Novell APPARMOR 1.2 ADMINISTRATION GUIDE

Download

Novell AppArmor

www.novell.com

1.2 09/29/2005

Novell AppArmor Powered by Immunix 1.2 Administration Guide

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specically disclaims any express or implied warranties of merchantability or tness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specically disclaims any express or implied warranties of merchantability or tness for any particular purpose. Further, Novell, Inc. reserves the right to make changes toany and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not use, export, or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2000 - 2004, 2005 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/

legal/patents/ and one or more additional patents or pending patent applications in the U.S.

and in other countries.

Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.

Novell Trademarks

AppArmor is a registered trademark of Novell, Inc. in the United States and other countries. Immunix is a trademark of Novell, Inc. in the United States and other countries. Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE LINUX Products GmbH, a Novell business.

Third-Party Materials

All third-party trademarks are the property of their respective owners. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Contents

Introduction to Novell AppArmor vii

1 Immunizing Programs 13

2 Selecting Programs to Immunize 15

2.1 Immunize Programs That Grant Privilege . . . . . . . . . . . . . . . 15

2.2 Inspect Open Ports to Immunize Programs . . . . . . . . . . . . . . 16

3 Building Novell AppArmor Proles 21

3.1 Prole Components and Syntax . . . . . . . . . . . . . . . . . . . 21

3.2 Building and Managing Novell AppArmor Proles . . . . . . . . . . . 24

3.3 Building Novell AppArmor Proles with the YaST GUI . . . . . . . . . . 26

3.4 Building Novell AppArmor Proles Using the Command Line Interface . . 49

3.5 Two Methods of Proling . . . . . . . . . . . . . . . . . . . . . . 54

3.6 Pathnames and Globbing . . . . . . . . . . . . . . . . . . . . . . 73

3.7 File Permission Access Modes . . . . . . . . . . . . . . . . . . . . 74

4 Managing Proled Applications 77

4.1 Monitoring Your Secured Applications . . . . . . . . . . . . . . . . 77

4.2 Setting Up Event Notication . . . . . . . . . . . . . . . . . . . . 78

4.3 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

4.4 Reacting to Security Events . . . . . . . . . . . . . . . . . . . . 102

4.5 Maintaining Your Security Proles . . . . . . . . . . . . . . . . . 103

5 Proling Your Web Applications Using ChangeHat Apache 105

5.1 Apache ChangeHat . . . . . . . . . . . . . . . . . . . . . . . . 106

5.2 Apache Conguration for mod_change_hat . . . . . . . . . . . . . 113

6 Support 117

6.1 Updating Novell AppArmor Online . . . . . . . . . . . . . . . . . 117

6.2 Using the Man Pages . . . . . . . . . . . . . . . . . . . . . . . 117

6.3 For More Information . . . . . . . . . . . . . . . . . . . . . . 119

6.4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . 119

6.5 Support for SUSE Linux . . . . . . . . . . . . . . . . . . . . . . 121

6.6 Reporting Bugs for AppArmor . . . . . . . . . . . . . . . . . . . 126

Glossary 129

Introduction to Novell AppArmor

Novell® AppArmor Powered by Immunix is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which les the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so can prevent attacks even if they are exploiting previously unknown vulnerabilities.

Novell AppArmor consists of:

• A library of AppArmor proles for common Linux* applications describing what les the program needs to access.

• A library of AppArmor prole foundation classes (prole building blocks) needed for common application activities, such as DNS lookup and user authentication.

• A tool suite for developing and enhancing AppArmor proles, so that you can change the existing proles to suit your needs and create new proles for your own local and custom applications.

• Several specially modied applications that are AppArmor enabled to provide enhanced security in the form of unique subprocess connement, including Apache.

• The Novell AppArmor–loadable kernel module and associated control scripts to enforce AppArmor policies on your SUSE® Linux system.

NOTE

Some distributions of SUSE Linux include a version of AppArmor that enforce policies for a limited set of programs. These policies can be modied to suit your particular environment using the included AppArmor tool set. To create AppArmor proles for additional programs, an upgrade to the full version of AppArmor is required.

1 Documentation Conventions

The following typographical conventions are used in this manual:

Menu Items, Field Names, and Screen Titles in GUIs

When using GUIs, eld names, menu and screen titles, and eld values are shown as File.

Keys

Key names are listed as they appear on your keyboard, as in Enter and Esc .

Command

Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type the word or phrase on the command line and press Enter to run the command.

Example 1

To use ls to view the contents in the current directory, enter ls in a terminal window.

Filename

Filenames, directory names, paths, and RPM package names are represented this way. This style should indicate that a particular le or directory exists by that name on your Linux system.

Placeholders

Replace placeholder with the actual value that matches your setup.

Examples, Notes, and Warnings

Examples use Example: when appropriate. Notes and pertinent information are shown with a Note or Warning ag, as in:

NOTE

Notes highlight information that might help better understand previous paragraphs. Warnings provide important information that might seriously affect the integrity of the product or your data.

Command Environment

viii

Computer Output

When you see text in this style, it indicates text displayed by the computer on the command line. You see responses to typed commands, error messages, and interactive prompts for your input during scripts or programs shown this way.

Example 2

Use the ls command to display the contents of a directory:

$ ls Desktop about.html logs Mail backupfiles mail

Trademarks

A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.

Computer Output

2 Understanding This Guide

Immunizing Programs

Describes operation of Novell AppArmor Powered by Immunix.

Selecting Programs to Immunize

Describes the types of programs that should have Novell AppArmor proles created for them.

Building Novell AppArmor Proles

Describes how to use the Novell AppArmor tools to immunize your own programs and third-party programs that you may have installed on your SUSE Linux system. It also helps you to add, edit, or delete proles that have been created for your applications.

Managing Proled Applications

Describes how to perform Novell AppArmor prole maintenance, which involves tracking common issues and concerns.

Proling Your Web Applications Using ChangeHat Apache

Enables you to create subproles for the Apache Web server that allow you to tightly conne small sections of Web application processing.

Introduction to Novell AppArmor ix

Support

Indicates support options for this product.

Glossary

Provides a list of terms and their denitions.

3 Getting Started with Novell

AppArmor

Novell AppArmor Powered by Immunix (Novell AppArmor) provides you with technologies to protect your applications from their own vulnerabilities by creating Novell AppArmor proles for applications on your SUSE Linux system.

3.1 Launching Novell AppArmor through the YaST GUI

SUSE Linux offers the utility YaST. Using YaST, you can launch the Novell AppArmor interface. This is the recommended method for a novice Linux user. For the other available methods, refer to Section 3.2, “Building and Managing Novell AppArmor

Proles” (page 24).

To start YaST, select System → Control Center (YaST) from the SUSE menu.

•

YaST is launched as shown in Section 3.2, “Novell AppArmor Basics” (page x), below. You can refer to this section to navigate in Novell AppArmor.

NOTE

Alternately, you can launch the YaST GUI by opening a terminal window then entering yast2 while logged in as root.

3.2 Novell AppArmor Basics

Novell AppArmor enables you to manage proles through a simple user interface.

In the YaST Control Center, click Novell AppArmor in the left pane. The right from then shows the different Novell AppArmor conguration option. Select the appropriate Novell AppArmor conguration option by clicking the corresponding icon.

Depending on the conguration option you select, refer to one of the following locations in this guide:

Add Prole Wizard

For detailed steps, refer to Section 3.3.1, “Adding a Prole Using the Wizard” (page 27).

AppArmor Reports

For detailed steps, refer to Section 4.3, “Reports” (page 81).

Edit Prole

Edit an existing Novell AppArmor prole on your system. For detailed steps, refer to Section 3.3.3, “Editing a Prole” (page 39).

Update Prole Wizard

For detailed steps, refer to Section 3.3.5, “Updating Proles from Syslog Entries” (page 42).

Introduction to Novell AppArmor xi

AppArmor Control Panel

For detailed steps, refer to Section 3.3.6, “Managing Novell AppArmor and Secu-

rity Event Status” (page 47).

Delete Prole

Delete an existing Novell AppArmor prole from your system. For detailed steps, refer to Section 3.3.4, “Deleting a Prole” (page 41).

Manually Add Prole

Add a Novell AppArmor prole for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Prole” (page 34).

xii

Immunizing Programs

Novell® AppArmor provides immunization technologies that protect SUSE Linux applications from the inherent vulnerabilities they possess. After installing Novell AppArmor, setting up Novell AppArmor proles and rebooting the computer, your system becomes immunized because it begins to enforce the Novell AppArmor security policies. Protecting programs with Novell AppArmor is referred to as immunizing.

Novell AppArmor sets up a collection of default application proles to protect standard Linux services. To protect other applications, use the Novell AppArmor tools to create proles for the applications that you want protected. This chapter introduces you to the philosophy of immunizing programs. Proceed to Chapter 3, Building Novell AppArmor

Proles (page 21) if you are ready to build and manage Novell AppArmor proles.

Novell AppArmor provides streamlined access control for network services by specifying which les each program is allowed to read, write, and execute. This ensures that each program does what it is supposed to do and nothing else.

Novell AppArmor is host intrusion prevention, or a mandatory access control scheme, that is optimized for servers. Previously, access control schemes were centered around users because they were built for large timeshare systems. Alternatively, modern network servers largely do not permit users to log in, but instead provide a variety of network services for users, such as Web, mail, le, and print. Novell AppArmor controls the access given to network services and other programs to prevent weaknesses from being exploited.

Immunizing Programs 13

Selecting Programs to Immunize

Novell® AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process. You should inspect your ports to see which programs should be proled (refer to Section 2.2, “Inspect Open Ports to Immunize Pro-

grams” (page 16)) and prole all programs that grant privilege (Section 2.1, “Immunize Programs That Grant Privilege” (page 15)).

2.1 Immunize Programs That Grant Privilege

Programs that need proling are those that mediate privilege. The following programs have access to resources that the person using the program does not have, so they grant the privilege to the user when used:

cron jobs

Programs that are run periodically by cron. Such programs read input from a variety of sources and can run with special privileges, sometimes with as much as root privilege. For example, cron can run /usr/bin/updatedb daily to keep the locate database up to date with sufcient privilege to read the name of every le in the system. For instructions for nding these types of programs, refer to Sec-

tion 2.2.1, “Immunizing Cron Jobs” (page 18).

Web Applications

Programs that can be invoked through a Web browser, including CGI Perl scripts, PHP pages, and more complex Web applications. For instructions on nding these

Selecting Programs to Immunize 15

types of programs, refer to Section 2.2.2, “Immunizing Web Applications” (page 18).

Network Agents

Programs (servers and clients) that have open network ports. User clients such as mail clients and Web browsers, surprisingly, mediate privilege. These programs run with the privilege to write to the user's home directories and they process input from potentially hostile remote sources, such as hostile Web sites and e-mailed malicious code. For instructions on nding these types of programs, refer to Sec-

tion 2.2.3, “Immunizing Network Agents” (page 20).

Conversely, unprivileged programs do not need to be proled. For instance, a shell script might invoke the cp program to copy a le. Because cp does not have its own prole, it inherits the prole of the parent shell script, so can copy any les that the parent shell script's prole can read and write.

2.2 Inspect Open Ports to Immunize Programs

An automated method for nding network server daemons that should be proled is to use the unconned tool. You can also simply view a report of this information in the YaST GUI (refer to Section “Application Audit Report” (page 88) for instructions).

The unconned tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor proles that you have loaded. Unconned then reports these programs along with the Novell AppArmor prole associated with each program, or reports “none” if the program is not conned.

NOTE

If you create a new prole, you must restart the program that has been proled for unconned to detect and report the new proled state.

Below is a sample unconned output:

2325 /sbin/portmap not confined

3702❶ /usr/sbin/sshd❷ confined by '/usr/sbin/sshd❸ (enforce)'

4040 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'

4373 /usr/lib/postfix/master confined by '/usr/lib/postfix/master (enforce)' 4505 /usr/sbin/httpd2-prefork confined by '/usr/sbin/httpd2-prefork (enforce)' 5274 /sbin/dhcpcd not confined 5592 /usr/bin/ssh not confined 7146 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (complain)'

The rst portion is a number. This number is the process ID number (PID) of the

❶

listening program.

The second portion is a string that represents the absolute path of the listening

❷

program

The nal portion indicates the prole conning the program, if any.

❸

NOTE

Unconned requires root privileges and should not be run from a shell that is conned by an AppArmor prole.

Unconned does not distinguish between one network interface and another, so it reports all unconned processes, even those that might be listening to an internal LAN interface.

Finding user network client applications is dependent on your user preferences. The unconned tool detects and reports network ports opened by client applications, but only those client applications that are running at the time the unconned analysis is performed. This is a problem because network services tend to be running all the time, while network client applications tend only to be running when the user is interested in them.

Applying Novell AppArmor proles to user network client applications is also dependent on user preferences, and Novell AppArmor is intended for servers rather than workstations. Therefore, we leave proling of user network client applications as an exercise for the user.

To aggressively conne desktop applications, the unconned command supports a paranoid option, which reports all processes running and the corresponding AppArmor proles that might or might not be associated with each process. The unconned user can then decide whether each of these programs needs an AppArmor prole.

Additional proles can be traded with other users and with the Novell® security development team on the user mailing list at http://mail.wirex.com/mailman/

listinfo/immunix-users.

Selecting Programs to Immunize 17

2.2.1 Immunizing Cron Jobs

To nd programs that are run by cron, you need to inspect your local cron conguration. Unfortunately, cron conguration is rather complex, so there are numerous les to inspect. Periodic cron jobs are run from these les:

/etc/crontab /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*

For root's cron jobs, you can edit the tasks with crontab -e and list root's cron tasks with crontab -l. You must be root for these to work.

Once you nd these programs, you can use the Add Prole Wizard to create proles for them. Refer to Section 3.3.1, “Adding a Prole Using the Wizard” (page 27).

2.2.2 Immunizing Web Applications

To nd Web applications, you should investigate your Web server conguration. The Apache Web server is highly congurable and Web applications can be stored in many directories, depending on your local conguration. SUSE Linux,by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have an Novell AppArmor prole.

Once you nd these programs, you can use the AppArmor Add Prole Wizard to create proles for them. Refer to Section 3.3.1, “Adding a Prole Using the Wizard” (page 27).

CGI Programs and Subprocess Connement in Web Applications

Because CGI programs are executed by the Apache Web server, the prole for Apache itself usr.sbin.httpd2-prefork (for Apache2 on SUSE Linux) must be modied to add execute permissions to each of these programs. For instance, adding the line /srv/www/cgi-bin/my_hit_counter.pl rpx grants Apache permission to execute the Perl script my_hit_counter.pl and requires that there be a dedicated prole for my_hit_counter.pl. If my_hit_counter.pl does not have a ded-

icated prole associated with it, the rule should say

/srv/www/cgi-bin/my_hit_counter.pl rix to cause my_hit_counter .pl to inherit the usr.sbin.httpd2-prefork prole.

Some users might nd it inconvenient to specify execute permission for every CGI script that Apache might invoke. Instead, the administrator can grant controlled access to collections of CGI scripts. For instance, adding the line /srv/www/cgi-bin/*.{pl,py,pyc} rix allows Apache to execute all les in /srv/www/cgi-bin/ ending in .pl (Perl scripts) and .py or .pyc (Python scripts). As above, the ix part of the rule causes the Python scripts to inherit the Apache prole, which is appropriate if you do not want to write individual proles for each Python script.

NOTE

If you want the subprocess connement module (mod_change_hat) functionality when Web applications handle Apache modules (mod_perl and mod _php), use the ChangeHat features when you add a prole in YaST or at the command line. To take advantage of the subprocess connement, refer to

Section 5.1, “Apache ChangeHat” (page 106).

Proling Web applications that use mod_perl and mod_php require slightly different handling. In this case, the “program” is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() naming a subprole (a “hat”) corresponding to the name of the URI requested.

NOTE

The name presented for the script to execute might not be the URI, depending on how Apache has been congured for where to look for module scripts. If you have congured your Apache to place scripts in a different place, the different names appear in syslog when Novell AppArmor complains about access violations. See Chapter 4, Managing Proled Applications (page 77).

For mod_perl and mod_php scripts, this is the name of the Perl script or the PHP page requested. For example, adding this subprole allows the localtime.php page to execute and access the local system time:

Selecting Programs to Immunize 19

/usr/sbin/httpd2-prefork^/cgi-bin localtime.php { /etc/localtime r, /srv/www/cgi-bin/localtime.php r, /usr/lib/locale/** r, }

If no subprole has been dened, the Novell AppArmor version of Apache applies the DEFAULT_URI hat. This subprole is basically sufcient to display an HTML Web page. The DEFAULT_URI hat that Novell AppArmor provides by default is the following:

/usr/sbin/suexec2 ixr, /var/log/apache2/** rwl, /home/*/public_html/** r, /srv/www/htdocs/** r, /srv/www/icons/*.{gif,jpg,png} r, /usr/share/apache2/** r,

If you want a single Novell AppArmor prole for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprole.

2.2.3 Immunizing Network Agents

To nd network server daemons that should be proled, you should inspect the open ports on your machine, consider the programs that are answering on those ports, and provide proles for as many of those programs as possible. If you provide proles for all programs with open network ports, an attacker cannot get to the le system on your machine without passing through a Novell AppArmor prole policy.

Scan your server for open network ports manually from outside the machine using a scanner, such as nmap, or from inside the machine using netstat. Then inspect the machine to determine which programs are answering on the discovered open ports.

Building Novell AppArmor Proles

This chapter explains how to build and manage Novell® AppArmor proles. You are ready to build Novell AppArmor proles after you select the programs to prole. For help with this, refer to Chapter 2, Selecting Programs to Immunize (page 15).

3.1 Prole Components and Syntax

This section details the syntax or makeup of Novell AppArmor proles. An example illustrating this syntax is presented in Section 3.1.1, “Breaking a Novell AppArmor

Prole into Its Parts” (page 21).

3.1.1 Breaking a Novell AppArmor Prole into Its Parts

Novell AppArmor prole components are called Novell AppArmor rules. Currently there are two main types of Novell AppArmor rules, path entries and capability entries. Path entries specify what the process can access in the le system and capability entries provide a more ne-grained control over what a conned process is allowed to do through other system calls that require privileges. Includes are a type of meta rule or directives that pull in path and capability entries from other les.

The easiest way of explaining what a prole consists of and how to create one is to show the details of a sample prole. Consider, for example, the following prole for the program /sbin/klogd:

Building Novell AppArmor Proles 21

# profile to confine klogd❶ /sbin/klogd ❷ {❸ #include <abstractions/base>❹ capability sys_admin,❺ /boot/* r❻,

/proc/kmsg r, /sbin/klogd r, /var/run/klogd.pid lw, }

A comment naming the program that is conned by this prole. Always precede

❶

comments like this with the # sign.

The absolute path to the program that is conned.

❷

The curly braces {} serve as a container for include statements of other proles

❸

as well as for path and capability entries.

This directive pulls in components of Novell AppArmor proles to simplify pro-

❹

les.

Capability entry statements enable each of the 29 POSIX.1e draft capabilities.

❺

A path entry specifying what areas of the le system the program can access. The

❻

rst part of a path entry species the absolute path of a le (including regular expression globbing) and the second part indicates permissible access modes (r for read, w for write, and x for execute). A white space of any kind (spaces or tabs) can precede pathnames or separate the pathname from the access modes. White space between the access mode and the trailing comma is optional.

When a prole is created for a program, the program can access only the les, modes, and POSIX capabilities specied in the prole. These restrictions are in addition to the native Linux access controls.

Example: To gain the capability CAP_CHOWN, the program must have both access to CAP_CHOWN under conventional Linux access controls (typically, be a root-owned process) and have capability chown in its prole. Similarly, to be able to write to the le /foo/bar the program must have both the correct user ID and mode bits set in the les attributes (see the chmod and chown man pages) and have /foo/bar w in its prole.

Attempts to violate Novell AppArmor rules are recorded in syslog. In many cases, Novell AppArmor rules prevent an attack from working because necessary les are not

accessible and, in all cases, Novell AppArmor connement restricts the damage that the attacker can do to the set of les permitted by Novell AppArmor.

3.1.2 #include

#include statements are directives that pull in components of other Novell AppArmor proles to simplify proles. Include les fetch access permissions for programs. By using an include, you can give the program access to directory paths or les that are also required by other programs. Using includes can reduce the size of a prole.

By default, the #include statement appends /etc/subdomain.d/, which is where it expects to nd the include le, to the beginning of the pathname. Unlike other prole statements (but similar to C programs), #include lines do not end with a comma.

To assist you in proling your applications, Novell AppArmor provides two classes of #includes, abstractions, and program chunks.

Abstractions

Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting. Files listed in these abstractions are specic to the named task; programs that require one of these les usually require some of the other les listed in the abstraction le (depending on the local conguration as well as the specic requirements of the program). Abstractions can be found in /etc/subdomain.d/abstractions/.

Program Chunks

Program chunks are access controls for specic programs that a system administrator might want to control based on local site policy. Each chunk is used by a single program. These are provided to ease local-site modications to policy and updates to policy provided by Novell AppArmor. Administrators can modify policy in these les to suit their own needs and leave the program proles unmodied, simplifying the task of merging policy updates from Novell AppArmor into enforced policy at each site.

Building Novell AppArmor Proles 23

The access restrictions in the program chunks are typically very liberal and are designed to allow your users access to their les in the least intrusive way possible while still allowing system resources to be protected. An exception to this rule is the postfix* series of program chunks. These proles are used to help abstract the location of the postx binaries. You probably do not want to reduce the permissions in the postfix* series. Programchunks can be found in /etc/subdomain.d/program-chunks/ .

3.1.3 Capability Entries (POSIX.1e)

Capabilities statements are simply the word “capability” followed by the name of the POSIX.1e capability as dened in the capabilities(7) man page.

3.2 Building and Managing Novell AppArmor Proles

There are three ways you can build and manage Novell AppArmor proles, depending on the type of computer environment you prefer. You can use the graphical YaST interface (YaST GUI), the text-based YaST ncurses mode (YaST ncurses), or the command line interface. All three options are effective for creating and maintaining proles while offering need-based options for users.

The command line interface requires knowledge of Linux commands and using terminal windows. All three methods use specialized Novell AppArmor tools for creating the proles so you do not need to do it manually, which would be quite time consuming.

3.2.1 Using the YaST GUI

To use the YaST GUI for building and managing Novell AppArmor proles, refer to

Section 3.3, “Building Novell AppArmor Proles with the YaST GUI” (page 26).

3.2.2 Using YaST ncurses

YaST ncurses can be used for building and managing Novell AppArmor proles and is better suited for users with limited bandwidth connections to their server. Access YaST ncurses by typing yast while logged in to a terminal window or console as root. YaST ncurses has the same features as the YaST GUI.

Refer to the instructions in Section 3.3, “Building Novell AppArmor Proles with the

YaST GUI” (page 26) to build and manage Novell AppArmor proles in YaST

ncurses, but be aware that the screens look different but function similarly.

3.2.3 Using the Command Line Interface

The command line interface requires knowledge of Linux commands and using terminal windows. To use the command line interface for building and managing Novell AppArmor proles, refer to Section 3.4, “Building Novell AppArmor Proles Using the

Command Line Interface” (page 49).

The command line interface offers access to a few tools that are not available using the other Novell AppArmor managing methods:

complain

Sets proles into complain mode. Set it back to enforce mode when you want the system to begin enforcing the rules of the proles, not just logging information. For more information about this tool, refer to Section “Complain or Learning Mode” (page 58).

enforce

Sets proles back to enforce mode and the system begins enforcing the rules of the proles, not just logging information. For more information about this tool, refer to Section “Enforce Mode” (page 59).

unconned

Performs a server audit to nd processes that are running and listening for network connections then reports whether they are proled.

autodep

Generates a prole skeleton for a program and loads it into the Novell AppArmor module in complain mode.

Building Novell AppArmor Proles 25

3.3 Building Novell AppArmor Proles with the YaST GUI

Open the YaST GUI displays from the SUSE menu with System → YaST → Novell AppArmor. Novell AppArmor opens in the YaST interface as shown below:

NOTE

You can also access the YaST GUI by opening a terminal window, logging in as root, and entering yast2.

In the right frame, yousee several Novell AppArmor option icons. If Novell AppArmor does not display in the left frame of the YaST window or if the Novell AppArmor icons do not display, you might want to reinstall Novell AppArmor. The following actions are available from Novell AppArmor.

Click one of the following Novell AppArmor icons and proceed to the section referenced below:

Add Prole Wizard

For detailed steps, refer to Section 3.3.1, “Adding a Prole Using the Wizard” (page 27).

Manually Add Prole

Add a Novell AppArmor prole for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Prole” (page 34).

Edit Prole

Edits an existing Novell AppArmor prole on your system. For detailed steps, refer to Section 3.3.3, “Editing a Prole” (page 39).

Delete Prole

Deletes an existing Novell AppArmor prole from your system. For detailed steps, refer to Section 3.3.4, “Deleting a Prole” (page 41).

Update Prole Wizard

For detailed steps, refer to Section 3.3.5, “Updating Proles from Syslog Entries” (page 42).

AppArmor Reports

For detailed steps, refer to Section 4.3, “Reports” (page 81).

AppArmor Control Panel

For detailed steps, refer to Section 3.3.6, “Managing Novell AppArmor and Secu-

rity Event Status” (page 47).

3.3.1 Adding a Prole Using the Wizard

The Add Prole Wizard is designed to set up Novell AppArmor proles using the Novell AppArmor proling tools, genprof (Generate Prole) and logprof (Update Proles From Learning Mode Log File). For more information about these tools, refer to Section 3.5.3, “Summary of Proling Tools” (page 56).

Stop the application before proling it to ensure that the application start-up is

included in the prole. To do this, make sure that the application or daemon is not running prior to proling it.

Building Novell AppArmor Proles 27

For example, enter /etc/init.d/PROGRAM stop in a terminal window while logged in as root, replacing PROGRAM is the name of the program to prole.

If you have not done so already, in the YaST GUI, click Novell AppArmor →

Add Prole Wizard.

Enter the name of the application or browse to the location of the program.

Click Create. This runs a Novell AppArmor tool named autodep, which performs

a static analysis of the program to prole and loads an approximate prole into Novell AppArmor module. For more information about autodep, refer to Section

“autodep” (page 57).

The AppArmor Proling Wizard window opens.

In the background, Novell AppArmor also sets the prole to learning mode. For more information about learning mode, refer to Section “Complain or Learning

Mode” (page 58).

Run the application that is being proled.

Perform as many of the application functions as possible so learning mode can

log the les and directories to which the program requires access to function properly.

Click Scan System Log for Entries to Add to Prole to parse the learning mode

log les. This generates a series of questions that you must answer to guide the wizard in generating the security prole.

NOTE

If requests to add hats appear, proceed to Chapter 5, Proling Your Web

Applications Using ChangeHat Apache (page 105).

The questions fall into two categories:

Building Novell AppArmor Proles 29

• A resource is requested by a proled program that is not in the prole (see

Figure 3.1, “Learning Mode Exception: Controlling Access to Specic Resources” (page 30)). The learning mode exception requires you to allow or

deny access to a specic resource.

• A program is executed by the proled program and the security domain transition has not been dened (see Figure 3.2, “Learning Mode Exception:

Dening Execute Permissions for an Entry” (page 31)). The learning mode

exception requires you to dene execute permissions for an entry.

Each of these cases results in a series of questions that you must answer to add the resource to the prole or to add the program into the prole. The following two gures show an example of each case. Subsequent steps describe your options in answering these questions.

The AppArmor Proling Wizard window opens.

Figure 3.1

Learning Mode Exception: Controlling Access to Specic Resources

Figure 3.2

The Add Prole Wizard begins suggesting directory path entries that have been

accessed by the application you are proling (as seen in Figure 3.1, “Learning

Mode Exception: Controlling Access to Specic Resources” (page 30)) or requir-

ing you to dene execute permissions for entries (as seen in Figure 3.2, “Learning

Mode Exception: Dening Execute Permissions for an Entry” (page 31)).

Learning Mode Exception: Dening Execute Permissions for an Entry

For Figure 3.1, “Learning Mode Exception: Controlling Access to Specic

Resources”: From the following options, select the one that satises the re-

quest for access, which could be a suggested include, a particular globbed version of the path, or the actual pathname. Note that all of these options are not always available.

#include

The section of a Novell AppArmor prole that refers to an include le. Include les procure access permissions for programs. By using an include, you can give the program access to directory paths or les that are also required by other programs. Using includes can reduce the size of a prole. It is good practice to select includes when suggested.

Building Novell AppArmor Proles 31

Globbed Version

Accessed by clicking Glob as described in the next step. For information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing” (page 73).

Actual Pathname

Literal path that the program needs access to so that it can run properly.

For Figure 3.2, “Learning Mode Exception: Dening Execute Permissions

for an Entry”: From the following options, select the one that satises the

request for access.

Inherit

Stay in the same security prole (parent's prole).

Prole

Requires that a separate prole exists for the executed program.

Unconned

Executes the program without a security prole.

WARNING

Unless absolutely necessary, do not run unconned. Choosing the Unconned option executes the new program without any protection from AppArmor.

After you select a directory path, you need to process it as an entry into the

Novell AppArmor prole by clicking Allow or Deny. If you are not satised with the directory path entry as it is displayed, you can also Glob or Edit it.

The following options are available to process the learning mode entries and to build the prole:

Allow

Grants the program access to the specied directory path entries. The Add Prole Wizard suggests le permission access. For more information about this, refer to Section 3.7, “File Permission Access Modes” (page 74).

Deny

Click Deny to prevent the program from accessing the specied directory path entries.

Glob

Clicking this modies the directory path (by using wild cards) to include all les in the suggested entry directory. Double-clicking it grants access to all les and subdirectories beneath the one shown.

For more information about globbing syntax, refer to Section 3.6, “Pathnames

and Globbing” (page 73).

Glob w/Ext

Modies the original directory path while retaining the lename extension. A single click causes /etc/apache2/file.ext to become /etc/ apache2/*.ext, adding the wild card (asterisk) in place of the le name. This allows the program to access all les in the suggested directories that end with the .ext extension. When you double-click it, access is granted to all les (with the particular extension) and subdirectories beneath the one shown.

Edit

Enables editing of the highlighted line. The new (edited) line appears at the bottom of the list.

Abort

Aborts logprof, dumping all rule changes entered so far and leaving all proles unmodied.

Finish

Closes logprof, saving all rule changes entered so far and modifying all proles.

Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor prole.

NOTE

The number of learning mode entries corresponds to the complexity of the application.

Building Novell AppArmor Proles 33

Repeat the previous steps if you need to execute more functionality of your application.

When you are done, click Finish. In the following pop-up, click Yes to exit the Prole Creation Wizard. The prole is saved and loaded into the Novell AppArmor module.

3.3.2 Manually Adding a Prole

Novell AppArmor enables you to create a Novell AppArmor prole by manually adding entries into the prole. You simply need to select the application for which to create a prole, then add entries.

To add a prole, open YaST → Novell AppArmor. The Novell AppArmor interface

opens.

In Novell AppArmor, click Manually Add Prole (see Figure 3.3, “Manually

Adding a Prole: Select Application” (page 34)).

Figure 3.3

Browse your system to nd the application for which to create a prole.

When you nd the prole, select it and click Open. A basic, empty prole appears

in the Novell AppArmor Prole Dialog window.

Manually Adding a Prole: Select Application

In the AppArmor Prole Dialog window, you can add, edit, or delete Novell

AppArmor prole entries by clicking the corresponding buttons and referring to the following sections: Section “Adding an Entry” (page 35), Section “Editing

an Entry” (page 38), or Section “Editing an Entry” (page 38).

When you are nished, click Done.

Adding an Entry

This section explains the Add Entry option that can be found in Section 3.3.2, “Manu-

ally Adding a Prole” (page 34) or Section 3.3.3, “Editing a Prole” (page 39). When

you select Add Entry, a drop-down list displays the types of entries you can add to the Novell AppArmor prole.

From the list, select one of the following:

•

File

In the pop-up window, specify the absolute path of a le, including the type of access permitted. When nished, click OK.

Building Novell AppArmor Proles 35

You can use globbing if necessary. For globbing information, refer to Sec-

tion 3.6, “Pathnames and Globbing” (page 73). For le access permission

information, refer to Section 3.7, “File Permission Access Modes” (page 74).

Editing an Entry

This section explains the Edit Entry option that can be found in Section 3.3.2, “Manu-

ally Adding a Prole” (page 34) or Section 3.3.3, “Editing a Prole” (page 39). When

you select Edit Entry, the le browser pop-up window opens. From here, you can edit the selected entry.

In the pop-up window, specify the absolute path of a le, including the type of access permitted. You can use globbing if necessary. When nished, click OK.

For globbing information, refer to Section 3.6, “Pathnames and Globbing” (page 73). For le access permission information, refer to Section 3.7, “File Permission Access

Modes” (page 74).

Deleting an Entry

This section explains the Delete Entry option that can be found in the Section 3.3.2,

“Manually Adding a Prole” (page 34) or Section 3.3.3, “Editing a Prole” (page 39).

When you select an entry then select Delete Entry, Novell AppArmor removes the prole entry that you have selected.

3.3.3 Editing a Prole

Novell AppArmor enables you to manually edit Novell AppArmor proles by adding, editing, or deleting entries. You simply need to select the prole then add, edit, or delete entries. To edit a prole, follow these steps:

Open YaST → Novell AppArmor.

In Novell AppArmor, click Edit Prole. The Edit Prole—Choose Prole to

Edit window opens.

Building Novell AppArmor Proles 39

From the list of proled programs, select the prole to edit.

Click Next. The AppArmor Prole Dialog window displays the prole.

In the AppArmor Prole Dialog window, you can add, edit, or delete Novell

AppArmor prole entries by clicking the corresponding buttons and referring to the following sections: Section “Adding an Entry” (page 35), Section “Editing

an Entry” (page 38), or Section “Deleting an Entry” (page 39).

When you are nished, click Done.

In the pop-up that appears, click Yes to conrm your changes to the prole.

3.3.4 Deleting a Prole

Novell AppArmor enables you to delete a Novell AppArmor prole manually. You simply need to select the application for which to delete a prole then delete it as follows:

Open the YaST → Novell AppArmor. The Novell AppArmor interface displays.

In Novell AppArmor, click Delete Prole icon. The Delete Prole—Choose

Prole to Delete window opens.

Select the prole to delete.

Click Next.

Building Novell AppArmor Proles 41

In the pop-up that opens, click Yes to delete the prole.

3.3.5 Updating Proles from Syslog Entries

The Novell AppArmor Prole wizard uses logprof, the tool that scans log les and enables you to update proles. logprof tracks messages from the Novell AppArmor module that represent exceptions for all proles running on your system. These exceptions represent the behavior of the proled application that is outside of the prole denition for the program. You can add the new behavior to the relevant prole by selecting the suggested prole entry.

Open YaST → Novell AppArmor. The Novell AppArmor interface displays.

In Novell AppArmor, click Update ProleWizard. The AppArmor ProleWizard

window displays.

Running the Update Prole Wizard (logprof) parses the learning mode log les. This generates a series of questions that you must answer to guide logprof to generate the security prole.

The questions fall into two categories:

• A resource is requested by a proled program that is not in the prole (see

Figure 3.4, “Learning Mode Exception: Controlling Access to Specic Resources” (page 43)).

• A program is executed by the proled program and the security domain transition has not been dened (see Figure 3.5, “Learning Mode Exception:

Dening Execute Permissions for an Entry” (page 44)).

Each of these cases results in a question that you must answer that enables you to add the resource or program into the prole. The following two gures show an example of each case. Subsequent steps describe your options in answering these questions.

Figure 3.4

Learning Mode Exception: Controlling Access to Specic Resources

Building Novell AppArmor Proles 43

Figure 3.5

logprof begins suggesting directory path entries that have been accessed by the

application you are proling (as seen in Figure 3.4, “Learning Mode Exception:

Controlling Access to Specic Resources” (page 43)) or requiring you to dene

execute permissions for entries (as seen in Figure 3.5, “Learning Mode Exception:

Dening Execute Permissions for an Entry” (page 44)).

Learning Mode Exception: Dening Execute Permissions for an Entry

For Figure 3.4, “Learning Mode Exception: Controlling Access to Specic

Resources” (page 43): From the following options, select the one that satis-

es the request for access, which could be a suggested include, a particular globbed version of the path, or the actual pathname. Note that all of these options are not always available.

#include

The section of a Novell AppArmor prole that refers to an include le. Include les fetch access permissions for programs. By using an include, you can give the program access to directory paths or les that are also required by other programs. Using includes can reduce the size of a prole. It is good practice to select includes when suggested.

Globbed Version

Accessed by clicking Glob as described in the next step. For information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing” (page 73).

Actual Pathname

This is the literal path to which the program needs access so that it can run properly.

For Figure 3.5, “Learning Mode Exception: Dening Execute Permissions

for an Entry” (page 44): Select the one that satises the request for access

by choosing one of the following:

Inherit

stay in the same security prole (parent's prole)

Prole

requires that a separate prole exists for the executed program

Unconned

program executed without a security prole

WARNING

Unless absolutely necessary, do not run unconned. Choosing the Unconned option executes the new program without any protection from AppArmor.

After you select a directory path, you need to process it as an entry into the

Novell AppArmor prole by clicking Allow or Deny. If you are not satised with the directory path entry as it is displayed, you can also Glob or Edit it.

The following options are available to process the learning mode entries and to build the prole:

Allow

Grant the program access to the specied directory path entries. The Prole Creation Wizard suggests le permission access. For more information about this, refer to Section 3.7, “File Permission Access Modes” (page 74).

Building Novell AppArmor Proles 45

Deny

Click Deny to prevent the program from accessing the specied directory path entries.

Glob

For more information about globbing syntax, refer to Section 3.6, “Pathnames

and Globbing” (page 73).

Glob w/Ext

Modify the original directory path while retaining the lename extension. A single click causes /etc/apache2/file.ext to become /etc/ apache2/*.ext, adding the wild card (asterisk) in place of the lename. This allows the program to access all les in the suggested directories that end with the .ext extension. When you double-click it, access is granted to all les (with the particular extension) and subdirectories beneath the one shown.

Edit

Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list.

Abort

Abort logprof, dumping all rule changes entered so far and leaving all proles unmodied.

Finish

Close logprof, saving all rule changes entered so far and modifying all proles.

Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor prole.

NOTE

The number of learning mode entries corresponds to the complexity of the application.

Repeat the previous steps if you need to execute more functionality of your application.

When you are done, click Finish. In the following pop-up, click Yes to exit the Prole Creation Wizard. The prole is saved and loaded into the Novell AppArmor module.

3.3.6 Managing Novell AppArmor and Security Event Status

Novell AppArmor enables you to change the status of Novell AppArmor and congure event notication.

Changing Novell AppArmor Status

You can change the status of Novell AppArmor by enabling or disabling it. Enabling Novell AppArmor protects your system from potential program exploitation. Disabling Novell AppArmor, even if your proles have been set up, removes protection from your system.

Conguring Event Notication

You can determine how and when you are notied when system security events occur.

NOTE

You must set up a mail server on your SUSE Linux server that can send outgoing mail using the single mail transfer protocol (smtp). For example, postx or exim, in order for event notication to work.

To either congure event notication or change the status of Novell AppArmor, perform the following steps:

When you click Novell AppArmor Control Panel, the Novell AppArmor Congu-

ration window appears as shown below:

Building Novell AppArmor Proles 47

From the AppArmor Conguration screen, determine whether Novell AppArmor

and security event notication are running by looking for a status message that reads enabled.

• To change the status of Novell AppArmor, continue as described in Section

“Changing Novell AppArmor Status” (page 48).

• To congure security event notication, continue as described in Sec-

tion 4.2.2, “Conguring Security Event Notication” (page 79).

Changing Novell AppArmor Status

When you change the status of Novell AppArmor, you set it to enable or disable. When Novell AppArmor is enabled, it is installed, running and enforcing the Novell AppArmor security policies.

To enable Novell AppArmor, open YaST → Novell AppArmor. The Novell

AppArmor main menu opens.

In the Novell AppArmor main menu, click AppArmor Control Panel. The App-

Armor Conguration window appears.

In the Enable Novell AppArmor section of the window, click Congure. The

Enable Novell AppArmor dialog box opens.

Enable Novell AppArmor by selecting Enable or disable Novell AppArmor by

selecting Disable. Then click OK.

Click Done in the AppArmor Conguration window.

Click File → Quit in the YaST Control Center.

3.4 Building Novell AppArmor Proles Using the Command Line Interface

Novell AppArmor provides the ability to use a command line interface rather than the GUI to manage and congure your system security.

Building Novell AppArmor Proles 49

3.4.1 Checking the SubDomain Module Status

The SubDomain module can be in any one of three states:

Unloaded

The SubDomain module is not loaded into the kernel.

Running

The SubDomain module is loaded into the kernel and is enforcing Novell AppArmor program policies.

Stopped

The SubDomain module is loaded into the kernel, but there are no policies being enforced.

You can detect which of the three states that the SubDomain module is in by inspecting /subdomain/profiles. If cat /subdomain/profiles reports a list of proles, Novell AppArmor is running. If it is empty and returns nothing, SubDomain is stopped. If the le does not exist, SubDomain is unloaded.

The SubDomain module can be loaded and unloaded with the standard Linux module commands such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended. Instead, it is recommended to manage Novell AppArmor through the script rcsubdomain, which can perform the following operations:

rcsubdomain start

Has different behaviors depending on the SubDomain module state. If it was unloaded, start loads the module and starts it, putting it in the running state. If it was stopped, then start causes the module to rescan the Novell AppArmor proles usually found in /etc/subdomain.d and puts the module in the running state. If the module was already running, start reports a warning and takes no action.

rcsubdomain stop

Stops SubDomain module (if it was running) by removing all proles from kernel memory, effectively disabling all access controls, putting the module into the stopped state. If the SubDomain module was either unloaded or already stopped,

stop tries to unload the proles again, but nothing happens.

rcsubdomain restart

Causes SubDomain module to rescan the proles usually found in /etc/ subdomain.d without unconning running processes, adding new proles, and removing any proles that had been deleted from /etc/subdomain.d.

rcsubdomain kill

Unconditionally removes the SubDomain module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might have to be removed.

NOTE

Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from rescue media (such as CD 1 of SUSE Linux) to regain control.

To prevent such a problem, always ensure that you have a running, unconned, root login on the machine being congured when you restart the SubDomain module. If you damage your system to the point where logins are no longer possible (for example, by breaking the prole associated with the SSH daemon), you can repair the damage using your running root prompt and restarting the SubDomain module.

3.4.2 Building Novell AppArmor Proles

The SubDomain module prole denitions are stored in the directory /etc/ subdomain.d/ as plain text les.

WARNING

All les in the /etc/subdomain.d/ directory are interpreted as proles and are loaded as such. Renaming les in that directory is not an effective way of preventing proles from being loaded. You must remove proles from this directory to manage them effectively.

Building Novell AppArmor Proles 51

You can use a text editor, such as vim, to access and make changes to these proles. The following options contain detailed steps for building proles:

Adding or Creating Novell AppArmor Proles

Refer to Section 3.4.3, “Adding or Creating a Novell AppArmor Prole” (page 52)

Editing Novell AppArmor Proles

Refer to Section 3.4.4, “Editing a Novell AppArmor Prole” (page 53)

Deleting Novell AppArmor Proles

Refer to Section 3.4.5, “Deleting a Novell AppArmor Prole” (page 53)

Use vim to view and edit your prole by typing vim at a terminal window. To enable syntax coloring when you edit a Novell AppArmor prole in vim, use the commands :syntax on then :set syntax=subdomain. For more information about vim and syntax coloring, refer to Section “Subdomain.vim” (page 71).

NOTE

After making changes to a prole, use the rcsubdomain restart command, described in the previous section. This command causes the Novell AppArmor to reread the proles. For a detailed description of the syntax of these les, refer to Chapter 3, Building Novell AppArmor Proles (page 21).

3.4.3 Adding or Creating a Novell AppArmor Prole

To add or ceate a Novell AppArmor prole for an application, you can use a systemic or stand-alone proling method, depending on your needs.

Stand-Alone Proling

Suitable for proling small applications that have a nite run time, such as user client applications like mail clients. Refer to Section 3.5.1, “Stand-Alone Proling” (page 54).

Systemic Proling

Suitable for proling large numbers of programs all at once and for proling applications that might run for days, weeks, or continuously across reboots, such as

network server applications like Web servers and mail servers. Section 3.5.2,

“Systemic Proling” (page 55).

3.4.4 Editing a Novell AppArmor Prole

The following steps describe the procedure for editing a Novell AppArmor prole. To better understand what makes up a prole, refer to Section 3.1, “Prole Components

and Syntax” (page 21).

If you are not currently signed in as root, type su in a terminal window.

Enter the root password when prompted.

To go to the directory, enter cd /etc/subdomain.d/.

Enter ls to view all proles currently installed.

Open the prole to edit in a text editor, such as vim.

Make the necessary changes, then save the prole.

Restart Novell AppArmor by entering rcsubdomain restart in a terminal

window.

3.4.5 Deleting a Novell AppArmor Prole

The following steps describe the procedure for deleting a Novell AppArmor prole.

If you are not currently signed in as root, enter su in a terminal window.

Enter the root password when prompted.

To go to the Novell AppArmor directory, enter cd /etc/subdomain.d/.

Enter ls to view all the Novell AppArmor proles that are currently installed.

Delete the prole exiting prole with rm profilename.

Building Novell AppArmor Proles 53

Restart Novell AppArmor by entering rcsubdomain restart in a terminal

window.

3.5 Two Methods of Proling

Given the syntax for Novell AppArmor proles in Section 3.1, “Prole Components

and Syntax” (page 21), you could create proles without using the tools. However, the

effort involved would be substantial. To avoid such a hassle, use the Novell AppArmor tools to automate the creation and renement of proles.

There are two ways to approach creating Novell AppArmor proles, along with tools to support both methods.

Stand-Alone Proling

A method suitable for proling small applications that have a nite run time, such as user client applications like mail clients. For more information, refer to Sec-

tion 3.5.1, “Stand-Alone Proling” (page 54).

Systemic Proling

A method suitable for proling large numbers of programs all at once and for proling applications that may run for days, weeks, or continuously across reboots, such as network server applications like Web servers and mail servers. For more information, refer to Section 3.5.2, “Systemic Proling” (page 55).

Automated prole development becomes more manageablewith the Novell AppArmor tools:

Decide which proling method suits your needs.

Perform a static analysis. Run either genprof or autodep, depending on the pro-

ling method you have chosen.

Enable dynamic learning. Activate learning mode for all proled programs.

3.5.1 Stand-Alone Proling

Stand-alone prole generation and improvement is managed by a program called genprof. This method is easy because genprof takes care of everything, but is limited because

it requires genprof to run for the entire duration of the test run of your program (you cannot reboot the machine while you are still developing your prole).

To use genprof for the stand-alone method of proling, refer to Section “genprof” (page 60).

3.5.2 Systemic Proling

This method is called systemic proling because it updates all of the proles on the system at once, rather than focusing on the one or few being targeted by genprof or standalone proling.

With systemic proling, building and improving proles are somewhat less automated, but more exible. This method is suitable for proling long-running applications whose behavior continues after rebooting or a large numbers of programs to prole all at once.

Build a Novell AppArmor prole for a group of applications as follows:

Create proles for the individual programs that make up your application.

Even though this approach is systemic, Novell AppArmor still only monitors those programs with proles and their children. Thus, to get Novell AppArmor to consider a program, you must at least have autodep create an approximate prole for it. To create this approximate prole, refer to Section “autodep” (page 57).

Put relevant proles into learning or complain mode. Activate learning

or complain mode for all proled programs by entering complain /etc/subdomain.d/* in a terminal window while logged in as root.

When in learning mode, access requests are not blocked even if the prole dictates that they should be. This enables you to run through several tests (as shown in

Step 3 (page 55)) and learn the access needs of the program so it runs properly.

With this information, you can decide how secure to make the prole.

Refer to Section “Complain or Learning Mode” (page 58) for more detailed instructions for using learning or complain mode.

Exercise your application. Run your application and exercise its functional-

ity. How much to exercise the program is up to you, but you need the program to access each le representing its access needs. Because the execution is not

Building Novell AppArmor Proles 55

being supervised by genprof, this step can go on for days or weeks and can span complete system reboots.

Analyze the log. In systemic proling, run logprof directly instead of letting

genprof run it (as in stand-alone proling). The general form of logprof is:

logprof [ -d /path/to/profiles ] [ -f /path/to/logfile ]

Refer to Section “logprof” (page 65) for more information about using logprof.

Repeat Steps 3-4. This generates optimum proles. An iterative approach

captures smaller data sets that can be trained and reloaded into the policy engine. Subsequent iterations generate fewer messages and run faster.

Edit the proles. You might want to review the proles that have been gen-

erated. You can open and edit the proles in /etc/subdomain.d/ using vim. For help using vim to its fullest capacity, refer to Section “Subdomain.vim” (page 71).

Return to “enforce” mode. This is when the system goes back to enforcing

the rules of the proles, not just logging information. This can be done manually by removing the flags=(complain) text from the proles or automatically by using the enforce command, which works identically to the complain command, but sets the proles to enforce mode.

To ensure that all proles are taken out of complain mode and put into enforce mode, enter enforce /etc/subdomain.d/*.

Rescan all proles. To have Novell AppArmor rescan all of the proles and

change the enforcement mode in the kernel, enter /etc/init.d/subdomain restart.

3.5.3 Summary of Proling Tools

All of the Novell AppArmor proling utilities are provided by the subdomain-utils RPM package and most are stored in /usr/sbin. The following sections introduce each tool.

autodep

This creates an approximate prole for the program or application you are autodepping. You can generate approximate proles for binary executables and interpreted script programs. The resulting prole is called “approximate” because it does not necessarily contain all of the prole entries that the program needs to be properly conned by Novell AppArmor. The minimum autodep approximate prole has at least a base include directive, which contains basic prole entries needed by most programs. For certain types of programs, autodep generates a more expanded prole. The prole is generated by recursively calling ldd(1) on the executables listed on the command line.

To generate an approximate prole, use the autodep program. The program argument can be either the simple name of the program, which autodep nds by searching your shell's path variable, or it can be a fully qualied path. The program itself can be of any type (ELF binary, shell script, Perl script, etc.) and autodep generates an approximate prole, to be improved through the dynamic proling that follows.

The resulting approximate prole is written to the /etc/subdomain.d directory using the Novell AppArmor prole naming convention of naming the prole after the absolute path of the program, replacing the forward slash (/) characters in the path with period (.) characters. The general form of autodep is to enter the following in a terminal window when logged in as root:

autodep [ -d /path/to/profiles ] [program1 program2...]

If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/subdomain.d.

To begin proling, you must create proles for each main executable service that is part of your application (anything that might start without being a child of another program that already has a prole). Finding all such programs depends on the application in question. Here are several strategies for nding such programs:

Directories

If all of the programs you want to prole are in a directory and there are no other programs in that directory, the simple command autodep /path/to/your/programs/* creates nominal proles for all programs in that directory.

Building Novell AppArmor Proles 57

ps command

You can run your application and use the standard Linux ps command to nd all processes running. You then need to manually hunt down the location of these programs and run the autodep program for each one. If the programs are in your path, autodep nds them for you. If they are not in your path, the standard Linux command locate might be helpful in nding your programs. If locate does not work (it is not installed by default on SUSE Linux), use find . -name '*foo*' -print.

Complain or Learning Mode

The complain or learning mode tool detects violations of Novell AppArmor prole rules, such as the proled program accessing les not permitted by the prole. The violations are permitted, but also logged. To improve the prole, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs then postprocess the log with the Novell AppArmor tools to transform log events into improved proles.

Manually activating the complain mode (using the command line) adds a ag to the top of the prole so that /bin/foo becomes /bin/foo flags=(complain). To use complain mode, open a terminal window and enter one of the following lines as a root user.

• If the example program (program1) is in your path, use:

complain [program1 program2 ...]

• If the program is not in your path, specify the entire path as follows:

complain /sbin/program1

• If the proles are not in /etc/subdomain.d, type the following to override the default location:

complain /path/to/profiles/ program1

• Specify the prole for program1, as follows:

complain /etc/subdomain.d/sbin.program1

Each of the above commands activates the complain mode for the proles/programs listed. The command can list either programs or proles. If the program name does not include its entire path, then complain searches $PATH for the program. So, for instance,

complain /usr/sbin/* nds proles associated with all of the programs in /usr/sbin and put them into complain mode, and complain /etc/subdomain.d/* puts all of the proles in /etc/subdomain.d into

complain mode.

Enforce Mode

The enforce mode tool detects violations of Novell AppArmor prole rules, such as the proled program accessing les not permitted by the prole. The violations are logged and not permitted. The default is for enforce mode to be turned on. Turn complain mode on when you want the Novell AppArmor proles to control the access of the program that is proled. Enforce toggles with complain mode.

Manually activating enforce mode (using the command line) adds a ag to the top of the prole so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as a root user.

• If the example program (program1) is in your path, use:

enforce [program1 program2 ...]

• If the program is not in your path, specify the entire path, as follows:

enforce /sbin/program1

• If the proles are not in /etc/subdomain.d, use the following to override the default location:

enforce /path/to/profiles/program1

• Specify the prole for program1, as follows:

enforce /etc/subdomain.d/sbin.program1

Each of the above commands activates the enforce mode for the proles and programs listed.

Building Novell AppArmor Proles 59

If you do not enter the program or prole names, you are prompted to enter one. /path/to/profiles overrides the default location of /etc/subdomain.d.

The argument can be either a list of programs or a list of proles. If the program name does not include its entire path, enforce searches $PATH for the program. For instance,

enforce /usr/sbin/* nds proles associated with all of the programs in /usr/ sbin and puts them into enforce mode. enforce /etc/subdomain.d/* puts all of the proles in /etc/subdomain.d into enforce mode.

genprof

genprof (or Generate Prole) is Novell AppArmor's prole generating utility. It runs autodep on the specied program, creating an approximate prole (if a prole does not already exist for it), sets it to complain mode, reloads it into Novell AppArmor, marks the syslog, and prompts the user to execute the program and exercise its functionality. Its syntax is as follows:

genprof [ -d /path/to/profiles ]program

If you were to create a prole for the the Apache Web server program httpd2-prefork, you would do the following in a root shell:

Enter rcapache2 stop.

Next, enter genprof httpd2-prefork.

Now genprof does the following:

• Resolves the full path of httpd2-prefork based on your shell's path variables. You can also specify a full path. On SUSE Linux, the full path is /usr/ sbin/httpd2-prefork.

• Checks to see if there is an existing prole for httpd2-prefork. If there is one, it updates it. If not, it creates one using the autodep program described in

Section 3.5.3, “Summary of Proling Tools” (page 56).

NOTE

There is a naming convention relating the full path of a program to its prole lename so that the various Novell AppArmor proling

tools can consistently manipulate them. The convention is to replace a forward slash (/) with period (.) so that the prole for /usr/

sbin/httpd2-prefork is stored in /etc/subdomain.d/usr .sbin.httpd2-prefork.

• Puts the prole for this program into learning or complain mode so that prole violations are logged but are permitted to proceed. A log event looks like this:

Oct 9 15:40:31 SubDomain: PERMITTING r access to /etc/apache2/httpd.conf (httpd2-prefork(6068) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)

• Marks syslog with a beginning marker of log events to consider. Example:

Sep 13 17:48:52 h2o root: GenProf: e2ff78636296f16d0b5301209a04430d

When prompted by the tool, run the application to prole in another terminal

window and perform as many of the application functions as possible so learning mode can log the les and directories to which the program requires access in order to function properly. For example, in a new terminal window, enter rcapache2 start.

Select from the following options, which can be used after you have executed

the program functionality:

• S runs logprof against the system log from where it was marked when genprof was started and reloads the prole.

If system events exist in the log, Novell AppArmor parses the learning mode log les. This generates a series of questions that you must answer to guide genprof in generating the security prole.

• F exits the tool and returns to the main menu.

NOTE

If requests to add hats appear, proceed to Chapter 5, Proling Your Web

Applications Using ChangeHat Apache (page 105).

Building Novell AppArmor Proles 61

Answer two types of questions:

• A resource is requested by a proled program that is not in the prole (see

Example 3.1, “Learning Mode Exception: Controlling Access to Specic Resources” (page 62)).

• A program is executed by the proled program and the security domain transition has not been dened (see Example 3.2, “Learning Mode Exception:

Dening Execute Permissions for an Entry” (page 63)).

Each of these categories results in a series of questions that you must answer to add the resource to the prole or to add the program into the prole. The following two gures show an example of each one. Subsequent steps describe your options in answering these questions.

Example 3.1

Reading log entries from /var/log/messages. Updating subdomain profiles in /etc/subdomain.d.

Profile: /usr/sbin/xinetd Execute: /usr/sbin/vsftpd

[(I)nherit] / (P)rofile / (U)nconfined / (D)eny / Abo(r)t / (F)inish)

Learning Mode Exception: Controlling Access to Specic Resources

Dealing with execute accesses is complex. You must decide which of the three kinds of execute permissions to grant the program:

inherit (ix)

The child inherits the parent's prole, running with the same access controls as the parent. This mode is useful when a conned program needs to call another conned program without gaining the permissions of the target's prole or losing the permissions of the current prole. This mode is often used when the child program is a helper application, such as the /usr/bin/mail client using the less program as a pager or the Mozilla Web browser using the Acrobat program to display PDF les.

prole (px)

The child runs using its own prole, which must be loaded into the kernel. If the prole is not present, attempts to execute the child fails with permission denied. This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail via your system's MTA.

unconned (ux)

The child runs completely unconned without any Novell AppArmor prole being applied to the executed resource.

Example 3.2

Adding /bin/ps ix to profile.

Profile: /usr/sbin/xinetd Path: /etc/hosts.allow New Mode: r

[1 - /etc/hosts.allow]

[(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Learning Mode Exception: Dening Execute Permissions for an Entry

The above menu shows Novell AppArmor suggesting directory path entries that have been accessed by the application you are proling. It might also require you to dene execute permissions for entries.

Novell AppArmor provides one or more pathnames or includes. By clicking the option number, select from one or more of the following options, then proceed to the next step.

NOTE

All of these options are not always presented in the Novell AppArmor menu.

#include

This is the section of a Novell AppArmor prole that refers to an include le, which procures access permissions for programs. By using an include, you can give the program access to directory paths or les that are also required by other programs. Using includes can reduce the size of a prole. It is good practice to select includes when suggested.

Globbed Version

This is accessed by clicking Glob as described in the next step. For information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing” (page 73).

Building Novell AppArmor Proles 63

Actual Path Name

This is the literal path to which the program needs access so that it can run properly.

After you select the pathname or include, you can process it as an entry into the

Novell AppArmor prole by clicking Allow or Deny. If you are not satised with the directory path entry as it is displayed, you can also Glob or Edit it.

The following options are available to process the learning mode entries and to build the prole:

Press Enter

Allows access to the selected directory path.

Allow

Allows access to the specied directory path entries. Novell AppArmor suggests le permission access. For more information, refer to Section 3.7,

“File Permission Access Modes” (page 74)

Deny

Prevents the program from accessing the specied directory path entries. Novell AppArmor then moves on to the next event.

New

Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression you enter does not actually satisfy the event that prompted the question in the rst place, Novell AppArmor asks you for conrmation and lets you reenter the expression.

Glob

For more information on globbing syntax, refer to Section 3.6, “Pathnames

and Globbing” (page 73).

Glob w/Ext

Clicking this modies the original directory path while retaining the lename extension. For example, /etc/apache2/file.ext becomes /etc/

apache2/*.ext, adding the wild card (asterisk) in place of the lename. This allows the program to access all les in the suggested directory that end with the .ext extension. Double-clicking it grants access to all les (with the particular extension) and subdirectories beneath the one shown.

Edit

Lets you edit the selected line. The new edited line appears at the bottom of the list.

Abort

Aborts logprof, dumping all rule changes entered so far and leaving all proles unmodied.

Finish

Closes logprof, saving all rule changes entered so far and modifying all proles.

To view and edit your prole using vim, enter vim

/etc/subdomain.d/profilename in a terminal window. To enablesyntax coloring when you edit a Novell AppArmor prole in vim, use the commands :syntax on then :set syntax=subdomain. For more information about about vim and syntax coloring, refer to Section “Subdomain.vim” (page 71).

logprof

logprof is an interactive tool used to review the learning or complain mode output found in the syslog entries then generate new entries in Novell AppArmor security proles.

When you run logprof, it begins to scan the log les produced in learning or complain mode and, if there are new security events that are not covered by the existing prole set, it gives suggestions for modifying the prole. The learning or complain mode traces program behavior and enters it in syslog. logprof uses this information to observe program behavior.

If a conned program forks and execs another program, logprof sees this and asks the user which execution mode should be used when launching the child process. The following execution modes are options for starting the child process: ix, px, and ux. If a separate prole exists for the child process, the default selection is px. If one does not exist, the prole defaults to ix. Child processes with separate proles have autodep run on them and are loaded into Novell AppArmor, if it is running.

Building Novell AppArmor Proles 65

When logprof exits, proles are updated with the changes. If the SubDomain module is running, the updated proles are reloaded and if any processes that generated security events are still running in the null-complain-prole, those processes are set to run under their proper proles.

To run logprof, enter logprof into a terminal window while logged in as root. The following options can also be used for logprof:

logprof -d /path/to/profile/directory/

Species the full path to the location of the proles if the proles are not located in the standard directory, /etc/subdomain.d/.

logprof -f /path/to/logfile/

Species the full path to the location of the log le if the log le is not located in the default directory, /var/log/messages.

logprof -m "string marker in logfile"

Marks the starting point for logprof to look in the system log. logprof ignores all events in the system log before the specied mark is seen. If the mark contains spaces, it must be surrounded with quotes to work correctly. Example: logprof

-m e2ff78636296f16d0b5301209a04430d

logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list.

By default, logprof looks for proles in /etc/subdomain.d/ and scans the log in /var/log/messages so, in many cases, running logprof as root is enough to

create the prole.

However, there might times when you need to search archived log les, such as if the program exercise period exceeds the log rotation window (when the log le is archived and a new log le is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | logprof -f -.

logprof Example 1

Following is an example of how logprof addresses httpd2-prefork accessing the le /etc/group. The example uses [] to indicate the default option.

In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which pulls in a predened set of Novell AppArmor rules. Selecting 1 to #include the name service package resolves all of the future questions pertaining to DNS lookups and also makes the prole less brittle in that any changes to DNS conguration and the associated nameservice prole package can be made just once, rather than needing to revise many proles.

Profile: /usr/sbin/httpd2-prefork Path: /etc/group New Mode: r

[1 - #include <abstractions/nameservice>] 2 - /etc/group [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Select one of the following responses:

Press Enter

Allows access to the selected directory path.

Allow

Allows access to the specied directory path entries. Novell AppArmor suggests le permission access. For more information about this, refer to Section 3.7, “File

Permission Access Modes” (page 74).

Deny

Prevents the program from accessing the specied directory path entries. Novell AppArmor then moves on to the next event.

New

Glob

For more information about globbing syntax, refer to Section 3.6, “Pathnames and

Globbing” (page 73).

Building Novell AppArmor Proles 67

Glob w/Ext

Clicking this modies the original directory path while retaining the lename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/ *.ext, adding the wild card (asterisk) in place of the lename. This allows the program to access all les in the suggested directory that end with the .ext extension. Double-clicking it grants access to all les (with the particular extension) and subdirectories beneath the one shown.

Edit

Lets you edit the selected line. The new edited line appears at the bottom of the list.

Abort

Aborts logprof, dumping all rule changes entered so far and leaving all proles unmodied.

Finish

Closes logprof, saving all rule changes entered so far and modifying all proles.

logprof Example 2

In an example from proling vsftpd, we see this question:

Profile: /usr/sbin/vsftpd Path: /y2k.jpg New Mode: r

[1 - /y2k.jpg]

(A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftpd on SUSE Linux serves FTP les from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, Novell AppArmor sees le accesses in terms of the chroot environment rather than the global absolute path.

The second item of interest is that you might want to grant FTP read access to all of the JPEG les in the directory, so you could use Glob w/Ext and use the suggested path of /*.jpg. Doing so collapses all previous rules granting access to individual .jpg les and forestalls any future questions pertaining to access to .jpg les.

Finally, you might want to grant more general access to FTP les. If you select Glob in the last entry, logprof replaces the suggested path of /y2k.jpg with /*. Or you might want to grant even more access to the entire directory tree, in which case you could use the New path option and enter /**.jpg (which would grant access to all .jpg les in the entire directory tree) or /** (which would grant access to all les in the directory tree).

The above deal with read accesses. Write accesses are similar, except that it is good policy to be more conservative in your use of regular expressions for write accesses.

Dealing with execute accesses is more complex. You must decide which of the three kinds of execute permissions to grant:

Inherit (ix)

prole (px)

unconned (ux)

The child runs completely unconned without any Novell AppArmor prole applied to the executed resource.

In the following example, the /usr/bin/mail mail client is being proled and logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper application to “page” long mail messages. Consequently, it presents this prompt:

/usr/bin/nail -> /usr/bin/less (I)nherit / (P)rofile / (U)nconstrained / (D)eny

Building Novell AppArmor Proles 69

TIP

The actual executable le for /usr/bin/mail turns out to be /usr/bin/ nail, which is not a typographical error.

The program /usr/bin/less appears to be a simple one for scrolling through text that is more than one screen long and that is in fact what /usr/bin/mail is using it for. However, less is actually a large and powerful program that makes use of many other helper applications, such as tar and rpm.

TIP

Run less on a tar ball or an RPM le and it shows you the inventory of these containers.

You do not want to automatically run rpm when reading mail messages (that leads directly to a Microsoft* Outlook–style virus attacks, because rpm has the power to install and modify system programs) and so, in this case, the best choice is to use Inherit. This results in the less program executed from this context running under the prole for /usr/bin/mail. This has two consequences:

• You need to add all of the basic le accesses for /usr/bin/less to the prole for /usr/bin/mail.

• You can avoid adding the helper applications, such as tar and rpm, to the /usr/ bin/mail prole so that when /usr/bin/mail runs /usr/bin/mail/ less in this context, the less program is far less dangerous than it would be without

Novell AppArmor protection.

In other circumstances, you might instead want to use the Prole option. This has two effects on logprof:

• The rule written into the prole is px, which forces the transition to the child's own prole.

• logprof constructs a prole for the child and starts building it, in the same way that it built the parent prole, by ascribing events for the child process to the child's prole and asking the logprof user questions as above.

Finally, you might want to grant the child process very powerful access by specifying Unconned. This writes ux into the parent prole so that when the child runs, it runs without any Novell AppArmor prole being applied at all. This means running with no protection and should only be used when absolutely required.

Subdomain.vim

A syntax coloring le for the vim text editor highlights various features of an Novell AppArmor prole with colors. Using vim and the Novell AppArmor syntax mode for vim, you can see the semantic implications of your proles with color highlighting. Use vim to view and edit your prole by typing vim at a terminal window.

To enable the syntax coloring when you edit a Novell AppArmor prole in vim, use the commands :syntax on then :set syntax=subdomain. Alternatively, you can place these lines in your ~/.vimrc le:

syntax on set modeline set modelines=5

When you enable this feature, vim colors the lines of the prole for you:

Blue

#include lines that pull in other Novell AppArmor rules and comments that begin with #

White

Ordinary read access lines

Brown

Capability statements and complain ags

Yellow

Lines that grant write access

Green

Lines that grant execute permission (either ix or px)

Red

Lines that grant unconned access (ux)

Building Novell AppArmor Proles 71

Red background

Syntax errors that are not loading properly into the SubDomain modules

NOTE

There is a security risk when using these lines in your .vimrc le, because it causes vim to trust the syntax mode presented in les you are editing. It might enable an attacker to send you a le to open with vim that might do something unsafe.

Use the subdomain.vim and vim man pages and the :help syntax from within the vim editor for further vim help about syntax highlighting. The Novell AppArmor syntax is stored in /usr/share/vim/current/syntax/subdomain.vim.

Unconned

The unconfined command examines open network ports on your system, compares that to the set of proles loaded on your system, and reports network services that do not have Novell AppArmor proles. It requires root privilege and that it not be conned by a Novell AppArmor prole.

unconned must be run as root to retrieve the process executable link from the proc le system. This program is susceptible to the following race conditions:

• An unlinked executable is mishandled

• An executable started before a Novell AppArmor prole is loaded does not appear in the output, despite running without connement

• A process that dies between netstat(8) and further checks is mishandled

NOTE

This program lists processes using TCP and UDP only. In short, this program is unsuitable for forensics use and is provided only as an aid to proling all network-accessible processes in the lab.

For more information about the science and security of Novell AppArmor, refer to the following papers:

SubDomain: Parsimonious Server Security by Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle, and Virgil Gligor

Describes the initial design and implementation of Novell AppArmor. Published in the proceedings of the USENIX LISA Conference, December 2000, New Orleans, LA.

This paper is now out of date, describing syntax and features that are different from the current Novell AppArmor product. This paper should be used only for scientic background and not for technical documentation.

Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack by Crispin Cowan, Seth Arnold, Steve Beattie, Chris Wright, and John Viega

A good guide to strategic and tactical use of Novell AppArmor to solve severe security problems in a very short period of time. Published in the Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX III), April 2003, Washington, DC.

3.6 Pathnames and Globbing

Globbing (or regular expression matching) is when you modify the directory path using wild cards to include a group of les or subdirectories. File resources can be specied with a globbing syntax similar to that used by popular shells, such as csh, bash, and zsh.

Substitutes for any number of characters, except /.

Example: An arbitrary number of path elements, including entire directories.

Substitutes for any number of characters, including /.

Example: an arbitrary number of path elements, including entire directories.

Substitutes for any single character, except /.?

Building Novell AppArmor Proles 73

Substitutes for the single character a, b, or c[abc]

Example: a rule that matches /home[01]/*/.plan allows a program to access .plan les for users in both /home0 and /home1.

Substitutes for the single character a, b, or c.[a-c]

{ab,cd}

Expand to one rule to match ab and one rule to match cd.

Example: A rule that matches /{usr,www}/pages/** to grant access to Web pages in both /usr/pages and /www/ pages.

3.7 File Permission Access Modes

File permission access modes consist of combinations of the following six modes:

read moder

write modew

discrete prole execute modepx

unconstrained execute modeux

inherit execute modeix

link model

3.7.1 Read Mode

Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace(2) (ptrace(2) is used by utilities such as strace(1), ltrace(1), and gdb(1)).

3.7.2 Write Mode

Allows the program to have write access to the resource. Files must have this permission if they are to be unlinked (removed).

3.7.3 Discrete Prole Execute Mode

This mode requires that a discrete security prole is dened for a resource executed at a Novell AppArmor domain transition. If there is no prole dened, the access is denied. Incompatible with inherit and unconstrained execute entries.

3.7.4 Unconstrained Execute Mode

Allows the program to execute the resource without any Novell AppArmor prole being applied to the executed resource. Requires listing execute mode as well. Incompatible with inherit and discrete prole execute entries.

This mode is useful when a conned program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all conned processes. For more information about what is constrained, see the subdomain(7) man page.

3.7.5 Inherit Execute Mode

Prevents the normal Novell AppArmor domain transition on execve(2) when the proled program executes the resource. Instead, the executed resource inherits the current prole. Incompatible with unconstrained and discrete prole execute entries.

Building Novell AppArmor Proles 75

This mode is useful when a conned program needs to call another conned program without gaining the permissions of the target’s prole or losing the permissions of the current prole. This mode is infrequently used.

3.7.6 Link Mode

The link mode mediates access to symlinks and hardlinks and the privilege to unlink (or delete) les. When a link is created, the le that is linked to must have the same access permissions as the link created (with the exception that the destination does not have to have link access).

Managing Proled Applications

After creating proles and immunizing your applications, SUSE Linux becomes more efcient and better protected if you perform Novell AppArmor prole maintenance, which involves tracking common issues and concerns. You can deal with common issues and concerns before they become a problem by setting up event notication by e-mail, running periodic reports, updating proles from system log entries (which is essentially running the logprof tool through YaST), and dealing with maintenance issues. Instructions for performing each of these tasks are available:

• Section 4.1, “Monitoring Your Secured Applications” (page 77)

• Section 4.5, “Maintaining Your Security Proles” (page 103).

4.1 Monitoring Your Secured Applications

Applications that are conned by Novell AppArmor security proles generate messages when applications execute in unexpected ways or outside of their specied prole. These messages can be monitored by event notication, generating periodic reports, or integration into a third-party reporting mechanism. The following sections provide details for using these features and nding additional resources.

• Section 4.2, “Setting Up Event Notication” (page 78)

• Section 4.3, “Reports” (page 81)

Managing Proled Applications 77

• Section 4.4, “Reacting to Security Events” (page 102)

4.2 Setting Up Event Notication

Security event notication is an Novell AppArmor feature that informs a specied email recipient when systemic Novell AppArmor activity occurs. This feature is currently available via YaST.

When you enter an e-mail address, you are notied via e-mail when Novell AppArmor security events occur. You can enable three types of notications, which are:

Terse

Terse notication summarizes the total number of system events without providing details. For example:

dhcp-101.up.wirex.com has had 10 security events since Tue Oct 12 11:10:00 2004

Summary Notication

The summary notication displays the logged Novell AppArmor security events and lists the number of individual occurrences, including the date of the last occurrence. For example:

SubDomain: PERMITTING access to capability ’setgid’ (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct 9 16:05:54 2004.

Verbose Notication

The verbose notication displays unmodied, logged Novell AppArmor security events. It tells you every time an event occurs and writes a new line in the verbose log. These security events include the date and time the event occurred, when the application prole permits and rejects access, and the type of le permission access that is permitted or rejected. Verbose notication also reports several messages that the logprof tool (see Section “logprof” (page 65)) uses to interpret proles. For example:

Oct 9 15:40:31 SubDomain: PERMITTING r access to /etc/apache2/httpd.conf (httpd2-prefork(6068) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)

NOTE

To congure event notication, refer to Section 4.2.2, “Conguring Security

Event Notication” (page 79). After conguring security event notication,

read the reports and determine whether events require follow up. Follow up may include the procedures outlined in Section 4.4.1, “Receiving a Security

Event Rejection” (page 102).

4.2.1 Severity Level Notication

You can set up Novell AppArmor to send you event messages for things that are in the severity database and above the level that you select.These are numbered one through ten, ten being the most severe security incident. The severity.db le denes the severity level of potential security events. The severity levels are determined by the importance of different security events, such as certain resources accessed or services denied.

4.2.2 Conguring Security Event

Notication

Security event notication is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs. When you select a notication frequency (receiving daily notication, for example), you activate the notication. You are required to enter an e-mail address, so you can be notied via e-mail when Novell AppArmor security events occur.

NOTE

You must set up a mail server on your SUSE Linux that can send outgoing mail using the SMTP protocol (for example, postx or exim) for event notication to work.

In the Enable Security Event Notication section of the AppArmor Conguration

window, click Congure.

Managing Proled Applications 79

In the Security Event Notication window, you have the option to enable Terse,

Summary, or Verbose event notication, which are dened in Section 4.2.1,

“Severity Level Notication” (page 79). To be sent a notication e-mail outlining

recent Novell AppArmor security events, determine your notication type preference.

In each applicable notication type section, enter the e-mail addresses of those

who should receive notication in the eld provided. If notication is enabled, you must enter an e-mail address. Otherwise you receive an error message. Separate multiple e-mail addresses with commas.

For each notication type that you would like enabled, select the frequency of

notication.

Select a notication frequency from the following options:

• Disabled

• 1 minute

• 5 minutes

• 10 minutes

• 15 minutes

• 30 minutes

• 1 hour

• 1 day

• 1 week

For each selected notication type, select the lowest severity level for which a

notication should be sent. Security events are logged and the notications are sent at the time indicated by the interval when events are equal to or greater than the selected severity level. If the interval is 1 day, the notication is sent daily, if security events occur. Refer to Section 4.2.1, “Severity Level Notication” (page 79) for more information about severity levels.

Click OK.

Click Done in the Novell AppArmor Conguration window.

Click File → Quit in the YaST Control Center.

4.3 Reports

Novell AppArmor's reporting feature adds exibility by enhancing the way users can view security event data. The reporting tool performs the following:

• Creates on-demand reports

• Exports reports

• Schedules periodic reports for archiving

• E-mails periodic reports

• Filters report data by date

• Filters report data by other options, such as program name

Managing Proled Applications 81

Using reports, you can read important Novell AppArmor security events reported in the log les without manually sifting through the cumbersome messages only useful to the logprof tool. You can narrow down the size of the report by ltering by date range or program name. You can also export an html or csv le.

The following are the three types of reports available in Novell AppArmor:

Executive Security Summary

A combined report, consisting of one or more security incident reports from one or more machines. This report can provide a single view of security events on multiple machines. For more details, refer to Section “Executive Security Summary” (page 91).

Application Audit Report

An auditing tool that reports which application servers are running and whether the applications are conned by AppArmor. Application servers are applications that accept incoming network connections. For more details, refer to Section “Ap-

plication Audit Report” (page 88).

Security Incident Report

A report that displays application security for a single host. It reports policy violations for locally conned applications during a specic time period. You can edit and customize this report or add new versions. For more details, refer to Section

“Security Incident Report” (page 89).

To use the Novell AppArmor reporting features, proceed with the following steps:

To run reports, open YaST → Novell AppArmor. The Novell AppArmor interface

opens.

In Novell AppArmor, click AppArmor Reports. The AppArmor Security Event

Reports window appears. From the Reports window, select an option and proceed to the section for instructions:

View Archive

Displays all reports that have been run and stored in /var/log/ apparmor/reports-archived/. Select the report you want to see in

Managing Proled Applications 83

detail and click View. For View Archive instructions, proceed to Section 4.3.1,

“Viewing Archived Reports” (page 84).

Run Now

Produces an instant version of the selected report type. If you select a security incident report, it can be further ltered in various ways. For Run Now instructions, proceed to Section 4.3.2, “Run Now: Running On-Demand

Reports” (page 93).

Add

Creates a scheduled security incident report. For Add instructions, proceed to Section 4.3.3, “Adding New Reports” (page 95).

Edit

Edits a scheduled security incident report.

Delete

Deletes a scheduled security incident report. All stock or canned reports cannot be deleted.

Back

Returns you to the Novell AppArmor main screen.

Abort

Returns you to the Novell AppArmor main screen.

Performs the same function as the Run Now button.

4.3.1 Viewing Archived Reports

View Reports enables you to specify the location of a cumulation of reports from one or more systems, including the ability to lter by date or names of programs accessed and display them all together in one report.

From the AppArmor Security Event Report window, select View Archive.

Select the report type to view. Toggle between the different types (SIR (Security

Incident Report), App Aud (Application Audit), and ESS (Executive Security Summary).

You can alter the directory location of the archived reports in Location of Archived

Reports. Select Accept to use the current directory or select Browse to nd a new report location. The default directory is /var/log/apparmor/ reports-archived/.

To view all the reports in the archive, select View All. To view a specic report,

select a report le listed in the Report eld, then select View.

For Application Audit and Executive Security Summary reports, proceed to Step

9 (page 87).

The Report Conguration Dialog opens for Security Incident reports.

Managing Proled Applications 85

The Report Conguration dialog enables you to lter the reports selected in the

previous screen. Enter the desired lter details. The elds are:

Date Range

To display reports for a certain time period, select Filter By Date Range. Enter the start and end dates that dene the scope of the report.

Program Name

When you enter a program name or pattern that matches the name of the binary executable of the program of interest, the report displays security events that have occurred for a specic program.

Prole Name

When you enter the name of the prole, the report displays the security events that are generated for the specied prole. You can use this to see what is being conned by a specic prole.

PID Number

PID Number is a number that uniquely identies one specic process or running program (this number is valid only during the lifetime of that process).

Severity Level

Select the lowest severity level for security events to include in the report. The selected severity level and above are then included in the reports.

Detail

A source to which the prole has denied access. This includes capabilities and les. You can use this eld to report the resources to which proles prevent access.

Access Type

The access type describes what is actually happening with the security event. The options are: PERMITTING, REJECTING, or AUDITING.

Mode

The Mode is the permission that the prole grants to the program or process to which it is applied. The options are: r (read) w (write) l (link) x (execute).

Export Type

Enables you to export a CSV (comma separated values) or HTML le. The CSV le separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. You can enter a pathname for your exported report by typing the full pathname in the eld provided.

Location to Store Log

Enables you to change the location that the exported report is store. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the le system.

To see the report, ltered as desired, select Next. One of the three reports displays.

Refer the following sections for detailed information about each type of report.

• For the application audit report, refer to Section “Application Audit Report” (page 88).

• For the security incident report, refer to Section “Security Incident Report” (page 89).

Managing Proled Applications 87

• For the executive summary report, refer to Section “Executive Security

Summary” (page 91).

Application Audit Report

An auditing tool that reports which application servers are running and whether they are conned by AppArmor. Application servers are applications that accept incoming network connections. This report provides the host machine’s IP address, the date the application audit report ran, the name and path of the unconned program or application server, the suggested prole or a placeholder for a prole for an unconned program, the process ID number, the state of the program (conned or unconned), and the type of connement that the prole is performing (enforce or complain).

The following screen represents an application audit report:

The following are denitions for the elds in the application audit report:

Host

The machine protected by AppArmor for which the security events are being reported.

Date

The date during which security events occurred.

Program

The name of the executing process.

Prole

The absolute name of the security prole that is applied to the process.

PID

Process ID number is a number that uniquely identies one specic process or running program (this number is valid only during the lifetime of that process).

State

This eld reveals whether the program listed in the program eld is conned. If it is not conned, you might consider creating a prole for it.

Type

This eld reveals the type of connement the security event represents. It says either complain or enforce. If the application is not conned (state), no type of connement is reported.

Security Incident Report

A report that displays security events of interest to an administrator. The SIR reports policy violations for locally conned applications during the specied time period. The SIR reports policy exceptions and policy engine state changes. These two types of security events are dened as follows:

Policy Exceptions

When an application requests a resource that is not dened within its prole, a security event is triggered. A report is generated that displays security events of interest to an administrator. The SIR reports policy violations for locally conned applications during the specied time period. The SIR reports policy exceptions and policy engine state changes.

Policy Engine State Changes

Enforces policy for applications and maintains its own state, including when engines start or stop, when a policy is reloaded, and when global security feature are enabled or disabled.

Managing Proled Applications 89

The following screen represents an SIR report:

The following are denitions for the elds in the SIR report:

Host

The machine protected by AppArmor for which the security events are being reported.

Date

The date during which security events occurred.

Program

The name of the executing process.

Prole

The absolute name of the security prole that is applied to the process.

PID

Process ID number is a number that uniquely identies one specic process or running program (this number is valid only during the lifetime of that process).

Severity

Severity levels of events are reported from the severity database. The severity database denes the importance of potential security events and numbers them one through ten, ten being the most severe security incident. The severity levels are determined by the threat or importance of different security events, such as certain resources accessed or services denied.

Mode

The mode is the permission that the prole grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

Detail

A source to which the prole has denied access.This includes capabilities and les. You can use this eld to report the resources to which the prole prevents access.

Access Type

The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Executive Security Summary

A combined report consisting of one or more high-level reports from one or more machines. This report can provide a single view of security events on multiple machines if each machine's data is copied to the reports archive directory, which is /var/log/ apparmor/reports-archived. This report provides the host machine's IP address, the start and end dates of the polled events, total number of rejects, total number of events, average of severity levels reported, and the highest severity level reported. One line of the ESS report represents a range of SIR reports.

The following screen represents an executive security summary:

Managing Proled Applications 91

The following are denitions for the elds in the executive security summary:

Host

The machine protected by AppArmor for which the security events are being reported.

Start Date

The rst date in a range of dates during which security events are reported.

End Date

The last date in a range of dates during which security events are reported.

Num of Rejects

In the date range given, the total number of security events that are rejected access attempts.

Num of Events

In the date range given, the total number of security events.

Avg Severity

This is the average of the severity levels reported in the date range given. Unknown severities are disregarded in this gure.

High Severity

This is the severity of the highest severity event reported in the date range given.

4.3.2 Run Now: Running On-Demand Reports

The Run Now report feature enables you to instantly extract report information from the Novell AppArmor event logs without waiting for scheduled events. Return to the beginning of this section if you need help navigating to the main report screen (see

Section 4.3, “Reports” (page 81)). Perform the following steps to run a report from the

list of reports:

Select the report to run instantly from the list of reports in the Schedule Reports

window.

Select Run Now or Next. The next screen depends on which report you selected

in the previous step. For Application Audit and Executive Security Summary reports, proceed to Step 6 (page 95).

The Report Conguration Dialog displays for security incident reports.

Managing Proled Applications 93

The Report Conguration Dialog enables you to lter the reports selected in the

previous screen. Enter the desired lter details. The following lter options are available:

Date Range

To limit reports to a certain time period, select Filter By Date Range. Enter the start and end dates that determine the scope of the report.

Program Name

When you enter a program name or pattern that matches the name of the binary executable for the program of interest, the report displays security events that have occurred for the specied program only.

Prole Name

PID Number

Process ID number is a number that uniquely identies one specic process or running program (this number is valid only during the lifetime of that process).

Severity Level

Select the lowest severity level for security events to include in the report. The selected severity level and above are included in the reports.

Detail

A source to which the prole has denied access. This includes capabilities and les. You can use this eld to report the resources to which proles prevent access.

Access Type

The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Mode

The mode is the permission that the prole grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

Export Type

Location to Store Log

Enables you to change the location that the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the le system.

To see the report, ltered as desired, select Next. One of the three reports displays.

Refer the following sections for detailed information about each type of report.

• For the application audit report, refer to Section “Application Audit Report” (page 88).

• For the recurity incident report, refer to Section “Security Incident Report” (page 89).

• For the executive summary report, refer to Section “Executive Security

Summary” (page 91).

4.3.3 Adding New Reports

Adding new reports enables you to create a scheduled security incident report that displays Novell AppArmor security events according to your preset lters. When a report is set up in Schedule Reports, it periodically launches a report of Novell AppArmor security events that have occurred on the system.

You can congure a daily, weekly, monthly, or hourly report to run for a specied period. You can set the report to display rejections for certain severity levels or to lter by program name, prole name, severity level, or denied resources. This report can be exported to an HTML (Hypertext Markup Language) or CSV (Comma Separated Values) le format.

Managing Proled Applications 95

NOTE

Return to the beginning of this section if you need help navigating to the main report screen (see Section 4.3, “Reports” (page 81)).

To add a new scheduled security incident report, proceed as follows:

Click Add to create a new security incident report. The rst page of Add Scheduled

SIR opens.

Fill in the elds with the following ltering information, as necessary:

Report Name

Specify the name of the report. Use names that easily discern one report from the next.

Day of Month

Select any day of the month to activate monthly ltering in reports. If you select All, monthly ltering is not performed.

Day of Week

Select the day of the week on which to schedule weekly reports, if desired. If you select ALL, weekly ltering is not performed. If monthly reporting is selected, this eld defaults to ALL.

Hour and Minute

Select the time. This species the hour and minute that you would like the reports to run. If you do not change the time, selected reports runs at midnight. If neither month nor day of week are selected, the report runs daily at the secied time.

E-Mail Target

You have the ability to send the scheduled security incident report via e-mail to up to three recipients. Just enter the e-mail addresses for those who require the security incident information.

Export Type

This option enables you to export a CSV (comma separated values) or HTML le. The CSV le separates pieces of data in the log entries with commas using a standard data format for importing into table-oriented applications. You can enter a pathname for your exported report by typing in the full pathname in the eld provided.

Location to Store Log

Click Next to proceed to the second page of Add Scheduled SIR.

Fill in the elds with the following ltering information, as necessary:

Managing Proled Applications 97

Program Name

You can specify a program name or pattern that matches the name of the binary executable for the program of interest. The report displays security events that have occurred for the specied program only.

Prole Name

You can specify the name of the prole for which the report should display security events. You can use this to see what is being conned by a specic prole.

PID Number

Process ID number is a number that uniquely identies one specic process or running program (this number is valid only during the lifetime of that process).

Detail

A source to which the prole has denied access. This includes capabilities and les. You can use this eld to create a report of resources to which proles prevent access.

Severity

Select the lowest severity level of security events to include in the report. The selected severity level and above are included in the reports.

Access Type

The access type describes what is actually happening with the security event. The options are PERMITTING, REJECTING, or AUDITING.

Mode

The mode is the permission that the prole grants to the program or process to which it is applied. The options are r (read), w (write), l (link), and x (execute).

Click Save to save this report. Novell AppArmor returns to the Scheduled Reports

main window where the newly scheduled report appears in the list of reports.

4.3.4 Editing Reports

From the AppArmor Reports screen, you can select and edit a report. The stock reports cannot be edited or deleted.

NOTE

Return to the beginning of this section if you need help navigating to the main report screen (see Section 4.3, “Reports” (page 81)).

Perform the following steps to run a report from the list of reports:

From the list of reports in the Schedule Reports window, select the report to edit.

Click Edit to edit the security incident report. The rst page of the Edit Scheduled

SIR displays.

Enter the following ltering information, as necessary:

Day of Month

Select any day of the month to activate monthly ltering in reports. If you select All, monthly ltering is not performed.

Day of Week

Select the day of the week on which to schedule the weekly reports. If you select All, weekly ltering is not performed. If monthly reporting is selected, this defaults to All.

Hour and Minute

Select the time. This species the hour and minute that you would like the reports to run. If you do not change the time, selected report runs at midnight. If neither the day of the month nor day of the week is selected, the report runs daily at the specied time.

Managing Proled Applications 99

E-Mail Target

You have the ability to send the scheduled security incident report via e-mail to up to three recipients. Just enter the e-mail addresses for those who require the security incident information.

Export Type

Location to Store Log

Enables you to change the location where the exported report is stored. The default location is /var/log/apparmor/reports-exported. When you change this location, select Accept. Select Browse to browse the le system.

Click Next to proceed to the next Edit Scheduled SIR page. The second page of

Edit Scheduled Reports opens.

100

Fill in the elds with the following ltering information, as necessary:

Program Name

Novell APPARMOR 1.2 ADMINISTRATION GUIDE

Specifications and Main Features

Frequently Asked Questions

User Manual

Introduction to Novell AppArmor

1 Documentation Conventions

2 Understanding This Guide

3.1 Launching Novell AppArmor through the YaST GUI

3.2 Novell AppArmor Basics

2.1 Immunize Programs That Grant Privilege

2.2 Inspect Open Ports to Immunize Programs

2.2.1 Immunizing Cron Jobs

2.2.2 Immunizing Web Applications

2.2.3 Immunizing Network Agents

Abstractions

Program Chunks

3.1.3 Capability Entries (POSIX.1e)

3.2.1 Using the YaST GUI

3.2.2 Using YaST ncurses

3.2.3 Using the Command Line Interface

Adding an Entry

Editing an Entry

Deleting an Entry

3.3.6 Managing Novell AppArmor and Security Event Status

Changing Novell AppArmor Status

3.4.1 Checking the SubDomain Module Status

autodep

Complain or Learning Mode

Enforce Mode

genprof

logprof

logprof Example 1

logprof Example 2

Subdomain.vim

The unconfined command examines open network ports on your system, compares that to the set of proles loaded on your system, and reports network services that do not have Novell AppArmor proles. It requires root privilege and that it not be conned by a Novell AppArmor prole.

3.6 Pathnames and Globbing

3.7 File Permission Access Modes

3.7.1 Read Mode

3.7.2 Write Mode

3.7.4 Unconstrained Execute Mode

3.7.5 Inherit Execute Mode

3.7.6 Link Mode

4.1 Monitoring Your Secured Applications

4.3 Reports

4.3.1 Viewing Archived Reports

Application Audit Report

Security Incident Report

Executive Security Summary

4.3.2 Run Now: Running On-Demand Reports

4.3.3 Adding New Reports

4.3.4 Editing Reports