Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual


SUSE Linux Enterprise
Server
11
March 17, 2009
Security Guide
www.novell.com


Summary of Contents for Novell LINUX ENTERPRISE SERVER 11 - SECURITY

  • Page 2 That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.
  • Page 3: Table Of Contents

    Contents: About This Guide; 1 Security and Confidentiality: Local Security and Network Security, Some General Security Tips and Tricks, Using the Central Security Reporting Address.
  • Page 4 Browsing the LDAP Directory Tree; Manually Configuring an LDAP Server; Manually Administering LDAP Data.
  • Page 5 10 Access Control Lists in Linux: 10.1 Traditional File Permissions; 10.2 Advantages of ACLs; 10.3 Definitions.
  • Page 6 19 Getting Started: 19.1 Installing Novell AppArmor; 19.2 Enabling and Disabling Novell AppArmor.
  • Page 7 Updating Profiles from Log Entries; 23.6 Managing Novell AppArmor and Security Event Status; 24 Building Profiles from the Command Line: 24.1...
  • Page 8 28 Support: 28.1 Updating Novell AppArmor Online; 28.2 Using the Man Pages.
  • Page 9 32.7 Managing Audit Event Records Using Keys; 33 Useful Resources...
  • Page 11: About This Guide

    (VPN). This manual also shows how to make use of the product inherent security software like Novell AppArmor (which lets you specify per program which files the program may read, write, and execute) or the auditing system that reliably collects information about any security-relevant events.
  • Page 12 Introduces basic concepts of system security, covering both local and network security aspects. Shows how to make use of the product inherent security software like Novell AppArmor (which lets you specify per program which files the program may read, write, and execute) or the auditing system that reliably collects information about any security-relevant events.
  • Page 13 • To report bugs for a product component or to submit enhancement requests, please use https://bugzilla.novell.com/. If you are new to Bugzilla, you might find the Bug Writing FAQs helpful, available from the Novell Bugzilla home page. • We want to hear your comments and suggestions about this manual and the other documentation included with this product.
  • Page 14 ►ipseries zseries: This paragraph is only relevant for the specified architectures. The arrows mark the beginning and the end of the text block. ◄ • Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a chapter in another manual. Security Guide...
  • Page 15: Security And Confidentiality

    Security and Confidentiality One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent.
  • Page 16: Local Security And Network Security

    1.1 Local Security and Network Security There are several ways of accessing data:
      • personal communication with people who have the desired information or access to the data on a computer
      • directly from the console of a computer (physical access)
      •...
  • Page 17 Serial terminals connected to serial ports are still used in many places. Unlike network interfaces, they do not rely on a network protocol to communicate with the host. A simple cable or an infrared port is used to send plain characters back and forth between the devices.
  • Page 18: File Permissions

    In the seventies, it was argued that this method would be more secure than others due to the relative slowness of the algorithm used, which took a few seconds to encrypt just one password. In the meantime, however, PCs have become powerful enough to do several hundred thousand or even millions of encryptions per second.
  • Page 19 The permissions of all files included in the SUSE Linux Enterprise Server distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits. Experienced and security-conscious system administrators always use the -l option with the command ls to get an extensive file list, which allows them to detect any incorrect file permissions immediately.
  • Page 20 the user) uses up some more space than what is available in the buffer. As a result, data is written beyond the end of that buffer area, which, under certain circumstances, makes it possible for a program to execute program sequences influenced by the user (and not by the programmer), rather than just processing user data.
  • Page 21: Network Security

    a cryptographic signature as a digital label that the necessary care was taken to build them. Viruses are a typical sign that the administrator or the user lacks the required security awareness, putting at risk even a system that should be highly secure by its very design.
  • Page 22 In the case of cookie-based access control, a character string is generated that is only known to the X server and to the legitimate user, just like an ID card of some kind. This cookie (the word goes back not to ordinary cookies, but to Chinese fortune cookies, which contain an epigram) is stored on login in the file .Xauthority in the user's home directory and is available to any X client wanting to use the X server to display a window.
  • Page 23: Denial Of Service

    Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software. With free software, anyone has access to the source code (SUSE Linux Enterprise Server comes with all available source codes) and anyone who finds a vulnerability and its exploit code can submit a patch to fix the corresponding bug.
  • Page 24 Spoofing is an attack where packets are modified to contain counterfeit source data, usually the IP address. Most active forms of attack rely on sending out such fake packets—something that, on a Linux machine, can only be done by the superuser (root).
  • Page 25: Some General Security Tips And Tricks

    SUSE's security team among its active contributors. You can subscribe to this list on page http://en.opensuse.org/Communicate/Mailinglists. SUSE security advisories are also available as a news feed at http://www.novell.com/linux/security/suse_security.xml.
  • Page 26 such programs (bind, postfix, ssh, etc.). The same should apply to software relevant to local security. • Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the intended way.
  • Page 27 SUSE's RPM packages are gpg-signed. The key used by SUSE for signing is: ID:9C800ACA 2000-10-19 SUSE Package Signing Key <build@suse.de> Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA The command rpm --checksig package.rpm shows whether the checksum and the signature of an uninstalled package are correct.
  • Page 28: Using The Central Security Reporting Address

    SUSE's pgp key is: ID:3D25D3D9 1999-03-06 SUSE Security Team <security@suse.de> Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5. This key is also available for download from http://www.novell.com/linux/security/securitysupport.html. Security Guide...
  • Page 29: Part I Authentication

    Part I. Authentication...
  • Page 31: Authentication With Pam

    Authentication with PAM Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
  • Page 32: Structure Of A Pam Configuration File

    To facilitate the creation and maintenance of PAM modules, common default configuration files for the functions auth, account, password, and session modules have been introduced. These are pulled in from every application's PAM configuration. Updates to the global PAM configuration modules in common-* are thus propagated across all PAM configuration files without requiring the administrator to update every single PAM configuration file.
  • Page 33 session Modules of this type are responsible for managing and configuring user sessions. They are started before and after authentication to register login attempts in system logs and configure the user's specific environment (mail accounts, home directory, system limits, etc.). The second column contains control flags to influence the behavior of the modules started: required...
  • Page 34: The Pam Configuration Of Sshd

    The module path does not need to be specified explicitly, as long as the module is located in the default directory /lib/security (for all 64-bit platforms supported by SUSE® Linux Enterprise Server, the directory is /lib64/security). The fourth column may contain an option for the given module, such as debug (enables debugging) or nullok (allows the use of empty passwords).
  • Page 35 tion is made with central configuration files and all changes are automatically inherited by the PAM configuration of each service. The first include file (common-auth) calls two modules of the auth type: pam_env.so and pam_unix2.so. See Example 2.2, “Default Configuration for the auth Section”...
  • Page 36: Configuration Of Pam Modules

    Again, the PAM configuration of sshd involves just an include statement referring to the default configuration for password modules located in common-password. These modules must successfully be completed (control flags requisite and required) whenever the application requests the change of an authentication token. Changing a password or another authentication token requires a security check.
  • Page 37 2.3.1 pam_env.conf This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax: VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] VARIABLE Name of the environment variable to set. [DEFAULT=[value]] Default value the administrator wants set.
  • Page 38: Configuring Pam Using Pam-Config

    After installing pam_mount, a template of pam_mount.conf.xml is available in /etc/security. The description of the various elements can be found in the manual page man 5 pam_mount.conf. A basic configuration of this feature can be done by means of yast. Select Network Settings >...
  • Page 39 2 Add a new authentication method. Adding a new authentication method (for example, LDAP) to your stack of PAM modules comes down to a simple pam-config --add --ldap command. LDAP is added wherever appropriate across all common-*-pc PAM configuration files. 3 Add debugging for test purposes.
  • Page 40: For More Information

    2.5 For More Information In the directory /usr/share/doc/packages/pam of your installed system, find the following additional documentation: READMEs In the top level of this directory, there are some general README files. The subdirectory modules holds README files about the available PAM modules. The Linux-PAM System Administrators' Guide This document includes everything that a system administrator should know about PAM.
  • Page 41: Using Nis

    Using NIS As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to users: whatever machines they use, they always find themselves in exactly the same environment.
  • Page 42 and set up slave servers in the subnets as described in Section 3.1.2, “Configuring a NIS Slave Server” (page 32). 3.1.1 Configuring a NIS Master Server To configure a NIS master server for your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers, select Install and Set Up NIS Master Server.
  • Page 43 3b Define whether the host should also be a NIS client, enabling users to log in and access data from the NIS server, by selecting This Host is also a NIS Client. Select Allow Changes to Passwords to allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd).
  • Page 44 3e Leave this dialog with Next or click Other Global Settings to make additional settings. Other Global Settings include changing the source directory of the NIS server (/etc by default). In addition, passwords can be merged here. The setting should be Yes to create the user database from the system authentication files /etc/passwd, /etc/shadow, and /etc/group.
  • Page 45 Figure 3.4 NIS Server Maps Setup 7 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. In this case, there should be the following two entries: 255.0.0.0 127.0.0.0...
  • Page 46 Figure 3.5 Setting Request Permissions for a NIS Server 8 Click Finish to save changes and exit the setup. 3.1.2 Configuring a NIS Slave Server To configure additional NIS slave servers in your network, proceed as follows: 1 Start YaST > Network Services > NIS Server. 2 Select Install and Set Up NIS Slave Server and click Next.
  • Page 47: Configuring Nis Clients

    3c Set This Host is also a NIS Client if you want to enable user logins on this server. 3d Adapt the firewall settings with Open Ports in Firewall. 3e Click Next. 4 Enter the hosts that are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button.
  • Page 48 In the expert settings, disable Answer Remote Hosts if you do not want other hosts to be able to query which server your client is using. By checking Broken Server, the client is enabled to receive replies from a server communicating through an unprivileged port. For further information, see man ypbind.
  • Page 49: Ldap-A Directory Service

    LDAP—A Directory Service The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
  • Page 50: Ldap Versus Nis

    • When static data is administered, updates of the existing data sets are very rare. When working with dynamic data, especially when data sets like bank accounts or accounting are concerned, the consistency of the data is of primary importance. If an amount should be subtracted from one place to be added to another, both operations must happen concurrently, within one transaction, to ensure balance over the data stock.
  • Page 51: Structure Of An Ldap Directory Tree

    • Administration of zone descriptions for a BIND9 name server • User authentication with Samba in heterogeneous networks This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.
  • Page 52 Figure 4.1 Structure of an LDAP Directory (tree: dc=example,dc=com at the top; ou=devel, ou=doc and ou=it below it; cn=Tux Linux under ou=devel and cn=Geeko Linux under ou=doc). The complete diagram is a fictional directory information tree. The entries on three levels are depicted. Each entry corresponds to one box in the picture. The complete, valid distinguished name for the fictional employee Geeko Linux, in this case, is cn=Geeko Linux,ou=doc,dc=example,dc=com.
  • Page 53 Table 4.1 Commonly Used Object Classes and Attributes
    Object Class       | Meaning                                                          | Example Entry | Required Attributes
    dcObject           | domainComponent (name components of the domain)                  | example       |
    organizationalUnit | organizationalUnit (organizational unit)                         |               |
    inetOrgPerson      | inetOrgPerson (person-related data for the intranet or Internet) | Geeko Linux   | sn and cn
    Example 4.1, “Excerpt from schema.core”...
  • Page 54: Configuring An Ldap Server With Yast

    Line 2 gives a brief description of the attribute with DESC. The corresponding RFC on which the definition is based is also mentioned here. SUP in line 3 indicates a superordinate attribute type to which this attribute belongs. The definition of the object class organizationalUnit begins in line 4, like in the definition of the attribute, with an OID and the name of the object class.
  • Page 55 Figure 4.2 YaST LDAP Server Configuration LDAP—A Directory Service...
  • Page 56 Figure 4.3 YaST LDAP Server—New Database To set up an LDAP server for user account data, make sure the yast2-ldap-server and openldap2 packages and packages they depend on are installed. Then proceed as follows: 1 Log in as root. 2 Start YaST and select Network Services > LDAP Server to invoke the configuration wizard.
  • Page 57 3c Configure Firewall Settings. 3d Click Next. 4 Consider to Enable TLS. TLS is an encryption technology. For more information, Step 4 (page 45). 5 Confirm Basic Database Settings with entering an LDAP Administrator Password and then clicking Next—see Figure 4.2, “YaST LDAP Server Configuration” (page 41).
  • Page 58 For changes or additional configuration start the LDAP server module again and in the left pane expand Global Settings to make subentries visible—see Figure 4.4, “YaST LDAP Server Configuration” (page 43): 1 With Log Level Settings, configure the degree of logging activity (verbosity) of the LDAP server.
  • Page 59 4 To configure secure communication between client and server, proceed with TLS Settings: 4a Activate Enable TLS to enable TLS and SSL encryption of the client/server communication. 4b Either Import Certificate by specifying the exact path to its location or enable the Use Common Server Certificate.
  • Page 60 Figure 4.5 YaST LDAP Server Database Configuration To configure the databases managed by your LDAP server, proceed as follows: 1 Select the Databases item in the left part of the dialog. 2 Click Add Database to add the new database. 3 Enter the requested data: Base DN Enter the base DN of your LDAP server.
  • Page 61 LDAP Administrator Password Enter the password for the database administrator. Use This Database as the Default for OpenLDAP Clients For convenience, check this option if wanted. 4 In the next dialog, enable enforcement of password policies to provide extra security to your LDAP server: 4a Check Enable Password Policies to be able to specify a password policy.
  • Page 62 Determine the number of passwords stored in the password history. Saved passwords may not be reused by the user. 3b Determine whether users can change their password and whether they need to change their password after a reset by the administrator. Optionally require the old password for password changes.
  • Page 63: Configuring An Ldap Client With Yast

    To edit a previously created database, select its base DN in the tree to the left. In the right part of the window, YaST displays a dialog similar to the one used for the creation of a new database—with the main difference that the base DN entry is grayed out and cannot be changed.
  • Page 64 4.4.1 Configuring Basic Settings The basic LDAP client configuration dialog (Figure 4.6, “YaST: LDAP Client Configuration” (page 50)) opens during installation if you choose LDAP user management or when you select Network Services > LDAP Client in the YaST Control Center in the installed system.
  • Page 65 3 Enter the LDAP Base DN to select the search base on the LDAP server. To retrieve the base DN automatically, click Fetch DN. YaST then checks for any LDAP database on the server address specified above. Choose the appropriate base DN from the search results given by YaST.
  • Page 66 Figure 4.7 YaST: Advanced Configuration 1 In the Client Settings tab, adjust the following settings according to your needs: 1a If the search base for users, passwords, and groups differs from the global search base specified in the LDAP base DN, enter these different naming contexts in User Map, Password Map, and Group Map.
  • Page 67 2 In Administration Settings, adjust the following settings: 2a Set the base for storing your user management data via Configuration Base 2b Enter the appropriate value for Administrator DN. This DN must be identical with the rootdn value specified in /etc/openldap/slapd.conf to enable this particular user to manipulate data stored on the LDAP server.
  • Page 68 objects in the LDAP directory. The registration of user data is still done with the regular YaST modules for user and group management. The registered data is stored as LDAP objects on the server. Figure 4.8 YaST: Module Configuration The dialog for module configuration (Figure 4.8, “YaST: Module Configuration”...
  • Page 69 2 Click New and select the type of module to create. For a user configuration module, select suseuserconfiguration and for a group configuration choose susegroupconfiguration. 3 Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values.
  • Page 70 Figure 4.9 YaST: Configuration of an Object Template Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template. The default values for an attribute can be created from other attributes by using a variable instead of an absolute value.
  • Page 71: Configuring Ldap Users And Groups In Yast

    4.5 Configuring LDAP Users and Groups in YaST The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following brief instructions relate to the administration of users. The procedure for administering groups is analogous. 1 Access the YaST user administration with Security and Users >...
  • Page 72 Figure 4.10 YaST: Additional LDAP Settings The initial input form of user administration offers LDAP Options. This gives the pos- sibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.
  • Page 73: Browsing The Ldap Directory Tree

    4.6 Browsing the LDAP Directory Tree To browse the LDAP directory tree and all its entries conveniently, use the YaST LDAP Browser: 1 Log in as root. 2 Start YaST > Network Services > LDAP Browser. 3 Enter the address of the LDAP server, the Administrator DN, and the password for the Root DN of this server if you need both, to read and write the data stored on the server.
  • Page 74: Manually Configuring An Ldap Server

    Figure 4.12 Browsing the Entry Data 5 To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the Root DN password when prompted. 6 Leave the LDAP browser with Close. 4.7 Manually Configuring an LDAP Server YaST does not use /etc/openldap/slapd.conf to store the OpenLDAP confi-...
  • Page 75: Manually Administering Ldap Data

    To access the new configuration backend easily you can use SASL external authentication. For example, the following ldapsearch command executed as root can be used to print the complete slapd configuration to stdout:
      ldapsearch -Y external -H ldapi:/// -b cn=config
    4.7.1 Starting and Stopping the Servers Once the LDAP server is fully configured and all desired entries have been made according to the pattern described in...
  • Page 76 the LDIF format (LDAP data interchange format) for this. An LDIF file is a simple text file that can contain an arbitrary number of attribute and value pairs. The LDIF file for creating a rough framework for the example in Figure 4.1, “Structure of an LDAP Directory”...
  • Page 77 The -f option passes the filename. See the details of running ldapadd in Example 4.3, “ldapadd with example.ldif” (page 63).
    Example 4.3 ldapadd with example.ldif
      ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif
      Enter LDAP password:
      adding new entry "dc=example,dc=com"
      adding new entry "ou=devel,dc=example,dc=com"
      adding new entry "ou=doc,dc=example,dc=com"...
  • Page 78 Example 4.5 Modified LDIF File tux.ldif
      # coworker Tux
      dn: cn=Tux Linux,ou=devel,dc=example,dc=com
      changetype: modify
      replace: telephoneNumber
      telephoneNumber: +49 1234 567-10
    Import the modified file into the LDAP directory with the following command:
      ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif
    Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below: 1 Start ldapmodify and enter your password:
      ldapmodify -x -D cn=Administrator,dc=example,dc=com -W...
  • Page 79: For More Information

    (for example, only within the devel department), pass this section to ldapsearch with -b. -x requests activation of simple authentication. (objectClass=*) declares that all objects contained in the directory should be read. This command option can be used after the creation of a new directory tree to verify that all entries have been recorded correctly and the server responds as desired.
  • Page 80 OpenLDAP 2.4 Administrator's Guide A detailed introduction to all important aspects of LDAP configuration, including access controls and encryption. See http://www.openldap.org/doc/admin24/ or, on an installed system, /usr/share/doc/packages/openldap2/admin-guide/index.html. Understanding LDAP A detailed general introduction to the basic principles of LDAP: http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf.
  • Page 81: Active Directory Support

    Active Directory Support Active Directory* (AD) is a directory service based on LDAP, Kerberos, and other services that is used by Microsoft Windows to manage resources, services, and people. In an MS Windows network, AD provides information about these objects, restricts access to any of them, and enforces policies.
  • Page 82: Background Information For Linux Ad Support

    Accessing and Manipulating User Data on the Windows Server Through Nautilus and Konqueror, users are able to access their Windows user data and can edit, create, and delete files and folders on the Windows server. Users can access their data without having to enter their password again and again. Offline Authentication Users are able to log in and access their local data on the Linux machine even if they are offline (for example, using a laptop) or the AD server is unavailable for...
  • Page 83 Figure 5.1 Active Directory Authentication Schema (components shown: PAM-aware applications and kerberized apps such as gdm, kdm and login; the PAM modules pam_winbind, pam_unix2 and pam_mkhomedir; the NSS modules nss_compat and nss_winbind; nscd; the Kerberos credential cache and the offline cache; winbindd; and the Windows DC running Active Directory). To communicate with the directory service, the client needs to share at least two protocols with the server: LDAP LDAP is a protocol optimized for managing directory information.
  • Page 84 Kerberos Kerberos is a third-party trusted authentication service. All its clients trust Kerberos's judgment of another client's identity, enabling kerberized single-sign-on (SSO) solutions. Windows supports a Kerberos implementation, making Kerberos SSO possible even with Linux clients. To learn more about Kerberos in Linux, refer to Chapter 6, Network Authentication with Kerberos (page 81).
  • Page 85 1 The Windows domain controller providing both LDAP and KDC (Key Distribution Center) services is located. 2 A machine account for the joining client is created in the directory service. 3 An initial ticket granting ticket (TGT) is obtained for the client and stored in its local Kerberos credential cache.
  • Page 86 Account disabled The user sees an error message stating that his account has been disabled and that he should contact the system administrator. Account locked out The user sees an error message stating that his account has been locked and that he should contact the system administrator.
  • Page 87 SUSE Linux Enterprise Server supports local home directories for AD users. If configured through YaST as described in Section 5.3, “Configuring a Linux Client for Active Directory” (page 74), user homes are created at the first login of a Windows (AD) user into the Linux client.
  • Page 88: Configuring A Linux Client For Active Directory

    5.3 Configuring a Linux Client for Active Directory Before your client can join an AD domain, some adjustments must be made to your network setup to ensure a flawless interaction of client and server. Configure your client machine to use a DNS server that can forward DNS requests to the AD DNS server.
  • Page 89 Join an existing AD domain during installation or by later activating SMB user authentication with YaST in the installed system. The domain join during installation is covered in Section “User Authentication Method” (Chapter 6, Installation with YaST, ↑Deployment Guide). NOTE Currently only a domain administrator account, such as Administrator, can join SUSE Linux Enterprise Server into Active Directory.
  • Page 90 Figure 5.2 Determining Windows Domain Membership 4 Check Also Use SMB Information for Linux Authentication to use the SMB source for Linux authentication. 5 Check Create Home Directory on Login to automatically create a local home directory for your AD user on the Linux machine. 6 Check Offline Authentication to allow your domain users to log in even if the AD server is temporarily unavailable or you do not have a network connection.
  • Page 91: Logging In To An Ad Domain

    10 Provide the password for the Windows administrator on the AD server and click OK (see Figure 5.3, “Providing Administrator Credentials” (page 77)). Figure 5.3 Providing Administrator Credentials After you have joined the AD domain, you can log in to it from your workstation using the display manager of your desktop or the console.
  • Page 92 5.4.1 GDM and KDM To authenticate a GNOME client machine against an AD server, proceed as follows: 1 Select the domain. 2 Enter your Windows username and press Enter. 3 Enter your Windows password and press Enter. To authenticate a KDE client machine against an AD server, proceed as follows: 1 Select the domain.
  • Page 93: Changing Passwords

    5.5 Changing Passwords SUSE Linux Enterprise Server has the ability to help a user choose a suitable new password that meets the corporate security policy. The underlying PAM module retrieves the current password policy settings from the domain controller. It informs about the specific password quality requirements a user account typically has by means of a message at login time.
  • Page 94 To change your Windows password from the GNOME desktop, proceed as follows: 1 Click the Computer icon on the left edge of the panel. 2 Select Control Center. 3 From the Personal section, select Change Password. 4 Enter your old password. 5 Enter and confirm the new password.
  • Page 95: Network Authentication With Kerberos

    Network Authentication with Kerberos An open network provides no means to ensure that a workstation can identify its users properly except the usual password mechanisms. In common installations, the user must enter the password each time a service inside the network is accessed. Kerberos provides an authentication method with which a user registers once and is then trusted throughout the network for the rest of the session.
  • Page 96: Kerberos Terminology

    6.1 Kerberos Terminology The following glossary defines some Kerberos terminology. credential Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials—tickets and authenticators. ticket A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service.
  • Page 97: How Kerberos Works

    session key Session keys are temporary private keys generated by Kerberos. They are known to the client and used to encrypt the communication between the client and the server for which it requested and received a ticket. replay Almost all messages sent in a network can be eavesdropped, stolen, and resent. In the Kerberos context, this would be most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator.
  • Page 98
    • The names both of the client and the ticket-granting server
    • The current time
    • A lifetime assigned to this ticket
    • The client's IP address
    • The newly-generated session key
    This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used.
  • Page 99 Without any security measures implemented on the server side, this stage of the process would be an ideal target for replay attacks. Someone could try to resend a request stolen off the net some time before. To prevent this, the server does not accept any request with a time stamp and ticket received previously.
  • Page 100: Users' View of Kerberos

    • The client's principal
    • The server's principal
    • The current time
    • The client's IP address
    • The newly-generated session key
    The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is encrypted with the session key that came with the original ticket-granting ticket.
  • Page 101: Installing and Administering Kerberos

    Here is a short list of some applications that use Kerberos authentication. These applications can be found under /usr/lib/mit/bin or /usr/lib/mit/sbin after installing the package krb5-apps-clients. They all have the full functionality of their common UNIX and Linux brothers plus the additional bonus of transparent authentication managed by Kerberos: •...
  • Page 102 Realms” (page 89). Carefully set up the machine that is to serve as the KDC and apply tight security, see Section 6.4.3, “Setting Up the KDC Hardware” (page 90). Set up a reliable time source in your network to make sure all tickets contain valid timestamps, see Section 6.4.4, “Configuring Time Synchronization”...
  • Page 103: Choosing the Kerberos Realms

    The following figure depicts a simple example network with just the minimum components needed to build a Kerberos infrastructure. Depending on the size and topology of your deployment, you might need to use a different setup. Figure 6.1 Kerberos Network Topology TIP: Configuring Subnet Routing For a setup similar to the one in Figure 6.1, “Kerberos Network Topology”...
  • Page 104: Setting Up the KDC Hardware

    It is also a good idea to use your DNS domain name (or a subdomain, such as ACCOUNTING.EXAMPLE.COM). As shown below, your life as an administrator can be much easier if you configure your Kerberos clients to locate the KDC and other Kerberos services via DNS.
  • Page 105 4 No graphical login is provided on this machine as an X server is a potential security risk. Kerberos provides its own administration interface. 5 Configure /etc/nsswitch.conf to use only local files for user and group lookup. Change the lines for passwd and group to look like this: passwd: files group:...
  • Page 106: Configuring the KDC

    Another way to secure the time service while still using the NTP daemon is to attach a hardware reference clock to a dedicated NTP server as well as an additional hardware reference clock to the KDC. It is also possible to adjust the maximum deviation Kerberos allows when checking time stamps.
  • Page 107 6 Start the Kerberos Daemon Once the KDC software is installed and properly configured, start the Kerberos daemon to provide Kerberos service for your realm. Refer to Section “Starting the KDC” (page 94) for details. 7 Create a Principal for Yourself You need a principal for yourself.
  • Page 108: Configuring a Kerberos Client with YaST

    This shows that there are now a number of principals in the database. All of these are for internal use by Kerberos. Creating a Principal Next, create two Kerberos principals for yourself: one normal principal for your everyday work and one for administrative tasks relating to Kerberos. Assuming your login name is newbie, proceed as follows: kadmin.local kadmin>...
  • Page 109 1 Log in as root and select Network Services > Kerberos Client. 2 Select Use Kerberos. 3 To configure a DNS-based Kerberos client, proceed as follows: 3a Confirm the Basic Kerberos Settings that are displayed. 3b Click Advanced Settings to configure details on ticket-related issues, OpenSSH support, time synchronization, and extended PAM configurations.
  • Page 110 To configure ticket-related options in the Advanced Settings dialog, choose from the following options: • Specify the Default Ticket Lifetime and the Default Renewable Lifetime in days, hours, or minutes (using the units of measurement d, h, and m, with no blank space between the value and the unit).
  • Page 111: Manually Configuring Kerberos Clients

    Figure 6.3 YaST: Advanced Configuration of a Kerberos Client For more information about the configuration of Expert PAM Settings and PAM Services tabs, see the official documentation referenced in Section 6.5, “For More Information” (page 108) and the manual page man 5 krb5.conf. Manually Configuring Kerberos Clients When configuring Kerberos, there are basically two approaches you can take—static configuration in the /etc/krb5.conf file or dynamic configuration with DNS.
  • Page 112 static configuration case unless you enter IP addresses in krb5.conf instead of hostnames. Static Configuration One way to configure Kerberos is to edit the configuration file /etc/krb5.conf. The file installed by default contains various sample entries. Erase all of these entries before starting.
  • Page 113 records are not supported in earlier implementations of the BIND name server. At least BIND version 8 is required for this. The name of an SRV record, as far as Kerberos is concerned, is always in the format _service._proto.realm, where realm is the Kerberos realm. Domain names in DNS are case insensitive, so case-sensitive Kerberos realms would break when using this configuration method.
  • Page 114 Adjusting the Clock Skew The clock skew is the tolerance for accepting tickets with time stamps that do not exactly match the host's system clock. Usually, the clock skew is set to 300 seconds (five minutes). This means a ticket can have a time stamp somewhere between five minutes ago and five minutes in the future from the server's point of view.
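    The two server-side checks described on pages 99 and 114, the timestamp window and the refusal of a previously seen request, can be modelled in a few lines. The following Python is an added example, not code from this guide or from MIT Kerberos: it keeps a server-side cache of authenticators already accepted (keyed here by client principal and authenticator timestamp, a simplification of the real replay cache, which also includes the server principal, microseconds and an authenticator hash) and rejects requests whose timestamp lies outside the clock skew or which repeat an accepted one. The principal name and the 300-second default come from the text; the two error names are the ones RFC 4120 defines for these conditions; the server time in the demo is constructed.

```python
from datetime import datetime, timedelta, timezone

# Default tolerance from the text: 300 seconds (five minutes).
DEFAULT_CLOCK_SKEW = timedelta(seconds=300)

# Error names as defined in RFC 4120 for the two rejection cases.
KRB_AP_ERR_SKEW = "KRB_AP_ERR_SKEW"      # clock skew too great
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"  # request is a replay


class ReplayCache:
    """Simplified model of a server-side replay cache (constructed for this example).

    The cache only has to remember authenticators that are still inside the clock-skew
    window: anything older is rejected by the timestamp check before the cache is consulted.
    """

    def __init__(self, clock_skew=DEFAULT_CLOCK_SKEW):
        self.clock_skew = clock_skew
        self._seen = {}  # (client principal, authenticator time) -> server time of acceptance

    def _expire(self, now):
        # Drop entries that have aged out of the window; they can no longer be replayed.
        stale = [k for k, accepted_at in self._seen.items() if now - accepted_at > self.clock_skew]
        for k in stale:
            del self._seen[k]

    def check(self, client_principal, ctime, now):
        """Return (True, None) if the authenticator is fresh, else (False, error_name).

        ctime: timestamp carried in the decrypted authenticator.
        now:   the server's own clock at the time of the check.
        """
        self._expire(now)
        # Step 1: the timestamp must lie within +/- clock_skew of the server clock.
        if abs(now - ctime) > self.clock_skew:
            return False, KRB_AP_ERR_SKEW
        # Step 2: an identical (client, ctime) pair seen before is a resent request.
        key = (client_principal, ctime)
        if key in self._seen:
            return False, KRB_AP_ERR_REPEAT
        self._seen[key] = now
        return True, None


def check_offsets(offsets, clock_skew_seconds=300):
    """Run a sequence of authenticator timestamps, given as offsets in seconds from the
    server clock, through one cache and return the verdict for each."""
    cache = ReplayCache(timedelta(seconds=clock_skew_seconds))
    now = datetime(2009, 2, 18, 15, 14, 10, tzinfo=timezone.utc)  # constructed server time
    client = "newbie@EXAMPLE.COM"
    return [cache.check(client, now + timedelta(seconds=o), now) for o in offsets]


def demo():
    """A fresh request 10 s old, the same request resent, then one 400 s old."""
    return check_offsets([-10, -10, -400])


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

    The order of the two checks matters for the cache size: because the timestamp test runs first, the cache never has to retain entries older than the skew window, which is why `_expire` can discard them.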
  • Page 115 Using the getprivs command, verify which privileges you have. The list shown above is the full set of privileges. As an example, modify the principal newbie: kadmin -p newbie/admin Authenticating as principal newbie/admin@EXAMPLE.COM with password. Password for newbie/admin@EXAMPLE.COM: kadmin: getprinc newbie Principal: newbie@EXAMPLE.COM Expiration date: [never] Last password change: Wed Jan 12 17:28:46 CET 2005...
  • Page 116 6.4.8 Creating Kerberos Service Principals So far, only user credentials have been discussed. However, Kerberos-compatible services usually need to authenticate themselves to the client user, too. Therefore, special service principals must be present in the Kerberos database for each service offered in the realm.
  • Page 117: Enabling PAM Support for Kerberos

    Services such as the SSH daemon read this key and use it to obtain new tickets automatically when needed. The default keytab file resides in /etc/krb5.keytab. To create a host service principal for jupiter.example.com, enter the following commands during your kadmin session: kadmin -p newbie/admin Authenticating as principal newbie/admin@EXAMPLE.COM with password.
  • Page 118 The above command adds the pam_krb5 module to the existing PAM configuration files and makes sure it is called in the right order. To make fine adjustments to the way in which pam_krb5 is used, edit the file /etc/krb5.conf and add default applications to pam.
  • Page 119: Using LDAP and Kerberos

    You should now be able to connect using Kerberos authentication. Use klist to verify that you have a valid ticket then connect to the SSH server. To force SSH protocol version 1, specify the -1 option on the command line. TIP: Additional Information The file /usr/share/doc/packages/openssh/README.kerberos discusses the interaction of OpenSSH and Kerberos in more detail.
  • Page 120 To run slapd as root, edit /etc/sysconfig/openldap. Disable the OPENLDAP_USER and OPENLDAP_GROUP variables by putting a comment character in front of them. To make the keytab file readable by group LDAP, execute chgrp ldap /etc/krb5.keytab chmod 640 /etc/krb5.keytab A third, and maybe the best solution, is to tell OpenLDAP to use a special keytab file. To do this, start kadmin, and enter the following command after you have added the principal ldap/ldap.example.com: ktadd -k /etc/openldap/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM...
  • Page 121 As you can see, ldapsearch prints a message that it started GSSAPI authentication. The next message is very cryptic, but it shows that the security strength factor (SSF for short) is 56 (The value 56 is somewhat arbitrary. Most likely it was chosen because this is the number of bits in a DES encryption key).
  • Page 122: For More Information

    To understand how this works, you need to know that when SASL authenticates a user, OpenLDAP forms a distinguished name from the name given to it by SASL (such as joe) and the name of the SASL flavor (GSSAPI). The result would be uid=joe,cn=GSSAPI,cn=auth.
  • Page 123: Using the Fingerprint Reader

    Using the Fingerprint Reader If your system includes a fingerprint reader, you can use biometric authentication in addition to standard authentication via login and password. After registering their fingerprint, users can log in to the system either by swiping a finger on the fingerprint reader or by typing in a password.
  • Page 124: Managing Fingerprints with YaST

    • Starting YaST and the YaST modules • Starting an application with root permission: sudo or gnomesu • Changing to a different user identity with su or su - username NOTE: Fingerprint Reader Devices and Encrypted Home Directories If you want to use a fingerprint reader device, you must not use encrypted home directories (see Chapter 12, Managing Users with YaST (↑Deployment Guide) for more information).
  • Page 125 4 YaST prompts the user to swipe his finger until three readable fingerprints have been gathered. 5 After the fingerprint has been acquired successfully, click Accept to close the Fingerprint Configuration dialog and the dialog for the user. 6 If you also want to use fingerprint authentication for starting YaST or the YaST modules, you need to register a fingerprint for root, too.
  • Page 127: Part II Local Security

    Part II. Local Security...
  • Page 129: Configuring Security Settings with YaST

    Configuring Security Settings with YaST The YaST module Local Security offers a central clearinghouse to configure security-related settings for SUSE Linux Enterprise Server. Use it to configure security aspects such as settings for the login procedure and for password creation, for boot permissions, user creation or for default file permissions.
  • Page 130: Predefined Security Configurations

    Unknown A setting's status is set to unknown when the associated service is not installed. Such a setting does not represent a potential security risk. Figure 8.1 YaST Local Security - Security Overview 8.2 Predefined Security Configurations SUSE Linux Enterprise Server comes with three predefined sets of security configurations.
  • Page 131: Password Settings

    Network Server Security settings designed for a machine providing network services such as a web server, file server, name server, etc. This set provides the most secure configuration of the predefined settings. Custom Settings A pre-selected Custom Settings (when opening the Predefined Security Configurations dialog) indicates that one of the predefined sets has been modified.
  • Page 132: Boot Settings

    Password Age Activate password expiration by specifying a minimum and a maximum time limit (in days). By setting the minimum age to a value greater than 0 days, you can prevent users from immediately changing their passwords again (and in doing so circumventing the password expiration).
  • Page 133: User Addition

    Allow Remote Graphical Login When checked, the graphical login manager (e.g. gdm or kdm) can be accessed from the network. This is a potential security risk. 8.6 User Addition Set minimum and maximum values for user and group IDs. These default settings would rarely need to be changed.
  • Page 134 Current Directory in root's Path / Current Directory in Path of Regular Users Whenever a program is called without specifying the full path to the executable, the system looks in the user's search path (defined by the variable $PATH) for the executable.
  • Page 135: PolicyKit

    PolicyKit PolicyKit is an application framework that acts as a negotiator between the unprivileged user session and the privileged system context. Whenever a process from the user session tries to carry out an action in the system context, PolicyKit is queried. Based on its configuration—specified in a so-called “policy”—the answer could be “yes”, “no”, or needs authentication.
  • Page 136: Authorization Types

    GNOME
      Modify system and mandatory values with GConf
      Change the system time
    PolicyKit
      Read and change privileges for other users
      Modify defaults
    System
      Wake on LAN
      Mount or unmount fixed, hotpluggable and encrypted devices
      Enable or disable WLAN
      Enable or disable Bluetooth
      Device access
      Stop and restart the system
    9.2 Authorization Types...
  • Page 137: Modifying And Setting Privileges

    A user can either authorize by authenticating as root or by authenticating as self. Both authentication methods exist in four variants:
    Authentication
      The user always has to authenticate.
    One Shot Authentication
      The authentication is bound to the instance of the program currently running. Once the program is restarted, the user is required to authenticate again.
  • Page 138 9.3.1 Using the Graphical Authorizations Tool Start the Authorizations tool either via the GNOME main menu by selecting More Applications > Tools > Authorizations or by pressing Alt + F2 and entering polkit-gnome-authorization. TIP: Using the Authorizations tool in non-GNOME environments Authorizations is a GNOME tool and therefore not installed when the GNOME desktop environment is not installed.
  • Page 139 The Authorizations window is divided into two parts. The left side shows all policies available in a tree view, while the right side displays details for the policy selected and offers means to change it. Action Lists details of the chosen policy. The Identifier is the unique string used by PolicyKit to identify the policy.
  • Page 140 polkit-action List and modify implicit privileges. Using this command you can also reset all policies to the default value. When invoked with no parameters, polkit-action shows a list of all policies. See man 1 polkit-action for more information. polkit-auth Inspect, grant, block and revoke explicit privileges.
  • Page 141 POLKIT_DEFAULT_PRIVS to restrictive in /etc/sysconfig/security and run set_polkit_default_privs as root afterwards. Do not modify these two files. In order to define your custom set of privileges, use /etc/polkit-default-privs.local. Privileges defined here will always take precedence over the ones defined in the other configuration files.
  • Page 142 auth_admin_keep_always user needs to authenticate with root password once, privilege is granted for the current and for future sessions Run set_polkit_default_privs to activate your settings. Modifying Configuration Files for Explicit Privileges Explicit privileges can be set in /etc/PolicyKit/PolicyKit.conf. This configuration file is written in XML using the PolicyKit DTD.
  • Page 143 Example 9.1 An example /etc/PolicyKit/PolicyKit.conf file
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
     "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
    <config version="0.1">
      <match action="org.freedesktop.packagekit.system-update">
        <match user="tux">
          <return result="yes"/>
        </match>
      </match>
      <match action="org.freedesktop.policykit.*">
        <match user="tux|wilber">
          <return result="no"/>
        </match>
      </match>
      <define_admin_auth group="administrators"/>
    </config>
    The first three lines of the config file are the XML header. These lines are already present in the template file; leave them untouched.
  • Page 144 leges” (page 126) for more information) that is activated by default, overriding the upstream defaults. Since the Authorization tool and the PolicyKit command line utilities always operate on the upstream defaults, SUSE Linux Enterprise Server comes with the command-line tool set_polkit_default_privs that resets privileges to the values defined in /etc/polkit-default-privs.*.
  • Page 145: 10 Access Control Lists in Linux

    Access Control Lists in Linux POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than the traditional permission concept allows. The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard.
  • Page 146 would not be able to change passwd, because it would be too dangerous to grant all users direct access to this file. A possible solution to this problem is the setuid mechanism. setuid (set user ID) is a special file attribute that instructs the system to execute programs marked accordingly under a specific user ID.
  • Page 147: Advantages of ACLs

    10.2 Advantages of ACLs Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit.
  • Page 148: Handling ACLs

    default ACL Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created. ACL entry Each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions.
  • Page 149
    Table 10.1 ACL Entry Types
    Type          Text Form
    owner         user::rwx
    named user    user:name:rwx
    owning group  group::rwx
    named group   group:name:rwx
    mask          mask::rwx
    other         other::rwx
    Table 10.2 Masking Access Permissions
    Entry Type             Text Form        Permissions
    named user             user:geeko:r-x   r-x
    mask                   mask::rw-        rw-
    effective permissions                   r--
    10.4.1 ACL Entries and File Mode Permission Bits Figure 10.1, “Minimum ACL: ACL Entries Compared to Permission Bits”...
  • Page 150 ACL entry owner. Other class permissions are mapped to the respective ACL entry. However, the mapping of the group class permissions is different in the two cases. Figure 10.1 Minimum ACL: ACL Entries Compared to Permission Bits In the case of a minimum ACL—without mask—the group class permissions are mapped to the ACL entry owning group.
  • Page 151 Before creating the directory, use the umask command to define which access permissions should be masked each time a file object is created. The command umask 027 sets the default permissions by giving the owner the full range of permissions (0), denying the group write access (2), and giving other users no permissions at all (7).
  • Page 152
    # file: mydir
    # owner: tux
    # group: project3
    user::rwx
    user:geeko:rwx
    group::r-x
    group:mascots:rwx
    mask::rwx
    other::---
    In addition to the entries created for the user geeko and the group mascots, a mask entry has been generated. This mask entry is set automatically so that all permissions are effective.
  • Page 153
    group:mascots:rwx # effective: r-x
    mask::r-x
    other::---
    After executing the chmod command to remove the write permission from the group class bits, the output of the ls command is sufficient to see that the mask bits must have changed accordingly: write permission is again limited to the owner of mydir. The output of getfacl confirms this.
  • Page 154 Application of Default ACLs The following three examples show the main operations for directories and default ACLs:
    1. Add a default ACL to the existing directory mydir with:
       setfacl -d -m group:mascots:r-x mydir
       The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL.
  • Page 155
    2. In the next example, use mkdir to create a subdirectory in mydir, which inherits the default ACL.
       mkdir mydir/mysubdir
       getfacl mydir/mysubdir
       # file: mydir/mysubdir
       # owner: tux
       # group: project3
       user::rwx
       group::r-x
       group:mascots:r-x
       mask::r-x
       other::---
       default:user::rwx
       default:group::r-x
       default:group:mascots:r-x
       default:mask::r-x
       default:other::---
       As expected, the newly-created subdirectory mysubdir has the permissions from the default ACL of the parent directory.
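    The mask semantics shown in Table 10.2 (page 149) and in the getfacl listings of mydir (pages 152 and 153) can be checked mechanically. The following Python is an added example, not code from this guide or from the acl package: it parses the access entries of a getfacl listing (the sample input is the page's mydir listing, embedded as a constructed string), computes the effective permission of every entry by ANDing the named-user and group entries with the mask, and models what chmod on the group class does to an extended ACL, namely rewriting the mask rather than the owning-group entry. Function names and the tuple layout are this example's own.

```python
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

# Constructed sample: the getfacl listing of mydir from page 152.
SAMPLE_GETFACL = """\
# file: mydir
# owner: tux
# group: project3
user::rwx
user:geeko:rwx
group::r-x
group:mascots:rwx
mask::rwx
other::---
"""


def perm_to_int(text):
    """'r-x' -> 5; a '-' contributes nothing."""
    return sum(bit for ch, bit in PERM_BITS if ch in text)


def int_to_perm(value):
    """5 -> 'r-x'"""
    return "".join(ch if value & bit else "-" for ch, bit in PERM_BITS)


def parse_getfacl(output):
    """Return the access ACL as a list of (tag, qualifier, perms) in listing order.

    Comment lines (# file:, # owner:, # effective: ...) and default: entries are ignored,
    so both plain listings and listings that include default ACLs are accepted.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perm_to_int(perms)))
    return entries


def mask_of(entries):
    """The mask entry's permissions, or None for a minimum ACL (which has no mask)."""
    for tag, _, perms in entries:
        if tag == "mask":
            return perms
    return None


def effective_permissions(entries):
    """Map 'tag:qualifier' -> effective permission text.

    Owner and other are never masked; named users, the owning group and named groups
    are limited to what the mask allows (what getfacl prints as '# effective:').
    """
    mask = mask_of(entries)
    result = {}
    for tag, qualifier, perms in entries:
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and masked:
            perms &= mask
        result[f"{tag}:{qualifier}"] = int_to_perm(perms)
    return result


def chmod_group_class(entries, new_perms_text):
    """Model chmod on the group class bits (e.g. chmod g-w leaving 'r-x').

    With an extended ACL the group class bits are the mask, so chmod rewrites the mask;
    with a minimum ACL they are the owning group entry itself.
    """
    target = "mask" if mask_of(entries) is not None else "group"
    new_perms = perm_to_int(new_perms_text)
    return [
        (tag, qualifier, new_perms if (tag == target and qualifier == "") else perms)
        for tag, qualifier, perms in entries
    ]


def ls_group_bits(entries):
    """What ls -l shows in the group triplet: the mask if present, else the owning group."""
    mask = mask_of(entries)
    if mask is None:
        mask = next(p for t, q, p in entries if t == "group" and q == "")
    return int_to_perm(mask)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("before chmod g-w:", effective_permissions(acl))
    print("after  chmod g-w:", effective_permissions(chmod_group_class(acl, "r-x")))
```

    Running it reproduces the page 153 listing: after chmod g-w the mask drops to r-x and both user:geeko and group:mascots keep their rwx entries but an effective permission of r-x, while the owner entry is untouched.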
  • Page 156: ACL Support in Applications

    Although no permissions were removed from the ACL entry of the group class, the mask entry was modified to mask permissions not set in mode. This approach ensures the smooth interaction of applications, such as compilers, with ACLs. You can create files with restricted access permissions and subsequently mark them as executable.
  • Page 157: For More Information

    itor supports ACLs. Except for the star archiver, there are currently no backup applications that preserve ACLs. 10.6 For More Information Detailed information about ACLs is available at http://acl.bestbits.at/. Also see the man pages for getfacl(1), acl(5), and setfacl(1). Access Control Lists in Linux...
  • Page 159: 11 Encrypting Partitions and Files

    Encrypting Partitions and Files Every user has some confidential data that third parties should not be able to access. The more you rely on mobile computing and on working in different environments and networks, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have network or physical access to your system.
  • Page 160: Setting Up an Encrypted File System with YaST

    Encrypting Home Directories With SUSE Linux Enterprise Server, you can also create encrypted home directories for users. When the user logs in to the system, the encrypted home directory is mounted and the contents are made available to the user. Refer to Section 11.2, “Using Encrypted Home Directories”...
  • Page 161 11.1.1 Creating an Encrypted Partition during Installation WARNING: Password Input Make sure to memorize the password for your encrypted partitions well. Without that password you cannot access or restore the encrypted data. The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition.
  • Page 162 When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation. In this case follow the description in Section 11.1.2, “Creating an Encrypted Partition on a Running System”...
  • Page 163: Using Encrypted Home Directories

    11.1.4 Encrypting the Content of Removable Media YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk. Container files or partitions on such media can be encrypted as described above. However, enable Do Not Mount During Booting in the Fstab Options dialog, because removable media are usually only connected while the system is running.
  • Page 164: Using vi to Encrypt Single ASCII Text Files

    On login the home directory automatically gets decrypted. Internally, it is provided by means of the pam module pam_mount. If you need to add an additional login method that provides encrypted home directories, you have to add this module to the respective configuration file in /etc/pam.d/.
  • Page 165: 12 Certificate Store

    Certificate Store Certificates play an important role in the authentication of companies and individuals. Usually certificates are administered by the application itself. In some cases, it makes sense to share certificates between applications. The certificate store is a common ground for Firefox, Evolution, and NetworkManager. This chapter explains some details. The certificate store is a common database for Firefox, Evolution, and NetworkManager at the moment.
  • Page 166: Importing Certificates

    3 Log off and log in to your desktop again. All the certificates are stored under $HOME/.local/var/pki/nssdb/. 12.2 Importing Certificates To import a certificate into the certificate store, do the following: 1 Start Firefox. 2 Open the dialog from Edit > Preferences. Change to Advanced > Encryption and click on View Certificates.
  • Page 167: 13 Intrusion Detection with AIDE

    Intrusion Detection with AIDE Securing your systems is a mandatory task for any mission critical system. However, regardless of how hard you try, it is impossible to guarantee that the system is not compromised. When administering important servers, where the integrity and security of your data is critical, it is a good idea to do some extra checks from time to time to ensure that the system is still under control of the administrator.
  • Page 168 To tell AIDE which attributes of which files should be checked, a configuration file must be created. Find an example configuration at /etc/aide.conf. This file is also a template and may be modified to create the actually used configuration. The first section of the configuration handles general configuration parameters like the location of the AIDE database file.
  • Page 169 For a complete list of the available checking options, see /usr/share/doc/packages/aide/manual.html. Before you can start using AIDE, you have to define which files should be checked with which checking options. The definition of the file selection requires some knowledge of regular expressions.
  • Page 170: Local AIDE Checks

    This will create a new database at the location specified as database_out in the configuration file. By default, this is /var/lib/aide/aide.db.new. If you want to check if all of your configuration worked as expected, you can open this database file in a text viewer. Each of the checked files should appear at the beginning of a line in this file.
  • Page 171: System Independent Checking

    aide --check -V
    AIDE found differences between database and filesystem!!
    Start timestamp: 2009-02-18 15:14:10
    Summary:
      Total number of files: 1992
      Added files:
      Removed files:
      Changed files:
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    changed: /etc/passwd
    --------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    File: /etc/passwd
      Mtime : 2009-02-18 15:11:02 , 2009-02-18 15:11:47...
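    At its core, what aide --check does is compare a stored database of file attributes against the live file system and report added, removed and changed files, as in the output above. The following Python is an added example, not AIDE's own code: it builds such a database (size, permission bits, mtime and a SHA-256 digest for every regular file) for a directory tree, compares two snapshots, and exercises the comparison on a constructed temporary tree in which one file is modified, one is added and one is removed. The function names, the attribute set and the sample file contents are this example's own choices.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path, algo="sha256"):
    """Hex digest of a file's contents, read in chunks so large files are handled."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algo="sha256"):
    """Build an integrity database: relative path -> attributes of every regular file under root.

    The attributes are the kind of thing AIDE records: size, permission bits, mtime and a
    digest. Symlinks and special files are skipped in this simplified version.
    """
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
                algo: file_digest(path, algo),
            }
    return db


def compare(baseline, current):
    """Report added, removed and changed files between two snapshots.

    For changed files the report lists each differing attribute as (old, new), in the
    spirit of the 'Detailed information about changes' section of aide --check.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        diffs = {k: (old[k], new[k]) for k in old if old[k] != new[k]}
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario in a temporary directory: baseline, then modify, add and remove."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        files = {
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",  # constructed content
            "hosts": b"127.0.0.1 localhost\n",
        }
        for name, body in files.items():
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)

        with open(os.path.join(etc, "passwd"), "ab") as f:  # changed file
            f.write(b"tux:x:1000:100:tux:/home/tux:/bin/bash\n")
        with open(os.path.join(etc, "aide.conf"), "wb") as f:  # added file
            f.write(b"database=file:/var/lib/aide/aide.db\n")
        os.remove(os.path.join(etc, "hosts"))  # removed file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for category in ("added", "removed", "changed"):
        print(f"{category}: {report[category]}")
```

    The point the page makes about keeping the database off the checked host applies here unchanged: a snapshot stored on the same file system it describes can be regenerated by whoever changed the files, so the baseline belongs on read-only or remote storage.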
  • Page 172: For More Information

    Procedure 13.1 Starting a Rescue System with AIDE
    1 You need a second machine that provides an ftp server.
    2 Copy the packages aide and mhash to the ftp server directory, in our case /srv/ftp:
      cp DVD1/suse/<architecture>/aide<version_string>.<architecture>.rpm /srv/ftp
      cp DVD1/suse/<architecture>/mhash<version_string>.<architecture>.rpm /srv/ftp
    3 Create an info file /srv/ftp/info.txt that provides the needed boot parameters for the rescue system:...
  • Page 173: Part III Network Security

    Part III. Network Security...
  • Page 175: 14 SSH: Secure Network Operations

    SSH: Secure Network Operations With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it.
  • Page 176: The ssh Program

    14.2 The ssh Program Using the ssh program, it is possible to log in to remote systems and work interactively. It replaces both telnet and rlogin. The slogin program is just a symbolic link pointing to ssh. For example, log in to the host sun with the command ssh sun. The host then prompts for the password on sun.
  • Page 177: sftp - Secure File Transfer

    scp also provides a recursive copying feature for entire directories. The command scp -r src/ sun:backup/ copies the entire contents of the directory src including all subdirectories to the backup directory on the host sun. If this subdirectory does not exist yet, it is created automatically.
  • Page 178: SSH Authentication Mechanisms

    For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of the protocol with the -1 switch. To continue using version 1 after a system update, follow the instructions in /usr/share/doc/packages/openssh/README.SuSE.
  • Page 179 able to provide an authentication method appropriate for daily use. SSH accomplishes this by way of another key pair, which is generated by the user. The SSH package provides a helper program for this: ssh-keygen. After entering ssh-keygen -t rsa or ssh-keygen -t dsa, the key pair is generated and you are prompted for the base filename in which to store the keys.
  • Page 180: X, Authentication, and Forwarding Mechanisms

    NOTE: File Permissions for Host-Based Authentication If host-based authentication is to be used, the file /usr/lib/ssh/ssh-keysign or /usr/lib64/ssh/ssh-keysign should have the setuid bit set, which is not the default setting in SUSE Linux Enterprise Server. In such a case, set the file permissions manually. Use /etc/permissions.local for this purpose, to make sure that the setuid bit is preserved after security updates of openssh.
  • Page 181: Configuring an SSH Daemon with YaST

    for delivery. Similarly, all POP3 requests (port 110) on jupiter can be forwarded to the POP3 port of sun with this command: ssh -L 110:sun:110 jupiter Both commands must be executed as root, because the connection is made to privileged local ports.
  • Page 182 3 The Login Settings tab contains general login and authentication settings. In Print Message of the day After Login, determine whether sshd should print the message from /etc/motd when a user logs in interactively. If you want to disable connections by the user root, uncheck Permit Root Login. In Maximum Authentication Tries, enter the maximum allowed number of authentication attempts per connection.
  • Page 183: 15 Masquerading and Firewalls

    Masquerading and Firewalls Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart.
  • Page 184 nat: This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet.
    mangle: The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
  • Page 185 Figure 15.1 iptables: A Packet's Possible Paths (diagram; the chains shown are: incoming packet -> PREROUTING -> routing decision -> INPUT -> processes in the local system, or -> FORWARD -> POSTROUTING -> outgoing packet; locally generated packets pass OUTPUT -> routing -> POSTROUTING. The mangle table is consulted in every chain, the filter table in INPUT, FORWARD and OUTPUT.)
  • Page 186: Masquerading Basics

    15.2 Masquerading Basics Masquerading is the Linux-specific form of NAT (network address translation). It can be used to connect a small LAN (where hosts use IP addresses from the private range—see Section “Netmasks and Routing” (Chapter 18, Basic Networking, ↑Administration Guide)) with the Internet (where official IP addresses are used).
  • Page 187: Firewalling Basics

    As a consequence of all this, you might experience some problems with a number of application protocols, such as ICQ, cucme, IRC (DCC, CTCP), and FTP (in PORT mode). Web browsers, the standard FTP program, and many other programs use the PASV mode.
  • Page 188: Susefirewall2

    15.4 SuSEfirewall2 SuSEfirewall2 is a script that reads the variables set in /etc/sysconfig/SuSEfirewall2 to generate a set of iptables rules. It defines three security zones, although only the first and the second one are considered in the following sample configuration: External Zone Given that there is no way to control what is happening on the external network,...
  • Page 189 15.4.1 Configuring the Firewall with YaST IMPORTANT: Automatic Firewall Configuration After the installation, YaST automatically starts a firewall on all configured interfaces. If a server is configured and activated on the system, YaST can modify the automatically-generated firewall configuration with the options Open Ports on Selected Interface in Firewall or Open Ports on Firewall in the server configuration modules.
  • Page 190 Masquerading Masquerading hides your internal network from external networks, such as the In- ternet, while enabling hosts in the internal network to access the external network transparently. Requests from the external network to the internal one are blocked and requests from the internal network seem to be issued by the masquerading server when seen externally.
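    The behaviour described above, as an added example that is not part of the SUSE guide, of SuSEfirewall2 or of netfilter: a small model of a masquerading gateway with connection tracking. Outbound packets from the masqueraded networks leave with the gateway's external address and a per-flow port, replies are mapped back to the internal host, and packets from outside either belong to a tracked flow, are addressed to the gateway itself (and left to the INPUT filter rules), or are addressed to a private host and dropped. All addresses and ports are constructed; the FW_MASQ_NETS value is the one the chapter uses as an example.

```python
"""Toy model of masquerading: source NAT plus connection tracking.

Added example, not code from the SUSE guide, SuSEfirewall2 or netfilter.
Addresses are constructed (RFC 1918 inside, RFC 5737 documentation ranges outside).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerader:
    """One gateway: rewrites in POSTROUTING, reverses the rewrite in PREROUTING."""

    def __init__(self, ext_ip, masq_nets, first_port=32768):
        self.ext_ip = ext_ip
        # Same syntax as FW_MASQ_NETS: space-separated networks or single hosts.
        self.nets = [ipaddress.ip_network(n, strict=False) for n in masq_nets.split()]
        self.next_port = first_port
        self.flows = {}  # (src, sport, proto) -> external port chosen for the flow
        self.state = {}  # (ext_port, proto) -> (src, sport, dst, dport), like conntrack

    def _masqueraded(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def postrouting(self, pkt):
        """Outbound: SNAT to the external address, one external port per flow."""
        if not self._masqueraded(pkt.src):
            return pkt  # forwarded, but not rewritten
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.flows:
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.state[(port, pkt.proto)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.ext_ip, self.flows[key], pkt.dst, pkt.dport, pkt.proto)

    def prerouting(self, pkt):
        """Inbound: returns (chain, packet).
        FORWARD: reply to a tracked flow, rewritten back to the internal host.
        INPUT:   addressed to the gateway itself; the filter rules decide.
        DROP:    addressed to a private host from outside; never forwarded."""
        if pkt.dst != self.ext_ip:
            return "DROP", None
        entry = self.state.get((pkt.dport, pkt.proto))
        if entry is None:
            return "INPUT", pkt
        src, sport, dst, dport = entry
        if (pkt.src, pkt.sport) != (dst, dport):
            return "INPUT", pkt  # not from the peer this flow is talking to
        return "FORWARD", Packet(pkt.src, pkt.sport, src, sport, pkt.proto)
```

    The model keeps the full original 4-tuple per external port and only accepts a reply from the very peer the flow was opened to, which is what netfilter's connection tracking does; a "full cone" NAT that accepted any source on a mapped port would expose internal hosts to unsolicited traffic.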
  • Page 191: Configuring Manually

    15.4.2 Configuring Manually The following paragraphs provide step-by-step instructions for a successful configuration. Each configuration item is marked as to whether it is relevant to firewalling or masquerading. Use port ranges (for example, 500:510) whenever appropriate. Aspects related to the DMZ (demilitarized zone) as mentioned in the configuration file are not covered here.
  • Page 192 FW_MASQ_NETS (masquerading)
    Specify the hosts or networks to masquerade, leaving a space between the individual entries. For example: FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"
    FW_PROTECT_FROM_INT (firewall)
    Set this to yes to protect your firewall host from attacks originating in your internal network. Services are only available to the internal network if explicitly enabled. Also see FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP.
  • Page 193: For More Information

    FW_SERVICES_ACCEPT_RELATED_* (firewall) SuSEfirewall2 now implements a subtle change regarding packets that are considered RELATED by netfilter. For example, to allow finer grained filtering of Samba broadcast packets, RELATED packets are no longer accepted unconditionally. The new variables starting with FW_SERVICES_ACCEPT_RELATED_ have been introduced to allow restricting RELATED packet handling to certain networks, protocols and ports.
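    A manual configuration of the variables in 15.4.2 is easy to get subtly wrong, and SuSEfirewall2 reports little before it has generated the rules. The following is an added example, not code from the SUSE guide or from SuSEfirewall2: it parses the sysconfig file and checks the dependencies the chapter states (masquerading needs FW_ROUTE=yes, an external device and valid FW_MASQ_NETS entries; port lists must be ports or lo:hi ranges; FW_PROTECT_FROM_INT with no FW_SERVICES_INT_* leaves the internal network with no services on the firewall). The sample configuration is constructed for a gateway with eth0 external and eth1 internal.

```python
"""Parse and sanity-check a /etc/sysconfig/SuSEfirewall2 configuration.

Added example, not code from the SUSE guide or from SuSEfirewall2 itself.
The sample configuration is constructed for the example.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
## Constructed masquerading gateway: eth0 external, eth1 internal
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="22 500:510"
FW_SERVICES_INT_TCP="22 110 143"
FW_SERVICES_INT_UDP="53"
"""

ASSIGNMENT = re.compile(r'^([A-Z][A-Z0-9_]*)=("?)(.*)\2$')
PORT_KEYS = ("FW_SERVICES_EXT_TCP", "FW_SERVICES_EXT_UDP",
             "FW_SERVICES_INT_TCP", "FW_SERVICES_INT_UDP")


def parse_sysconfig(text):
    """Return {VAR: value} for the simple KEY="value" lines sysconfig files use."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if m:
            cfg[m.group(1)] = m.group(3).strip()
    return cfg


def bad_ports(value):
    """Tokens that are neither a port, a lo:hi range, nor a service name."""
    bad = []
    for tok in value.split():
        if re.fullmatch(r"\d+(:\d+)?", tok):
            lo, _, hi = tok.partition(":")
            if not 1 <= int(lo) <= int(hi or lo) <= 65535:
                bad.append(tok)
        elif not re.fullmatch(r"[a-z][a-z0-9_.-]*", tok):
            bad.append(tok)  # names are resolved via /etc/services, not checked here
    return bad


def lint(cfg):
    """Return a list of human-readable findings; an empty list means nothing found."""
    def yes(key):
        return cfg.get(key, "no").lower() == "yes"

    findings = []
    if yes("FW_MASQUERADE"):
        if not yes("FW_ROUTE"):
            findings.append("FW_MASQUERADE=yes requires FW_ROUTE=yes")
        if not cfg.get("FW_DEV_EXT"):
            findings.append("FW_MASQUERADE=yes but FW_DEV_EXT is empty")
        nets = cfg.get("FW_MASQ_NETS", "").split()
        if not nets:
            findings.append("FW_MASQUERADE=yes but FW_MASQ_NETS is empty")
        for net in nets:
            try:  # entries may carry ',dest,proto,port' qualifiers; check the source part
                ipaddress.ip_network(net.split(",")[0], strict=False)
            except ValueError:
                findings.append(f"FW_MASQ_NETS: {net!r} is not a network or host")
    for key in PORT_KEYS:
        for tok in bad_ports(cfg.get(key, "")):
            findings.append(f"{key}: {tok!r} is not a valid port or range")
    if yes("FW_PROTECT_FROM_INT") and not any(cfg.get(k) for k in PORT_KEYS[2:]):
        findings.append("FW_PROTECT_FROM_INT=yes with no FW_SERVICES_INT_*: "
                        "internal hosts can reach no service on the firewall")
    return findings
```

    Feed it the real file with lint(parse_sysconfig(open("/etc/sysconfig/SuSEfirewall2").read())) before running rcSuSEfirewall2 start; it is a lint, not a replacement for reading the generated iptables rules.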
  • Page 195: 16 Configuring VPN Server

    Configuring VPN Server Internet connections these days are cheap and available almost everywhere, although insecure. VPN, the Virtual Private Network, is a secure network within a second, insecure network such as the Internet or WLAN. It can be implemented in different ways and has several meanings.
  • Page 196 Figure 16.1 Scenario 1 Bridged VPN Bridging is more complicated and is recommended when you need to browse Windows file shares across the VPN without setting up a Samba or WINS server. Bridged VPN is also needed if you want to use non IP protocols (such as IPX) or applications relying on network broadcasts.
  • Page 197 Figure 16.2 Scenario 2; Figure 16.3 Scenario 3
  • Page 198 Figure 16.4 Scenario 4 The major difference between bridging and routing is that a routed VPN cannot IP-broadcast while a bridged VPN can. 16.1.2 Tun and Tap Devices Whenever you set up a VPN connection your IP packets are transferred over your secured tunnel.
  • Page 199: Creating The Simplest Vpn Example

    The userspace program OpenVPN can attach itself to a tun or tap device to receive packets sent by your OS. The program is also able to write packets to the device. Read more details in /usr/src/linux/Documentation/networking/tuntap .txt. 16.2 Creating the Simplest VPN Example The following example creates a point-to-point VPN tunnel.
  • Page 200 4 Create the file /etc/openvpn/server.conf with the following content:
    dev tun
    ifconfig 10.23.8.1 10.23.8.2
    secret secret.key
    5 Start the YaST firewall module and open UDP port 1194. 6 Start the OpenVPN service as root: rcopenvpn start 16.2.2 Configuring the VPN Client To configure the VPN client, do the following: 1 Install the package openvpn on the machine that will later become your VPN client.
  • Page 201: Setting Up Your Vpn Server Using Certificate Authority

    To verify the VPN connection, use ping on both client and server to see if you can reach each other. Ping server from client: ping 10.23.8.1 Ping client from server: ping 10.23.8.2 16.3 Setting Up Your VPN Server Using Certificate Authority The example shown in Section 16.2 (page 185) is useful for testing, but not for daily...
  • Page 202 You can use two methods to create the respective certificates and keys: • Use the YaST CA module (see Chapter 17, Managing X.509 Certification (page 197)), or • Use the scripts included with the openvpn package. Generating Certificates with easy-ca The easy-ca utilities use the configuration file openssl.cnf stored under /usr/ share/openvpn/easy-ca.
  • Page 203 3 Accept the default parameters, but insert for Common Name the value server. 4 Answer the next two questions (“Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”) with y (yes). After this procedure, the private server key is saved under /usr/share/openvpn/easy-ca/keys/server.*.
  • Page 204: Configuring The Server

    Configuring Certificates with YaST CA You can skip this section if you have already configured the certificates with the easy-ca utilities. 16.3.2 Configuring the Server The configuration file is mostly a summary from /usr/share/doc/packages/openvpn/sample-config-files/server.conf without the comments and with some small changes to some paths.
  • Page 205: Configuring The Clients

    The tun or tap device, see Section 16.1.2, “Tun and Tap Devices” (page 184) for the differences. The following lines contain the relative or absolute path to the root CA certificate (ca), the server certificate (cert), the private server key (key) and the Diffie-Hellman parameters (dh). Only the CA certificate belongs on the VPN server; the CA's private key stays on the machine that issues certificates.
  • Page 206 Example 16.2 VPN Client Configuration File (/etc/openvpn/client.conf):
    client
    dev tun
    proto udp
    remote IP_OR_HOSTNAME 1194
    resolv-retry infinite
    nobind
    # Privileges
    user nobody
    group nobody
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    # Security
    ca ssl/ca.crt
    cert ssl/client.crt
    key ssl/client.key
    comp-lzo
    We have to specify that this machine is a client.
  • Page 207: Kde- And Gnome Applets For Clients

    16.4 KDE- and GNOME Applets For Clients The following subsections describe how to set up an OpenVPN connection with the GNOME and KDE desktops. 16.4.1 KDE To set up an OpenVPN connection in KDE4 that can be easily turned on or off, proceed as follows: 1 Make sure you have installed the package NetworkManager-openvpn-kde4 and have resolved all dependencies.
  • Page 208 7 Insert the necessary files into the respective text fields. From our example configuration these are: CA file /etc/openvpn/ssl/ca.crt; Certificate /etc/openvpn/ssl/client1.crt; Key /etc/openvpn/ssl/client1.key; Username The respective user; Password The password for the user. 8 If you have not used the KDE Wallet System, you are asked if you want to configure it.
  • Page 209: For More Information

    5 Choose the Authentication type between Certificates (TLS) or Password with Certificates (TLS) depending on what you have setup with your OpenVPN server. 6 Insert the necessary files into the respective text fields. From our example confi- guration, these are: Username The respective user (only available when you have selected Password with Certificates (TLS))
  • Page 211: 17 Managing X.509 Certification

    Managing X.509 Certification An increasing number of authentication mechanisms are based on cryptographic proce- dures. Digital certificates that assign cryptographic keys to their owners play an important role in this context. These certificates are used for communication and can also be found, for example, on company ID cards.
  • Page 212 Private Key The private key must be kept safely by the key owner. Accidental publication of the private key compromises the key pair and renders it useless. Public Key The key owner circulates the public key for use by third parties. 17.1.1 Key Authenticity Because the public key process is in widespread use, there are many public keys in circulation.
  • Page 213 17.1.2 X.509 Certificates An X.509 certificate is a data structure with several fixed fields and, optionally, addi- tional extensions. The fixed fields mainly contain the name of the key owner, the public key, and the data relating to the issuing CA (name and signature). For security reasons, a certificate should only have a limited period of validity, so a field is also provided for this date.
  • Page 214 Field Content Extensions Optional additional information, such as “KeyUsage” or “BasicConstraints” 17.1.3 Blocking X.509 Certificates If a certificate becomes untrustworthy before it has expired, it must be blocked imme- diately. This can be needed if, for example, the private key has accidentally been made public.
  • Page 215 Field Content List of revoked certificates Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions) Extensions Optional CRL extensions 17.1.4 Repository for Certificates and CRLs The certificates and CRLs for a CA must be made publicly accessible using a repository. Because the signature protects the certificates and CRLs from being forged, the repository itself does not need to be secured in a special way. It does, however, have to stay available: a client that cannot fetch a current CRL has no way of learning about a revocation.
  • Page 216: YaST Modules for CA Management

    17.2 YaST Modules for CA Management YaST provides two modules for basic CA management. The primary management tasks with these modules are explained here. 17.2.1 Creating a Root CA The first step when setting up a PKI is to create a root CA. Do the following: 1 Start YaST and go to Security and Users >...
  • Page 217 CA Name Enter the technical name of the CA. Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.
  • Page 218 5 Review the summary. YaST displays the current settings for confirmation. Click Create. The root CA is created and then appears in the overview. In general, it is best not to allow user certificates to be issued by the root CA. It is better to create at least one sub-CA and create the user certificates from there.
  • Page 219 default value leads to an error message. To avoid this, enter a permissible value for the period of validity. Do the following: 1 Start YaST and open the CA module. 2 Select the required root CA and click Enter CA. 3 Enter the password when entering the CA for the first time.
  • Page 220 NOTE: Check your Valid Period Take into account that the valid period must be shorter than the valid period of the root CA. 6 Select the Certificates tab. Reset compromised or otherwise unwanted sub-CAs here using Revoke. Revocation is not enough to deactivate a sub-CA on its own. Also publish revoked sub-CAs in a CRL.
  • Page 221 Figure 17.3 Certificates of a CA 5 Click Add > Add Server Certificate and create a server certificate. 6 Click Add > Add Client Certificate and create a client certificate. Do not forget to enter an e-mail address. 7 Finish with OK To revoke compromised or otherwise unwanted certificates, do the following: 1 Start YaST and open the CA module.
  • Page 222 NOTE Revocation alone is not enough to deactivate a certificate. Also publish revoked certificates in a CRL. Section 17.2.6, “Creating CRLs” (page 209) explains how to create CRLs. Revoked certificates can be completely removed after publication in a CRL with Delete. 17.2.5 Changing Default Values The previous sections explained how to create sub-CAs, client certificates, and server certificates.
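    The two notes above (a revoked sub-CA or certificate stays usable until a CRL is created) describe a workflow whose consequences are easiest to see in code. The following is an added example, not code from the SUSE guide or from YaST: a model of a root CA, a sub-CA and a server certificate in which "Revoke" only updates the CA's database and "Create CRL" publishes it, and a chain check that consults the issuer's published CRL for every certificate below the root. Signatures are not computed; issuer/subject name matching stands in for signature verification so that the validity and revocation logic can be shown on its own. All names, serial numbers and dates are constructed.

```python
"""Chain and CRL validation model for the YaST CA workflow.

Added example, not code from the SUSE guide or from YaST. No cryptography:
name matching stands in for signature verification. All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    is_ca: bool = False  # BasicConstraints: may this certificate issue others?


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict  # serial -> revocation time


@dataclass
class CA:
    cert: Cert
    revoked: dict = field(default_factory=dict)  # the CA's database ('Revoke' in YaST)
    published: Optional[CRL] = None              # what relying parties can actually fetch

    def revoke(self, serial, when):
        self.revoked[serial] = when

    def publish_crl(self, now, lifetime=timedelta(days=7)):
        """'Create CRL' in YaST: only now does a revocation become visible."""
        self.published = CRL(self.cert.subject, now, now + lifetime, dict(self.revoked))


def check_against_issuer(cert, issuer, now):
    """None if cert is acceptable right now, otherwise the reason it is not."""
    if not cert.not_before <= now <= cert.not_after:
        return f"{cert.subject}: outside validity period"
    if cert.issuer != issuer.cert.subject or not issuer.cert.is_ca:
        return f"{cert.subject}: not issued by CA {issuer.cert.subject}"
    crl = issuer.published
    if crl is None:
        return f"{cert.subject}: issuer {issuer.cert.subject} has published no CRL"
    if now > crl.next_update:
        return f"{cert.subject}: CRL of {issuer.cert.subject} is stale (nextUpdate passed)"
    if cert.serial in crl.revoked:
        return f"{cert.subject}: revoked on {crl.revoked[cert.serial]:%Y-%m-%d}"
    return None


def validate_chain(chain, cas, trusted_roots, now):
    """chain = [leaf, sub-CA, ..., root]. Every certificate but the root is checked
    against its issuer's published CRL; the root counts only as a configured trust
    anchor. Returns (ok, reason)."""
    root = chain[-1]
    if root.subject not in trusted_roots or root.issuer != root.subject:
        return False, f"{root.subject}: not a configured trust anchor"
    for cert, issuer_cert in zip(chain, chain[1:]):
        issuer = cas.get(issuer_cert.subject)
        if issuer is None:
            return False, f"{cert.subject}: unknown issuer {issuer_cert.subject}"
        reason = check_against_issuer(cert, issuer, now)
        if reason:
            return False, reason
    return True, "chain valid"


T0 = datetime(2009, 3, 17)
YEAR = timedelta(days=365)


def build_pki():
    """Constructed PKI shaped like the chapter: root CA -> sub-CA -> server certificate."""
    root = CA(Cert("Example Root CA", "Example Root CA", 1, T0, T0 + 10 * YEAR, is_ca=True))
    sub = CA(Cert("Example Sub CA", "Example Root CA", 2, T0, T0 + 5 * YEAR, is_ca=True))
    server = Cert("server", "Example Sub CA", 5, T0, T0 + YEAR)
    return root, sub, server


def scenario():
    """Verdict on the server chain after each step of the revocation workflow."""
    now = T0 + timedelta(days=1)
    root, sub, server = build_pki()
    cas = {root.cert.subject: root, sub.cert.subject: sub}
    chain = [server, sub.cert, root.cert]

    def verdict(when=now):
        return validate_chain(chain, cas, {"Example Root CA"}, when)[0]

    steps = {"no_crl": verdict()}                 # nothing published yet
    root.publish_crl(now); sub.publish_crl(now)
    steps["fresh"] = verdict()
    sub.revoke(server.serial, now)                # Revoke, but no new CRL
    steps["revoked_unpublished"] = verdict()      # still accepted!
    sub.publish_crl(now)                          # Create CRL
    steps["revoked_published"] = verdict()
    steps["stale_crl"] = verdict(now + timedelta(days=30))
    root2, sub2, server2 = build_pki()            # second PKI: revoke the sub-CA instead
    cas2 = {root2.cert.subject: root2, sub2.cert.subject: sub2}
    root2.publish_crl(now); sub2.publish_crl(now)
    root2.revoke(sub2.cert.serial, now); root2.publish_crl(now)
    steps["sub_ca_revoked"] = validate_chain(
        [server2, sub2.cert, root2.cert], cas2, {"Example Root CA"}, now)[0]
    return steps
```

    The "revoked_unpublished" step is the point of the two notes: the server certificate is still accepted after Revoke and only rejected after Create CRL. The "stale_crl" step shows why the CRL must be republished before its nextUpdate; a relying party that treats a stale CRL as valid would keep trusting whatever it says, a relying party that rejects it (as here) fails closed.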
  • Page 223 Figure 17.4 YaST CA Module—Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical. 6 Click Next to see a short summary. 7 Finish your changes with Save. NOTE All changes to the defaults only affect objects created after this point. Already existing CAs and certificates remain unchanged.
  • Page 224 The system maintains only one CRL for each CA. To create or update this CRL, do the following: 1 Start YaST and open the CA module. 2 Enter the required CA, as described in Section 17.2.3, “Creating or Revoking a Sub-CA”...
  • Page 225 Table 17.3 Passwords during LDAP Export Password Meaning LDAP Password Authorizes the user to make entries in the LDAP tree. Certificate Password Authorizes the user to export the certificate. New Certificate Password The PKCS12 format is used during LDAP export. This format forces the assignment of a new password for the exported certificate.
  • Page 226 17.2.8 Exporting CA Objects as a File If you have set up a repository on the computer for administering CAs, you can use this option to create the CA objects directly as a file at the correct location. Different output formats are available, such as PEM, DER, and PKCS12.
  • Page 227 The general server certificate is stored in /etc/ssl/servercerts and can be used there by any CA-supported service. When this certificate expires, it can easily be replaced using the same mechanisms. To get things functioning with the replaced certificate, restart the participating services. If you select Import here, you can select the source in the file system.
  • Page 229: Part IV Confining Privileges with Novell AppArmor

    Part IV. Confining Privileges with Novell AppArmor...
  • Page 231: 18 Introducing AppArmor

    The program fails to keep that trust if there is a bug in the program that allows the attacker to acquire that privilege. Novell® AppArmor is an application security solution designed specifically to provide least privilege confinement to suspect programs. AppArmor allows the administrator to specify the domain of activities the program can perform by developing a security profile for that application—a listing of files that the program may access and the oper-...
  • Page 232: Background Information On Apparmor Profiling

    Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega A good guide to strategic and tactical use of Novell AppArmor to solve severe se- curity problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.
  • Page 233: 19 Getting Started

    Getting Started Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items: 1 Determine the applications to profile. Read more on this in Section 19.3, “Choosing the Applications to Profile” (page 221). 2 Build the needed profiles as roughly outlined in Section 19.4, “Building and...
  • Page 234: Installing Novell AppArmor

    Using Novell AppArmor Control Panel Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.
  • Page 235: Choosing The Applications To Profile

    Panel. These changes take effect as soon as you apply them and survive a reboot of the system. To toggle AppArmor's status, proceed as follows: 1 Start YaST. 2 Select Novell AppArmor > AppArmor Control Panel. 3 Select Enable AppArmor. To disable AppArmor, uncheck this option. 4 Exit the AppArmor Control Panel with Done.
  • Page 236: Building And Modifying Profiles

    There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
  • Page 237 Outline the basic profile by running YaST > Novell AppArmor > Add Profile Wizard and specifying the complete path of the application to profile. A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing but does not yet restrict it.
    2 Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.
  • Page 238: Configuring Novell AppArmor Event Notification and Reports

    19.5 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.
  • Page 239 4 Leave this dialog with OK > Done to apply your settings. Using Novell AppArmor reports, you can read important Novell AppArmor security events reported in the log files without manually sifting through the cumbersome messages only useful to the aa-logprof tool.
  • Page 240: Updating Your Profiles

    Update Profile Wizard. To update your profile set, proceed as follows: 1 Start YaST and choose Novell AppArmor > Update Profile Wizard. 2 Adjust access or execute rights to any resource or for any executable that has been logged when prompted.
  • Page 241: 20 Immunizing Programs

    Effective hardening of a computer system requires minimizing the number of programs that mediate privilege and then securing those programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer.
  • Page 242: Introducing the AppArmor Framework

    This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.
  • Page 243 aa-unconfined / unconfined aa-unconfined detects any application running on your system that listens for network connections and is not protected by an AppArmor profile. Refer to Section “aa-unconfined—Identifying Unprotected Processes” (page 312) for detailed infor- mation about this tool. aa-autodep / autodep aa-autodep creates a basic skeleton of a profile that needs to be fleshed out before it is put to productive use.
  • Page 244: Determining Programs To Immunize

    Once a profile has been built and is loaded, there are two ways in which it can get processed: aa-complain / complain In complain mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged.
  • Page 245: Immunizing Cron Jobs

    types of programs, refer to Section 20.4.1, “Immunizing Web Applications” (page 234). Network Agents Programs (servers and clients) that have open network ports. User clients, such as mail clients and Web browsers mediate privilege. These programs run with the privilege to write to the user's home directory and they process input from potentially hostile remote sources, such as hostile Web sites and e-mailed malicious code.
  • Page 246: Immunizing Network Applications

    The aa-unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. aa-unconfined then reports these programs along with the Novell AppArmor profile associated with each program or reports “none”...
  • Page 247 Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences. Therefore, we leave profiling of user network client applications as an exercise for the user.
  • Page 248 SUSE Linux Enterprise Server, by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have a Novell AppArmor profile. Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them.
  • Page 249 /srv/www/cgi-bin/localtime.php /usr/lib/locale/** If no subprofile has been defined, the Novell AppArmor version of Apache applies the DEFAULT_URI hat. This subprofile is basically sufficient to display an HTML Web page. The DEFAULT_URI hat that Novell AppArmor provides by default is the follow-...
  • Page 250 To use a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile. 20.4.2 Immunizing Network Agents To find network server daemons and network clients (such as fetchmail, Firefox, amaroK...
  • Page 251: 21 Profile Components and Syntax

    AppArmor offers intuitive tools to handle profile updates or modifications. You are ready to build Novell AppArmor profiles after you select the programs to profile. To do so, it is important to understand the components and syntax of profiles.
  • Page 252: Breaking a Novell AppArmor Profile into Its Parts

    Chapter 24, Building Profiles from the Command Line (page 287). 21.1 Breaking a Novell AppArmor Profile into Its Parts The easiest way of explaining what a profile consists of and how to create one is to show the details of a sample profile, in this case for a hypothetical application called /usr/bin/foo: #include <tunables/global>...
  • Page 253 link /etc/sysconfig/foo -> /etc/foo.conf, /bin/mount /dev/{,u}random /etc/ld.so.cache /etc/foo/* /lib/ld-*.so* /lib/lib*.so* /proc/[0-9]** /usr/lib/** /tmp/ /tmp/foo.pid /tmp/foo.* lrw, /@{HOME}/.foo_file /@{HOME}/.foo_lock owner /shared/foo/** rw, /usr/bin/foobar /bin/** px -> bin_generic, # a comment about foo's local (children) profile for /usr/bin/foobar. profile /usr/bin/foobar /bin/bash rmix, /bin/cat rmix,...
  • Page 254 A link pair rule specifying the source and the target of a link. See Section 21.7.6, “Link Pair” (page 250) for more information. The curly braces ({}) make this rule apply to the path both with and without the content enclosed by the braces. A path entry specifying what areas of the file system the program can access.
  • Page 255: Profile Types

    In many cases, Novell AppArmor rules prevent an attack from working because neces- sary files are not accessible and, in all cases, Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor. 21.2 Profile Types AppArmor knows four different types of profiles: standard profiles, unattached profiles, local profiles and hats.
  • Page 256 profile /usr/bin/foo { /usr/bin/foo { Unattached profiles are never used automatically, nor can they be transitioned to through a px rule. They need to be attached to a program by either using a named profile tran- sition (see Section 21.8.7, “Named Profile Transitions” (page 254)) or with the change_profile rule (see Section 21.2.5, “Change rules”...
  • Page 257 21.2.5 Change rules AppArmor provides change_hat and change_profile rules that control domain transitioning. change_hat transitions are specified by defining hats in a profile, while change_profile rules refer to another profile and start with the keyword change_profile: change_profile /usr/bin/foobar, Both change_hat and change_profile provide for an application-directed profile transition, without having to launch a separate application.
  • Page 258: #include Statements

    21.3 #include Statements #include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 259: Capability Entries (POSIX.1e)

    21.3.3 Tunables The tunables directory (/etc/apparmor.d/tunables) contains global variable definitions. When used in a profile, these variables expand to a value that can be changed without changing the entire profile. Add all the tunables definitions that should be available to every profile to /etc/apparmor.d/tunables/global. 21.4 Capability Entries (POSIX.1e) Capabilities statements are simply the word capability followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page.
  • Page 260: Paths And Globbing

    network, : Allow all networking. No restrictions applied with regard to domain, type, or protocol.
    network inet, : Allow general use of IPv4 networking.
    network inet6, : Allow general use of IPv6 networking.
    network inet stream, : Allow the use of IPv4 stream (TCP) sockets.
    network inet tcp, : Allow the use of IPv4 TCP networking.
    network tcp, : Allow the use of TCP over both IPv4 and IPv6.
  • Page 261 Globbing (or regular expression matching) is when you modify the directory path using wild cards to include a group of files or subdirectories. File resources can be specified with a globbing syntax similar to that used by popular shells, such as csh, Bash, and zsh.
  • Page 262 home directories in all affected profiles, you only need to change the value of a variable. Global variables are defined under /etc/apparmor.d/tunables and have to be made available via an #include statement. Find the variable definitions for this use case (@{HOME} and @{HOMEDIRS}) in the /etc/apparmor.d/tunables/ home file.
  • Page 263: File Permission Access Modes

    21.7 File Permission Access Modes File permission access modes consist of combinations of the following modes:
    r : Read mode
    w : Write mode (mutually exclusive with a)
    a : Append mode (mutually exclusive with w)
    k : File locking mode
    l : Link mode
    link file -> target : Link pair rule (cannot be combined with other access modes)
    21.7.1 Read Mode (r) Allows the program to have read access to the resource.
  • Page 264 As the append permission is just a subset of the permissions associated with the write mode, the w and a permission flags cannot be used together and are mutually exclusive. 21.7.4 File Locking Mode (k) The application can take file locks. Former versions of AppArmor allowed files to be locked if an application had access to them.
  • Page 265 21.7.7 Owner Conditional Rules The file rules can be extended so that they are conditional upon the user being the owner of the file (the fsuid has to match the file's uid). For this purpose the owner keyword is prepended to the rule. Owner conditional rules accumulate just as regular file rules.
  • Page 266: Execute Modes

    21.8 Execute Modes Execute modes, also named profile transitions, consist of the following modes:
    px : Discrete profile execute mode
    cx : Discrete local profile execute mode
    ux : Unconstrained execute mode
    ix : Inherit execute mode
    m : Allow PROT_EXEC with mmap(2) calls
    21.8.1 Discrete Profile Execute Mode (px) This mode requires that a discrete security profile is defined for a resource executed at an AppArmor domain transition.
  • Page 267 NOTE: Limitations of the Discrete Local Profile Execute Mode (cx) Currently cx transitions are limited to top level profiles and can not be used in hats and children profiles. This restriction will be removed in the future. Incompatible with Ux, ux, Px, px, Cx, and ix. 21.8.3 Unconstrained Execute Mode (ux) Allows the program to execute the resource without any AppArmor profile applied to the executed resource.
  • Page 268 21.8.5 Inherit Execute Mode (ix) ix prevents the normal AppArmor domain transition on execve(2) when the profiled program executes the named program. Instead, the executed resource inherits the current profile. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile.
  • Page 269 /usr/*bash cx -> local_profile, profile local_profile NOTE: Difference Between Normal and Named Transitions When used with globbing, normal transitions provide a “one to many” relation- ship—/bin/** px will transition to /bin/ping, /bin/cat, etc, depending on the program being run. Named transitions provide a “many to one” relationship—all programs that match the rule regardless of their name will transition to the specified profile.
  • Page 270 • GCONV_PATH • GETCONF_DIR • HOSTALIASES • LD_AUDIT • LD_DEBUG • LD_DEBUG_OUTPUT • LD_DYNAMIC_WEAK • LD_LIBRARY_PATH • LD_ORIGIN_PATH • LD_PRELOAD • LD_PROFILE • LD_SHOW_AUXV • LD_USE_LOAD_BIAS • LOCALDOMAIN • LOCPATH • MALLOC_TRACE • NLSPATH • RESOLV_HOST_CONF • RES_OPTIONS • TMPDIR •...
  • Page 271: Resource Limit Control

    21.9 Resource Limit Control AppArmor provides the ability to set and control an application's resource limits (rlimits, also known as ulimits). By default AppArmor does not control applications rlimits, and it will only control those limits specified in the confining profile. For more information about resource limits, refer to the setrlimit(2), ulimit(1), or ulimit(3) man pages.
  • Page 272: Auditing Rules

    fsize, nofile, locks, sigpending, nproc , rtprio a number greater or equal to 0 nice a value between -20 and 19 The nproc rlimit is handled differently from all the other rlimits. Instead of indicating the standard process rlimit it controls the maximum number of processes that can be running under the profile at any given time.
  • Page 273: Setting Capabilities Per Profile

    Audit control can be combined with owner conditional file rules to provide auditing when a user accesses files they own (at the moment it is not possible to audit files they do not own): audit owner /home/*/.ssh/** 21.11 Setting Capabilities per Profile Normally AppArmor only restricts existing native Linux controls and does not grant additional privileges.
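    Sections 21.3 through 21.10 describe the pieces of a profile one at a time. The following is an added example, not code from the SUSE guide or from the AppArmor parser (apparmor_parser remains the authority): a complete profile for a hypothetical /usr/bin/foo that uses includes, a capability, a network rule, an rlimit, audit and owner prefixes, a link pair, every execute mode except ux, and a child profile, followed by a small linter that enforces the combination rules the chapter states (w and a are mutually exclusive, one execute mode per rule, cx only in top-level profiles, a named transition only with px/cx) and flags ux because it runs the target unconfined. The paths, abstractions and the child profile name are assumptions made for the example.

```python
"""Lint the file rules of an AppArmor profile against the rules of this chapter.

Added example, not code from the SUSE guide or from apparmor_parser.
SAMPLE_PROFILE is constructed for a hypothetical /usr/bin/foo.
"""
import re

SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/foo {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setgid,
  network inet tcp,
  set rlimit nproc <= 10,

  /usr/bin/foo mr,
  /lib/lib*.so* mr,
  /etc/foo/* r,
  audit /etc/foo/secret.conf r,
  /var/log/foo.log a,
  /var/lib/foo/** rwk,
  /tmp/foo.pid w,
  owner @{HOME}/.foo_file rw,
  link /etc/sysconfig/foo -> /etc/foo.conf,

  /usr/bin/foobar px,
  /usr/bin/foo-helper cx -> helper,
  /bin/sh ix,

  profile helper {
    #include <abstractions/base>
    /usr/bin/foo-helper mr,
    /var/lib/foo/** r,
  }
}
"""

EXEC_MODES = {"ix", "px", "Px", "cx", "Cx", "ux", "Ux"}
FILE_MODES = set("rwalkm")
KEYWORD_RULES = {"capability", "network", "set", "link", "change_profile"}
FILE_RULE = re.compile(
    r"^(?:(audit)\s+)?(?:(owner)\s+)?(\S+)\s+([A-Za-z]+)(?:\s+->\s+(\S+))?$")


def parse_mode(mode):
    """Split a mode string such as 'rwPx' into (plain modes, execute modes, unknown)."""
    plain, execs, unknown = set(), set(), []
    i = 0
    while i < len(mode):
        if mode[i:i + 2] in EXEC_MODES:
            execs.add(mode[i:i + 2])
            i += 2
        else:
            (plain.add if mode[i] in FILE_MODES else unknown.append)(mode[i])
            i += 1
    return plain, execs, unknown


def lint_profile(text):
    """Return a list of findings; an empty list means the file rules are consistent."""
    findings = []
    depth = 0  # 1 = inside a top-level profile, 2 = inside a child profile or hat
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#include"):
            continue
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if not line.endswith(","):
            findings.append(f"line {lineno}: rule does not end with ','")
            continue
        body = line[:-1].strip()
        if body.split()[0] in KEYWORD_RULES:
            continue  # capability, network, rlimit, link pair: not checked here
        m = FILE_RULE.match(body)
        if not m:
            findings.append(f"line {lineno}: unrecognised rule {body!r}")
            continue
        _audit, _owner, path, mode, target = m.groups()
        plain, execs, unknown = parse_mode(mode)
        if unknown:
            findings.append(f"line {lineno}: unknown mode {''.join(unknown)!r} in {mode!r}")
        if {"w", "a"} <= plain:
            findings.append(f"line {lineno}: 'w' and 'a' are mutually exclusive ({path})")
        if len(execs) > 1:
            findings.append(f"line {lineno}: more than one execute mode {sorted(execs)} ({path})")
        if execs & {"cx", "Cx"} and depth > 1:
            findings.append(f"line {lineno}: cx/Cx only allowed in top-level profiles ({path})")
        if execs & {"ux", "Ux"}:
            findings.append(f"line {lineno}: {path} would run unconfined (ux/Ux)")
        if target and not execs & {"px", "Px", "cx", "Cx"}:
            findings.append(f"line {lineno}: '-> {target}' needs px/Px/cx/Cx ({path})")
    if depth != 0:
        findings.append("unbalanced braces")
    return findings
```

    Run lint_profile() over a profile before handing it to apparmor_parser to catch the mode combinations the chapter rules out; the ux finding is advisory, since an unconfined child is sometimes unavoidable, but every such line deserves a comment explaining why.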
  • Page 275: 22 AppArmor Profile Repositories

    AppArmor also supports the use of an external profile repository. This repository is maintained by Novell and allows you to download profiles generated by Novell and other AppArmor users as well as uploading your own. Find the profile repository at http://apparmor.opensuse.org.
  • Page 276: Using The External Repository

    22.2 Using the External Repository The external AppArmor profile repository at http://apparmor.opensuse.org serves two main purposes: Allow users to either browse and download profiles created by other users or to upload their profiles to be able to easily use them on different machines.
  • Page 277 AppArmor tools should search profiles on the server. url holds the server URL and preferred_user tells the AppArmor tools to prefer profiles created by the novell user. Those profiles were created, tested and approved by members of the SUSE development team.
  • Page 278 22.2.3 Uploading Your Own Profile After a profile has been created or updated, the AppArmor tools detect that a profile also present in the repository has been changed or that a new one has been created. If your system is configured to upload profiles to the repository, you are prompted to provide a ChangeLog to document your changes before the changes are uploaded to the server.
  • Page 279: 23 Building and Managing Profiles with YaST

    Building and Managing Profiles with YaST YaST provides an easy way to build profiles and manage Novell® AppArmor. It provides two interfaces: a fully graphical one and a text-based one. The text-based interface consumes less resources and bandwidth, making it a better choice for remote administration or for times when a local graphical environment is inconvenient.
  • Page 280 Section 23.1, “Adding a Profile Using the Wizard” (page 267). Manually Add Profile Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 23.2, “Manually Adding a Profile”...
  • Page 281: Adding A Profile Using The Wizard

    23.1 Adding a Profile Using the Wizard Add Profile Wizard is designed to set up Novell AppArmor profiles using the AppArmor profiling tools, aa-genprof (generate profile) and aa-logprof (update profiles from learning mode log file). For more information about these tools, refer to Section 24.6.3,...
  • Page 282 3 Enter the name of the application or browse to the location of the program. 4 Click Create. This runs an AppArmor tool named aa-autodep, which performs a static analysis of the program to profile and loads an approximate profile into the AppArmor module.
  • Page 283 5 If the profile already exists in the local profile repository under /etc/apparmor/profiles/extra, YaST informs you that there is an inactive profile which you can either use as a base for your own efforts or which you can just accept as is. Alternatively, you can choose not to use the local version at all and start creating the profile from scratch.
  • Page 284 The questions fall into two categories: • A resource is requested by a profiled program that is not in the profile (see Figure 23.2, “Learning Mode Exception: Controlling Access to Specific Resources” (page 270)). Allow or deny access to a specific resource. •...
  • Page 285 Depending on the situation, these options are avail- able: #include The section of a Novell AppArmor profile that refers to an include file. Include files give access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 286 Actual Pathname Literal path that the program needs to access to run properly. After selecting a directory path, process it as an entry to the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 287 Close aa-logprof, saving all rule changes entered so far and modifying all profiles. Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile. NOTE The number of learning mode entries corresponds to the complexity of the application.
  • Page 288 Unconfined Execute the program without a security profile. When prompted, have AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process. WARNING: Risks of Running Unconfined Unless absolutely necessary, do not run unconfined. Choosing the Unconfined option executes the new program without any protection from AppArmor.
  • Page 289: Manually Adding A Profile

    23.2 Manually Adding a Profile Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile, then add entries. 1 Start YaST and select Novell AppArmor > Manually Add Profile.
  • Page 290 2 From the list of profiled applications, select the profile to edit. 3 Click Next. The AppArmor Profile Dialog window displays the profile. 4 In the AppArmor Profile Dialog window, add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to...
  • Page 291 (page 275) or Section 23.3, “Editing Profiles” (page 275). When you select Add Entry, a list shows the types of entries you can add to the Novell AppArmor profile. From the list, select one of the following: File In the pop-up window, specify the absolute path of a file, including the type of access permitted.
  • Page 292 Directory In the pop-up window, specify the absolute path of a directory, including the type of access permitted. You can use globbing if necessary. When finished, click OK. For globbing information, refer to Section 21.6, “Paths and Globbing” (page 246). For file access permission information, refer to Section 21.7, “File Permission Access Modes”...
  • Page 293 OK. Include In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 21.3, “#include Statements”...
  • Page 294 In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat. For more information, refer to Chapter 25, Profiling Your Web Applications Using ChangeHat (page 315). 23.3.2 Editing an Entry When you select Edit Entry, the file browser pop-up window opens.
  • Page 295: Deleting A Profile

    23.5 Updating Profiles from Log Entries The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program.
  • Page 296 Section 23.1, “Adding a Profile Using the Wizard” (page 267) for details. 2 When you are done, click Finish. In the following pop-up, click Yes to exit the Add Profile Wizard. The profile is saved and loaded into the Novell AppArmor module. Security Guide...
  • Page 297: Managing Novell AppArmor and Security Event Status

    To configure event notification or change the status of AppArmor, start YaST and select Novell AppArmor > Novell AppArmor Control Panel. From the AppArmor Configuration screen, determine whether Novell AppArmor and security event notification are running by looking for a status message that reads enabled or configure the mode of individual profiles.
  • Page 298 To change the status of Novell AppArmor, continue as described in Section 23.6.1, “Changing Novell AppArmor Status” (page 284). To change the mode of individual profiles, continue as described in Section 23.6.2, “Changing the Mode of Individual Profiles” (page 284). To configure security event notification, continue as described in Section 27.2, “Configuring Security Event Notification”...
  • Page 299 To edit an application's profile mode, proceed as follows: 1 Start YaST and select Novell AppArmor > AppArmor Control Panel. 2 In the Configure Profile Modes section, select Configure. 3 Select the profile for which to change the mode.
  • Page 301: 24 Building Profiles from the Command Line

    Building Profiles from the Command Line Novell® AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify AppArmor profiles using the AppArmor command line tools.
  • Page 302 Stopped The AppArmor module is loaded into the kernel, but no policies are enforced. Detect the state of the AppArmor module by inspecting /sys/kernel/security/ apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
  • Page 303: Building Apparmor Profiles

    WARNING AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you must boot the machine from a rescue medium (such as the first medium of SUSE Linux Enterprise Server) to regain control.
  • Page 304: Adding Or Creating An Apparmor Profile

    24.3 Adding or Creating an AppArmor Profile To add or create an AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Learn more about these two approaches in Section 24.6, “Two Methods of Profiling” (page 291).
  • Page 305: Two Methods Of Profiling

    4 Enter ls to view all the AppArmor profiles that are currently installed. 5 Delete the profile with rm profilename. 6 Restart AppArmor by entering rcapparmor restart in a terminal window. 24.6 Two Methods of Profiling Given the syntax for AppArmor profiles in Chapter 21, Profile Components and Syntax (page 237), you could create profiles without using the tools.
  • Page 306 24.6.1 Stand-Alone Profiling Stand-alone profile generation and improvement is managed by a program called aa-genprof. This method is easy because aa-genprof takes care of everything, but is limited because it requires aa-genprof to run for the entire duration of the test run of your program (you cannot reboot the machine while you are still developing your profile).
  • Page 307 Step 3 (page 293)) and learn the access needs of the program so it runs properly. With this information, you can decide how secure to make the profile. Refer to Section “aa-complain—Entering Complain or Learning Mode” (page 295) for more detailed instructions for using learning or complain mode. 3 Exercise your application.
  • Page 308 available through the YaST Profile Mode module, described in Section 23.6.2, “Changing the Mode of Individual Profiles” (page 284). To ensure that all profiles are taken out of complain mode and put into enforce mode, enter aa-enforce /etc/apparmor.d/*. 8 Rescan all profiles. To have AppArmor rescan all of the profiles and change the enforcement mode in the kernel, enter rcapparmor restart.
  • Page 309 aa-autodep [ -d /path/to/profiles ] [program1 program2...] If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/apparmor.d, should you keep profiles in a location other than the default. To begin profiling, you must create profiles for each main executable service that is part of your application (anything that might start without being a child of another program that already has a profile).
  • Page 310 • If the example program (program1) is in your path, use: aa-complain [program1 program2 ...] • If the program is not in your path, specify the entire path as follows: aa-complain /sbin/program1 • If the profiles are not in /etc/apparmor.d, use the following to override the default location: aa-complain /path/to/profiles/program1 •...
  • Page 311 Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as root. •...
  • Page 312 it to complain mode, reloads it into AppArmor, marks the log, and prompts the user to execute the program and exercise its functionality. Its syntax is as follows: aa-genprof [ -d /path/to/profiles ] program To create a profile for the Apache Web server program httpd2-prefork, do the following as root: 1 Enter rcapache2 stop.
  • Page 313 4. Marks the log with a beginning marker of log events to consider. For example: Sep 13 17:48:52 figwit root: GenProf: e2ff78636296f16d0b5301209a04430d 3 When prompted by the tool, run the application to profile in another terminal window and perform as many of the application functions as possible. Thus, the learning mode can log the files and directories to which the program requires access in order to function properly.
  • Page 314 Each of these categories results in a series of questions that you must answer to add the resource or program to the profile. Example 24.1, “Learning Mode Exception: Controlling Access to Specific Resources” (page 300) and Example 24.2, “Learning Mode Exception: Defining Execute Permissions for an Entry” (page 302) provide examples of each one.
  • Page 315 Unconfined (ux) The child runs completely unconfined without any AppArmor profile applied to the executed resource. Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed to the child process. This option introduces a security vulnerability that could be used to exploit AppArmor.
  • Page 316 Example 24.2 Learning Mode Exception: Defining Execute Permissions for an Entry Adding /bin/ps ix to profile. Profile: /usr/sbin/xinetd Path: /etc/hosts.allow New Mode: r [1 - /etc/hosts.allow] [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish AppArmor provides one or more paths or includes.
  • Page 317 Select Enter Allows access to the selected directory path. Allow Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information, refer to Section 21.7, “File Permission Access Modes” (page 249). Deny Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.
  • Page 318 6 To view and edit your profile using vim, enter vim /etc/apparmor.d/profilename in a terminal window. 7 Restart AppArmor and reload the profile set including the newly created one using the rcapparmor restart command. Like the graphical front-end for building AppArmor profiles, the YaST Add Profile Wizard, aa-genprof also supports the use of the local profile repository under /etc/apparmor/profiles/extras and the remote AppArmor profile repository.
  • Page 319 5 Determine whether you want to use the profile downloaded from the server or whether you would just like to review it: Profile: /usr/bin/opera [1 - novell] [(V)iew Profile] / (U)se Profile / (C)reate New Profile / Abo(r)t / (F)inish If you want to just use this profile, hit U (Use Profile) and follow the profile generation procedure outlined above.
  • Page 320 aa-logprof—Scanning the System Log aa-logprof is an interactive tool used to review the learning or complain mode output found in the log entries in /var/log/audit/audit.log or /var/log/ messages (if auditd is not running) and generate new entries in AppArmor security profiles.
  • Page 321 aa-logprof -d /path/to/profile/directory/ Specifies the full path to the location of the profiles if the profiles are not located in the standard directory, /etc/apparmor.d/. aa-logprof -f /path/to/logfile/ Specifies the full path to the location of the log file if the log file is not located in the default directory, /var/log/audit/audit.log or /var/log/messages (if auditd is not running).
  • Page 322 questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated name service profile package can be made just once, rather than needing to revise many profiles. Profile: /usr/sbin/httpd2-prefork Path: /etc/group New Mode: r...
  • Page 323 Glob w/Ext This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the .ext extension. Abort Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.
  • Page 324 to all .jpg files in the entire directory tree) or /** (which would grant access to all files in the directory tree). These items deal with read accesses. Write accesses are similar, except that it is good policy to be more conservative in your use of regular expressions for write accesses. Dealing with execute accesses is more complex.
  • Page 325 • You can avoid adding the helper applications, such as tar and rpm, to the /usr/bin/mail profile so that when /usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without AppArmor protection.
  • Page 326: Important Filenames And Directories

    IMPORTANT: Running Unconfined Choosing ux is very dangerous and provides no enforcement of policy from a security perspective of resulting execution behavior of the child program. aa-unconfined—Identifying Unprotected Processes The aa-unconfined command examines open network ports on your system, compares that to the set of profiles loaded on your system, and reports network services that do not have AppArmor profiles.
  • Page 327 /etc/apparmor/ Location of AppArmor configuration files. /etc/apparmor/profiles/extras/ A local repository of profiles shipped with AppArmor, but not enabled by default. /etc/apparmor.d/ Location of profiles, named with the convention of replacing the / in paths with . (not for the root /) so profiles are easier to manage. For example, the profile for the program /usr/sbin/ntpd is named usr.sbin.ntpd.
  • Page 329: 25 Profiling Your Web Applications Using ChangeHat

    It enables you to define security at a finer level than the process. This feature requires that each application be made “ChangeHat aware” meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution. Two examples for ChangeHat-aware applications are the Apache Web server and Tomcat.
  • Page 330: Apache ChangeHat

    Enterprise Server). This module makes the Apache Web server ChangeHat aware. Install it along with Apache. When Apache is ChangeHat aware, it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives.
  • Page 331 25.1.1 Managing ChangeHat-Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Managing ChangeHat-aware applications from the command line is much more flexible, but the process is also more complicated.
  • Page 332 Refresh button to make sure that Apache processes the request for the phpsysinfo URI. 6 Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step.
  • Page 333 In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined).
  • Page 334 Example 25.1 Example phpsysinfo Hat /usr/sbin/httpd2-prefork { ^phpsysinfo { #include <abstractions/bash> #include <abstractions/nameservice> /bin/basename ixr, /bin/bash ixr, /bin/df ixr, /bin/grep ixr, /bin/mount /bin/sed ixr, /dev/bus/usb/ /dev/bus/usb/** /dev/null /dev/tty /dev/urandom /etc/SuSE-release /etc/ld.so.cache /etc/lsb-release /etc/lsb-release.d/ /lib/ld-2.6.1.so ixr, /proc/** /sbin/lspci ixr, /srv/www/htdocs/phpsysinfo/** /sys/bus/pci/** /sys/bus/scsi/devices/ /sys/devices/** /usr/bin/cut...
  • Page 335 Section 23.2, “Manually Adding a Profile” (page 275)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following. 1 From the AppArmor Profile Dialog window, click Add Entry then select Hat.
  • Page 336: Configuring Apache for mod_apparmor

    2 Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat. 3 Click Create Hat. You are returned to the AppArmor Profile Dialog screen.
  • Page 337 http://httpd.apache.org/docs-2.2/mod/core.html#virtualhost. The ChangeHat-specific configuration keyword is AADefaultHatName. It is used similarly to AAHatName, for example, AADefaultHatName My_Funky_Default_Hat. The configuration option is actually based on a server directive, which enables you to use the keyword outside of other options, setting it for the default server. Virtual hosts are considered internally within Apache to be separate “servers,”...
  • Page 338 The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example: <Directory "/srv/www/www.immunix.com/docs"> # Note lack of trailing slash AAHatName immunix.com </Directory> The program phpsysinfo is used to illustrate a location directive in the following example. Example: http://phpsysinfo
  • Page 339 /usr/share/pci.ids /usr/share/usb.ids /var/log/apache2/access_log /var/run/utmp 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root. 4 Restart Apache by entering rcapache2 restart at a terminal window as root. 5 Enter http://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.
  • Page 341: Confining Users with pam_apparmor

    (see Section 21.11, “Setting Capabilities per Profile” (page 259) for more information), it allows you to map restricted admin profiles to users. A detailed HOWTO on setting up RBAC with AppArmor is available at http://developer.novell.com/wiki/index.php/Apparmor_RBAC_in_version_2.3. Confining Users with pam_apparmor...
  • Page 343: 27 Managing Profiled Applications

    Applications After creating profiles and immunizing your applications, SUSE® Linux Enterprise Server becomes more efficient and better protected if you perform Novell® AppArmor profile maintenance, which involves analyzing log files and refining your profiles as well as backing up your set of profiles and keeping it up-to-date. You can deal with...
  • Page 344: Configuring Security Event Notification

    Novell AppArmor activity occurs. Activate it by selecting a notification frequency (receiving daily notification, for example). Enter an e-mail address, so you can be notified by e-mail when Novell AppArmor security events occur. Select one of the following notification types:...
  • Page 345 Verbose Notification Verbose notification displays unmodified, logged Novell AppArmor security events. It tells you every time an event occurs and writes a new line in the verbose log. These security events include the date and time the event occurred, when the application profile permits and rejects access, and the type of file permission access that is permitted or rejected.
  • Page 346 NOTE: Severity Levels Novell AppArmor sends out event messages for things that are in the severity database and above the level selected. Severity levels are numbered 1 through 10, with 10 being the most severe security incident.
  • Page 347: Configuring Reports

    Section 27.5, “Reacting to Security Event Rejections” (page 354). 27.3 Configuring Reports Novell AppArmor's reporting feature adds flexibility by enhancing the way users can view security event data. The reporting tool performs the following: • Creates on-demand reports • Exports reports •...
  • Page 348 Section “Security Incident Report” (page 341). To use the Novell AppArmor reporting features, proceed with the following steps: 1 Open YaST > Novell AppArmor. 2 In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event Reports window appears. From the Reports window, select an option and proceed...
  • Page 349 View Archive Displays all reports that have been run and stored in /var/log/apparmor/reports-archived/. Select the report you want to see in detail and click View. For View Archive instructions, proceed to Section 27.3.1, “Viewing Archived Reports” (page 336). Run Now Produces an instant version of the selected report type.
  • Page 350 Back Returns you to the Novell AppArmor main screen. Abort Returns you to the Novell AppArmor main screen. Next Performs the same function as the Run Now button. 27.3.1 Viewing Archived Reports View Reports enables you to specify the location of a collection of reports from one or more systems, including the ability to filter by date or names of programs accessed and display them all together in one report.
  • Page 351 3 You can alter the directory location of the archived reports in Location of Archived Reports. Select Accept to use the current directory or select Browse to find a new report location. The default directory is /var/log/apparmor/reports-archived. 4 To view all the reports in the archive, select View All. To view a specific report, select a report file listed in the Report field then select View.
  • Page 352 Program Name When you enter a program name or pattern that matches the name of the binary executable of the program of interest, the report displays security events that have occurred for a specific program. Profile Name When you enter the name of the profile, the report displays the security events that are generated for the specified profile.
  • Page 353 Location to Store Log Enables you to change the location at which to store the exported report. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the file system. 8 To see the report, filtered as desired, select Next. One of the three reports displays. 9 Refer to the following sections for detailed information about each type of report.
  • Page 354 The following fields are provided in an application audit report: Host The machine protected by AppArmor for which the security events are reported. Date The date during which security events occurred. Program The name and path of the executing process. Profile The absolute name of the security profile that is applied to the process.
  • Page 355 Type This field reveals the type of confinement the security event represents. It says either complain or enforce. If the application is not confined (state), no type of confinement is reported. Security Incident Report A security incident report displays security events of interest to an administrator. The SIR reports policy violations for locally confined applications during the specified time period.
  • Page 356 The fields in the SIR report have the following meanings: Host The machine protected by AppArmor for which the security events are reported. Date The date during which security events occurred. Program The name of the executing process. Profile The absolute name of the security profile that is applied to the process. A number that uniquely identifies one specific process or running program (this number is valid only during the lifetime of that process).
  • Page 357 termined by the threat or importance of different security events, such as certain resources accessed or services denied. Mode The mode is the permission that the profile grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute). Detail A source to which the profile has denied access. This includes capabilities and files.
  • Page 358 27.3.2 Run Now: Running On-Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. If you need help navigating to the main report screen, see Section 27.3, “Configuring Reports”...
  • Page 359 4 The Report Configuration Dialog enables you to filter the reports selected in the previous screen. Enter the desired filter details. The following filter options are available: Date Range To limit reports to a certain time period, select Filter By Date Range. Enter the start and end dates that determine the scope of the report.
  • Page 360 Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset filters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.
  • Page 361 NOTE Return to the beginning of this section if you need help navigating to the main report screen (see Section 27.3, “Configuring Reports” (page 333)). To add a new scheduled security incident report, proceed as follows: 1 Click Add to create a new security incident report. The first page of Add Scheduled SIR opens.
  • Page 362 Hour and Minute Select the time. This specifies the hour and minute that you would like the reports to run. If you do not change the time, the selected report runs at midnight. If neither month nor day of week is selected, the report runs daily at the specified time.
  • Page 363 The options are r (read), w (write), l (link), and x (execute). 5 Click Save to save this report. Novell AppArmor returns to the Scheduled Reports main window where the newly scheduled report appears in the list of reports.
  • Page 364: Editing Reports

    27.3.4 Editing Reports From the AppArmor Reports screen, you can select and edit a report. The three preconfigured reports (stock reports) cannot be edited or deleted. NOTE Return to the beginning of this section if you need help navigating to the main report screen (see Section 27.3, “Configuring Reports”...
  • Page 365 Hour and Minute Select the time. This specifies the hour and minute that you would like the reports to run. If you do not change the time, the selected report runs at midnight. If neither the day of the month nor day of the week is selected, the report runs daily at the specified time.
  • Page 366 The options are r (read), w (write), l (link), and x (execute). 6 Select Save to save the changes to this report. Novell AppArmor returns to the Scheduled Reports main window where the scheduled report appears in the list of reports.
  • Page 367: Configuring and Using the AppArmor Desktop Monitor Applet

    27.3.5 Deleting Reports Delete a Report enables you to permanently remove a report from the list of Novell AppArmor scheduled reports. To delete a report, follow these instructions: 1 To remove a report from the list of reports, highlight the report and click Delete.
  • Page 368: Reacting To Security Event Rejections

    If the rejected action is part of normal application behavior, run aa-logprof at the command line or the Update Profile Wizard in Novell AppArmor to update your profile. If the rejected action is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
  • Page 369 27.6.2 Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 23.3, “Editing Profiles”...
  • Page 370 • Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed using aa-logprof. For detailed instructions, refer to Section “aa-logprof—Scanning the System Log” (page 306). • Run the YaST Update Profile Wizard to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected).
  • Page 371: 28 Support

    28.1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux Enterprise Server. Retrieve and apply them exactly as you would any other package that ships as part of SUSE Linux Enterprise Server.
  • Page 372 The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are: • unconfined(8) • autodep(1) • complain(1) •...
  • Page 373: For More Information

    • apparmor.d(5) • apparmor.vim(5) • apparmor(7) • apparmor_parser(8) 28.3 For More Information Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/ or in the installed system in /usr/share/doc/manual.
  • Page 374: Troubleshooting

    AppArmor is too closely constricting your application. To check reject messages, start YaST > Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report.
  • Page 375 • Network Access Control • The SYS_PTRACE Capability • Directory Path Access The current version of AppArmor mediates file locking and introduces a new permission mode (k) for this. Applications requesting file locking permission might misbehave or fail altogether if confined by older profiles which do not explicitly contain permissions to lock files.
  • Page 376 capability SYS_PTRACE, /proc/*/fd/** To update the profile to the new syntax, use the YaST Update Profile Wizard or the aa-logprof command as outlined below. With this version of AppArmor, a few changes have been made to the profile rule syntax to better distinguish directory from file access. Therefore, some rules matching both file and directory paths in the previous version might now just match a file path.
  • Page 377 The following rule works similarly both under the old and the new syntax and allows access to both files and directories beginning with foo under /proc/net: /proc/net/foo** To distinguish file from directory access in the new syntax and use the ** globbing pattern, use the following two rules.
  • Page 378 5 Once the profile is updated, put it back into enforce mode via the YaST AppArmor Control Panel. Using the AppArmor command line tools, you would proceed as follows: 1 Put the application's profile into complain mode: aa-complain /path/to/application 2 Run the application. 3 Update the profile according to the log entries made while running the application: aa-logprof /path/to/application 4 Put the resulting profile back into enforce mode:...
  • Page 379 Modify KDE's process handling Use the KDE_EXEC_SLAVES=1 and KDE_IS_PRELINKED=1 variables to force KDE to manage its processes in a way that lets AppArmor distinguish individual applications from each other and apply profiles to them. This approach might slow down your desktop considerably, as it turns off a crucial optimization for speed. Note that the above mentioned environment variables have to be set before KDM/XDM/GDM or startx are started.
  • Page 380 28.4.8 How to Spot and fix AppArmor Syntax Errors? Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, error results are shown. This example shows the syntax of the entire parser error.
  • Page 381: Reporting Bugs For Apparmor

    1 Use your Web browser to go to https://bugzilla.novell.com/index.cgi. 2 Enter the account data of your Novell account and click Login. Create a new Novell account as follows: 2a Click Create New Account on the Login to Continue page.
  • Page 382 Provide data on which other Novell accounts you maintain to sync all these to one account. 3 Check whether a problem similar to yours has already been reported by clicking Search Reports. Use a quick search against a given product and keyword or use the Advanced Search.
  • Page 383: 29 AppArmor Glossary

    By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability during which an attack signature must first be defined, as there is for products that rely on attack signatures to secure their networks.
  • Page 384 Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.
  • Page 385 The first part of the address indicates what protocol to use and the second part specifies the IP address or the domain name where the resource is located. For example, in http://www.novell.com, http is the protocol to use. vulnerabilities An aspect of a system or network that leaves it open to attack; characteristics of computer systems that allow an individual to keep them from operating correctly or that allow unauthorized users to take control of the system.
  • Page 387: Part V The Linux Audit Framework

    Part V. The Linux Audit Framework...
  • Page 389: 30 Understanding Linux Audit

    Understanding Linux Audit The Linux audit framework as shipped with this version of SUSE Linux Enterprise Server provides a CAPP-compliant (Controlled Access Protection Profiles) auditing system that reliably collects information about any security-relevant events. The audit records can be examined to determine whether any violation of the security policies has been committed and by whom.
  • Page 390 Instead, Audit is useful for tracking these issues and helps you take additional security measures, like Novell AppArmor, to prevent them. Audit consists of several components, each contributing crucial functionality to the overall framework.
  • Page 391 • Remote Host Address • System Call • System Call Arguments • File • File Operations • Success or Failure Apply a Selective Audit Audit provides the means to filter the audit reports for events of interest and also to tune audit to record only selected events. You can create your own set of rules and have the audit daemon record only those of interest to you.
  • Page 392: Introducing The Components Of Linux Audit

    30.1 Introducing the Components of Linux Audit The following figure illustrates how the various components of audit interact with each other: Figure 30.1 Introducing the Components of Linux Audit [figure: auditd.conf, audit.rules, auditctl, audispd, aureport, auditd, audit.log, application, ausearch, autrace, audit kernel] Straight arrows represent the data flow between components while dashed arrows represent lines of control between components.
  • Page 393: Configuring The Audit Daemon

    auditctl The auditctl utility controls the audit system. It controls the log generation parameters and kernel settings of the audit interface as well as the rule sets that determine which events are tracked. For more information about auditctl, refer to Section 30.3, “Controlling the Audit System Using auditctl”...
  • Page 394 configuration file and configure how the audit system functions once the daemon has been started in /etc/audit/auditd.conf. The most important configuration parameters in /etc/sysconfig/auditd are: AUDITD_LANG="en_US" AUDITD_DISABLE_CONTEXTS="no" AUDITD_LANG The locale information used by audit. The default setting is en_US. Setting it to none would remove all locale information from audit's environment.
  • Page 395 Depending on whether you want your environment to satisfy the requirements of CAPP, you need to be extra restrictive when configuring the audit daemon. Where you need to use particular settings to meet the CAPP requirements, a “CAPP Environment” note tells you how to adjust the configuration.
  • Page 396 NOTE: CAPP Environment In a CAPP environment, make sure that the audit trail is always fully up to date and complete. Therefore, use sync or data with the flush parameter. num_logs Specify the number of log files to keep if you have given rotate as the max_log_file_action.
  • Page 397 to be taken is specified in max_log_file_action. Possible values for max_log_file_action are ignore, syslog, suspend, rotate, and keep_logs. ignore tells the audit daemon to do nothing once the size limit is reached, syslog tells it to issue a warning and send it to syslog, and suspend causes the audit daemon to stop writing logs to disk leaving the daemon itself still alive.
  • Page 398 action_mail_acct Specify an e-mail address or alias to which any alert messages should be sent. The default setting is root, but you can enter any local or remote account as long as e-mail and the network are properly configured on your system and /usr/lib/sendmail exists.
  • Page 399: Controlling The Audit System Using Auditctl

    tcp_listen_port, tcp_listen_queue, tcp_client_ports and tcp_client_max_idle The audit daemon can receive audit events from other audit daemons. The tcp parameters let you control incoming connections. Specify a port between 1 and 65535 with tcp_listen_port on which the auditd will listen. tcp_listen_queue lets you configure a maximum value for pending connections.
  • Page 400 The main auditctl commands to control basic audit system parameters are: • auditctl -e to enable or disable audit • auditctl -f to control the failure flag • auditctl -r to control the rate limit for audit messages • auditctl -b to control the backlog limit •...
  • Page 401: Passing Parameters To The Audit System

    Flag / Meaning [Possible Values] / Command: rate_limit: set a limit in messages per second; if the rate is not zero and it is exceeded, the action specified in the failure flag is triggered (auditctl -r rate). backlog_limit: specify the maximum number of outstanding audit buffers allowed (auditctl -b).
  • Page 402 Example 30.2 Example Audit Rules—Audit System Parameters -b 1000 -f 1 -r 10 -e 1 Specify the maximum number of outstanding audit buffers. Depending on the level of logging activity, you might need to adjust the number of buffers to avoid causing too heavy an audit load on your system.
  • Page 403 Example 30.3 Example Audit Rules—File System Auditing -w /etc/shadow -w /etc -p rx -w /etc/passwd -k fk_passwd -p rwxa The -w option tells audit to add a watch to the file specified, in this case /etc/shadow. All system calls requesting access permissions to this file are analyzed. This rule adds a watch to the /etc directory and applies permission filtering for read and execute access to this directory (-p rx).
  • Page 404 This rule adds auditing to the access system call, but only if the second argument of the system call (mode) is 4 (R_OK). entry,always tells audit to add an audit context to this system call when entering it and write out a report as soon as the call exits.
  • Page 405: Understanding The Audit Logs And Generating Reports

    rules that are about to be added do not clash with any preexisting ones. The auditctl -D command is also used before doing an autrace to avoid having the trace rules clash with any rules present in the audit.rules file. This rule deletes a system call rule.
  • Page 406 30.5.1 Understanding the Audit Logs The following examples highlight two typical events that are logged by audit and how their trails in the audit log are read. The audit log or logs (if log rotation is enabled) are stored in the /var/log/audit directory. The first example is a simple less command.
  • Page 407 arch References the CPU architecture of the system call. Decode this information using the -i option on any of your ausearch commands when searching the logs. syscall The type of system call as it would have been printed by an strace on this particular system call.
  • Page 408 auid The audit ID. A process is given an audit ID on user login. This ID is then handed down to any child process started by the initial process of the user. Even if the user changes his identity (for example, becomes root), the audit ID stays the same. Thus you can always trace actions to the original user who logged in.
  • Page 409 If you are auditing a large number of directories or files, assign key strings to each of these watches. You can use these keys with ausearch to search the logs for events of this type only. The second message triggered by the example less call does not reveal anything apart from just the current working directory when the less command was executed.
  • Page 410 Example 30.8, “An Advanced Audit Event—Login via SSH” (page 396) highlights the audit events triggered by an incoming SSH connection. Most of the messages are related to the PAM stack and reflect the different stages of the SSH PAM process. Several of the audit messages carry nested PAM messages in them that signify that a particular stage of the PAM process has been reached.
  • Page 411 The user has successfully logged in. This event is the one used by aureport -l to report about user logins. PAM reports that it has successfully opened a session for root. PAM reports that the credentials have been successfully reacquired. 30.5.2 Generating Custom Audit Reports The raw audit reports stored in the /var/log/audit directory tend to become very bulky and hard to understand.
  • Page 412 Number of keys: 2 Number of process IDs: 1211 Number of events: 5320 The above command, aureport without any arguments, provides just the standard general summary report generated from the logs contained in myfile. To create more detailed reports, combine the -if option with any of the options below. For example, generate a login report that is limited to a certain time frame: aureport -l -ts 14:00 -te 15:00 -if myfile Login Report...
  • Page 413 Number of MAC events: 0 Number of failed syscalls: 994 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of keys: 2 Number of process IDs: 708 Number of events: 1583 Create a Summary Report of Successful Events If you want to break down the overall statistics of a plain aureport to the statistics of successful events, use aureport --success:...
  • Page 414 aureport -u -i --summary User Summary Report =========================== total auid =========================== 5640 root wilber Create a Report of Events To get an overview of the events logged by audit, use the aureport -e command. This command generates a numbered list of all events including date, time, event number, event type, and audit ID.
  • Page 415 Create a Report from All System Call Events To analyze the audit log from a system call's point of view, use the aureport -s command. This command generates a numbered list of all system call events including date, time, number of the system call, process ID, name of the command that used this call, audit ID, and event number.
  • Page 416 Create a Report about Users To generate a report from the audit log that illustrates which users are running what executables on your system, use the aureport -u command. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID.
  • Page 417: Querying The Audit Daemon Logs With Ausearch

    Then, specify the start date and time and the end date and time of the desired time frame and combine it with the report option needed. This example focuses on login attempts: aureport -ts 02/16/09 8:00 -te 02/16/09 18:00 -l Login Report ============================================ # date time auid host term exe success event...
  • Page 418 audit/audit.log. Not all record types contain the same search phrases. There are no hostname or uid entries in a PATH record, for example. When searching, make sure that you choose appropriate search criteria to catch all records you need. On the other hand, you could be searching for a specific type of record and still get various other related records along with it.
  • Page 419 In both cases, use a command similar to the following: ausearch -a 5207 ---- time->Tue Feb 17 13:43:58 2009 type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 type=CWD msg=audit(1234874638.599:5207): cwd="/root" type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less"...
  • Page 420 Search by Command Line Name View records related to a certain command, using the ausearch -c comm_name command, for example, ausearch -c less for all records related to the less command. Search by Executable Name View records related to a certain executable with the ausearch -x exe command, for example ausearch -x /usr/bin/less for all records related to the /usr/bin/less executable.
  • Page 421: Analyzing Processes With Autrace

    Search by Hostname View records related to a certain remote hostname with ausearch -hn hostname, for example, ausearch -hn jupiter.example.com. You can use a hostname, fully qualified domain name, or numeric network address. Search by Key Field View records that contain a certain key assigned in the audit rule set to identify events of a particular type.
  • Page 422: Visualizing Audit Data

    auditctl -D No rules autrace /usr/bin/less /etc/sysconfig/auditd Waiting to execute: /usr/bin/less Cleaning up... No rules Trace complete. You can locate the records with 'ausearch -i -p 7642' Always use the full path to the executable to track with autrace. After the trace is complete, autrace provides the event ID of the trace, so you can analyze the entire data trail with ausearch.
  • Page 423 3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285 The first thing that the visualization script needs to do on this report is to extract only those columns that are of interest, in this example, the syscall and the comm columns. The output is sorted, duplicates are removed, and the result is piped into the visualization program itself: LC_ALL=C aureport -s -i | awk '/^[0-9]/ { print $6"...
  • Page 424 Because this type of report already contains a two column output, it is just piped into the visualization script and transformed into a bar chart. aureport -e -i --summary | mkbar events Figure 30.3 Bar Chart—Common Event Types For background information about the visualization of audit data, refer to the Web site of the audit project at http://people.redhat.com/sgrubb/audit/visualize/index.html.
  • Page 425: 31 Setting Up The Linux Audit Framework

    Setting Up the Linux Audit Framework This chapter shows how to set up a simple audit scenario. Every step involved in configuring and enabling audit is explained in detail. After you have learned to set up audit, consider a real-world example scenario in Chapter 32, Introducing an Audit Rule Set (page 423).
  • Page 426: Determining The Components To Audit

    6 Generate logs and configure tailor-made reports. Refer to Section 31.5, “Configuring Audit Reports” (page 417) for details. 7 Configure optional log visualization. Refer to Section 31.6, “Configuring Log Visualization” (page 420) for details. IMPORTANT: Controlling the Audit Daemon Before configuring any of the components of the audit system, make sure that the audit daemon is not running by entering rcauditd status as root.
  • Page 427: Configuring The Audit Daemon

    31.2 Configuring the Audit Daemon The basic setup of the audit daemon is done by editing /etc/audit/auditd.conf. You may also use YaST to configure the basic settings by calling YaST > Security and Users > Linux Audit Framework (LAF). Use the tabs Log File and Disk Space for configuration.
  • Page 428: Enabling Audit For System Calls

    However, other kernel components and modules may log audit events outside of the control of auditctl and these appear in the audit log. By default, the only module that generates audit events is Novell AppArmor. Advanced Logging with System Call Auditing To audit system calls and get meaningful file watches, you need to enable audit contexts for system calls.
  • Page 429: Setting Up Audit Rules

    As you need system call auditing capabilities even when you are configuring plain file or directory watches, you need to enable audit contexts for system calls. To enable audit contexts for the duration of the current session only, execute auditctl -e 1 as root.
  • Page 430 -w /etc/passwd -k CFG_passwd -p rwxa -w /etc/sysconfig/ -k CFG_sysconfig # an example system call rule -a entry,always -S umask ### add your own rules When configuring the basic audit system parameters, such as the backlog parameter -b, test these settings with your intended audit rule set to determine whether the backlog size is appropriate for the level of logging activity caused by your audit rule set.
  • Page 431: Configuring Audit Reports

    For more information about creating custom rules, refer to Section 30.4, “Passing Parameters to the Audit System” (page 387). IMPORTANT: Changing Audit Rules Never change audit rules in a running audit system. Always stop the audit daemon with rcauditd stop before touching the audit configuration and reread the audit configuration by restarting the daemon with rcauditd start.
  • Page 432 these might have failed due to insufficient permissions to access a file or a file not being there at all: aureport Summary Report ====================== Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 16:30:10.352 Selected time for report: 03/02/09 14:13:38 - 17/02/09 16:30:10.352 Number of changes in configuration: 24 Number of changes to accounts, groups, or roles: 0 Number of logins: 9...
  • Page 433 Number of MAC events: 0 Number of failed syscalls: 994 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of keys: 2 Number of process IDs: 713 Number of events: 1589 3 To list the files that could not be accessed, run a summary report of failed file events: aureport -f -i --failed --summary...
  • Page 434: Configuring Log Visualization

    aureport -f -i --failed |grep -e "/etc/audit/auditd.conf" -e "/etc/pam.d/" -e "/etc/sysconfig" 993. 17/02/09 16:47:34 /etc/sysconfig/displaymanager readlink no /bin/vim-normal root 7887 994. 17/02/09 16:48:23 /etc/sysconfig/displaymanager getxattr no /bin/vim-normal root 7889 5 Use the event ID to get a detailed record for each item of interest: ausearch -a 7887 -i ---- time->Tue Feb 17 16:48:23 2009...
  • Page 435 mkbar and mkgraph were created by Steve Grubb at Red Hat. They are available from http://people.redhat.com/sgrubb/audit/visualize/. Because the current version of audit in SUSE Linux Enterprise Server does not ship with these scripts, proceed as follows to make them available on your system: 1 Download the scripts to root's ~/bin directory: wget http://people.redhat.com/sgrubb/audit/visualize/mkbar -O ~/bin/mkbar wget http://people.redhat.com/sgrubb/audit/visualize/mkgraph -O...
  • Page 436 To illustrate the relationship between different kinds of audit objects, such as users and system calls, use the script mkgraph. Some example commands could look like the following: Users versus Executables LC_ALL=C aureport -u -i | awk '/^[0-9]/ { print $4" "$7 }' | sort | uniq | mkgraph users_vs_exec Users versus Files LC_ALL=C aureport -f -i | awk '/^[0-9]/ { print $8"...
  • Page 437: 32 Introducing An Audit Rule Set

    Introducing an Audit Rule Set The following example configuration illustrates how audit can be used to monitor your system. It highlights the most important items that need to be audited to cover the list of auditable events specified by Controlled Access Protection Profile (CAPP). The example rule set is divided into the following sections: •...
  • Page 438: Adding Basic Audit Configuration Parameters

    To transform this example into a configuration file to use in your live setup, proceed as follows: 1 Choose the appropriate settings for your setup and adjust them. 2 Adjust the file /etc/audit/audit.rules by adding rules from the examples below or by modifying existing rules. NOTE: Adjusting the Level of Audit Logging Do not copy the example below into your audit setup without adjusting it to your needs.
  • Page 439: Adding Watches On Audit Log Files And Configuration Files

    system on a critical error, audit makes sure that no process escapes from its control as it otherwise might if level 1 (printk) were chosen. IMPORTANT: Choosing the Failure Flag Before using your audit rule set on a live system, make sure that the setup has been thoroughly evaluated on test systems using the worst case production workload.
  • Page 440: Monitoring File System Objects

    Set a watch on the directory where the audit log is located. Trigger an event for any type of access attempt to this directory. If you are using log rotation, add watches for the rotated logs as well. Set a watch on an audit configuration file. Log all write and attribute change attempts to this file.
  • Page 441: Monitoring Security Configuration Files And Databases

    Enable an audit context for system calls related to changing file ownership and permissions. Depending on the hardware architecture of your system, enable or disable the *32 rules. 64-bit systems, like x86_64 and ia64, require the *32 rules to be removed. Enable an audit context for system calls related to file content modification.
  • Page 442 The same applies to any other configuration files related to secure authentication and communication. -w /var/spool/atspool -w /etc/at.allow -w /etc/at.deny -w /etc/cron.allow -p wa -w /etc/cron.deny -p wa -w /etc/cron.d/ -p wa -w /etc/cron.daily/ -p wa -w /etc/cron.hourly/ -p wa -w /etc/cron.monthly/ -p wa -w /etc/cron.weekly/ -p wa -w /etc/crontab -p wa...
  • Page 443 -w /etc/ssh/sshd_config -w /etc/stunnel/stunnel.conf -w /etc/stunnel/stunnel.pem -w /etc/vsftpd.ftpusers -w /etc/vsftpd.conf -a exit,always -S sethostname -w /etc/issue -p wa -w /etc/issue.net -p wa Set watches on the at and cron configuration and the scheduled jobs and assign labels to these events. Set watches on the user, group, password, and login databases and logs and set labels to better identify any login-related events, such as failed login attempts.
  • Page 444: Monitoring Miscellaneous System Calls

    32.5 Monitoring Miscellaneous System Calls As well as auditing file system related system calls, as described in Section 32.3, “Monitoring File System Objects” (page 426), you can also track various other system calls. Tracking task creation helps you understand your applications' behavior. Auditing the umask system call lets you track how processes modify permissions.
  • Page 445 IMPORTANT: Auditing System Calls Auditing system calls results in a high logging activity, which in turn puts a heavy load on the kernel. With a kernel less responsive than usual, the system's backlog and rate limits might well be exceeded. Carefully evaluate which system calls to include in your audit rule set and adjust the log settings accordingly.
  • Page 446 -a entry,always -S socketcall -F a0=1 -F a1=10 ## Use this line on x86_64, ia64 instead #-a entry,always -S socket -F a0=10 -a entry,always -S socketcall -F a0=5 ## Use this line on x86_64, ia64 instead #-a entry, always -S accept Audit the socket(PF_INET6) system call.
  • Page 447 #-a entry,always -S semctl #-a entry,always -S semget #-a entry,always -S semop #-a entry,always -S semtimedop ## shmctl -a entry,always -S ipc -F a0=24 ## shmget -a entry,always -S ipc -F a0=23 ## Use these lines on x86_64, ia64 instead #-a entry,always -S shmctl #-a entry,always -S shmget Audit system calls related to IPC SYSV message queues.
  • Page 448 event. To retrieve these log entries, simply run ausearch -k your_key to get a list of records related to the rule carrying this particular key. As an example, assume you have added the following rule to your rule file: -w /etc/audit/audit.rules -p wa Without a key assigned to it, you would probably have to filter for SYSCALL or PATH events then use grep or similar tools to isolate any events related to the above rule.
  • Page 449 Useful Resources There are other resources available containing valuable information about the Linux audit framework: The Audit Manual Pages There are several man pages installed along with the audit tools that provide valuable and very detailed information: auditd(8) The Linux Audit daemon auditd.conf(5) The Linux Audit daemon configuration file auditctl(8)
  • Page 450 http://people.redhat.com/sgrubb/audit/index.html The home page of the Linux audit project. This site contains several specifications relating to different aspects of Linux audit as well as a short FAQ. /usr/share/doc/packages/audit The audit package itself contains a README with basic design information and sample .rules files for different scenarios: capp.rules: Controlled Access Protection Profile (CAPP) lspp.rules: Labeled Security Protection Profile (LSPP)
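As an added example that is not part of the manual, the following Python parser reads records in the layout shown by the ausearch -a 5207 output above (type, msg=audit(time:serial), then key=value fields), groups them by event serial, and derives the kind of failed-file listing and counts that aureport -f --failed and the plain aureport summary produce. The sample records, their serials, PIDs, inodes and the failed readlink event are constructed, and the x86_64 syscall-name table covers only the two numbers used here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not from a real host) in the layout ausearch prints:
# "type=<RECORD> msg=audit(<unix time>:<serial>): key=value key="quoted value" ...".
# Event 5207 mirrors the "less" example; event 7887 is an invented failed readlink
# on /etc/sysconfig/displaymanager in the style of the aureport --failed listing.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="CFG_sysconfig"
type=CWD msg=audit(1234874638.599:5207): cwd="/root"
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1234874700.101:7887): arch=c000003e syscall=89 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=1 ppid=7000 pid=7001 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts2 ses=1170 comm="vim-normal" exe="/bin/vim-normal" key="CFG_sysconfig"
type=CWD msg=audit(1234874700.101:7887): cwd="/home/wilber"
type=PATH msg=audit(1234874700.101:7887): item=0 name="/etc/sysconfig/displaymanager" inode=4321 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Minimal decoding table for arch=c000003e (x86_64): ausearch -i does this for
# every architecture; only the two numbers used in the sample are listed here.
SYSCALL_NAMES_X86_64 = {2: "open", 89: "readlink"}


def parse_fields(body):
    """Turn 'a=1 b="x y"' into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_audit_log(text):
    """Group records by event serial, as ausearch -a does.

    Returns {serial: {"time": float, "records": {record_type: [fields, ...]}}};
    a list per type keeps multiple PATH items (item=0, item=1, ...) apart.
    """
    events = defaultdict(lambda: {"time": 0.0, "records": defaultdict(list)})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line or a record in a layout this parser does not handle
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        ev["records"][rtype].append(parse_fields(body))
    return {s: {"time": e["time"], "records": dict(e["records"])} for s, e in events.items()}


def syscall_name(sc):
    """Decode the syscall number using the arch field, falling back to the number."""
    nr = int(sc["syscall"])
    if sc.get("arch") == "c000003e":
        return SYSCALL_NAMES_X86_64.get(nr, str(nr))
    return str(nr)


def failed_file_events(events):
    """Rows like 'aureport -f -i --failed': (serial, file, syscall, exe, auid, exit)."""
    rows = []
    for serial, ev in sorted(events.items()):
        for sc in ev["records"].get("SYSCALL", []):
            if sc.get("success") != "no":
                continue
            for path in ev["records"].get("PATH", []):
                rows.append((serial, path.get("name"), syscall_name(sc),
                             sc.get("exe"), int(sc["auid"]), int(sc["exit"])))
    return rows


def summary(events):
    """Counts in the spirit of the plain aureport summary: events, failed syscalls, keys."""
    keys, failed = set(), 0
    for ev in events.values():
        for sc in ev["records"].get("SYSCALL", []):
            failed += sc.get("success") == "no"
            if sc.get("key"):
                keys.add(sc["key"])
    return {"events": len(events), "failed_syscalls": failed, "keys": len(keys)}


def events_by_auid(events):
    """Events per login (audit) ID; auid survives su, so this attributes work to the original login."""
    return Counter(sc["auid"] for ev in events.values()
                   for sc in ev["records"].get("SYSCALL", []))


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print(summary(evs))
    for row in failed_file_events(evs):
        print(row)
```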
