42.3 Getting Started with Profiling Applications
Prepare a successful deployment of Novell AppArmor on your system by carefully
considering the following items:
42.3.1 Choosing the Applications to Profile
You only need to protect the programs that are exposed to attacks in your particular setup, so only use profiles for those applications you really run. Use the following list to determine the most likely candidates:
- Network Agents: Programs (servers and clients) that have open network ports. Network agents are server programs that respond on those network ports. User clients, such as mail clients and Web browsers, also have open network ports and mediate privilege. Any attack on a user's Web browser or e-mail client allows the attacker to steal private data from the user. In addition, the attacker might use the access gained through that attack as leverage to get more privileges on the system.
- Web Applications: CGI Perl scripts, PHP pages, and more complex Web applications that can be started through a Web browser.
- Cron Jobs: Programs that the cron daemon runs periodically, which read input from a variety of sources.
To find out which processes are currently running with open network
ports and might need a profile to confine them, run
aa-unconfined as root.
Example 42-1
Output of aa-unconfined
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
Each of the processes in the above example labeled not
confined might need a custom profile to confine it. Those
labeled confined by are already protected by
AppArmor.
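The listing in Example 42-1 is easy to read by eye for four processes, but on a busy server it is worth parsing. The following script is an added example (not part of the SUSE documentation or the AppArmor tools); it parses aa-unconfined output into records, lists the executables that still need a profile, and flags executables that appear both confined and unconfined in the same listing, as sshd does above. The function names and the embedded sample listing are this example's own; the sample is the Example 42-1 output, so the script runs without AppArmor installed.

```python
import re

# One line of aa-unconfined output, as shown in Example 42-1:
#   "<pid> <path> not confined"
#   "<pid> <path> confined by '<profile> (<mode>)'"
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<path>\S+)\s+"
    r"(?:not confined|confined by '(?P<profile>.+?) \((?P<mode>\w+)\)')\s*$"
)


def parse_unconfined(output):
    """Turn aa-unconfined output into a list of process records.

    Unconfined processes get profile=None and mode=None; lines that do not
    match the expected shape are skipped rather than guessed at.
    """
    procs = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        procs.append({
            "pid": int(m["pid"]),
            "path": m["path"],
            "profile": m["profile"],   # None when not confined
            "mode": m["mode"],         # e.g. "enforce" or "complain"
        })
    return procs


def profile_candidates(procs):
    """Executables with at least one unconfined listening process (deduplicated)."""
    return sorted({p["path"] for p in procs if p["profile"] is None})


def mixed_confinement(procs):
    """Executables seen both confined and unconfined in the same listing.

    Confinement is applied when a program is executed, so this typically means
    a profile was loaded after some instances of the program had already
    started; those older processes keep running without confinement until
    they are restarted.
    """
    confined = {p["path"] for p in procs if p["profile"] is not None}
    unconfined = {p["path"] for p in procs if p["profile"] is None}
    return sorted(confined & unconfined)


# Constructed sample: the listing from Example 42-1, embedded so the script
# runs without AppArmor installed. On a real system, feed it the output of
# "aa-unconfined" run as root instead.
SAMPLE_OUTPUT = """\
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
"""

if __name__ == "__main__":
    procs = parse_unconfined(SAMPLE_OUTPUT)
    print("profile candidates:", profile_candidates(procs))
    print("restart needed:", mixed_confinement(procs))
```

On the sample listing the script reports cupsd, postfix's master and sshd as candidates, and singles out sshd as a program that already has an enforced profile but still has one process running outside it.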
HINT: For More Information
For more information about choosing the right applications to profile, refer to “Selecting Programs to Immunize” (↑Novell AppArmor 2.0 Administration Guide).
42.3.2 Building and Modifying Profiles
Novell AppArmor on SUSE Linux Enterprise ships with a preconfigured set of profiles for
the most important applications. In addition to that, you can use AppArmor to
create your own profiles for any application you want.
There are two ways of managing profiles. One is to use the graphical
front-end provided by the YaST Novell AppArmor modules and the other is to use the
command line tools provided by the AppArmor suite itself. Both methods
basically work the same way.
Running aa-unconfined as described in Section 42.3.1,
Choosing the Applications to Profile identifies a list of applications
that may need a profile to run in a safe mode.
For each application, perform the following steps to create a profile:
1. As root, let AppArmor create a rough outline of the application's profile by running aa-genprof programname
   or
   Outline the basic profile by running and specifying the complete path of the application to profile.
   A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing but does not yet restrict it.
2. Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.
3. Let AppArmor analyze the log files generated in Step 2 by typing S in aa-genprof.
   or
   Analyze the logs by clicking in the and following the instructions given in the wizard until the profile is completed.
   AppArmor scans the logs it recorded during the application's run and asks you to set the access rights for each event that was logged. Either set them for each file or use globbing.
4. Once all access permissions are set, your profile is set to enforce mode. The profile is applied and AppArmor restricts the application according to the profile just created.
If you started aa-genprof on an application that had an existing
profile that was in complain mode, this profile remains in learning
mode upon exit of this learning cycle. For more information about changing
the mode of a profile, refer to “aa-complain—Entering Complain or Learning Mode” (Chapter “Building Novell AppArmor Profiles”, ↑Novell AppArmor 2.0 Administration Guide) and “aa-enforce—Entering Enforce Mode” (Chapter “Building Novell AppArmor Profiles”, ↑Novell AppArmor 2.0 Administration Guide).
Test your profile settings by performing every task you need with the
application you just confined. Normally, the confined program runs
smoothly and you do not notice AppArmor activities at all. However, if you
notice certain misbehavior with your application, check the system logs and
see if AppArmor is too closely constricting your application. Depending on the
log mechanism used on your system, there are several places to look for
AppArmor log entries:
- /var/log/audit.log: If the audit package is installed and auditd is running, AppArmor events are logged as follows:
  type=APPARMOR msg=audit(1140325305.502:1407): REJECTING w access to /usr/lib/firefox/update.test (firefox-bin(9469) profile /usr/lib/firefox/firefox-bin active /usr/lib/firefox/firefox-bin)
- /var/log/messages: If auditd is not used, AppArmor events are logged in the standard system log under /var/log/messages. An example entry looks like the following:
  Feb 22 18:29:14 dhcp-81 klogd: audit(1140661749.146:3): REJECTING w access to /dev/console (mdnsd(3239) profile /usr/sbin/mdnsd active /usr/sbin/mdnsd)
- dmesg: If auditd is not running, AppArmor events can also be checked using the dmesg command:
  audit(1140661749.146:3): REJECTING w access to /dev/console (mdnsd(3239) profile /usr/sbin/mdnsd active /usr/sbin/mdnsd)
To adjust the profile, analyze the log messages relating to this application again as described in Step 3. Determine the access rights or restrictions when prompted.
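Whichever of the three locations your system uses, the event body after audit(...) has the same shape, so one parser serves all of them. The script below is an added example, not code from the SUSE documentation or from aa-logprof; it extracts the verdict, access mode, path, program, PID and profile from lines in all three formats, drops the duplicate that appears when the same kernel event is read from both /var/log/messages and dmesg, and counts denials per profile and path so you can see where a profile is constricting an application. The function names are this example's own, the sample lines are the three entries quoted above plus one constructed unrelated syslog line, and treating PERMITTING as the complain-mode counterpart of REJECTING is an assumption (the examples above show only REJECTING).

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The event body is identical in all three sources shown above; only the
# prefix differs (type=APPARMOR msg=..., a syslog header, or nothing in dmesg),
# so the pattern is searched for anywhere in the line rather than anchored.
# PERMITTING is assumed to be the complain-mode counterpart of REJECTING.
EVENT_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<verdict>REJECTING|PERMITTING) (?P<mode>\S+) access to (?P<path>\S+) "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)


def parse_event(line):
    """Parse one log line; return a dict of fields or None for unrelated lines."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["serial"] = int(ev["serial"])
    # The audit id is a wall-clock timestamp plus a per-boot serial number.
    ev["time"] = datetime.fromtimestamp(float(ev["ts"]), tz=timezone.utc)
    return ev


def parse_log(lines):
    """Parse many lines, keeping only the first occurrence of each audit id.

    The same kernel event shows up in both /var/log/messages and dmesg, so
    reading both sources would otherwise count every denial twice.
    """
    seen = set()
    events = []
    for ev in map(parse_event, lines):
        if ev is None:
            continue
        key = (ev["ts"], ev["serial"])
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    return events


def denials(events, program=None):
    """Count REJECTING events per (profile, path, access mode).

    Each key is either a rule the profile still lacks or a sign that the
    profile is too tight for the application; program narrows the result to
    one executable name (the comm field), the way a report filtered by
    program name would.
    """
    counts = Counter()
    for ev in events:
        if ev["verdict"] != "REJECTING":
            continue
        if program is not None and ev["comm"] != program:
            continue
        counts[(ev["profile"], ev["path"], ev["mode"])] += 1
    return counts


# Constructed sample: the three entries quoted above, one per log source,
# plus an unrelated syslog line that the parser must ignore.
SAMPLE_LINES = [
    "type=APPARMOR msg=audit(1140325305.502:1407): REJECTING w access to "
    "/usr/lib/firefox/update.test (firefox-bin(9469) profile "
    "/usr/lib/firefox/firefox-bin active /usr/lib/firefox/firefox-bin)",
    "Feb 22 18:29:14 dhcp-81 klogd: audit(1140661749.146:3): REJECTING w access "
    "to /dev/console (mdnsd(3239) profile /usr/sbin/mdnsd active /usr/sbin/mdnsd)",
    "audit(1140661749.146:3): REJECTING w access to /dev/console (mdnsd(3239) "
    "profile /usr/sbin/mdnsd active /usr/sbin/mdnsd)",
    "Feb 22 18:29:15 dhcp-81 cron[4242]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LINES)
    for (profile, path, mode), n in sorted(denials(events).items()):
        print(f"{n:3d}  {profile}  denied {mode} on {path}")
```

The paths in these messages are matched as non-blank runs, which is what the 2.0-era log format shows; if you feed the parser lines from a newer AppArmor release, check its format first, since later versions changed the message layout.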
HINT: For More Information
For more information about profile building and modification, refer
to “Building Novell AppArmor Profiles” (↑Novell AppArmor 2.0 Administration Guide).
42.3.3 Configuring Novell AppArmor Event Notification and Reports
Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.
To set up event notification in YaST, proceed as follows:
1. Make sure that a mail server is running on your system to deliver the event notifications.
2. Log in as root and start YaST. Then select ).
3. In , select .
4. For each record type (, , and ), set a report frequency, enter the e-mail address that should receive the reports, and determine the severity of events to log. To include unknown events in the event reports, check .
   NOTE: Selecting Events to Log
   Unless you are familiar with AppArmor's event categorization, choose to be notified about events for all security levels.
5. Leave this dialog with to apply your settings.
Using Novell AppArmor reports, you can read important Novell AppArmor
security events reported in the log files without manually sifting through
the cumbersome messages only useful to the aa-logprof tool. You can
decrease the size of the report by filtering by date range or program
name.
To configure the AppArmor reports, proceed as follows:
1. Log in as root and start YaST. Select .
2. Select the type of report to examine or configure from , , and .
3. Edit the report generation frequency, e-mail address, export format, and location of the reports by selecting and providing the requested data.
4. To run a report of the selected type, click .
5. Browse through the archived reports of a given type by selecting and specifying the report type.
   or
   Delete unneeded reports or add new ones.
HINT: For More Information
For more information about configuring event notification in Novell AppArmor,
refer to “Setting Up Event Notification” (Chapter “Managing Profiled Applications”, ↑Novell AppArmor 2.0 Administration Guide). Find more information about report
configuration in “Reports” (Chapter “Managing Profiled Applications”, ↑Novell AppArmor 2.0 Administration Guide).
42.3.4 Updating Your Profiles
Software and system configurations change over time. As a result, your profile setup for AppArmor might need some fine-tuning from time to time. AppArmor checks your system log for policy violations or other AppArmor events and lets you adjust your profile set accordingly. Any application behavior that is outside of any profile definition can also be addressed using the .
To update your profile set, proceed as follows:
1. Log in as root and start YaST.
2. Start .
3. Adjust access or execute rights to any resource or for any executable that has been logged when prompted.
4. Leave YaST after you answer all questions. Your changes are applied to the respective profiles.
HINT: For More Information
For more information about updating your profiles from the system
logs, refer to “Updating Profiles from Log Entries” (Chapter “Building Novell AppArmor Profiles”, ↑Novell AppArmor 2.0 Administration Guide).