Published in: Business


  1. 1. Code 10 First Class - Install and Use AppArmor Luis González Linux Impact Team [email_address]
  2. 2. AppArmor
       • AppArmor Concepts
           • AppArmor Overview
           • Lab: Installation of AppArmor
           • Lab: Activate AppArmor
       • Working with AppArmor
           • AppArmor Profiles
           • Profile States
           • Creation of Profiles
           • Lab: Create a Profile with YaST GUI
           • Lab: Create a Profile on the Command Line
  3. 3. AppArmor Overview
  4. 4. AppArmor Overview
       • AppArmor uses the Linux Security Modules Framework (LSM) to grant or deny access to system resources.
       • Access-control decisions are made in kernel space, so they are mandatory and cannot be bypassed by any user or application.
  5. 5. AppArmor Overview
  6. 6. Benefits of AppArmor
       • AppArmor is an access control system for network services. Using AppArmor you can specify which files each program is allowed to read, write or execute.
       • AppArmor is a host intrusion prevention system which protects SUSE Linux applications.
       • AppArmor sets up a predefined collection of application profiles to protect all the standard Linux services (Postfix, OpenSSH, Apache, ...).
       • Easy creation of new profiles for other programs or services.
  7. 7. Benefits of AppArmor
       • Which Programs can be Protected?
           • General recommendation: Protect every program that mediates privileges.
           • Network services: Every program (server and client) with open network ports should be protected.
           • Cron jobs: Some cron jobs run with privileges (e.g. root) and can be protected.
           • Web applications: CGI scripts, PHP scripts, Java applets, ...
       • The main advantage of AppArmor is the simple configuration. The configuration of SELinux, which has similar goals, is far more time-consuming.
  8. 8. AppArmor Profiles
  9. 9. AppArmor Profiles
       • At the heart of AppArmor are the application profiles. For each application you want to protect you can create a separate profile. A profile defines security rules for applications.
       • A profile contains:
           • The full path to the program that is confined.
           • With the #include directive you can pull in components of other profiles.
           • Add POSIX capabilities with the capability statement. You can get more information on Linux capabilities with: man 7 capabilities
           • A path entry, specifying which part of the filesystem the program can access. The standard Linux permissions r, w and x can be used here. See man 5 subdomain.d
  10. 10. AppArmor Profiles
  11. 11. Profile States
  12. 12. Profile States
       • An AppArmor profile can be in one of two states:
           • 1. complain (learning mode): The profile exists but rule violations are only reported and logged. This mode is especially useful in the developmental phase of new profiles. You can check whether your program is running without producing warnings in the logfile.
           • 2. enforce: Rules are enforced. Violations of rules are not permitted.
  13. 13. Profile States
       • There is an easy way to see all loaded profiles and their corresponding state.
       • AppArmor creates a pseudo filesystem in /sys/kernel/security/apparmor where you can get information about the profile states:
       • cat /sys/kernel/security/apparmor/profiles
  14. 14. Creation of Profiles
  15. 15. Creation of Profiles
       • YaST GUI:
           • Add a profile using the Wizard
           • Or manually add a profile
  16. 16. Creation of Profiles
       • Command Line Tools:
           • complain: Sets a profile into complain mode. Violations of rules are only reported.
           • enforce: Sets a profile to enforce mode. Violations of rules are no longer permitted.
           • unconfined: Finds processes that are listening for network connections and reports whether they are protected by AppArmor.
           • genprof: Generates an AppArmor profile.
           • autodep: Generates a profile skeleton for a program. It will be set to complain mode.
  17. 17. Labs
  18. 18. Lab: Installation of AppArmor
       • Know which software packages are needed by AppArmor
       • Learn how to install all AppArmor packages
  19. 19. Lab: Activate AppArmor
       • After all AppArmor components have been installed you need to activate AppArmor on your SUSE server
       • After a default installation, AppArmor should already be activated, but you should know how to activate or deactivate it
  20. 20. Lab: Create a Profile With YaST GUI
       • Learn how to create an AppArmor Profile with YaST
  21. 21. Lab: Create a Profile on the Command Line
       • Know the most important command line tools of AppArmor
  22. 23. Unpublished Work of Novell, Inc. All Rights Reserved.
       • This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
       • General Disclaimer
       • This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
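
Slide 9 lists what a profile contains. The shell script below is an added example, not part of the original slides: it embeds a constructed profile for a hypothetical daemon /usr/sbin/exampled and pulls out each of those parts, which is a quick way to review what a profile grants. The daemon, its paths and the function names are assumptions.

```shell
#!/bin/sh
# Constructed profile for a hypothetical daemon /usr/sbin/exampled,
# showing the four parts listed on slide 9.
sample_profile() {
cat <<'EOF'
/usr/sbin/exampled {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,

  /etc/exampled.conf r,
  /var/log/exampled.log w,
  /var/run/exampled.pid rw,
  # ix = execute the helper under this same profile
  /usr/lib/exampled/helper ix,
}
EOF
}

# Full path of the confined program: the path that opens the profile block.
confined_program() {
    awk '!seen && /^\/.*[{][ \t]*$/ { sub(/[ \t]*[{][ \t]*$/, ""); print; seen = 1 }'
}

# Profile components pulled in with #include.
included_files() {
    awk '$1 == "#include" { gsub(/[<>]/, "", $2); print $2 }'
}

# POSIX capabilities granted by capability statements.
granted_capabilities() {
    awk '$1 == "capability" { sub(/,$/, "", $2); print $2 }'
}

# Path entries whose permission string grants write access
# (assumes paths without embedded spaces).
writable_paths() {
    awk '$1 ~ /^\// && NF == 2 && $2 ~ /w/ { print $1 }'
}

for part in confined_program included_files granted_capabilities writable_paths; do
    echo "== $part"
    sample_profile | "$part"
done
```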
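
Slides 12 and 13 describe the two profile states and the listing in /sys/kernel/security/apparmor/profiles. This added example, not part of the original slides, counts loaded profiles per state and names the ones that are not enforced. It assumes one "name (mode)" entry per line and runs on a constructed sample; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the listing read from
# /sys/kernel/security/apparmor/profiles: one "name (mode)" entry per line.
sample_profiles() {
cat <<'EOF'
/usr/sbin/ntpd (enforce)
/usr/sbin/sshd (enforce)
/usr/sbin/httpd2-prefork (complain)
/usr/lib/postfix/smtpd (enforce)
/srv/www/cgi-bin/report.pl (complain)
EOF
}

# Print "mode count" for each mode found on stdin, sorted by mode name.
count_modes() {
    awk '
        # The mode is the trailing parenthesised word; the name may hold spaces.
        match($0, /\([a-z]+\)$/) {
            mode = substr($0, RSTART + 1, RLENGTH - 2)
            n[mode]++
        }
        END { for (m in n) print m, n[m] }
    ' | sort
}

# Print the names of profiles that are loaded but not in enforce mode,
# i.e. violations are only logged for them.
not_enforced() {
    awk '
        match($0, /\([a-z]+\)$/) {
            mode = substr($0, RSTART + 1, RLENGTH - 2)
            name = substr($0, 1, RSTART - 2)
            if (mode != "enforce") print name
        }
    '
}

# On a live system (as root), read the kernel listing instead:
#   count_modes < /sys/kernel/security/apparmor/profiles
echo "== profiles per state"
sample_profiles | count_modes
echo "== loaded but not enforced"
sample_profiles | not_enforced
```

A profile left in complain mode after its learning phase protects nothing, so the second list is the one to review before a server goes into production.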