SUSE®, openSUSE®, the openSUSE® logo, Novell®, the Novell® logo, the N® logo, are registered trademarks of Novell, Inc. in the United States and other countries. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®...
About This Guide Novell® AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor...
Enables you to create subprofiles for the Apache Web server that allow you to tightly confine small sections of Web application processing. Managing Profiled Applications Describes how to perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. Support Indicates support options for this product.
The source code of openSUSE is publicly available. To download the source code, proceed as outlined under http://www.novell.com/products/suselinux/source_code.html. If requested we send you the source code on a DVD. We need to charge a $15 or €15 fee for creation, handling and postage. To request a DVD of the source code, send an e-mail to sourcedvd@suse.de...
This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.
(and under the hood of the YaST interface) when you run AppArmor. An AppArmor profile is a plain text file containing path entries and access permissions. Section 2.1, “Breaking a Novell AppArmor Profile into Its Parts” (page 12) for a detailed reference profile.
that have been triggered during the application's execution. After the profile has been generated, it is loaded and put into enforce mode. Refer to Section “aa-genprof—Generating Profiles” (page 59) for detailed information about this tool. aa-logprof aa-logprof interactively scans and reviews the log entries generated by an application that is confined by an AppArmor profile in complain mode.
Because cp does not have its own profile, it inherits the profile of the parent shell script, so can copy any files that the parent shell script's profile can read and write. Novell AppArmor Administration Guide...
The aa-unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. aa-unconfined then reports these programs along with the Novell AppArmor profile associated with each program or reports “none”...
Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences. Therefore, we leave profiling of user network client applications as an exercise for the user.
Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile. Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them.
Profiling Web applications that use mod_perl and mod_php requires slightly different handling. In this case, the “program” is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() using a subprofile (a “hat”) corresponding to the name of the URI requested.
/srv/www/htdocs/** /srv/www/icons/*.{gif,jpg,png} /usr/share/apache2/** To use a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile. 1.4.2 Immunizing Network Agents To find network server daemons and network clients (such as fetchmail, Firefox, amaroK...
Refer to the man page of the netstat command for a detailed reference of all possible options.
Profile Components and Syntax You are ready to build Novell AppArmor profiles after you select the programs to profile. To do so, it is important to understand the components and syntax of profiles. AppArmor profiles contain several building blocks that help build simple and reusable profile code: #include files, abstractions, program chunks, and capability entries.
Profile into Its Parts Novell AppArmor profile components are called Novell AppArmor rules. Currently there are three main types of Novell AppArmor rules: path entries, capability entries, and network entries. Path entries specify what the process can access in the file system, and capability entries provide more fine-grained control over what a confined process is allowed to do through other system calls that require privileges.
This loads a file containing variable definitions. The normalized path to the program that is confined. The curly braces ({}) serve as a container for include statements, subprofiles, path entries, capability entries, and network entries. This directive pulls in components of AppArmor profiles to simplify profiles. Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
In many cases, Novell AppArmor rules prevent an attack from working because necessary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor. 2.1.1 Network Access Control AppArmor allows mediation of network access based on the address type and family.
The following examples illustrate possible network-related rules to be used in AppArmor profiles. Note that the syntax of the two last ones is not currently supported by the AppArmor tools.
network,    Allow all networking.
network inet,
network inet6,
network inet stream,
network inet tcp,
network tcp,
{ab,cd}    Expands to one rule to match ab and one rule to match cd. Example: a rule that matches /{usr,www}/pages/** grants access to Web pages in both /usr/pages and /www/pages.
[^a]    Substitutes for any character except a.
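The globbing rules above can be checked mechanically. The following Python is an added example written for this edit, not code from the Novell guide or from the AppArmor project: it translates an AppArmor path glob into a regular expression (handling *, **, ?, [...], [^...] and {a,b}) and expands brace alternation into the separate rules it stands for. It is a simplified model of the matcher, so the exact behaviour of the real kernel matcher (for instance whether ** may match an empty string) is not reproduced, and it assumes braces are not nested.

```python
import re


def _translate(pattern):
    """Translate one AppArmor path glob into a regular expression fragment."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            if i + 1 < n and pattern[i + 1] == "*":
                out.append(".*")           # ** also crosses "/" (whole subtrees)
                i += 2
                continue
            out.append("[^/]*")            # * stays within one path component
        elif c == "?":
            out.append("[^/]")             # exactly one character, never "/"
        elif c == "[":
            j = pattern.index("]", i + 1)
            body = pattern[i + 1:j]
            negate = body.startswith("^")  # [^a] = any character except a
            chars = body[1:] if negate else body
            cls = "".join("-" if ch == "-" else re.escape(ch) for ch in chars)
            out.append("[" + ("^" if negate else "") + cls + "]")
            i = j + 1
            continue
        elif c == "{":
            j = pattern.index("}", i + 1)  # assumption: braces are not nested
            alternatives = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alternatives) + ")")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))       # literal path character
        i += 1
    return "".join(out)


def glob_matches(pattern, path):
    """True if the AppArmor glob matches the whole path, false otherwise."""
    return re.fullmatch(_translate(pattern), path) is not None


def expand_alternation(pattern):
    """Expand {ab,cd} groups into the separate rules the guide says they stand for."""
    i = pattern.find("{")
    if i < 0:
        return [pattern]
    j = pattern.index("}", i)
    expanded = []
    for alt in pattern[i + 1:j].split(","):
        expanded.extend(expand_alternation(pattern[:i] + alt + pattern[j + 1:]))
    return expanded


if __name__ == "__main__":
    # Constructed rule/path pairs drawn from the globbing examples in the guide.
    checks = [
        ("/{usr,www}/pages/**", "/usr/pages/index.html"),
        ("/srv/www/icons/*.{gif,jpg,png}", "/srv/www/icons/sub/logo.png"),
        ("/tmp/file[^a]", "/tmp/filea"),
    ]
    for rule, path in checks:
        print(f"{rule!r} matches {path!r}: {glob_matches(rule, path)}")
    print(expand_alternation("/{usr,www}/pages/**"))
```

Running the block shows why * and ** differ in a profile: the icons rule does not reach into a subdirectory, while the ** rule covers the whole pages tree under either prefix.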
2.1.3 File Permission Access Modes File permission access modes consist of combinations of the following eleven modes:
Read mode
Write mode (mutually exclusive to a)
Append mode (mutually exclusive to w)
File locking mode
Discrete profile execute mode
Discrete profile execute mode—clean exec
Unconstrained execute mode
Unconstrained execute mode—clean exec
Inherit execute mode...
This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page. WARNING: Using Unconstrained Execute Mode (ux) Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection.
AppArmor expects the include files to be located in /etc/apparmor.d. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma. To assist you in profiling your applications, Novell AppArmor provides two classes of #includes: abstractions and program chunks.
These profiles are not enabled by default and reside under another directory than the standard AppArmor profiles, /etc/apparmor/profiles/extras. The AppArmor tools, both YaST and aa-genprof and aa-logprof, support the use of a local repository. Whenever you start to create a new profile from scratch and there al-...
In addition to the profiles shipping with openSUSE, AppArmor supports the use of an external profile repository. This repository is maintained by Novell and allows you to download profiles generated by Novell and other AppArmor users as well as uploading your own.
AppArmor tools should search profiles on the server. url holds the server URL and preferred_user tells the AppArmor tools to prefer profiles created by the novell user. Those profiles were created, tested and approved by members of the SUSE development team.
enabled = yes
upload = yes
user = tux
pass = XXXXX
Once initially configured through the AppArmor tools, the configuration can only be changed manually. 2.5.2 Downloading a Profile While creating a profile from scratch or updating an existing profile by processing reject messages in the log, the AppArmor tools search the repository for a matching profile.
Location of abstractions.
/etc/apparmor.d/program-chunks/    Location of program chunks.
/proc/*/attr/current    Check this file to review the confinement status of a process and the profile that is used to confine the process. The ps auxZ command retrieves this information automatically.
Building and Managing Profiles with YaST YaST provides an easy way to build profiles and manage Novell® AppArmor. It provides two interfaces: a fully graphical one and a text-based one. The text-based interface consumes less resources and bandwidth, making it a better choice for remote administration or for times when a local graphical environment is inconvenient.
Section 3.1, “Adding a Profile Using the Wizard” (page 29). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.2, “Manually Adding a Profile”...
(page 45). 3.1 Adding a Profile Using the Wizard Add Profile Wizard is designed to set up Novell AppArmor profiles using the AppArmor profiling tools, aa-genprof (generate profile) and aa-logprof (update profiles from learning mode log file). For more information about these tools, refer to Section 4.6.3,...
• Create the profile from scratch and proceed with Step 7 (page 31) and beyond. 5 If the profile already exists in the local profile repository under /etc/apparmor/profiles/extra, YaST informs you that there is an inactive profile which you can either use as a base for your own efforts or which you can just accept as is. Alternatively, you can choose not to use the local version at all and start creating the profile from scratch. In any case, proceed with Step 7 (page 31).
(page 33). Subsequent steps describe your options in answering these questions. NOTE: Varying Processing Options Depending on the type of entry processed, the available options vary. Figure 3.2 Learning Mode Exception: Controlling Access to Specific Resources
Depending on the situation, these options are available: #include The section of a Novell AppArmor profile that refers to an include file. Include files give access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
Actual Pathname Literal path that the program needs to access to run properly. After selecting a directory path, process it as an entry to the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
Close aa-logprof, saving all rule changes entered so far and modifying all profiles. Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile. NOTE The number of learning mode entries corresponds to the complexity of the application.
As soon as you exit the Profile Creation Wizard, the profile is saved both locally and on the repository server, if you have chosen to upload it. The profile is then loaded into the AppArmor module.
3.2 Manually Adding a Profile Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile then add entries. 1 Start YaST and select Novell AppArmor > Manually Add Profile.
3.3 Editing Profiles AppArmor enables you to edit Novell AppArmor profiles manually by adding, editing, or deleting entries. To edit a profile, proceed as follows: 1 Start YaST and select Novell AppArmor > Edit Profile. 2 From the list of profiled applications, select the profile to edit.
4 In the AppArmor Profile Dialog window, add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.1, “Adding an Entry” (page 40), Section 3.3.2, “Editing an Entry” (page 42), or Section 3.3.3, “Deleting an Entry”...
(page 37) or Section 3.3, “Editing Profiles” (page 38). When you select Add Entry, a list shows the types of entries you can add to the Novell AppArmor profile. From the list, select one of the following: File In the pop-up window, specify the absolute path of a file, including the type of access permitted.
When finished making your selections, click OK. Include In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 2.2, “#include Statements”...
When you select Edit Entry, the file browser pop-up window opens. From here, edit the selected entry. In the pop-up window, specify the absolute path of a file, including the type of access permitted. You can use globbing if necessary. When finished, click OK.
AppArmor enables you to delete an AppArmor profile manually. Simply select the application for which to delete a profile then delete it as follows: 1 Start YaST and select Novell AppArmor > Delete Profile. 2 Select the profile to delete.
3.5 Updating Profiles from Log Entries The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program.
Wizard” (page 29) for details. 2 When you are done, click Finish. In the following pop-up, click Yes to exit the Add Profile Wizard. The profile is saved and loaded into the Novell AppArmor module. 3.6 Managing Novell AppArmor and Security Event Status You can change the status of AppArmor by enabling or disabling it.
From the AppArmor Configuration screen, determine whether Novell AppArmor and security event notification are running by looking for a status message that reads enabled or configure the mode of individual profiles. To change the status of Novell AppArmor, continue as described in Section 3.6.1, “Changing Novell AppArmor Status”...
To edit an application's profile mode, proceed as follows: 1 Start YaST and select Novell AppArmor > AppArmor Control Panel. 2 In the Configure Profile Modes section, select Configure. 3 Select the profile for which to change the mode.
Building Profiles from the Command Line Novell® AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify AppArmor profiles using the AppArmor command line tools.
Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might need to be removed.
WARNING AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you must boot the machine from a rescue medium (such as the first medium of openSUSE) to regain control.
The following steps describe the procedure for deleting an AppArmor profile. 1 If you are not currently logged in as root, enter su in a terminal window. 2 Enter the root password when prompted. 3 Go to the AppArmor directory with cd /etc/apparmor.d/.
4 Enter ls to view all the AppArmor profiles that are currently installed. 5 Delete the profile with rm profilename. 6 Restart AppArmor by entering rcapparmor restart in a terminal window. 4.6 Two Methods of Profiling Given the syntax for AppArmor profiles in Chapter 2, Profile Components and Syntax (page 11), you could create profiles without using the tools.
Section 3.6.2, “Changing the Mode of Individual Profiles” (page 47). When in learning mode, access requests are not blocked even if the profile dictates that they should be. This enables you to run through several tests (as shown in Step 3 (page 55)) and learn the access needs of the program so it runs properly. With this information, you can decide how secure to make the profile. Refer to Section “aa-complain—Entering Complain or Learning Mode” (page 57) for more detailed instructions for using learning or complain mode. 3 Exercise your application.
AppArmor profile naming convention of naming the profile after the absolute path of the program, replacing the forward slash (/) characters in the path with period (.) characters. The general form of aa-autodep is to enter the following in a terminal window when logged in as root:
aa-autodep [ -d /path/to/profiles ] [program1 program2...]
If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/apparmor.d, should you keep profiles in a location other than the default. To begin profiling, you must create profiles for each main executable service that is part of your application (anything that might start without being a child of another program that already has a profile).
Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as root.
• If the example program (program1) is in your path, use: aa-enforce [program1 program2 ...]
• If the program is not in your path, specify the entire path, as follows: aa-enforce /sbin/program1
• If the profiles are not in /etc/apparmor.d, use the following to override the default location: aa-enforce /path/to/profiles/program1
•...
They also can be viewed using the dmesg command:
audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
4. Marks the log with a beginning marker of log events to consider. For example:
Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d
3 When prompted by the tool, run the application to profile in another terminal window and perform as many of the application functions as possible. Thus, the learning mode can log the files and directories to which the program requires access in order to function properly.
Choose the profile with clean exec (Px) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process. Unconfined (ux) The child runs completely unconfined without any AppArmor profile applied to the executed resource.
Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process. This option introduces a security vulnerability that could be used to exploit AppArmor. Only use it as a last resort.
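Because ux and Ux hand the child process back to the system with no AppArmor protection, a profile review should list every rule that grants them before a profile is put into enforce mode. The following Python is an added example written for this edit, not a tool from the guide or from the AppArmor project. It parses a constructed profile (loosely modelled on the httpd2-prefork hat shown later in the guide; the helper program paths in it are invented) into its profile and hat scopes, reads the flags=(...) header the guide describes for enforce and complain mode, works out the execute mode of each path rule, and reports the unconstrained ones.

```python
import re

# Constructed profile text for this example. The program paths under
# /usr/local/bin and /usr/bin/mailer are invented; this is not a shipped profile.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/sbin/httpd2-prefork flags=(complain) {
  #include <abstractions/base>
  capability setuid,
  network inet stream,
  /bin/bash ixr,
  /usr/bin/mailer Px,
  /usr/local/bin/reboot-helper ux,
  /srv/www/htdocs/** r,
  ^phpsysinfo {
    #include <abstractions/bash>
    /bin/df ixr,
    /usr/bin/lspci Ux,
    /dev/null rw,
  }
}
"""

# Profile or hat header: optional ^ for a hat, optional flags=(...), then "{".
HEADER_RE = re.compile(r"^\s*(\^?\S+)(?:\s+flags=\(([^)]*)\))?\s*\{\s*$")
# Path rule: an absolute path (globs allowed) followed by mode letters and a comma.
PATH_RULE_RE = re.compile(r"^\s*(/\S*)\s+([rwalkmixpPuU]+),\s*$")


def parse_profile(text):
    """Return (profile_name, flags, rules); rules are (scope, path, modes) triples,
    where scope is the profile name or the hat (^name) the rule belongs to."""
    scopes, name, flags, rules = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank lines, comments and #include lines
        header = HEADER_RE.match(line)
        if header:
            if not scopes:                # outermost block is the profile itself
                name, flags = header.group(1), header.group(2)
            scopes.append(header.group(1))
            continue
        if stripped == "}":
            scopes.pop()
            continue
        rule = PATH_RULE_RE.match(line)
        if rule and scopes:
            rules.append((scopes[-1], rule.group(1), rule.group(2)))
    return name, flags, rules


def confinement_mode(flags):
    """Profile mode from the header flags; a profile without flags is enforced."""
    if flags and "complain" in [f.strip() for f in flags.split(",")]:
        return "complain"
    return "enforce"


def exec_mode(modes):
    """Execute mode named by a rule's mode letters (ix, px, Px, ux, Ux), or None."""
    if "x" not in modes:
        return None
    for qualifier in "iuUpP":
        if qualifier in modes:
            return qualifier + "x"
    return None


def find_unconstrained_exec(rules):
    """Rules whose child would run with no AppArmor protection at all."""
    return [(scope, path, modes) for scope, path, modes in rules
            if exec_mode(modes) in ("ux", "Ux")]


if __name__ == "__main__":
    name, flags, rules = parse_profile(SAMPLE_PROFILE)
    print(f"{name}: {confinement_mode(flags)} mode, {len(rules)} path rules")
    for scope, path, modes in find_unconstrained_exec(rules):
        print(f"  unconstrained exec in {scope}: {path} {modes},")
```

In the sample the report names two rules, one in the main profile and one in the phpsysinfo hat; each is a candidate for the Px or ix modes described above unless the child genuinely needs to escape confinement.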
Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information, refer to Section 2.1.3, “File Permission Access Modes” (page 17). Deny Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.
Prompts you to enter your own rule for this event, allowing you to specify a regular expression. If the expression does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression. Glob Select a specific path or create a general rule using wild cards that match a broader set of paths.
2 Hit E (Enable Repository) to enable the repository. 3 Determine whether you want aa-genprof to upload any profiles to the repository server: Would you like to upload newly created and changed profiles to the profile repository?
5 Determine whether you want to use the profile downloaded from the server or whether you would just like to review it:
Profile: /usr/bin/opera
[1 - novell]
[(V)iew Profile] / (U)se Profile / (C)reate New Profile / Abo(r)t / (F)inish
If you want to just use this profile, hit U (Use Profile) and follow the profile generation procedure outlined above.
Marks the starting point for aa-logprof to look in the system log. aa-logprof ignores all events in the system log before the specified mark. If the mark contains spaces, it must be surrounded by quotes to work correctly. For example:
aa-logprof -m"17:04:21"
logprof -m e2ff78636296f16d0b5301209a04430d
aa-logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of AppArmor rules that can be added by pressing the number of the item on the list. By default, aa-logprof looks for profiles in /etc/apparmor.d/ and scans the log in /var/log/messages.
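To make the log scanning and the -m marker concrete, the following Python is an added example written for this edit, not part of the guide or of aa-logprof itself. It parses audit lines of the form shown with the dmesg output earlier, skips everything before a GenProf marker line, and turns the denied accesses that follow into candidate path rules grouped by profile, in the spirit of the numbered suggestions aa-logprof presents. The syslog prefixes in the sample log are constructed (only the phpsysinfo line and the marker are taken from the guide), and the code assumes that a hat is logged as parent//hat.

```python
import re
from collections import defaultdict

# Constructed log excerpt. The form.tpl line and the GenProf marker follow the
# guide; the other lines and all syslog prefixes are invented for this example.
SAMPLE_LOG = """\
Sep 13 17:40:01 figwit kernel: audit(1189682000.100:20790): operation="file_mmap" requested_mask="r" denied_mask="r" name="/etc/ld.so.cache" pid=30390 profile="/usr/sbin/httpd2-prefork"
Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d
Sep 13 17:50:30 figwit kernel: audit(1189682430.672:20810): operation="file_mmap" requested_mask="r" denied_mask="r" name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
Sep 13 17:50:31 figwit kernel: audit(1189682431.001:20811): operation="file_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/access_log" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
Sep 13 17:50:31 figwit kernel: audit(1189682431.002:20812): operation="file_permission" requested_mask="r" denied_mask="r" name="/var/log/apache2/access_log" pid=30405 profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
"""

AUDIT_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\):\s*(.*)")
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Parse one audit(...) record into a dict, or return None for other lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = {"timestamp": float(f"{m.group(1)}.{m.group(2)}"),
             "serial": int(m.group(3))}
    for key, quoted, bare in FIELD_RE.findall(m.group(4)):
        event[key] = bare if bare else quoted
    return event


def split_profile(profile):
    """Split a logged 'parent//hat' name into (parent, hat); hat is None without '//'.
    Assumption: '//' is the separator between a profile and its hat."""
    parent, sep, hat = profile.partition("//")
    return parent, (hat if sep else None)


def events_after_marker(log_text, marker):
    """Yield parsed events that appear after the marker line (what -m selects);
    with marker=None every event in the log is yielded."""
    seen = marker is None
    for line in log_text.splitlines():
        if not seen:
            seen = marker in line         # the marker line itself is not an event
            continue
        event = parse_audit_line(line)
        if event is not None:
            yield event


MODE_ORDER = "rwalkmixpPuU"               # order used when printing a mode string


def suggest_rules(events):
    """Collect denied file accesses into one candidate rule per path and profile,
    merging masks so separate r and w denials become a single 'rw' rule."""
    wanted = defaultdict(lambda: defaultdict(set))
    for event in events:
        name, denied = event.get("name"), event.get("denied_mask", "")
        if not name or not denied:
            continue                       # not a file denial; nothing to suggest
        wanted[event["profile"]][name].update(denied)
    return {profile: [f"{path} {''.join(sorted(modes, key=MODE_ORDER.find))},"
                      for path, modes in sorted(paths.items())]
            for profile, paths in wanted.items()}


if __name__ == "__main__":
    marker = "GenProf: e2ff78636296f16d0b5301209a04430d"
    for profile, rules in suggest_rules(events_after_marker(SAMPLE_LOG, marker)).items():
        parent, hat = split_profile(profile)
        print(f"{parent} (hat: {hat})")
        for rule in rules:
            print("   ", rule)
```

With the marker given, the ld.so.cache denial logged before the GenProf line is ignored, exactly as aa-logprof -m would ignore it, and only the two phpsysinfo-hat paths are proposed; without a marker the earlier event is included as well.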
.ext extension. Abort Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified. Finish Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.
aa-logprof Example 2 For example, when profiling vsftpd, see this question:
Profile: /usr/sbin/vsftpd
Path: /y2k.jpg
New Mode: r
[1 - /y2k.jpg]
(A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish
Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftpd on openSUSE serves FTP files from /srv/ftp by default.
• aa-logprof constructs a profile for the child and starts building it, in the same way that it built the parent profile, by assigning events for the child process to the child's profile and asking the aa-logprof user questions.
If a confined program forks and executes another program, aa-logprof sees this and asks the user which execution mode should be used when launching the child process. The execution modes of inherit, profile, unconfined or an option to deny the execution are presented.
• A process that dies between netstat(8) and further checks is mishandled NOTE This program lists processes using TCP and UDP only. In short, this program is unsuitable for forensics use and is provided only as an aid to profiling all network-accessible processes in the lab.
It enables you to define security at a finer level than the process. This feature requires that each application be made “ChangeHat aware” meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution. Two examples for ChangeHat-aware applications are the Apache Web server and Tomcat.
Apache program. This module makes the Apache Web server ChangeHat aware. Install it along with Apache. When Apache is ChangeHat aware, it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives.
5.1.1 Managing ChangeHat-Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Managing ChangeHat-aware applications from the command line is much more flexible, but the process is also more complicated.
2 In Application to Profile, enter httpd2-prefork. 3 Click Create Profile. 4 Restart Apache by entering rcapache2 restart in a terminal window. Restart any program you are profiling at this point.
Refresh button to make sure that Apache processes the request for the phpsysinfo URI. 6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step.
In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined).
The following is an example phpsysinfo hat. Example 5.1 Example phpsysinfo Hat
/usr/sbin/httpd2-prefork {
  ^phpsysinfo {
    #include <abstractions/bash>
    #include <abstractions/nameservice>
    /bin/basename ixr,
    /bin/bash ixr,
    /bin/df ixr,
    /bin/grep ixr,
    /bin/mount
    /bin/sed ixr,
    /dev/bus/usb/
    /dev/bus/usb/**
    /dev/null
    /dev/tty
    /dev/urandom
    /etc/SuSE-release
    /etc/ld.so.cache
    /etc/lsb-release
    /etc/lsb-release.d/
    /lib/ld-2.6.1.so ixr,
    /proc/**...
Section 3.2, “Manually Adding a Profile” (page 37)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following. 1 From the AppArmor Profile Dialog window, click Add Entry then select Hat.
2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat. 3 Click Create Hat. You are returned to the AppArmor Profile Dialog screen.
This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.). The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example:
<Directory "/srv/www/www.immunix.com/docs">  # Note lack of trailing slash
    AAHatName immunix.com
</Directory>
Example: The program phpsysinfo is used to illustrate a location directive in the following example. The tarball can be downloaded from http://phpsysinfo.sourceforge.com. 1 After downloading the tarball, install it into /srv/www/htdocs/phpsysinfo.
/usr/share/pci.ids
/usr/share/usb.ids
/var/log/apache2/access_log
/var/run/utmp
3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root. 4 Restart Apache by entering rcapache2 restart at a terminal window as root. 5 Enter http://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.
Applications After creating profiles and immunizing your applications, openSUSE® becomes more efficient and better protected if you perform Novell® AppArmor profile maintenance, which involves analyzing log files and refining your profiles as well as backing up your set of profiles and keeping it up-to-date. You can deal with these issues before they...
Novell AppArmor activity occurs. Activate it by selecting a notification frequency (receiving daily notification, for example). Enter an e-mail address, so you can be notified by e-mail when Novell AppArmor security events occur. Select one of the following notification types:...
Verbose Notification Verbose notification displays unmodified, logged Novell AppArmor security events. It tells you every time an event occurs and writes a new line in the verbose log. These security events include the date and time the event occurred, when the application profile permits and rejects access, and the type of file permission access that is permitted or rejected.
NOTE: Severity Levels Novell AppArmor sends out event messages for things that are in the severity database and above the level selected. Severity levels are numbered 1 through 10, with 10 being the most severe security incident.
Section 6.5, “Reacting to Security Event Rejections” (page 112). 6.3 Configuring Reports Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following: • Creates on-demand reports • Exports reports •...
Section “Security Incident Report” (page 99). To use the Novell AppArmor reporting features, proceed with the following steps: 1 Open YaST > Novell AppArmor. 2 In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event Reports window appears. From the Reports window, select an option and proceed...
View Archive Displays all reports that have been run and stored in /var/log/apparmor/reports-archived/. Select the report you want to see in detail and click View. For View Archive instructions, proceed to Section 6.3.1, “Viewing Archived Reports” (page 94). Run Now Produces an instant version of the selected report type.
Back Returns you to the Novell AppArmor main screen. Abort Returns you to the Novell AppArmor main screen. Next Performs the same function as the Run Now button. 6.3.1 Viewing Archived Reports View Reports enables you to specify the location of a collection of reports from one or more systems, including the ability to filter by date or names of programs accessed and display them all together in one report.
3 You can alter the directory location of the archived reports in Location of Archived Reports. Select Accept to use the current directory or select Browse to find a new report location. The default directory is /var/log/apparmor/reports-archived. 4 To view all the reports in the archive, select View All. To view a specific report, select a report file listed in the Report field then select View.
CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. You can enter a path for your exported report by typing the full path in the field provided.
Location to Store Log Enables you to change the location at which to store the exported report. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system. 8 To see the report, filtered as desired, select Next. One of the three reports displays. 9 Refer to the following sections for detailed information about each type of report.
State This field reveals whether the program listed in the program field is confined. If it is not confined, you might consider creating a profile for it.
Type This field reveals the type of confinement the security event represents. It says either complain or enforce. If the application is not confined (state), no type of confinement is reported. Security Incident Report A security incident report displays security events of interest to an administrator. The SIR reports policy violations for locally confined applications during the specified time period.
Page 108
Severity levels of events are reported from the severity database. The severity database defines the importance of potential security events and numbers them 1 through 10, 10 being the most severe security incident. The severity levels are determined by the threat or importance of different security events, such as certain resources accessed or services denied.
Mode The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).
Detail A source to which the profile has denied access. This includes capabilities and files.
Page 110
6.3.2 Run Now: Running On-Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. If you need help navigating to the main report screen, see Section 6.3, “Configuring Reports”...
Page 111
3 The Report Configuration Dialog opens for security incident reports.
4 The Report Configuration Dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The following filter options are available:
Date Range To limit reports to a certain time period, select Filter By Date Range. Enter the start and end dates that determine the scope of the report.
Page 112
Refer to the following sections for detailed information about each type of report.
• For the application audit report, refer to Section “Application Audit Report” (page 97).
• For the security incident report, refer to Section “Security Incident Report” (page 99).
Page 113
Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.
Page 114
Enables you to change the location in which the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system.
3 Click Next to proceed to the second page of Add Scheduled SIR.
Page 115
4 Fill in the fields with the following filtering information, as necessary:
Program Name You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specified program only.
Profile Name You can specify the name of the profile for which the report should display security events.
Page 116
The options are r (read), w (write), l (link), and x (execute).
5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
Page 117
3 Modify the following filtering information, as necessary:
Day of Month Select any day of the month to activate monthly filtering in reports. If you select All, monthly filtering is not performed.
Day of Week Select the day of the week on which to schedule the weekly reports. If you select All, weekly filtering is not performed.
Page 118
You can use this field to create a report of resources to which profiles prevent access.
Severity Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports.
The options are r (read), w (write), l (link), and x (execute).
6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window where the scheduled report appears in the list of reports.
If the rejected action is part of normal application behavior, run aa-logprof at the command line or the Update Profile Wizard in Novell AppArmor to update your profile. If the rejected action is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
Page 121
6.6.2 Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3, “Editing Profiles”...
Page 122
• Run the YaST Update Profile Wizard to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to Section 3.5, “Updating Profiles from Log Entries” (page 44).
7.1 Updating Novell AppArmor Online
Updates for Novell AppArmor packages are provided in the same way as any other update for openSUSE. Retrieve and apply them exactly as you would any other package that ships as part of openSUSE.
Page 124
The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are:
• unconfined(8)
• autodep(1)
• complain(1)
• ...
• apparmor.vim(5)
• apparmor(7)
• apparmor_parser(8)
7.3 For More Information
Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/ or in the installed system in ...
AppArmor is too closely constricting your application. To check reject messages, start YaST > Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report.
Page 127
• Network Access Control
• The SYS_PTRACE Capability
• Directory Path Access
The current version of AppArmor mediates file locking and introduces a new permission mode (k) for this. Applications requesting file locking permission might misbehave or fail altogether if confined by older profiles which do not explicitly contain permissions to lock files.
Page 128
/proc/net while the second one explicitly allows for recursive file access only.
/proc/net/**/
/proc/net/**[^/]
The following rule works similarly both under the old and the new syntax and allows access to both files and directories beginning with foo under /proc/net:
/proc/net/foo**
Page 129
To distinguish file from directory access in the new syntax and use the ** globbing pattern, use the following two rules. The first one would have matched both files and directories in the old syntax, but only matches files in the new syntax due to the missing trailing slash.
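To see how the three /proc/net rules differ, here is an added example (not from the guide or the AppArmor project) that translates AppArmor path globs into regular expressions and checks constructed sample paths against them. It approximates the matching semantics described here, with directories represented by a trailing slash, and does not reproduce the parser's own implementation.

```python
import re


def apparmor_glob_to_regex(pattern: str) -> str:
    """Translate an AppArmor path glob into an anchored regular expression.

    Modelled semantics (an approximation of the new syntax):
      **     any run of characters, including the / separator
      *      any run of characters that stops at the next /
      ?      one character other than /
      [...]  a character class, copied through unchanged (e.g. [^/])
    A directory is represented by a path that ends in a trailing slash.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "[":
            end = pattern.index("]", i)  # raises ValueError on an unclosed class
            out.append(pattern[i:end + 1])
            i = end + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def rule_matches(rule: str, path: str) -> bool:
    """True if the path rule would grant access to the given path."""
    return re.fullmatch(apparmor_glob_to_regex(rule), path) is not None


# Constructed sample paths; directories carry the trailing slash of the new syntax.
SAMPLE_PATHS = [
    "/proc/net/dev",             # file
    "/proc/net/stat/",           # directory
    "/proc/net/stat/arp_cache",  # file in a subdirectory
    "/proc/net/foo",             # file
    "/proc/net/foobar/",         # directory
    "/proc/net/foo/bar",         # file below a directory starting with foo
]


def matched_paths(rule: str) -> list:
    """Return the sample paths that the rule grants access to."""
    return [p for p in SAMPLE_PATHS if rule_matches(rule, p)]


if __name__ == "__main__":
    for rule in ("/proc/net/**/", "/proc/net/**[^/]", "/proc/net/foo**"):
        print(f"{rule:18} -> {matched_paths(rule)}")
```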
Page 130
Note that the above mentioned environment variables have to be set before KDM/XDM/GDM or startx are started. One way to achieve this would be to add them to /etc/security/pam_env.conf.
Page 131
7.4.4 How to Resolve Issues with Apache? Apache is not starting properly or it is not serving Web pages and you just installed a new module or made a configuration change. When you install additional Apache modules (like apache2-mod_apparmor) or make configuration changes to Apache, you should profile Apache again to catch any additional rules that need to be added to the profile.
7.4.8 How to Spot and Fix AppArmor Syntax Errors?
Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, error results are shown. This example shows the syntax of the entire parser error.
Page 133
2b Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation. Provide data on which other Novell accounts you maintain to sync all these to one account.
3 Check whether a problem similar to yours has already been reported by clicking Search Reports.
Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.
GNU Licenses
This appendix contains the GNU General Public License and the GNU Free Documentation License.
GNU General Public License
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Page 138
Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
Page 139
You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
This License is a kind of “copyleft”, which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
Page 141
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book.
Page 142
If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
Page 143
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.
Page 144
If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability during which an attack signature must first be defined, as there is for products that use attack signatures to secure their networks.
Page 146
Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.
Page 147
or implementation weaknesses or flaws in hardware, firmware, or software. If exploited, a vulnerability could lead to an unacceptable impact in the form of unauthorized access to information or disruption of critical processing. Glossary...