In the last issue of Novell Connection, we got a glimpse of some of the new features of SUSE Linux Enterprise 10 that make this a standout product and place it above competitive offerings when it comes to addressing the needs of enterprise users. Chief among those requirements is the protection of corporate assets and compliance with strict regulations, even as the threats against those assets are escalating.
To better meet the needs of business users, Novell has contributed an extra layer of security with its SUSE Linux Enterprise 10 release. AppArmor is an open source project led by Novell that delivers a unique profile-based security to Linux systems (both server and desktops) and provides businesses with very granular control over what the deployed systems can and cannot do.
Last quarter in Novell Connection, we learned how AppArmor closes the door on application breaches, and allows developers and system administrators to effectively wrap a layer of security around each individual application. In this article, we'll give you a recipe for using ZENworks Linux Management to distribute AppArmor security profiles to multiple servers within your organization, and talk about some of the new security features in development for AppArmor.
> The Threat Inherent in Vulnerable Applications
Software flaws in complex applications provide attackers with an avenue to compromise systems that host critical data in the enterprise. Firewalls and other forms of perimeter security only solve part of the problem because businesses have to open their network to access by customers, partners and mobile employees. So the perimeter essentially shrinks down to the machine that hosts the critical data. IT organizations struggle to keep these machines patched to protect against the latest exploits, but this reactive security strategy still leaves businesses exposed.
With experience, hackers are becoming faster at exploiting a vulnerability, and sometimes a hacker is the first to discover it. A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known, leaving businesses little or no time to download, test and apply patches to their systems.
> Introducing AppArmor and ZENworks Linux Management
AppArmor is an application security framework, integrated with SUSE Linux Enterprise, that provides mandatory access control for programs, protecting against the exploitation of software flaws in applications that can lead to compromised systems. AppArmor provides a way to lock down those systems so that software flaws, whether they are known or unknown, can't be exploited to compromise the system.
AppArmor also addresses the problem of zero-day exploits by providing a proactive security model that enforces good application behavior regardless of the type of attack. The AppArmor framework consists of a complete set of tools that facilitates the development of custom security policies, so you can effectively deploy security policies for open source, commercial and custom applications with only about a half day of training.
Novell ZENworks Linux Management makes it easy to embrace and extend Linux in your existing environment. It is the only solution that uses Policy-Driven Automation to deploy, manage and maintain Linux resources. It also provides automated and intelligent policies that allow centralized control across the lifecycle of Linux systems for desktop lockdown, imaging, remote management, inventory and software management. The result is a comprehensive Linux management solution that dramatically reduces the overhead needed to manage Linux systems.
After you update an AppArmor profile, you might want to distribute the new profile to systems with similar configurations. Though you can do this with a Linux shell, ZENworks Linux Management provides an easy, fast and reliable method to distribute AppArmor profiles. This article provides a recipe for distributing updated AppArmor profiles using the ZENworks Linux Management bundle interface.
> Getting Started
Here's what you'll need to start distributing AppArmor policies using ZENworks:
- Two or more SUSE Linux Enterprise Server or Desktop machines with ZENworks agents installed (one as the server)
- Novell AppArmor installed and enabled on machines to be managed by ZENworks
- AppArmor RPM creation script (download instructions below)
- Some ZENworks knowledge
- A ZENworks-compatible Web browser (such as Firefox)
- Optional: some knowledge of bash commands and vi
- Optional: knowledge of RPM package creation
> Creating and Distributing New Profile RPMs
It's easy to create new AppArmor profiles using the static analysis and learning mode tools included as part of the AppArmor framework. See A Hardened Backend in the Q2 2006 issue for detailed instructions, or take a look at the AppArmor User's Guide at novell.com/documentation/apparmor.
Now, let's say we have just created an AppArmor profile for the Gaim chat client included on the GNOME desktop. This is an appropriate application to secure because it listens on a network port on your desktop and is therefore exposed to remote attackers. The AppArmor profile for Gaim will be called something similar to opt.gnome.bin.gaim and is in the directory /etc/apparmor.d/.
Now, let's distribute this profile to a number of similarly configured machines. To distribute this profile using ZENworks Linux Management, you need to package it as an RPM. You can create the RPM manually, or by using a script that Novell has created which does most of the work for you, including version control, placing the profile in the appropriate directory, and making sure any abstractions used in the profile are packaged up and delivered to the target machines.
Whether you are planning to use the RPM script or create an RPM manually, first download the RPM script because it contains a few packages important for the completion of either process. To download the AppArmor RPM script, go to opensuse.org/apparmor and click on the AppArmor_RPM_script link.
> Manual Creation of RPM
Once you have the AppArmor RPM script, open a terminal window and follow these instructions to build an RPM from this profile:
- Move to the directory that contains AppArmor profiles.
- Prepackage the profile you want to distribute.
tar cvzf apparmor-profile-thisprofile.tgz thisprofile
- Move the tar file to the RPM source directory.
- Move to the directory with the RPM spec file template.
- Copy (don't move) the template file to an appropriate name. For example, if you are distributing a new Gaim profile, copy the file to "apparmor-profile-gaim.spec". You might want to append the version number to the spec file name, though this isn't required.
- If this is not the first time you've updated this profile, launch a text editor (such as vi), and increment the number in the "Release:" field and resave the spec file.
- Update the following fields to appropriate values: "Summary", "Name", "Source0" and "Provides". Also update the %install and %files sections.
- To build an RPM, do the following:
rpmbuild -ba apparmor-profile-gaim.spec
- Go to the section "Uploading RPMs with ZENworks" below to finish.
> RPM Creation Using the Provided Script
Here's an alternate method for creating an AppArmor profile RPM using the script you downloaded earlier.
- Execute the RPM building script.
- Answer the questions when the script prompts you. You'll need to know the name of the profile (for example, opt.gnome.bin.gaim) and optionally a release number. The release number is necessary to differentiate between different RPMs that might be created on different machines. It will default to '1' if nothing is entered.
- An RPM will be created in the /var/tmp/ directory.
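As an added example (not Novell's RPM script and not code from the article), the shell script below automates the manual steps listed earlier and the script-driven flow from this section: it tars the profile, writes a spec with the Summary, Name, Source0, Provides, %install and %files entries, increments Release on a repeat build and calls rpmbuild. The spec field values, the ~/rpmbuild tree, the package name pattern apparmor-profile-<suffix> and the script file name are assumptions; packaging of abstractions is not handled.

```shell
#!/bin/sh
# Added example (not Novell's RPM script): package one AppArmor profile as an RPM
# along the article's manual steps. Assumed: profiles in $PROFILE_DIR, rpmbuild tree under $RPM_TOP.
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
RPM_TOP="${RPM_TOP:-$HOME/rpmbuild}"

# Short package suffix from a profile name, e.g. opt.gnome.bin.gaim -> gaim.
package_suffix() { printf '%s\n' "${1##*.}"; }

# Release for the next build: 1 for a first build, else the spec's Release: plus one.
next_release() {
    [ -f "$1" ] || { echo 1; return; }
    cur=$(sed -n 's/^Release:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo $(( ${cur:-0} + 1 ))
}

# Print a complete spec for profile $1 at release $2 (fields the article says to set).
write_spec() {
    pkg="apparmor-profile-$(package_suffix "$1")"
    cat <<EOF
Summary: AppArmor profile $1
Name: $pkg
Version: 1.0
Release: $2
License: GPL
Group: Productivity/Security
BuildArch: noarch
Source0: $pkg.tgz
Provides: $pkg
%description
AppArmor profile $1, distributed with ZENworks Linux Management.
%prep
%setup -q -c -n $pkg
%install
install -D -m 0644 $1 %{buildroot}/etc/apparmor.d/$1
%files
%config(noreplace) /etc/apparmor.d/$1
EOF
}

# Tar the profile into SOURCES, write the spec and build it (rpmbuild -ba).
build_profile_rpm() {
    pkg="apparmor-profile-$(package_suffix "$1")"
    spec="$RPM_TOP/SPECS/$pkg.spec"
    rel=$(next_release "$spec")
    mkdir -p "$RPM_TOP/SPECS" "$RPM_TOP/SOURCES"
    tar czf "$RPM_TOP/SOURCES/$pkg.tgz" -C "$PROFILE_DIR" "$1"
    write_spec "$1" "$rel" > "$spec"
    rpmbuild --define "_topdir $RPM_TOP" -ba "$spec"
}
# Build only when a profile name is given: sh mkprofile-rpm.sh opt.gnome.bin.gaim
if [ $# -gt 0 ]; then build_profile_rpm "$1"; fi
```

Because Release is read from the spec left by the previous run, building the same profile twice on one machine yields apparmor-profile-gaim-1.0-1 and then -2, which is what lets ZENworks treat the second RPM as an update.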
> Uploading RPMs with ZENworks
The ZENworks Control Center, a Web-based tool for administering ZENworks features, is available with ZENworks Linux Management. Once you authenticate to the system, your browser goes to the ZENworks Linux Management home page which gives an introduction to the system and instructions on the basic functions of ZENworks and the Control Center.
The Control Center lists all your devices grouped by server and workstation. This list features inventory, assigned bundles (such as sets of RPM packages to deliver), and other information about each of your devices. From the ZENworks Control Center, you can assign RPM packages to be delivered in bundles and installed to any device or groups of devices.
To upload RPMs to ZENworks Linux Management, do the following:
- Log in to the ZENworks management interface.
- Select the Bundle tab in the ZENworks interface.
- Select New, then Bundle from the drop-down menu.
- Select RPM Package Bundle and click Next.
- Enter a Name, and optionally a Display Name and Description. Click Next. (See Figure 1.)
- Click on Upload RPM. Click Browse and go to the /var/tmp directory. Select the RPM you created. Click Open. The name of the file should appear in the text field. Click OK, then click Next. (See Figure 2.)
- Leave the settings for the Pre- and Post-distribution scripts at "None" and click Next; do the same on the following dialog. (See Figure 3.)
- At the confirmation screen, click Finish. There will be a pause, then you should see a success screen. Click OK.
> RPM Distribution Using ZENworks
Now that we have developed a profile, created an RPM for that profile and uploaded it into ZENworks Linux Management, it's time to distribute that profile to our target machines. Just a few more steps and we'll be finished!
- Log in to the ZENworks management interface (if you have not already).
- Select the Bundle tab in the ZENworks interface.
- You should see the name of the bundle you created in the previous section (such as apparmor-profile-gaim-1.1.rpm). Click on it.
- Select Add from the drop-down menu. Select Add again at the next screen. Now you will see a pop-up box. Select the appropriate group from the list, such as Workstations. Click OK. Click Next.
- Select Relative to Refresh from the drop-down menu for both of the following forms. Click Next each time. At the Special Flags screen, click Next.
- At the confirmation screen, click Finish.
> Confirming the Bundle Installation
ZENworks bundle updates work on a schedule, and the bundle installation will occur on the next scheduled refresh.
> Checking Bundle Status
You can check for success or error messages in the Bundles screen by clicking on the name of the bundle. You may also click the Refresh link in the right-side menu to see pending events related to the bundle.
> Checking or Changing the Refresh Schedule
- Select the Device tab.
- Select the appropriate group related to the host you want to configure.
- Select the device (hostname or system alias).
- Select Settings.
- Select the Device Refresh Schedule tab.
- If you have previously changed the refresh schedule, skip this step; the Override settings link is not shown in that case. Otherwise, click the Override settings link.
- Change the Days, Hours and Minutes fields to the numbers you want. For example: "0" Days, "0" Hours, "30" Minutes, will make the system refresh every 30 minutes.
Note: The refresh schedule will not be updated until the next refresh event.
AppArmor secures individual applications against latent defects and protects an entire system against a particular threat, such as a network attack, by protecting all applications that face the network. AppArmor was designed for usability to meet the needs of most Linux users, both home and enterprise. SUSE Linux Enterprise includes the AppArmor framework, a set of default security profiles and a comprehensive tool set for developing custom profiles. ZENworks Linux Management is a powerful solution to deploy, manage and maintain Linux resources. Using ZENworks Linux Management, you can easily deploy AppArmor profiles from a central location to multiple machines in your enterprise.