<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 18. Getting Started</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.apparmor.html" title="Part IV. Confining Privileges with Novell AppArmor"><link rel="prev" href="cha.apparmor.intro.html" title="Chapter 17. Introducing AppArmor"><link rel="next" href="cha.apparmor.concept.html" title="Chapter 19. Immunizing Programs"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> &gt; </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> &gt; </span><a href="part.apparmor.html">Confining Privileges with Novell AppArmor</a><span class="breadcrumbs-sep"> &gt; </span><strong><a accesskey="p" title="Chapter 17. Introducing AppArmor" href="cha.apparmor.intro.html"><span>&#9664;</span></a>  <a accesskey="n" title="Chapter 19. Immunizing Programs" href="cha.apparmor.concept.html"><span>&#9654;</span></a></strong></p></div></td></tr></table></div><div class="chapter" title="Chapter 18. Getting Started"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apparmor.start"></a>Chapter 18. Getting Started<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apparmor.start">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apparmor.start.html#sec.apparmor.start.install">18.1. Installing Novell AppArmor</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.start.html#sec.apparmor.start.enable">18.2. 
Enabling and Disabling Novell AppArmor</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.start.html#sec.apparmor.start.choose">18.3. Choosing the Applications to Profile</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.start.html#sec.apparmor.start.build">18.4. Building and Modifying Profiles</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.start.html#sec.apparmor.start.report">18.5. Configuring Novell AppArmor Event Notification and Reports</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.start.html#sec.apparmor.start.update">18.6. Updating Your Profiles</a></span></dt></dl></div><p>
  Prepare a successful deployment of Novell AppArmor on your system by carefully
  considering the following items:
 </p><div class="procedure"><ol class="procedure" type="1"><li><p>
    Determine the applications to profile. Read more on this in
    <a class="xref" href="cha.apparmor.start.html#sec.apparmor.start.choose" title="18.3. Choosing the Applications to Profile">Section 18.3, &#8220;Choosing the Applications to Profile&#8221;</a>.
   </p></li><li><p>
    Build the needed profiles as roughly outlined in
    <a class="xref" href="cha.apparmor.start.html#sec.apparmor.start.build" title="18.4. Building and Modifying Profiles">Section 18.4, &#8220;Building and Modifying Profiles&#8221;</a>. Check the results and adjust
    the profiles when necessary.
   </p></li><li><p>
    Keep track of what is happening on your system by running AppArmor reports
    and dealing with security events. Refer to
    <a class="xref" href="cha.apparmor.start.html#sec.apparmor.start.report" title="18.5. Configuring Novell AppArmor Event Notification and Reports">Section 18.5, &#8220;Configuring Novell AppArmor Event Notification and Reports&#8221;</a>.
   </p></li><li><p>
    Update your profiles whenever your environment changes or you need to
    react to security events logged by AppArmor's reporting tool. Refer to
    <a class="xref" href="cha.apparmor.start.html#sec.apparmor.start.update" title="18.6. Updating Your Profiles">Section 18.6, &#8220;Updating Your Profiles&#8221;</a>.
   </p></li></ol></div><div class="sect1" title="18.1. Installing Novell AppArmor"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.start.install"></a>18.1. Installing Novell AppArmor<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.start.install">¶</a></span></h2></div></div></div><p>
   Novell AppArmor is installed and running on any installation of openSUSE® by
   default, regardless of what patterns are installed. The packages listed
   below are needed for a fully functional instance of AppArmor:
  </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet" compact><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">apparmor-docs</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">apparmor-parser</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">apparmor-profiles</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">apparmor-utils</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">audit</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">libapparmor1</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">perl-libapparmor</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="systemitem">yast2-apparmor</code>
    </p></li></ul></div></div><div class="sect1" title="18.2. Enabling and Disabling Novell AppArmor"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.start.enable"></a>18.2. Enabling and Disabling Novell AppArmor<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.start.enable">¶</a></span></h2></div></div></div><p>
   Novell AppArmor is configured to run by default on any fresh installation of
   openSUSE. There are two ways of toggling the status of AppArmor:
  </p><div class="variablelist"><dl><dt><span class="term">Using YaST System Services (Runlevel)</span></dt><dd><p>
      Disable or enable AppArmor by removing or adding its boot script to the
      sequence of scripts executed on system boot. Status changes are
      applied on reboot.
     </p></dd><dt><span class="term">Using Novell AppArmor Control Panel</span></dt><dd><p>
      Toggle the status of Novell AppArmor in a running system by switching it off or
      on using the YaST Novell AppArmor Control Panel. Changes made here are applied
      instantaneously. The Control Panel triggers a stop or start event for
      AppArmor and removes or adds its boot script in the system's boot
      sequence.
     </p></dd></dl></div><p>
   To disable AppArmor permanently (by removing it from the sequence of scripts
   executed on system boot) proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST.
    </p></li><li><p>
     Select <span class="guimenu">System</span>+<span class="guimenu">System Services
     (Runlevel)</span>.
    </p></li><li><p>
     Select <span class="guimenu">Expert Mode</span>.
    </p></li><li><p>
     Select <code class="literal">boot.apparmor</code> and click <span class="guimenu">Set/Reset</span>+<span class="guimenu">Disable the service</span>.
    </p></li><li><p>
     Exit the YaST Runlevel tool with <span class="guimenu">Finish</span>.
    </p></li></ol></div><p>
   AppArmor will not be initialized on reboot, and stays inactive until you
   reenable it. Reenabling a service using the YaST Runlevel tool is
   similar to disabling it.
  </p><p>
   Toggle the status of AppArmor in a running system by using the AppArmor Control
   Panel. These changes take effect as soon as you apply them and survive a
   reboot of the system. To toggle AppArmor's status, proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST.
    </p></li><li><p>
     Select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">AppArmor Control
     Panel</span>.
    </p></li><li><p>
     Select <span class="guimenu">Enable AppArmor</span>. To
     disable AppArmor, uncheck this option.
    </p></li><li><p>
     Exit the AppArmor Control Panel with <span class="guimenu">Done</span>.
    </p></li></ol></div></div><div class="sect1" title="18.3. Choosing the Applications to Profile"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.start.choose"></a>18.3. Choosing the Applications to Profile<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.start.choose">¶</a></span></h2></div></div></div><p>
   You only need to protect the programs that are exposed to attacks in your
   particular setup, so only use profiles for those applications you
   actually run. Use the following list to determine the most likely
   candidates:
  </p><table border="0" summary="Simple list" class="simplelist"><tr><td>Network Agents</td></tr><tr><td>Web Applications</td></tr><tr><td>Cron Jobs</td></tr></table><p>
   To find out which processes are currently running with open network ports
   and might need a profile to confine them, run
   <span class="command"><strong>aa-unconfined</strong></span> as <code class="systemitem">root</code>.
  </p><div class="example"><a name="ex.unconfined"></a><p class="title"><b>Example 18.1. Output of <span class="command">aa-unconfined</span></b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.unconfined">¶</a></span></p><div class="example-contents"><pre class="screen">19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'</pre></div></div><br class="example-break"><p>
   Each of the processes in the above example labeled <code class="literal">not
   confined</code> might need a custom profile to confine it. Those
   labeled <code class="literal">confined by</code> are already protected by AppArmor.
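   </p><p>
    The triage of that output can be scripted. The following Python code is an
    added example, not part of the original manual or of the AppArmor tools: it
    parses output in the format of Example 18.1 and separates programs that have
    no profile from programs whose profile is loaded but not attached to an
    instance that was already running. The function names and the three result
    categories are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed input: the four lines of Example 18.1.
SAMPLE = """\
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
"""

# pid, executable path, then either "not confined" or "confined by 'PROFILE (MODE)'"
LINE = re.compile(r"^(\d+)\s+(.+?)\s+(?:not confined|confined by '(.+) \((\w+)\)')\s*$")


def parse(output):
    """Return one record per process line; lines in another shape are skipped."""
    records = []
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, exe, profile, mode = m.groups()
        records.append({"pid": int(pid), "exe": exe, "profile": profile, "mode": mode})
    return records


def triage(records):
    """Group the findings by what the administrator has to do about them."""
    by_exe = defaultdict(lambda: {"free": [], "profiles": set()})
    for r in records:
        entry = by_exe[r["exe"]]
        if r["profile"] is None:
            entry["free"].append(r["pid"])
        else:
            entry["profiles"].add((r["profile"], r["mode"]))

    plan = {"needs_profile": {}, "restart_to_confine": {}, "complain_only": {}}
    for exe, entry in sorted(by_exe.items()):
        if entry["free"]:
            # Heuristic: a profile is attached when a program is executed, so an
            # instance that was running before the profile was loaded stays free
            # until it is restarted. No profile seen at all means one is missing.
            key = "restart_to_confine" if entry["profiles"] else "needs_profile"
            plan[key][exe] = sorted(entry["free"])
        for profile, mode in sorted(entry["profiles"]):
            if mode != "enforce":
                # Any mode other than enforce logs activity but does not restrict it.
                plan["complain_only"][exe] = profile
    return plan


if __name__ == "__main__":
    for action, items in triage(parse(SAMPLE)).items():
        print(action, items)
```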
  </p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: For More Information"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    For more information about choosing the right applications to
    profile, refer to <a class="xref" href="cha.apparmor.concept.html#sec.apparmor.concept.determine" title="19.2. Determining Programs to Immunize">Section 19.2, &#8220;Determining Programs to Immunize&#8221;</a>.
   </p></td></tr></table></div></div><div class="sect1" title="18.4. Building and Modifying Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.start.build"></a>18.4. Building and Modifying Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.start.build">¶</a></span></h2></div></div></div><p>
   Novell AppArmor on openSUSE ships with a preconfigured set of profiles for the
   most important applications. In addition, you can use AppArmor to create your
   own profiles for any application you want.
  </p><p>
   There are two ways of managing profiles. One is to use the graphical
   front-end provided by the YaST Novell AppArmor modules and the other is to use
   the command line tools provided by the AppArmor suite itself. Both methods
   basically work the same way.
  </p><p>
   For each application, perform the following steps to create a profile:
  </p><div class="procedure"><a name="proc.genprof"></a><ol class="procedure" type="1"><li id="st.genprof1"><p>
     As <code class="systemitem">root</code>, let AppArmor create a rough outline of the application's
     profile by running <span class="command"><strong>aa-genprof
     <em class="replaceable"><code>programname</code></em></strong></span>
    </p><p>
     <span class="emphasis"><em>or</em></span>
    </p><p>
     Outline the basic profile by running <span class="guimenu">YaST</span>+<span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Add Profile
     Wizard</span> and specifying the complete path to the
     application you want to profile.
    </p><p>
     A basic profile is outlined and AppArmor is put into learning mode, which
     means that it logs any activity of the program you are executing, but
     does not yet restrict it.
    </p></li><li id="st.genprof2"><p>
     Run the full range of the application's actions to let AppArmor get a very
     specific picture of its activities.
    </p></li><li id="st.genprof3"><p>
     Let AppArmor analyze the log files generated in
     <a class="xref" href="cha.apparmor.start.html#st.genprof2" title="Step 2">Step 2</a> by typing <span class="keycap">S</span> in
     aa-genprof.
    </p><p>
     <span class="emphasis"><em>or</em></span>
    </p><p>
     Analyze the logs by clicking <span class="guimenu">Scan System Log for AppArmor
     Events</span> in the <span class="guimenu">Add Profile Wizard</span> and
     following the instructions given in the wizard until the profile is
     completed.
    </p><p>
     AppArmor scans the logs it recorded during the application's run and asks
     you to set the access rights for each event that was logged. Either set
     them for each file or use globbing.
    </p></li><li><p>
     Depending on the complexity of your application, it might be necessary
     to repeat <a class="xref" href="cha.apparmor.start.html#st.genprof2" title="Step 2">Step 2</a> and
     <a class="xref" href="cha.apparmor.start.html#st.genprof3" title="Step 3">Step 3</a>. Confine the application, exercise it
     under the confined conditions, and process any new log events. To
     properly confine the full range of an application's capabilities, you
     might be required to repeat this procedure often.
    </p></li><li id="st.genprof4"><p>
     Once all access permissions are set, your profile is set to enforce
     mode. The profile is applied and AppArmor restricts the application
     according to the profile just created.
    </p><p>
     If you started aa-genprof on an application that had an existing
     profile that was in complain mode, this profile remains in learning
     mode upon exit of this learning cycle. For more information about
     changing the mode of a profile, refer to
     <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary.complain" title="23.6.3.2. aa-complain&#8212;Entering Complain or Learning Mode">Section 23.6.3.2, &#8220;aa-complain&#8212;Entering Complain or Learning Mode&#8221;</a>
     and
     <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary.enforce" title="23.6.3.3. aa-enforce&#8212;Entering Enforce Mode">Section 23.6.3.3, &#8220;aa-enforce&#8212;Entering Enforce Mode&#8221;</a>.
    </p></li></ol></div><p>
   Test your profile settings by performing every task you need with the
   application you just confined. Normally, the confined program runs
   smoothly and you do not notice AppArmor activities at all. However, if you
   notice certain misbehavior with your application, check the system logs
   and see if AppArmor is too tightly confining your application. Depending on
   the log mechanism used on your system, there are several places to look
   for AppArmor log entries:
  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><code class="filename">/var/log/audit/audit.log</code>
   </td></tr><tr><td><code class="filename">/var/log/messages</code>
   </td></tr><tr><td><code class="filename">dmesg</code>
   </td></tr></table><p>
   To adjust the profile, analyze the log messages relating to this
   application again as described in <a class="xref" href="cha.apparmor.start.html#st.genprof3" title="Step 3">Step 3</a>.
   Determine the access rights or restrictions when prompted.
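   </p><p>
    One way to get an overview of what an enforced profile is blocking before
    answering those prompts, as an added Python example that is not part of the
    original manual or of the AppArmor tools: it groups denied events by profile.
    The sample records are constructed, and their key="value" layout with
    apparmor="DENIED" is an assumption based on current kernels; the records
    written by the release this manual describes may be laid out differently.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real system); field layout is assumed.
SAMPLE_LOG = '''\
type=AVC msg=audit(1300000000.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/ssl/server.key" pid=19848 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300000000.250:42): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/ssl/server.key" pid=19848 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300000003.007:43): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name=2F746D702F6D7920646F63 pid=19848 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1300000009.500:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/etc/motd" pid=29205 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1300000009.500:44): arch=c000003e syscall=2 success=yes exit=3 pid=29205 comm="sshd"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode(key, raw):
    """Unquote a value; undo the hex form audit uses for strings with spaces."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in ("name", "profile", "comm") and HEX.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_event(line):
    """Return the fields of one AppArmor record, or None for any other line."""
    fields = {k: decode(k, v) for k, v in FIELD.findall(line)}
    return fields if "apparmor" in fields and "profile" in fields else None


def denials_by_profile(log_text):
    """Count DENIED events per profile, keyed by (operation, name, denied_mask)."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["apparmor"] != "DENIED":
            continue  # ALLOWED records come from complain mode: logged, not blocked
        key = (ev.get("operation", "?"), ev.get("name", "?"), ev.get("denied_mask", "?"))
        summary[ev["profile"]][key] += 1
    return {profile: dict(events) for profile, events in summary.items()}


def report(summary):
    """Render the summary, most frequent denial first within each profile."""
    lines = []
    for profile in sorted(summary):
        lines.append("profile " + profile)
        ranked = sorted(summary[profile].items(), key=lambda kv: (-kv[1], kv[0]))
        for (operation, name, mask), count in ranked:
            lines.append("  %dx %s %s (denied: %s)" % (count, operation, name, mask))
    return lines


if __name__ == "__main__":
    print("\n".join(report(denials_by_profile(SAMPLE_LOG))))
```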
  </p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: For More Information"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    For more information about profile building and modification, refer to
    <a class="xref" href="cha.apparmor.profiles.html" title="Chapter 20. Profile Components and Syntax">Chapter 20, <i>Profile Components and Syntax</i></a>,
    <a class="xref" href="cha.apparmor.yast.html" title="Chapter 22. Building and Managing Profiles with YaST">Chapter 22, <i>Building and Managing Profiles with YaST</i></a>, and
    <a class="xref" href="cha.apparmor.commandline.html" title="Chapter 23. Building Profiles from the Command Line">Chapter 23, <i>Building Profiles from the Command Line</i></a>.
   </p></td></tr></table></div></div><div class="sect1" title="18.5. Configuring Novell AppArmor Event Notification and Reports"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.start.report"></a>18.5. Configuring Novell AppArmor Event Notification and Reports<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.start.report">¶</a></span></h2></div></div></div><p></p><p>
   Set up event notification in Novell AppArmor so you can review security events.
   Event Notification is a Novell AppArmor feature that informs a specified e-mail
   recipient when systemic Novell AppArmor activity occurs under the chosen severity
   level. This feature is currently available in the YaST interface.
  </p><p>
   To set up event notification in YaST, proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Make sure that a mail server is running on your system to deliver the
     event notifications.
    </p></li><li><p>
     Start YaST. Then select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">AppArmor Control Panel</span>. In
     <span class="guimenu">Security Event Notification</span>, select
     <span class="guimenu">Configure</span>.
    </p></li><li><p>
     For each record type (<span class="guimenu">Terse</span>,
     <span class="guimenu">Summary</span>, and <span class="guimenu">Verbose</span>), set a
     report frequency, enter the e-mail address that should receive the
     reports, and determine the severity of events to log. To include
     unknown events in the event reports, check <span class="guimenu">Include Unknown
     Severity Events</span>.
    </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Selecting Events to Log"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Selecting Events to Log</th></tr><tr><td colspan="2" align="left" valign="top"><p>
      Unless you are familiar with AppArmor's event categorization, choose to be
      notified about events for all security levels.
     </p></td></tr></table></div></li><li><p>
     Leave this dialog with <span class="guimenu">OK</span>+<span class="guimenu">Done</span> to apply your settings.
    </p></li></ol></div><p>
   Using Novell AppArmor reports, you can read important Novell AppArmor security events
   reported in the log files without manually sifting through the cumbersome
   messages only useful to the aa-logprof tool. You can decrease the size of
   the report by filtering by date range or program name.
  </p><p>
   To configure the AppArmor reports, proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST. Select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">AppArmor Reports</span>.
    </p></li><li><p>
     Select the type of report to examine or configure from
     <span class="guimenu">Executive Security Summary</span>, <span class="guimenu">Applications
     Audit</span>, and <span class="guimenu">Security Incident Report</span>.
    </p></li><li><p>
     Edit the report generation frequency, e-mail address, export format,
     and location of the reports by selecting <span class="guimenu">Edit</span> and
     providing the requested data.
    </p></li><li><p>
     To run a report of the selected type, click <span class="guimenu">Run Now</span>.
    </p></li><li><p>
     Browse through the archived reports of a given type by selecting
     <span class="guimenu">View Archive</span> and specifying the report type.
    </p><p>
     <span class="emphasis"><em>or</em></span>
    </p><p>
     Delete unneeded reports or add new ones.
    </p></li></ol></div><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: For More Information"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    For more information about configuring event notification in Novell AppArmor,
    refer to <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_sen" title="26.2. Configuring Security Event Notification">Section 26.2, &#8220;Configuring Security Event Notification&#8221;</a>. Find more
    information about report configuration in
    <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports" title="26.3. Configuring Reports">Section 26.3, &#8220;Configuring Reports&#8221;</a>.
   </p></td></tr></table></div></div><div class="sect1" title="18.6. Updating Your Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.start.update"></a>18.6. Updating Your Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.start.update">¶</a></span></h2></div></div></div><p>
   Software and system configurations change over time. As a result, your
   profile setup for AppArmor might need some fine-tuning from time to time.
   AppArmor checks your system log for policy violations or other AppArmor events
   and lets you adjust your profile set accordingly. Any application
   behavior that is outside of any profile definition can also be addressed
   using the <span class="guimenu">Update Profile Wizard</span>.
  </p><p>
   To update your profile set, proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST and choose <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Update Profile Wizard</span>.
    </p></li><li><p>
     Adjust access or execute rights to any resource or for any executable
     that has been logged when prompted.
    </p></li><li><p>
     Leave YaST after you have answered all questions. Your changes are
     applied to the respective profiles.
    </p></li></ol></div><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: For More Information"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    For more information about updating your profiles from the system logs,
    refer to <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.update" title="22.5. Updating Profiles from Log Entries">Section 22.5, &#8220;Updating Profiles from Log Entries&#8221;</a>.
    </p></td></tr></table></div></div></div></body></html>
