------------------------------------------------------------ revno: 3640 committer: Adam Sommer <[EMAIL PROTECTED]> branch nick: ubuntu-hardy timestamp: Mon 2007-12-10 01:31:28 -0500 message: Reorganized the Security section adding a section on AppArmor. Content based on https://help.ubuntu.com/community/AppArmor originally written by Mathias Gug. modified: generic/server/C/security.xml
=== modified file 'generic/server/C/security.xml' --- a/generic/server/C/security.xml 2007-04-05 10:38:17 +0000 +++ b/generic/server/C/security.xml 2007-12-10 06:31:28 +0000 @@ -20,7 +20,9 @@ which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering. </para> - <sect1 id="firewall-introduction" status="complete"> + <sect1 id="firewall" status="review"> + <title>Firewall</title> + <sect2 id="firewall-introduction" status="complete"> <title>Firewall Introduction</title> <para> The kernel's packet filtering system would be of little use to administrators without @@ -30,8 +32,8 @@ iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task. </para> - </sect1> - <sect1 id="ip-masquerading" status="complete"> + </sect2> + <sect2 id="ip-masquerading" status="complete"> <title>IP Masquerading</title> <para> The purpose of IP Masquerading is to allow machines with private, non-routable IP @@ -78,8 +80,8 @@ Internet and all traffic related to those connections to return to the machine that initiated them. </para> - </sect1> - <sect1 id="firewall-tools" status="complete"> + </sect2> + <sect2 id="firewall-tools" status="complete"> <title>Tools</title> <para> There are many tools available to help you construct a complete firewall without @@ -99,8 +101,8 @@ clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows. </para> - </sect1> - <sect1 id="firewall-logs" status="complete"> + </sect2> + <sect2 id="firewall-logs" status="complete"> <title>Logs</title> <para> Firewall logs are essential for recognizing attacks, troubleshooting your 
@@ -129,6 +131,341 @@ analyzing tool such as <application>fwanalog</application>, <application> fwlogwatch</application>, or <application>lire</application>. </para> - </sect1> + </sect2> + </sect1> + <sect1 id="apparmor" status="review"> + <title>AppArmor</title> + <para> + <application>AppArmor</application> is a Linux Security Module implementation of name-based mandatory access controls. + AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities. + </para> + <para> + <application>AppArmor</application> is installed and loaded by default. It uses <emphasis>profiles</emphasis> of + an application to determine what files and permissions the application requires. Some packages will install their own profiles, + and additional profiles can found in the <application>apparmor-profiles</application> package. + </para> + <para> + To install the <application>apparmor-profiles</application> package from a terminal prompt: + </para> +<screen> +<command>sudo apt-get install apparmor-profiles</command> +</screen> + <para> + AppArmor profiles have two modes of execution: + </para> + <itemizedlist> + <listitem> + <para> + Complaining/Learning: profile violations are permitted and logged. Useful for testing and developing new profiles. + </para> + </listitem> + <listitem> + <para> + Enforced/Confined: enforces profile policy as well as logging the violation. + </para> + </listitem> + </itemizedlist> + <sect2 id="apparmor-usage" status="review"> + <title>Using AppArmor</title> + <para> + The <application>apparmor-utils</application> package contains command line utilities that you can use to change the + <application>AppArmor</application> execution mode, find the status of a profile, create new profiles, etc. + </para> + <itemizedlist> + <listitem> + <para> + <application>apparmor_status</application> is used to view the current status of AppArmor profiles. 
+ </para> +<screen> +<command>sudo apparmor_status</command> +</screen> + </listitem> + <listitem> + <para> + <application>aa-complain</application> places a profile into <emphasis>complain</emphasis> mode. + </para> +<screen> +<command>sudo aa-complain /path/to/bin</command> +</screen> + </listitem> + <listitem> + <para> + <application>aa-enforce</application> places a profile into <emphasis>enforce</emphasis> mode. + </para> +<screen> +<command>sudo aa-enforce /path/to/bin</command> +</screen> + </listitem> + <listitem> + <para> + The <filename>/etc/apparmor.d</filename> directory is where the AppArmor profiles are located. It can be used to + manipulate the <emphasis>mode</emphasis> of all profiles. + </para> + <para> + Enter the following to place all profiles into complain mode: + </para> +<screen> +<command>sudo aa-complain /etc/apparmor.d/*</command> +</screen> + <para> + To place all profiles in enforce mode: + </para> +<screen> +<command>sudo aa-enforce /etc/apparmor.d/*</command> +</screen> + </listitem> + <listitem> + <para> + <application>apparmor_parser</application> is used to load a profile into the kernel. It can also be used to + reload a currently loaded profile using the <emphasis>-r</emphasis> option. To load a profile: + </para> +<screen> +<command>cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a</command> +</screen> + <para> + To reload a profile: + </para> +<screen> +<command>cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r</command> +</screen> + </listitem> + <listitem> + <para> + <filename>/etc/init.d/apparmor</filename> can be used to <emphasis>reload</emphasis> all profiles: + </para> +<screen> +<command>sudo /etc/init.d/apparmor reload</command> +</screen> + </listitem> + <listitem> + <para> + The <filename>/etc/apparmor.d/disable</filename> directory can be used along with the <application>apparmor_parser -R</application> + option to <emphasis>disable</emphasis> a profile. 
+ </para> +<screen> +<command>ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/</command> +<command>apparmor_parser -R /etc/apparmor.d/profile.name</command> +</screen> + <para> + To <emphasis>re-enable</emphasis> a disabled profile remove the symblic link to the profile in + <filename>/etc/apparmor.d/disable/</filename>. Then load the profile using the <emphasis>-a</emphasis> option. + </para> +<screen> +<command>rm /etc/apparmor.d/disable/profile.name</command> +<command>cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a</command> +</screen> + </listitem> + <listitem> + <para> + <application>AppArmor</application> can be disabled, and the kernel module unloaded by entering the following: + </para> +<screen> +<command>sudo /etc/init.d/apparmor kill</command> +<command>sudo update-rc.d -f apparmor remove</command> +</screen> + </listitem> + <listitem> + <para> + To re-enable <application>AppArmor</application> enter: + </para> +<screen> +<command>sudo /etc/init.d/apparmor start</command> +<command>sudo update-rc.d apparmor defaults</command> +</screen> + </listitem> + </itemizedlist> + <note> + <para> + Replace <emphasis>profile.name</emphasis> with the name of the profile you want to manipulate. Also, replace + <filename>/path/to/bin/</filename> with the actual executable file path. For example for the <application>ping</application> + command use <filename>/bin/ping</filename> + </para> + </note> + </sect2> + <sect2 id="apparmor-profiles" status="review"> + <title>Profiles</title> + <para> + <application>AppArmor</application> profiles are simple text files located in <filename>/etc/apparmor.d/</filename>. The + files are named after the full path to the executable they profile replacing the "/" with ".". + For example <filename>/etc/apparmor.d/bin.ping</filename> is the AppArmor profile for the <filename>/bin/ping</filename> + command. 
+ </para> + <para> + There are two main type of rules used in profiles: + </para> + <itemizedlist> + <listitem> + <para> + <emphasis>Path entries:</emphasis> which detail which files an application can access in the file system. + </para> + </listitem> + <listitem> + <para> + <emphasis>Capability entries:</emphasis> determine what privileges a confined process is allowed to use. + </para> + </listitem> + </itemizedlist> + <para> + As an example take a look at <filename>/etc/apparmor.d/bin.ping</filename>: + </para> +<programlisting> +#include <tunables/global> +/bin/ping flags=(complain) { + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + capability net_raw, + capability setuid, + network inet raw, + + /bin/ping mixr, + /etc/modules.conf r, +} +</programlisting> + <itemizedlist> + <listitem> + <para> + <emphasis>#include <tunables/global>:</emphasis> include statements from other files. This allows statements pertaining to + multiple applications to be placed in a common file. + </para> + </listitem> + <listitem> + <para> + <emphasis>/bin/ping flags=(complain):</emphasis> path to the profiled program, also setting the mode to + <emphasis>complain</emphasis>. + </para> + </listitem> + <listitem> + <para> + <emphasis>capability net_raw,:</emphasis> allows the application access to the CAP_NET_RAW Posix.1e capability. + </para> + </listitem> + <listitem> + <para> + <emphasis>/bin/ping mixr,:</emphasis> allows the application read and execute access to the file. + </para> + </listitem> + </itemizedlist> + <note> + <para> + After editing a profile file the profile must be reloaded. See <xref linkend="apparmor-usage"/> for details. + </para> + </note> + <sect3 id="apparmor-profiles-new" status="review"> + <title>Creating a Profile</title> + <itemizedlist> + <listitem> + <para> + <emphasis>Design a test plan:</emphasis> Try to think about how the application should be exercised. 
The test plan should be divided + into small test cases. Each test case should have a small description and list the steps to follow. + </para> + <para> + Some standard test cases are: + </para> + <itemizedlist> + <listitem> + <para> + Starting the program. + </para> + </listitem> + <listitem> + <para> + Stopping the program. + </para> + </listitem> + <listitem> + <para> + Reloading the program. + </para> + </listitem> + <listitem> + <para> + Testing all the commands supported by the init script. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <emphasis>Generate the new profile:</emphasis> Use <application>aa-genprof</application> to generate a new profile. + From a terminal: + </para> +<screen> +<command>sudo aa-genprof executable</command> +</screen> + <para> + For example: + </para> +<screen> +<command>sudo aa-genprof slapd</command> +</screen> + </listitem> + <listitem> + <para> + To get your new profile included in the <application>apparmor-profiles</application> package, file a bug in + <emphasis>Launchpad</emphasis> against the <ulink url="https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug">AppArmor</ulink> + package: + </para> + <itemizedlist> + <listitem> + <para> + Include your test plan and testcases. + </para> + </listitem> + <listitem> + <para> + Attach your new profile to the bug. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </sect3> + <sect3 id="apparmor-profiles-update" status="review"> + <title>Updating Profiles</title> + <para> + When the program is misbehaving, audit messages are sent to the log files. The program <application>aa-logprof</application> can be used + to scan log files for <application>AppArmor</application> audit messages, review them and update the profiles. 
From a terminal: + </para> +<screen> +<command>sudo aa-logprof</command> +</screen> + </sect3> + </sect2> + <sect2 id="apparmor-references" status="review"> + <title>References</title> + <itemizedlist> + <listitem> + <para> + See the <ulink url="http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/index.html?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html">AppArmor Administration Guide</ulink> for advanced configuration options. + </para> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + For details using AppArmor with other Ubuntu releases see the <ulink url="https://help.ubuntu.com/community/AppArmor"> + AppArmor Community Wiki</ulink> page. + </para> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + The <ulink url="http://en.opensuse.org/AppArmor">OpenSUSE AppArmor</ulink> page is another introduction to AppArmor. + </para> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + A great place to ask for <application>AppArmor</application> assistance, and get involved with the Ubuntu Server community, + is the <emphasis>#ubuntu-server</emphasis> IRC channel on <ulink url="http://freenode.net">freenode</ulink>. + </para> + </listitem> + </itemizedlist> + </sect2> + </sect1> </chapter> -- https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy You are receiving this branch notification because you are subscribed to it. To unsubscribe from this branch go to https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy/+subscription/ubuntu-core-doc. -- ubuntu-doc-commits mailing list ubuntu-doc-commits@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
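Review bot: the netfilter introduction in the unchanged context above the `@@ -20,7 +20,9 @@` hunk (`All modern Linux firewall solutions use this system for packet filtering.`) stays at chapter level while everything it introduces is demoted under the new `<sect1 id="firewall" status="review">`; now that the chapter also covers AppArmor, that paragraph reads as a firewall-specific opener sitting outside the Firewall section, so either move it after `<title>Firewall</title>` or add a short chapter-level paragraph that names both firewalling and AppArmor. The sect1 to sect2 demotion itself is fine: `firewall-introduction`, `ip-masquerading`, `firewall-tools` and `firewall-logs` keep their ids, so any existing `xref` links to them continue to resolve.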
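Review bot: in the `@@ -129,6 +131,341 @@` hunk the four `#include` lines inside `<programlisting>` (`#include <tunables/global>` and the three abstractions) and the `<emphasis>#include <tunables/global>:</emphasis>` item below them contain raw angle brackets; as shown they are not well-formed XML and the DocBook build will fail unless the source reads `#include &lt;tunables/global&gt;` (please confirm the archive did not simply unescape them). Three further points on the same hunk: (1) the disable and re-enable sequence drops `sudo` (`ln -s`, `rm` and `apparmor_parser -R /etc/apparmor.d/profile.name`) although every other command in the list carries it and these write to `/etc/apparmor.d` and unload policy from the kernel; (2) `sudo aa-complain /etc/apparmor.d/*` and the matching `aa-enforce` line also match the `disable`, `abstractions` and `tunables` subdirectories this very section refers to, so the text should say to expect errors for those entries or use a pattern that skips directories; (3) `/bin/ping mixr,` is glossed as "read and execute access", but `m` allows the file to be mapped executable and `i` makes the executed program inherit the current profile, so the gloss understates what the rule grants and a clause on those two qualifiers would help profile authors. Wording: "profiles can found" should be "profiles can be found", "symblic link" should be "symbolic link", "two main type of rules" should be "two main types of rules", the note's `/path/to/bin/` has a trailing slash the commands lack, and "posix 1003.1e" / "Posix.1e" should be "POSIX 1003.1e" / "POSIX.1e". Finally, the References sect2 wraps each of its four items in a separate `<itemizedlist>`; one list with four `<listitem>` elements renders as a single bulleted list.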