openSUSE 12.1: Глава 17. Getting Started

Глава 17. Getting Started¶

Содержание

17.1. Installing AppArmor
17.2. Enabling and Disabling AppArmor
17.3. Choosing the Applications to Profile
17.4. Building and Modifying Profiles
17.5. Updating Your Profiles

Prepare a successful deployment of AppArmor on your system by carefully considering the following items:

Determine the applications to profile. Read more on this in Раздел 17.3, «Choosing the Applications to Profile».
Build the needed profiles as roughly outlined in Раздел 17.4, «Building and Modifying Profiles». Check the results and adjust the profiles when necessary.
Update your profiles whenever your environment changes or you need to react to security events logged by AppArmor's reporting tool. Refer to Раздел 17.5, «Updating Your Profiles».

17.1. Installing AppArmor¶

AppArmor is installed and running on any installation of openSUSE® by default, regardless of what patterns are installed. The packages listed below are needed for a fully-functional instance of AppArmor

apparmor-docs
apparmor-parser
apparmor-profiles
apparmor-utils
audit
libapparmor1
perl-libapparmor
yast2-apparmor

17.2. Enabling and Disabling AppArmor¶

AppArmor is configured to run by default on any fresh installation of openSUSE. There are two ways of toggling the status of AppArmor:

Using YaST System Services (Runlevel): Disable or enable AppArmor by removing or adding its boot script to the sequence of scripts executed on system boot. Status changes are applied on reboot.
Using AppArmor Control Panel: Toggle the status of AppArmor in a running system by switching it off or on using the YaST AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.

To disable AppArmor permanently (by removing it from the sequence of scripts executed on system boot) proceed as follows:

Start YaST.
Select System+System Services (Runlevel).
Select Expert Mode.
Select boot.apparmor and click Set/Reset+Disable the service.
Exit the YaST Runlevel tool with Finish.

AppArmor will not be initialized on reboot, and stays inactive until you reenable it. Reenabling a service using the YaST Runlevel tool is similar to disabling it.

Toggle the status of AppArmor in a running system by using the AppArmor Control Panel. These changes take effect as soon as you apply them and survive a reboot of the system. To toggle AppArmor's status, proceed as follows:

Start YaST.
Select AppArmor+AppArmor Control Panel.
Select Enable AppArmor. To disable AppArmor, uncheck this option.
Exit the AppArmor Control Panel with Done.

17.3. Choosing the Applications to Profile¶

You only need to protect the programs that are exposed to attacks in your particular setup, so only use profiles for those applications you actually run. Use the following list to determine the most likely candidates:

Network Agents

Web Applications

Cron Jobs

To find out which processes are currently running with open network ports and might need a profile to confine them, run aa-unconfined as root.

Пример 17.1. Output of aa-unconfined¶

19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'

Each of the processes in the above example labeled not confined might need a custom profile to confine it. Those labeled confined by are already protected by AppArmor.

	For More Information
For more information about choosing the the right applications to profile, refer to Раздел 18.2, «Determining Programs to Immunize».

17.4. Building and Modifying Profiles¶

AppArmor on openSUSE ships with a preconfigured set of profiles for the most important applications. In addition, you can use AppArmor to create your own profiles for any application you want.

There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.

For each application, perform the following steps to create a profile:

As root, let AppArmor create a rough outline of the application's profile by running aa-genprof programname
or
Outline the basic profile by running YaST+AppArmor+Add Profile Wizard and specifying the complete path to the application you want to profile.
A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing, but does not yet restrict it.
Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.
Let AppArmor analyze the log files generated in Шаг 2 by typing S in aa-genprof.
or
Analyze the logs by clicking Scan System Log for AppArmor Events in the Add Profile Wizard and following the instructions given in the wizard until the profile is completed.
AppArmor scans the logs it recorded during the application's run and asks you to set the access rights for each event that was logged. Either set them for each file or use globbing.
Depending on the complexity of your application, it might be necessary to repeat Шаг 2 and Шаг 3. Confine the application, exercise it under the confined conditions, and process any new log events. To properly confine the full range of an application's capabilities, you might be required to repeat this procedure often.
Once all access permissions are set, your profile is set to enforce mode. The profile is applied and AppArmor restricts the application according to the profile just created.
If you started aa-genprof on an application that had an existing profile that was in complain mode, this profile remains in learning mode upon exit of this learning cycle. For more information about changing the mode of a profile, refer to Раздел 22.6.3.2, «aa-complain—Entering Complain or Learning Mode» and Раздел 22.6.3.3, «aa-enforce—Entering Enforce Mode».

Test your profile settings by performing every task you need with the application you just confined. Normally, the confined program runs smoothly and you do not notice AppArmor activities at all. However, if you notice certain misbehavior with your application, check the system logs and see if AppArmor is too tightly confining your application. Depending on the log mechanism used on your system, there are several places to look for AppArmor log entries:

/var/log/audit/audit.log

/var/log/messages

dmesg

To adjust the profile, analyze the log messages relating to this application again as described in Шаг 3. Determine the access rights or restrictions when prompted.

	For More Information
For more information about profile building and modification, refer to Глава 19, Profile Components and Syntax, Глава 21, Building and Managing Profiles with YaST, and Глава 22, Building Profiles from the Command Line.

17.5. Updating Your Profiles¶

Software and system configurations change over time. As a result, your profile setup for AppArmor might need some fine-tuning from time to time. AppArmor checks your system log for policy violations or other AppArmor events and lets you adjust your profile set accordingly. Any application behavior that is outside of any profile definition can also be addressed using the Update Profile Wizard.

To update your profile set, proceed as follows:

Start YaST and choose AppArmor+Update Profile Wizard.
Adjust access or execute rights to any resource or for any executable that has been logged when prompted.
Leave YaST after you have answered all questions. Your changes are applied to the respective profiles.

	For More Information
For more information about updating your profiles from the system logs, refer to Раздел 21.5, «Updating Profiles from Log Entries».