37.3 Getting Started with Profiling Applications
Prepare a successful deployment of Novell AppArmor on your system by carefully
considering the following items:
37.3.1 Choosing the Applications to Profile
You only need to protect the programs that are exposed to attacks in
your particular setup, so only use profiles for those applications you
really run. Use the following list to determine the most likely
- Network Agents
Programs (servers and clients) that have open network ports. User
clients, such as mail clients and Web browsers, mediate privilege.
These programs run with the privilege to write to the user's home
directory and they process input from potentially hostile remote
sources, such as hostile Web sites and e-mailed malicious code.
- Web Applications
Programs that can be invoked through a Web browser, including CGI
Perl scripts, PHP pages, and more complex Web applications.
- Cron Jobs
Programs that the cron daemon periodically run read input from a
variety of sources.
To find out which processes are currently running with open network
ports and might need a profile to confine them, run
Example 37-1 Output of aa-unconfined
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
Each of the processes in the above example labeled not
confined might need a custom profile to confine it. Those
labeled confined by are already protected by AppArmor.
37.3.2 Building and Modifying Profiles
Novell AppArmor on openSUSE ships with a preconfigured set of profiles for
the most important applications. In addition to that, you can use AppArmor
to create your own profiles for any application you want.
There are two ways of managing profiles. One is to use the graphical
front-end provided by the YaST Novell AppArmor modules and the other is to use
the command line tools provided by the AppArmor suite itself. Both methods
basically work the same way.
Running aa-unconfined as described in
Section 37.3.1, Choosing the Applications to Profile identifies a list of
applications that may need a profile to run in a safe mode.
For each application, perform the following steps to create a profile:
As root, let AppArmor create a
rough outline of the application's profile by running
Outline the basic profile by running
and specifying the complete
path of the application to profile.
A basic profile is outlined and AppArmor is put into learning mode, which
means that it logs any activity of the program you are executing but
does not yet restrict it.
Run the full range of the application's actions to let AppArmor get a very
specific picture of its activities.
Let AppArmor analyze the log files generated in
Step 2 by typing S in
Analyze the logs by clicking
in the and
following the instructions given in the wizard until the profile is
AppArmor scans the logs it recorded during the application's run and asks
you to set the access rights for each event that was logged. Either
set them for each file or use globbing.
Depending on the complexity of your application, it might be necessary
to repeat Step 2 and
Step 3. Confine the application,
exercise it under the confined conditions, and process any new log
events. To properly confine the full range of an application's
capabilities, you might be required to repeat this procedure often.
Once all access permissions are set, your profile is set to enforce
mode. The profile is applied and AppArmor restricts the application
according to the profile just created.
If you started aa-genprof on an application that had an existing
profile that was in complain mode, this profile remains in learning
mode upon exit of this learning cycle. For more information about
changing the mode of a profile, refer to
aa-complain—Entering Complain or Learning Mode, (↑ Novell AppArmor Administration Guide )
aa-enforce—Entering Enforce Mode, (↑ Novell AppArmor Administration Guide ).
Test your profile settings by performing every task you need with the
application you just confined. Normally, the confined program runs
smoothly and you do not notice AppArmor activities at all. However, if you
notice certain misbehavior with your application, check the system logs
and see if AppArmor is too tightly confining your application. Depending on
the log mechanism used on your system, there are several places to look
for AppArmor log entries:
If the audit package is
installed and auditd is running, AppArmor events are logged as follows:
type=APPARMOR_DENIED msg=audit(1210347212.123:18): operation="inode_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/tmp/.X11-unix/X0" pid=9160 profile="/usr/bin/ksmserver
If auditd is not used, AppArmor events are logged in the standard system
log under /var/log/messages. An example entry
would look like the following:
May 9 17:39:56 neovirt klogd: type=1503 audit(1210347596.146:23): operation="inode_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/tmp/.X11-unix/X0" pid=9347 profile="/usr/bin/ksmserver"
If auditd is not running, AppArmor events can also be checked using the
type=1503 audit(1210347596.146:23): operation="inode_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/tmp/.X11-unix/X0" pid=9347 profile="/usr/bin/ksmserver"
To adjust the profile, analyze the log messages relating to this
application again as described in Step 3.
Determine the access rights or restrictions when prompted.
37.3.3 Configuring Novell AppArmor Event Notification and Reports
Set up event notification in Novell AppArmor so you can review security events.
Event Notification is an Novell AppArmor feature that informs a specified e-mail
recipient when systemic Novell AppArmor activity occurs under the chosen severity
level. This feature is currently available in the YaST interface.
To set up event notification in YaST, proceed as follows:
Make sure that a mail server is running on your system to deliver the
Start YaST. Then select .
In , select
For each record type (
, and ), set a
report frequency, enter the e-mail address that should receive the
reports, and determine the severity of events to log. To include
unknown events in the event reports, check .
NOTE: Selecting Events to Log
Unless you are familiar with AppArmor's event categorization, choose to
be notified about events for all security levels.
Leave this dialog with to apply your settings.
Using Novell AppArmor reports, you can read important Novell AppArmor security events
reported in the log files without manually sifting through the
cumbersome messages only useful to the aa-logprof tool. You can decrease
the size of the report by filtering by date range or program name.
To configure the AppArmor reports, proceed as follows:
Start YaST. Select .
Select the type of report to examine or configure from
, , and .
Edit the report generation frequency, e-mail address, export format,
and location of the reports by selecting and
providing the requested data.
To run a report of the selected type, click .
Browse through the archived reports of a given type by selecting
and specifying the report type.
Delete unneeded reports or add new ones.
37.3.4 Updating Your Profiles
Software and system configurations change over time. As a result of
that, your profile setup for AppArmor might need some fine-tuning from time
to time. AppArmor checks your system log for policy violations or other AppArmor
events and lets you adjust your profile set accordingly. Any application
behavior that is outside of any profile definition can also be addressed
To update your profile set, proceed as follows:
Adjust access or execute rights to any resource or for any executable
that has been logged when prompted.
Leave YaST after you answer all questions. Your changes are applied
to the respective profiles.