In a production environment, you should plan on maintaining profiles for all of the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to back up and restore security policy files, plan for software changes, and allow any needed modification of security policies that your environment dictates.
Because you take the time to make profiles, it makes sense to back them up. Backing up profiles might save you from having to reprofile all your programs after a disk crash. Also, if profiles are changed, you can easily restore previous settings by using the backed up files.
Back up profiles by copying the profile files to a specified directory.
You should first archive the files into one file.To do this, open a
terminal window and enter the following as root
:
tar zclpf profiles.tgz /etc/apparmor.d
The simplest method to ensure that your security policy files are
regularly backed up is to include the directory
/etc/apparmor.d
in the list of directories that
your backup system archives.
You can also use scp or a file manager like Konqueror or Nautilus to store the files on some kind of storage media, the network, or another computer.
Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 4.3, “Editing Profiles”.
When you add a new application version or patch to your system, you should always update the profile to fit your needs. You have several options that depend on your company's software deployment strategy. You can deploy your patches and upgrades into a test or production environment. The following explains how to do this with each method.
If you intend to deploy a patch or upgrade in a test environment, the best method for updating your profiles is one of the following:
Run the profiling wizard by selecting Section 4.1, “Adding a Profile Using the Wizard”.
in YaST. This creates a new profile for the added or patched application. For step-by-step instructions, refer to
Run aa-genprof by typing aa-genprof in a terminal
while logged in as root
. For detailed instructions, refer to
Section 5.6.3.4, “aa-genprof—Generating Profiles”.
If you intend to deploy a patch or upgrade directly into a production environment, the best method for updating your profiles is one of the following:
Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed using aa-logprof. For detailed instructions, refer to Section 5.6.3.5, “aa-logprof—Scanning the System Log”.
Run the YaST Section 4.5, “Updating Profiles from Log Entries”.
to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to