AppArmorGutsy
|
Size: 4626
Comment:
|
Size: 4884
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 36: | Line 36: |
| * Need to load the apparmor module in the initrd and start the rc script as early as early possible. See [https://bugs.launchpad.net/bugs/116624 LP#116624:Profiles not applied to running processes when AppArmor is started] | * Need to load the apparmor module in the initrd and start the rc script as early as early possible. See [https://bugs.launchpad.net/bugs/116624 LP#116624:Profiles not applied to running processes when AppArmor is started] - '''OK''' |
| Line 40: | Line 40: |
| Widespread testing : | ==== Widespread testing ==== |
| Line 49: | Line 49: |
| * ship profiles in complain mode at first (in order to avoid the FC2 disaster when selinux was shipped in strict by default and nothing was working anymore). | |
| Line 71: | Line 72: |
| * Put all profiles into complain/enforce mode. * integrate into rc script. |
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: apparmor-gutsy
Created: 2007-05-29 by MathiasGug
Packages affected: apparmor
See also: SecurityModuleAdminTool, AppArmor
Summary
This specification details what should be done for AppArmor in Gutsy.
Release Note
AppArmor is a security framework.
Rationale
The SecurityModuleAdminTool is getting bigger and broader in scope. It won't be fully implemented for Gutsy. Let's focus on AppArmor support in Gutsy.
Use Cases
- Alice has installed an ubuntu server to provide file and printer sharing service via samba. She wants to increase the security level of her server.
Assumptions
Design
We need to focus on :
- providing good profiles that works out of the box for the default configuration.
simple command line tools to manage applied profiles. They should provide the functionalities defined in SecurityModuleAdminTool.
Implementation
Kernel module
- Need to include apparmor in the default kernel for gusty.
Need to load the apparmor module in the initrd and start the rc script as early as early possible. See [https://bugs.launchpad.net/bugs/116624 LP#116624:Profiles not applied to running processes when AppArmor is started] - OK
Good profiles
Widespread testing
- involve the community :
- send email on ubuntu-server, ubuntu-hardened.
- section in UWN.
improve user guide at UsingAppArmor.
- provide packages for feisty :
- kernel modules for feisty kernels.
- other apparmor packages built for feisty. Could be done via backport or apt repository on people.ubuntu.com.
- ship profiles in complain mode at first (in order to avoid the FC2 disaster when selinux was shipped in strict by default and nothing was working anymore).
Administration tools
Command lines tools based on the current apparmor perl scripts found in apparmor-utils.
Features :
- Enable/Disable security framework :
- via apparmor rc script.
- Show security framework status :
- via apparmor_status script.
list loaded security profiles and their mode : OK - patch sent upstream - in 2.0.1+510.dfsg-0ubuntu7
list services that are protected by a profile and their mode : OK - patch sent upstream - in 2.0.1+510.dfsg-0ubuntu7
list services that have a profile defined but which is not applied : OK - patch sent upstream - in 2.0.1+510.dfsg-0ubuntu7
summarize how many policy violations have been reported for each service : NOT IMPLEMENTED Upstream plans to have a log parsing library.
- Enable/Disable on per service basis : security profiles can be applied to individual service.
- Two scripts (enforce,complain) are provided in apparmor-utils to change the mode of the profile. However there a no script to enable/disable a profile. Write two scripts to do that :
- aa-enable to apply a profile.
- aa-disable to disable a profile.
- Put all profiles into complain/enforce mode.
- integrate into rc script.
- Logging infrastructure.
AppArmor uses the audit kernel subsystem :
- aa-eventd from apparmor-utils scans the log files for apparmor audit messages and dumps them into a sqlite database. It can also send notification by email if configured to do so.
Requires to include packages from universe. See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116921 LP#116921]
auditd : package is in universe for gutsy. General audit daemon which support SELinux events, but apparmor support is very basic. Upstream plans to implement event dispatching, a plugin framework and realtime notification.
Long term solution.
- do nothing : by default audit messages are sent to syslog if auditd is not running. They are then logged in /var/log/messages.
Short term solution, for gutsy.
- aa-eventd from apparmor-utils scans the log files for apparmor audit messages and dumps them into a sqlite database. It can also send notification by email if configured to do so.
- Notify user of policy violation.
- User notification :
- Asynchronous :
- via logcheck.
- Realtime :
- via email.
- Asynchronous :
- User notification :
Scripts should be developed in cooperation with upstream. Thus, they should be written in perl.
AppArmor user guide
UsingAppArmor page should be improved :
- add a usage section to how basic tasks can be performed.
- add a debug section : what to do if profiled applications stop working :
- get the list of policy violations.
- generate an updated profile for the daemon.
- send the new profile to the maintainer to update the packaged profile if necessary.
Test/Demo Plan
Outstanding Issues
BoF agenda and discussion
AppArmorGutsy (last edited 2008-08-06 16:19:57 by localhost)