- by Martin Kaba
- on Tue Jun 5, 2007
In the computing world it is often said that “the only fully-secured computer is one that is turned off”. This phrase is emblematic simply because the most talked-about aspect in the computer world is security.
The GNU/Linux systems are appreciated a lot for their resistance to external attacks but some have even gone further to create higher security levels. Two well acclaimed security tools are the SELinux by RedHat and AppArmor by SUSE Linux.
Traditional methods of securing a computer have revolved around controlling access to critical services. So, if you need to secure network applications, you need to police network traffic. But security vendors are realizing that securing a computer, in effect, boils down to protecting the applications instead. Novell’s AppArmor is designed with just this is mind.
One would assume defending applications is as easy as guarding the whole gamut of services running on a network attached computer. But applications these days are complex and intertwined, sharing libraries and files scattered all over the disk. More importantly, Discretionary Access Control (DAC) allows a program to run with the permissions of the user executing it, which introduces the possibility of exploiting a defect in the application to gain super user privileges.
With AppArmor, the idea is to defend indivclassual applications against such threats by restricting their access to only the necessary files and libraries. Simply put, it allows one to lock down an application and the files to be accessed with absolute path names, followed by the common read and write access modes.
AppArmor plugs into theLinux Security Model (LSM) kernel interface. LSM is the de-facto API in the Linux kernel that security models must talk to, which can be applied as a patch to a stock kernel.
AppArmor is integrated into both of Novell’s offerings, the subscription-based SUSE Enterprise Linux and the free openSUSE Linux distribution. If you chose not to install AppArmor during installation, you can do it post-install through SUSE’s setup tool, YaST.
AppArmor has its own management section under YaST. From here, you can enable or disable AppArmor as well as add, delete, and update application profiles. Once AppArmor is enabled, it automatically enforces security profiles that are present in the /etc/apparmor.d directory.
For what it promises, AppArmor is fairly simple to roll-out, at least for SUSE users. Installation doesn’t require any kernel or application recompilation and is well integrated into both Novell distributions. Even home users of SUSE Linux would find it relatively easy to wrap a secure profile around some of their critical network applications, like the Gaim instant messenger or the Firefox Web browser.
But to extract maximum juice out of AppArmor you really have to know the application thoroughly. Once the profile takes over, access to every feature that you forgot to make it aware of, will be blocked. If you are careless, you can also even trip over AppArmor’s flexibility. Read and carefully choose the appropriate permissions for all the references to the various files and libraries. Make careful use of the wildcard characters.
Novell has two guides related to AppArmor, the detailed Administrators Guide and the short Quick Start Guide. Plus they have a FAQ, and several mailing lists as well. As mentioned earlier, there are several profiles included to help you get started. Enterprise users get the benefit of maintenance updates through their SUSE Linux subscription
What’s coming up
AppArmor is under heavy development. While it is well integrated into the Novell distributions, you could also use AppArmor with Slackware. An Ubuntu port is also under way or have a look a the CodeBlog for a hand. To make AppArmor smarter, the developers have plans to use a better static analyzer in place of the current one that just recursively runs ldd to list shared library calls. Also under works is a smarter learning mode that will help administrators save time, by not reporting actions that have already been reported.
I personally do not find it necessary getting into a AppArmor vs SELinux duel. Cause I believe these two products, with their different approach , and of course different problems they generate, need improvement and above all support from the GNU/Linux community.
AppArmor is a very mature tool and Novell continues to develop it further. But like every security tool, you must learn to use it properly. It’s fairly easy to use from within the two SUSE variants but to reach the masses it has to be supported by other distributions as well. With mixed reactions to the recent Novell-Microsoft partnership, AppArmor could face some resistance from other distribution vendors.
No Licensing Fees
As an open source offering from Novell, AppArmor Linux application security has no licensing fees. AppArmor is included in the SUSE Linux Enterprise 10 products and in openSUSE.