Chapter 22. Building and Managing Profiles with YaST

Chapter 22. Building and Managing Profiles with YaST¶

Contents

22.1. Adding a Profile Using the Wizard
22.2. Manually Adding a Profile
22.3. Editing Profiles
22.4. Deleting a Profile
22.5. Updating Profiles from Log Entries
22.6. Managing Novell AppArmor and Security Event Status

YaST provides an easy way to build profiles and manage Novell® AppArmor. It provides two interfaces: a graphical one and a text-based one. The text-based interface consumes less resources and bandwidth, making it a better choice for remote administration, or for times when a local graphical environment is inconvenient. Although the interfaces have differing appearances, they offer the same functionality in similar ways. Another alternative is to use AppArmor commands, which can control AppArmor from a terminal window or through remote connections. The command line tools are described in Chapter 23, Building Profiles from the Command Line.

Start YaST from the main menu and enter your root password when prompted for it. Alternatively, start YaST by opening a terminal window, logging in as root, and entering yast2 for the graphical mode or yast for the text-based mode.

Figure 22.1. YaST Controls for AppArmor

The right frame shows the AppArmor options:

Add Profile Wizard: For detailed steps, refer to Section 22.1, “Adding a Profile Using the Wizard”.
Manually Add Profile: Add a Novell AppArmor profile for an application on your system without the help of the wizard. For detailed steps, refer to Section 22.2, “Manually Adding a Profile”.
Edit Profile: Edits an existing Novell AppArmor profile on your system. For detailed steps, refer to Section 22.3, “Editing Profiles”.
Delete Profile: Deletes an existing Novell AppArmor profile from your system. For detailed steps, refer to Section 22.4, “Deleting a Profile”.
Update Profile Wizard: For detailed steps, refer to Section 22.5, “Updating Profiles from Log Entries”.
AppArmor Reports: For detailed steps, refer to Section 26.3, “Configuring Reports”.
AppArmor Control Panel: For detailed steps, refer to Section 22.6, “Managing Novell AppArmor and Security Event Status”.

22.1. Adding a Profile Using the Wizard¶

Add Profile Wizard is designed to set up Novell AppArmor profiles using the AppArmor profiling tools, aa-genprof (generate profile) and aa-logprof (update profiles from learning mode log file). For more information about these tools, refer to Section 23.6.3, “Summary of Profiling Tools”.

Stop the application before profiling it to ensure that application start-up is included in the profile. To do this, make sure that the application or daemon is not running.
For example, enter rcPROGRAM stop (or /etc/init.d/PROGRAM stop) in a terminal window while logged in as root, replacing PROGRAM with the name of the program to profile.
Start YaST and select Novell AppArmor+Add Profile Wizard.
Enter the name of the application or browse to the location of the program.
Click Create. This runs an AppArmor tool named aa-autodep, which performs a static analysis of the program to profile and loads an approximate profile into the AppArmor module. For more information about aa-autodep, refer to Section 23.6.3.1, “aa-autodep—Creating Approximate Profiles”.
Depending on whether the profile you are about to create already exists either in the local profile repository (see Section 21.1, “Using the Local Repository”) or in the external profile repository (see Chapter 21, AppArmor Profile Repositories) or whether it does not exist yet, proceed with one of the following options:
- Determine whether you want to use or fine-tune an already existing profile from your local profile repository, as outlined in Step 5.
- Determine whether you want to use or fine-tune an already existing profile from the external profile repository, as outlined in Step 6.
- Create the profile from scratch and proceed with Step 7 and beyond.
If the profile already exists in the local profile repository under /etc/apparmor/profiles/extra, YaST informs you that there is an inactive profile which you can either use as a base for your own efforts or which you can just accept as is.
Alternatively, you can choose not to use the local version at all and start creating the profile from scratch. In any case, proceed with Step 7.
If the profile already exists in the external profile repository and this is the first time you tried to create a profile that already exists in the repository, configure your access to the server and determine how to use it:
1. Determine whether you want to enable access to the external repository or postpone this decision. In case you have selected Enable Repository, determine the access mode (download/upload) in a next step. In case you want to postpone the decision, select Ask Me Later and proceed directly to Step 7.
2. Provide username and password for your account on the profile repository server and register at the server.
3. Select the profile to use and proceed to Step 7.
Run the application to profile.
Perform as many of the application functions as possible, so that learning mode can log the files and directories to which the program requires access to function properly. Be sure to include restarting and stopping the program in the exercised functions. AppArmor needs to handle these events, as well as any other program function.
Click Scan system log for AppArmor events to parse the learning mode log files. This generates a series of questions that you must answer to guide the wizard in generating the security profile.
If requests to add hats appear, proceed to Chapter 24, Profiling Your Web Applications Using ChangeHat.
The questions fall into two categories:
- A resource is requested by a profiled program that is not in the profile (see Figure 22.2, “Learning Mode Exception: Controlling Access to Specific Resources”). Allow or deny access to a specific resource.
- A program is executed by the profiled program and the security domain transition has not been defined (see Figure 22.3, “Learning Mode Exception: Defining Execute Permissions for an Entry”). Define execute permissions for an entry.
Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program to the profile. For an example of each case, see Figure 22.2, “Learning Mode Exception: Controlling Access to Specific Resources” and Figure 22.3, “Learning Mode Exception: Defining Execute Permissions for an Entry”. Subsequent steps describe your options in answering these questions.
Varying Processing Options
Depending on the type of entry processed, the available options vary.
Figure 22.2. Learning Mode Exception: Controlling Access to Specific Resources¶

Figure 22.3. Learning Mode Exception: Defining Execute Permissions for an Entry¶

	Varying Processing Options
Depending on the type of entry processed, the available options vary.

The Add Profile Wizard begins suggesting directory path entries that have been accessed by the application profiled (as seen in Figure 22.2, “Learning Mode Exception: Controlling Access to Specific Resources”) or requires you to define execute permissions for entries (as seen in Figure 22.3, “Learning Mode Exception: Defining Execute Permissions for an Entry”).

For Figure 22.2: Learning Mode Exception: Controlling Access to Specific Resources: Select the option that satisfies the request for access, which could be a suggested include, a particular globbed version of the path, or the actual pathname. Depending on the situation, these options are available:
#include
The section of a Novell AppArmor profile that refers to an include file. Include files give access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.
Globbed Version
Accessed by clicking Glob. For information about globbing syntax, refer to Section 20.6, “Paths and Globbing”.
Actual Pathname
Literal path that the program needs to access to run properly.
After selecting a directory path, process it as an entry to the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
The following options are available to process the learning mode entries and build the profile:
Allow
Grant the program access to the specified directory path entries. The Add Profile Wizard suggests file permission access. For more information about this, refer to Section 20.7, “File Permission Access Modes”.
Deny
Click Deny to prevent the program from accessing the specified paths.
Glob
Clicking this modifies the directory path (using wild cards) to include all files in the suggested directory. Double-clicking it grants access to all files and subdirectories beneath the one shown. For more information about globbing syntax, refer to Section 20.6, “Paths and Globbing”.
Glob w/Ext
Modify the original directory path while retaining the filename extension. A single click causes /etc/apache2/file.ext to become /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directories that end with the .ext extension. When you double-click it, access is granted to all files with the particular extension and subdirectories beneath the one shown.
Edit
Edit the highlighted line. The new edited line appears at the bottom of the list.
Abort
Abort aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.
Finish
Close aa-logprof, saving all rule changes entered so far and modifying all profiles.
Click Allow or Deny for each learning mode entry. These help build the Novell AppArmor profile.
The number of learning mode entries corresponds to the complexity of the application.

For Figure 22.3: Learning Mode Exception: Defining Execute Permissions for an Entry: From the following options, select the one that satisfies the request for access. For detailed information about the options available, refer to Section 20.7, “File Permission Access Modes”.

Inherit

Stay in the same security profile (parent's profile).

Profile

Require a separate profile to exist for the executed program. When selecting this option, also select whether AppArmor should sanitize the environment when switching profiles by removing certain environment variables that can modify the execution behavior of the child process. Unless these variables are absolutely required to properly execute the child process, always choose the more secure, sanitized option.

Unconfined

Execute the program without a security profile. When prompted, have AppArmor sanitize the environment to avoid adding security risks by inheriting certain environmental variables from the parent process.

	Risks of Running Unconfined
Unless absolutely necessary, do not run unconfined. Choosing the Unconfined option executes the new program without any protection from AppArmor.

Deny

Click Deny to prevent the program from accessing the specified paths.

Abort

Abort aa-logprof, losing all rule changes entered so far, and leaving all profiles unmodified.

Finish

Close aa-logprof, saving all rule changes entered so far, and modifying all profiles.

Repeat the previous steps if you need to execute more functionality of the application.
When you are done, click Finish. Choose to apply your changes to the local profile set. If you have previously chosen to upload your profile to the external profile repository, provide a brief change log entry describing your work and upload the profile. If you had postponed the decision on whether to upload the profile or not, YaST asks you again and you can create an account the upload the profile now or not upload it at all.
As soon as you exit the Profile Creation Wizard, the profile is saved both locally and on the repository server, if you have chosen to upload it. The profile is then loaded into the AppArmor module.

22.2. Manually Adding a Profile¶

Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries into the profile. Select the application for which to create a profile then add entries.

Start YaST and select Novell AppArmor+Manually Add Profile.
Browse your system to find the application for which to create a profile.
When you find the application, select it and click Open. A basic, empty profile appears in the AppArmor Profile Dialog window.
In AppArmor Profile Dialog, add, edit, or delete AppArmor profile entries by clicking the corresponding buttons and referring to Section 22.3.1, “Adding an Entry”, Section 22.3.2, “Editing an Entry”, or Section 22.3.3, “Deleting an Entry”.
When finished, click Done.

22.3. Editing Profiles¶

AppArmor enables you to edit Novell AppArmor profiles manually by adding, editing, or deleting entries. To edit a profile, proceed as follows:

Start YaST and select Novell AppArmor+Edit Profile.
From the list of profiled applications, select the profile to edit.
Click Next. The AppArmor Profile Dialog window displays the profile.
In the AppArmor Profile Dialog window, add, edit, or delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to Section 22.3.1, “Adding an Entry”, Section 22.3.2, “Editing an Entry”, or Section 22.3.3, “Deleting an Entry”.
When you are finished, click Done.
In the pop-up that appears, click Yes to confirm your changes to the profile and reload the AppArmor profile set.

	Syntax Checking in AppArmor
AppArmor contains a syntax check that notifies you of any syntax errors in profiles you are trying to process with the YaST AppArmor tools. If an error occurs, edit the profile manually as `root` and reload the profile set with rcapparmor `reload`.

22.3.1. Adding an Entry¶

The Add Entry option can be found in Section 22.2, “Manually Adding a Profile” or Section 22.3, “Editing Profiles”. When you select Add Entry, a list shows the types of entries you can add to the Novell AppArmor profile.

From the list, select one of the following:

File

In the pop-up window, specify the absolute path of a file, including the type of access permitted. When finished, click OK.

You can use globbing if necessary. For globbing information, refer to Section 20.6, “Paths and Globbing”. For file access permission information, refer to Section 20.7, “File Permission Access Modes”.

Directory

In the pop-up window, specify the absolute path of a directory, including the type of access permitted. You can use globbing if necessary. When finished, click OK.

For globbing information, refer to Section 20.6, “Paths and Globbing”. For file access permission information, refer to Section 20.7, “File Permission Access Modes”.

Network Rule

In the pop-up window, select the appropriate network family and the socket type. For more information, refer to Section 20.5, “Network Access Control”.

Capability

In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to Section 20.4, “Capability Entries (POSIX.1e)” for more information about capabilities. When finished making your selections, click OK.

Include

In the pop-up window, browse to the files to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to Section 20.3, “#include Statements”.

Hat

In the pop-up window, specify the name of the subprofile (hat) to add to your current profile and click Create Hat. For more information, refer to Chapter 24, Profiling Your Web Applications Using ChangeHat.

22.3.2. Editing an Entry¶

When you select Edit Entry, the file browser pop-up window opens. From here, edit the selected entry.

In the pop-up window, specify the absolute path of a file, including the type of access permitted. You can use globbing if necessary. When finished, click OK.

For globbing information, refer to Section 20.6, “Paths and Globbing”. For file access permission information, refer to Section 20.7, “File Permission Access Modes”.

22.3.3. Deleting an Entry¶

To delete an entry in a given profile, select Delete Entry. AppArmor removes the selected profile entry.

22.4. Deleting a Profile¶

AppArmor enables you to delete an AppArmor profile manually. Simply select the application for which to delete a profile then delete it as follows:

Start YaST and select Novell AppArmor+Delete Profile.
Select the profile to delete.
Click Next.
In the pop-up that opens, click Yes to delete the profile and reload the AppArmor profile set.

22.5. Updating Profiles from Log Entries¶

The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files and enables you to update profiles. aa-logprof tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system. These exceptions represent the behavior of the profiled application that is outside of the profile definition for the program. You can add the new behavior to the relevant profile by selecting the suggested profile entry.

	Support for the External Profile Repository
Similar to the Add Profile Wizard, the Update Profile Wizard also supports profile exchange with the external repository server. For background information on the use of the external AppArmor profile repository, refer to Chapter 21, AppArmor Profile Repositories. For details on how to configure access and access mode to the server, check the procedure described under Section 22.1, “Adding a Profile Using the Wizard”.

Support for the External Profile Repository

Similar to the Add Profile Wizard, the Update Profile Wizard also supports profile exchange with the external repository server. For background information on the use of the external AppArmor profile repository, refer to Chapter 21, AppArmor Profile Repositories. For details on how to configure access and access mode to the server, check the procedure described under Section 22.1, “Adding a Profile Using the Wizard”.

Start YaST and select Novell AppArmor+Update Profile Wizard.
Running Update Profile Wizard (aa-logprof) parses the learning mode log files. This generates a series of questions that you must answer to guide aa-logprof to generate the security profile. The exact procedure is the same as with creating a new profile. Refer to Step 9 in Section 22.1, “Adding a Profile Using the Wizard” for details.
When you are done, click Finish. In the following pop-up, click Yes to exit the Add Profile Wizard. The profile is saved and loaded into the Novell AppArmor module.

22.6. Managing Novell AppArmor and Security Event Status¶

You can change the status of AppArmor by enabling or disabling it. Enabling AppArmor protects your system from potential program exploitation. Disabling AppArmor, even if your profiles have been set up, removes protection from your system. You can determine how and when you are notified when system security events occur.


For event notification to work, you must set up a mail server on your system that can send outgoing mail using the single mail transfer protocol (SMTP), such as postfix or exim.

To configure event notification or change the status of AppArmor, start YaST and select Novell AppArmor+Novell AppArmor Control Panel.

From the AppArmor Configuration screen, determine whether Novell AppArmor and security event notification are running by looking for a status message that reads enabled or configure the mode of individual profiles.

To change the status of Novell AppArmor, continue as described in Section 22.6.1, “Changing Novell AppArmor Status”. To change the mode of individual profiles, continue as described in Section 22.6.2, “Changing the Mode of Individual Profiles”. To configure security event notification, continue as described in Section 26.2, “Configuring Security Event Notification”.

22.6.1. Changing Novell AppArmor Status¶

When you change the status of AppArmor, set it to enabled or disabled. When AppArmor is enabled, it is installed, running, and enforcing the AppArmor security policies.

Start YaST and select Novell AppArmor+AppArmor Control Panel.
Enable AppArmor by checking Enable AppArmor or disable AppArmor by deselecting it.
Click Done in the AppArmor Configuration window.
Click File+Quit in the YaST Control Center.

22.6.2. Changing the Mode of Individual Profiles¶

AppArmor can apply profiles in two different modes. In complain or learning mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. This mode is convenient for developing profiles and is used by the AppArmor tools for generating profiles. Loading a profile in enforce mode enforces the policy defined in the profile and reports policy violation attempts to syslogd.

The Profile Modes dialog allows you to view and edit the mode of currently loaded AppArmor profiles. This feature is useful for determining the status of your system during profile development. During the course of systemic profiling (see Section 23.6.2, “Systemic Profiling”), you can use this tool to adjust and monitor the scope of the profiles for which you are learning behavior.

To edit an application's profile mode, proceed as follows:

Start YaST and select Novell AppArmor+AppArmor Control Panel.
In the Configure Profile Modes section, select Configure.
Select the profile for which to change the mode.
Select Toggle Mode to set this profile to complain mode or to enforce mode.
Apply your settings and leave YaST with Done.

To change the mode of all profiles, use Set All to Enforce or Set All to Complain.

	Listing the Profiles Available
By default, only active profiles are listed (any profile that has a matching application installed on your system). To set up a profile before installing the respective application, click Show All Profiles and select the profile to configure from the list that appears.


The number of learning mode entries corresponds to the complexity of the application.