20
Immunizing Programs
Effective hardening of a computer system requires minimizing the number of programs that mediate privilege, then securing those programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer. AppArmor profiles enforce policies to make sure that programs do what they are supposed to do, but nothing else.
Novell® AppArmor provides immunization technologies that protect applications from the inherent vulnerabilities they possess. After installing Novell AppArmor, setting up Novell AppArmor profiles, and rebooting the computer, your system becomes immunized because it begins to enforce the Novell AppArmor security policies. Protecting programs with Novell AppArmor is referred to as immunizing.
Administrators only need to care about the applications that are vulnerable to attacks and generate profiles for these. Hardening a system thus comes down to building and maintaining the AppArmor profile set and monitoring any policy violations or exceptions logged by AppArmor's reporting facility.
Users should not notice AppArmor at all. It runs "behind the scenes" and does not require any user interaction. Performance is not affected noticeably by AppArmor. If an application performs some activity that its AppArmor profile does not cover, or that AppArmor prevents, the administrator needs to adjust the profile of this application to cover this kind of behavior.
Novell AppArmor sets up a collection of default application profiles to protect standard Linux services. To protect other applications, use the Novell AppArmor tools to create profiles for the applications that you want protected. This chapter introduces the philos-
LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE, 17-03-2009