3.3. Building Novell AppArmor Profiles with the YaST GUI

Open the YaST GUI from the menu with YaST. You can also access the YaST GUI by opening a terminal window, logging in as root, and entering yast2. Select Novell AppArmor from the right panel.

YaST's main controls for
      Novell AppArmor

If Novell AppArmor is not available, try installing or reinstalling the Novell AppArmor software. The right frame shows the Novell AppArmor options:

Add Profile Wizard

For detailed steps, refer to Section 3.3.1, “Adding a Profile Using the Wizard”.

Manually Add Profile

Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Profile”.

Edit Profile

Edits an existing Novell AppArmor profile on your system. For detailed steps, refer to Section 3.3.3, “Editing a Profile”.

Delete Profile

Deletes an existing Novell AppArmor profile from your system. For detailed steps, refer to Section 3.3.4, “Deleting a Profile”.

Update Profile Wizard

For detailed steps, refer to Section 3.3.5, “Updating Profiles from Log Entries”.

AppArmor Reports

For detailed steps, refer to Section 4.3, “Reports”.

AppArmor Control Panel

For detailed steps, refer to Section 3.3.6, “Managing Novell AppArmor and Security Event Status”.

3.3.1. Adding a Profile Using the Wizard

The Add Profile Wizard is designed to set up Novell AppArmor profiles using the Novell AppArmor profiling tools, aa-genprof (Generate Profile) and aa-logprof (Update Profiles from Learning Mode Log File). For more information about these tools, refer to Section 3.5.3, “Summary of Profiling Tools”.

  1. Stop the application before profiling it to ensure that the application start-up is included in the profile. To do this, make sure that the application or daemon is not running.

    For example, enter /etc/init.d/PROGRAM stop in a terminal window while logged in as root, replacing PROGRAM with the name of the program to profile.

  2. If you have not done so already, click Novell AppArmor+Add Profile Wizard in the YaST GUI.

    Choose the application to
	 profile
  3. Enter the name of the application or browse to the location of the program.

  4. Click Create. This runs a Novell AppArmor tool named aa-autodep, which performs a static analysis of the program to profile and loads an approximate profile into Novell AppArmor module. For more information about aa-autodep, refer to Section 3.5.3.1, “aa-autodep—Creating Approximate Profiles”.

    The AppArmor Profile Wizard window opens.

    The Novell AppArmor Profile
	 Wizard

    In the background, Novell AppArmor also sets the profile to learning mode. For more information about learning mode, refer to Section 3.5.3.2, “aa-complain—Entering Complain or Learning Mode”.

  5. Run the application to profile.

  6. Perform as many of the application functions as possible so learning mode can log the files and directories to which the program requires access to function properly. Be sure to include restarting and stopping the program in the exercised functions. AppArmor needs to handle these events as well as any other program function.

  7. Click Scan system log for AppArmor events to parse the learning mode log files. This generates a series of questions that you must answer to guide the wizard in generating the security profile.

    If requests to add hats appear, proceed to Chapter 5, Profiling Your Web Applications Using ChangeHat Apache.

    The questions fall into two categories:

    Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile. The following two figures show an example of each case. Subsequent steps describe your options in answering these questions.

    [Note]Varying Processing Options

    Not all of the options introduced below are always present. The options displayed depend on the type of entry processed.

    Figure 3.1. Learning Mode Exception: Controlling Access to Specific Resources

    Learning Mode Exception: Controlling Access to Specific Resources

    Figure 3.2. Learning Mode Exception: Defining Execute Permissions for an Entry

    Learning Mode Exception: Defining Execute Permissions for an Entry
  8. The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application you are profiling (as seen in Figure 3.1, “Learning Mode Exception: Controlling Access to Specific Resources”) or requires you to define execute permissions for entries (as seen in Figure 3.2, “Learning Mode Exception: Defining Execute Permissions for an Entry”).

    1. For Figure 3.1: Learning Mode Exception: Controlling Access to Specific Resources: From the following options, select the one that satisfies the request for access, which could be a suggested include, a particular globbed version of the path, or the actual pathname. Note that all of these options are not always available.

      #include

      The section of a Novell AppArmor profile that refers to an include file. Include files give access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.

      Globbed Version

      Accessed by clicking Glob. For information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing”.

      Actual Pathname

      Literal path that the program needs to access to run properly.

      After you select a directory path, process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.

      The following options are available to process the learning mode entries and build the profile:

      Allow

      Grant the program access to the specified directory path entries. The Add Profile Wizard suggests file permission access. For more information about this, refer to Section 3.7, “File Permission Access Modes”.

      Deny

      Click Deny to prevent the program from accessing the specified paths.

      Glob

      Clicking this modifies the directory path (by using wild cards) to include all files in the suggested directory. Double-clicking it grants access to all files and subdirectories beneath the one shown.

      For more information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing”.

      Glob w/Ext

      Modify the original directory path while retaining the filename extension. A single click causes /etc/apache2/file.ext to become /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directories that end with the .ext extension. When you double-click it, access is granted to all files (with the particular extension) and subdirectories beneath the one shown.

      Edit

      Edit the highlighted line. The new (edited) line appears at the bottom of the list.

      Abort

      Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

      Finish

      Close aa-logprof, saving all rule changes entered so far and modifying all profiles.

      Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile.

      [Note]Note

      The number of learning mode entries corresponds to the complexity of the application.

    2. For Figure 3.2: Learning Mode Exception: Defining Execute Permissions for an Entry: From the following options, select the one that satisfies the request for access. For detailed information about the options available, refer to Section 3.7, “File Permission Access Modes”.

      Inherit

      Stay in the same security profile (parent's profile).

      Profile

      Require a separate profile to exist for the executed program. When selecting this option, also select whether AppArmor should sanitize the environment when switching profiles by removing certain environment variables that can modify the execution behavior of the child process. Unless these variables are absolutely required to properly execute the child process, always choose the more secure, sanitized option.

      Unconfined

      Execute the program without a security profile. When prompted, let AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process.

      [Warning]Warning

      Unless absolutely necessary, do not run unconfined. Choosing the Unconfined option executes the new program without any protection from AppArmor.

      Deny

      Click Deny to prevent the program from accessing the specified paths.

      Abort

      Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

      Finish

      Close aa-logprof, saving all rule changes entered so far and modifying all profiles.

  9. Repeat the previous steps if you need to execute more functionality of the application.

    When you are done, click Finish. In the following pop-up, click Yes to exit the Profile Creation Wizard. The profile is saved and loaded into the Novell AppArmor module.

3.3.2. Manually Adding a Profile

Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile then add entries.

  1. To add a profile, open YaST+Novell AppArmor. The Novell AppArmor category opens.

  2. In Novell AppArmor, click Manually Add Profile.

  3. Browse your system to find the application for which to create a profile.

  4. When you find the application, select it and click Open. A basic, empty profile appears in the Novell AppArmor Profile Dialog window.

    Manually creating a profile
  5. In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.2.1, “Adding an Entry”, Section 3.3.2.2, “Editing an Entry”, or Section 3.3.2.3, “Deleting an Entry”.

  6. When you are finished, click Done.

3.3.2.1. Adding an Entry

The Add Entry option can be found in Section 3.3.2, “Manually Adding a Profile” or Section 3.3.3, “Editing a Profile”. When you select Add Entry, a drop-down list displays the types of entries you can add to the Novell AppArmor profile.

From the list, select one of the following:

File

In the pop-up window, specify the absolute path of a file, including the type of access permitted. When finished, click OK.

You can use globbing if necessary. For globbing information, refer to Section 3.6, “Pathnames and Globbing”. For file access permission information, refer to Section 3.7, “File Permission Access Modes”.

Select a file to add
Directory

In the pop-up window, specify the absolute path of a directory, including the type of access permitted. You can use globbing if necessary. When finished, click OK.

For globbing information, refer to Section 3.6, “Pathnames and Globbing”. For file access permission information, refer to Section 3.7, “File Permission Access Modes”.

Select a directory to
	   add
Capability

In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to Section 3.1.1, “Breaking a Novell AppArmor Profile into Its Parts” for more information about capabilities. When finished making your selections, click OK.

Select capabilities
Include

In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 3.1.2, “#include.

Select includes
Hat

In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat. For more information, refer to Chapter 5, Profiling Your Web Applications Using ChangeHat Apache.

3.3.2.2. Editing an Entry

The Edit Entry option can be found in Section 3.3.2, “Manually Adding a Profile” or Section 3.3.3, “Editing a Profile”. When you select Edit Entry, the file browser pop-up window opens. From here, you can edit the selected entry.

In the pop-up window, specify the absolute path of a file, including the type of access permitted. You can use globbing if necessary. When finished, click OK.

For globbing information, refer to Section 3.6, “Pathnames and Globbing”. For file access permission information, refer to Section 3.7, “File Permission Access Modes”.

Edit an entry

3.3.2.3. Deleting an Entry

The Delete Entry option can be found in Section 3.3.2, “Manually Adding a Profile” or Section 3.3.3, “Editing a Profile”. When you select an entry then select Delete Entry, Novell AppArmor removes the selected profile entry.

3.3.3. Editing a Profile

Novell AppArmor enables you to manually edit Novell AppArmor profiles by adding, editing, or deleting entries. Simply select the profile then add, edit, or delete entries. To edit a profile, follow these steps:

  1. Open YaST+Novell AppArmor.

  2. In Novell AppArmor, click Edit Profile. The Edit Profile—Choose profile to edit window opens.

    Choose profile to edit
  3. From the list of profiled programs, select the profile to edit.

  4. Click Next. The AppArmor Profile Dialog window displays the profile.

    AppArmor profile dialog
  5. In the AppArmor Profile Dialog window, you can add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 3.3.2.1, “Adding an Entry”, Section 3.3.2.2, “Editing an Entry”, or Section 3.3.2.3, “Deleting an Entry”.

  6. When you are finished, click Done.

  7. In the pop-up that appears, click Yes to confirm your changes to the profile and reload the AppArmor profile set.

3.3.4. Deleting a Profile

Novell AppArmor enables you to delete a Novell AppArmor profile manually. Simply select the application for which to delete a profile then delete it as follows:

  1. Open YaST+Novell AppArmor.

  2. In Novell AppArmor, click Delete Profile.

  3. Select the profile to delete.

  4. Click Next.

  5. In the pop-up that opens, click Yes to delete the profile and reload the AppArmor profile set.

3.3.5. Updating Profiles from Log Entries

The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program. You can add the new behavior to the relevant profile by selecting the suggested profile entry.

  1. Open YaST+Novell AppArmor.

  2. In Novell AppArmor, click Update Profile Wizard.

    The AppArmor profile wizard

    Running Update Profile Wizard (aa-logprof) parses the learning mode log files. This generates a series of questions that you must answer to guide aa-logprof to generate the security profile.

    The questions fall into two categories:

    Each of these cases results in a question that you must answer to add the resource or program into the profile. The following two figures show an example of each case. Subsequent steps describe your options in answering these questions.

    [Note]Varying Processing Options

    Not all of the options introduced below are always present. The options displayed depend on the type of entry being processed.

    Figure 3.3. Learning Mode Exception: Controlling Access to Specific Resources

    Learning Mode Exception: Controlling Access to Specific Resources

    Figure 3.4. Learning Mode Exception: Defining Execute Permissions for an Entry

    Learning Mode Exception: Defining Execute Permissions for an Entry
  3. aa-logprof begins suggesting directory path entries that have been accessed by the application profiled (as seen in Figure 3.3, “Learning Mode Exception: Controlling Access to Specific Resources”) or requiring you to define execute permissions for entries (as seen in Figure 3.4, “Learning Mode Exception: Defining Execute Permissions for an Entry”).

    1. For Figure 3.3, “Learning Mode Exception: Controlling Access to Specific Resources”: From the following options, select the one that satisfies the request for access, which could be a suggested include, a particular globbed version of the path, or the actual path. Note that all of these options are not always available.

      #include

      The section of a Novell AppArmor profile that refers to an include file. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.

      Globbed Version

      Accessed by clicking Glob. For information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing”.

      Actual Pathname

      This is the literal path to which the program needs access so that it can run properly.

      After you select a directory path, process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.

      The following options are available to process the learning mode entries and to build the profile:

      Allow

      Grant the program access to the specified directory path entries. The AppArmor Profile Wizard suggests file permission access. For more information about this, refer to Section 3.7, “File Permission Access Modes”.

      Deny

      Prevent the program from accessing the specified directory path entries.

      Glob

      Modify the directory path (by using wild cards) to include all files in the suggested entry directory with a single click. Double-click to grant access to all files and subdirectories beneath the one shown.

      For more information about globbing syntax, refer to Section 3.6, “Pathnames and Globbing”.

      Glob w/Ext

      Modify the original directory path while retaining the filename extension. A single click causes /etc/apache2/file.ext to become /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directories that end with the .ext extension. When you double-click it, access is granted to all files with the particular extension and subdirectories beneath the one shown.

      Edit

      Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list.

      Abort

      Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

      Finish

      Close aa-logprof, saving all rule changes entered so far and modifying all profiles.

      Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile.

      [Note]Note

      The number of learning mode entries corresponds to the complexity of the application.

    2. For Figure 3.4, “Learning Mode Exception: Defining Execute Permissions for an Entry”: Select the one that satisfies the request for access by choosing one of the following options. For detailed information about the options available, refer to Section 3.7, “File Permission Access Modes”.

      Inherit

      Stay in the same security profile (parent's profile).

      Profile

      Require a separate profile to exist for the executed program. When selecting this option, select whether AppArmor should sanitize the environment when switching profiles by removing certain environment variables that can modify the execution behavior of the child process. Unless these variables are absolutely required to properly execute the child process, always choose the more secure, sanitized option.

      Unconfined

      Execute the program without a security profile. When prompted, let AppArmor sanitize the environment to avoid adding security risks by inheriting certain environment variables from the parent process.

      [Warning]Warning

      Unless absolutely necessary, do not run unconfined. Choosing the Unconfined option executes the new program without any protection from AppArmor.

      Deny

      Prevent the program from accessing the specified directory path entries.

      Abort

      Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

      Finish

      Close aa-logprof, saving all rule changes entered so far and modifying all profiles.

  4. Repeat the previous steps if you need to execute more functionality of your application.

    When you are done, click Finish. In the following pop-up, click Yes to exit the Add Profile Wizard. The profile is saved and loaded into the Novell AppArmor module.

3.3.6. Managing Novell AppArmor and Security Event Status

You can change the status of Novell AppArmor by enabling or disabling it. Enabling Novell AppArmor protects your system from potential program exploitation. Disabling Novell AppArmor, even if your profiles have been set up, removes protection from your system. You can determine how and when you are notified when system security events occur.

[Note]Note

For event notification to work, you must set up a mail server on your SUSE Linux server that can send outgoing mail using the single mail transfer protocol (SMTP), such as postfix or exim.

To configure event notification or change the status of Novell AppArmor, perform the following steps:

  1. Open YaST+Novell AppArmor.

  2. Select Novell AppArmor Control Panel.

    The AppArmor control
	 panel
  3. From the AppArmor Configuration screen, determine whether Novell AppArmor and security event notification are running by looking for a status message that reads enabled.

3.3.6.1. Changing Novell AppArmor Status

When you change the status of Novell AppArmor, set it to enabled or disabled. When Novell AppArmor is enabled, it is installed, running, and enforcing the Novell AppArmor security policies.

  1. Start YaST+Novell AppArmor.

  2. In the Novell AppArmor main menu, click AppArmor Control Panel.

  3. In the Enable naa; section of the window, click Configure. The Enable AppArmor dialog box opens.

    Enable AppArmor
  4. Enable Novell AppArmor by selecting Enabled or disable Novell AppArmor by selecting Disabled. Then click OK.

  5. Click Done in the AppArmor Configuration window.

  6. Click File+Quit in the YaST Control Center.