Effective hardening of a computer system requires minimizing the number of programs that mediate privilege, then securing those programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer. AppArmor profiles enforce policies to make sure that programs do what they are supposed to do, but nothing else.
Novell® AppArmor provides immunization technologies that protect applications from the inherent vulnerabilities they possess. After installing Novell AppArmor, setting up Novell AppArmor profiles, and rebooting the computer, your system becomes immunized because it begins to enforce the Novell AppArmor security policies. Protecting programs with Novell AppArmor is referred to as immunizing.
Administrators only need to care about the applications that are vulnerable to attacks and generate profiles for these. Hardening a system thus comes down to building and maintaining the AppArmor profile set and monitoring any policy violations or exceptions logged by AppArmor's reporting facility.
Users should not notice AppArmor at all. It runs behind the scenes and does not require any user interaction. Performance is not affected noticeably by AppArmor. If some activity of the application is not covered by an AppArmor profile or if some activity of the application is prevented by AppArmor, the administrator needs to adjust the profile of this application to cover this kind of behavior.
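An added example, not part of the original documentation: a small Python script that summarizes AppArmor events from audit log text, so an administrator monitoring policy violations can see which profile needs adjusting and for which paths. The log lines are constructed, the profile name `/usr/sbin/exampled` is hypothetical, and the key="value" record layout is an assumption that matches current AppArmor audit output; older releases log a different layout.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from a real system). The key="value"
# layout is an assumption; older AppArmor releases need a different parser.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/etc/shadow" pid=2201 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000003.514:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/var/log/exampled.log" pid=2201 comm="exampled" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1700000007.220:43): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/etc/shadow" pid=2201 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000009.874:44): apparmor="DENIED" operation="exec" profile="/usr/sbin/exampled" name="/bin/dash" pid=2207 comm="exampled" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1700000010.000:45): arch=c000003e syscall=2 success=no exit=-13 comm="exampled"
"""

# Matches key="quoted value" or key=bare_value pairs.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the line's key/value fields, or None if it is not an AppArmor event."""
    fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
    return fields if "apparmor" in fields else None


def summarize(log_text):
    """Group events by (profile, verdict) and count each (path, mask) pair.

    DENIED   = activity prevented by an enforced profile.
    ALLOWED  = activity not covered by the profile, logged in complain mode.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["apparmor"] not in ("DENIED", "ALLOWED"):
            continue
        key = (ev.get("profile", "?"), ev["apparmor"])
        summary[key][(ev.get("name", "?"), ev.get("denied_mask", "?"))] += 1
    return {k: dict(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (profile, verdict), hits in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile} [{verdict}]")
        for (path, mask), n in sorted(hits.items()):
            print(f"  {n}x {mask:<3} {path}")
```

Repeated denials for a path the program legitimately needs point to a profile gap; denials for paths it should never touch, such as a shell or the shadow file here, are worth investigating rather than allowing.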
Novell AppArmor sets up a collection of default application profiles to protect standard Linux services. To protect other applications, use the Novell AppArmor tools to create profiles for the applications that you want protected. This chapter introduces the philosophy of immunizing programs. Proceed to Section 20.0, Profile Components and Syntax, Section 22.0, Building and Managing Profiles with YaST, or Section 23.0, Building Profiles from the Command Line if you are ready to build and manage Novell AppArmor profiles.
Novell AppArmor provides streamlined access control for network services by specifying which files each program is allowed to read, write, and execute, and which type of network it is allowed to access. This ensures that each program does what it is supposed to do and nothing else. Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process.
Novell AppArmor is a host intrusion prevention or mandatory access control scheme. Previously, access control schemes were centered around users because they were built for large timeshare systems. In contrast, modern network servers largely do not permit users to log in, but instead provide a variety of network services for users, such as Web, mail, file, and print servers. Novell AppArmor controls the access given to network services and other programs to prevent weaknesses from being exploited.
HINT: Background Information for Novell AppArmor
To get a more in-depth overview of AppArmor and the overall concept behind it, refer to Section 17.1, Background Information on AppArmor Profiling.