Paranoid Penguin - An Introduction to Novell AppArmor
If you need to create a new profile from scratch, there are several ways to do so, all explained in detail in the aforementioned Admin Guide Using YaST and also in the AppArmor Advanced User's Guide (/usr/share/doc/packages/subdomain-docs/adv-ug-apparmor.pdf). Here, however, is the easiest method:
1. Run the Add Profile Wizard, being sure to specify the full path to the program you want to protect when prompted for the application name. You will be prompted to run the program, during which time AppArmor runs in “learn” mode, and builds a profile by observing the application's behavior.
2. After the Add Profile Wizard closes, restart your application (if a dæmon) and test it as thoroughly as possible. If everything works properly, you're done.
3. If anything failed in the previous step, run the Update Profile Wizard. Based on your answers to the Wizard's prompts, the AppArmor profile you just created (plus any other applicable profiles) will be updated.
4. Repeat steps two and three until the application works the way it did before you created its AppArmor profile. This may take more than two iterations.
That's basically it! The excellent documents in /usr/share/doc/packages/subdomain-docs explain not only the above procedure, but also how to use the Add Profile Manually applet and even how to create profiles from scratch using your text editor of choice.
Before I close this month's column, I leave you with a couple of observations based on my experiences tinkering with AppArmor over the past couple of months. First, I must stress the importance of having a healthy local logging facility. As you can see, AppArmor relies heavily on /var/log/messages not only for providing you with a good audit trail, but also for providing its own wizards with crucial configuration intelligence. Therefore, if you have a customized system logger, make sure that there's at least a symbolic link from /var/log/messages to wherever your subdomain messages end up.
For example, on my chrooted syslog-ng installation, my subdomain messages are written to /var/syslog-ng/var/log/messages. Before AppArmor would work properly on this system, I had to create a symbolic link from /var/log/messages to this location. I also had to edit /etc/logrotate.d/syslog so that the “real” messages file would be rotated when too large or old; otherwise, the symbolic link was destroyed by my logrotate cron job. (Obviously, I should have updated logrotate.d/syslog already, back when I configured syslog-ng—by the time I got around to this, /var/syslog-ng/var/log/messages had grown to an embarrassing and unwieldy size.)
Also, I should point out that, just like all of YaST's modules, you don't need to be running the X Window System to run the Novell AppArmor YaST applets. You shouldn't be running X on Internet-connected servers, both because it's almost never necessary and because X has a very rich history of so-called local privilege escalation vulnerabilities. It may seem tempting to ignore such vulnerabilities if you're worried about non-local attackers, but “local” is usually a misnomer. If attackers gain shell access via, for example, a buffer-overflow attack against some network dæmon, they often can exploit so-called local privilege escalation vulnerabilities to promote themselves to root.
I hope you'll forgive me, therefore, for using attractive screenshots of the X version of YaST in this article—I assure you that the content and functionality are identical in the text-only versions of these applets.
Finally, a tip—in the course of repeatedly running the Update Profile Wizard to make my guestbook PHP script work, AppArmor for some reason forgot I'd dealt with two particular events in /var/log/messages and prompted me over and over about these two events. The problem went away when I manually deleted the corresponding lines in /var/log/messages, and I haven't experienced that particular anomaly since. The problem may have had more to do with my weird syslog-ng behavior than with anything in AppArmor, but I mention it in case you experience anything similar. AppArmor's log messages always contain the string SubDomain.
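Two quick checks for the logging prerequisite discussed above, as an added example that is not from the article or from Novell: whether the messages file the wizards read really resolves to the file your logger writes (a dangling link left behind by a logrotate job fails the check), and a count of AppArmor entries keyed on the SubDomain string. The sample log lines, the "profile /path" token used to pull profile names out of a message, and all paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the article or Novell: sanity checks for the logging
# prerequisite AppArmor's wizards depend on. All paths are parameters.

# messages_link_ok LINK REAL
# 0 if LINK (normally /var/log/messages) exists and is the same file as REAL,
# the file the logger actually writes. A dangling link, which is what logrotate
# leaves when it rotates the link instead of the real file, fails this check.
messages_link_ok() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# subdomain_event_count LOGFILE
# Number of AppArmor entries; every AppArmor message contains "SubDomain".
subdomain_event_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'SubDomain' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# subdomain_profiles LOGFILE
# Distinct profiles named in AppArmor entries. The "profile /path" token is an
# assumption about the message format; the article only promises "SubDomain".
subdomain_profiles() {
    [ -r "$1" ] || return 0
    grep 'SubDomain' "$1" | sed -n 's/.*profile \([^ )]*\).*/\1/p' | sort -u
}

# write_sample_log FILE
# Constructed sample lines (not captured output) in the style of a kernel
# SubDomain message, so the checks can be exercised without a live system.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 host kernel: SubDomain: REJECTING r access to /srv/www/guestbook/entries.txt (php(1234) profile /srv/www/htdocs/guestbook.php active /srv/www/htdocs/guestbook.php)
Mar  1 10:00:02 host sshd[999]: Accepted publickey for mick from 10.0.0.5 port 40122
Mar  1 10:00:03 host kernel: SubDomain: REJECTING w access to /srv/www/guestbook/entries.txt (php(1234) profile /srv/www/htdocs/guestbook.php active /srv/www/htdocs/guestbook.php)
Mar  1 10:00:04 host kernel: SubDomain: PERMITTING r access to /etc/hosts (httpd2-prefork(1200) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
EOF
}

# Stand-alone demonstration against a throwaway log and link.
demo() {
    dir=$(mktemp -d)
    write_sample_log "$dir/real-messages"
    ln -s "$dir/real-messages" "$dir/messages"
    messages_link_ok "$dir/messages" "$dir/real-messages" && echo "messages link OK"
    echo "AppArmor events: $(subdomain_event_count "$dir/messages")"
    subdomain_profiles "$dir/messages"
    rm -rf "$dir"
}
demo
```

On a real system you would call messages_link_ok with /var/log/messages and your logger's actual output file, and point the other two functions at /var/log/messages.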
Mick Bauer (firstname.lastname@example.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.