Novell has made significant strides in securing its Linux products, especially through its Application Armor (AppArmor) security suite. With its easy-to-use mandatory access control model (MAC), AppArmor can profile, monitor and restrict application behaviors for any server or workstation running SUSE. It can then create an overall security policy for run-time execution. And as a bonus for inexperienced administrators, AppArmor is much easier to handle than SELinux. This article will describe AppArmor and what it can do.
AppArmor is readily accessible through the YaST control center (YaST stands for Yet Another Setup Tool; Novell includes YaST in the SUSE Linux distribution and makes it available as free software under the GNU General Public License, or GPL).
SUSE simplifies and centralizes MAC management through AppArmor.
Add Profile Wizard
AppArmor has a user-friendly Profile Wizard. Once you specify and exercise a target binary, AppArmor will analyze the resulting system activity. Security profiling is pretty easy after AppArmor informs itself about an application's actions under normal operation.
AppArmor keeps a summary of scheduled reports with their activation intervals (hourly, daily, weekly, monthly) in the Security Event Report dialog. This panel sorts the three primary categories:
- Executive Security Summary
- Applications Audit
- Security Incident Reports
Each category is individually defined with parameters applied such that reports may be activated at alternate times, may include additional administrative email accounts and may reposition the log file path. Within this dialog, you can also view archived security logs and add, delete or edit reports.
By default, AppArmor contains a number of security profiles, including a variety of binaries and shared libraries neatly assorted in a listbox window. What you'll find in the window is just a small sampling of the many existing profiles. Within the window, binary access to file system paths may be added, deleted or modified to restrict actions. Advanced properties include profile, inherit and unconstrained.
Update Profile Wizard
With the Update Profile dialog, you can enhance default and recently established profiles. The wizard walks you through the steps to enhance control module entries to create more robust (and more optimized) security profiles based on suggestions presented during the creation process.
From a security policy perspective, events documented during the run-time execution of a targeted application are better defined through this interface. Beginning with the application, everything gets questioned: paths, binaries, documents and so forth. The wizard assigns severity levels to indicate the level of threat that an application could pose should it ever be abused, including the full path to said file or binary and four action buttons to indicate whether settings should be inherited, unconfined or denied.
AppArmor Control Panel
System administrators can enable or disable AppArmor functionality within the AppArmor Control Panel and configure the application to issue notifications for critical events. When an access violation occurs, security event notifications are triggered and delivered to an administrative email account according to the specified threshold. This time threshold can be in one to 30 minute intervals, or one day/week/month at a time, as the situation demands.
The final two categories are nearly self-explanatory. The Delete Profile dialog removes existing profiles, but you'll also find other opportunities to delete a profile during other related tasks.
Manually Add Profile
Profiles created elsewhere can be imported through the last dialog, Manually Add Profile. This interface provides great deal of flexibility, enabling administrators to share and reproduce security profiles across separate systems.
AppArmor is more than just a step in the right direction; it is a marching cadre of security functionality prepared to police application behaviors through well-defined event policies. Without this added protection, SUSE enterprise servers and workstations could remain exposed to a range of Internet-born maladies, from low-level exploit code to high-level application extension manipulations. With this added protection, systems can be hardened and locked down to meet strict security policy requirements.
Justin Korelc is a long-time Linux hacker and system administrator who concentrates on hardware and software security, virtualization and high-performance Linux systems. Ed Tittel is a full-time freelance writer based in Austin, Tex., who specializes in markup languages, information security, networking and IT certification. Justin and Ed have contributed to books on Home Theater PCs and the Linux-based MythTV environment, and they write regularly about Linux for various TomsHardware sites.