Novell APPARMOR 2.1 -, Administration Manual

Page 1: ...AppArmor www novell com 2 1 September 27 2007 Novell AppArmor Administration Guide ...

Page 2: ...SE the openSUSE logo Novell the Novell logo the N logo are registered trademarks of Novell Inc in the United States and other countries Linux is a registered trademark of Linus Torvalds All other third party trademarks are the property of their respective owners A trademark symbol etc denotes a Novell trademark an asterisk denotes a third party trademark All information found in this book has been...

Page 3: ...ty Entries POSIX 1e 22 2 4 Using the Local AppArmor Profile Repository 22 2 5 Using the External AppArmor Profile Repository 23 2 6 Important Filenames and Directories 25 3 Building and Managing Profiles with YaST 27 3 1 Adding a Profile Using the Wizard 29 3 2 Manually Adding a Profile 37 3 3 Editing Profiles 38 3 4 Deleting a Profile 43 3 5 Updating Profiles from Log Entries 44 3 6 Managing Nove...

Page 4: ...plications 87 6 2 Configuring Security Event Notification 88 6 3 Configuring Reports 91 6 4 Configuring and Using the AppArmor Desktop Monitor Applet 111 6 5 Reacting to Security Event Rejections 112 6 6 Maintaining Your Security Profiles 112 7 Support 115 7 1 Updating Novell AppArmor Online 115 7 2 Using the Man Pages 115 7 3 For More Information 117 7 4 Troubleshooting 118 7 5 Reporting Bugs for...

Page 5: ...ookup and user authentication A tool suite for developing and enhancing AppArmor profiles so that you can change the existing profiles to suit your needs and create new profiles for your own local and custom applications Several specially modified applications that are AppArmor enabled to provide en hanced security in the form of unique subprocess confinement including Apache and Tomcat The Novell...

Page 6: ...dicates support options for this product Glossary Provides a list of terms and their definitions 1 Feedback We want to hear your comments and suggestions about this manual and the other doc umentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there 2 Documentation Conventions The following typograp...

Page 7: ...publicly available To download the source code proceed as outlined under http www novell com products suselinux source_code html If requested we send you the source code on a DVD We need to charge a 15 or 15 fee for creation handling and postage To request a DVD of the source code send an e mail to sourcedvd suse de mailto sourcedvd suse de or mail the request to SUSE Linux Products GmbH Product M...

Page 8: ......

Page 9: ...p ter 4 Building Profiles from the Command Line page 49 if you are ready to build and manage Novell AppArmor profiles Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read write and execute and which type of network it is allowed to access This ensures that each program does what it is supposed to do and nothing else Nove...

Page 10: ...ppArmor profiles and policies aa unconfined aa unconfined detects any application running on your system that listens for net work connections and is not protected by an AppArmor profile Refer to Section aa unconfined Identifying Unprotected Processes page 73 for detailed infor mation about this tool aa autodep aa autodep creates a basic skeleton of a profile that needs to be fleshed out before it...

Page 11: ...enforce Exceptions to rules set in a profile are logged but not permitted the profile is enforced Refer to Section aa enforce Entering Enforce Mode page 58 for detailed information about this tool Once a profile has been built and is loaded there are two ways in which it can get pro cessed complain In complain mode violations of AppArmor profile rules such as the profiled pro gram accessing files ...

Page 12: ...ough a Web browser including CGI Perl scripts PHP pages and more complex Web applications For instructions for finding these types of programs refer to Section 1 4 1 Immunizing Web Applications page 7 Network Agents Programs servers and clients that have open network ports User clients such as mail clients and Web browsers mediate privilege These programs run with the privilege to write to the use...

Page 13: ...unizing Network Applications An automated method for finding network server daemons that should be profiled is to use the aa unconfined tool You can also simply view a report of this information in the YaST module refer to Section Application Audit Report page 97 for instruc tions The aa unconfined tool uses the command netstat nlp to inspect your open ports from inside your computer detect the pr...

Page 14: ...s and should not be run from a shell that is confined by an AppArmor profile aa unconfined does not distinguish between one network interface and another so it reports all unconfined processes even those that might be listening to an internal LAN interface Finding user network client applications is dependent on your user preferences The aa unconfined tool detects and reports network ports opened ...

Page 15: ...ore information on how to use the AppArmor profile repository 1 4 1 Immunizing Web Applications To find Web applications investigate your Web server configuration The Apache Web server is highly configurable and Web applications can be stored in many directories depending on your local configuration openSUSE by default stores Web applications in srv www cgi bin To the maximum extent possible each ...

Page 16: ...features when you add a profile in YaST or at the command line To take advantage of the subprocess confinement refer to Section 5 1 Apache ChangeHat page 76 Profiling Web applications that use mod_perl and mod_php requires slightly different handling In this case the program is a script interpreted directly by the module within the Apache process so no exec happens Instead the Novell AppArmor vers...

Page 17: ...e Novell AppArmor profile for all Web pages and CGI scripts served by Apache a good approach is to edit the DEFAULT_URI subprofile 1 4 2 Immunizing Network Agents To find network server daemons and network clients such as fetchmail Firefox amaroK or Banshee that should be profiled you should inspect the open ports on your machine consider the programs that are answering on those ports and provide ...

Page 18: ...TIP Refer to the man page of the netstat command for a detailed reference of all possible options 10 Novell AppArmor Administration Guide ...

Page 19: ...fy the structure of new profiles Abstractions are include statements grouped by common application tasks Program chunks are chunks of profiles that are specific to program suites Capability entries are profile entries for any of the POSIX 1e Linux capabilities For help determining the programs to profile refer to Section 1 2 Determining Pro grams to Immunize page 4 To start building AppArmor profi...

Page 20: ...ectives that pull in path and capability entries from other files The easiest way of explaining what a profile consists of and how to create one is to show the details of a sample profile in this case for a hypothetical application called usr bin foo include tunables global a comment naming the application to confine usr bin foo include abstractions base capability setgid network inet tcp bin moun...

Page 21: ... access modes r for read w for write and x for execute A whitespace of any kind spaces or tabs can precede pathnames or separate the pathname from the access modes Spaces between the access mode and the trailing comma is optional Find a comprehensive overview of the available access modes in Section 2 1 3 File Permission Access Modes page 17 This variable expands to a value that can be changed wit...

Page 22: ...s installed or otherwise in var log messages In many cases Novell AppArmor rules prevent an attack from working because neces sary files are not accessible and in all cases Novell AppArmor confinement restricts the damage that the attacker can do to the set of files permitted by Novell AppArmor 2 1 1 Network Access Control AppArmor allows mediation of network access based on the address type and f...

Page 23: ...tworking paraphrasing the rule above Allow the use of both IPv4 and IPv6 TCP networking 2 1 2 Paths and Globbing AppArmor explicitly distinguishes directory path names from file path names Use a trailing for any directory path that needs to be explicitly distinguished some random example r Allow read access to files in the some random example directory some random example r Allow read access to th...

Page 24: ...haracters including Example An arbitrary number of path elements including entire directories Substitutes for any single character except Substitutes for the single character a b or c abc Example a rule that matches home 01 plan allows a program to access plan files for users in both home0 and home1 Substitutes for the single character a b or c a c Expands to one rule to match ab and one rule to m...

Page 25: ...de l Read Mode r Allows the program to have read access to the resource Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace 2 ptrace 2 is used by utilities like strace 1 ltrace 1 and gdb 1 Write Mode w Allows the program to have write access to the resource Files must have this per mission if the...

Page 26: ...n If there is no profile defined the access is denied WARNING Using the Discrete Profile Execute Mode px does not scrub the environment of variables such as LD_PRELOAD As a result the calling domain may have an undue amount of influence over the called item Incompatible with Ux ux Px and ix Discrete Profile Execute Mode Px Clean Exec Px allows the named program to run in px mode but AppArmor invok...

Page 27: ...ux kernel s unsafe_exec routines to scrub the environment similar to setuid pro grams See ld so 8 for some information about setuid and setgid environment scrubbing WARNING Using Unconstrained Execute Mode Ux Use Ux only in very special cases It enables the designated child processes to run without any AppArmor protection Use this mode only if the child absolutely must be run unconfined Use at you...

Page 28: ...Mode The link mode mediates access to hard links When a link is created the target file must have the same access permissions as the link created with the exception that the destination does not need link access When choosing one of the Ux or Px file permission access modes take into account that the following environment variables are removed from the environment before the child process inherits...

Page 29: ... the program access to directory paths or files that are also required by other programs Using includes can reduce the size of a profile By default AppArmor adds etc apparmor d to the path in the include statement AppArmor expects the include files to be located in etc apparmor d Unlike other profile statements but similar to C programs include lines do not end with a comma To assist you in profil...

Page 30: ... for use in profiles by the profile wizards aa logprof and aa genprof Currently program chunks are only available for the postfix program suite 2 3 Capability Entries POSIX 1e Capabilities statements are simply the word capability followed by the name of the POSIX 1e capability as defined in the capabilities 7 man page 2 4 Using the Local AppArmor Profile Repository AppArmor ships a set of profile...

Page 31: ...mor users as well as uploading your own Find the profile repository at http apparmor opensuse org NOTE Using the AppArmor Profile Repository When using the profile repository in your deployment bear in mind that the profiles maintained in the repository are primarily targeted at profile developers and might probably need fine tuning before they suit your particular needs Please test the downloaded...

Page 32: ...guration files etc apparmor logprof conf and etc apparmor respository conf The etc apparmor logprof conf file contains a section called repository distro determines the version of openSUSE used on your system for which the AppArmor tools should search profiles on the server url holds the server URL and preferred_user tells the AppArmor tools to prefer profiles created by the novell user Those prof...

Page 33: ... your own one from scratch 2 5 3 Uploading Your own Profile After a profile has been created or updated the AppArmor tools that a profile also present in the repository has been changed or that a new one has been created If your system is configured to upload profiles to the repository you are prompted to provide a ChangeLog to document your changes before the changes are uploaded to the server Th...

Page 34: ...or the root so profiles are easier to manage For example the profile for the program usr sbin ntpd is named usr sbin ntpd etc apparmor d abstractions Location of abstractions etc apparmor d program chunks Location of program chunks proc attr current Check this file to review the confinement status of a process and the profile that is used to confine the process The ps auxZ command retrieves this i...

Page 35: ...erfaces have differing appearances they offer the same functionality in similar ways Another alternative is to use AppArmor commands which can control AppArmor from a terminal window or through remote connections The command line tools are described in Chapter 4 Building Profiles from the Command Line page 49 Start YaST from the main menu and enter your root password when prompted for it Alternati...

Page 36: ...ication on your system without the help of the wizard For detailed steps refer to Section 3 2 Manually Adding a Profile page 37 Edit Profile Edits an existing Novell AppArmor profile on your system For detailed steps refer to Section 3 3 Editing Profiles page 38 Delete Profile Deletes an existing Novell AppArmor profile from your system For detailed steps refer to Section 3 4 Deleting a Profile pa...

Page 37: ...rofiling tools aa genprof generate profile and aa logprof update profiles from learning mode log file For more information about these tools refer to Section 4 6 3 Summary of Profiling Tools page 56 1 Stop the application before profiling it to ensure that application start up is included in the profile To do this make sure that the application or daemon is not running For example enter rcPROGRAM ...

Page 38: ...page 22 or in the external profile repository see Sec tion 2 5 Using the External AppArmor Profile Repository page 23 or whether it does not exist yet proceed with one of the following options Determine whether you want to use or fine tune an already existing profile from your local profile repository as outlined in Step 5 page 30 Determine whether you want to use of fine tune an already existing ...

Page 39: ...oceed directly to Step 7 page 31 6b Provide username and password for your account on the profile repository server and register at the server 6c Select the profile to use and proceed to Step 7 page 31 7 Run the application to profile 8 Perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access to function proper...

Page 40: ...y Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program to the profile For an ex ample of each case see Figure 3 2 Learning Mode Exception Controlling Access to Specific Resources page 32 and Figure 3 3 Learning Mode Exception Defining Execute Permissions for an Entry page 33 Subsequent steps describe your options in answ...

Page 41: ...ng Mode Exception Controlling Access to Specific Resources Select the option that satisfies the request for access which could be a suggested include a particular globbed version of the path or the actual pathname Depending on the situation these options are avail able include The section of a Novell AppArmor profile that refers to an include file Include files give access permissions for programs...

Page 42: ...on 2 1 3 File Permission Access Modes page 17 Deny Click Deny to prevent the program from accessing the specified paths Glob Clicking this modifies the directory path using wild cards to include all files in the suggested directory Double clicking it grants access to all files and subdirectories beneath the one shown For more infor mation about globbing syntax refer to Section 2 1 2 Paths and Glob...

Page 43: ...s for an Entry From the following options select the one that satisfies the request for access For detailed information about the options available refer to Section 2 1 3 File Permission Access Modes page 17 Inherit Stay in the same security profile parent s profile Profile Require a separate profile to exist for the executed program When selecting this option also select whether AppArmor should s...

Page 44: ... changes entered so far and modifying all profiles 11 Repeat the previous steps if you need to execute more functionality of the application When you are done click Finish Choose to apply your changes to the local profile set If you have previously chosen to upload your profile to the external profile repository provide a brief change log entry describing your work and upload the profile If you ha...

Page 45: ... find the application for which to create a profile 3 When you find the application select it and click Open A basic empty profile appears in the AppArmor Profile Dialog window 4 In AppArmor Profile Dialog add edit or delete AppArmor profile entries by clicking the corresponding buttons and referring to Section 3 3 1 Adding an Entry page 40 Section 3 3 2 Editing an Entry page 42 or Section 3 3 3 D...

Page 46: ... editing or deleting entries To edit a profile proceed as follows 1 Start YaST and select Novell AppArmor Edit Profile 2 From the list of profiled applications select the profile to edit 3 Click Next The AppArmor Profile Dialog window displays the profile 38 Novell AppArmor Administration Guide ...

Page 47: ... 5 When you are finished click Done 6 In the pop up that appears click Yes to confirm your changes to the profile and reload the AppArmor profile set TIP Syntax Checking in AppArmor AppArmor contains a syntax check that notifies you of any syntax errors in profiles you are trying to process with the YaST AppArmor tools If an error occurs edit the profile manually as root and reload the profile set...

Page 48: ...shed click OK You can use globbing if necessary For globbing information refer to Section 2 1 2 Paths and Globbing page 15 For file access permission information refer to Section 2 1 3 File Permission Access Modes page 17 Directory In the pop up window specify the absolute path of a directory including the type of access permitted You can use globbing if necessary When finished click OK For globbi...

Page 49: ...e into Its Parts page 12 for more information about capabilities When finished making your selections click OK Include In the pop up window browse to the files to use as includes Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles For more information refer to Section 2 2 include Statements page 21 Building and Managing Profiles with YaST 41 ...

Page 50: ...ing Your Web Applications Using ChangeHat page 75 3 3 2 Editing an Entry When you select Edit Entry the file browser pop up window opens From here edit the selected entry In the pop up window specify the absolute path of a file including the type of access permitted You can use globbing if necessary When finished click OK 42 Novell AppArmor Administration Guide ...

Page 51: ...try AppArmor removes the selected profile entry 3 4 Deleting a Profile AppArmor enables you to delete an AppArmor profile manually Simply select the application for which to delete a profile then delete it as follows 1 Start YaST and select Novell AppArmor Delete Profile 2 Select the profile to delete 3 Click Next 4 In the pop up that opens click Yes to delete the profile and reload the AppArmor p...

Page 52: ...dd Profile Wizard the Update Profile Wizard also supports profile exchange with the external repository server For background information on the use of the external AppArmor profile repository refer to Section 2 5 Using the External AppArmor Profile Repository page 23 For details on how to configure access and access mode to the server check the procedure described under Section 3 1 Adding a Profi...

Page 53: ... AppArmor protects your system from potential program exploitation Disabling AppArmor even if your profiles have been set up removes protection from your system You can deter mine how and when you are notified when system security events occur NOTE For event notification to work you must set up a mail server on your system that can send outgoing mail using the single mail transfer protocol SMTP su...

Page 54: ... Changing the Mode of Individual Profiles page 47 To configure security event notification continue as described in Section 6 2 Configuring Security Event Notification page 88 3 6 1 Changing Novell AppArmor Status When you change the status of AppArmor set it to enabled or disabled When AppArmor is enabled it is installed running and enforcing the AppArmor security policies 1 Start YaST and select...

Page 55: ...uring the course of systemic profiling see Section 4 6 2 Systemic Profiling page 54 you can use this tool to adjust and monitor the scope of the profiles for which you are learning behavior To edit an application s profile mode proceed as follows 1 Start YaST and select Novell AppArmor AppArmor Control Panel 2 In the Configure Profile Modes section select Configure 3 Select the profile for which t...

Page 56: ......

Page 57: ...Information Before starting to manage your profiles using the AppArmor command line tools check out the general introduction to AppArmor given in Chapter 1 Immunizing Programs page 1 and Chapter 2 Profile Components and Syntax page 11 4 1 Checking the AppArmor Module Status An AppArmor module can be in any one of three states Unloaded The AppArmor module is not loaded into the kernel Running The A...

Page 58: ...ule in the running state If the module is already running start reports a warning and takes no action rcapparmor stop Stops the AppArmor module if it is running by removing all profiles from kernel memory effectively disabling all access controls and putting the module into the stopped state If the AppArmor module is unloaded or already stopped stop tries to unload the profiles again but nothing h...

Page 59: ... apparmor d di rectory as plain text files For a detailed description of the syntax of these files refer to Chapter 2 Profile Components and Syntax page 11 All files in the etc apparmor d directory are interpreted as profiles and are loaded as such Renaming files in that directory is not an effective way of preventing profiles from being loaded You must remove profiles from this directory to preve...

Page 60: ...dow 2 Enter the root password when prompted 3 Go to the profile directory with cd etc apparmor d 4 Enter ls to view all profiles currently installed 5 Open the profile to edit in a text editor such as vim 6 Make the necessary changes then save the profile 7 Restart AppArmor by entering rcapparmor restart in a terminal window 4 5 Deleting an AppArmor Profile The following steps describe the procedu...

Page 61: ...ling small applications that have a finite run time such as user client applications like mail clients For more information refer to Sec tion 4 6 1 Stand Alone Profiling page 54 Systemic Profiling A method suitable for profiling large numbers of programs all at once and for profiling applications that may run for days weeks or continuously across reboots such as network server applications like We...

Page 62: ...or continues after rebooting or a large number of programs all at once Build an AppArmor profile for a group of applications as follows 1 Create profiles for the individual programs that make up your application Although this approach is systemic AppArmor only monitors those programs with profiles and their children To get AppArmor to consider a program you must at least have aa autodep create an ...

Page 63: ... logprof is aa logprof d path to profiles f path to logfile Refer to Section aa logprof Scanning the System Log page 67 for more information about using aa logprof 5 Repeat Step 3 page 55 and Step 4 page 55 This generates optimum profiles An iterative approach captures smaller data sets that can be trained and reloaded into the policy engine Subsequent iterations generate fewer messages and run fa...

Page 64: ...y AppArmor The minimum aa autodep approximate profile has at least a base include directive which contains basic profile entries needed by most programs For certain types of programs aa autodep generates a more expanded profile The profile is generated by recursively calling ldd 1 on the executables listed on the command line To generate an approximate profile use the aa autodep program The progra...

Page 65: ... programs and run the aa autodep for each one If the programs are in your path aa autodep finds them for you If they are not in your path the standard Linux command find might be helpful in finding your programs Execute find name my_application print to determine an application s path my_application being an example application You may use wild cards if appropriate aa complain Entering Complain or...

Page 66: ...e aa complain etc apparmor d puts all of the profiles in etc apparmor d into complain mode TIP Toggling Profile Mode with YaST YaST offers a graphical front end for toggling complain and enforce mode See Section 3 6 2 Changing the Mode of Individual Profiles page 47 for infor mation aa enforce Entering Enforce Mode The enforce mode detects violations of AppArmor profile rules such as the profiled ...

Page 67: ...tc apparmor d The argument can be either a list of programs or a list of profiles If the program name does not include its entire path aa enforce searches PATH for the program TIP Toggling Profile Mode with YaST YaST offers a graphical front end for toggling complain and enforce mode See Section 3 6 2 Changing the Mode of Individual Profiles page 47 for infor mation aa genprof Generating Profiles ...

Page 68: ... proceed A log event looks like this see var log audit audit log type APPARMOR_ALLOWED msg audit 1189682639 184 20816 operation file_mmap requested_mask r denied_mask r name srv www htdocs index html pid 27471 profile null complain profile If you are not running the audit daemon the AppArmor events are logged to var log messages Sep 13 13 20 30 K23 kernel audit 1189682430 672 20810 operation file_...

Page 69: ...ns that you must answer to guide aa genprof in generating the security profile F exits the tool and returns to the main menu NOTE If requests to add hats appear proceed to Chapter 5 Profiling Your Web Applications Using ChangeHat page 75 5 Answer two types of questions A resource is requested by a profiled program that is not in the profile see Example 4 1 Learning Mode Exception Controlling Acces...

Page 70: ...her confined program without gaining the permissions of the target s profile or losing the permissions of the current profile This mode is often used when the child program is a helper application such as the usr bin mail client using less as a pager or the Mozilla Web browser using Adobe Acrobat to display PDF files Profile px The child runs using its own profile which must be loaded into the ker...

Page 71: ...essing the specified directory path entries AppArmor then continues to the next event Abort Aborts aa logprof losing all rule changes entered so far and leaving all profiles unmodified Finish Closes aa logprof saving all rule changes entered so far and modifying all profiles Example 4 2 Learning Mode Exception Defining Execute Permissions for an Entry page 63 shows AppArmor suggesting directory pa...

Page 72: ...lobbing syntax refer to Section 2 1 2 Paths and Globbing page 15 Actual Path This is the literal path to which the program needs access so that it can run properly After you select the path or include process it as an entry into the AppArmor profile by selecting Allow or Deny If you are not satisfied with the directory path entry as it is displayed you can also Glob it The following options are av...

Page 73: ...For example etc apache2 file ext becomes etc apache2 ext adding the wild card asterisk in place of the file name This allows the program to access all files in the suggested direc tory that end with the ext extension Abort Aborts aa logprof losing all rule changes entered so far and leaving all profiles unmodified Finish Closes aa logprof saving all rule changes entered so far and modifying all pr...

Page 74: ...eration procedure outlined above to create the profile from scratch 3 Leave aa genprof by hitting F Finish when you are done and save your changes To use the remote AppArmor profile repository with aa genprof proceed as follows 1 Start aa genprof as described above If aa genprof detects a suitable profile on the repository server the following lines appear on your terminal window Repository http a...

Page 75: ...o ignore the existing profile hit C Create New Profile and follow the profile generation procedure outlined above to create the profile from scratch 6 Leave aa genprof by hitting F Finish when you are done and save the profile If you opted for uploading your profile provide a short change log and push it to the repository aa logprof Scanning the System Log aa logprof is an interactive tool used to...

Page 76: ...rofile exchange with the external repository server For background information on the use of the exter nal AppArmor profile repository refer to Section 2 5 Using the External AppArmor Profile Repository page 23 For details on how to configure access and access mode to the server check the procedure described under Section aa genprof Generating Profiles page 59 To run aa logprof enter aa logprof in...

Page 77: ...g messages aa logprof f aa logprof Example 1 The following is an example of how aa logprof addresses httpd2 prefork accessing the file etc group indicates the default option In this example the access to etc group is part of httpd2 prefork accessing name services The appropriate response is 1 which includes a predefined set of AppArmor rules Selecting 1 to include the name service package resolves...

Page 78: ...u reenter the expression Glob Select either a specific path or create a general rule using wild cards that matches on a broader set of paths To select any of the offered paths enter the number that is printed in front of the paths then decide how to proceed with the selected item For more information about globbing syntax refer to Section 2 1 2 Paths and Globbing page 15 Glob w Ext This modifies t...

Page 79: ...es Finally you might want to grant more general access to FTP files If you select Glob in the last entry aa logprof replaces the suggested path of y2k jpg with Alter natively you might want to grant even more access to the entire directory tree in which case you could use the New path option and enter jpg which would grant access to all jpg files in the entire directory tree or which would grant a...

Page 80: ...herit This results in the less program executed from this context running under the profile for usr bin mail This has two consequences You need to add all of the basic file accesses for usr bin less to the profile for usr bin mail You can avoid adding the helper applications such as tar and rpm to the usr bin mail profile so that when usr bin mail runs usr bin less in this context the less program...

Page 81: ...ecommended and should only be used in cases where there is no other option to generate a profile for a program reliably Selecting unconfined opens a warning dialog asking for confirmation of the choice If you are sure and choose Yes a second dialog ask whether to sanitize the environment Choosing Yes uses the execution mode Ux in your profile Choosing No uses the execution mode ux for your profile...

Page 82: ...ks is mishandled NOTE This program lists processes using TCP and UDP only In short this program is unsuitable for forensics use and is provided only as an aid to profiling all net work accessible processes in the lab 74 Novell AppArmor Administration Guide ...

Page 83: ...ions are the Apache Web server and Tomcat A profile can have an arbitrary number of subprofiles but there are only two levels a subprofile cannot have further sub subprofiles A subprofile is written as a separate profile and named as the containing profile followed by the subprofile name separated by a Subprofiles must be stored in the same file as the parent profile Note that the security of hats...

Page 84: ...hangeHat aware Install it along with Apache When Apache is ChangeHat aware it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives URI specific hat for example phpsysinfo templates classic images bar_left gif DEFAULT_URI HANDLING_UNTRUSTED_INPUT NOTE Apache Configuration If you install apache2 mod_apparmor without Novell Ap...

Page 85: ...ocessed does not represent significant processing or otherwise does not represent a significant security risk safely select Use Default Hat to process this URI in the default hat which is the default security profile This example creates a new hat for the URI phpsysinfo and its subsequent accesses Using the profiling utilities delegate what to add to this new hat The resulting hat be comes a tight...

Page 86: ...n to Profile enter httpd2 prefork 3 Click Create Profile 4 Restart Apache by entering rcapache2 restart in a terminal window Restart any program you are profiling at this point 78 Novell AppArmor Administration Guide ...

Page 87: ...dd to Profiles Novell AppArmor launches the aa logprof tool which scans the information learned in the previous step It begins to prompt you with profile questions 7 aa logprof first prompts with Add Requested Hat or Use Default Hat because it noticed that the phpsysinfo URI was accessed Select Add Requested Hat 8 Click Allow Choosing Add Requested Hat in the previous step creates a new hat in the...

Page 88: ...ity Considerations Selecting Unconfined can create a significant security hole and should be done with caution 8a Select Inherit for the bin bash path This adds bin bash accessed by Apache to the phpsysinfo hat profile with the necessary permissions 8b Click Allow 9 The remaining questions prompt you to generate new hats and add entries to your profile and its hats The process of adding entries to...

Page 89: ...E release r etc ld so cache r etc lsb release r etc lsb release d r lib ld 2 6 1 so ixr proc r sbin lspci ixr srv www htdocs phpsysinfo r sys bus pci r sys bus scsi devices r sys devices r usr bin cut ixr usr bin getopt ixr usr bin head ixr usr bin lsb_release ixr usr bin lsscsi ixr usr bin tr ixr usr bin who ixr usr lib lib so mr usr lib locale r usr sbin lsusb ixr usr share locale r usr share pc...

Page 90: ...ting Profiles page 38 or when you add a new profile using Manually Add Profile for instructions refer to Section 3 2 Manually Adding a Profile page 37 you are given the option of adding hats subprofiles to your Novell AppArmor profiles Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following 1 From the AppArmor Profile Dialog window click Add Entry then select Hat The...

Page 91: ...tion files The main configuration file is usually httpd conf When you compile Apache you can indicate the location of this file Directives can be placed in any of these configuration files to alter the way Apache behaves When you make changes to the main configuration files you need to start or restart Apache so the changes are recognized 5 2 1 Virtual Host Directives Virtual host directives contr...

Page 92: ... 2 A hat named by the entire URI path 3 A default server hat as specified by the AADefaultHatName keyword 4 DEFAULT_URI if none of those exist it goes back to the parent Apache hat 5 2 2 Location and Directory Directives Location and directory directives specify hat names in the program configuration file so the program calls the hat regarding its security For Apache you can find documen tation ab...

Page 93: ...the following text to it Location phpsysinfo AAHatName phpsysinfo Location The following hat should then work for phpsysinfo usr sbin httpd2 prefork phpsysinfo include abstractions bash include abstractions nameservice bin basename ixr bin bash ixr bin df ixr bin grep ixr bin mount Ux bin sed ixr dev bus usb r dev bus usb r dev null w dev tty rw dev urandom r etc SuSE release r etc ld so cache r e...

Page 94: ...ccess_log w var run utmp kr 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root 4 Restart Apache by entering rcapache2 restart at a terminal window as root 5 Enter http hostname phpsysinfo into a browser to receive the system information that phpsysinfo delivers 6 Locate configuration errors by going to var log audit audit log or running dmesg and looking ...

Page 95: ...Monitoring Your Secured Applications Applications that are confined by Novell AppArmor security profiles generate messages when applications execute in unexpected ways or outside of their specified profile These messages can be monitored by event notification periodic report generation or integration into a third party reporting mechanism For reporting and alerting AppArmor uses a userspace daemon...

Page 96: ...s 6 2 Configuring Security Event Notification Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs Activate it by selecting a notification frequency receiving daily notification for example Enter an e mail address so you can be noti fied by e mail when Novell AppArmor security events occur Select one of the following notification t...

Page 97: ...ee Section aa logprof Scanning the System Log page 67 uses to interpret profiles For example type APPARMOR_DENIED msg audit 1189428793 218 2880 operation file_permission requested_mask w denied_mask w name var log apache2 error_log pid 22969 profile usr sbin httpd2 prefork NOTE You must set up a mail server that can send outgoing mail using the SMTP protocol for example postfix or exim for event n...

Page 98: ...ect the lowest severity level for which a notification should be sent Security events are logged and the notifications are sent at the time indicated by the interval when events are equal to or greater than the selected severity level If the interval is 1 day the notification is sent daily if security events occur NOTE Severity Levels Novell AppArmor sends out event messages for things that are in...

Page 99: ...lity by enhancing the way users can view security event data The reporting tool performs the following Creates on demand reports Exports reports Schedules periodic reports for archiving E mails periodic reports Filters report data by date Filters report data by other options such as program name Using reports you can read important Novell AppArmor security events reported in the log files without ...

Page 100: ...e details refer to Section Ap plication Audit Report page 97 Security Incident Report A report that displays application security for a single host It reports policy viola tions for locally confined applications during a specific time period You can edit and customize this report or add new versions For more details refer to Section Security Incident Report page 99 To use the Novell AppArmor repor...

Page 101: ...cted report type If you select a secu rity incident report it can be further filtered in various ways For Run Now instructions proceed to Section 6 3 2 Run Now Running On Demand Reports page 102 Add Creates a scheduled security incident report For Add instructions proceed to Section 6 3 3 Adding New Reports page 105 Edit Edits a scheduled security incident report Delete Deletes a scheduled securit...

Page 102: ...ion of a collection of reports from one or more systems including the ability to filter by date or names of programs accessed and display them all together in one report 1 From the AppArmor Security Event Report window select View Archive 2 Select the report type to view Toggle between the different types SIR Security Incident Report App Aud Application Audit and ESS Executive Security Summary 94 ...

Page 103: ...rt file listed in the Report field then select View 5 For Application Audit and Executive Security Summary reports proceed to Step 9 page 97 6 The Report Configuration Dialog opens for Security Incident reports 7 The Report Configuration dialog enables you to filter the reports selected in the previous screen Enter the desired filter details The fields are Date Range To display reports for a certa...

Page 104: ...bove are then included in the reports Detail A source to which the profile has denied access This includes capabilities and files You can use this field to report the resources to which profiles prevent access Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Mode The Mode is the permission that the profile gra...

Page 105: ...fer the following sections for detailed information about each type of report For the application audit report refer to Section Application Audit Report page 97 For the security incident report refer to Section Security Incident Report page 99 For the executive summary report refer to Section Executive Security Summary page 101 Application Audit Report An application audit report is an auditing to...

Page 106: ...e executing process Profile The absolute name of the security profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process State This field reveals whether the program listed in the program field is confined If it is not confined you might consider creating a profile for it 98 Nove...

Page 107: ...wo types of security events are defined as follows Policy Exceptions When an application requests a resource that is not defined within its profile a se curity event is triggered A report is generated that displays security events of interest to an administrator The SIR reports policy violations for locally confined applica tions during the specified time period The SIR reports policy exceptions a...

Page 108: ...ity profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Severity Severity levels of events are reported from the severity database The severity database defines the importance of potential security events and numbers them 1 through 10 10 being the most severe security inci...

Page 109: ... report the resources to which the profile prevents access Access Type The access type describes what is actually happening with the security event The options are PERMITTING REJECTING or AUDITING Executive Security Summary A combined report consisting of one or more high level reports from one or more ma chines This report can provide a single view of security events on multiple machines if each ...

Page 110: ... Unknown severities are disregarded in this figure High Sev This is the severity of the highest severity event reported in the date range given 6 3 2 Run Now Running On Demand Reports The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events If you need help navigating to the main report screen see Sectio...

Page 111: ...Program Name When you enter a program name or pattern that matches the name of the bi nary executable for the program of interest the report displays security events that have occurred for the specified program only Profile Name When you enter the name of the profile the report displays the security events that are generated for the specified profile You can use this to see what is confined by a s...

Page 112: ...separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table oriented applications Enter a path for your exported report by typing in the full path in the field provided Location to Store Log Enables you to change the location that the exported report is stored The default location is var log apparmor repor...

Page 113: ...onthly or hourly report to run for a specified pe riod You can set the report to display rejections for certain severity levels or to filter by program name profile name severity level or denied resources This report can be exported to an HTML Hypertext Markup Language or CSV Comma Separated Values file format NOTE Return to the beginning of this section if you need help navigating to the main rep...

Page 114: ...ected the report runs daily at the specified time E Mail Target You have the ability to send the scheduled security incident report via e mail to up to three recipients Just enter the e mail addresses for those who require the security incident information Export Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entrie...

Page 115: ... events You can use this to see what is being confined by a specific profile PID Number A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Detail A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent acc...

Page 116: ...ting Reports From the AppArmor Reports screen you can select and edit a report The three pre configured reports stock reports cannot be edited or deleted NOTE Return to the beginning of this section if you need help navigating to the main report screen see Section 6 3 Configuring Reports page 91 Perform the following steps to modify a report from the list of reports 1 From the list of reports in t...

Page 117: ...e the ability to send the scheduled security incident report via e mail to up to three recipients Just enter the e mail addresses for those who require the security incident information Export Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into table ori...

Page 118: ...is to see what is being confined by a specific profile PID Number Process ID number is a number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Detail A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent acce...

Page 119: ...follow these instructions 1 To remove a report from the list of reports highlight the report and click Delete 2 From the confirmation pop up select Cancel if you do not want to delete the selected report If you are sure you want to remove the report permanently from the list of reports select Delete 6 4 Configuring and Using the AppArmor Desktop Monitor Applet The Linux audit framework contains a ...

Page 120: ... at the command line or the Update Profile Wizard in Novell AppArmor to update your profile If the rejected action is not part of normal application behavior this access should be considered a possible intrusion attempt that was prevented and this notification should be passed to the person responsible for security within your organization 6 6 Maintaining Your Security Profiles In a production env...

Page 121: ...or refer to Section 3 3 Editing Profiles page 38 6 6 3 Introducing New Software into Your Environment When you add a new application version or patch to your system you should always update the profile to fit your needs You have several options that depend on your company s software deployment strategy You can deploy your patches and upgrades into a test or production environment The following exp...

Page 122: ...uld be added to the profile and update as needed using aa logprof For detailed instructions refer to Section aa logprof Scanning the System Log page 67 Run the YaST Update Profile Wizard to learn the new behavior high security risk as all accesses are allowed and logged not rejected For step by step instructions refer to Section 3 5 Updating Profiles from Log Entries page 44 114 Novell AppArmor Ad...

Page 123: ...cement requests for Novell AppArmor following the instructions in this chapter 7 1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for openSUSE Retrieve and apply them exactly like for any other package that ships as part of openSUSE 7 2 Using the Man Pages There are man pages available for your use In a terminal enter man appar...

Page 124: ...h level concepts 7 Administrator commands 8 The section numbers are used to distinguish man pages from each other For example exit 2 describes the exit system call while exit 3 describes the exit C library function The Novell AppArmor man pages are unconfined 8 autodep 1 complain 1 enforce 1 genprof 1 logprof 1 change_hat 2 logprof conf 5 116 Novell AppArmor Administration Guide ...

Page 125: ...ell com mailto apparmor general forge novell com This is a mailing list for end users of AppArmor It is a good place for questions about how to use AppArmor to protect your applications apparmor dev forge novell com mailto apparmor dev forge novell com This is a developer mailing list for AppArmor developers and community members This list is for questions about development of core AppArmor featur...

Page 126: ... restricted by AppArmor update your profile to properly handle your use case of the application Do this with the Update Profile Profile Wizard in YaST as described in Section 3 5 Updating Profiles from Log Entries page 44 If you decide to run your application or service without AppArmor protection remove the application s profile from etc apparmor d or move it to another location 7 4 2 My Profiles...

Page 127: ...ge 14 might cause application misbehavior or even stop applications from working If you notice a network related application behaving strangely check the log file under var log audit audit log for entries like the following type APPARMOR_DENIED msg audit 1188894313 206 9123 operation socket_create family inet sock_type raw protocol 1 pid 23810 profile bin ping This log entry means that our example...

Page 128: ...ched by the asterisk but as foo is a file or directory under dir it cannot be accessed proc net r To get the same behavior using the new syntax you need two rules instead of one The first allows access to file under proc net and the second allows access to directories under proc net Directory access can only be used for listing the contents not to actually access files or directories underneath th...

Page 129: ...old syntax this rule would have applied to both files and directories proc net foo r proc net foo r proc net foo bar r To find and resolve issues related to syntax changes take some time after the update to check the profiles you want to keep and proceed as follows for each application you kept the profile for 1 Make sure that AppArmor is running and that the application s profile is loaded 2 Star...

Page 130: ... and AppArmor cannot distinguish an individual application s process from the rest create one huge profile to confine the entire desktop all at once This approach is only feasible if your setup is a very limited kiosk type one Maintaining such a profile for a standard KDE desktop including all of its applications would be close to impossible Modify KDE s process handling Use KDE_EXEC_SLAVES 1 and ...

Page 131: ...sider the mail size limits and check the archives if e mails have not been received 7 4 6 How to Exclude Certain Profiles from the List of Profiles Used AppArmor always loads and applies all profiles that are available in its profile directory etc apparmor d If you decide not to apply a profile to a certain application delete the appropriate profile or move it to another location where AppArmor wo...

Page 132: ...or d usr sbin squid failed to load failed Using the AppArmor YaST tools a graphical error message indicates which profile contained the error and requests you to fix it To fix a syntax error log in to a terminal window as root open the profile and correct the syntax Reload the profile set with rcapparmor reload 7 5 Reporting Bugs for AppArmor The developers of AppArmor are eager to deliver product...

Page 133: ...iven product and keyword or use the Advanced Search 4 If your problem has already been reported check this bug report and add extra information to it if necessary 5 If your problem has not been reported yet select New from the top navigation bar and proceed to the Enter Bug page 6 Select the product against which to file the bug In your case this would be your product s release Click Submit 7 Sele...

Page 134: ......

Page 135: ...mentation Defcon Capture the Flag Defending Vulnerable Code from Intense Attack by Crispin Cowan Seth Arnold Steve Beattie Chris Wright and John Viega A good guide to strategic and tactical use of Novell AppArmor to solve severe se curity problems in a very short period of time Published in the Proceedings of the DARPA Information Survivability Conference and Expo DISCEX III April 2003 Washington ...

Page 136: ......

Page 137: ... you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all...

Page 138: ...ot apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section...

Page 139: ... in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is ...

Page 140: ...pyright disclaimer for the program if necessary Here is a sample alter the names Yoyodyne Inc hereby disclaims all copyright interest in the program Gnomovision which makes passes at compilers written by James Hacker signature of Ty Coon 1 April 1989 Ty Coon President of Vice This General Public License does not permit incorporating your program into proprietary programs If your program is a subro...

Page 141: ...t if used for any substantial amount of text A copy that is not Transparent is called Opaque Examples of suitable formats for Transparent copies include plain ASCII without markup Texinfo input format LaTeX input format SGML or XML using a publicly available DTD and standard conforming simple HTML PostScript or PDF designed for human modification Examples of transparent image formats include PNG X...

Page 142: ...ons and required Cover Texts given in the Document s license notice H Include an unaltered copy of this License I Preserve the section Entitled History Preserve its Title and add to it an item stating at least the title year new authors and publisher of the Modified Version as given on the Title Page If there is no section Entitled History in the Document create one stating the title year authors ...

Page 143: ...opies of the Document then if the Document is less than one half of the entire aggregate the Document s Cover Texts may be placed on covers that bracket the Document within the aggregate or the electronic equivalent of covers if the Document is in electronic form Otherwise they must appear on printed covers that bracket the whole aggregate TRANSLATION Translation is considered a kind of modificati...

Page 144: ...ack Cover Texts replace the with Texts line with this with the Invariant Sections being LIST THEIR TITLES with the Front Cover Texts being LIST and with the Back Cover Texts being LIST If you have Invariant Sections without Cover Texts or some other combination of the three merge those two alternatives to suit the situation If your document contains nontrivial examples of program code we recommend...

Page 145: ...ally malicious activity By not relying on attack signatures Novell AppArmor provides proactive instead of reactive defense from attacks This is better because there is no window of vulnerability where the attack signature must be defined for Novell AppArmor as it does for products using attack signatures to secure their networks GUI Graphical user interface Refers to a software front end meant to ...

Page 146: ...d access control Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read write and execute This ensures that each program does what it is supposed to do and nothing else URI Universal resource identifier The generic term for all types of names and addresses that refer to objects on the World Wide Web A URL is one kind of UR...

Page 147: ...weaknesses or flaws in hardware firmware or software If ex ploited a vulnerability could lead to an unacceptable impact in the form of unau thorized access to information or disruption of critical processing Glossary 139 ...

Page 148: ......