SUSE Linux Documentation > Installation and Administration > Security >

Chapter 48. Confining Privileges with AppArmor

Contents

48.1. Installing Novell AppArmor
48.2. Enabling and Disabling Novell AppArmor
48.3. Getting Started with Profiling Applications

Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privilege that some attacker would like to have. The program fails to keep that trust if there is a bug in the program that allows the attacker to acquire that privilege.

Novell® AppArmor is an application security solution designed specifically to provide least privilege confinement to suspect programs. AppArmor allows the administrator to specify the domain of activities the program can perform by developing a security profile for that application—a listing of files that the program may access and the operations the program may perform.

Effective hardening of a computer system requires minimizing the number of programs that mediate privilege then securing the programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer. AppArmor profiles enforce policies to make sure that programs do what they are supposed to do, but nothing else.

Administrators only need to care about the applications that are vulnerable to attacks and generate profiles for these. Hardening a system thus comes down to building and maintaining the AppArmor profile set and monitoring any policy violations or exceptions logged by AppArmor's reporting facility.

Building AppArmor profiles to confine an application is very straightforward and intuitive. AppArmor ships with several tools that assist in profile creation. It does not require you to do any programming or script handling. The only task that is required from the administrator is to determine a policy of strictest access and execute permissions for each application that needs to be hardened.

Updates or modifications to the application profiles are only required if the software configuration or the desired range of activities changes. AppArmor offers intuitive tools to handle profile updates or modifications.

Users should not notice AppArmor at all. It runs behind the scenes and does not require any user interaction. Performance is not affected noticeably by AppArmor. If some activity of the application is not covered by an AppArmor profile or if some activity of the application is prevented by AppArmor, the administrator needs to adjust the profile of this application to cover this kind of behavior.

This guide outlines the basic tasks that need to be performed with AppArmor to effectively harden a system. For more in-depth information, refer to Novell AppArmor Administration Guide.

48.1. Installing Novell AppArmor

Novell AppArmor is installed and running by default on any installation of SUSE Linux Enterprise® regardless of what patterns are installed. The packages listed below are needed for a fully functional instance of AppArmor

  • apparmor-parser

  • libapparmor

  • apparmor-docs

  • yast2-apparmor

  • apparmor-profiles

  • apparmor-utils

  • audit

48.2. Enabling and Disabling Novell AppArmor

Novell AppArmor is configured to run by default on any fresh installation of SUSE Linux Enterprise. There are two ways of toggling the status of AppArmor:

Using YaST System Services (Runlevel)

Disable or enable AppArmor by removing or adding its boot script to the sequence of scripts executed on system boot. Status changes are applied at the next system boot.

Using Novell AppArmor Control Panel

Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.

To disable AppArmor permanently by removing it from the sequence of scripts executed on system boot, proceed as follows:

  1. Log in as root and start YaST.

  2. Select System+System Services (Runlevel).

  3. Select Expert Mode.

  4. Select boot.apparmor and click Set/Reset+Disable the service.

  5. Exit the YaST Runlevel tool with Finish.

AppArmor will not be initialized on the next system boot and stays inactive until you explicitly reenable it. Reenabling a service using the YaST Runlevel tool is similar to disabling it.

Toggle the status of AppArmor in a running system by using the AppArmor Control Panel. These changes take effect as soon as you apply them and survive a reboot of the system. To toggle AppArmor's status, proceed as follows:

  1. Log in as root and start YaST.

  2. Select Novell AppArmor+AppArmor Control Panel.

  3. Select Enable AppArmor. To disable AppArmor, uncheck this option.

  4. Exit the AppArmor Control Panel with Done.

48.3. Getting Started with Profiling Applications

Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items:

  1. Determine the applications to profile. Read more on this in Section 48.3.1, “Choosing the Applications to Profile”.

  2. Build the needed profiles as roughly outlined in Section 48.3.2, “Building and Modifying Profiles”. Check the results and adjust the profiles when necessary.

  3. Keep track of what is happening on your system by running AppArmor reports and dealing with security events. Refer to Section 48.3.3, “Configuring Novell AppArmor Event Notification and Reports”.

  4. Update your profiles whenever your environment changes or you need to react to security events logged by AppArmor's reporting tool. Refer to Section 48.3.4, “Updating Your Profiles”.

48.3.1. Choosing the Applications to Profile

You only need to protect the programs that are exposed to attacks in your particular setup, so only use profiles for those applications you really run. Use the following list to determine the most likely candidates:

Network Agents

Programs (servers and clients) that have open network ports. User clients, such as mail clients and Web browsers, mediate privilege. These programs run with the privilege to write to the user's home directory and they process input from potentially hostile remote sources, such as hostile Web sites and e-mailed malicious code.

Web Applications

Programs that can be invoked through a Web browser, including CGI Perl scripts, PHP pages, and more complex Web applications.

Cron Jobs

Programs that the cron daemon periodically run read input from a variety of sources.

To find out which processes are currently running with open network ports and might need a profile to confine them, run aa-unconfined as root.

Example 48.1. Output of aa-unconfined

19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'

Each of the processes in the above example labeled not confined might need a custom profile to confine it. Those labeled confined by are already protected by AppArmor.

[Tip]For More Information

For more information about choosing the the right applications to profile, refer to Section “Determining Programs to Immunize” (Chapter 1, Immunizing Programs, ↑Novell AppArmor Administration Guide).

48.3.2. Building and Modifying Profiles

Novell AppArmor on SUSE Linux Enterprise ships with a preconfigured set of profiles for the most important applications. In addition to that, you can use AppArmor to create your own profiles for any application you want.

There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.

Running aa-unconfined as described in Section 48.3.1, “Choosing the Applications to Profile” identifies a list of applications that may need a profile to run in a safe mode.

For each application, perform the following steps to create a profile:

  1. As root, let AppArmor create a rough outline of the application's profile by running aa-genprof programname

    or

    Outline the basic profile by running YaST+Novell AppArmor+Add Profile Wizard and specifying the complete path of the application to profile.

    A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing but does not yet restrict it.

  2. Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.

  3. Let AppArmor analyze the log files generated in Step 2 by running typing S in aa-genprof.

    or

    Analyze the logs by clicking Scan system log for AppArmor events in the Add Profile Wizard and following the instructions given in the wizard until the profile is completed.

    AppArmor scans the logs it recorded during the application's run and asks you to set the access rights for each event that was logged. Either set them for each file or use globbing.

  4. Depending on the complexity of your application, it might be necessary to repeat Step 2 and Step 3. Confine the application, exercise it under the confined conditions, and process any new log events. To properly confine the full range of an application's capabilities, you might be required to repeat this procedure often.

  5. Once all access permissions are set, your profile is set to enforce mode. The profile is applied and AppArmor restricts the application according to the profile just created.

    If you started aa-genprof on an application that had an existing profile that was in complain mode, this profile remains in learning mode upon exit of this learning cycle. For more information about changing the mode of a profile, refer to Section “aa-complain—Entering Complain or Learning Mode” (Chapter 4, Building Profiles from the Command Line, ↑Novell AppArmor Administration Guide) and Section “aa-enforce—Entering Enforce Mode” (Chapter 4, Building Profiles from the Command Line, ↑Novell AppArmor Administration Guide).

Test your profile settings by performing every task you need with the application you just confined. Normally, the confined program runs smoothly and you do not notice AppArmor activities at all. However, if you notice certain misbehavior with your application, check the system logs and see if AppArmor is too tightly confining your application. Depending on the log mechanism used on your system, there are several places to look for AppArmor log entries:

/var/log/audit/audit.log

If the audit package is installed and auditd is running, AppArmor events are logged as follows:

type=APPARMOR msg=audit(1140325305.502:1407): REJECTING w access to
/usr/lib/firefox/update.test (firefox-bin(9469) profile
/usr/lib/firefox/firefox-bin active /usr/lib/firefox/firefox-bin)
/var/log/messages

If auditd is not used, AppArmor events are logged in the standard system log under /var/log/messages. An example entry would look like the following: 

Feb 22 18:29:14 dhcp-81 klogd: audit(1140661749.146:3): REJECTING w access
to /dev/console (mdnsd(3239) profile /usr/sbin/mdnsd active /usr/sbin/mdnsd)
dmesg

If auditd is not running, AppArmor events can also be checked using the dmesg command:

audit(1140661749.146:3): REJECTING w access to /dev/console (mdnsd(3239)
profile /usr/sbin/mdnsd active /usr/sbin/mdnsd)

To adjust the profile, analyze the log messages relating to this application again as described in Step 3. Determine the access rights or restrictions when prompted.

[Tip]For More Information

For more information about profile building and modification, refer to Chapter Profile Components and Syntax (↑Novell AppArmor Administration Guide), Chapter Building and Managing Profiles with YaST (↑Novell AppArmor Administration Guide), and Chapter Building Profiles from the Command Line (↑Novell AppArmor Administration Guide).

48.3.3. Configuring Novell AppArmor Event Notification and Reports

Set up event notification in Novell AppArmor so you can review security events. Event Notification is an Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs under the chosen severity level. This feature is currently available in the YaST interface.

To set up event notification in YaST, proceed as follows:

  1. Make sure that a mail server is running on your system to deliver the event notifications.

  2. Log in as root and start YaST. Then select Novell AppArmor+AppArmor Control Panel).

  3. In Enable Security Event Notification, select Configure.

  4. For each record type (Terse, Summary, and Verbose), set a report frequency, enter the e-mail address that should receive the reports, and determine the severity of events to log. To include unknown events in the event reports, check Include Unknown Severity Events.

    [Note]Selecting Events to Log

    Unless you are familiar with AppArmor's event categorization, choose to be notified about events for all security levels.

  5. Leave this dialog with OK+Done to apply your settings.

Using Novell AppArmor reports, you can read important Novell AppArmor security events reported in the log files without manually sifting through the cumbersome messages only useful to the aa-logprof tool. You can decrease the size of the report by filtering by date range or program name.

To configure the AppArmor reports, proceed as follows:

  1. Log in as root and start YaST. Select Novell AppArmor+AppArmor Reports.

  2. Select the type of report to examine or configure from Executive Security Summary, Applications Audit, and Security Incident Report.

  3. Edit the report generation frequency, e-mail address, export format, and location of the reports by selecting Edit and providing the requested data.

  4. To run a report of the selected type, click Run Now.

  5. Browse through the archived reports of a given type by selecting View Archive and specifying the report type.

    or

    Delete unneeded reports or add new ones.

[Tip]For More Information

For more information about configuring event notification in Novell AppArmor, refer to Section “Configuring Security Event Notification” (Chapter 6, Managing Profiled Applications, ↑Novell AppArmor Administration Guide). Find more information about report configuration in Section “Configuring Reports” (Chapter 6, Managing Profiled Applications, ↑Novell AppArmor Administration Guide).

48.3.4. Updating Your Profiles

Software and system configurations change over time. As a result of that, your profile setup for AppArmor might need some fine-tuning from time to time. AppArmor checks your system log for policy violations or other AppArmor events and lets you adjust your profile set accordingly. Any application behavior that is outside of any profile definition can also be addressed using the Update Profile Wizard.

To update your profile set, proceed as follows:

  1. Log in as root and start YaST.

  2. Start Novell AppArmor+Update Profile Wizard.

  3. Adjust access or execute rights to any resource or for any executable that has been logged when prompted.

  4. Leave YaST after you answer all questions. Your changes are applied to the respective profiles.

[Tip]For More Information

For more information about updating your profiles from the system logs, refer to Section “Updating Profiles from Log Entries” (Chapter 3, Building and Managing Profiles with YaST, ↑Novell AppArmor Administration Guide).

SUSE Linux Documentation > Installation and Administration > Security >