After creating profiles and immunizing your applications, openSUSE® becomes more efficient and better protected as long as you perform AppArmor® profile maintenance (which involves analyzing log files, refining your profiles, backing up your set of profiles and keeping it up-to-date). You can deal with these issues before they become a problem by setting up event notification by e-mail, running periodic reports, updating profiles from system log entries by running the aa-logprof tool through YaST, and dealing with maintenance issues.
When you receive a security event rejection, examine the access violation and determine if that event indicated a threat or was part of normal application behavior. Application-specific knowledge is required to make the determination. If the rejected action is part of normal application behavior, run aa-logprof at the command line or the in AppArmor to update your profile.
If the rejected action is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
In a production environment, you should plan on maintaining profiles for all of the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to back up and restore security policy files, plan for software changes, and allow any needed modification of security policies that your environment dictates.
Backing up profiles might save you from having to reprofile all your programs after a disk crash. Also, if profiles are changed, you can easily restore previous settings by using the backed up files.
Back up profiles by copying the profile files to a specified directory.
You should first archive the files into one file. To do this, open a
terminal window and enter the following as root:
tar zclpf profiles.tgz /etc/apparmor.d
The simplest method to ensure that your security policy files are
regularly backed up is to include the directory
/etc/apparmor.d in the list of directories that
your backup system archives.
You can also use scp or a file manager like Konqueror or Nautilus to store the files on some kind of storage media, the network, or another computer.
Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in AppArmor, refer to Раздел 21.3, «Editing Profiles».
When you add a new application version or patch to your system, you should always update the profile to fit your needs. You have several options, depending on your company's software deployment strategy. You can deploy your patches and upgrades into a test or production environment. The following explains how to do this with each method.
If you intend to deploy a patch or upgrade in a test environment, the best method for updating your profiles is one of the following:
Run the profiling wizard by selecting in YaST. This creates a new profile for the added or patched application. For step-by-step instructions, refer to Раздел 21.1, «Adding a Profile Using the Wizard».
Run aa-genprof by typing aa-genprof in a terminal
while logged in as root. For detailed instructions, refer to
Раздел 22.6.3.4, «aa-genprof—Generating Profiles».
If you intend to deploy a patch or upgrade directly into a production environment, the best method for updating your profiles is one of the following:
Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed using aa-logprof. For detailed instructions, refer to Раздел 22.6.3.5, «aa-logprof—Scanning the System Log».
Run the YaST to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to Раздел 21.5, «Updating Profiles from Log Entries».