Contents
Novell® AppArmor provides immunization technologies that protect applications from the inherent vulnerabilities they possess. After installing Novell AppArmor, setting up Novell AppArmor profiles, and rebooting the computer, your system becomes immunized because it begins to enforce the Novell AppArmor security policies. Protecting programs with Novell AppArmor is referred to as immunizing.
Novell AppArmor sets up a collection of default application profiles to protect standard Linux services. To protect other applications, use the Novell AppArmor tools to create profiles for the applications that you want protected. This chapter introduces the philosophy of immunizing programs. Proceed to Chapter 2, Profile Components and Syntax, Chapter 4, Building and Managing Profiles with YaST, or Chapter 5, Building Profiles from the Command Line if you are ready to build and manage Novell AppArmor profiles.
Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute, and which type of network it is allowed to access. This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.
Novell AppArmor is a host intrusion prevention or mandatory access control scheme. Previously, access control schemes were centered around users because they were built for large timeshare systems. Alternatively, modern network servers largely do not permit users to log in, but instead provide a variety of network services for users, such as Web, mail, file, and print servers. Novell AppArmor controls the access given to network services and other programs to prevent weaknesses from being exploited.
Background Information for Novell AppArmor | |
---|---|
To get a more in-depth overview of AppArmor and the overall concept behind it, refer to Chapter 9, Background Information on AppArmor Profiling. |
This section provides a very basic understanding of what is happening “behind the scenes” (and under the hood of the YaST interface) when you run AppArmor.
An AppArmor profile is a plain text file containing path entries and access permissions. See Section 2.1, “Breaking a Novell AppArmor Profile into Its Parts” for a detailed reference profile. The directives contained in this text file are then enforced by the AppArmor routines to quarantine the process or program.
The following tools interact in the building and enforcement of AppArmor profiles and policies:
aa-unconfined detects any application running on your system that listens for network connections and is not protected by an AppArmor profile. Refer to Section 5.6.3.8, “aa-unconfined—Identifying Unprotected Processes” for detailed information about this tool.
aa-autodep creates a basic skeleton of a profile that needs to be fleshed out before it is put to productive use. The resulting profile is loaded and put into complain mode, reporting any behavior of the application that is not (yet) covered by AppArmor rules. Refer to Section 5.6.3.1, “aa-autodep—Creating Approximate Profiles” for detailed information about this tool.
aa-genprof generates a basic profile and asks you to refine this profile by executing the application, generating log events that need to be taken care of by AppArmor policies. You are guided through a series of questions to deal with the log events that have been triggered during the application's execution. After the profile has been generated, it is loaded and put into enforce mode. Refer to Section 5.6.3.4, “aa-genprof—Generating Profiles” for detailed information about this tool.
aa-logprof interactively scans and reviews the log entries generated by an application that is confined by an AppArmor profile in complain mode. It assists you in generating new entries in the profile concerned. Refer to Section 5.6.3.5, “aa-logprof—Scanning the System Log” for detailed information about this tool.
aa-complain toggles the mode of an AppArmor profile from enforce to complain. Exceptions to rules set in a profile are logged, but the profile is not enforced. Refer to Section 5.6.3.2, “aa-complain—Entering Complain or Learning Mode” for detailed information about this tool.
aa-enforce toggles the mode of an AppArmor profile from complain to enforce. Exceptions to rules set in a profile are logged, but not permitted—the profile is enforced. Refer to Section 5.6.3.3, “aa-enforce—Entering Enforce Mode” for detailed information about this tool.
Once a profile has been built and is loaded, there are two ways in which it can get processed:
In complain mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then postprocess the log with the AppArmor tools (YaST or aa-logprof) to transform log events into improved profiles.
In enforce mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode. Enforce toggles with complain mode.