This creates an approximate profile for the program or application you are autodepping. You can generate approximate profiles for binary executables and interpreted script programs. The resulting profile is called “approximate” because it does not necessarily contain all of the profile entries that the program needs to be properly confined by Novell AppArmor. The minimum autodep approximate profile has at least a base include directive, which contains basic profile entries needed by most programs. For certain types of programs, autodep generates a more expanded profile. The profile is generated by recursively calling ldd(1) on the executables listed on the command line.

To generate an approximate profile, use the autodep program. The program argument can be either the simple name of the program, which autodep finds by searching your shell's path variable, or it can be a fully qualified path. The program itself can be of any type (ELF binary, shell script, Perl script, etc.) and autodep generates an approximate profile, to be improved through the dynamic profiling that follows.

The resulting approximate profile is written to the /etc/apparmor.d directory using the Novell AppArmor profile naming convention of naming the profile after the absolute path of the program, replacing the forward slash (/) characters in the path with period (.) characters. The general form of autodep is to enter the following in a terminal window when logged in as root:

autodep [ -d /path/to/profiles ] [program1 program2...]

If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/apparmor.d.

To begin profiling, you must create profiles for each main executable service that is part of your application (anything that might start without being a child of another program that already has a profile). Finding all such programs depends on the application in question. Here are several strategies for finding such programs:

The complain or learning mode tool detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs then postprocess the log with the Novell AppArmor tools to transform log events into improved profiles.

Manually activating the complain mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(complain). To use complain mode, open a terminal window and enter one of the following lines as a root user.

Each of the above commands activates the complain mode for the profiles/programs listed. The command can list either programs or profiles. If the program name does not include its entire path, then complain searches $PATH for the program. So, for instance, complain /usr/sbin/* finds profiles associated with all of the programs in /usr/sbin and put them into complain mode, and complain /etc/apparmor.d/* puts all of the profiles in /etc/apparmor.d into complain mode.

The enforce mode tool detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and not permitted. The default is for enforce mode to be turned on. Turn complain mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled. Enforce toggles with complain mode.

Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as a root user.

Each of the above commands activates the enforce mode for the profiles and programs listed.

If you do not enter the program or profile names, you are prompted to enter one. /path/to/profiles overrides the default location of /etc/apparmor.d.

The argument can be either a list of programs or a list of profiles. If the program name does not include its entire path, enforce searches $PATH for the program. For instance, enforce /usr/sbin/* finds profiles associated with all of the programs in /usr/sbin and puts them into enforce mode. enforce /etc/apparmor.d/* puts all of the profiles in /etc/apparmor.d into enforce mode.

genprof (or Generate Profile) is Novell AppArmor's profile generating utility. It runs autodep on the specified program, creating an approximate profile (if a profile does not already exist for it), sets it to complain mode, reloads it into Novell AppArmor, marks the syslog, and prompts the user to execute the program and exercise its functionality. Its syntax is as follows:

genprof [ -d /path/to/profiles ]  program

If you were to create a profile for the the Apache Web server program httpd2-prefork, you would do the following in a root shell:

logprof is an interactive tool used to review the learning or complain mode output found in the syslog entries then generate new entries in Novell AppArmor security profiles.

When you run logprof, it begins to scan the log files produced in learning or complain mode and, if there are new security events that are not covered by the existing profile set, it gives suggestions for modifying the profile. The learning or complain mode traces program behavior and enters it in syslog. logprof uses this information to observe program behavior.

If a confined program forks and execs another program, logprof sees this and asks the user which execution mode should be used when launching the child process. The following execution modes are options for starting the child process: ix, px, and ux. If a separate profile exists for the child process, the default selection is px. If one does not exist, the profile defaults to ix. Child processes with separate profiles have autodep run on them and are loaded into Novell AppArmor, if it is running.

When logprof exits, profiles are updated with the changes. If the AppArmor module is running, the updated profiles are reloaded and if any processes that generated security events are still running in the null-complain-profile, those processes are set to run under their proper profiles.

To run logprof, enter logprof into a terminal window while logged in as root. The following options can also be used for logprof:

logprof scans the log, asking you how to handle each logged event. Each question presents a numbered list of Novell AppArmor rules that can be added by pressing the number of the item on the list.

By default, logprof looks for profiles in /etc/apparmor.d/ and scans the log in /var/log/messages so, in many cases, running logprof as root is enough to create the profile.

However, there might times when you need to search archived log files, such as if the program exercise period exceeds the log rotation window (when the log file is archived and a new log file is started). If this is the case, you can enter zcat -f `ls -1tr /var/log/messages*` | logprof -f -.

Following is an example of how logprof addresses httpd2-prefork accessing the file /etc/group. The example uses [] to indicate the default option.

In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which pulls in a predefined set of Novell AppArmor rules. Selecting 1 to #include the name service package resolves all of the future questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated nameservice profile package can be made just once, rather than needing to revise many profiles.

Profile:  /usr/sbin/httpd2-prefork
Path:     /etc/group
New Mode: r

[1 - #include <abstractions/nameservice>]
 2 - /etc/group
[(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Select one of the following responses:

In an example from profiling vsftpd, we see this question:

Profile:  /usr/sbin/vsftpd
Path:     /y2k.jpg
New Mode: r

[1 - /y2k.jpg]

(A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftpd on SUSE Linux serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, Novell AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path.

The second item of interest is that you might want to grant FTP read access to all of the JPEG files in the directory, so you could use Glob w/Ext and use the suggested path of /*.jpg. Doing so collapses all previous rules granting access to individual .jpg files and forestalls any future questions pertaining to access to .jpg files.

Finally, you might want to grant more general access to FTP files. If you select Glob in the last entry, logprof replaces the suggested path of /y2k.jpg with /*. Or you might want to grant even more access to the entire directory tree, in which case you could use the New path option and enter /**.jpg (which would grant access to all .jpg files in the entire directory tree) or /** (which would grant access to all files in the directory tree).

The above deal with read accesses. Write accesses are similar, except that it is good policy to be more conservative in your use of regular expressions for write accesses.

Dealing with execute accesses is more complex. You must decide which of the three kinds of execute permissions to grant:

In the following example, the /usr/bin/mail mail client is being profiled and logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper application to “page” long mail messages. Consequently, it presents this prompt:

/usr/bin/nail -> /usr/bin/less
(I)nherit / (P)rofile / (U)nconstrained / (D)eny

	Tip
The actual executable file for /usr/bin/mail turns out to be /usr/bin/nail, which is not a typographical error.

The program /usr/bin/less appears to be a simple one for scrolling through text that is more than one screen long and that is in fact what /usr/bin/mail is using it for. However, less is actually a large and powerful program that makes use of many other helper applications, such as tar and rpm.

	Tip
Run less on a tar ball or an RPM file and it shows you the inventory of these containers.

You do not want to automatically run rpm when reading mail messages (that leads directly to a Microsoft* Outlook–style virus attacks, because rpm has the power to install and modify system programs) and so, in this case, the best choice is to use Inherit. This results in the less program executed from this context running under the profile for /usr/bin/mail. This has two consequences:

In other circumstances, you might instead want to use the Profile option. This has two effects on logprof:

Finally, you might want to grant the child process very powerful access by specifying Unconfined. This writes ux into the parent profile so that when the child runs, it runs without any Novell AppArmor profile being applied at all. This means running with no protection and should only be used when absolutely required.

A syntax coloring file for the vim text editor highlights various features of an Novell AppArmor profile with colors. Using vim and the Novell AppArmor syntax mode for vim, you can see the semantic implications of your profiles with color highlighting. Use vim to view and edit your profile by typing vim at a terminal window.

To enable the syntax coloring when you edit a Novell AppArmor profile in vim, use the commands :syntax on then :set syntax=apparmor. Alternatively, you can place these lines in your ~/.vimrc file:

syntax on
set modeline
set modelines=5

When you enable this feature, vim colors the lines of the profile for you:

	Note
There is a security risk when using these lines in your .vimrc file, because it causes vim to trust the syntax mode presented in files you are editing. It might enable an attacker to send you a file to open with vim that might do something unsafe.

Use the apparmor.vim and vim man pages and the :help syntax from within the vim editor for further vim help about syntax highlighting. The Novell AppArmor syntax is stored in /usr/share/vim/current/syntax/apparmor.vim.

The unconfined command examines open network ports on your system, compares that to the set of profiles loaded on your system, and reports network services that do not have Novell AppArmor profiles. It requires root privilege and that it not be confined by a Novell AppArmor profile.

unconfined must be run as root to retrieve the process executable link from the proc file system. This program is susceptible to the following race conditions:

	Note
This program lists processes using TCP and UDP only. In short, this program is unsuitable for forensics use and is provided only as an aid to profiling all network-accessible processes in the lab.

For more information about the science and security of Novell AppArmor, refer to the following papers: