<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 26. Managing Profiled Applications</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.apparmor.html" title="Part IV. Confining Privileges with Novell AppArmor"><link rel="prev" href="cha.apparmor.pam.html" title="Chapter 25. Confining Users with pam_apparmor"><link rel="next" href="cha.apparmor.support.html" title="Chapter 27. Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 26. Managing Profiled Applications"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apparmor.managing"></a>Chapter 26. Managing Profiled Applications<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apparmor.managing">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apparmor.managing.html#sec.apparmor.managing.monitor">26.1. 
Monitoring Your Secured Applications</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.managing.html#sec.apparmor.managing.config_sen">26.2. Configuring Security Event Notification</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports">26.3. Configuring Reports</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.managing.html#sec.apparmor.managing.dmon">26.4. Configuring and Using the AppArmor Desktop Monitor Applet</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.managing.html#sec.apparmor.managing.react">26.5. Reacting to Security Event Rejections</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.managing.html#sec.apparmor.managing.maintain">26.6. Maintaining Your Security Profiles</a></span></dt></dl></div><p>
  After creating profiles and immunizing your applications,
  <span>openSUSE®</span>
  becomes more efficient and better protected as long as you perform
  Novell® AppArmor profile maintenance (which involves analyzing log files, refining
  your profiles, backing up your set of profiles and keeping it up-to-date).
  You can deal with these issues before they become a problem by setting up
  event notification by e-mail, running periodic reports, updating profiles
  from system log entries by running the aa-logprof tool through YaST, and
  dealing with maintenance issues.
 </p><div class="sect1" title="26.1. Monitoring Your Secured Applications"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.managing.monitor"></a>26.1. Monitoring Your Secured Applications<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.monitor">¶</a></span></h2></div></div></div><p>
   Applications that are confined by Novell AppArmor security profiles generate
   messages when applications execute in unexpected ways or outside of their
   specified profile. These messages can be monitored by event notification,
   periodic report generation, or integration into a third-party reporting
   mechanism.
  </p><p>
   For reporting and alerting, AppArmor uses a userspace daemon
   (<span class="command"><strong>/usr/sbin/aa-eventd</strong></span>). This daemon monitors log
   traffic, sends out notifications, and runs scheduled reports. It does not
   require any end user configuration and it is started automatically as
   part of the security event notification through the YaST AppArmor Control
   Panel or by the configuration of scheduled reports in the YaST AppArmor
   Reports module.
  </p><p>
   Apart from transparently enabling and disabling aa-eventd with the YaST
   modules, you can manually toggle its status with the
   <span class="command"><strong>rcaaeventd</strong></span> init script. The AppArmor event daemon is not
   required for proper functioning of the profiling process (such as
   enforcement or learning). It is just required for reporting.
  </p><p>
   Find more details on security event notification in
   <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_sen" title="26.2. Configuring Security Event Notification">Section 26.2, &#8220;Configuring Security Event Notification&#8221;</a> and on scheduled
   reports in <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports" title="26.3. Configuring Reports">Section 26.3, &#8220;Configuring Reports&#8221;</a>.
  </p><p>
   If you prefer a simple way of being notified of any AppArmor reject events
   that does not require you to check your e-mails or any log files, use the
   AppArmor Desktop Monitor applet that integrates into the GNOME desktop. Refer
   to <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.dmon" title="26.4. Configuring and Using the AppArmor Desktop Monitor Applet">Section 26.4, &#8220;Configuring and Using the AppArmor Desktop Monitor Applet&#8221;</a> for details.
  </p></div><div class="sect1" title="26.2. Configuring Security Event Notification"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.managing.config_sen"></a>26.2. Configuring Security Event Notification<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_sen">¶</a></span></h2></div></div></div><p>
   Security event notification is a Novell AppArmor feature that informs you when
   systemic Novell AppArmor activity occurs. Activate it by selecting a notification
   frequency (receiving daily notification, for example). Enter an e-mail
   address so you can be notified by e-mail when Novell AppArmor security events
   occur. Select one of the following notification types:
  </p><div class="variablelist"><dl><dt><span class="term">Terse</span></dt><dd><p>
      Terse notification summarizes the total number of system events
      without providing details. For example:
     </p><pre class="screen">jupiter.example.com has had 41 security events since Mon Sep 10 14:53:16 2007.
</pre></dd><dt><span class="term">Summary Notification</span></dt><dd><p>
      Summary notification displays the logged Novell AppArmor security events and
      lists the number of individual occurrences, including the date of the
      last occurrence. For example:
     </p><pre class="screen">AppArmor: PERMITTING access to capability &#8217;setgid&#8217; (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct  9 16:05:54 2004.</pre></dd><dt><span class="term">Verbose Notification</span></dt><dd><p>
      Verbose notification displays unmodified, logged Novell AppArmor security
      events. It tells you every time an event occurs and writes a new line
      in the verbose log. These security events include the date and time
      the event occurred, when the application profile permits and rejects
      access, and the type of file permission access that is permitted or
      rejected. Verbose notification also reports several messages that the
      aa-logprof tool (see
      <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary.logprof" title="23.6.3.5. aa-logprof&#8212;Scanning the System Log">Section 23.6.3.5, &#8220;aa-logprof&#8212;Scanning the System Log&#8221;</a>)
      uses to interpret profiles. For example:
     </p><pre class="screen">type=APPARMOR_DENIED msg=audit(1189428793.218:2880):
      operation="file_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
</pre></dd></dl></div><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
    You must set up a mail server that can send outgoing mail using the SMTP
    protocol (for example, postfix or exim) for event notification to work.
   </p></td></tr></table></div><div class="procedure"><ol class="procedure" type="1"><li><p>
     In the <span class="guimenu">Enable Security Event Notification</span> section of
     the <span class="guimenu">AppArmor Configuration</span> window, click
     <span class="guimenu">Configure</span>.
    </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/eventnotif.png" width="100%" alt="Security event
	  notification window"></td></tr></table></div></div></li><li><p>
     In the <span class="guimenu">Security Event Notification</span> window, enable
     <span class="guimenu">Terse</span>, <span class="guimenu">Summary</span>, or
     <span class="guimenu">Verbose</span> event notification.
    </p><ol type="a" class="substeps"><li><p>
       In each applicable notification type section, enter the e-mail
       addresses of those who should receive notification in the field
       provided. If notification is enabled, you must enter an e-mail
       address. Separate multiple e-mail addresses with commas.
      </p></li><li><p>
       For each notification type enabled, select the frequency of
       notification.
      </p><p>
       Select a notification frequency from the following options:
      </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
         Disabled
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         1 minute
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         5 minutes
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         10 minutes
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         15 minutes
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         30 minutes
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         1 hour
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         1 day
        </p></li><li class="listitem" style="list-style-type: disc"><p>
         1 week
        </p></li></ul></div></li><li><p>
       For each selected notification type, select the lowest severity level
       for which a notification should be sent. Security events are logged
       and the notifications are sent at the time indicated by the interval
       when events are equal to or greater than the selected severity level.
       If the interval is <span class="guimenu">1 day</span>, the notification is sent
       daily, if security events occur.
      </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Severity Levels"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Severity Levels</th></tr><tr><td colspan="2" align="left" valign="top"><p>
        Novell AppArmor sends out event messages for things that are in the severity
        database and above the level selected. Severity levels are numbered
        1 through 10, with 10 being the most severe security incident. The
        <code class="filename">/etc/severity.db</code> file defines the severity
        level of potential security events. The severity levels are
        determined by the importance of different security events, such as
        certain resources accessed or services denied.
       </p></td></tr></table></div></li></ol></li><li><p>
     Click <span class="guimenu">OK</span>.
    </p></li><li><p>
     Click <span class="guimenu">Done</span> in the <span class="guimenu">Novell AppArmor
     Configuration</span> window.
    </p></li><li><p>
     Click <span class="guimenu">File</span>+<span class="guimenu">Quit</span> in the YaST Control Center.
    </p></li></ol></div><p>
   After configuring security event notification, read the reports and
   determine whether events require follow-up. Follow-up may include the
   procedures outlined in
   <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.react" title="26.5. Reacting to Security Event Rejections">Section 26.5, &#8220;Reacting to Security Event Rejections&#8221;</a>.
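   </p><p>
    The Terse and Summary notification types described in this section are aggregations of the Verbose records. The following Python sketch is an added example, not code from Novell AppArmor or aa-eventd: it parses records in the verbose format shown above (including a record wrapped over two lines) and builds a terse count and summary rows. The function names, the mapping of record types to access types, and all sample records except the first are assumptions made for the example.
   </p>

```python
import re
from datetime import datetime, timezone

# Audit record types mapped to the access types named in this chapter.
# The mapping is an assumption made for this example.
ACCESS = {"APPARMOR_DENIED": "REJECTING",
          "APPARMOR_ALLOWED": "PERMITTING",
          "APPARMOR_AUDIT": "AUDITING"}

HEADER = re.compile(r"^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log. The first record is the verbose example from this
# section, wrapped over two lines the same way; the rest are made up.
SAMPLE_LOG = '''\
type=APPARMOR_DENIED msg=audit(1189428793.218:2880):
      operation="file_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/var/log/apache2/error_log" pid=22969 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_DENIED msg=audit(1189428801.004:2881): operation="file_permission" requested_mask="::w" denied_mask="::w" fsuid=1000 name="/var/log/apache2/error_log" pid=22970 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_ALLOWED msg=audit(1189428950.500:2890): operation="capable" name="setgid" pid=6347 profile="/usr/sbin/httpd2-prefork"
type=SYSCALL msg=audit(1189428951.000:2891): arch=c000003e syscall=2 success=no
type=APPARMOR_DENIED msg=audit(1189429500.750:2899): operation="inode_create" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/ntp.conf.tmp" pid=4120 profile="/usr/sbin/ntpd"
'''


def unwrap(text):
    """Join continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("type="):
            records.append(stripped)
        elif stripped and records:
            records[-1] += " " + stripped
    return records


def parse_records(text):
    """Return AppArmor events as dicts; other audit record types are skipped."""
    events = []
    for raw in unwrap(text):
        m = HEADER.match(raw)
        if not m or m.group(1) not in ACCESS:
            continue
        kind, stamp, serial, rest = m.groups()
        fields = {k: bare or quoted for k, quoted, bare in PAIR.findall(rest)}
        events.append({"access": ACCESS[kind], "time": float(stamp),
                       "serial": int(serial), **fields})
    return events


def since(events, start):
    """Events at or after epoch `start`, i.e. one notification interval."""
    return [e for e in events if e["time"] >= start]


def terse(events, host, start):
    """Terse notification: only the number of events since `start`."""
    when = datetime.fromtimestamp(start, tz=timezone.utc)
    return (f"{host} has had {len(events)} security events since "
            f"{when.strftime('%a %b %d %H:%M:%S %Y')} UTC.")


def summary(events):
    """Summary notification: one row per distinct event with count and latest time.

    Row layout: (access, operation, name, mask, profile, count, latest_epoch).
    """
    groups = {}
    for e in events:
        key = (e["access"], e.get("operation", "?"), e.get("name", "?"),
               e.get("denied_mask", e.get("requested_mask", "")),
               e.get("profile", "?"))
        count, latest = groups.get(key, (0, 0.0))
        groups[key] = (count + 1, max(latest, e["time"]))
    return [key + value for key, value in groups.items()]


if __name__ == "__main__":
    events = parse_records(SAMPLE_LOG)
    print(terse(events, "jupiter.example.com", 1189428793))
    for access, op, name, mask, profile, count, latest in summary(events):
        print(f"{access} {op} {name} {mask} (profile {profile}) "
              f"{count} times, latest at epoch {latest}")
```

   <p>
    The output wording is modelled on the samples in this section and is not aa-eventd's exact format; severity filtering through <code class="filename">/etc/severity.db</code> and e-mail delivery are not reproduced.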
  </p></div><div class="sect1" title="26.3. Configuring Reports"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.managing.config_reports"></a>26.3. Configuring Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports">¶</a></span></h2></div></div></div><p>
   Novell AppArmor's reporting feature adds flexibility by enhancing the way users can
   view security event data. The reporting tool performs the following:
  </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
     Creates on-demand reports
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Exports reports
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Schedules periodic reports for archiving
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     E-mails periodic reports
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Filters report data by date
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     Filters report data by other options, such as program name
    </p></li></ul></div><p>
   Using reports, you can read important Novell AppArmor security events reported in
   the log files without manually sifting through the messages only useful
   to the aa-logprof tool. Narrow down the size of the report by filtering
   by date range or program name. You can also export an
   <code class="filename">html</code> or <code class="filename">csv</code> file.
  </p><p>
   The following are the three types of reports available in Novell AppArmor:
  </p><div class="variablelist"><dl><dt><span class="term">Executive Security Summary</span></dt><dd><p>
      A combined report, consisting of one or more security incident reports
      from one or more machines. This report can provide a single view of
      security events on multiple machines. For more details, refer to
      <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.ess" title="26.3.1.3. Executive Security Summary">Section 26.3.1.3, &#8220;Executive Security Summary&#8221;</a>.
     </p></dd><dt><span class="term">Application Audit Report</span></dt><dd><p>
      
      An auditing tool that reports which application servers are running
      and whether the applications are confined by AppArmor. Application servers
      are applications that accept incoming network connections. For more
      details, refer to
      <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.audit" title="26.3.1.1. Application Audit Report">Section 26.3.1.1, &#8220;Application Audit Report&#8221;</a>.
     </p></dd><dt><span class="term">Security Incident Report</span></dt><dd><p>
      A report that displays application security for a single host. It
      reports policy violations for locally confined applications during a
      specific time period. You can edit and customize this report or add
      new versions. For more details, refer to
      <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.sir" title="26.3.1.2. Security Incident Report">Section 26.3.1.2, &#8220;Security Incident Report&#8221;</a>.
     </p></dd></dl></div><p>
   To use the Novell AppArmor reporting features, proceed with the following steps:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Open <span class="guimenu">YaST</span>+<span class="guimenu">Novell AppArmor</span>.
    </p></li><li><p>
     In <span class="guimenu">Novell AppArmor</span>, click <span class="guimenu">AppArmor Reports</span>. The
     <span class="guimenu">AppArmor Security Event Reports</span> window appears. From the
     <span class="guimenu">Reports</span> window, select an option and proceed to the
     respective section for instructions:
    </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/report1.png" width="100%" alt="Reports window"></td></tr></table></div></div><div class="variablelist"><dl><dt><span class="term">View Archive</span></dt><dd><p>
        Displays all reports that have been run and stored in
        <code class="filename">/var/log/apparmor/reports-archived/</code>. Select the
        report you want to see in detail and click <span class="guimenu">View</span>.
        For <span class="guimenu">View Archive</span> instructions, proceed to
        <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view" title="26.3.1. Viewing Archived Reports">Section 26.3.1, &#8220;Viewing Archived Reports&#8221;</a>.
       </p></dd><dt><span class="term">Run Now</span></dt><dd><p>
        Produces an instant version of the selected report type. If you
        select a security incident report, it can be further filtered in
        various ways. For <span class="guimenu">Run Now</span> instructions, proceed
        to
        <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.on_demand" title="26.3.2. Run Now: Running On-Demand Reports">Section 26.3.2, &#8220;Run Now: Running On-Demand Reports&#8221;</a>.
       </p></dd><dt><span class="term">Add</span></dt><dd><p>
        Creates a scheduled security incident report. For
        <span class="guimenu">Add</span> instructions, proceed to
        <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.new" title="26.3.3. Adding New Reports">Section 26.3.3, &#8220;Adding New Reports&#8221;</a>.
       </p></dd><dt><span class="term">Edit</span></dt><dd><p>
        Edits a scheduled security incident report.
       </p></dd><dt><span class="term">Delete</span></dt><dd><p>
        Deletes a scheduled security incident report. Stock or canned
        reports cannot be deleted.
       </p></dd><dt><span class="term">Back</span></dt><dd><p>
        Returns you to the Novell AppArmor main screen.
       </p></dd><dt><span class="term">Abort</span></dt><dd><p>
        Returns you to the Novell AppArmor main screen.
       </p></dd><dt><span class="term">Next</span></dt><dd><p>
        Performs the same function as the <span class="guimenu">Run Now</span> button.
       </p></dd></dl></div></li></ol></div><div class="sect2" title="26.3.1. Viewing Archived Reports"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.config_reports.view"></a>26.3.1. Viewing Archived Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.view">¶</a></span></h3></div></div></div><p>
    <span class="guimenu">View Reports</span> enables you to specify the location of a
    collection of reports from one or more systems, including the ability to
    filter by date or names of programs accessed and display them all
    together in one report.
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      From the <span class="guimenu">AppArmor Security Event Report</span> window, select
      <span class="guimenu">View Archive</span>.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/reports_viewarch_pg1.png" width="100%" alt="Security Event Report"></td></tr></table></div></div></li><li><p>
      Select the report type to view. Toggle between the different types:
      <span class="guimenu">SIR</span> (Security Incident Report), <span class="guimenu">App
      Aud</span> (Application Audit), and <span class="guimenu">ESS</span>
      (Executive Security Summary).
     </p></li><li><p>
      You can alter the directory location of the archived reports in
      <span class="guimenu">Location of Archived Reports</span>. Select
      <span class="guimenu">Accept</span> to use the current directory or select
      <span class="guimenu">Browse</span> to find a new report location. The default
      directory is <code class="filename">/var/log/apparmor/reports-archived</code>.
     </p></li><li><p>
      To view all the reports in the archive, select <span class="guimenu">View
      All</span>. To view a specific report, select a report file listed
      in the <span class="guimenu">Report</span> field then select
      <span class="guimenu">View</span>.
     </p></li><li><p>
      For <span class="guimenu">Application Audit</span> and <span class="guimenu">Executive
      Security Summary</span> reports, proceed to
      <a class="xref" href="cha.apparmor.managing.html#ste.apparmor.managing.config_reports.view.toc" title="Step 9">Step 9</a>.
     </p></li><li><p>
      The <span class="guimenu">Report Configuration Dialog</span> opens for
      <span class="guimenu">Security Incident</span> reports.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/report_config.png" width="100%" alt="Report Configuration"></td></tr></table></div></div></li><li><p>
      The <span class="guimenu">Report Configuration</span> dialog enables you to
      filter the reports selected in the previous screen. Enter the desired
      filter details. The fields are:
     </p><div class="variablelist"><dl><dt><span class="term">Date Range</span></dt><dd><p>
         To display reports for a certain time period, select
         <span class="guimenu">Filter By Date Range</span>. Enter the start and end
         dates that define the scope of the report.
        </p></dd><dt><span class="term">Program Name</span></dt><dd><p>
         When you enter a program name or pattern that matches the name of
         the binary executable of the program of interest, the report
         displays security events that have occurred for a specific program.
        </p></dd><dt><span class="term">Profile Name</span></dt><dd><p>
         When you enter the name of the profile, the report displays the
         security events that are generated for the specified profile. You
         can use this to see what is being confined by a specific profile.
        </p></dd><dt><span class="term">PID Number</span></dt><dd><p>
         <span class="guimenu">PID number</span> is a number that uniquely identifies
         one specific process or running program (this number is valid only
         during the lifetime of that process).
        </p></dd><dt><span class="term">Severity</span></dt><dd><p>
         Select the lowest severity level for security events to include in
         the report. The selected severity level (and above) are then
         included in the reports.
        </p></dd><dt><span class="term">Detail</span></dt><dd><p>
         A resource to which the profile has denied access. This includes
         capabilities and files. You can use this field to report the
         resources to which profiles prevent access.
        </p></dd><dt><span class="term">Access Type</span></dt><dd><p>
         The access type describes what is actually happening with the
         security event. The options are <code class="option">PERMITTING</code>,
         <code class="option">REJECTING</code>, or <code class="option">AUDITING</code>.
        </p></dd><dt><span class="term">Mode</span></dt><dd><p>
         The <span class="guimenu">Mode</span> is the permission that the profile
         grants to the program or process to which it is applied. The
         options are <code class="option">all</code> (all modes without filtering),
         <code class="option">r</code> (read), <code class="option">w</code> (write),
         <code class="option">l</code> (link), <code class="option">x</code> (execute), and
         <code class="option">m</code> (mmap).
        </p></dd><dt><span class="term">Export Type</span></dt><dd><p>
         Enables you to export a CSV (comma separated values) or HTML file.
         The CSV file separates pieces of data in the log entries with
         commas using a standard data format for importing into
         table-oriented applications. You can enter a path for your exported
         report by typing the full path in the field provided.
        </p></dd><dt><span class="term">Location to Store Log</span></dt><dd><p>
         Enables you to change the location at which to store the exported
         report. The default location is
         <code class="filename">/var/log/apparmor/reports-exported</code>. When you
         change this location, select <span class="guimenu">Accept</span>. Select
         <span class="guimenu">Browse</span> to browse the file system.
        </p></dd></dl></div></li><li><p>
      To see the report, filtered as desired, select
      <span class="guimenu">Next</span>. One of the three reports displays.
     </p></li><li id="ste.apparmor.managing.config_reports.view.toc"><p>
      Refer to the following sections for detailed information about each
      type of report.
     </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
        For the application audit report, refer to
        <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.audit" title="26.3.1.1. Application Audit Report">Section 26.3.1.1, &#8220;Application Audit Report&#8221;</a>.
       </p></li><li class="listitem" style="list-style-type: disc"><p>
        For the security incident report, refer to
        <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.sir" title="26.3.1.2. Security Incident Report">Section 26.3.1.2, &#8220;Security Incident Report&#8221;</a>.
       </p></li><li class="listitem" style="list-style-type: disc"><p>
        For the executive summary report, refer to
        <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.ess" title="26.3.1.3. Executive Security Summary">Section 26.3.1.3, &#8220;Executive Security Summary&#8221;</a>.
       </p></li></ul></div></li></ol></div><div class="sect3" title="26.3.1.1. Application Audit Report"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apparmor.managing.config_reports.view.audit"></a>26.3.1.1. Application Audit Report<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.view.audit">¶</a></span></h4></div></div></div><p>
     An application audit report is an auditing tool that reports which
     application servers are running and whether they are confined by AppArmor.
    </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/reports_run_appaudit.png" width="100%" alt="Application audit report"></td></tr></table></div></div><p>
     The following fields are provided in an application audit report:
    </p><div class="variablelist"><dl><dt><span class="term">Host</span></dt><dd><p>
        The machine protected by AppArmor for which the security events are
        reported.
       </p></dd><dt><span class="term">Date</span></dt><dd><p>
        The date during which security events occurred.
       </p></dd><dt><span class="term">Program</span></dt><dd><p>
        The name and path of the executing process.
       </p></dd><dt><span class="term">Profile</span></dt><dd><p>
        The absolute name of the security profile that is applied to the
        process.
       </p></dd><dt><span class="term">PID</span></dt><dd><p>
        A number that uniquely identifies one specific process or running
        program (this number is valid only during the lifetime of that
        process).
       </p></dd><dt><span class="term">State</span></dt><dd><p>
        This field reveals whether the program listed in the program field
        is confined. If it is not confined, consider creating a profile for
        it.
       </p></dd><dt><span class="term">Type</span></dt><dd><p>
        This field reveals the type of confinement the security event
        represents (either complain or enforce). If the application is not
        confined (state), no type of confinement is reported.
       </p></dd></dl></div></div><div class="sect3" title="26.3.1.2. Security Incident Report"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apparmor.managing.config_reports.view.sir"></a>26.3.1.2. Security Incident Report<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.view.sir">¶</a></span></h4></div></div></div><p>
     A security incident report displays security events of interest to an
     administrator. The SIR reports policy violations for locally confined
     applications during a specified time period. It also reports policy
     exceptions and policy engine state changes. These two types of security
     events are defined as follows:
    </p><div class="variablelist"><dl><dt><span class="term">Policy Exceptions</span></dt><dd><p>
        When an application requests a resource that is not defined within
        its profile, a security event is triggered. The SIR reports these
        policy violations for locally confined applications during the
        specified time period.
       </p></dd><dt><span class="term">Policy Engine State Changes</span></dt><dd><p>
        The policy engine enforces policy for applications and maintains its
        own state. State changes include when engines start or stop, when a
        policy is reloaded, and when global security features are enabled or
        disabled.
       </p></dd></dl></div><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/reports_run_sir.png" width="100%" alt="Security incident report"></td></tr></table></div></div><p>
     The fields in the SIR report have the following meanings:
    </p><div class="variablelist"><dl><dt><span class="term">Host</span></dt><dd><p>
        The machine protected by AppArmor for which the security events are
        reported.
       </p></dd><dt><span class="term">Date</span></dt><dd><p>
        The date during which security events occurred.
       </p></dd><dt><span class="term">Program</span></dt><dd><p>
        The name of the executing process.
       </p></dd><dt><span class="term">Profile</span></dt><dd><p>
        The absolute name of the security profile that is applied to the
        process.
       </p></dd><dt><span class="term">PID</span></dt><dd><p>
        A number that uniquely identifies one specific process or running
        program (this number is valid only during the lifetime of that
        process).
       </p></dd><dt><span class="term">Severity</span></dt><dd><p>
        Severity levels of events are reported from the severity database.
        The severity database defines the importance of potential security
        events and numbers them 1 through 10, 10 being the most severe
        security incident. The severity levels are determined by the threat
        or importance of different security events, such as certain
        resources accessed or services denied.
       </p></dd><dt><span class="term">Mode</span></dt><dd><p>
        The mode is the permission that the profile grants to the program or
        process to which it is applied. The options are <code class="option">r</code>
        (read), <code class="option">w</code> (write), <code class="option">l</code> (link), and
        <code class="option">x</code> (execute).
       </p></dd><dt><span class="term">Detail</span></dt><dd><p>
        A resource to which the profile has denied access. This includes
        capabilities and files. You can use this field to report the
        resources to which the profile prevents access.
       </p></dd><dt><span class="term">Access Type</span></dt><dd><p>
        The access type describes what is actually happening with the
        security event. The options are <code class="option">PERMITTING</code>,
        <code class="option">REJECTING</code>, or <code class="option">AUDITING</code>.
       </p></dd></dl></div></div><div class="sect3" title="26.3.1.3. Executive Security Summary"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apparmor.managing.config_reports.view.ess"></a>26.3.1.3. Executive Security Summary<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.view.ess">¶</a></span></h4></div></div></div><p>
     A combined report consisting of one or more high-level reports from one
     or more machines. This report can provide a single view of security
     events on multiple machines as long as each machine's data is copied to
     the report archive directory, which is
     <code class="filename">/var/log/apparmor/reports-archived</code>. One line of
     the ESS report represents a range of SIR reports.
    </p><p>
     The following fields are provided in an executive security summary:
    </p><div class="variablelist"><dl><dt><span class="term">Host</span></dt><dd><p>
        The machine protected by AppArmor for which the security events are
        reported.
       </p></dd><dt><span class="term">Start Date</span></dt><dd><p>
        The first date in a range of dates during which security events are
        reported.
       </p></dd><dt><span class="term">End Date</span></dt><dd><p>
        The last date in a range of dates during which security events are
        reported.
       </p></dd><dt><span class="term">Num Rejects</span></dt><dd><p>
        In the date range given, the total number of security events that
        are rejected access attempts.
       </p></dd><dt><span class="term">Num Events</span></dt><dd><p>
        In the date range given, the total number of security events.
       </p></dd><dt><span class="term">Ave. Sev</span></dt><dd><p>
        This is the average of the severity levels reported in the date
        range given. Unknown severities are disregarded in this figure.
       </p></dd><dt><span class="term">High Sev</span></dt><dd><p>
        This is the severity of the highest severity event reported in the
        date range given.
       </p></dd></dl></div></div></div><div class="sect2" title="26.3.2. Run Now: Running On-Demand Reports"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.config_reports.on_demand"></a>26.3.2. Run Now: Running On-Demand Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.on_demand">¶</a></span></h3></div></div></div><p>
    The <span class="guimenu">Run Now</span> report feature enables you to instantly
    extract report information from the Novell AppArmor event logs without waiting for
    scheduled events. If you need help navigating to the main report screen,
    see
    <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports" title="26.3. Configuring Reports">Section 26.3, &#8220;Configuring Reports&#8221;</a>.
    Perform the following steps to run a report from the list of reports:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Select the report to run instantly from the list of reports in the
      <span class="guimenu">Schedule Reports</span> window.
     </p></li><li><p>
      Select <span class="guimenu">Run Now</span> or <span class="guimenu">Next</span>. The next
      screen is dependent on which report you selected in the previous step.
      As an example, select a security incident report.
     </p></li><li><p>
      The <span class="guimenu">Report Configuration Dialog</span> opens for security
      incident reports.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/report_config.png" width="100%" alt="Report Configuration"></td></tr></table></div></div></li><li><p>
      The <span class="guimenu">Report Configuration Dialog</span> enables you to
      filter the reports selected in the previous screen. Enter the desired
      filter details. The following filter options are available:
     </p><div class="variablelist"><dl><dt><span class="term">Date Range</span></dt><dd><p>
         To limit reports to a certain time period, select <span class="guimenu">Filter
         By Date Range</span>. Enter the start and end dates that
         determine the scope of the report.
        </p></dd><dt><span class="term">Program Name</span></dt><dd><p>
         When you enter a program name or pattern that matches the name of
         the binary executable for the relevant program, the report displays
         security events that have occurred for that program only.
        </p></dd><dt><span class="term">Profile Name</span></dt><dd><p>
         When you enter the name of the profile, the report displays the
         security events that are generated for the specified profile. You
         can use this to see what is confined by a specific profile.
        </p></dd><dt><span class="term">PID Number</span></dt><dd><p>
         A number that uniquely identifies one specific process or running
         program (this number is valid only during the lifetime of that
         process).
        </p></dd><dt><span class="term">Severity</span></dt><dd><p>
         Select the lowest severity level for security events to include in
         the report. The selected severity level and above are included in
         the reports.
        </p></dd><dt><span class="term">Detail</span></dt><dd><p>
         A resource to which the profile has denied access. This includes
         capabilities and files. You can use this field to report the
         resources to which profiles prevent access.
        </p></dd><dt><span class="term">Access Type</span></dt><dd><p>
         The access type describes the action being taken with the security
         event. The options are <code class="option">PERMITTING</code>,
         <code class="option">REJECTING</code>, or <code class="option">AUDITING</code>.
        </p></dd><dt><span class="term">Mode</span></dt><dd><p>
         The mode is the permission that the profile grants to the program
         or process to which it is applied. The options are
         <code class="option">r</code> (read), <code class="option">w</code> (write),
         <code class="option">l</code> (link), and <code class="option">x</code> (execute).
        </p></dd><dt><span class="term">Export Type</span></dt><dd><p>
         Enables you to export a CSV (comma separated values) or HTML file.
         The CSV file separates pieces of data in the log entries with
         commas, using a standard data format for importing into
         table-oriented applications. Enter a path for your exported report
         by typing in the full path in the field provided.
        </p></dd><dt><span class="term">Location to Store Log</span></dt><dd><p>
         Enables you to change the location where the exported report is
         stored. The default location is
         <code class="filename">/var/log/apparmor/reports-exported</code>. When you
         change this location, select <span class="guimenu">Accept</span>. Select
         <span class="guimenu">Browse</span> to browse the file system.
        </p></dd></dl></div></li><li><p>
      To see the report, filtered as desired, select
      <span class="guimenu">Next</span>. One of the three reports displays.
     </p></li></ol></div><p>
    Refer to the following sections for detailed information about each type of
    report.
   </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
      For the application audit report, refer to
      <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.audit" title="26.3.1.1. Application Audit Report">Section 26.3.1.1, &#8220;Application Audit Report&#8221;</a>.
     </p></li><li class="listitem" style="list-style-type: disc"><p>
      For the security incident report, refer to
      <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.sir" title="26.3.1.2. Security Incident Report">Section 26.3.1.2, &#8220;Security Incident Report&#8221;</a>.
     </p></li><li class="listitem" style="list-style-type: disc"><p>
      For the executive summary report, refer to
      <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports.view.ess" title="26.3.1.3. Executive Security Summary">Section 26.3.1.3, &#8220;Executive Security Summary&#8221;</a>.
     </p></li></ul></div></div><div class="sect2" title="26.3.3. Adding New Reports"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.config_reports.new"></a>26.3.3. Adding New Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.new">¶</a></span></h3></div></div></div><p>
    Adding new reports enables you to create a scheduled security incident
    report that displays Novell AppArmor security events according to your preset
    filters. When a report is set up in <span class="guimenu">Schedule Reports</span>,
    it periodically launches a report of Novell AppArmor security events that have
    occurred on the system.
   </p><p>
    You can configure a daily, weekly, monthly, or hourly report to run for
    a specified period. You can set the report to display rejections for
    certain severity levels or to filter by program name, profile name,
    severity level, or denied resources. This report can be exported to an
    HTML (Hypertext Markup Language) or CSV (Comma Separated Values) file
    format.
   </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
     Return to the beginning of this section if you need help navigating to
     the main report screen (see
     <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports" title="26.3. Configuring Reports">Section 26.3, &#8220;Configuring Reports&#8221;</a>).
    </p></td></tr></table></div><p>
    To add a new scheduled security incident report, proceed as follows:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Click <span class="guimenu">Add</span> to create a new security incident report.
      The first page of <span class="guimenu">Add Scheduled SIR</span> opens.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/reports_add_pg1.png" width="100%" alt="Add scheduled SIR"></td></tr></table></div></div></li><li><p>
      Fill in the fields with the following filtering information, as
      necessary:
     </p><div class="variablelist"><dl><dt><span class="term">Report Name</span></dt><dd><p>
         Specify the name of the report. Use names that easily distinguish
         different reports.
        </p></dd><dt><span class="term">Day of Month</span></dt><dd><p>
         Select any day of the month to activate monthly filtering in
         reports. If you select <code class="literal">All</code>, monthly filtering is
         not performed.
        </p></dd><dt><span class="term">Day of Week</span></dt><dd><p>
         Select the day of the week on which to schedule weekly reports, if
         desired. If you select <code class="literal">ALL</code>, weekly filtering is
         not performed. If monthly reporting is selected, this field
         defaults to <code class="literal">ALL</code>.
        </p></dd><dt><span class="term">Hour and Minute</span></dt><dd><p>
         Select the time. This specifies the hour and minute that you would
         like the reports to run. If you do not change the time, selected
         reports run at midnight. If neither the day of the month nor the
         day of the week is selected, the report runs daily at the specified time.
        </p></dd><dt><span class="term">E-Mail Target</span></dt><dd><p>
         You have the ability to send the scheduled security incident report
         via e-mail to up to three recipients. Just enter the e-mail
         addresses for those who require the security incident information.
        </p></dd><dt><span class="term">Export Type</span></dt><dd><p>
         This option enables you to export a CSV (comma separated values) or
         HTML file. The CSV file separates pieces of data in the log entries
         with commas using a standard data format for importing into
         table-oriented applications. Enter a path for your exported report
         by typing in the full path in the field provided.
        </p></dd><dt><span class="term">Location to Store Log</span></dt><dd><p>
         Enables you to change the location where the exported report is
         stored. The default location is
         <code class="filename">/var/log/apparmor/reports-exported</code>. When you
         change this location, select <span class="guimenu">Accept</span>. Select
         <span class="guimenu">Browse</span> to browse the file system.
        </p></dd></dl></div></li><li><p>
      Click <span class="guimenu">Next</span> to proceed to the second page of
      <span class="guimenu">Add Scheduled SIR</span>.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="50%"><tr><td><img src="images/reports_add_pg2.png" width="100%" alt="Add scheduled SIR, page 2"></td></tr></table></div></div></li><li><p>
      Fill in the fields with the following filtering information, as
      necessary:
     </p><div class="variablelist"><dl><dt><span class="term">Program Name</span></dt><dd><p>
         You can specify a program name or pattern that matches the name of
         the binary executable for the program of interest. The report
         displays security events that have occurred for the specified
         program only.
        </p></dd><dt><span class="term">Profile Name</span></dt><dd><p>
         You can specify the name of the profile for which the report should
         display security events. You can use this to see what is being
         confined by a specific profile.
        </p></dd><dt><span class="term">PID Number</span></dt><dd><p>
         A number that uniquely identifies one specific process or running
         program (this number is valid only during the lifetime of that
         process).
        </p></dd><dt><span class="term">Detail</span></dt><dd><p>
         A resource to which the profile has denied access. This includes
         capabilities and files. You can use this field to create a report
         of resources to which profiles prevent access.
        </p></dd><dt><span class="term">Severity</span></dt><dd><p>
         Select the lowest severity level of security events to include in
         the report. The selected severity level and above are included in
         the reports.
        </p></dd><dt><span class="term">Access Type</span></dt><dd><p>
         The access type describes the action being taken with the security
         event. The options are <code class="option">PERMITTING</code>,
         <code class="option">REJECTING</code>, or <code class="option">AUDITING</code>.
        </p></dd><dt><span class="term">Mode</span></dt><dd><p>
         The mode is the permission that the profile grants to the program
         or process to which it is applied. The options are
         <code class="literal">r</code> (read), <code class="literal">w</code> (write),
         <code class="literal">l</code> (link), and <code class="literal">x</code> (execute).
        </p></dd></dl></div></li><li><p>
      Click <span class="guimenu">Save</span> to save this report. Novell AppArmor returns to
      the <span class="guimenu">Scheduled Reports</span> main window where the newly
      scheduled report appears in the list of reports.
     </p></li></ol></div></div><div class="sect2" title="26.3.4. Editing Reports"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.config_reports.edit"></a>26.3.4. Editing Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.edit">¶</a></span></h3></div></div></div><p>
    From the AppArmor <span class="guimenu">Reports</span> screen, you can select and edit
    a report. The three pre-configured reports (<span class="emphasis"><em>stock
    reports</em></span>) cannot be edited or deleted.
   </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
     Return to the beginning of this section if you need help navigating to
     the main report screen (see
     <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports" title="26.3. Configuring Reports">Section 26.3, &#8220;Configuring Reports&#8221;</a>).
    </p></td></tr></table></div><p>
    Perform the following steps to modify a report from the list of reports:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      From the list of reports in the <span class="guimenu">Schedule Reports</span>
      window, select the report to edit. This example assumes that you have
      selected a security incident report.
     </p></li><li><p>
      Click <span class="guimenu">Edit</span> to edit the security incident report.
      The first page of the <span class="guimenu">Edit Scheduled SIR</span> displays.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/reports_edit_pg1.png" width="100%" alt="Edit scheduled SIR"></td></tr></table></div></div></li><li><p>
      Modify the following filtering information, as necessary:
     </p><div class="variablelist"><dl><dt><span class="term">Day of Month</span></dt><dd><p>
         Select any day of the month to activate monthly filtering in
         reports. If you select <code class="literal">All</code>, monthly filtering is
         not performed.
        </p></dd><dt><span class="term">Day of Week</span></dt><dd><p>
         Select the day of the week on which to schedule the weekly reports.
         If you select <code class="option">All</code>, weekly filtering is not
         performed. If monthly reporting is selected, this defaults to
         <code class="option">All</code>.
        </p></dd><dt><span class="term">Hour and Minute</span></dt><dd><p>
         Select the time. This specifies the hour and minute that you would
         like the reports to run. If you do not change the time, the
         selected report runs at midnight. If neither the day of the month
         nor day of the week is selected, the report runs daily at the
         specified time.
        </p></dd><dt><span class="term">E-Mail Target</span></dt><dd><p>
         You have the ability to send the scheduled security incident report
         via e-mail to up to three recipients. Just enter the e-mail
         addresses for those who require the security incident information.
        </p></dd><dt><span class="term">Export Type</span></dt><dd><p>
         This option enables you to export a CSV (comma separated values) or
         HTML file. The CSV file separates pieces of data in the log entries
         with commas, using a standard data format for importing into
         table-oriented applications. Enter a path for your exported report
         by typing the full path in the field provided.
        </p></dd><dt><span class="term">Location to Store Log</span></dt><dd><p>
         Enables you to change the location where the exported report is
         stored. The default location is
         <code class="filename">/var/log/apparmor/reports-exported</code>. When you
         change this location, select <span class="guimenu">Accept</span>. Select
         <span class="guimenu">Browse</span> to browse the file system.
        </p></dd></dl></div></li><li><p>
      Click <span class="guimenu">Next</span> to proceed to the next <span class="guimenu">Edit
      Scheduled SIR</span> page. The second page of <span class="guimenu">Edit
      Scheduled Reports</span> opens.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="50%"><tr><td><img src="images/reports_edit_pg2.png" width="100%" alt="Edit scheduled reports, page two"></td></tr></table></div></div></li><li><p>
      Modify the fields with the following filtering information, as
      necessary:
     </p><div class="variablelist"><dl><dt><span class="term">Program Name</span></dt><dd><p>
         You can specify a program name or pattern that matches the name of
         the binary executable for the program of interest. The report
         displays security events that have occurred for the specified
         program only.
        </p></dd><dt><span class="term">Profile Name</span></dt><dd><p>
         You can specify the name of the profile for which to display
         security events. You can use this to see what is being confined by
         a specific profile.
        </p></dd><dt><span class="term">PID Number</span></dt><dd><p>
         The process ID is a number that uniquely identifies one specific
         process or running program (this number is valid only during the
         lifetime of that process).
        </p></dd><dt><span class="term">Detail</span></dt><dd><p>
         A resource to which the profile has denied access. This includes
         capabilities and files. You can use this field to create a report
         of resources to which profiles prevent access.
        </p></dd><dt><span class="term">Severity</span></dt><dd><p>
         Select the lowest severity level for security events to include in
         the report. The selected severity level and above are included in
         the reports.
        </p></dd><dt><span class="term">Access Type</span></dt><dd><p>
         The access type describes the action being taken with the security
         event. The options are <code class="option">PERMITTING</code>,
         <code class="option">REJECTING</code>, or <code class="option">AUDITING</code>.
        </p></dd><dt><span class="term">Mode</span></dt><dd><p>
         The mode is the permission that the profile grants to the program
         or process to which it is applied. The options are
         <code class="literal">r</code> (read), <code class="literal">w</code> (write),
         <code class="literal">l</code> (link), and <code class="literal">x</code> (execute).
        </p></dd></dl></div></li><li><p>
      Select <span class="guimenu">Save</span> to save the changes to this report.
      Novell AppArmor returns to the <span class="guimenu">Scheduled Reports</span> main window
      where the scheduled report appears in the list of reports.
     </p></li></ol></div></div><div class="sect2" title="26.3.5. Deleting Reports"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.config_reports.del"></a>26.3.5. Deleting Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.config_reports.del">¶</a></span></h3></div></div></div><p>
    <span class="guimenu">Delete a Report</span> enables you to permanently remove a
    report from the list of Novell AppArmor scheduled reports. To delete a report,
    follow these instructions:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      To remove a report from the list of reports, highlight the report and
      click <span class="guimenu">Delete</span>.
     </p></li><li><p>
      From the confirmation pop-up, select <span class="guimenu">Cancel</span> if you
      do not want to delete the selected report. If you are sure you want to
      remove the report permanently from the list of reports, select
      <span class="guimenu">Delete</span>.
     </p></li></ol></div></div></div><div class="sect1" title="26.4. Configuring and Using the AppArmor Desktop Monitor Applet"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.managing.dmon"></a>26.4. Configuring and Using the AppArmor Desktop Monitor Applet<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.dmon">¶</a></span></h2></div></div></div><p>
   The Linux audit framework contains a dispatcher that can send AppArmor events
   to any consumer application via dbus. The GNOME AppArmor Desktop Monitor
   applet is one example of an application that gathers AppArmor events via
   dbus. To configure audit to use the dbus dispatcher, just set the
   dispatcher in your audit configuration in
   <code class="filename">/etc/audit/auditd.conf</code> to
   <code class="literal">apparmor-dbus</code> and restart auditd:
  </p><pre class="screen">dispatcher = /usr/bin/apparmor-dbus
</pre><p>
   Once the dbus dispatcher is configured correctly, add the AppArmor Desktop
   Monitor to the GNOME panel by right-clicking the panel and selecting
   <span class="guimenu">Add to Panel</span>+<span class="guimenu">AppArmor Desktop
   Monitor</span>. As soon as a <code class="literal">REJECT</code>
   event is logged, the applet's panel icon changes appearance and you can
   click the applet to see the number of reject events per confined
   application. To view the exact log messages, refer to the audit log under
   <code class="filename">/var/log/audit/audit.log</code>. React to any
   <code class="literal">REJECT</code> events as described in
   <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.react" title="26.5. Reacting to Security Event Rejections">Section 26.5, &#8220;Reacting to Security Event Rejections&#8221;</a>.
  </p></div><div class="sect1" title="26.5. Reacting to Security Event Rejections"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.managing.react"></a>26.5. Reacting to Security Event Rejections<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.react">¶</a></span></h2></div></div></div><p>
   When you receive a security event rejection, examine the access violation
   and determine whether that event indicates a threat or is part of normal
   application behavior. Application-specific knowledge is required to make
   the determination. If the rejected action is part of normal application
   behavior, run <span class="command"><strong>aa-logprof</strong></span> at the command line or the
   <span class="guimenu">Update Profile Wizard</span> in Novell AppArmor to update your profile.
  </p><p>
   If the rejected action is not part of normal application behavior, this
   access should be considered a possible intrusion attempt (that was
   prevented) and this notification should be passed to the person
   responsible for security within your organization.
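  </p><p>
   The triage described in this section, as an added Python example that is
   not part of the original manual: it counts rejected events per confined
   profile, as the desktop applet does, and lists the resource each profile
   was denied so you can judge whether the access is normal behavior. The
   record layout (apparmor="DENIED", profile=, name=, denied_mask=) is an
   assumption based on the key=value audit records written by current AppArmor
   kernels, and all sample lines are constructed.
  </p>

```python
"""Triage AppArmor rejections from audit records (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Constructed sample records; none come from a real system. Assumed layout:
# the key=value AppArmor records that current kernels write to audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=4101 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300000005.222:202): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=4101 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300000009.640:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-app" name="/var/tmp/cache" pid=4200 comm="example-app" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1300000012.007:204): apparmor="DENIED" operation="capable" profile="/usr/bin/example-app" pid=4200 comm="example-app" capability=21 capname="sys_admin"
type=AVC msg=audit(1300000013.450:205): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name=2F7661722F746D702F63616368652066696C65 pid=4200 comm="example-app" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1300000015.330:206): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/ntpd" pid=4300 comm="apparmor_parser"
type=SYSCALL msg=audit(1300000015.330:206): arch=c000003e syscall=2 success=no exit=-13 pid=4101 comm="ntpd"
this line is truncated apparmor="DENIED
"""

# Matches key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# String fields that the audit subsystem writes unquoted and hex-encoded when
# they contain spaces or other unsafe characters.
STRING_FIELDS = {"name", "profile", "comm"}


def parse_record(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.group(1), match.group(2), match.group(3)
        if quoted is not None:
            value = quoted
        elif key in STRING_FIELDS and HEX_RE.fullmatch(bare):
            # Unquoted string field: decode the hex form back to text.
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            value = bare
        fields.setdefault(key, value)
    return fields if "apparmor" in fields else None


def resource_of(fields):
    """Describe what was denied: a capability or a file name."""
    if "capname" in fields:
        return "capability " + fields["capname"]
    return fields.get("name", "(no resource recorded)")


def rejects_by_profile(log_text):
    """Map each profile to a Counter of (operation, resource, denied_mask)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_record(line)
        # ALLOWED (complain mode), STATUS, foreign and damaged records
        # are not rejections and are skipped.
        if fields is None or fields["apparmor"] != "DENIED":
            continue
        profile = fields.get("profile", "(unknown profile)")
        event = (
            fields.get("operation", "?"),
            resource_of(fields),
            fields.get("denied_mask", "-"),
        )
        summary[profile][event] += 1
    return dict(summary)


def reject_totals(summary):
    """Number of rejected events per profile (what the applet displays)."""
    return {profile: sum(events.values()) for profile, events in summary.items()}


def format_report(summary):
    """Render the summary, busiest profile first, one denied resource per line."""
    totals = reject_totals(summary)
    lines = []
    for profile in sorted(summary, key=lambda p: (-totals[p], p)):
        lines.append(f"{profile}: {totals[profile]} rejected")
        for (operation, resource, mask), count in summary[profile].most_common():
            lines.append(f"  {count}x {operation} {resource} (denied mask: {mask})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(rejects_by_profile(SAMPLE_AUDIT_LOG)))
```

  <p>
   To run it against a live system, pass the contents of
   <code class="filename">/var/log/audit/audit.log</code> to
   <code class="literal">rejects_by_profile()</code> instead of the sample;
   profiles showing new or unusual denied resources are the ones to examine
   first.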
  </p></div><div class="sect1" title="26.6. Maintaining Your Security Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.managing.maintain"></a>26.6. Maintaining Your Security Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.maintain">¶</a></span></h2></div></div></div><p>
   In a production environment, you should plan on maintaining profiles for
   all of the deployed applications. The security policies are an integral
   part of your deployment. You should plan on taking steps to back up and
   restore security policy files, plan for software changes, and allow any
   needed modification of security policies that your environment dictates.
  </p><div class="sect2" title="26.6.1. Backing Up Your Security Profiles"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.maintain.backup"></a>26.6.1. Backing Up Your Security Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.maintain.backup">¶</a></span></h3></div></div></div><p>
    Backing up profiles might save you from having to reprofile all your
    programs after a disk crash. Also, if profiles are changed, you can
    easily restore previous settings by using the backed up files.
   </p><p>
    Back up profiles by copying the profile files to a specified directory.
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      You should first archive the files into one file. To do this, open a
      terminal window and enter the following as <code class="systemitem">root</code>:
     </p><pre class="screen">tar zclpf profiles.tgz /etc/apparmor.d</pre><p>
      The simplest method to ensure that your security policy files are
      regularly backed up is to include the directory
      <code class="filename">/etc/apparmor.d</code> in the list of directories that
      your backup system archives.
     </p></li><li><p>
      You can also use <span class="command"><strong>scp</strong></span> or a file manager like
      Konqueror or Nautilus to store the files on some kind of storage
      media, the network, or another computer.
     </p></li></ol></div></div><div class="sect2" title="26.6.2. Changing Your Security Profiles"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.maintain.change"></a>26.6.2. Changing Your Security Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.maintain.change">¶</a></span></h3></div></div></div><p>
    Maintenance of security profiles includes changing them if you decide
    that your system requires more or less security for its applications. To
    change your profiles in Novell AppArmor, refer to
    <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit" title="22.3. Editing Profiles">Section 22.3, &#8220;Editing Profiles&#8221;</a>.
   </p></div><div class="sect2" title="26.6.3. Introducing New Software into Your Environment"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.managing.maintain.change.new_software"></a>26.6.3. Introducing New Software into Your Environment<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.managing.maintain.change.new_software">¶</a></span></h3></div></div></div><p>
     When you add a new application version or patch to your system, you
     should always update the profile to fit your needs. You have several
     options, depending on your company's software deployment strategy. You
     can deploy your patches and upgrades into a test or production
     environment. The following explains how to update your profiles in each case.
   </p><p>
    If you intend to deploy a patch or upgrade in a test environment, the
    best method for updating your profiles is one of the following:
   </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
      Run the profiling wizard by selecting <span class="guimenu">Add Profile
      Wizard</span> in YaST. This creates a new profile for the added
      or patched application. For step-by-step instructions, refer to
      <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.wizard" title="22.1. Adding a Profile Using the Wizard">Section 22.1, &#8220;Adding a Profile Using the Wizard&#8221;</a>.
     </p></li><li class="listitem" style="list-style-type: disc"><p>
      Run aa-genprof by typing <span class="command"><strong>aa-genprof</strong></span> in a terminal
      while logged in as <code class="systemitem">root</code>. For detailed instructions, refer to
      <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary.genprof" title="23.6.3.4. aa-genprof&#8212;Generating Profiles">Section 23.6.3.4, &#8220;aa-genprof&#8212;Generating Profiles&#8221;</a>.
     </p></li></ul></div><p>
    If you intend to deploy a patch or upgrade directly into a production
    environment, the best method for updating your profiles is one of the
    following:
   </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
      Monitor the system frequently to determine if any new rejections
      should be added to the profile and update as needed using aa-logprof.
      For detailed instructions, refer to
      <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary.logprof" title="23.6.3.5. aa-logprof&#8212;Scanning the System Log">Section 23.6.3.5, &#8220;aa-logprof&#8212;Scanning the System Log&#8221;</a>.
     </p></li><li class="listitem" style="list-style-type: disc"><p>
       Run the YaST <span class="guimenu">Update Profile Wizard</span> to learn the
       new behavior. This carries a high security risk, because all accesses
       are allowed and logged, not rejected. For step-by-step instructions, refer to
      <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.update" title="22.5. Updating Profiles from Log Entries">Section 22.5, &#8220;Updating Profiles from Log Entries&#8221;</a>.
      </p></li></ul></div></div></div></div></body></html>
