2.2 Inspect Open Ports to Immunize Programs

An automated method for finding network server daemons that should be profiled is to use the unconfined tool. You can also simply view a report of this information in the YaST GUI (refer to Application Audit Report for instructions).

The unconfined tool uses the command netstat -nlp to inspect your open ports from inside your computer, detect the programs associated with those ports, and inspect the set of Novell AppArmor profiles that you have loaded. Unconfined then reports these programs along with the Novell AppArmor profile associated with each program, or reports none if the program is not confined.

NOTE: If you create a new profile, you must restart the program that has been profiled for unconfined to detect and report the new profiled state.

Below is a sample unconfined output:

2325 /sbin/portmap not confined
3702 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
4040 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
4373 /usr/lib/postfix/master confined by '/usr/lib/postfix/master (enforce)'
4505 /usr/sbin/httpd2-prefork confined by '/usr/sbin/httpd2-prefork (enforce)'
5274 /sbin/dhcpcd not confined
5592 /usr/bin/ssh not confined
7146 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (complain)'

The first portion is a number. This number is the process ID number (PID) of the listening program.

The second portion is a string that represents the absolute path of the listening program

The final portion indicates the profile confining the program, if any.

NOTE: Unconfined requires root privileges and should not be run from a shell that is confined by an AppArmor profile.

Unconfined does not distinguish between one network interface and another, so it reports all unconfined processes, even those that might be listening to an internal LAN interface.

Finding user network client applications is dependent on your user preferences. The unconfined tool detects and reports network ports opened by client applications, but only those client applications that are running at the time the unconfined analysis is performed. This is a problem because network services tend to be running all the time, while network client applications tend only to be running when the user is interested in them.

Applying Novell AppArmor profiles to user network client applications is also dependent on user preferences, and Novell AppArmor is intended for servers rather than workstations. Therefore, we leave profiling of user network client applications as an exercise for the user.

To aggressively confine desktop applications, the unconfined command supports a paranoid option, which reports all processes running and the corresponding AppArmor profiles that might or might not be associated with each process. The unconfined user can then decide whether each of these programs needs an AppArmor profile.

Additional profiles can be traded with other users and with the NovellĀ® security development team on the user mailing list at http://mail.wirex.com/mailman/listinfo/immunix-users.

2.2.1 Immunizing Cron Jobs

To find programs that are run by cron, you need to inspect your local cron configuration. Unfortunately, cron configuration is rather complex, so there are numerous files to inspect. Periodic cron jobs are run from these files:


For root's cron jobs, you can edit the tasks with crontab -e and list root's cron tasks with crontab -l. You must be root for these to work.

Once you find these programs, you can use the Add Profile Wizard to create profiles for them. Refer to Section 3.3.1, Adding a Profile Using the Wizard.

2.2.2 Immunizing Web Applications

To find Web applications, you should investigate your Web server configuration. The Apache Web server is highly configurable and Web applications can be stored in many directories, depending on your local configuration. SUSE Linux, by default, stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web application should have an Novell AppArmor profile.

Once you find these programs, you can use the AppArmor Add Profile Wizard to create profiles for them. Refer to Section 3.3.1, Adding a Profile Using the Wizard.

CGI Programs and Subprocess Confinement in Web Applications

Because CGI programs are executed by the Apache Web server, the profile for Apache itself usr.sbin.httpd2-prefork (for Apache2 on SUSE Linux) must be modified to add execute permissions to each of these programs. For instance, adding the line /srv/www/cgi-bin/my_hit_counter.pl rpx grants Apache permission to execute the Perl script my_hit_counter.pl and requires that there be a dedicated profile for my_hit_counter.pl. If my_hit_counter.pl does not have a dedicated profile associated with it, the rule should say /srv/www/cgi-bin/my_hit_counter.pl rix to cause my_hit_counter.pl to inherit the usr.sbin.httpd2-prefork profile.

Some users might find it inconvenient to specify execute permission for every CGI script that Apache might invoke. Instead, the administrator can grant controlled access to collections of CGI scripts. For instance, adding the line /srv/www/cgi-bin/*.{pl,py,pyc} rix allows Apache to execute all files in /srv/www/cgi-bin/ ending in .pl (Perl scripts) and .py or .pyc (Python scripts). As above, the ix part of the rule causes the Python scripts to inherit the Apache profile, which is appropriate if you do not want to write individual profiles for each Python script.

NOTE: If you want the subprocess confinement module (mod_change_hat) functionality when Web applications handle Apache modules (mod_perl and mod_php), use the ChangeHat features when you add a profile in YaST or at the command line. To take advantage of the subprocess confinement, refer to Section 5.1, Apache ChangeHat.

Profiling Web applications that use mod_perl and mod_php require slightly different handling. In this case, the program is a script interpreted directly by the module within the Apache process, so no exec happens. Instead, the Novell AppArmor version of Apache calls change_hat() naming a subprofile (a hat) corresponding to the name of the URI requested.

NOTE:The name presented for the script to execute might not be the URI, depending on how Apache has been configured for where to look for module scripts. If you have configured your Apache to place scripts in a different place, the different names appear in syslog when Novell AppArmor complains about access violations. See Section 4.0, Managing Profiled Applications.

For mod_perl and mod_php scripts, this is the name of the Perl script or the PHP page requested. For example, adding this subprofile allows the localtime.php page to execute and access the local system time:

localtime.php {
/etc/localtime                        r,
/srv/www/cgi-bin/localtime.php        r,
/usr/lib/locale/**                    r,

If no subprofile has been defined, the Novell AppArmor version of Apache applies the DEFAULT_URI hat. This subprofile is basically sufficient to display an HTML Web page. The DEFAULT_URI hat that Novell AppArmor provides by default is the following:

/usr/sbin/suexec2 ixr,
/var/log/apache2/** rwl,
/home/*/public_html/**             r,
/srv/www/htdocs/**                 r,
/srv/www/icons/*.{gif,jpg,png}     r,
/usr/share/apache2/**              r,

If you want a single Novell AppArmor profile for all Web pages and CGI scripts served by Apache, a good approach is to edit the DEFAULT_URI subprofile.

2.2.3 Immunizing Network Agents

To find network server daemons that should be profiled, you should inspect the open ports on your machine, consider the programs that are answering on those ports, and provide profiles for as many of those programs as possible. If you provide profiles for all programs with open network ports, an attacker cannot get to the file system on your machine without passing through a Novell AppArmor profile policy.

Scan your server for open network ports manually from outside the machine using a scanner, such as nmap, or from inside the machine using netstat. Then inspect the machine to determine which programs are answering on the discovered open ports.