In a production enviroment, you should plan on maintaining profiles for all of the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to backup and restore security policy files, plan for software changes, and allow any needed modification of security policies that your enviroment dictates. These items are covered in the following sections:
Because you take the time to make profiles, it makes sense to back them up. Backing up profiles might save you from having to reprofile all your programs after a disk crash. Also, if profiles are changed, you can easily restore previous settings by using the backed up files.
Back up profiles by copying the profile files to a specified directory.
You should first archive the files into one file.To do this, open a terminal window and enter the following as root:
tar zclpf profiles.tgz /etc/subdomain.d
The simplest method to ensure that your security policy files are regularly backed up is to include the directory /etc/subdomain.d in your list of directories that your backup system archives.
You can also use scp or a file manager like Konqueror or Nautilus to store the files on some kind of storage media, the network, or another computer.
Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications. To change your profiles in Novell AppArmor, refer to Section 3.3.3, Editing a Profile.
When you add a new application version or patch to your system, you should always update the profile to fit your needs. You have several options that depend on your company's software deployment strategy. You can deploy your patches and upgrades into a test or production environment. The following explains how to do this with each method.
If you intend to deploy a patch or upgrade in a test enviroment, the best method for updating your profiles is one of the following:
Run the profiling wizard by selecting in YaST. This updates your application profile set with the current productions using minimal effort. For step-by-step instructions, refer to Section 3.3.1, Adding a Profile Using the Wizard.
Run genprof by typing genprof in a terminal while logged in as root. For detailed instructions, refer to genprof.
If you intend to deploy a patch or upgrade directly into a production enviroment, the best method for updating your profiles is one of the following:
Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed using logprof. For detailed instructions, refer to logprof.
Run the profiling tools to learn the new behavior (high security risk as all accesses are allowed and logged, not rejected). For step-by-step instructions, refer to Section 3.3.5, Updating Profiles from Syslog Entries.