Table of Contents
Advertisement
48
Confining Privileges with
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program
runs with privilege that some attacker would like to have. The program fails to keep
that trust if there is a bug in the program that allows the attacker to acquire that privilege.
Novell® AppArmor is an application security solution designed specifically to provide
least privilege confinement to suspect programs. AppArmor allows the administrator
to specify the domain of activities the program can perform by developing a security
profile for that application—a listing of files that the program may access and the oper-
ations the program may perform.
Effective hardening of a computer system requires minimizing the number of programs
that mediate privilege then securing the programs as much as possible. With Novell
AppArmor, you only need to profile the programs that are exposed to attack in your
environment, which drastically reduces the amount of work required to harden your
computer. AppArmor profiles enforce policies to make sure that programs do what they
are supposed to do, but nothing else.
Administrators only need to care about the applications that are vulnerable to attacks
and generate profiles for these. Hardening a system thus comes down to building and
maintaining the AppArmor profile set and monitoring any policy violations or exceptions
logged by AppArmor's reporting facility.
Building AppArmor profiles to confine an application is very straightforward and intu-
itive. AppArmor ships with several tools that assist in profile creation. It does not require
you to do any programming or script handling. The only task that is required from the
administrator is to determine a policy of strictest access and execute permissions for
each application that needs to be hardened.
Confining Privileges with AppArmor
869
Advertisement
Table of Contents
Troubleshooting
