User manual NOVELL APPARMOR 2.1 ADMINISTRATION GUIDE

[. . . ] AppArmor 2. 1 September 27, 2007 www. novell. com Novell AppArmor Administration Guide Novell AppArmor Administration Guide Copyright © 2006-2007 Novell, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1. 2 or any later version published by the Free Software Foundation; with the Invariant Section being this copyright notice and license. A copy of the license is included in the section entitled "GNU Free Documentation License". SUSE®, openSUSE®, the openSUSE® logo, Novell®, the Novell® logo, the N® logo, are registered trademarks of Novell, Inc. [. . . ] However, there might be times when you need to search archived log files, such as if the program exercise period exceeds the log rotation window (when the log file is archived and a new log file is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | aa-logprof -f -. aa-logprof Example 1 The following is an example of how aa-logprof addresses httpd2-prefork accessing the file /etc/group. In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which includes a predefined set of AppArmor rules. Selecting 1 to #include the name service package resolves all of the future questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated name service profile package can be made just once, rather than needing to revise many profiles. Profile: /usr/sbin/httpd2-prefork Path: /etc/group New Mode: r [1 - #include <abstractions/nameservice>] 2 - /etc/group [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish Select one of the following responses: Building Profiles from the Command Line 69 Select Enter Triggers the default action, which is, in this example, allowing access to the specified directory path entry. For more information about this, refer to Section 2. 1. 3, "File Permission Access Modes" (page 17). Deny Prevents the program from accessing the specified directory path entries. New Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression entered does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression. Glob Select either a specific path or create a general rule using wild cards that matches on a broader set of paths. To select any of the offered paths, enter the number that is printed in front of the paths then decide how to proceed with the selected item. For more information about globbing syntax, refer to Section 2. 1. 2, "Paths and Globbing" (page 15). Glob w/Ext This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file. ext becomes /etc/apache2/*. ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the . ext extension. Abort Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified. Finish Closes aa-logprof, saving all rule changes entered so far and modifying all profiles. 70 Novell AppArmor Administration Guide aa-logprof Example 2 For example, when profiling vsftpd, see this question: Profile: /usr/sbin/vsftpd Path: /y2k. jpg New Mode: r [1 - /y2k. jpg] (A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftpd on openSUSE serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path. The second item of interest is that you might want to grant FTP read access to all JPEG files in the directory, so you could use Glob w/Ext and use the suggested path of /*. jpg. Doing so collapses all previous rules granting access to individual . jpg files and forestalls any future questions pertaining to access to . jpg files. If you select Glob in the last entry, aa-logprof replaces the suggested path of /y2k. jpg with /*. [. . . ] application firewalling Novell AppArmor contains applications and limits the actions they are permitted to take. It uses privilege confinement to prevent attackers from using malicious programs on the protected server and even using trusted applications in unintended ways. attack signature Pattern in system or network activity that signals a possible virus or hacker attack. Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity. [. . . ]