Securing Linux Systemswith AppArmorCrispin Cowan, PhDDirector of Software EngineeringSecurity Architect, SUSE Linux
AppArmor:Easy-to-use Security for Ubuntu LinuxCrispin Cowan, PhDSecurity Architect, SUSEWhat Is This AppArmor Thingand Why...
© Novell Inc. All rights reserved3AgendaOverviewA Closer Look at AppArmorDeployment ScenariosDemonstration of AppArmorComp...
© Novell Inc. All rights reserved4Software Security ProblemProblem: Imperfect software :-)– Reliable software does what it...
© Novell Inc. All rights reserved5AppArmor SolutionEnforce that applications only get to do what they aresupposed to doWha...
© Novell Inc. All rights reserved6What Would You Do With That?Make a server network secure:– Confine all programs with ope...
© Novell Inc. All rights reserved7Is that really secure?Hard to saySecurity is semi-decidable– You can only tell when some...
© Novell Inc. All rights reserved8Defcon CtF 2002-5 a la GhettohackersSome real-world red teamingPlay an Immunix server in...
© Novell Inc. All rights reserved9Basic Defcon CtF RulesPlayer Nodes
© Novell Inc. All rights reserved10Basic Defcon CtF RulesPlayer NodesScore’botPolls player nodes,Looking for req. services...
© Novell Inc. All rights reserved11Basic Defcon CtF RulesPlayer NodesScore’botPolls player nodes,Looking for req. services...
© Novell Inc. All rights reserved12Basic Defcon CtF RulesPlayer NodesScore’botPolls player nodes,Looking for req. services...
AppArmorA Closer Look
© Novell Inc. All rights reserved14Linux 2.6 KernelAppArmor ArchitectureLinux OSComponentDesktopApplicationServerApplicati...
© Novell Inc. All rights reserved15Critical Issue #1: Complete MediationMust not be possible to bypass HIPS system• Must b...
© Novell Inc. All rights reserved16Critical Issue #2: Security ModelMisuse prevention vs. anomaly prevention• Misuse preve...
© Novell Inc. All rights reserved17AppArmor Security ProfileWhenever a protectedprogram runs regardlessof UID, AppArmorcon...
© Novell Inc. All rights reserved18Automated Workflow/usr/sbin/ntpd {#include <abstractions/base>#include <abstractions/na...
© Novell Inc. All rights reserved19Native Unix Syntax, SemanticsAppArmor access controls reflect classic Unixpermission pa...
© Novell Inc. All rights reserved20Profile Building BlocksA set of “foundation class” rules that can be #included inyour p...
© Novell Inc. All rights reserved21Includes Default Set of Policies/etc/apparmor.d(default loaded)– netstat– ping– klogd– ...
AppArmor Demo
© Novell Inc. All rights reserved23Apache Profiling1. Local Apache web server running vulnerable PHF script2. Exploit PHF ...
© Novell Inc. All rights reserved24The Setup1. open a terminalwindow forcommands and type“demoreset.sh” toreset the demo.2...
© Novell Inc. All rights reserved25The Hack 1. click the “PHF”bookmark to pull upthe vulnerable PHFapplication2. click the...
© Novell Inc. All rights reserved26Choosing the Application1. in YaST, click theAdd Profile Wizard toselect the app to bep...
© Novell Inc. All rights reserved27Exercising Apache1. at the command line,restart apache asshown2. visit the homepage...3...
© Novell Inc. All rights reserved28Creating AppArmor Policy1. the Wizard asks us ifthe PHF app shouldhave its own profile....
© Novell Inc. All rights reserved29Creating AppArmor Policy 21. the Wizard asks about a fileaccessed by apache. We click t...
© Novell Inc. All rights reserved30Creating Apache Policy 31. apache accesses several libraries.We click on “Glob w/Ext” t...
© Novell Inc. All rights reserved31Blocking the Attack1. back at our website, we pull up thehomepage, try the hack and see...
© Novell Inc. All rights reserved32Reviewing our Apache Policy1. at the YaST control center, click on“Edit Profile” to bri...
© Novell Inc. All rights reserved33What Else Can I Do?Enable/Disable AppArmorand configure reportingand alertingView a rep...
© Novell Inc. All rights reserved34Sub-process ConfinementApache mod_perl and mod_php scripts– Apache mod_apparmor applies...
© Novell Inc. All rights reserved35YaST Integration
© Novell Inc. All rights reserved36Command-line InterfaceThere is also a command-line interface• for those of us allergic ...
© Novell Inc. All rights reserved37GAIM ProfileConsole Tools• Create the profile template– cd /opt/gnome/bin– genprof gaim...
© Novell Inc. All rights reserved38Network-secure a System
© Novell Inc. All rights reserved39Network-secure a System1.Pick an unconfined service from the list2.Confine it the way w...
Best Uses For AppArmor
© Novell Inc. All rights reserved41Best Targets for AppArmorAny Company whose networked servers arerunning mission critica...
© Novell Inc. All rights reserved42Best Targets for AppArmor● Isolate all programs interactingwith outside world● Auto-sca...
© Novell Inc. All rights reserved43So What Happened at CtF?2002– Target was Red Hat, easy to port to Immunix– Too focused ...
© Novell Inc. All rights reserved44So What Happened at CtF?2004:– Target Windows– A weekend is not enough time to port 5 a...
Comparisons
© Novell Inc. All rights reserved46Application Least Privilege for LinuxSELinuxType Enforcement– Assign users or programst...
© Novell Inc. All rights reserved47Label Splitting: SELinuxThink of SELinux as Post-it NoteTMsecurity– Label files & progr...
© Novell Inc. All rights reserved48AppArmorAppArmor uses explicit pathnames and regularexpressions to achieve the same thi...
© Novell Inc. All rights reserved49Network StorageSELinux can only do all/nothing access control for NFS-mounted volumes- ...
© Novell Inc. All rights reserved50AppArmor vs. SELinux:Creating PolicySELinux audit2allow1. Create a file at $SELINUX_SRC...
© Novell Inc. All rights reserved51AppArmor vs. SELinux:Compare Resulting PolicyAppArmor profilefor the sameprogram is abo...
© Novell Inc. All rights reserved52AppArmor vs. SELinux:Compare Resulting PolicyAppArmor profilefor the sameprogram is abo...
© Novell Inc. All rights reserved53SELinux New GUI ToolsAdvanced GUIs for enabling and disabling chunks of pre-written pol...
AppArmor Roadmap
© Novell Inc. All rights reserved55AppArmor Near Term DevelopmentNetwork Access Control – TCP/UDP based network access con...
© Novell Inc. All rights reserved56AppArmor Future DevelopmentDB Armor – access controls for database tables and filesDefa...
© Novell Inc. All rights reserved57AvailabilityAppArmor bundled with:– SLES10– SLED10– openSUSE 10.1, 10.2 ...AppArmor is ...
© Novell Inc. All rights reserved58AppArmor for UbuntuAppArmor ported to Ubuntu by Magnus Runesson– http://www.linuxalert....
© Novell Inc. All rights reserved59AppArmor for EveryonePorted to Gentoo by Mathew Snelham:– http://sigalrm.com/apparmor/a...
© Novell Inc. All rights reserved60AppArmor for DebianAppArmor has already been ported to Ubuntu byMagnus Runesson– http:/...
© Novell Inc. All rights reserved61AppArmor for Red HatAppArmor has been ported to RH variants multiple times– But the peo...
Dc 15-cowan
Upcoming SlideShare
Loading in...5
×

Dc 15-cowan

862

Published on

AppArmor Security vs SE Linux

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
862
On Slideshare
0
From Embeds
0
Number of Embeds
27
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Dc 15-cowan"

  1. 1. Securing Linux Systemswith AppArmorCrispin Cowan, PhDDirector of Software EngineeringSecurity Architect, SUSE Linux
  2. 2. AppArmor:Easy-to-use Security for Ubuntu LinuxCrispin Cowan, PhDSecurity Architect, SUSEWhat Is This AppArmor Thingand Why Should I Care?
  3. 3. © Novell Inc. All rights reserved3AgendaOverviewA Closer Look at AppArmorDeployment ScenariosDemonstration of AppArmorCompetitive PositioningAppArmor Futures
  4. 4. © Novell Inc. All rights reserved4Software Security ProblemProblem: Imperfect software :-)– Reliable software does what it is supposed to do– Secure software does what it is supposed to do, and nothingelseSolution: only use perfect software... slight supply problem :-)
  5. 5. © Novell Inc. All rights reserved5AppArmor SolutionEnforce that applications only get to do what they aresupposed to doWhat means “do”?– At ultimate detail, this is the code itself– But we clearly cant get that right :-)– Need something simpler, more abstractResources:– Restrict the application to only access the OS resources itshould need
  6. 6. © Novell Inc. All rights reserved6What Would You Do With That?Make a server network secure:– Confine all programs with open network ports– If all open ports lead to confined processes, then you havecompletely defined policy for what a network user or attackercan do– Yet far from having created policy for thw whole system
  7. 7. © Novell Inc. All rights reserved7Is that really secure?Hard to saySecurity is semi-decidable– You can only tell when something is insecure– Hence all the Defcon talks on breaking something, and few on securingsomethingSo lets put it to a practical test– Put it in competition at Defcon and let people beat on it
  8. 8. © Novell Inc. All rights reserved8Defcon CtF 2002-5 a la GhettohackersSome real-world red teamingPlay an Immunix server in the DefconCapture the Flag (CtF) gamesAlmost no holds barred:– No flooding– No physical attacksNew gaming rig designed by theGhettohackers
  9. 9. © Novell Inc. All rights reserved9Basic Defcon CtF RulesPlayer Nodes
  10. 10. © Novell Inc. All rights reserved10Basic Defcon CtF RulesPlayer NodesScore’botPolls player nodes,Looking for req. servicesIf all services found ...
  11. 11. © Novell Inc. All rights reserved11Basic Defcon CtF RulesPlayer NodesScore’botPolls player nodes,Looking for req. servicesIf all services found,Score one point for theFlag currently on thatnode
  12. 12. © Novell Inc. All rights reserved12Basic Defcon CtF RulesPlayer NodesScore’botPolls player nodes,Looking for req. servicesIf all services found,Score one point for theFlag currently on thatnode… while each teamtries to replace others’ flags
  13. 13. AppArmorA Closer Look
  14. 14. © Novell Inc. All rights reserved14Linux 2.6 KernelAppArmor ArchitectureLinux OSComponentDesktopApplicationServerApplicationYaSTConsoleReporting& Alertinguser interfacesAppArmorAppArmorModuleLSM InterfaceReporting& AlertingApplicationProfiles
  15. 15. © Novell Inc. All rights reserved15Critical Issue #1: Complete MediationMust not be possible to bypass HIPS system• Must be in the kernelAppArmor uses LSM interface in 2.6 kernel• LSM (Linux Security Module) provides in-kernel mediation withouthaving to maintain a patched kernel• Provides an open standard API for access control module• Precise information on application behavior, accuracy, performance• Provides highest quality non-bypassable mediation
  16. 16. © Novell Inc. All rights reserved16Critical Issue #2: Security ModelMisuse prevention vs. anomaly prevention• Misuse prevention easier to manage• Anomaly prevention much more secure,traditionally hard to useAppArmor is easy anomaly prevention forapplication security• Focus on application security• Name-based access control for ease ofunderstanding policy• Hybrid white list/black list• White list within an application profile• Black list system-wideAppArmorPer - ApplicationSecurityDNSPrintWebCGIMailFile
  17. 17. © Novell Inc. All rights reserved17AppArmor Security ProfileWhenever a protectedprogram runs regardlessof UID, AppArmorcontrols:– The POSIX capabilitiesit can have (even if it isrunning as root)– The directories/files itcan read/write/execute/usr/sbin/ntpd {#include <abstractions/base>#include <abstractions/nameservice>capability ipc_lock,capability net_bind_service,capability sys_time,capability sys_chroot,capability setuid,/etc/ntp.conf r,/etc/ntp/drift* rwl,/etc/ntp/keys r,/etc/ntp/step-tickers r,/tmp/ntp* rwl,/usr/sbin/ntpd rix,/var/log/ntp w,/var/log/ntp.log w,/var/run/ntpd.pid w,/var/lib/ntp/drift rwl,/var/lib/ntp/drift.TEMP rwl,/var/lib/ntp/var/run/ntp/ntpd.pid w,/var/lib/ntp/drift/ntp.drift r,/drift/ntp.drift.TEMP rwl,/drift/ntp.drift rwl,}Example securityprofile for ntpd
  18. 18. © Novell Inc. All rights reserved18Automated Workflow/usr/sbin/ntpd {#include <abstractions/base>#include <abstractions/nameservice>capability ipc_lock,capability net_bind_service,capability sys_time,capability sys_chroot,capability setuid,/etc/ntp.conf r,/etc/ntp/drift* rwl,/etc/ntp/keys r,/etc/ntp/step-tickers r,/tmp/ntp* rwl,/usr/sbin/ntpd rix,/var/log/ntp w,/var/log/ntp.log w,/var/run/ntpd.pid w,
  19. 19. © Novell Inc. All rights reserved19Native Unix Syntax, SemanticsAppArmor access controls reflect classic Unixpermission patterns> Complements Unix permissions rather than overlaying a new paradigmRegular expressions in AppArmor rules> /dev/{,u}random matches /dev/random and/dev/urandom> /lib/ld-*.so* matches most of the libraries in /lib> /home/*/.plan matches everyone’s .plan file> /home/*/public_html/** matches everyone’s publicHTML directory tree
  20. 20. © Novell Inc. All rights reserved20Profile Building BlocksA set of “foundation class” rules that can be #included inyour profiles– base: needed by nearly all programs– authentication: program will authenticate users– console: program interacts with TTY consoles– kerberos: uses Kerberos cryptography– nameservice: program needs to look up domain names– wutmp: program updates user login logs
  21. 21. © Novell Inc. All rights reserved21Includes Default Set of Policies/etc/apparmor.d(default loaded)– netstat– ping– klogd– syslog– ldd– squid– traceroute– identd– mdnsd– named– nscd– ntpd/etc/apparmor/extras(not loaded, but available)– firefox– opera– evolution– gaim– realplay– postfix– acroread– mysqld– ethereal– postfix– sendmail– many more...
  22. 22. AppArmor Demo
  23. 23. © Novell Inc. All rights reserved23Apache Profiling1. Local Apache web server running vulnerable PHF script2. Exploit PHF vulnerability; deface web page3. Develop profiles for Apache and PHF app4. Try hack again; hack fails
  24. 24. © Novell Inc. All rights reserved24The Setup1. open a terminalwindow forcommands and type“demoreset.sh” toreset the demo.2. open a secondterminal window andtype the “tail”command shown toview the syslog3. open a browser andclick on the “DigitalAirlines” bookmark tobring up the demohomepage4. open YaST and clickon the AppArmoricon to bring up theAppArmor controlcenter
  25. 25. © Novell Inc. All rights reserved25The Hack 1. click the “PHF”bookmark to pull upthe vulnerable PHFapplication2. click the “Hack”bookmark to run thehack that defacesthe homepage.3. now click the “DigitalAirlines” bookmark toshow that thehomepage has beendefaced!4. click the “Unhack”bookmark to resetthe homepage, thenclick on the DigitalAirlines bookmark.
  26. 26. © Novell Inc. All rights reserved26Choosing the Application1. in YaST, click theAdd Profile Wizard toselect the app to beprofiled2. type the path toapache as shown (orbrowse to it)3. the wizard tells youto start the targetapp and exercise itsfunctionality
  27. 27. © Novell Inc. All rights reserved27Exercising Apache1. at the command line,restart apache asshown2. visit the homepage...3. ... and visit the PHFapplication. Now wehave a syslog full ofapache events.4. back in YaST, clickon the “Scan” buttonto start developingpolicy
  28. 28. © Novell Inc. All rights reserved28Creating AppArmor Policy1. the Wizard asks us ifthe PHF app shouldhave its own profile...we say “yes” byclicking on the“Profile” radio button,then “Allow”2. now the Wizardnotices apacheneeds a few POSIXcapabilities. We“Allow” all of them.
  29. 29. © Novell Inc. All rights reserved29Creating AppArmor Policy 21. the Wizard asks about a fileaccessed by apache. We click the“Glob” button twice to allow readaccess to all files in the apache2directory, then “Allow”2. the Wizard notices apache needsaccess to /etc/group and suggestswe “include” the nameserviceabstraction.
  30. 30. © Novell Inc. All rights reserved30Creating Apache Policy 31. apache accesses several libraries.We click on “Glob w/Ext” to giveapache read access to all libraries inthis directory.2. after several more questions, werefinished. We click on “Finish” andanswer “Yes” to exit.
  31. 31. © Novell Inc. All rights reserved31Blocking the Attack1. back at our website, we pull up thehomepage, try the hack and see thatthe home page remains intact!2. looking at the syslog, we see a“REJECT” entry telling us anattempted attack via the phfapplication was blocked by thenewly created AppArmor profiles.
  32. 32. © Novell Inc. All rights reserved32Reviewing our Apache Policy1. at the YaST control center, click on“Edit Profile” to bring up a list ofprofiles on the box, scroll down andhighlight the apache profile andclick “Next”2. the apache profile that we justcreated is shown here.
  33. 33. © Novell Inc. All rights reserved33What Else Can I Do?Enable/Disable AppArmorand configure reportingand alertingView a report showingAppArmor events and filterby program name, date,time, etc.Update loaded profilesbased on sysloggedactivity since last update
  34. 34. © Novell Inc. All rights reserved34Sub-process ConfinementApache mod_perl and mod_php scripts– Apache mod_apparmor applies new protection beforeinterpreting scripts– If a specific profile for that scrpt exists, it is used– If no specific profile exists, then a default script profile is used– Impact: dont need to run all CGIs with the full privilege ofApache just to get mod_perl efficiency– The only known way to defend PHP codeLogin Authentication– Add a similar module to PAM: pam_armor– Pre-authentication, sshd and logind are in a restrictive profile– Post-authentication, can transition to per-user profile
  35. 35. © Novell Inc. All rights reserved35YaST Integration
  36. 36. © Novell Inc. All rights reserved36Command-line InterfaceThere is also a command-line interface• for those of us allergic to mice :-)
  37. 37. © Novell Inc. All rights reserved37GAIM ProfileConsole Tools• Create the profile template– cd /opt/gnome/bin– genprof gaim• Exercise GAIM– start, chat, stop• Create profile entries– [S]can log for profile entries– [F]inish (GAIM profile is loaded)• View profile– vim opt.gnome.bin.gaim– syntax on– set syntax=subdomainMakes it safe totalk to strangers
  38. 38. © Novell Inc. All rights reserved38Network-secure a System
  39. 39. © Novell Inc. All rights reserved39Network-secure a System1.Pick an unconfined service from the list2.Confine it the way we confined Apache and GAIM3.Continue until all open ports lead to AppArmor profilesResult:– There is no way onto the machine except through anAppArmor profile– AppArmor policy completely controls network access to themachine– Nowhere near having profiled all software on the machine
  40. 40. Best Uses For AppArmor
  41. 41. © Novell Inc. All rights reserved41Best Targets for AppArmorAny Company whose networked servers arerunning mission critical applicationsAny organization with a high cost associated withcompromised dataAny organization faced with regulatorycompliance...Any Linux application is exposed to attack and thatmatters :-)
  42. 42. © Novell Inc. All rights reserved42Best Targets for AppArmor● Isolate all programs interactingwith outside world● Auto-scan tool finds applicationsthat should be profiled● Profiles represent your totalexposure – auditable policyNetworked Servers● Complex, not easily auditable forsecurity● May be closed source● Prevents attacks on onecomponent from spreading toother components or systemsBusiness Applications● Profiles for desktop applicationsthat process external data● Separates these programs fromother applications/data on thesystem● Protects high-risk programsCorporate Desktop● Isolate all programs interactingwith outside world● Comprehensive profile set definedfor specific uses● Limits misuse of machines● AppArmor profiles for usersession and executable appsPOS Terminals, Kiosks
  43. 43. © Novell Inc. All rights reserved43So What Happened at CtF?2002– Target was Red Hat, easy to port to Immunix– Too focused on Immunix, not enough on the game– Delayed launching any server until we had it running onImmunix– Placed 2ndnot bad for first try2003: Target OpenBSD– Target was OpenBSD, took longer to port– SQL injection attacks, AppArmor does not stop them– Placed 3rdhmmm ...
  44. 44. © Novell Inc. All rights reserved44So What Happened at CtF?2004:– Target Windows– A weekend is not enough time to port 5 applications fromWindows to Linux under fire :-)– Placed 4ththis trend does not look good2005:– Kenshoto takes over game from Ghettohackers– Target is now under Kenshotos control, so no more OSdefensive techniques– CtF game now focused on binary code reverse engineering... 2007 0tB/OtB brings focus back to OS
  45. 45. Comparisons
  46. 46. © Novell Inc. All rights reserved46Application Least Privilege for LinuxSELinuxType Enforcement– Assign users or programsto Domains– Label files with Types– Write policy in terms ofwhich Domains can accesswhich TypesAppArmorPathnames– Name a program by path– When it runs, it can onlyaccess the files specified bypathname– Generalize pathnames withshell syntax wild cards
  47. 47. © Novell Inc. All rights reserved47Label Splitting: SELinuxThink of SELinux as Post-it NoteTMsecurity– Label files & programs with colored stickers– Policy decides which colors can play togetherA single label in SELinux is an equivalence class– All files with that label are treated identically by security policyA human has to decide which files should have thesame label, and which files need a different labelWhen you get it wrong, must split the label– Relabel all affected files– Revise all polices that reference that label
  48. 48. © Novell Inc. All rights reserved48AppArmorAppArmor uses explicit pathnames and regularexpressions to achieve the same thingA profile rule of /srv/www/htdoc/**.html r is anequivalence class, with 2 differences– The class is evaluated at access time: new files are checkedagainst policy– The class is local to a single profile: dont need to re-label theworld to be able to distinguish 2 files that some other profiletreats as the same
  49. 49. © Novell Inc. All rights reserved49Network StorageSELinux can only do all/nothing access control for NFS-mounted volumes- SELinux depends on labels, which are stored in extendedattributes, which are not supported in NFS2 or NFS3- Applies a single label to the mount point- Policies either grant or deny access to the entire NFS volumeAppArmor does not use extended attributes- Can write fine-grained profiles that grant access to individualfiles that reside on NFS volumes
  50. 50. © Novell Inc. All rights reserved50AppArmor vs. SELinux:Creating PolicySELinux audit2allow1. Create a file at $SELINUX_SRC/domains/program/foo.te.2. Put the daemon domain macro call in the file.3. Create the file contexts file.4. Put the first list of file contexts in file.fc.5. Load the new policy with make load.6. Label the foo files.7. Start the daemon, service foo start.8. Examine your audit log for denial messages.9. Familiarize yourself with the errors the daemon is generating.10. Use audit2allow to start the first round of policy rules11. Look to see if the foo_t domain tries to create a networksocket12. Continue to iterate through the basic steps to generate all therules you need.13. If the domain tries to access port_t, which relates totclass=tcp_socket or tclass=udp_socket in the AVClog message, you need to determine what port number fooneeds to use.14. Iterate through the remaining AVC denials. When they areresolved with new policy, you can configure the unique portrequirements for the foo_t domain.15. With the daemon started, determine which port foo is using.16. Remove the generic port_t rule, replacing it with a specific rulefor a new port type based on the foo_t domain.AppArmor1. Open YaST Control Center2. Run Server Analyzer to determinewhich programs to profile3. Run the Profile Wizard to generate aprofile template4. Run the application through normaloperation5. Run the interactive optimizer tosynthesize log events into a profile
  51. 51. © Novell Inc. All rights reserved51AppArmor vs. SELinux:Compare Resulting PolicyAppArmor profilefor the sameprogram is about4x smaller SELinux################################### Rules for the ftpd_t domain#type ftp_port_t, port_type;type ftp_data_port_t, port_type;daemon_domain(ftpd, `, auth_chkpwd)type etc_ftpd_t, file_type, sysadmfile;can_network(ftpd_t)can_ypbind(ftpd_t)allow ftpd_t self:unix_dgram_socket create_socket_perms;allow ftpd_t self:unix_stream_socket create_socket_perms;allow ftpd_t self:process {getcap setcap};allow ftpd_t self:fifo_file rw_file_perms;allow ftpd_t bin_t:dir search;can_exec(ftpd_t, bin_t)allow ftpd_t { sysctl_t sysctl_kernel_t }:dir search;allow ftpd_t sysctl_kernel_t:file { getattr read };allow ftpd_t urandom_device_t:chr_file { getattr read };ifdef(`crond.te, `system_crond_entry(ftpd_exec_t, ftpd_t)can_exec(ftpd_t, { sbin_t shell_exec_t }))allow ftpd_t ftp_data_port_t:tcp_socket name_bind;ifdef(`ftpd_daemon, `define(`ftpd_is_daemon, `)) dnl end ftpd_daemonifdef(`ftpd_is_daemon, `rw_dir_create_file(ftpd_t, var_lock_t)allow ftpd_t ftp_port_t:tcp_socket name_bind;allow ftpd_t self:unix_dgram_socket { sendto };can_tcp_connect(userdomain, ftpd_t), `ifdef(`inetd.te, `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)ifdef(`tcpd.te, `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t))# Use sockets inherited from inetd.allow ftpd_t inetd_t:fd use;allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;# Send SIGCHLD to inetd on death.allow ftpd_t inetd_t:process sigchld;) dnl end inetd.te)dnl end (else) ftp_is_daemonifdef(`ftp_shm, `allow ftpd_t tmpfs_t:file { read write };allow ftpd_t { tmpfs_t initrc_t }:shm { read write unix_read unix_write associate };)# Use capabilities.allow ftpd_t ftpd_t:capability { net_bind_service setuid setgid fowner fsetid chown sys_resource sys_chroot };# Append to /var/log/wtmp.allow ftpd_t wtmp_t:file { getattr append };# allow access to /homeallow ftpd_t home_root_t:dir { getattr search };# Create and modify /var/log/xferlog.type xferlog_t, file_type, sysadmfile, logfile;file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)# Execute /bin/ls (can comment this out for proftpd)# also may need rules to allow tar etc...can_exec(ftpd_t, ls_exec_t)allow { ftpd_t initrc_t } etc_ftpd_t:file r_file_perms;allow ftpd_t { etc_t resolv_conf_t etc_runtime_t }:file { getattr read };allow ftpd_t proc_t:file { getattr read };)dnl end if ftp_home_dir AppArmor/usr/sbin/in.ftpd {#include <immunix-standard/base>#include <immunix-standard/nameservice>#include <immunix-standard/authentication>#include <user-custom/ftpd>/ r,/dev/urandom r,/etc/fstab r,/etc/ftpaccess r,/etc/ftpconversions r,/etc/ftphosts r,/etc/ftpusers r,/etc/shells r,/usr/sbin/in.ftpd r,/usr/share/ssl/certs/ca-bundle.crt r,/usr/share/ssl/certs/ftpd-rsa.pem r,/usr/share/ssl/private/ftpd-rsa-key.pem r,/usr/share/ssl/.rnd w,/var/log/xferlog w,/var/run wr,/var/run/ftp.{pids,rips}-all wr,}
  52. 52. © Novell Inc. All rights reserved52AppArmor vs. SELinux:Compare Resulting PolicyAppArmor profilefor the sameprogram is about4x smaller SELinux################################### Rules for the ftpd_t domain#type ftp_port_t, port_type;type ftp_data_port_t, port_type;daemon_domain(ftpd, `, auth_chkpwd)type etc_ftpd_t, file_type, sysadmfile;can_network(ftpd_t)can_ypbind(ftpd_t)allow ftpd_t self:unix_dgram_socket create_socket_perms;allow ftpd_t self:unix_stream_socket create_socket_perms;allow ftpd_t self:process {getcap setcap};allow ftpd_t self:fifo_file rw_file_perms;allow ftpd_t bin_t:dir search;can_exec(ftpd_t, bin_t)allow ftpd_t { sysctl_t sysctl_kernel_t }:dir search;allow ftpd_t sysctl_kernel_t:file { getattr read };allow ftpd_t urandom_device_t:chr_file { getattr read };ifdef(`crond.te, `system_crond_entry(ftpd_exec_t, ftpd_t)can_exec(ftpd_t, { sbin_t shell_exec_t }))allow ftpd_t ftp_data_port_t:tcp_socket name_bind;ifdef(`ftpd_daemon, `define(`ftpd_is_daemon, `)) dnl end ftpd_daemonifdef(`ftpd_is_daemon, `rw_dir_create_file(ftpd_t, var_lock_t)allow ftpd_t ftp_port_t:tcp_socket name_bind;allow ftpd_t self:unix_dgram_socket { sendto };can_tcp_connect(userdomain, ftpd_t), `ifdef(`inetd.te, `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)ifdef(`tcpd.te, `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t))# Use sockets inherited from inetd.allow ftpd_t inetd_t:fd use;allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;# Send SIGCHLD to inetd on death.allow ftpd_t inetd_t:process sigchld;) dnl end inetd.te)dnl end (else) ftp_is_daemonifdef(`ftp_shm, `allow ftpd_t tmpfs_t:file { read write };allow ftpd_t { tmpfs_t initrc_t }:shm { read write unix_read unix_write associate };)# Use capabilities.allow ftpd_t ftpd_t:capability { net_bind_service setuid setgid fowner fsetid chown sys_resource sys_chroot };# Append to /var/log/wtmp.allow ftpd_t wtmp_t:file { getattr append };# allow access to /homeallow ftpd_t home_root_t:dir { getattr search };# Create and modify /var/log/xferlog.type xferlog_t, file_type, sysadmfile, logfile;file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)# Execute /bin/ls (can comment this out for proftpd)# also may need rules to allow tar etc...can_exec(ftpd_t, ls_exec_t)allow { ftpd_t initrc_t } etc_ftpd_t:file r_file_perms;allow ftpd_t { etc_t resolv_conf_t etc_runtime_t }:file { getattr read };allow ftpd_t proc_t:file { getattr read };)dnl end if ftp_home_dirSELinux uses a custom programminglanguage to specify hard-to-managerules.ifdef(`ftpd_daemon, `define(`ftpd_is_daemon, `)) dnl end ftpd_daemonifdef(`ftpd_is_daemon, `rw_dir_create_file(ftpd_t, var_lock_t)allow ftpd_t ftp_port_t:tcp_socket name_bind;allow ftpd_t self:unix_dgram_socket { sendto };can_tcp_connect(userdomain, ftpd_t), `ifdef(`inetd.te, `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)ifdef(`tcpd.te, `domain_auto_trans(tcpd_t,ftpd_exec_t, ftpd_t))# Use sockets inherited from inetd.allow ftpd_t inetd_t:fd use;allow ftpd_t inetd_t:tcp_socketrw_stream_socket_perms;# Send SIGCHLD to inetd on death.allow ftpd_t inetd_t:process sigchld;) dnl end inetd.te)dnl end (else) ftp_is_daemonifdef(`ftp_shm, `allow ftpd_t tmpfs_t:file { read write };allow ftpd_t { tmpfs_t initrc_t }:shm { readwrite unix_read unix_write associate };).. AppArmor/usr/sbin/in.ftpd {#include <immunix-standard/base>#include <immunix-standard/nameservice>#include <immunix-standard/authentication>#include <user-custom/ftpd>/ r,/dev/urandom r,/etc/fstab r,/etc/ftpaccess r,/etc/ftpconversions r,/etc/ftphosts r,/etc/ftpusers r,/etc/shells r,/usr/sbin/in.ftpd r,/usr/share/ssl/certs/ca-bundle.crt r,/usr/share/ssl/certs/ftpd-rsa.pem r,/usr/share/ssl/private/ftpd-rsa-key.pem r,/usr/share/ssl/.rnd w,/var/log/xferlog w,/var/run wr,/var/run/ftp.{pids,rips}-all wr,}Classical Linux syntax withread/write/execute permissions:No new jargon/usr/sbin/in.ftpd {#include <immunix-standard/base>#include <immunix-standard/nameservice>#include <immunix-standard/authentication>#include <user-custom/ftpd>/ r,/dev/urandom r,/etc/fstab r,/etc/ftpaccess r,/etc/ftpconversions r,/etc/ftphosts r,/etc/ftpusers r,/etc/shells r,/usr/sbin/in.ftpd r,/usr/share/ssl/certs/ca-bundle.crt r,/usr/share/ssl/certs/ftpd-rsa.pem r,/usr/share/ssl/private/ftpd-rsa-key.pem r,/usr/share/ssl/.rnd w,/var/log/xferlog w,/var/run wr,/var/run/ftp.{pids,rips}-all wr,}
  53. 53. © Novell Inc. All rights reserved53SELinux New GUI ToolsAdvanced GUIs for enabling and disabling chunks of pre-written policies– No help for authoring new policiesWorks great for software that someone else has alreadyprofiled for you– Problematic for your in-house and 3rdparty softwareAppArmor:– Its not the GUI, it is the fundamental model
  54. 54. AppArmor Roadmap
  55. 55. © Novell Inc. All rights reserved55AppArmor Near Term DevelopmentNetwork Access Control – TCP/UDP based network access control perprocessProfile Merge Tool – allows two profiles to be merged into a single profileconsisting of union set of bothProfile Sharing – tools and portal for community sharing of AppArmor profilesTomcat Support – AppArmor containment for Java servletsPAM change_hat – strengthens security of AppArmors role-based shellfunctionality for applications that use PAM (e.g., sshd, gdm, ftp)CIM Providers – Standards based CIM instrumentation for Reporting, Alerting,Profile State
  56. 56. © Novell Inc. All rights reserved56AppArmor Future DevelopmentDB Armor – access controls for database tables and filesDefault Policy – system level list of resources that can only be accessesthrough an AppArmor profileDBUS Event Advertising – report security events via DBUSDBUS / HAL Event Mediation – containment for hardware abstraction layerIPC Mediation – mediate inter-process communicationEnterprise Management – integration with Novell enterprise managementsystemProfile Lint – tool for analyzing profiles for dangerous rulesResource Limits MediationCentralized Profile Development
  57. 57. © Novell Inc. All rights reserved57AvailabilityAppArmor bundled with:– SLES10– SLED10– openSUSE 10.1, 10.2 ...AppArmor is open source: GPL– http://opensuse.org/AppArmor– Mailing lists: apparmor-announce, apparmor-general,apparmor-dev– IRC irc.oftc.net/#apparmor
  58. 58. © Novell Inc. All rights reserved58AppArmor for UbuntuAppArmor ported to Ubuntu by Magnus Runesson– http://www.linuxalert.org/ubuntu/apparmor/AppArmor in Universe for Feisty FawnAppArmor going into Main for Gutsy GibbonUser feedback on profiles is very helpful
  59. 59. © Novell Inc. All rights reserved59AppArmor for EveryonePorted to Gentoo by Mathew Snelham:– http://sigalrm.com/apparmor/apparmor-ebuilds_20061013Debian:– Should be easy to generate from Ubuntu port– Need a maintainer– AppArmors ease of use makes it a good idea for a de factoLinux security standard
  60. 60. © Novell Inc. All rights reserved60AppArmor for DebianAppArmor has already been ported to Ubuntu byMagnus Runesson– http://www.linuxalert.org/ubuntu/apparmor/– In discussion for mainstream inclusion in futureUbuntu releasesand to Gentoo by Mathew Snelham– http://sigalrm.com/apparmor/apparmor-ebuilds_20061013Debian:– Should be easy to generate from Ubuntu port– Need a maintainer
  61. 61. © Novell Inc. All rights reserved61AppArmor for Red HatAppArmor has been ported to RH variants multiple times– But the people doing the work didnt want to be publicmaintainers, so no public repositorySteve Beattie @ SUSE ported to RHEL5– http://developer.novell.com/wiki/index.php/Special:Downloads/apparmor/Development_-_RHEL5_beta_2_packages/– http://software.opensuse.org/download/home:/steve-beattie/Fedora_Extras_6/Seeking a RH/Fedora user to maintain the package

×