SecurityModuleAdminTool

Revision 3 as of 2007-05-10 14:32:15

Clear message

* Launchpad Entry: SecurityModuleAdminTool

  • Created: 2007-05-09 by MathiasGug

  • Packages affected: apparmor-profiles, selinux-policy

  • See also: AppArmor, ["SELinux"]

Summary

This specification defines an administration tool used to setup and apply security profiles to programs.

Rationale

The main security frameworks (["SELinux"] and AppArmor) are in Ubuntu repositories. However, their setup and management are not easy and relies mainly on command line tools.

["SELinux"] is already in the kernel and the utilities are in main. There are a number of profiles installed by default.

AppArmor is not included in the kernel. All the packages are in universe. There are a number of profiles installed by default.

Use Cases

  • Alice has installed an ubuntu server to provide file and printer sharing service via samba. She wants to increase the security level of her server.

    She opens the security policy manager and applies an AppArmor security policy to the samba service.

  • Bob has just installed a LAMP server using the ubuntu alternate cd. He wants to increase the security of his server by using ["SELinux"]. He opens the security policy manager and applies a ["SELinux"] security policy to the LAMP service.

Scope

It should be made easy to activate and deactivate security profiles for services. It should be possible to update the profile according to the audit logs.

Design

  • Provide good profiles
    • In order to create a good profile, the target program has to be well tested. That leads to automatic software testing. This is also important for software updates : for each update, the profile has to be checked and potentialy updated if the behaviour of the software has changed. Test suite exists. They can be used to generated policies.
  • Frontend administration tool
    • The frontend is used by the end user to enable profiles for program. The frontend should be framework agnostic.

Implementation

Good profiles

The base profiles can be used as a start. Profiles for the following services can be provided :

  • ntpd
  • named
  • samba (smbd, nmbd)
  • postfix
  • apache from the standard LAMP installation

Where profiles should be included ?

  • in the application package. Requires to educated package maintainer about security policy framework.
  • in one package policy. The policy maintainer has to track all application changes.
  • one package policy for each application. May lead to lots of small packages.

Feedback from users should be leveraged to improve shipped profiles. Integration with [Apport].

Administration tool

It is based on the services-admin tool.

  • Reporting extension :
    • It can be extended with a basic reporting function showing how many policy violation have been reported. A function to report the violation in order to improve the policy. Automatically file a bug under apparmor, instead of the application.
  • Profile update :
    • The end user can be offered the choice to update the profile according to the generated audit log.
  • Realtime notification :
    • Policy violation can be monitored and reported via email.

Ressources :

A User Friendly Tool for Notification & Diagnosis of AVC Denials

Security module backends

AppArmor requires a manual compilation of the kernel module. The solution is to include AppArmor in the kernel.

Enable/disable apparmor :

Activation of a new profile : restart apparmor :

  • /etc/init.d/apparmor restart

[http://outflux.net/blog/archives/2007/04/02/apparmor-now-in-feisty/ AppArmor now in feisty]

  • ["SELinux"]

Enable/disable selinux : ["SELinux"] has to be activated on the kernel command line, at the bootloader level. Enabling/disabling it requires rebooting the system.

Activation of a new profile :

Outstanding Issues

the compilation of a module. AppArmor has been posted on the lklm for inclusion in April 2007. Response has been much better compared to the previous request.

BoF agenda and discussion

CategorySpec