Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

AppArmor Admin Guide
Previous Page Table of Contents Next Page

5.1 Apache ChangeHat

Novell AppArmor provides a mod_apparmor module (package apache2-mod_apparmor) for the Apache program. This module makes the Apache Web server ChangeHat aware. Install it along with Apache.

When Apache is ChangeHat aware, it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives.

  • URI-specific hat (for example, ^phpsysinfo/templates/classic/images/bar_left.gif)

  • DEFAULT_URI

  • HANDLING_UNTRUSTED_INPUT

NOTE: Apache Configuration

If you install apache2-mod_apparmor without Novell AppArmor, make sure that the Apache load module has a command in the configuration file that loads the mod_apparmor module by adding apparmor to the list of modules to load in /etc/sysconfig/apache2:

APACHE_MODULES="apparmor"

Alternatively, add the following line to your Apache configuration file: 

LoadModule mod_apparmor modules/mod_apparmor.so

5.1.1 Managing ChangeHat-Aware Applications

As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Managing ChangeHat-aware applications from the command line is much more flexible, but the process is also more complicated. Both methods allow you to manage the hats for your application and populate them with profile entries.

The following steps are a demonstration that adds hats to an Apache profile using YaST. In the Add Profile Wizard, the Novell AppArmor profiling utilities prompt you to create new hats for distinct URI requests. Choosing to create a new hat allows you to create individual profiles for each URI. You can create very tight rules for each request.

If the URI that is processed does not represent significant processing or otherwise does not represent a significant security risk, safely select Use Default Hat to process this URI in the default hat, which is the default security profile.

This example creates a new hat for the URI phpsysinfo and its subsequent accesses. Using the profiling utilities, delegate what to add to this new hat. The resulting hat becomes a tight-security container that encompasses all the processing on the server that occurs when the phpsysinfo URI is passed to the Apache Web server.

The URI runs the application phpsysinfo (refer to https://phpsysinfo.sourceforge.net for more information). The phpsysinfo package is assumed to be installed in /srv/www/htdocs/phpsysinfo in a clean (new) installation of openSUSE and AppArmor.

  1. Once phpsysinfo is installed, you are ready to add hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard.

    Add Profile Wizard

  2. In Application to Profile, enter httpd2-prefork.

  3. Click Create Profile.

    AppArmor Profiling Wizard

  4. Restart Apache by entering rcapache2 restart in a terminal window.

    Restart any program you are profiling at this point.

  5. Open https://localhost/phpsysinfo/ in a Web browser window. The browser window should display network usage and system information.

    NOTE: Data Caching

    To ensure that this request is processed by the server and you do not review cached data in your browser, refresh the page. To do this, click the browser Refresh button to make sure that Apache processes the request for the phpsysinfo URI.

  6. Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the aa-logprof tool, which scans the information learned in the previous step. It begins to prompt you with profile questions.

  7. aa-logprof first prompts with Add Requested Hat or Use Default Hat because it noticed that the phpsysinfo URI was accessed. Select Add Requested Hat.

    AppArmor Profile Wizard: Add requested hat

  8. Click Allow.

    Choosing Add Requested Hat in the previous step creates a new hat in the profile and specifies that the results of subsequent questions about the script's actions are added to the newly created hat rather than the default hat for this application.

    In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined). For the case of the Profile option, a new profile is created for the program if one does not already exist.

    NOTE: Security Considerations

    Selecting Unconfined can create a significant security hole and should be done with caution.

    AppArmor Profile Wizard: Inherit

    1. Select Inherit for the /bin/bash path. This adds /bin/bash (accessed by Apache) to the phpsysinfo hat profile with the necessary permissions.

    2. Click Allow.

  9. The remaining questions prompt you to generate new hats and add entries to your profile and its hats. The process of adding entries to profiles is covered in detail in the Section 3.1, Adding a Profile Using the Wizard.

    When all profiling questions are answered, click Finish to save your changes and exit the wizard.

The following is an example phpsysinfo hat.

Example 5-1 Example phpsysinfo Hat

/usr/sbin/httpd2-prefork {
  ...
  ^phpsysinfo {
    #include <abstractions/bash>
    #include <abstractions/nameservice>

    /bin/basename                        ixr,
    /bin/bash                            ixr,
    /bin/df                              ixr,
    /bin/grep                            ixr,
    /bin/mount                           Ux,
    /bin/sed                             ixr,
    /dev/bus/usb/                        r,
    /dev/bus/usb/**                      r,
    /dev/null                            w,
    /dev/tty                             rw,
    /dev/urandom                         r,
    /etc/SuSE-release                    r,
    /etc/ld.so.cache                     r,
    /etc/lsb-release                     r,
    /etc/lsb-release.d/                  r,
    /lib/ld-2.6.1.so                     ixr,
    /proc/**                             r,
    /sbin/lspci                          ixr,
    /srv/www/htdocs/phpsysinfo/**        r,
    /sys/bus/pci/**                      r,
    /sys/bus/scsi/devices/               r,
    /sys/devices/**                      r,
    /usr/bin/cut                         ixr,
    /usr/bin/getopt                      ixr,
    /usr/bin/head                        ixr,
    /usr/bin/lsb_release                 ixr,
    /usr/bin/lsscsi                      ixr,
    /usr/bin/tr                          ixr,
    /usr/bin/who                         ixr,
    /usr/lib/lib*so*                     mr,
    /usr/lib/locale/**                   r,
    /usr/sbin/lsusb                      ixr,
    /usr/share/locale/**                 r,
    /usr/share/pci.ids                   r,
    /usr/share/usb.ids                   r,
    /var/log/apache2/access_log          w,
    /var/run/utmp                        kr,
   }
}

NOTE: Hat and Parent Profile Relationship

The profile ^phpsysinfo is only valid in the context of a process running under the parent profile httpd2-prefork.

5.1.2 Adding Hats and Entries to Hats

When you use the Edit Profile dialog (for instructions, refer to Section 3.3, Editing Profiles) or when you add a new profile using Manually Add Profile (for instructions, refer to Section 3.2, Manually Adding a Profile), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles. Add a ChangeHat subprofile from the AppArmor Profile Dialog window as in the following.

AppArmor profile dialog

  1. From the AppArmor Profile Dialog window, click Add Entry then select Hat. The Enter Hat Name dialog box opens:

    Enter hat name

  2. Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat.

  3. Click Create Hat. You are returned to the AppArmor Profile Dialog screen.

  4. After adding the new hat, click Done.

NOTE: For More Information

For an example of an Novell AppArmor profile, refer to Section 5-1, Example phpsysinfo Hat.

AppArmor Admin Guide
Previous Page Table of Contents Next Page

 
 
  Published under the terms fo the GNU General Public License Design by Interspire