40 Managing profiled applications #
After creating profiles and immunizing your applications, SUSE® Linux Enterprise Server becomes more efficient and better protected if you perform AppArmor® profile maintenance (which involves analyzing log files, refining your profiles, backing up your set of profiles and keeping it up-to-date). You can deal with these issues before they become a problem by setting up event notification by e-mail, updating profiles from system log entries by running the aa-logprof tool, and dealing with maintenance issues.
40.1 Reacting to security event rejections #
When you receive a security event rejection, examine the access violation
and determine if that event indicated a threat or was part of normal
application behavior. Application-specific knowledge is required to make
the determination. If the rejected action is part of normal application
behavior, run aa-logprof
at the command line.
If the rejected action is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
40.2 Maintaining your security profiles #
In a production environment, you should plan on maintaining profiles for all the deployed applications. The security policies are an integral part of your deployment. You should plan on taking steps to back up and restore security policy files, plan for software changes, and allow any needed modification of security policies that your environment dictates.
40.2.1 Backing up your security profiles #
Backing up profiles might save you from having to re-profile all your programs after a disk crash. Also, if profiles are changed, you can easily restore previous settings by using the backed up files.
Back up profiles by copying the profile files to a specified directory.
You should first archive the files into one file. To do this, open a terminal window and enter the following as
root
:>
sudo
tar zclpf profiles.tgz /etc/apparmor.dThe simplest method to ensure that your security policy files are regularly backed up is to include the directory
/etc/apparmor.d
in the list of directories that your backup system archives.You can also use
scp
or a file manager like Nautilus to store the files on certain kind of storage media, the network, or another computer.
40.2.2 Changing your security profiles #
Maintenance of security profiles includes changing them if you decide that your system requires security for its applications. To change your profiles in AppArmor, refer to Section 36.2, “Editing profiles”.
40.2.3 Introducing new software into your environment #
When you add a new application version or patch to your system, you should always update the profile to fit your needs. You have several options, depending on your company's software deployment strategy. You can deploy your patches and upgrades into a test or production environment. The following explains how to do this with each method.
If you intend to deploy a patch or upgrade in a test environment, the
best method for updating your profiles is to run
aa-logprof
in a terminal as root
. For
detailed instructions, refer to
Section 37.7.3.9, “aa-logprof—scanning the system log”.
If you intend to deploy a patch or upgrade directly into a production
environment, the best method for updating your profiles is to monitor
the system frequently to determine if any new rejections should be added
to the profile and update as needed using aa-logprof
.
For detailed instructions, refer to
Section 37.7.3.9, “aa-logprof—scanning the system log”.