User manual NOVELL APPARMOR 2.0 ADMINISTRATION GUIDE

[. . . ] Novell AppArmor 2. 0 August 28, 2006 www. novell. com Novell AppArmor 2. 0 Administration Guide Novell AppArmor 2. 0 Administration Guide List of Authors: Leona Beatrice Campbell, Jana Jaeger This publication is intellectual property of Novell Inc. Its contents can be duplicated, either in part or in whole, provided that a copyright label is visibly located on each copy. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. [. . . ] The learning or complain mode traces program behavior and enters it in the log. aa-logprof uses this information to observe program behavior. If a confined program forks and executes another program, aa-logprof sees this and asks the user which execution mode should be used when launching the child process. The execution modes ix, px, Px, ux, and Ux are options for starting the child process. If a separate profile exists for the child process, the default selection is px. If one does not exist, the profile defaults to ix. Child processes with separate profiles have aa-autodep run on them and are loaded into AppArmor, if it is running. When aa-logprof exits, profiles are updated with the changes. If the AppArmor module is running, the updated profiles are reloaded and, if any processes that generated security events are still running in the null-complain-profile, those processes are set to run under their proper profiles. To run aa-logprof, enter aa-logprof into a terminal window while logged in as root. The following options can be used for aa-logprof: Building Novell AppArmor Profiles 63 aa-logprof -d /path/to/profile/directory/ Specifies the full path to the location of the profiles if the profiles are not located in the standard directory, /etc/apparmor. d/. aa-logprof -f /path/to/logfile/ Specifies the full path to the location of the log file if the log file is not located in the default directory, /var/log/audit/audit. log or /var/log/ messages (if auditd is not running). aa-logprof -m "string marker in logfile" Marks the starting point for aa-logprof to look in the system log. aa-logprof ignores all events in the system log before the specified mark. If the mark contains spaces, it must be surrounded by quotes to work correctly. For example: aa-logprof -m"17:04:21" or logprof -m e2ff78636296f16d0b5301209a04430d aa-logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list. By default, aa-logprof looks for profiles in /etc/apparmor. d/ and scans the log in /var/log/messages. In many cases, running aa-logprof as root is enough to create the profile. However, there might be times when you need to search archived log files, such as if the program exercise period exceeds the log rotation window (when the log file is archived and a new log file is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | aa-logprof -f -. aa-logprof Example 1 The following is an example of how aa-logprof addresses httpd2-prefork accessing the file /etc/group. The example uses [] to indicate the default option. [. . . ] Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity. By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability where the attack signature must be defined for Novell AppArmor as it does for products using attack signatures to secure their networks. Refers to a software front-end meant to provide an attractive and easy-to-use interface between a computer user and application. [. . . ]