Novell APPARMOR 2.0.1 Administration Manual


Novell AppArmor
2.0.1
www.novell.com
Novell AppArmor Administration Guide
November 29, 2006


Summary of Contents for Novell APPARMOR 2.0.1

  • Page 1 Novell AppArmor 2.0.1 www.novell.com Novell AppArmor Administration Guide November 29, 2006...
  • Page 2 Novell, the Novell logo, the N logo, openSUSE, SUSE, and the SUSE “geeko” logo are registered trademarks of Novell, Inc. in the United States and other countries. * Linux is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Adding or Creating a Novell AppArmor Profile ... Editing a Novell AppArmor Profile ...
  • Page 4 Deleting a Novell AppArmor Profile ... Two Methods of Profiling ...
  • Page 5: About This Guide

    About This Guide Novell® AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor...
  • Page 6 Enables you to create subprofiles for the Apache Web server that allow you to tightly confine small sections of Web application processing. Managing Profiled Applications Describes how to perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. Support Indicates support options for this product.
  • Page 7 The source code of openSUSE is publicly available. To download the source code, proceed as outlined under http://www.novell.com/products/suselinux/source_code.html. If requested, we send you the source code on a DVD. We need to charge a $15 or €15 fee for creation, handling and postage. To request a DVD of the source code, send an e-mail to sourcedvd@suse.de...
  • Page 9: Immunizing Programs

    This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.
  • Page 10: Introducing The Apparmor Framework

    Armor. An AppArmor profile is a plain text file containing path entries and access permissions; see Section 2.1, “Breaking a Novell AppArmor Profile into Its Parts” (page 19) for a detailed reference profile. The directives contained in this text file are then enforced by the AppArmor routines to quarantine the process/program.
  • Page 11 AppArmor policies. You will be guided through a series of questions to deal with the log events that have been triggered during the application's execution. After the profile has been generated, it gets loaded and put into enforce mode. Refer to Section “aa-genprof—Generating Profiles”...
  • Page 12: Determining Programs To Immunize

    Because cp does not have its own profile, it inherits the profile of the parent shell script, so it can copy any files that the parent shell script's profile can read and write.
  • Page 13: Immunizing Cron Jobs

    The aa-unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. aa-unconfined then reports these programs along with the Novell AppArmor profile associated with each program or reports “none”...
  • Page 14 Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences. Therefore, we leave profiling of user network client applications as an exercise for the user.
  • Page 15 Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile. Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them.
  • Page 16 /srv/www/cgi-bin/localtime.php /usr/lib/locale/** If no subprofile has been defined, the Novell AppArmor version of Apache applies the DEFAULT_URI hat. This subprofile is basically sufficient to display an HTML Web page. The DEFAULT_URI hat that Novell AppArmor provides by default is the follow-...
  • Page 17 /srv/www/htdocs/** /srv/www/icons/*.{gif,jpg,png} /usr/share/apache2/** To use a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile. 1.4.2 Immunizing Network Agents To find network server daemons and network clients (such as fetchmail, Firefox, amaroK...
  • Page 19: Profile Components And Syntax

    Profile Components and Syntax This chapter explains the components and syntax of Novell® AppArmor profiles. You are ready to build Novell AppArmor profiles after you select the programs to profile. For help with this, refer to Section 1.2, “Determining Programs to Immunize”...
  • Page 20 The curly braces ({}) serve as a container for include statements of other profiles as well as for path and capability entries. This directive pulls in components of Novell AppArmor profiles to simplify profiles. Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
  • Page 21: Include Statements

    In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor. 2.2 #include Statements #include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles.
  • Page 22: Capability Entries (Posix.1E)

    AppArmor expects the include files to be located in /etc/apparmor.d. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma. To assist you in profiling your applications, Novell AppArmor provides two classes of #includes: abstractions and program chunks. 2.2.1 Abstractions Abstractions are #includes that are grouped by common application tasks.
  • Page 23: Building And Managing Profiles With Yast

    Building and Managing Profiles With YaST There are two ways you can build and manage Novell® AppArmor profiles, depending on whether you want to work in a graphical user environment or whether you prefer the less resource-consuming text or command line based approach:...
  • Page 24 Section 3.1, “Adding a Profile Using the Wizard” (page 25). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.2, “Manually Adding a Profile”...
  • Page 25: Adding A Profile Using The Wizard

    (page 40). 3.1 Adding a Profile Using the Wizard The Add Profile Wizard is designed to set up Novell AppArmor profiles using the Novell AppArmor profiling tools, aa-genprof (Generate Profile) and aa-logprof (Update Profiles from Learning Mode Log File). For more information about these tools, refer to Section 4.6.3, “Summary of Profiling Tools”...
  • Page 26 3 Enter the name of the application or browse to the location of the program. 4 Click Create. This runs a Novell AppArmor tool named aa-autodep, which performs a static analysis of the program to profile and loads an approximate profile into the Novell AppArmor module.
  • Page 27 If requests to add hats appear, proceed to Chapter 5, Profiling Your Web Applications Using ChangeHat (page 75). The questions fall into two categories: • A resource is requested by a profiled program that is not in the profile (see Figure 3.1, “Learning Mode Exception: Controlling Access to Specific Resources”...
  • Page 28 8 The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application you are profiling (as seen in Figure 3.1, “Learning Mode Exception: Controlling Access to Specific Resources” (page 28)) or re-...
  • Page 29 Literal path that the program needs to access to run properly. After you select a directory path, process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 30 The number of learning mode entries corresponds to the complexity of the application. • For Figure 3.2: Learning Mode Exception: Defining Execute Permissions for an Entry: From the following options, select the one that satisfies the re-...
  • Page 31 quest for access. For detailed information about the options available, refer to Section 4.8, “File Permission Access Modes” (page 69). Inherit Stay in the same security profile (parent's profile). Profile Require a separate profile to exist for the executed program. When selecting this option, also select whether AppArmor should sanitize the environment when switching profiles by removing certain environment variables that can modify the execution behavior of the child process.
  • Page 32: Manually Adding A Profile

    3 When you find the application, select it and click Open. A basic, empty profile appears in the Novell AppArmor Profile Dialog window. 4 In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.1, “Adding an Entry”...
  • Page 33: Editing Profiles

    5 When you are finished, click Done. 3.3 Editing Profiles Novell AppArmor enables you to manually edit Novell AppArmor profiles by adding, editing, or deleting entries. To edit a profile, proceed as follows: 1 Start YaST and select Novell AppArmor → Edit Profile.
  • Page 34 4 In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.1, “Adding an Entry” (page 35), Section 3.3.2, “Editing an Entry” (page 37), or Section 3.3.3, “Deleting an Entry”...
  • Page 35 (page 32) or Section 3.3, “Editing Profiles” (page 33). When you select Add Entry, a drop-down list displays the types of entries you can add to the Novell AppArmor profile. From the list, select one of the following: File In the pop-up window, specify the absolute path of a file, including the type of access permitted.
  • Page 36 In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to Section 2.1, “Breaking a Novell AppArmor Profile into Its Parts” (page 19) for more information about capabilities. When finished making your selections, click OK.
  • Page 37 Include In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 2.2, “#include Statements” (page 21). In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat.
  • Page 38: Deleting A Profile

    Modes” (page 69). 3.3.3 Deleting an Entry To delete an entry in a given profile, select Delete Entry. Novell AppArmor removes the selected profile entry. 3.4 Deleting a Profile Novell AppArmor enables you to delete a Novell AppArmor profile manually. Simply select the application for which to delete a profile then delete it as follows: 1 Start YaST and select Novell AppArmor →...
  • Page 39: Updating Profiles From Log Entries

    3.5 Updating Profiles from Log Entries The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program.
  • Page 40: Managing Novell Apparmor And Security Event Status

    3.6 Managing Novell AppArmor and Security Event Status You can change the status of Novell AppArmor by enabling or disabling it. Enabling Novell AppArmor protects your system from potential program exploitation. Disabling Novell AppArmor, even if your profiles have been set up, removes protection from your system.
  • Page 41 “Configuring Security Event Notification” (page 88). 3.6.1 Changing Novell AppArmor Status When you change the status of Novell AppArmor, set it to enabled or disabled. When Novell AppArmor is enabled, it is installed, running, and enforcing the Novell AppArmor security policies.
  • Page 42 2 In the Enable Novell AppArmor section of the window, click Configure. The Enable AppArmor dialog box opens. 3 Enable Novell AppArmor by selecting Enabled or disable Novell AppArmor by selecting Disabled. Then click OK. 4 Click Done in the AppArmor Configuration window.
  • Page 43 4 Select Toggle Mode to either set this profile to complain mode or to enforce mode. 5 Apply your settings and leave YaST with Done. To change the mode of all profiles, use Set All to Enforce or Set All to Complain. TIP: Listing the Profiles Available By default, only active profiles are listed, i.e.
  • Page 45: Building Profiles Via The Command Line

    Building Profiles via the Command Line Novell® AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify Novell AppArmor profiles using the Novell AppArmor command line tools.
  • Page 46 If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, Novell AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded. You can load and unload the AppArmor module with the standard Linux module commands, such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended.
  • Page 47: Building Novell Apparmor Profiles

    WARNING Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from a rescue medium (such as CD 1 of openSUSE) to regain control.
  • Page 48: Adding Or Creating A Novell Apparmor Profile

    4.3 Adding or Creating a Novell AppArmor Profile To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Learn more about these two approaches in Section 4.6, “Two Methods of Profiling”...
  • Page 49: Two Methods Of Profiling

    3 Go to the Novell AppArmor directory with cd /etc/apparmor.d/. 4 Enter ls to view all the Novell AppArmor profiles that are currently installed. 5 Delete the profile with rm profilename. 6 Restart Novell AppArmor by entering rcapparmor restart in a terminal window.
  • Page 50 1 Create profiles for the individual programs that make up your application. Although this approach is systemic, Novell AppArmor only monitors those programs with profiles and their children. To get Novell AppArmor to consider a program, you must at least have aa-autodep create an approximate profile for it.
  • Page 51 To ensure that all profiles are taken out of complain mode and put into enforce mode, enter aa-enforce /etc/apparmor.d/*. 8 Rescan all profiles. To have Novell AppArmor rescan all of the profiles and change the enforcement mode in the kernel, enter rcapparmor restart.
  • Page 52 The resulting profile is called “approximate” because it does not necessarily contain all of the profile entries that the program needs to be properly confined by Novell AppArmor. The minimum aa-autodep approximate profile has at least a base include directive, which contains basic profile entries needed by most programs.
  • Page 53 Complain or Learning Mode The complain or learning mode tool (aa-complain) detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged. To improve the profile, turn...
  • Page 54 Enforce Mode The enforce mode detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode.
  • Page 55 (if a profile does not already exist for it), sets it to complain mode, reloads it into Novell AppArmor, marks the log, and prompts the user to execute the program and exercise its functionality. Its syntax is as...
  • Page 56 • S runs aa-logprof against the system log from where it was marked when aa-genprof was started and reloads the profile. If system events exist in the log, Novell AppArmor parses the learning mode log files. This generates a series of questions that you must answer to guide aa-genprof in generating the security profile.
  • Page 57 • F exits the tool and returns to the main menu. NOTE If requests to add hats appear, proceed to Chapter 5, Profiling Your Web Applications Using ChangeHat (page 75). 5 Answer two types of questions: • A resource is requested by a profiled program that is not in the profile (see Example 4.1, “Learning Mode Exception: Controlling Access to Specific Resources”...
  • Page 58 (ux) The child runs completely unconfined without any Novell AppArmor profile applied to the executed resource. Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed on to the child process.
  • Page 59 #include This is the section of a Novell AppArmor profile that refers to an include file, which procures access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 60 After you select the pathname or include, you can process it as an entry into the Novell AppArmor profile by selecting Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob...
  • Page 61 /var/log/audit/audit.log or /var/log/messages (if auditd is not running) and generate new entries in Novell AppArmor security profiles. When you run aa-logprof, it begins to scan the log files produced in learning or complain mode and, if there are new security events that are not covered by the existing profile set, it gives suggestions for modifying the profile.
  • Page 62 -m e2ff78636296f16d0b5301209a04430d aa-logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list. By default, aa-logprof looks for profiles in /etc/apparmor.d/ and scans the log in /var/log/messages.
  • Page 63 /etc/group. [] indicates the default option. In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which includes a predefined set of Novell AppArmor rules. Selecting 1 to #include the name service package resolves all of...
  • Page 64 FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, Novell AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path.
  • Page 65 (ux) The child runs completely unconfined without any Novell AppArmor profile applied to the executed resource. Choose the unconfined with clean exec (Ux) option to scrub the environment of...
  • Page 66 /usr/bin/mail. This has two consequences: • You need to add all of the basic file accesses for /usr/bin/less to the profile for /usr/bin/mail.
  • Page 67 • You can avoid adding the helper applications, such as tar and rpm, to the /usr/bin/mail profile so that when /usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without Novell AppArmor protection.
  • Page 68: Pathnames And Globbing

    [abc] Substitutes for the single character a, b, or c. Example: a rule that matches /home[01]/*/.plan allows a program to access .plan files for users in both /home0 and /home1. [a-c] Substitutes for the single character a, b, or c.
  • Page 69: File Permission Access Modes

    {ab,cd} Expands to one rule to match ab and one rule to match cd. Example: a rule that matches /{usr,www}/pages/** to grant access to Web pages in both /usr/pages and /www/pages. 4.8 File Permission Access Modes File permission access modes consist of combinations of the following nine modes: Read mode, Write mode, Discrete profile execute mode...
  • Page 70 Discrete Profile Execute Mode (px) This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition. If there is no profile defined, the access is denied. WARNING: Using the Discrete Profile Execute Mode px does not scrub the environment of variables such as LD_PRELOAD.
  • Page 71 may have an undue amount of influence over the callee. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used. Any profile using this mode provides negligible security. Use at your own risk. This mode is incompatible with Ux, px, Px, and ix.
  • Page 72 Ux or Px flags: • GCONV_PATH • GETCONF_DIR • HOSTALIASES • LD_AUDIT • LD_DEBUG • LD_DEBUG_OUTPUT • LD_DYNAMIC_WEAK • LD_LIBRARY_PATH • LD_ORIGIN_PATH • LD_PRELOAD • LD_PROFILE • LD_SHOW_AUXV • LD_USE_LOAD_BIAS • LOCALDOMAIN ...
  • Page 73: Important Filenames And Directories

    • LOCPATH • MALLOC_TRACE • NLSPATH • RESOLV_HOST_CONF • RES_OPTIONS • TMPDIR • TZDIR 4.9 Important Filenames and Directories The following list comprises the most important files and directories used by the AppArmor framework. Should you intend to manage and troubleshoot your profiles manually, make sure you know about these files and directories: /sys/kernel/security/apparmor/profiles Virtualized file representing the currently loaded set of profiles.
  • Page 74 /proc/*/attr/current Check this file to review the confinement status of a process and the profile that is used to confine the process. The ps auxZ command retrieves this information automatically.
  • Page 75: Profiling Your Web Applications Using Changehat

    It enables you to define security at a finer level than the process. This feature requires that each application be made “ChangeHat aware”, meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution. Two examples of ChangeHat aware applications are the Apache Web server and Tomcat.
  • Page 76: Apache Changehat

    5.1.1 Managing ChangeHat Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Managing ChangeHat aware applications is much more flexible at the command line, but the process is also more complicated.
  • Page 77 AppArmor. 1 Once phpsysinfo-dev is installed, you are ready to add hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard. 2 In Application to Profile, enter httpd2-prefork. 3 Click Create Profile.
  • Page 78 Refresh button to make sure that Apache processes the request for the phpsysinfo-dev URI. 6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step.
  • Page 79 In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo-dev hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined).
  • Page 80 The process of adding entries to profiles is covered in detail in the Section 3.1, “Adding a Profile Using the Wizard” (page 25). When all profiling questions are answered, click Finish to save your changes and exit the wizard. The following is an example phpsysinfo-dev hat.
  • Page 81 Section 3.2, “Manually Adding a Profile” (page 32)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following.
  • Page 82 1 From the AppArmor Profile Dialog window, click Add Entry then select Hat. The Enter Hat Name dialog box opens: 2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat.
  • Page 83: Configuring Apache For Mod_Apparmor

    NOTE: For More Information For an example of a Novell AppArmor profile, refer to Example 5.1, “Example phpsysinfo-dev Hat” (page 81). 5.2 Configuring Apache for mod_apparmor Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file.
  • Page 84 The tarball can be downloaded from http://phpsysinfo.sourceforge.com. 1 After downloading the tarball, install it into /srv/www/htdocs/sysinfo. 2 Create /etc/apache2/conf.d/sysinfo.conf and add the following text to it: <Location "/sysinfo"> AAHatName sysinfo </Location> The following hat should then work for phpsysinfo:
  • Page 85 /usr/bin/who /usr/share/pci.ids /var/log/apache2/{access,error}_log /var/run/utmp 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root. 4 Restart Apache by entering rcapache2 restart at a terminal window as root. 5 Enter http://hostname/sysinfo/ into a browser to receive the system information that phpsysinfo delivers.
  • Page 87: Managing Profiled Applications

    Applications After creating profiles and immunizing your applications, openSUSE™ becomes more efficient and better protected if you perform Novell® AppArmor profile maintenance, which involves analyzing log files and refining your profiles as well as backing up your set of profiles and keeping it up-to-date. You can deal with these issues before they...
  • Page 88: Configuring Security Event Notification

    Novell AppArmor activity occurs. Activate it by selecting a notification frequency (receiving daily notification, for example). Enter an e-mail address, so you can be notified via e-mail when Novell AppArmor security events occur. Select one of the following notification types:...
  • Page 89 aa-logprof tool (see Section “aa-logprof—Scanning the System Log” (page 61)) uses to interpret profiles. For example: type=APPARMOR msg=audit(1148308355.074:198): REJECTING w access to /var/log/apache2/error_log (httpd2-prefork(5173) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) NOTE You must set up a mail server that can send outgoing mail using the SMTP protocol (for example, postfix or exim) for event notification to work.
  • Page 90 NOTE: Severity Levels Novell AppArmor sends out event messages for things that are in the severity database and above the level that you select. Severity levels are numbered 1 through 10, 10 being the most severe security incident.
  • Page 91: Configuring Reports

    Section 6.4, “Reacting to Security Event Rejections” (page 110). 6.3 Configuring Reports Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following: • Creates on-demand reports • Exports reports •...
  • Page 92 Section “Security Incident Report” (page 98). To use the Novell AppArmor reporting features, proceed with the following steps: 1 Open YaST → Novell AppArmor. 2 In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event Reports window appears. From the Reports window, select an option and proceed...
  • Page 93 Delete Deletes a scheduled security incident report. Stock or canned reports cannot be deleted. Back Returns you to the Novell AppArmor main screen. Abort Returns you to the Novell AppArmor main screen. Next Performs the same function as the Run Now button.
  • Page 94 Report field then select View. 5 For Application Audit and Executive Security Summary reports, proceed to Step (page 96). 6 The Report Configuration Dialog opens for Security Incident reports.
  • Page 95 7 The Report Configuration dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The fields are: Date Range To display reports for a certain time period, select Filter By Date Range. Enter the start and end dates that define the scope of the report. Program Name When you enter a program name or pattern that matches the name of the binary executable of the program of interest, the report displays security events...
  • Page 96 9 Refer to the following sections for detailed information about each type of report. • For the application audit report, refer to Section “Application Audit Report” (page 97). • For the security incident report, refer to Section “Security Incident Report” (page 98).
  • Page 97 • For the executive summary report, refer to Section “Executive Security Summary” (page 100). Application Audit Report An application audit report is an auditing tool that reports which application servers are running and whether they are confined by AppArmor. The following fields are provided in an application audit report: Host The machine protected by AppArmor for which the security events are reported.
  • Page 98 Policy Engine State Changes Enforces policy for applications and maintains its own state, including when engines start or stop, when a policy is reloaded, and when global security features are enabled or disabled.
  • Page 99 The fields in the SIR report have the following meanings: Host The machine protected by AppArmor for which the security events are reported. Date The date during which security events occurred. Program The name of the executing process. Profile The absolute name of the security profile that is applied to the process. PID Number A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).
  • Page 100 This report can provide a single view of security events on multiple machines if each machine's data is copied to the report archive directory, which is /var/log/apparmor/reports-archived. One line of the ESS report represents a range of SIR reports.
  • Page 101 6.3.2 Run Now: Running On-Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. If you need help navigating to the main report screen, see Section 6.3, “Configuring Reports”...
  • Page 102 You can use this to see what is confined by a specific profile. PID Number A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).
  • Page 103 Severity Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports. Detail A resource to which the profile has denied access. This includes capabilities and files. You can use this field to report the resources to which profiles prevent access.
  • Page 104 Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.
  • Page 105 2 Fill in the fields with the following filtering information, as necessary: Report Name Specify the name of the report. Use names that easily distinguish different reports. Day of Month Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed.
  • Page 106 You can use this field to create a report of resources to which profiles prevent access. Severity Select the lowest severity level of security events to include in the report. The selected severity level and above are included in the reports.
  • Page 107 The options are r (read), w (write), l (link), and x (execute). 5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
  • Page 108 /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system. 4 Click Next to proceed to the next Edit Scheduled SIR page. The second page of Edit Scheduled Reports opens.
  • Page 109 5 Modify the fields with the following filtering information, as necessary: Program Name You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specified program only. Profile Name You can specify the name of the profile for which to display security events.
  • Page 110: Reacting To Security Event Rejections

    The options are r (read), w (write), l (link), and x (execute). 6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window where the scheduled report appears in the list of reports.
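    The SIR report fields described on pages 99 to 103 (Host, Date, Program, Profile, PID Number, Severity, Detail) and the scheduled-report filters on pages 105 to 110 (program name or pattern, profile name, access type r/w/l/x, minimum severity) can be reproduced outside YaST by reading the reject messages from syslog. The following is an added example and is not code from the Novell AppArmor guide or the product; it assumes the AppArmor 2.x kernel message layout shown in the comments, and the sample log lines, the severity table and the function names (parse_event, parse_log, filter_events, summarize) are constructed for this illustration.

```python
"""Parse AppArmor reject messages from syslog and apply SIR-style report filters.

Added example, not part of the Novell AppArmor guide. Assumed log layout
(AppArmor 2.x kernel messages as written to /var/log/messages):

  <date> <host> kernel: audit(<secs>.<usecs>:<serial>): REJECTING <mode> access to <detail>
      (<program>(<pid>) profile <profile> active <active-profile>)

Capability rejects carry no r/w/l/x mode, so the mode is treated as optional.
"""
import fnmatch
import re

# Constructed sample lines for this example; they were not captured from a real host.
SAMPLE_LOG = """\
Nov 29 10:15:03 webhost kernel: audit(1164795303.112:41): REJECTING w access to /etc/shadow (httpd2-prefork(4711) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Nov 29 10:15:07 webhost kernel: audit(1164795307.540:42): REJECTING r access to /var/www/html/index.html (httpd2-prefork(4711) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Nov 29 10:16:00 webhost kernel: audit(1164795360.001:43): REJECTING x access to /bin/sh (httpd2-prefork(4712) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
Nov 29 10:17:30 webhost kernel: audit(1164795450.777:44): REJECTING access to capability 'net_raw' (nscd(2201) profile /usr/sbin/nscd active /usr/sbin/nscd)
Nov 29 10:18:15 webhost kernel: audit(1164795495.230:45): PERMITTING w access to /tmp/x (cat(2305) profile /bin/cat active /bin/cat)
"""

# Constructed severity table (an assumption for this example, not the product's
# severity database): higher numbers mean a more sensitive resource.
SEVERITY = {"/etc/shadow": 10, "/bin/sh": 9, "capability 'net_raw'": 8}
DEFAULT_SEVERITY = 1

EVENT_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"audit\(\d+\.\d+:\d+\): (?P<verdict>REJECTING|PERMITTING) "
    r"(?:(?P<mode>[rwlx]+) )?access to (?P<detail>.+?) "
    r"\((?P<program>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) "
    r"active (?P<active>[^\s)]+)\)$"
)


def parse_event(line):
    """Return one event as a dict with the SIR report fields, or None if the line is not an AppArmor message."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["mode"] = ev["mode"] or ""  # capability rejects have no r/w/l/x mode
    ev["severity"] = SEVERITY.get(ev["detail"], DEFAULT_SEVERITY)
    return ev


def parse_log(text):
    """Parse every recognisable AppArmor message in a block of syslog text."""
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def filter_events(events, program=None, profile=None, modes=None,
                  min_severity=None, rejects_only=True):
    """Apply the scheduled-report filters: program name or glob pattern, exact
    profile name, any of the access types in `modes` (e.g. "wx"), and a minimum
    severity. By default only REJECTING events are reported, as in the SIR."""
    out = []
    for ev in events:
        if rejects_only and ev["verdict"] != "REJECTING":
            continue
        if program and not fnmatch.fnmatch(ev["program"], program):
            continue
        if profile and ev["profile"] != profile:
            continue
        if modes and not (set(modes) & set(ev["mode"])):
            continue
        if min_severity is not None and ev["severity"] < min_severity:
            continue
        out.append(ev)
    return out


def summarize(events):
    """Count events per (host, program, profile), the shape of an application audit roll-up."""
    counts = {}
    for ev in events:
        key = (ev["host"], ev["program"], ev["profile"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Equivalent of a report filtered to write/execute rejects of severity 5 and above.
    for ev in filter_events(events, modes="wx", min_severity=5):
        print("{date} {host} {program}[{pid}] {profile} {mode} {detail} severity={severity}".format(**ev))
    for key, n in sorted(summarize(filter_events(events)).items()):
        print("%s %s %s: %d rejects" % (key + (n,)))
```

    The mode filter is an "any of" match, so a request for "wx" also catches combined modes such as "rw"; capability rejects have no mode and therefore never match an access-type filter, which is the same behaviour a report restricted to file access types would show.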
  • Page 111: Maintaining Your Security Profiles

    6.5.2 Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3, “Editing Profiles”...
  • Page 112 • Run the YaST Update Profile Wizard to learn the new behavior (high security risk, because in this learning mode all accesses are allowed and logged rather than rejected). For step-by-step instructions, refer to Section 3.5, “Updating Profiles from Log Entries” (page 39).
  • Page 113: Support

    7.1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for openSUSE. Retrieve and apply them exactly like for any other package that ships as part of openSUSE.
  • Page 114 The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are: • unconfined(8) • autodep(1) • complain(1) •...
  • Page 115: For More Information

    • apparmor.vim(5) • apparmor(7) • apparmor_parser(8) 7.3 For More Information Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/ or in the installed system in ...
  • Page 116: Troubleshooting

    To check reject messages, start YaST → Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter dates and times to narrow down the specific periods when the unexpected application behavior occurred.
  • Page 117: Reporting Bugs For Apparmor

    AppArmor would not check for it. AppArmor Syntax Error Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, error results are shown. This example shows the syntax of the entire parser error.
  • Page 118 Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation. Provide data on which other Novell accounts you maintain to sync all these to one account. 3 Check whether a problem similar to yours has already been reported by clicking Search Reports.
  • Page 119: A Background Information On Apparmor Profiling

    Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.
  • Page 121: B Gnu Licenses

    GNU Licenses This appendix contains the GNU General Public License and the GNU Free Documentation License. B.1 GNU General Public License Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
  • Page 122 To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
  • Page 123 B.1.2 GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
  • Page 124 Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed
  • Page 125 under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifica-...
  • Page 126 The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
  • Page 127 Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.
  • Page 128 `show c’ for details. The hypothetical commands `show w’ and `show c’ should show the appropriate parts of the General Public License. Of course, the commands you use may be called something
  • Page 129: Gnu Free Documentation License

    other than `show w’ and `show c’; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision...
  • Page 130 License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.
  • Page 131 The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
  • Page 132 If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which
  • Page 133 the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
  • Page 134 To do this, add their titles to the list of Invariant Sections in the Modified Version’s license notice. These titles must be distinct from any other section titles.
  • Page 135 You may add a section Entitled “Endorsements”, provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version.
  • Page 136 Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original
  • Page 137 English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail. If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
  • Page 138 If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
  • Page 139: Glossary

    By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This matters because there is no window of vulnerability during which an attack signature must first be written and deployed, as there is for products that rely on attack signatures to secure their networks.
  • Page 140 Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.
  • Page 141 or implementation weaknesses or flaws in hardware, firmware, or software. If ex- ploited, a vulnerability could lead to an unacceptable impact in the form of unau- thorized access to information or disruption of critical processing. Glossary...
