User manual NOVELL APPARMOR 1.2 ADMINISTRATION GUIDE

[. . . ] Novell AppArmor Powered by Immunix Administration Guide www. novell. com 1. 2 09/29/2005 Novell AppArmor Powered by Immunix 1. 2 Administration Guide Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. [. . . ] The following execution modes are options for starting the child process: ix, px, and ux. If a separate profile exists for the child process, the default selection is px. Child processes with separate profiles have autodep run on them and are loaded into Novell AppArmor, if it is running. Building Novell AppArmor Profiles 65 When logprof exits, profiles are updated with the changes. If the SubDomain module is running, the updated profiles are reloaded and if any processes that generated security events are still running in the null-complain-profile, those processes are set to run under their proper profiles. To run logprof, enter logprof into a terminal window while logged in as root. The following options can also be used for logprof: logprof -d /path/to/profile/directory/ Specifies the full path to the location of the profiles if the profiles are not located in the standard directory, /etc/subdomain. d/. logprof -f /path/to/logfile/ Specifies the full path to the location of the log file if the log file is not located in the default directory, /var/log/messages. logprof -m "string marker in logfile" Marks the starting point for logprof to look in the system log. logprof ignores all events in the system log before the specified mark is seen. If the mark contains spaces, it must be surrounded with quotes to work correctly. Example: logprof -m e2ff78636296f16d0b5301209a04430d logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list. By default, logprof looks for profiles in /etc/subdomain. d/ and scans the log in /var/log/messages so, in many cases, running logprof as root is enough to create the profile. However, there might times when you need to search archived log files, such as if the program exercise period exceeds the log rotation window (when the log file is archived and a new log file is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | logprof -f -. logprof Example 1 Following is an example of how logprof addresses httpd2-prefork accessing the file /etc/group. The example uses [] to indicate the default option. 66 In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which pulls in a predefined set of Novell AppArmor rules. Selecting 1 to #include the name service package resolves all of the future questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated nameservice profile package can be made just once, rather than needing to revise many profiles. Profile: /usr/sbin/httpd2-prefork Path: /etc/group New Mode: r [1 - #include <abstractions/nameservice>] 2 - /etc/group [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish Select one of the following responses: Press Enter Allows access to the selected directory path. For more information about this, refer to Section 3. 7, "File Permission Access Modes" (page 74). Deny Prevents the program from accessing the specified directory path entries. New Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression you enter does not actually satisfy the event that prompted the question in the first place, Novell AppArmor asks you for confirmation and lets you reenter the expression. [. . . ] It uses privilege confinement to prevent attackers from using malicious programs on the protected server and even using trusted applications in unintended ways. attack signature Pattern in system or network activity that signals a possible virus or hacker attack. Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity. By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. [. . . ]