From openSUSE
Source of AppArmor Detail
== Application Security and System Security ==

An individual application can be secured using an individual profile, but how do we secure a system? A vital question in securing any system is "against what threats?" We could profile all of the programs on the system, but that would be a lot of effort, and in most cases unnecessary.

For instance, consider the network threat model: we want to prevent remote network attackers from gaining control of the system. To prevent such an attack, we need to ensure that all programs that communicate with the network have an AppArmor profile. If we profile all applications that connect to the network, then the AppArmor profiles completely control everything that a network attacker could do to the system.

Note: When an AppArmor profile grants permission to execute another program, it specifies whether the child executes in its own profile (denoted px), executes in the same profile as the parent, inheriting the parent's profile (denoted ix), or executes unconstrained (denoted ux). The px permission should be used for major programs that broker access to data, such as Apache executing Sendmail to send some mail. The ix permission should be used for smaller utility programs that operate on whatever data the parent has at hand, such as a shell script executing cp to copy a file. The ux permission is very dangerous, and should be used carefully to allow administrative access that is not regulated by AppArmor, such as the ultimate system administrator's shell executed from the SSH daemon.

Since the network threat model is so common a concern, AppArmor comes with a system analyzer called unconfined, which scans the machine for open network ports, finds the programs listening to those open network ports, and lists the profiles wrapped around those programs, if any.
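
The kind of scan described above can be reproduced from /proc, shown here as an added Python example that is not the unconfined tool's own code. The function names are hypothetical, only IPv4 TCP listeners from /proc/net/tcp are covered, and a profile in complain mode is counted as exposed because complain mode logs violations without blocking them.

```python
import os
import re
from pathlib import Path

def listening_inodes(proc_net_tcp):
    """Map socket inode -> port for each LISTEN row (state 0A) of /proc/net/tcp."""
    found = {}
    for line in proc_net_tcp.splitlines():
        f = line.split()
        if len(f) > 9 and f[3] == "0A":              # header row never matches
            found[f[9]] = int(f[1].rsplit(":", 1)[1], 16)  # port is hex
    return found

def parse_label(attr_current):
    """Split /proc/PID/attr/current into (profile, mode); (None, None) if unconfined."""
    m = re.fullmatch(r"(.+) \((\w+)\)", attr_current.strip())
    return (m.group(1), m.group(2)) if m else (None, None)

def audit(proc_net_tcp, inode_to_pid, pid_to_label):
    """Return sorted (port, pid, profile, mode) rows, one per listening socket."""
    rows = []
    for inode, port in listening_inodes(proc_net_tcp).items():
        pid = inode_to_pid.get(inode)                # None: owner not visible
        rows.append((port, pid) + parse_label(pid_to_label.get(pid, "")))
    return sorted(rows, key=lambda r: r[0])

def exposed(rows):
    """Ports whose listener is not confined by a profile in enforce mode."""
    return [port for port, _pid, _profile, mode in rows if mode != "enforce"]

def live_inputs():
    """Collect the three audit() inputs from /proc on a Linux host (run as root)."""
    inode_to_pid, pid_to_label = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            pid_to_label[pid] = Path(f"/proc/{pid}/attr/current").read_text()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inode_to_pid[m.group(1)] = pid
        except OSError:
            continue                                 # process exited or access denied
    return Path("/proc/net/tcp").read_text(), inode_to_pid, pid_to_label

# Constructed sample: sshd confined on port 22, an unconfined daemon on 8080.
SAMPLE_TCP = ("0: 00000000:0016 00000000:0000 0A 0:0 00:0 0 0 0 11111\n"
              "1: 00000000:1F90 00000000:0000 0A 0:0 00:0 0 0 0 22222\n"
              "2: 0100007F:0016 0100007F:C350 01 0:0 00:0 0 0 0 33333\n")
SAMPLE_PIDS = {"11111": "801", "22222": "950"}
SAMPLE_LABELS = {"801": "/usr/sbin/sshd (enforce)\n", "950": "unconfined\n"}
```

On a live host, `exposed(audit(*live_inputs()))` returns the ports that still need a profile; on the constructed sample it returns only port 8080.
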
If unconfined reports that all open network ports lead to AppArmor profiles, then these profiles fully define the worst case the attacker could impose on the machine.

Similarly, to protect a workstation against network attack, all of the programs that process network input should be profiled. Some of these programs have persistent open network ports, such as ssh clients. Some have transient open network ports, such as web browsers, mail clients, and IM clients. And some such programs have no network ports, but nonetheless process network input with considerable security risks, such as the OpenOffice suite, which is often asked to immediately open .doc files that are attached to incoming e-mail messages. However, one still need not profile all of the programs on the workstation, only those that process network input.

In a different situation, to protect a kiosk workstation against attacks from users, all of the programs that accept keyboard and mouse input should be profiled, as well as any other device readers such as bar code and mag stripe readers. This "keyboard threat model" is very similar to the network threat model above, but with the threat coming from local IO devices like the keyboard and card reader, rather than the network interfaces.

[[en:AppArmor Detail]]
[[de:Apparmor Details]]
[[it:AppArmor Details]]