Determining Programs To Immunize - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


Once a profile has been built and is loaded, there are two ways in which it can get processed:

aa-complain / complain
In complain mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then postprocess the log with the AppArmor tools (YaST or aa-logprof) to transform log events into improved profiles.

aa-enforce / enforce
In enforce mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode. Enforce toggles with complain mode.
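
The difference between the two modes shows up in the audit log. The following Python example is added here and is not part of the Novell guide: it separates complain-mode events from enforce-mode denials and renders the complain-mode events as candidate file rules for manual review. The log lines are constructed, the apparmor="ALLOWED"/"DENIED" record layout is an assumption based on later AppArmor releases, and report.pl and private.conf are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the guide). The key=value layout
# with apparmor="ALLOWED"/"DENIED" is assumed from later AppArmor releases;
# the record format on a given system may differ.
SAMPLE_LOG = '''\
type=AVC msg=audit(1700000000.101:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/logrotate" name="/var/log/messages" pid=2101 comm="logrotate" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.204:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/logrotate" name="/var/log/messages" pid=2101 comm="logrotate" requested_mask="w" denied_mask="w"
type=AVC msg=audit(1700000001.310:43): apparmor="DENIED" operation="open" profile="/srv/www/cgi-bin/report.pl" name="/srv/www/data/private.conf" pid=2210 comm="report.pl" requested_mask="r" denied_mask="r"
type=SYSCALL msg=audit(1700000001.310:43): arch=c000003e syscall=2 success=no exit=-13
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the AppArmor fields of one audit line, or None if it is not one."""
    fields = {k: (q or u) for k, q, u in FIELD.findall(line)}
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None
    return fields

def summarize(log_text):
    """Group events per profile: access needs (complain) vs blocked (enforce)."""
    needs = defaultdict(lambda: defaultdict(set))    # logged but permitted
    blocked = defaultdict(lambda: defaultdict(set))  # logged and not permitted
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or "name" not in ev or "profile" not in ev:
            continue
        target = needs if ev["apparmor"] == "ALLOWED" else blocked
        target[ev["profile"]][ev["name"]].update(ev.get("denied_mask", ""))
    return needs, blocked

def candidate_rules(per_path):
    """Render path/mask pairs as candidate file rules for manual review."""
    return [f"{path} {''.join(sorted(mask))}," for path, mask in sorted(per_path.items())]

if __name__ == "__main__":
    needs, blocked = summarize(SAMPLE_LOG)
    for profile, paths in needs.items():
        print(f"complain-mode events for {profile}:")
        for rule in candidate_rules(paths):
            print("   ", rule)
    for profile, paths in blocked.items():
        for path, mask in paths.items():
            print(f"enforce-mode denial: {profile} -> {path} ({''.join(sorted(mask))})")
```

The candidate rules are input for review, not a replacement for aa-logprof or YaST, which also handle globbing, includes and execute permissions.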
20.2 Determining Programs to Immunize

Now that you have familiarized yourself with AppArmor, start selecting the applications for which to build profiles. Programs that need profiling are those that mediate privilege. The following programs have access to resources that the person using the program does not have, so they grant the privilege to the user when used:

cron Jobs
Programs that are run periodically by cron. Such programs read input from a variety of sources and can run with special privileges, sometimes with as much as root privilege. For example, cron can run /usr/sbin/logrotate daily to rotate, compress, or even mail system logs. For instructions for finding these types of programs, refer to Section 20.3, "Immunizing cron Jobs" (page 191).

Web Applications
Programs that can be invoked through a Web browser, including CGI Perl scripts, PHP pages, and more complex Web applications. For instructions for finding these


This manual is also suitable for:

Suse linux enterprise desktop 11
