SecurityModuleAdminTool
|
Size: 3406
Comment:
|
Size: 4545
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| * '''Launchpad Entry''': UbuntuSpec:SecurityModuleAdminTool | * '''Launchpad Entry''': UbuntuSpec:SecurityModuleAdminTool * '''Created''': 2007-05-09 by MathiasGug |
| Line 3: | Line 4: |
| * '''See also''': AppArmor, SELinux | * '''See also''': AppArmor, ["SELinux"] |
| Line 6: | Line 7: |
| This specification defines an administration tool used to setup and apply | This specification defines an administration tool used to setup and apply |
| Line 10: | Line 11: |
| The main security frameworks (SELinux and AppArmor) are in Ubuntu repositories. However, their setup and management are not easy and relies mainly on command |
The main security frameworks (["SELinux"] and AppArmor) are in Ubuntu repositories. However, their setup and management are not easy and relies mainly on command |
| Line 14: | Line 16: |
| SELinux is already in the kernel and the utilities are in main. There are a | ["SELinux"] is already in the kernel and the utilities are in main. There are a |
| Line 21: | Line 23: |
| * Alice has installed an ubuntu server to provide file and printer sharing | * Alice has installed an ubuntu server to provide file and printer sharing |
| Line 27: | Line 29: |
| to increase the security of his server by using SELinux. He opens the security policy manager and applies a SELinux security policy to |
to increase the security of his server by using ["SELinux"]. He opens the security policy manager and applies a ["SELinux"] security policy to |
| Line 33: | Line 35: |
| services. | services. |
| Line 39: | Line 41: |
| In order to create a good profile, the target program has to be well tested. | In order to create a good profile, the target program has to be well tested. |
| Line 41: | Line 43: |
| updates : for each update, the profile has to be checked and potentialy | updates : for each update, the profile has to be checked and potentialy |
| Line 44: | Line 46: |
| Test suite exists. They can be used to generated policies. |
|
| Line 45: | Line 49: |
| The frontend is used by the end user to enable profiles for program. The frontend should be framework agnostic. |
The frontend is used by the end user to enable profiles for program. The frontend should be framework agnostic. |
| Line 59: | Line 63: |
| Where profiles should be included ? * in the application package. Requires to educated package maintainer about security policy framework. * in one package policy. The policy maintainer has to track all application changes. * one package policy for each application. May lead to lots of small packages. Feedback from users should be leveraged to improve shipped profiles. Integration with [Apport]. |
|
| Line 63: | Line 77: |
| It can be extended with a basic reporting function showing how many policy | It can be extended with a basic reporting function showing how many policy |
| Line 65: | Line 79: |
| A function to report the violation in order to improve the policy. Automatically file a bug under apparmor, instead of the application. |
|
| Line 70: | Line 86: |
| Yast2 provides an administration tool for AppArmor and Fedora has an administration tool for SELinux. |
* Realtime notification : Policy violation can be monitored and reported via email. Ressources : * Yast2 provides an administration tool for AppArmor. * Fedora and RHEL 5 have an administration tool for ["SELinux"] : * system-config-selinux * [https://hosted.fedoraproject.org/projects/setroubleshoot Setroubleshoot] : A User Friendly Tool for Notification & Diagnosis of AVC Denials |
| Line 76: | Line 99: |
| AppArmor requires a manual compilation of the kernel module. The solution is to include AppArmor in the kernel. |
AppArmor requires a manual compilation of the kernel module. The solution is to include AppArmor in the kernel. Enable/disable apparmor : |
| Line 85: | Line 110: |
| * SELinux SELinux has to be activated on the kernel command line, at the bootloader level. |
* ["SELinux"] Enable/disable selinux : ["SELinux"] has to be activated on the kernel command line, at the bootloader level. |
| Line 88: | Line 115: |
| Line 93: | Line 121: |
| * AppArmor : AppArmor is not included in the kernel by default and requires the compilation of a module. AppArmor has been posted on the lklm for inclusion in April 2007. |
* AppArmor : AppArmor is not included in the kernel by default and requires the compilation of a module. AppArmor has been posted on the lklm for inclusion in April 2007. Response has been much better compared to the previous request. |
* Launchpad Entry: SecurityModuleAdminTool
Created: 2007-05-09 by MathiasGug
Packages affected: apparmor-profiles, selinux-policy
See also: AppArmor, ["SELinux"]
Summary
This specification defines an administration tool used to setup and apply security profiles to programs.
Rationale
The main security frameworks (["SELinux"] and AppArmor) are in Ubuntu repositories. However, their setup and management are not easy and relies mainly on command line tools.
["SELinux"] is already in the kernel and the utilities are in main. There are a number of profiles installed by default.
AppArmor is not included in the kernel. All the packages are in universe. There are a number of profiles installed by default.
Use Cases
- Alice has installed an ubuntu server to provide file and printer sharing service via samba. She wants to increase the security level of her server.
She opens the security policy manager and applies an AppArmor security policy to the samba service.
- Bob has just installed a LAMP server using the ubuntu alternate cd. He wants to increase the security of his server by using ["SELinux"]. He opens the security policy manager and applies a ["SELinux"] security policy to the LAMP service.
Scope
It should be made easy to activate and deactivate security profiles for services. It should be possible to update the profile according to the audit logs.
Design
- Provide good profiles
- In order to create a good profile, the target program has to be well tested. That leads to automatic software testing. This is also important for software updates : for each update, the profile has to be checked and potentialy updated if the behaviour of the software has changed. Test suite exists. They can be used to generated policies.
- Frontend administration tool
- The frontend is used by the end user to enable profiles for program. The frontend should be framework agnostic.
Implementation
Good profiles
The base profiles can be used as a start. Profiles for the following services can be provided :
- ntpd
- named
- samba (smbd, nmbd)
- postfix
- apache from the standard LAMP installation
Where profiles should be included ?
- in the application package. Requires to educated package maintainer about security policy framework.
- in one package policy. The policy maintainer has to track all application changes.
- one package policy for each application. May lead to lots of small packages.
Feedback from users should be leveraged to improve shipped profiles. Integration with [Apport].
Administration tool
It is based on the services-admin tool.
- Reporting extension :
- It can be extended with a basic reporting function showing how many policy violation have been reported. A function to report the violation in order to improve the policy. Automatically file a bug under apparmor, instead of the application.
- Profile update :
- The end user can be offered the choice to update the profile according to the generated audit log.
- Realtime notification :
- Policy violation can be monitored and reported via email.
Ressources :
Yast2 provides an administration tool for AppArmor.
- Fedora and RHEL 5 have an administration tool for ["SELinux"] :
- system-config-selinux
[https://hosted.fedoraproject.org/projects/setroubleshoot Setroubleshoot] :
A User Friendly Tool for Notification & Diagnosis of AVC Denials
Security module backends
AppArmor requires a manual compilation of the kernel module. The solution is to include AppArmor in the kernel.
Enable/disable apparmor :
Activation of a new profile : restart apparmor :
- /etc/init.d/apparmor restart
[http://outflux.net/blog/archives/2007/04/02/apparmor-now-in-feisty/ AppArmor now in feisty]
- ["SELinux"]
Enable/disable selinux : ["SELinux"] has to be activated on the kernel command line, at the bootloader level. Enabling/disabling it requires rebooting the system.
Activation of a new profile :
Outstanding Issues
the compilation of a module. AppArmor has been posted on the lklm for inclusion in April 2007. Response has been much better compared to the previous request.
BoF agenda and discussion
SecurityModuleAdminTool (last edited 2008-08-06 16:28:34 by localhost)