User manual NOVELL APPARMOR 2.0 ADMINISTRATION GUIDE

[. . . ] Novell AppArmor 2. 0 August 28, 2006 www. novell. com Novell AppArmor 2. 0 Administration Guide Novell AppArmor 2. 0 Administration Guide List of Authors: Leona Beatrice Campbell, Jana Jaeger This publication is intellectual property of Novell Inc. Its contents can be duplicated, either in part or in whole, provided that a copyright label is visibly located on each copy. All information found in this book has been compiled with utmost attention to detail. Neither SUSE LINUX GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof. [. . . ] The learning or complain mode traces program behavior and enters it in the log. If a confined program forks and executes another program, aa-logprof sees this and asks the user which execution mode should be used when launching the child process. The execution modes ix, px, Px, ux, and Ux are options for starting the child process. If a separate profile exists for the child process, the default selection is px. Child processes with separate profiles have aa-autodep run on them and are loaded into AppArmor, if it is running. If the AppArmor module is running, the updated profiles are reloaded and, if any processes that generated security events are still running in the null-complain-profile, those processes are set to run under their proper profiles. To run aa-logprof, enter aa-logprof into a terminal window while logged in as root. The following options can be used for aa-logprof: Building Novell AppArmor Profiles 63 aa-logprof -d /path/to/profile/directory/ Specifies the full path to the location of the profiles if the profiles are not located in the standard directory, /etc/apparmor. d/. aa-logprof -f /path/to/logfile/ Specifies the full path to the location of the log file if the log file is not located in the default directory, /var/log/audit/audit. log or /var/log/ messages (if auditd is not running). aa-logprof -m "string marker in logfile" Marks the starting point for aa-logprof to look in the system log. aa-logprof ignores all events in the system log before the specified mark. If the mark contains spaces, it must be surrounded by quotes to work correctly. For example: aa-logprof -m"17:04:21" or logprof -m e2ff78636296f16d0b5301209a04430d aa-logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list. By default, aa-logprof looks for profiles in /etc/apparmor. d/ and scans the log in /var/log/messages. In many cases, running aa-logprof as root is enough to create the profile. However, there might be times when you need to search archived log files, such as if the program exercise period exceeds the log rotation window (when the log file is archived and a new log file is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | aa-logprof -f -. aa-logprof Example 1 The following is an example of how aa-logprof addresses httpd2-prefork accessing the file /etc/group. In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which includes a predefined set of Novell AppArmor rules. Selecting 1 to #include the name service package resolves all of 64 Novell AppArmor 2. 0 Administration Guide the future questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated nameservice profile package can be made just once, rather than needing to revise many profiles. Profile: /usr/sbin/httpd2-prefork Path: /etc/group New Mode: r [1 - #include <abstractions/nameservice>] 2 - /etc/group [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish Select one of the following responses: Press Enter Allows access to the selected directory path. For more information about this, refer to Section 3. 7, "File Permission Access Modes" (page 71). [. . . ] It uses privilege confinement to prevent attackers from using malicious programs on the protected server and even using trusted applications in unintended ways. attack signature Pattern in system or network activity that signals a possible virus or hacker attack. Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity. By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. [. . . ]