and Tomcat.
Enterprise Server). This module makes the Apache Web server ChangeHat aware. Install it along with Apache. When Apache is ChangeHat aware, it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives.
5.1.1 Managing ChangeHat-Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Managing ChangeHat-aware applications from the command line is much more flexible, but the process is also more complicated.
2 In Application to Profile, enter /usr/sbin/httpd2-prefork. 3 Click Create. 4 Restart Apache by entering rcapache2 restart in a terminal window. Restart any program you are profiling at this point.
Refresh button to make sure that Apache processes the request for the phpsysinfo URI. 6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step.
In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined).
The following is an example phpsysinfo hat. Example 5.1 Example phpsysinfo Hat
/usr/sbin/httpd2-prefork {
  ^phpsysinfo {
    #include <abstractions/bash>
    #include <abstractions/nameservice>
    /bin/basename ixr,
    /bin/bash ixr,
    /bin/df ixr,
    /bin/grep ixr,
    /bin/mount
    /bin/sed ixr,
    /dev/bus/usb/
    /dev/bus/usb/**
    /dev/null
    /dev/tty
    /dev/urandom
    /etc/SuSE-release
    /etc/ld.so.cache
    /etc/lsb-release
    /etc/lsb-release.d/
    /lib/ld-2.6.1.so ixr,
    /proc/**...
Section 3.2, “Manually Adding a Profile” (page 25)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following. 1 From the AppArmor Profile Dialog window, click Add Entry then select Hat.
2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat. 3 Click Create Hat. You are returned to the AppArmor Profile Dialog screen.
This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.). The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example:
# Note lack of trailing slash
<Directory "/srv/www/www.immunix.com/docs">
AAHatName immunix.com
</Directory>
Example: The program phpsysinfo is used to illustrate a location directive in the following example. The tarball can be downloaded from http://phpsysinfo.sourceforge.com. 1 After downloading the tarball, install it into /srv/www/htdocs/phpsysinfo.
/usr/share/pci.ids
/usr/share/usb.ids
/var/log/apache2/access_log
/var/run/utmp
3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root. 4 Restart Apache by entering rcapache2 restart at a terminal window as root. 5 Enter http://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.
Managing Profiled Applications After creating profiles and immunizing your applications, SUSE Linux Enterprise® becomes more efficient and better protected if you perform Novell® AppArmor profile maintenance, which involves analyzing log files and refining your profiles as well as backing up your set of profiles and keeping it up-to-date. You can deal with these issues...
Novell AppArmor activity occurs. Activate it by selecting a notification frequency (receiving daily notification, for example). Enter an e-mail address, so you can be notified by e-mail when Novell AppArmor security events occur. Select one of the following notification types:...
aa-logprof tool (see Section “aa-logprof—Scanning the System Log” (page 54)) uses to interpret profiles. For example:
type=APPARMOR_DENIED msg=audit(1189428793.218:2880): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
NOTE You must set up a mail server that can send outgoing mail using the SMTP protocol (for example, postfix or exim) for event notification to work.
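The fields in such a line are what aa-logprof works from. As an added example (not code from the guide and not aa-logprof itself), the following parses both shapes shown in this guide, the dmesg form beginning with audit(...) and the auditd form beginning with type=APPARMOR_DENIED msg=audit(...), splits a hat out of the profile name, and derives the rule each rejection would need in the shape aa-logprof proposes; the exec-mode choice follows the guide's default (px when the child has its own profile, otherwise ix). The two page lines are reused as input; the execute rejection and the unrelated syslog line are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not aa-logprof: parse AppArmor audit lines and propose rules.

_AUDIT_HEAD = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')
_KEY_VALUE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_apparmor_event(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AppArmor audit line, or None for any other line."""
    head = _AUDIT_HEAD.search(line)
    if head is None:
        return None
    event: Dict[str, object] = {
        'timestamp': float(head.group('ts')),
        'serial': int(head.group('serial')),
    }
    for m in _KEY_VALUE.finditer(line):
        key = m.group('key')
        if key == 'msg':                # "msg=audit(...)" is the header parsed above
            continue
        value = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
        event[key] = value
    if 'profile' not in event or 'operation' not in event:
        return None
    # An event inside a hat is logged as "<profile>//<hat>"; keep both parts.
    profile, _, hat = str(event['profile']).partition('//')
    event['profile'] = profile
    event['hat'] = hat or None
    if 'pid' in event:
        event['pid'] = int(str(event['pid']))
    return event


def suggest_rule(event: Dict[str, object], child_has_profile: bool = False) -> Optional[str]:
    """Rule that would allow the denied access, e.g. '/var/log/apache2/error_log w,'.

    For an execute request the mode follows the guide's default: px when a
    separate profile exists for the child, ix otherwise. The result is a
    proposal for the administrator to accept, glob, or deny."""
    mask = event.get('denied_mask')
    name = event.get('name')
    if not mask or not name:
        return None
    mask = str(mask)
    if 'x' in mask:
        mode = 'px' if child_has_profile else 'ix'
        mask = mode + mask.replace('x', '')   # "rx" -> "ixr", as in the hat example
    return f'{name} {mask},'


def proposals_by_scope(lines: List[str]) -> Dict[Tuple[str, Optional[str]], List[str]]:
    """Group proposed rules by (profile, hat) over a batch of log lines."""
    grouped: Dict[Tuple[str, Optional[str]], List[str]] = {}
    for line in lines:
        event = parse_apparmor_event(line)
        if event is None:
            continue
        rule = suggest_rule(event)
        if rule is None:
            continue
        key = (str(event['profile']), event['hat'])
        if rule not in grouped.setdefault(key, []):
            grouped[key].append(rule)
    return grouped


# The first two lines are the ones printed in this guide; the third (an
# execute rejection) and the fourth (an unrelated syslog line) are constructed.
SAMPLE_LOG = [
    'audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" '
    'denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" '
    'pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"',
    'type=APPARMOR_DENIED msg=audit(1189428793.218:2880): operation="file_permission" '
    'requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" '
    'pid=22969 profile="/usr/sbin/httpd2-prefork"',
    'type=APPARMOR_DENIED msg=audit(1189428800.000:2881): operation="exec" '
    'requested_mask="x" denied_mask="x" name="/bin/df" pid=22970 '
    'profile="/usr/sbin/httpd2-prefork///phpsysinfo/"',
    'Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d',
]

if __name__ == '__main__':
    for scope, rules in proposals_by_scope(SAMPLE_LOG).items():
        print(scope, rules)
```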
NOTE: Severity Levels Novell AppArmor sends out event messages for things that are in the severity database and above the level selected. Severity levels are numbered 1 through 10, with 10 being the most severe security incident.
Section 6.4, “Reacting to Security Event Rejections” (page 104). 6.3 Configuring Reports Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following:
• Creates on-demand reports
• Exports reports
•...
Section “Security Incident Report” (page 92). To use the Novell AppArmor reporting features, proceed with the following steps: 1 Open YaST > Novell AppArmor. 2 In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event Reports window appears. From the Reports window, select an option and proceed...
Delete Deletes a scheduled security incident report. All stock or canned reports cannot be deleted.
Back Returns you to the Novell AppArmor main screen.
Abort Returns you to the Novell AppArmor main screen.
Next Performs the same function as the Run Now button.
Report field then select View. 5 For Application Audit and Executive Security Summary reports, proceed to Step (page 90). 6 The Report Configuration Dialog opens for Security Incident reports.
7 The Report Configuration dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The fields are: Date Range To display reports for a certain time period, select Filter By Date Range. Enter the start and end dates that define the scope of the report. Program Name When you enter a program name or pattern that matches the name of the binary executable of the program of interest, the report displays security events...
9 Refer to the following sections for detailed information about each type of report.
• For the application audit report, refer to Section “Application Audit Report” (page 91).
• For the security incident report, refer to Section “Security Incident Report” (page 92).
• For the executive summary report, refer to Section “Executive Security Summary” (page 94).
Application Audit Report An application audit report is an auditing tool that reports which application servers are running and whether they are confined by AppArmor. The following fields are provided in an application audit report: Host The machine protected by AppArmor for which the security events are reported.
Policy Engine State Changes Enforces policy for applications and maintains its own state, including when engines start or stop, when a policy is reloaded, and when global security features are enabled or disabled.
The fields in the SIR report have the following meanings: Host The machine protected by AppArmor for which the security events are reported. Date The date during which security events occurred. Program The name of the executing process. Profile The absolute name of the security profile that is applied to the process. PID Number A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).
This report can provide a single view of security events on multiple machines if each machine's data is copied to the report archive directory, which is /var/log/apparmor/reports-archived. One line of the ESS report represents a range of SIR reports.
6.3.2 Run Now: Running On-Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. If you need help navigating to the main report screen, see Section 6.3, “Configuring Reports”...
You can use this to see what is confined by a specific profile. PID Number A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).
Severity Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports. Detail A source to which the profile has denied access. This includes capabilities and files. You can use this field to report the resources to which profiles prevent access.
Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.
2 Fill in the fields with the following filtering information, as necessary:
Report Name: Specify the name of the report. Use names that easily distinguish different reports.
Day of Month: Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed.
Select the lowest severity level of security events to include in the report. The selected severity level and above are included in the reports.
Access Type: The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.
The options are r (read), w (write), l (link), and x (execute). 5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
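The SIR fields and the scheduled-report filters described above map directly onto what an AppArmor kernel log line carries. The Python script below is an added example, not code from the Novell guide or from the AppArmor project: it parses constructed syslog-style lines of the kind AppArmor 2.0-era kernels write to the system log (the exact format on your system may differ, so treat the regular expression as an assumption to verify against your own log), fills the Host, Date, Program, Profile, PID, Mode, Detail and Access Type fields, and applies the Program Name, Profile Name, Severity, Access Type and Mode filters. The SEVERITY table is a small constructed stand-in for the severity database the real report tool consults (assumed to live at /etc/apparmor/severity.db); the sample log lines are constructed, not captured from a real host.

```python
"""SIR-style report rows from AppArmor kernel log lines.

Added example; not code from the Novell guide or the AppArmor project.
Assumptions: the syslog-style line format matched by LINE_RE (AppArmor
2.0-era kernels) and SEVERITY as a constructed stand-in for severity.db.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# Constructed sample lines for host "web1"; not captured from a real system.
SAMPLE_LOG = """\
Jun  6 14:05:26 web1 kernel: audit(1149599126.886:46): REJECTING r access to /etc/shadow (cat(3141) profile /bin/cat active /bin/cat)
Jun  6 14:05:27 web1 kernel: audit(1149599127.001:47): PERMITTING w access to /var/log/apache2/error_log (httpd2-prefork(2765) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  6 14:05:28 web1 kernel: audit(1149599128.120:48): REJECTING access to capability 'net_raw' (ping(3150) profile /bin/ping active /bin/ping)
Jun  6 14:05:29 web1 kernel: audit(1149599129.300:49): AUDITING x access to /usr/bin/perl (httpd2-prefork(2766) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Jun  6 14:05:30 web1 kernel: unrelated message
"""

# Constructed stand-in for severity.db: resource -> severity 0..10.
SEVERITY = {
    "/etc/shadow": 9,
    "/usr/bin/perl": 5,
    "/var/log/apache2/error_log": 3,
    "capability net_raw": 8,
}

# Either "<mode> access to <path>" or "access to capability '<name>'",
# followed by "(<program>(<pid>) profile <profile> active <profile>)".
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:audit\([^)]*\): )?"
    r"(?P<access>PERMITTING|REJECTING|AUDITING) "
    r"(?:(?P<mode>[rwlx]+) access to (?P<file>\S+)"
    r"|access to capability '(?P<cap>[^']+)')"
    r" \((?P<program>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)$"
)


@dataclass
class SirEvent:
    host: str
    date: str
    program: str
    profile: str
    pid: int
    severity: int
    mode: str         # one or more of r, w, l, x; empty for capability events
    detail: str       # file path, or "capability <name>"
    access_type: str  # PERMITTING, REJECTING or AUDITING


def parse_line(line: str) -> Optional[SirEvent]:
    """Return one SIR row for a recognised line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("cap"):
        detail, mode = "capability " + m.group("cap"), ""
    else:
        detail, mode = m.group("file"), m.group("mode")
    return SirEvent(host=m.group("host"), date=m.group("date"),
                    program=m.group("program"), profile=m.group("profile"),
                    pid=int(m.group("pid")), severity=SEVERITY.get(detail, 0),
                    mode=mode, detail=detail, access_type=m.group("access"))


def parse_log(text: str) -> List[SirEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def filter_events(events, program=None, profile=None, min_severity=0,
                  access_type=None, mode=None) -> List[SirEvent]:
    """Apply the scheduled-report filters: program is a shell-style pattern,
    profile an exact name, mode a set of letters that must all be present."""
    out = []
    for e in events:
        if program and not fnmatch(e.program, program):
            continue
        if profile and e.profile != profile:
            continue
        if e.severity < min_severity:
            continue
        if access_type and e.access_type != access_type:
            continue
        if mode and not all(c in e.mode for c in mode):
            continue
        out.append(e)
    return out


def format_report(events) -> str:
    """Render rows in the SIR column order used by the guide."""
    rows = ["Host\tDate\tProgram\tProfile\tPID\tSeverity\tMode\tDetail\tAccess Type"]
    for e in events:
        rows.append("\t".join([e.host, e.date, e.program, e.profile, str(e.pid),
                               str(e.severity), e.mode or "-", e.detail, e.access_type]))
    return "\n".join(rows)


if __name__ == "__main__":
    # Everything REJECTING of severity 8 or higher, as a scheduled SIR would show it.
    print(format_report(filter_events(parse_log(SAMPLE_LOG),
                                      access_type="REJECTING", min_severity=8)))
```

Run it against a copy of your own kernel log instead of SAMPLE_LOG to see which denials a given profile produces before you decide whether the profile or the application is at fault.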
/var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system. 4 Click Next to proceed to the next Edit Scheduled SIR page. The second page of Edit Scheduled Reports opens.
5 Modify the fields with the following filtering information, as necessary: Program Name You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specified program only. Profile Name You can specify the name of the profile for which to display security events.
The options are r (read), w (write), l (link), and x (execute). 6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window where the scheduled report appears in the list of reports.
6.5.2 Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3, “Editing Profiles”...
• Run the YaST Update Profile Wizard to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to Section 3.5, “Updating Profiles from Log Entries” (page 32).
7.1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux Enterprise. Retrieve and apply them exactly as you would any other package that ships as part of SUSE Linux Enterprise.
The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are:
• unconfined(8)
• autodep(1)
• complain(1)
• ...
• apparmor.vim(5)
• apparmor(7)
• apparmor_parser(8)
7.3 For More Information Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/... or in the installed system.
AppArmor is too closely constricting your application. To check reject messages, start YaST > Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report.
7.4.6 How to Spot and Fix AppArmor Syntax Errors? Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, the parser reports an error for each affected profile. This example shows the syntax of the entire parser error.
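Before restarting AppArmor it is cheaper to catch the common manual-edit mistakes yourself and fix them in one pass. The Python checker below is an added example, not part of the guide or of the AppArmor tools; the authoritative syntax check is apparmor_parser(8) itself, and this script only narrows the problem down to a line number. It accepts the 2.0-style grammar used in this guide (#include lines, a profile header ending in a brace with optional flags=(...), capability rules, file rules with r/w/l/x modes and the i/p/u execute qualifiers, ^hat subprofiles, and a closing brace); any other construct your parser version accepts would need to be added to the regular expressions, which are this example's assumptions. The sample profile and its four deliberate errors are constructed for this example.

```python
"""Pre-flight check for hand-edited AppArmor profiles.

Added example; not code from the Novell guide or the AppArmor project.
Reports the most common manual-edit errors with the line they occur on.
apparmor_parser(8) remains the authoritative syntax check.
"""
import re
from typing import List, Tuple

# Assumed 2.0-style grammar; extend these if your parser accepts more.
MODE_RE = re.compile(r"^[rwl]*(?:[ipuPU]?x)?[rwl]*$")   # e.g. r, rw, ix, Px, rix
CAP_RE = re.compile(r"^capability\s+[a-z_]+$")
INCLUDE_RE = re.compile(r"^#include\s+<[^>]+>$")
HEADER_RE = re.compile(r'^(?:"[^"]+"|\S+)(?:\s+flags=\([^)]*\))?\s*\{$')

# Constructed sample profile with four deliberate errors (lines 7, 8, 13, and
# a missing closing brace).
SAMPLE_PROFILE = """\
# Constructed sample profile; not a profile shipped with AppArmor
/usr/sbin/httpd2-prefork flags=(complain) {
  #include <abstractions/base>
  capability net_bind_service,
  capability setuid,
  /etc/apache2/** r,
  /var/log/apache2/* w
  /usr/bin/perl ixz,
  /srv/www/htdocs/** r,
  ^DEFAULT_URI {
    /srv/www/htdocs/** r,
  }
  "/var/run/httpd2.pid w,
"""


def strip_comment(line: str) -> str:
    """'#include' is a directive; any other '#' starts a comment."""
    if line.lstrip().startswith("#include"):
        return line.strip()
    return line.split("#", 1)[0].strip()


def check_profile(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) pairs; an empty list means no finding."""
    errors: List[Tuple[int, str]] = []
    depth = 0
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line.count('"') % 2:
            errors.append((no, "unterminated quote"))
            continue
        if INCLUDE_RE.match(line):
            continue
        if line == "}":
            depth -= 1
            if depth < 0:
                errors.append((no, "'}' without matching '{'"))
                depth = 0
            continue
        if line.endswith("{"):
            if not HEADER_RE.match(line):
                errors.append((no, "malformed profile or subprofile header"))
            depth += 1
            continue
        if depth == 0:
            errors.append((no, "rule outside of any profile block"))
            continue
        if not line.endswith(","):
            errors.append((no, "rule is missing its trailing comma"))
            continue
        rule = line[:-1].rstrip()
        if rule.startswith("capability"):
            if not CAP_RE.match(rule):
                errors.append((no, "malformed capability rule"))
            continue
        parts = rule.rsplit(None, 1)
        if len(parts) != 2:
            errors.append((no, "file rule needs a path and an access mode"))
            continue
        path, mode = parts
        if not (path.startswith("/") or path.startswith('"')):
            errors.append((no, "path must be absolute"))
        if not mode or not MODE_RE.match(mode):
            errors.append((no, f"unknown access mode '{mode}'"))
    if depth > 0:
        errors.append((len(lines), f"{depth} unclosed '{{'"))
    return errors


if __name__ == "__main__":
    for lineno, msg in check_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {msg}")
```

Run it over a profile from /etc/apparmor.d before reloading; a clean result is not proof of a valid profile (only apparmor_parser decides that), but a reported line is almost always the one the parser will reject too.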
AppArmor, file a bug report against this product: 1 Use your Web browser to go to https://bugzilla.novell.com/index.cgi. 2 Enter the account data of your Novell account and click Login. Create a new Novell account as follows:
2b Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation. Provide data on which other Novell accounts you maintain to sync all these to one account. 3 Check whether a problem similar to yours has already been reported by clicking Search Reports.
Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega. A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.
By not relying on attack signatures, Novell AppArmor provides "proactive" rather than "reactive" defense against attacks. There is no window of vulnerability during which an attack signature must first be written, as there is for products that rely on attack signatures to secure their networks.
Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.
that allows unauthorized users to take control of the system. Design, administrative, or implementation weaknesses or flaws in hardware, firmware, or software. If exploited, a vulnerability could lead to an unacceptable impact in the form of unauthorized access to information or disruption of critical processing.
AppArmor 2.0.1 Administration Guide, 05-2008