------------------------------------------------------------
revno: 3640
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Mon 2007-12-10 01:31:28 -0500
message:
  Reorganized the Security section adding a section on AppArmor.  Content based 
on https://help.ubuntu.com/community/AppArmor originally written by Mathias Gug.
modified:
  generic/server/C/security.xml

=== modified file 'generic/server/C/security.xml'
--- a/generic/server/C/security.xml     2007-04-05 10:38:17 +0000
+++ b/generic/server/C/security.xml     2007-12-10 06:31:28 +0000
@@ -20,7 +20,9 @@
                         which is used to manipulate or decide the fate of 
network traffic headed into or through
                         your server.  All modern Linux firewall solutions use 
this system for packet filtering.
           </para>
-        <sect1 id="firewall-introduction" status="complete">
+       <sect1 id="firewall" status="review">
+         <title>Firewall</title>
+        <sect2 id="firewall-introduction" status="complete">
           <title>Firewall Introduction</title>
             <para>
               The kernel's packet filtering system would be of little use to 
administrators without
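Review bot: the new wrapper `<sect1 id="firewall" status="review">` and its `<title>` are indented one column less than the `<sect2>` children that follow (seven spaces versus eight), so the nesting is hard to read at a glance; align the `sect1`/`title` lines with the surrounding block. The wrapper also carries `status="review"` while every child section it now encloses keeps `status="complete"`, which is worth checking against the project's validation rules for mixed statuses.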
@@ -30,8 +32,8 @@
                          iptables.  Thus, iptables is all you need to manage 
your firewall if you're familiar
                          with it, but many frontends are available to simplify 
the task.
             </para>
-        </sect1>
-        <sect1 id="ip-masquerading" status="complete">
+        </sect2>
+        <sect2 id="ip-masquerading" status="complete">
           <title>IP Masquerading</title>
             <para>
               The purpose of IP Masquerading is to allow machines with 
private, non-routable IP
@@ -78,8 +80,8 @@
                          Internet and all traffic related to those connections 
to return to the machine
                          that initiated them.
                        </para>
-        </sect1>
-        <sect1 id="firewall-tools" status="complete">
+        </sect2>
+        <sect2 id="firewall-tools" status="complete">
           <title>Tools</title>
             <para>
               There are many tools available to help you construct a complete 
firewall without
@@ -99,8 +101,8 @@
                          clients (GTK or QT), and behaves like many popular 
interactive firewall 
                          applications for Windows.
             </para>
-        </sect1>
-        <sect1 id="firewall-logs" status="complete">
+        </sect2>
+        <sect2 id="firewall-logs" status="complete">
           <title>Logs</title>
             <para>
               Firewall logs are essential for recognizing attacks, 
troubleshooting your
@@ -129,6 +131,341 @@
                          analyzing tool such as 
<application>fwanalog</application>, <application>
                          fwlogwatch</application>, or 
<application>lire</application>.
             </para>
-        </sect1>
+        </sect2>       
+       </sect1>
+       <sect1 id="apparmor" status="review">
+         <title>AppArmor</title>
+         <para>
+         <application>AppArmor</application> is a Linux Security Module 
implementation of name-based mandatory access controls.   
+         AppArmor confines individual programs to a set of listed files and 
posix 1003.1e draft capabilities.
+         </para>
+         <para>
+         <application>AppArmor</application> is installed and loaded by 
default.  It uses <emphasis>profiles</emphasis> of 
+         an application to determine what files and permissions the 
application requires.  Some packages will install their own profiles,  
+          and additional profiles can found in the 
<application>apparmor-profiles</application> package.
+         </para>
+         <para>
+         To install the <application>apparmor-profiles</application> package 
from a terminal prompt:
+         </para>
+<screen>
+<command>sudo apt-get install apparmor-profiles</command>
+</screen>
+         <para>
+         AppArmor profiles have two modes of execution:
+         </para>
+         <itemizedlist>
+           <listitem>
+             <para>
+             Complaining/Learning: profile violations are permitted and 
logged.  Useful for testing and developing new profiles.
+             </para>
+           </listitem>
+           <listitem>
+             <para>
+             Enforced/Confined: enforces profile policy as well as logging the 
violation.
+             </para>
+           </listitem>
+         </itemizedlist>
+         <sect2 id="apparmor-usage" status="review">
+           <title>Using AppArmor</title>
+           <para>
+           The <application>apparmor-utils</application> package contains 
command line utilities that you can use to change the
+           <application>AppArmor</application> execution mode, find the status 
of a profile, create new profiles, etc.
+           </para>
+           <itemizedlist>
+             <listitem>
+               <para>
+               <application>apparmor_status</application> is used to view the 
current status of AppArmor profiles.
+               </para>
+<screen>
+<command>sudo apparmor_status</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               <application>aa-complain</application> places a profile into 
<emphasis>complain</emphasis> mode.
+               </para>
+<screen>
+<command>sudo aa-complain /path/to/bin</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               <application>aa-enforce</application> places a profile into 
<emphasis>enforce</emphasis> mode.
+               </para>
+<screen>
+<command>sudo aa-enforce /path/to/bin</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               The <filename>/etc/apparmor.d</filename> directory is where the 
AppArmor profiles are located.  It can be used to 
+               manipulate the <emphasis>mode</emphasis> of all profiles.
+               </para>
+               <para>
+               Enter the following to place all profiles into complain mode:
+               </para>
+<screen>
+<command>sudo aa-complain /etc/apparmor.d/*</command>
+</screen>
+           <para>
+           To place all profiles in enforce mode:
+           </para>
+<screen>
+<command>sudo aa-enforce /etc/apparmor.d/*</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               <application>apparmor_parser</application> is used to load a 
profile into the kernel.  It can also be used to 
+               reload a currently loaded profile using the 
<emphasis>-r</emphasis> option.  To load a profile:
+               </para>
+<screen>
+<command>cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a</command>
+</screen>
+               <para>
+               To reload a profile:
+               </para>
+<screen>
+<command>cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               <filename>/etc/init.d/apparmor</filename> can be used to 
<emphasis>reload</emphasis> all profiles:
+               </para>
+<screen>
+<command>sudo /etc/init.d/apparmor reload</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               The <filename>/etc/apparmor.d/disable</filename> directory can 
be used along with the <application>apparmor_parser -R</application> 
+               option to <emphasis>disable</emphasis> a profile.
+               </para>
+<screen>
+<command>ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/</command>
+<command>apparmor_parser -R /etc/apparmor.d/profile.name</command>
+</screen>
+               <para>
+               To <emphasis>re-enable</emphasis> a disabled profile remove the 
symblic link to the profile in 
+               <filename>/etc/apparmor.d/disable/</filename>.  Then load the 
profile using the <emphasis>-a</emphasis> option.
+               </para>
+<screen>
+<command>rm /etc/apparmor.d/disable/profile.name</command>
+<command>cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               <application>AppArmor</application> can be disabled, and the 
kernel module unloaded by entering the following:
+               </para>
+<screen>
+<command>sudo /etc/init.d/apparmor kill</command>
+<command>sudo update-rc.d -f apparmor remove</command>
+</screen>
+             </listitem>
+             <listitem>
+               <para>
+               To re-enable <application>AppArmor</application> enter:
+               </para>
+<screen>
+<command>sudo /etc/init.d/apparmor start</command>
+<command>sudo update-rc.d apparmor defaults</command>
+</screen>
+             </listitem>
+           </itemizedlist>
+           <note>
+             <para>
+             Replace <emphasis>profile.name</emphasis> with the name of the 
profile you want to manipulate.  Also, replace 
+             <filename>/path/to/bin/</filename> with the actual executable 
file path.  For example for the <application>ping</application> 
+             command use <filename>/bin/ping</filename>
+             </para>
+           </note>
+         </sect2>
+         <sect2 id="apparmor-profiles" status="review">
+           <title>Profiles</title>
+           <para>
+           <application>AppArmor</application> profiles are simple text files 
located in <filename>/etc/apparmor.d/</filename>.  The 
+           files are named after the full path to the executable they profile 
replacing the "/" with ".".
+           For example <filename>/etc/apparmor.d/bin.ping</filename> is the 
AppArmor profile for the <filename>/bin/ping</filename>
+           command.  
+           </para>
+           <para>
+           There are two main type of rules used in profiles:
+           </para>
+           <itemizedlist>
+             <listitem>
+               <para>
+               <emphasis>Path entries:</emphasis> which detail which files an 
application can access in the file system.
+               </para>
+             </listitem>
+             <listitem>
+               <para>
+               <emphasis>Capability entries:</emphasis> determine what 
privileges a confined process is allowed to use.
+               </para>
+             </listitem>
+           </itemizedlist>
+           <para>
+           As an example take a look at 
<filename>/etc/apparmor.d/bin.ping</filename>:
+           </para>
+<programlisting>
+#include &lt;tunables/global&gt;
+/bin/ping flags=(complain) {
+  #include &lt;abstractions/base&gt;
+  #include &lt;abstractions/consoles&gt;
+  #include &lt;abstractions/nameservice&gt;
+
+  capability net_raw,
+  capability setuid,
+  network inet raw,
+  
+  /bin/ping mixr,
+  /etc/modules.conf r,
+}
+</programlisting>
+           <itemizedlist>
+             <listitem>
+               <para>
+               <emphasis>#include &lt;tunables/global&gt;:</emphasis> include 
statements from other files.  This allows statements pertaining to 
+               multiple applications to be placed in a common file.
+               </para>
+             </listitem>
+             <listitem>
+               <para>
+               <emphasis>/bin/ping flags=(complain):</emphasis> path to the 
profiled program, also setting the mode to 
+               <emphasis>complain</emphasis>.
+               </para>
+             </listitem>
+             <listitem>
+               <para>
+               <emphasis>capability net_raw,:</emphasis> allows the 
application access to the CAP_NET_RAW Posix.1e capability.
+               </para>
+             </listitem>
+             <listitem>
+               <para>
+               <emphasis>/bin/ping mixr,:</emphasis> allows the application 
read and execute access to the file.
+               </para>
+             </listitem>
+            </itemizedlist>
+           <note>
+             <para>
+             After editing a profile file the profile must be reloaded.  See 
<xref linkend="apparmor-usage"/> for details.
+             </para>
+           </note>
+           <sect3 id="apparmor-profiles-new" status="review">
+             <title>Creating a Profile</title>
+             <itemizedlist>
+               <listitem>
+                 <para>
+                 <emphasis>Design a test plan:</emphasis> Try to think about 
how the application should be exercised. The test plan should be divided 
+                 into small test cases. Each test case should have a small 
description and list the steps to follow.
+                 </para>
+                 <para>
+                 Some standard test cases are:
+                 </para>
+                 <itemizedlist>
+                   <listitem>          
+                     <para>
+                     Starting the program.
+                     </para>
+                   </listitem>
+                   <listitem>          
+                     <para>
+                     Stopping the program.
+                     </para>
+                   </listitem>
+                   <listitem>          
+                     <para>
+                     Reloading the program.
+                     </para>
+                   </listitem>
+                   <listitem>          
+                     <para>
+                     Testing all the commands supported by the init script.
+                     </para>
+                   </listitem>
+                 </itemizedlist>
+               </listitem>
+               <listitem>
+                 <para>
+                 <emphasis>Generate the new profile:</emphasis> Use 
<application>aa-genprof</application> to generate a new profile.
+                 From a terminal:
+                 </para>
+<screen>
+<command>sudo aa-genprof executable</command>
+</screen>
+                   <para>
+                   For example:
+                   </para>
+<screen>
+<command>sudo aa-genprof slapd</command>
+</screen>
+               </listitem>
+               <listitem>
+                 <para>
+                 To get your new profile included in the 
<application>apparmor-profiles</application> package, file a bug in 
+                 <emphasis>Launchpad</emphasis> against the <ulink 
url="https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug";>AppArmor</ulink>
 
+                 package:
+                 </para>
+                 <itemizedlist>
+                   <listitem>
+                     <para>
+                     Include your test plan and testcases.
+                     </para>
+                   </listitem>
+                   <listitem>
+                     <para>
+                     Attach your new profile to the bug.
+                     </para>
+                   </listitem>
+                 </itemizedlist>
+               </listitem>
+             </itemizedlist>
+           </sect3>
+           <sect3 id="apparmor-profiles-update" status="review">
+             <title>Updating Profiles</title>
+             <para>
+             When the program is misbehaving, audit messages are sent to the 
log files. The program <application>aa-logprof</application> can be used 
+             to scan log files for <application>AppArmor</application> audit 
messages, review them and update the profiles.  From a terminal:
+             </para>
+<screen>
+<command>sudo aa-logprof</command>
+</screen>
+           </sect3>
+         </sect2>         
+         <sect2 id="apparmor-references" status="review">
+           <title>References</title>
+           <itemizedlist>
+             <listitem>
+               <para>
+               See the <ulink 
url="http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/index.html?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html";>AppArmor
 Administration Guide</ulink> for advanced configuration options.
+               </para>
+             </listitem>
+           </itemizedlist>
+           <itemizedlist>
+             <listitem>
+               <para>
+               For details using AppArmor with other Ubuntu releases see the 
<ulink url="https://help.ubuntu.com/community/AppArmor";>
+               AppArmor Community Wiki</ulink> page.
+               </para>
+             </listitem>
+           </itemizedlist>
+           <itemizedlist>
+             <listitem>
+               <para>
+               The <ulink url="http://en.opensuse.org/AppArmor";>OpenSUSE 
AppArmor</ulink> page is another introduction to AppArmor.
+               </para>
+             </listitem>
+           </itemizedlist>
+           <itemizedlist>
+             <listitem>
+               <para>
+               A great place to ask for <application>AppArmor</application> 
assistance, and get involved with the Ubuntu Server community, 
+               is the <emphasis>#ubuntu-server</emphasis>  IRC channel on  
<ulink url="http://freenode.net";>freenode</ulink>.
+               </para>
+             </listitem>
+           </itemizedlist>
+         </sect2>
+       </sect1>
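Review bot: the profile disable/re-enable commands are missing `sudo` where every other command in the section has it, so they fail for a non-root user: `ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/`, `apparmor_parser -R /etc/apparmor.d/profile.name` and `rm /etc/apparmor.d/disable/profile.name` all write to `/etc/apparmor.d` or talk to the kernel and should be prefixed with `sudo` like the neighbouring `cat ... | sudo apparmor_parser -a`. Separately, each `<ulink url="...";>` in this hunk has a stray `;` between the closing quote and `>`, which is not well-formed XML (it may be a mail-client artifact, but please confirm the file itself is clean). Wording fixes while here: "can found" should read "can be found", "symblic link" should read "symbolic link", "two main type of rules" should read "two main types of rules", "For details using AppArmor" should read "For details on using AppArmor", the note's final sentence "use /bin/ping" lacks its full stop, `</sect2>` after the Logs section carries trailing whitespace, and the four single-item `<itemizedlist>` blocks in the References section would be cleaner as one list with four `<listitem>`s.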
     </chapter>
 



--

https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy


-- 
ubuntu-doc-commits mailing list
ubuntu-doc-commits@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
